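# syntax=docker/dockerfile:1
# Base image for building.
# NOTE(review): pin both base images by digest (python:3.11-slim@sha256:...) so the
# build is reproducible and auditable; a floating tag pulls whatever it points at today.
ARG LITELLM_BUILD_IMAGE=python:3.11-slim
# Runtime image
ARG LITELLM_RUNTIME_IMAGE=python:3.11-slim

# ---------------------------------------------------------------------------
# Builder stage: builds wheels for every requirement plus the litellm wheel.
# Only /wheels and /app/dist are copied into the runtime stage.
# ---------------------------------------------------------------------------
FROM $LITELLM_BUILD_IMAGE AS builder

WORKDIR /app
USER root

# Build dependencies in one layer; the apt lists are removed in the same layer
# so they never persist in an image layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
        gcc \
        libssl-dev \
        pkg-config \
        python3-dev \
    && rm -rf /var/lib/apt/lists/* \
    && pip install --upgrade pip build

# Copy requirements first so the wheel layer stays cached until they change.
COPY requirements.txt .

# Build wheels for all requirements. The BuildKit cache mount keeps pip's
# download cache between builds, so --no-cache-dir is deliberately NOT passed
# here: it would discard the cache the mount exists to keep.
RUN --mount=type=cache,target=/root/.cache/pip \
    pip wheel --wheel-dir=/wheels/ -r requirements.txt

# Fix JWT dependency conflicts early (the unrelated "jwt" package shadows PyJWT).
# NOTE(review): this only changes the builder's own environment. The runtime
# stage installs from /wheels with --no-index, and /wheels was built from
# requirements.txt above, so the runtime image gets this PyJWT version only if
# requirements.txt pins it as well -- confirm that it does.
RUN pip uninstall jwt -y || true && \
    pip uninstall PyJWT -y || true && \
    pip install PyJWT==2.12.0 --no-cache-dir

# Copy only what the package build needs.
COPY pyproject.toml README.md schema.prisma poetry.lock ./
COPY litellm/ ./litellm/
COPY enterprise/ ./enterprise/
COPY docker/ ./docker/

# Build the Admin UI once. The script may arrive with CRLF line endings from a
# Windows checkout, so normalise it before executing.
RUN sed -i 's/\r$//' docker/build_admin_ui.sh \
    && chmod +x docker/build_admin_ui.sh \
    && ./docker/build_admin_ui.sh

# Build the litellm wheel from a clean dist/.
RUN rm -rf dist/* && python -m build

# Install the built package into the builder (the runtime stage installs the
# same wheel again from /app/dist).
RUN pip install dist/*.whl

# ---------------------------------------------------------------------------
# Runtime stage
# ---------------------------------------------------------------------------
FROM $LITELLM_RUNTIME_IMAGE AS runtime

# The runtime stage runs as root (see the note above ENTRYPOINT).
USER root

# OS packages, Node.js, and a patched global npm in a single layer.
# Quoted heredoc delimiter: the script is handed to the shell verbatim, so
# $VAR references below are shell variables, not Dockerfile ARG/ENV expansion.
RUN <<"EOF"
set -eu

# npm packages pinned to versions that carry the fixes these patches target.
# If you bump one, revisit the package.json range rewrite at the end of this script.
TAR_VERSION=7.5.11
GLOB_VERSION=11.1.0
BRACE_EXPANSION_VERSION=5.0.1
MINIMATCH_VERSION=10.2.4
DIFF_VERSION=8.0.3

apt-get update
# Targeted upgrades of libraries with fixes not yet in the base image.
# NOTE(review): hadolint DL3005 flags apt-get upgrade; the reproducible way to
# pick these up is to bump the base-image digest and drop this list.
apt-get upgrade -y \
    git \
    libaom3 \
    libc6 \
    libexpat1 \
    libglib2.0-0 \
    libgnutls30 \
    libkrb5-3 \
    libssl3 \
    libxml2 \
    libxslt1.1 \
    openssl \
    wget
apt-get install -y --no-install-recommends \
    libatomic1 \
    libssl3 \
    nodejs \
    npm
rm -rf /var/lib/apt/lists/*

# Install a current npm plus patched copies of the transitive dependencies.
# NOTE(review): npm@latest is unpinned, so this layer is not reproducible and
# silently takes whatever npm publishes; pin it to an explicit version.
npm install -g npm@latest \
    "tar@${TAR_VERSION}" \
    "glob@${GLOB_VERSION}" \
    "@isaacs/brace-expansion@${BRACE_EXPANSION_VERSION}" \
    "minimatch@${MINIMATCH_VERSION}" \
    "diff@${DIFF_VERSION}"

GLOBAL="$(npm root -g)"
[ -n "$GLOBAL" ] || { echo "ERROR: npm root -g returned empty; aborting"; exit 1; }

# patch_dep <pkg> <version>: replace every copy of <pkg> nested under the global
# npm install with the freshly installed top-level copy at $GLOBAL/<pkg>.
# The source is checked against the pin first, and a failing rm/cp aborts the
# build instead of being swallowed by the find|while pipeline.
patch_dep() {
    src="$GLOBAL/$1"
    got="$(node -p "require('${src}/package.json').version")"
    [ "$got" = "$2" ] || { echo "ERROR: $src is version $got, expected $2"; exit 1; }
    find "$GLOBAL/npm" -type d -path "*/node_modules/$1" | while read -r d; do
        rm -rf "$d" && cp -rL "$src" "$d" || exit 1
    done
}
patch_dep tar "$TAR_VERSION"
patch_dep glob "$GLOB_VERSION"
patch_dep @isaacs/brace-expansion "$BRACE_EXPANSION_VERSION"
patch_dep minimatch "$MINIMATCH_VERSION"
patch_dep diff "$DIFF_VERSION"

# Raise the ranges npm's own package.json declares so they admit the patched
# versions installed above (^7.5.10 admits 7.5.11, ^10.2.4 admits 10.2.4).
find /usr/local/lib /usr/lib -path "*/node_modules/npm/package.json" -exec \
    sed -i 's/"tar": "\^7\.5\.[0-9]*"/"tar": "^7.5.10"/g; s/"minimatch": "\^10\.[0-9.]*"/"minimatch": "^10.2.4"/g' {} + 2>/dev/null

npm cache clean --force
# Drop Debian's npm; the npm installed above under the -g prefix stays on PATH
# and is what the later "npm root -g" call resolves to.
apt-get purge -y npm
EOF

WORKDIR /app

# Runtime files only.
COPY docker/entrypoint.sh docker/prod_entrypoint.sh ./docker/
COPY litellm/ ./litellm/
COPY pyproject.toml README.md schema.prisma poetry.lock ./

# Pre-built wheels from the builder; --no-index keeps this install offline so
# nothing is resolved from PyPI at this point.
COPY --from=builder /wheels/ /wheels/
COPY --from=builder /app/dist/*.whl .
RUN pip install --no-cache-dir *.whl /wheels/* --no-index --find-links=/wheels/ \
    && rm -f *.whl \
    && rm -rf /wheels

# SECURITY FIX: nodejs-wheel-binaries (pip package used by Prisma) bundles a
# complete npm, with old vulnerable copies of tar/glob/brace-expansion/minimatch/
# diff, inside its nodejs_wheel package directory. That directory lives in the
# runtime Python's site-packages, which for the official python:*-slim image is
# under /usr/local/lib (not /usr/lib), so both prefixes are searched and the
# build fails if the package turns up anywhere else. Every nested copy is
# replaced with the patched global one and the result is verified before the
# layer is committed.
RUN <<"EOF"
set -eu

# Same pins as the npm layer above.
TAR_VERSION=7.5.11
GLOB_VERSION=11.1.0
BRACE_EXPANSION_VERSION=5.0.1
MINIMATCH_VERSION=10.2.4
DIFF_VERSION=8.0.3

GLOBAL="$(npm root -g)"
[ -n "$GLOBAL" ] || { echo "ERROR: npm root -g returned empty; aborting"; exit 1; }

# Prefixes searched for bundled node_modules trees: /usr/local/lib covers the
# official python image's site-packages, /usr/lib covers distro Python layouts.
ROOTS="/usr/local/lib /usr/lib"

# Confirm the nodejs_wheel tree (if installed) sits inside the searched prefixes
# so the patch below cannot silently miss it.
NODEJS_WHEEL="$(python -c 'import os, nodejs_wheel; print(os.path.dirname(nodejs_wheel.__file__))' 2>/dev/null || true)"
case "$NODEJS_WHEEL" in
    "") echo "WARNING: nodejs_wheel is not importable; no bundled npm tree to patch" ;;
    /usr/local/lib/*|/usr/lib/*) echo "nodejs_wheel tree found at $NODEJS_WHEEL" ;;
    *) echo "ERROR: nodejs_wheel tree at $NODEJS_WHEEL is outside the searched prefixes ($ROOTS)"; exit 1 ;;
esac

# patch_dep <pkg> <version>: replace every node_modules/<pkg> under $ROOTS with
# the patched global copy at $GLOBAL/<pkg>. The global copy may itself sit under
# one of the searched prefixes, so it is skipped rather than deleted and copied
# onto itself; any other rm/cp failure aborts the build.
patch_dep() {
    src="$GLOBAL/$1"
    got="$(node -p "require('${src}/package.json').version")"
    [ "$got" = "$2" ] || { echo "ERROR: $src is version $got, expected $2"; exit 1; }
    # shellcheck disable=SC2086  # ROOTS is a deliberately word-split list
    find $ROOTS -type d -path "*/node_modules/$1" | while read -r d; do
        [ "$d" = "$src" ] && continue
        rm -rf "$d" && cp -rL "$src" "$d" || exit 1
    done
}

# verify_dep <pkg> <version>: fail the build if any node_modules/<pkg> under
# $ROOTS still reports a different version after patching.
verify_dep() {
    # shellcheck disable=SC2086
    find $ROOTS -path "*/node_modules/$1/package.json" | while read -r p; do
        got="$(node -p "require('${p}').version")"
        [ "$got" = "$2" ] || { echo "ERROR: unpatched $1 $got at $p"; exit 1; }
    done
}

patch_dep tar "$TAR_VERSION"
patch_dep glob "$GLOB_VERSION"
patch_dep @isaacs/brace-expansion "$BRACE_EXPANSION_VERSION"
patch_dep minimatch "$MINIMATCH_VERSION"
patch_dep diff "$DIFF_VERSION"

verify_dep tar "$TAR_VERSION"
verify_dep glob "$GLOB_VERSION"
verify_dep @isaacs/brace-expansion "$BRACE_EXPANSION_VERSION"
verify_dep minimatch "$MINIMATCH_VERSION"
verify_dep diff "$DIFF_VERSION"
EOF

# Generate the Prisma client; normalise CRLF line endings (a Windows checkout
# would otherwise break the shebang) and make the entrypoint scripts executable.
RUN prisma generate \
    && sed -i 's/\r$//' docker/entrypoint.sh docker/prod_entrypoint.sh \
    && chmod +x docker/entrypoint.sh docker/prod_entrypoint.sh

EXPOSE 4000/tcp

# NOTE(review): the image ends as root (USER root above, no later USER). The
# entrypoint scripts are not visible here, so confirm what they need to write
# at start-up (e.g. under /app or site-packages) and, if a dedicated UID that
# owns those paths suffices, add `USER <uid>` before ENTRYPOINT.
ENTRYPOINT ["docker/prod_entrypoint.sh"]

# Append "--detailed_debug" to the end of CMD to view detailed debug logs
CMD ["--port", "4000"]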