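# syntax=docker/dockerfile:1
# ORCH-100 (FND/F1b): sidecar-watchdog — thin stdlib-only monitoring brain.
#
# A separate, deliberately tiny image (NO pip dependencies — Python 3.12 stdlib
# only, ADR-001 D1): urllib for HTTP/Telegram, a raw HTTP-over-unix-socket client
# for the read-only docker.sock, shutil/proc for host metrics. Kept thin on a
# tight host (C-3); mem_limit is enforced in docker-compose.yml (D2).
#
# The build context is the REPO ROOT (see docker-compose.yml `build:
# context: . / dockerfile: watchdog/Dockerfile`) so we can COPY the watchdog/
# package. src/** is intentionally NOT copied — the sidecar must not import the
# orchestrator (C-1).

# Explicit minor tag, never :latest. For a fully reproducible production build,
# pin by digest as well: python:3.12-slim@sha256:<digest-placeholder>.
FROM python:3.12-slim

WORKDIR /app

# Run as a non-root user; the sidecar only READS (docker.sock :ro, host paths :ro).
# It is a service account, not a login account, so it gets no interactive shell.
# NOTE(review): a :ro bind mount of docker.sock does not by itself grant read
# access — the socket's group must also be granted (e.g. compose `group_add`);
# confirm against docker-compose.yml.
RUN useradd --uid 1000 --create-home --home-dir /home/watchdog \
        --shell /usr/sbin/nologin watchdog

# Copy ONLY the sidecar package (no src/, no requirements — stdlib only).
# Deliberately left root-owned: the running user cannot modify its own code.
COPY watchdog/ ./watchdog/

# PYTHONPATH so `-m watchdog` resolves from /app; unbuffered stdout so log lines
# reach `docker logs` immediately; no .pyc writes attempted into the root-owned tree.
ENV PYTHONPATH=/app \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

USER watchdog

# `python -m watchdog` runs watchdog/__main__.py (the tick loop).
ENTRYPOINT ["python", "-m", "watchdog"]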