FROM public.ecr.aws/lambda/python:3.11

# Postgres host/port/database are baked into the image at build time from the
# deploy workflow's --build-arg values (GitHub Actions DEV_DB_* secrets),
# mirroring the landlord_description_overrides Dockerfile. They map onto the
# POSTGRES_* names PostgresConfig.from_env reads. Username/password are NOT baked
# in -- Terraform injects those as Lambda env vars from Secrets Manager.
ARG DEV_DB_HOST
ARG DEV_DB_PORT
ARG DEV_DB_NAME

ENV POSTGRES_HOST=${DEV_DB_HOST}
ENV POSTGRES_PORT=${DEV_DB_PORT}
ENV POSTGRES_DATABASE=${DEV_DB_NAME}

WORKDIR /var/task

COPY applications/bulk_upload_finaliser/requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# DDD-shaped packages only -- no pandas, no legacy backend/. The finaliser writes
# both `property` and the terminal `bulk_address_uploads` status through DDD repos
# on its own PostgresConfig session (ADR-0013). `datatypes/` comes in via the
# Property aggregate's import closure (domain/property/property.py -> site_notes ->
# datatypes/epc/...), enforced by tests/test_lambda_packaging.py.
COPY datatypes/ datatypes/
COPY domain/ domain/
COPY infrastructure/ infrastructure/
COPY orchestration/ orchestration/
COPY repositories/ repositories/
COPY utilities/ utilities/
COPY applications/ applications/

# Place the handler at the Lambda task root so the runtime resolves
# ``main.handler`` without an extra package prefix.
COPY applications/bulk_upload_finaliser/handler.py /var/task/main.py

CMD ["main.handler"]