# syntax=docker/dockerfile:1.3
#
# RUNTIME REQUIREMENTS for bubblewrap sandboxing:
#   - When running in gVisor (GKE Sandbox / minikube with gVisor addon):
#       No special capabilities needed - gVisor handles syscall isolation
#   - When running in standard Docker/containerd:
#       docker run --cap-add=SYS_ADMIN ...
#
# bubblewrap is used instead of nsjail because nsjail requires prctl(PR_SET_SECUREBITS)
# which gVisor hasn't implemented. bubblewrap provides equivalent filesystem isolation.
#
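# uv release to ship in the image. "latest" is only the default so existing
# `docker build` invocations keep working; pin it for reproducible builds with
#   --build-arg UV_VERSION=<PINNED_UV_VERSION>
# A named stage (rather than COPY --from=<image>) is what makes the tag overridable.
ARG UV_VERSION=latest
FROM ghcr.io/astral-sh/uv:${UV_VERSION} AS uv

FROM python:3.12-slim
COPY --from=uv /uv /uvx /bin/

# Install system dependencies.
# --no-install-recommends keeps the image (and its patch surface) small; packages are
# listed alphabetically so diffs stay readable; apt lists are removed in the same layer
# so they never persist in the image.
# NOTE(review): htop, vim and netcat-openbsd are debugging conveniences rather than
# runtime dependencies - drop them from images that are deployed.
# NOTE(review): versions are unpinned (hadolint DL3008); rebuilds can pull different
# packages over time.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    # bubblewrap for handler sandboxing (works inside gVisor unlike nsjail)
    bubblewrap \
    cmake \
    curl \
    gcc \
    htop \
    libpq-dev \
    netcat-openbsd \
    nodejs \
    npm \
    postgresql-client \
    python3-dev \
    tar \
    vim \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Bootstrap the packaging toolchain. The cache mount lives on the build host, so
# downloaded wheels never end up in an image layer.
# NOTE(review): pip/setuptools/wheel are upgraded to whatever is newest at build time;
# pin them if reproducible builds matter.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --system --upgrade pip setuptools wheel

# Generous HTTP timeout for uv fetches. Kept as ENV rather than a build ARG because
# uv/uvx are shipped in /bin and the setting therefore also applies to any runtime use.
ENV UV_HTTP_TIMEOUT=1000

# Copy terminaluse package to /app (so ../.. from examples/hello_world resolves to /app).
# Manifests and sources are copied separately from the install step so the dependency
# layer is only rebuilt when these files change.
COPY pyproject.toml /app/pyproject.toml
COPY src /app/src
COPY README.md /app/README.md

# Copy the hello_world source files (path must match ../.. reference in tool.uv.sources)
COPY examples/hello_world/pyproject.toml /app/examples/hello_world/pyproject.toml
COPY examples/hello_world/src /app/examples/hello_world/src

WORKDIR /app/examples/hello_world

# Install the required Python packages using uv (same cache mount as above).
# OpenTelemetry is included by default for traces, metrics, and log correlation
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --system "/app" && uv pip install --system .

# Set environment variables
ENV PYTHONPATH=/app

# uvicorn listens on 8000 unless --port is passed; EXPOSE is documentation only and
# tells operators/tooling which port to publish.
EXPOSE 8000

# NOTE(review): the final image runs as root (no USER directive). bubblewrap is expected
# to need the capabilities described in the header comment of this file, so switching to
# a non-root USER must be validated against the sandbox before it is added here.

# Run the agent using uvicorn. Exec form keeps uvicorn as PID 1 so it receives SIGTERM
# from `docker stop`; 0.0.0.0 is required for the port to be reachable from outside
# the container network namespace.
ENTRYPOINT ["uvicorn", "src.agent:server", "--host", "0.0.0.0"]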
