# syntax=docker/dockerfile:1.3
#
# RUNTIME REQUIREMENTS for bubblewrap sandboxing:
#   - When running in gVisor (GKE Sandbox / minikube with gVisor addon):
#       No special capabilities needed - gVisor handles syscall isolation
#   - When running in standard Docker/containerd:
#       docker run --cap-add=SYS_ADMIN ...
#       (CAP_SYS_ADMIN is a broad, near-root capability: grant it to this
#        container only, never combine it with --privileged, and prefer the
#        gVisor deployment wherever the isolation boundary actually matters)
#
# bubblewrap is used instead of nsjail because nsjail requires prctl(PR_SET_SECUREBITS)
# which gVisor hasn't implemented. bubblewrap provides equivalent filesystem isolation.
#
# Base image: tag pinned to a minor version. For a reproducible, auditable
# build of a sandboxing image, pin by digest (python:3.12-slim@sha256:...) and
# bump it deliberately rather than picking up whatever the tag points at today.
FROM python:3.12-slim
# uv/uvx binaries copied from the upstream image at a fixed tag; the same
# digest-pinning advice applies — this is the only foreign artifact in the image.
COPY --from=ghcr.io/astral-sh/uv:0.6.4 /uv /uvx /bin/

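# Install system dependencies.
# --no-install-recommends keeps the "Recommends" tree out of the image (smaller
# attack surface, fewer CVEs to track); everything we rely on is listed
# explicitly. ca-certificates is expected to be present in python:*-slim
# already and is named so it cannot be lost to --no-install-recommends.
# Package list is sorted for diffability.
# NOTE(review): build-essential/cmake/gcc/python3-dev/libpq-dev are build-time
# toolchain and htop/vim/netcat-openbsd are debugging aids. All of them ship in
# the runtime image that hosts the bubblewrap-sandboxed handlers, so anything
# that escapes the sandbox finds a compiler and a network client waiting.
# Moving the toolchain into a build stage and dropping the debug tools is the
# follow-up; they are kept here so this change stays behaviour-preserving.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    # bubblewrap for handler sandboxing (works inside gVisor unlike nsjail)
    bubblewrap \
    ca-certificates \
    cmake \
    curl \
    gcc \
    htop \
    libpq-dev \
    netcat-openbsd \
    nodejs \
    npm \
    postgresql-client \
    python3-dev \
    tar \
    vim \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Upgrade the packaging toolchain in the interpreter's site-packages.
# NOTE(review): the upgrade is unpinned, so image contents drift between
# builds; pin these once the project carries a lockfile. --no-cache keeps uv's
# download cache out of this layer.
RUN uv pip install --system --no-cache --upgrade pip setuptools wheel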

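# Generous HTTP timeout (seconds) for uv so large wheels on slow links do not
# fail the build. Left in the runtime env because uv is also present at run time.
ENV UV_HTTP_TIMEOUT=1000

# Copy only the project manifest first so the dependency layer below stays
# cached until pyproject.toml changes.
COPY from_init/pyproject.toml /app/from_init/pyproject.toml

WORKDIR /app/from_init

# Install the project's dependencies into the system interpreter.
# NOTE(review): resolving from pyproject.toml alone installs whatever the index
# serves at build time. A committed lockfile (uv.lock, or a requirements file
# with hashes installed under --require-hashes) is what makes this
# reproducible and supply-chain auditable. --no-cache keeps uv's cache out of
# the image layer.
RUN uv pip install --system --no-cache .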

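# Copy the application source (after the dependency install, so source edits
# do not invalidate the dependency layer).
COPY from_init/src /app/from_init/src

# Make /app importable as a package root; `src.agent` in the ENTRYPOINT is
# presumably resolved by uvicorn relative to the working directory — verify
# if PYTHONPATH is ever changed.
ENV PYTHONPATH=/app

# Documentation only (does not publish the port): uvicorn's default listen
# port when none is passed on the command line.
EXPOSE 8000

# NOTE(review): this container runs as root — there is deliberately no USER.
# A non-root USER is the normal requirement, but bubblewrap needs either
# CAP_SYS_ADMIN (see header) or unprivileged user namespaces to build the
# sandbox, and a --cap-add'ed capability is typically not in the effective set
# of a non-root process. Drop to a dedicated numeric UID only once the target
# runtime (e.g. gVisor) is confirmed to let bwrap run unprivileged; until then
# isolate this container at the orchestrator level and never pair SYS_ADMIN
# with --privileged.

# Run the agent under uvicorn. Exec form: uvicorn is PID 1 and receives SIGTERM
# directly. 0.0.0.0 binds every container interface, which is expected inside
# a container; the port can be overridden by appending `--port N` at run time.
ENTRYPOINT ["uvicorn", "src.agent:server", "--host", "0.0.0.0"]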