# syntax=docker/dockerfile:1
#
# Voltry Probe container — the read-only agent on the NVIDIA CUDA base.
# Multi-arch (amd64 + arm64; arm64 covers Grace). Build from the REPO ROOT so the
# evidence-schema contract (a workspace sibling, not on PyPI) is in the build context:
#
#   docker buildx build -f packages/voltry-probe/Dockerfile \
#     --platform linux/amd64,linux/arm64 \
#     -t ghcr.io/voltry/voltry-probe:0.1.0 .
#
# Collects NO PII (NGC GDPR posture): identity is device-level only; account linkage is
# server-side. No secrets are baked in (no keys/.env copied; see .dockerignore). Image is
# signed (cosign) and CVE-scanned (Trivy) in CI; the base and uv images are pinned by
# version tag, and should also be pinned by digest for a reproducible, attestable build.
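ARG CUDA_TAG=12.6.2-base-ubuntu22.04
# NOTE(review): the base is pinned by tag only. For a reproducible, attestable build the
# digest should be pinned too; a tag@digest reference is valid in this position, e.g.
#   --build-arg CUDA_TAG=12.6.2-base-ubuntu22.04@sha256:<digest>
# and the digest belongs in the signed provenance next to the cosign signature. The same
# applies to the uv image referenced in the install step below.
FROM nvcr.io/nvidia/cuda:${CUDA_TAG}

# Build-time only: an ARG declared inside the stage is visible to RUN but is not
# persisted into the container's environment the way ENV would be.
ARG DEBIAN_FRONTEND=noninteractive

# Runtime environment (intentionally excludes DEBIAN_FRONTEND).
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# OS dependencies. `update` and `install` share one layer so the package index can never
# be stale relative to the install; the lists are removed in that same layer so they do
# not persist in the image.
# NOTE(review): python3.12 does not appear to be in Ubuntu 22.04's stock archive (jammy
# ships python3.10) — confirm the base provides a source for it, or move CUDA_TAG to an
# ubuntu24.04 variant, before relying on this step. Package versions are unpinned
# (hadolint DL3008); the base-image digest pin above is what makes the layer reproducible.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        python3.12 \
        python3.12-venv \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /opt/voltry
# evidence-schema (the contract) must be installed before the probe that depends on it.
COPY packages/evidence-schema /opt/voltry/evidence-schema
COPY packages/voltry-probe    /opt/voltry/voltry-probe
# The pinned uv binary is bind-mounted from its official image for this step only (no
# `curl | sh`), so the installer never lands in a layer of the runtime image — a package
# installer is attack surface the read-only agent does not need. The uv cache is a
# build-host cache mount, never part of the image.
RUN --mount=from=ghcr.io/astral-sh/uv:0.11.21,source=/uv,target=/usr/local/bin/uv \
    --mount=type=cache,target=/root/.cache/uv \
    uv pip install --system --python python3.12 ./evidence-schema ./voltry-probe

# Run unprivileged. The fixed numeric UID lets runtimes that enforce runAsNonRoot verify
# the identity without a passwd lookup; the agent is read-only and collects no PII.
RUN useradd --create-home --uid 10001 voltry
USER voltry
WORKDIR /home/voltry

# Exec form: `voltry` is PID 1 and receives SIGTERM from `docker stop`; CMD supplies the
# default arguments and can be overridden at `docker run`.
ENTRYPOINT ["voltry"]
CMD ["--help"]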
