# NOTE(review): the base tag is not pinned to a digest, so rebuilds can pick up a
# different base image over time; pin a reviewed digest for reproducible builds.
FROM quay.io/centos/centos:stream10

# Enable the CRB and EPEL repositories, install the base toolset in one transaction,
# drop the dnf caches in the same layer, and register python3.12 as the provider of
# both /usr/bin/python and /usr/bin/python3.
RUN dnf install -y dnf-plugins-core \
    && dnf config-manager --set-enabled crb \
    && dnf install -y epel-release \
    && dnf install -y --allowerasing \
        bind-utils \
        ca-certificates \
        coreutils \
        curl \
        diffutils \
        file \
        findutils \
        gawk \
        git \
        glibc-langpack-en \
        grep \
        gzip \
        iputils \
        jq \
        less \
        make \
        perl \
        procps-ng \
        python3.12 \
        python3.12-pip \
        rsync \
        sed \
        socat \
        tar \
        tmux \
        tree \
        unzip \
        wget \
        which \
        xz \
        zip \
    && dnf clean all \
    && alternatives --install /usr/bin/python python /usr/bin/python3.12 1 \
    && alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 1

# Use the en_US UTF-8 locale for every process in the image
# (glibc-langpack-en is installed by the package step above).
ENV LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8

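# Install uv package manager system-wide (available to root for pip_install builds).
# NOTE(review): this runs a remote installer script as root and takes whichever uv
# release that script resolves at build time; nothing here pins a version or checks
# a digest. Pinning a reviewed uv release and verifying its published checksum would
# make this step reproducible and tamper-evident.
# bash with pipefail is selected so that a failed download fails the build instead
# of handing a partial script to sh.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# --proto '=https' --tlsv1.2 makes curl refuse non-HTTPS URLs (including redirect
# targets reached through -L) and TLS versions older than 1.2.
RUN curl --proto '=https' --tlsv1.2 -LsSf https://astral.sh/uv/install.sh \
        | UV_INSTALL_DIR=/usr/local/bin sh \
    && uv --version
# Restore the default shell for the remaining RUN instructions.
SHELL ["/bin/sh", "-c"]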

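# Install tini init process for zombie reaping (not available in EPEL 10).
# The binary for the build architecture is fetched from the GitHub release named by
# TINI_VERSION and compared with the SHA-256 file published next to it, so a
# truncated or corrupted download fails the build instead of being installed.
# NOTE(review): the checksum is served by the same release as the binary, so this
# does not detect a tampered release; for that, pin the reviewed per-architecture
# digests in this file or verify the release's GPG signature.
ARG TINI_VERSION=v0.19.0
RUN ARCH=$(uname -m) && \
    case "$ARCH" in \
        x86_64) TINI_ARCH="amd64" ;; \
        aarch64) TINI_ARCH="arm64" ;; \
        *) echo "Unsupported architecture: $ARCH" && exit 1 ;; \
    esac && \
    TINI_URL="https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TINI_ARCH}" && \
    curl --proto '=https' --tlsv1.2 -fsSL "$TINI_URL" -o /usr/local/bin/tini && \
    curl --proto '=https' --tlsv1.2 -fsSL "${TINI_URL}.sha256sum" -o /tmp/tini.sha256sum && \
    EXPECTED=$(cut -d ' ' -f 1 /tmp/tini.sha256sum) && \
    ACTUAL=$(sha256sum /usr/local/bin/tini | cut -d ' ' -f 1) && \
    rm -f /tmp/tini.sha256sum && \
    if [ -z "$EXPECTED" ] || [ "$EXPECTED" != "$ACTUAL" ]; then \
        echo "tini checksum mismatch: expected '$EXPECTED', got '$ACTUAL'" && exit 1; \
    fi && \
    chmod +x /usr/local/bin/tini && \
    tini --version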

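# Install pre-commit for automatic hook support in git-synced repos.
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): pre-commit and its dependencies are unpinned, so every build installs
# whatever PyPI serves at that moment; pin a reviewed release (ideally with hashes in
# a requirements file) to make the image reproducible.
RUN pip3.12 install --no-cache-dir pre-commit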

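# Install GitHub CLI (gh) from the vendor's RPM repository.
# --proto '=https' --tlsv1.2 makes curl refuse non-HTTPS URLs (including redirect
# targets reached through -L) and TLS versions older than 1.2.
# NOTE(review): the downloaded .repo file decides which signing key dnf trusts for
# gh; confirm it enables gpgcheck with the expected key. The gh version is not
# pinned here.
RUN curl --proto '=https' --tlsv1.2 -fsSL https://cli.github.com/packages/rpm/gh-cli.repo \
        -o /etc/yum.repos.d/gh-cli.repo && \
    dnf install -y gh && \
    dnf clean all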

# Create the unprivileged "paude" account with primary group 0 for OpenShift
# compatibility. useradd is told not to create the home directory; mkdir builds it
# under umask 0002 so the directories come out group-writable, and the tree is then
# handed to paude:0.
RUN useradd --no-create-home --home-dir /home/paude --shell /bin/bash --gid 0 paude \
    && umask 0002 \
    && mkdir -p /home/paude/.claude /home/paude/.config \
    && chown -R paude:0 /home/paude

# NOTE: Claude Code is NOT installed here due to licensing restrictions.
# It gets installed at user-side build time via a runtime layer.
# See src/paude/config/claude_layer.py for the installation logic.

# Copy entrypoints and patch helpers into /usr/local/bin.
# No --chown is given, so the files keep COPY's default root ownership; with mode 755
# the paude user can read and execute them but cannot write to them.
USER root
COPY --chmod=755 \
    entrypoint.sh \
    entrypoint-session.sh \
    entrypoint-lib-credentials.sh \
    entrypoint-lib-config.sh \
    entrypoint-lib-install.sh \
    entrypoint-lib-openclaw.sh \
    patch-proxy-fetch.sh \
    patch-gemini-otel-proxy.sh \
    patch-openclaw-otel-proxy.sh \
    patch-openclaw-otel-logs.sh \
    /usr/local/bin/
# Mode 664 leaves tmux.conf writable by its group as well as its owner.
COPY --chmod=664 tmux.conf /home/paude/.tmux.conf

# Run the container as the unprivileged user from its home directory.
USER paude
WORKDIR /home/paude
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
