# PicoSentry — Enterprise Docker Image
# Multi-stage build with pinned digests for secure, reproducible CI/CD pipeline scanning.
#
# Build:
#   docker build -t picosentry:latest .
#   docker build --build-arg VERSION=0.15.0 -t picosentry:0.15.0 .
#
# Run:
#   docker run --rm -v $(pwd):/scan picosentry scan /scan
#   docker run --rm -v $(pwd):/scan picosentry workspace /scan --format json
#   docker run --rm -v $(pwd):/scan picosentry check /scan --fail-on high --fail-on-rule-error
#
# Security: the image runs as non-root. Network isolation and a read-only scan dir
# are not enforced by the image itself — pass `--network none` and mount the scan
# dir with `:ro` at run time to get them.
# Base images pinned by digest for supply-chain integrity.

# ── Stage 1: Builder ──────────────────────────────────
# python:3.12-slim (bookworm) — digest varies; update periodically.
# Verify: docker pull python:3.12-slim@sha256:...
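FROM python:3.12-slim@sha256:9d3abd9fc11d06998ccdbdd93b4dd49b5ad7d67fcbbc11c016eb0eb2c2194891 AS builder

# git is a build-time-only dependency (presumably for version metadata read by
# the build backend — confirm against pyproject.toml); it never reaches the
# runner stage. update + install share one layer so the apt index cannot go
# stale, and the package lists are removed in that same layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build

# Copy only what the package build needs, so changes elsewhere in the repo do
# not invalidate the install layer below.
COPY pyproject.toml README.md LICENSE ./
COPY src/ ./src/

# Install into a clean venv that the runner stage copies verbatim.
# The install must NOT be editable (`-e`): an editable install only writes a
# path hook pointing at /build/src, which does not exist in the runner image,
# so the copied venv would fail with ModuleNotFoundError at run time.
# pyyaml is needed for pnpm workspace support and is installed in the same step.
# TODO(review): pin pyyaml to an exact version for reproducible builds.
RUN python3 -m venv /opt/venv && \
    /opt/venv/bin/pip install --no-cache-dir . pyyaml

# Smoke-test the venv with the source tree removed. This is exactly what the
# runner stage sees, so a venv that still depends on /build fails the build
# here rather than at scan time. WORKDIR is moved first so the shell is not
# left in a deleted directory.
WORKDIR /
RUN rm -rf /build && /opt/venv/bin/picosentry --version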

# ── Stage 2: Runner ───────────────────────────────────
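FROM python:3.12-slim@sha256:9d3abd9fc11d06998ccdbdd93b4dd49b5ad7d67fcbbc11c016eb0eb2c2194891 AS runner

# Dedicated system account. The home dir holds the scanner's corpus cache and
# /scan is the conventional bind-mount target. The account gets no login shell
# (least privilege): `docker exec ... bash` does not consult the passwd shell,
# only `login`/`su` do.
RUN groupadd -r picosentry && \
    useradd -r -g picosentry -d /home/picosentry -s /usr/sbin/nologin picosentry && \
    mkdir -p /home/picosentry/.local/share/picosentry/corpus /scan && \
    chown -R picosentry:picosentry /home/picosentry /scan

# Only the venv crosses the stage boundary — no compiler, git or apt state.
COPY --from=builder /opt/venv /opt/venv

# venv binaries first on PATH; unbuffered output so CI logs stream in order;
# no .pyc writes, which would fail on a read-only / non-root filesystem anyway.
ENV PATH="/opt/venv/bin:$PATH" \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

# Everything from here on (including HEALTHCHECK and the entrypoint) runs
# unprivileged.
USER picosentry
WORKDIR /home/picosentry

# Default scan directory; declared after it was created and chowned above, so
# the ownership survives the VOLUME declaration.
VOLUME ["/scan"]

# Cheap, side-effect-free probe. Only meaningful when the container is kept
# running; with the default CMD the process exits immediately.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD picosentry --version || exit 1

# Image metadata. VERSION is a build arg so the label tracks the value passed
# to `docker build --build-arg VERSION=...` (see header); it is declared this
# late so a version bump does not invalidate the filesystem layers above.
ARG VERSION=0.15.0
LABEL org.opencontainers.image.title="PicoSentry" \
      org.opencontainers.image.description="Deterministic supply-chain scanner for npm/pnpm — enterprise CI/CD" \
      org.opencontainers.image.url="https://github.com/KirkForge/PicoSentry" \
      org.opencontainers.image.vendor="KirkForge" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.authors="KirkForge" \
      org.opencontainers.image.documentation="https://github.com/KirkForge/PicoSentry" \
      org.opencontainers.image.source="https://github.com/KirkForge/PicoSentry" \
      org.opencontainers.image.version="${VERSION}"

# Exec form: picosentry is PID 1 and receives SIGTERM from `docker stop`.
# CMD supplies the default arguments and is overridable per `docker run`.
ENTRYPOINT ["picosentry"]
CMD ["--help"]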
