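# syntax=docker/dockerfile:1.3
#
# RUNTIME REQUIREMENTS for bubblewrap sandboxing:
#   - When running in gVisor (GKE Sandbox / minikube with gVisor addon):
#       No special capabilities needed - gVisor handles syscall isolation
#   - When running in standard Docker/containerd:
#       docker run --cap-add=SYS_ADMIN ...
#
# bubblewrap is used instead of nsjail because nsjail requires prctl(PR_SET_SECUREBITS)
# which gVisor hasn't implemented. bubblewrap provides equivalent filesystem isolation.
#
# NOTE(review): there is no USER directive, so the uvicorn process runs as root and the
# SYS_ADMIN grant above is held by that root process. bubblewrap can run unprivileged
# where the host permits user namespaces, but whether this deployment's bwrap invocation
# works under a non-root USER is not visible here - confirm before adding one.
#
FROM python:3.12-slim

# uv binaries come from the upstream release image; the tag pins the version
# (adding @sha256:<digest> would additionally pin the exact bytes).
COPY --from=ghcr.io/astral-sh/uv:0.6.4 /uv /uvx /bin/

# Install system dependencies (cached via BuildKit).
# The Debian base ships /etc/apt/apt.conf.d/docker-clean, which deletes downloaded .deb
# files right after install and so leaves the /var/cache/apt mount empty; swap it for a
# keep-cache config so the mount actually caches packages across builds.
# The package lists live in the /var/lib/apt mount rather than in an image layer, so
# they are not removed here - removing them would only discard the cache for the next build.
# Packages are unpinned (hadolint DL3008); pin them if reproducible builds are required.
# netcat-openbsd is a network tool shipped in the runtime image - presumably used by the
# agent; confirm it is needed, since it is not required for the build itself.
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    rm -f /etc/apt/apt.conf.d/docker-clean \
    && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache \
    && apt-get update && apt-get install -y --no-install-recommends \
    bubblewrap \
    curl \
    netcat-openbsd \
    tar

# Network tolerance for uv. Set before the first uv invocation so both install steps
# see it; kept as ENV rather than ARG so the variable stays present at runtime, as in
# the original image.
ENV UV_HTTP_TIMEOUT=1000

# Unpinned upgrade of the packaging toolchain: convenient, but not reproducible
# build-to-build. Pin versions here if reproducibility matters.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --system --upgrade pip setuptools wheel

# Copy terminaluse package to /app (so ../.. from examples/claude_agent_sdk resolves to /app)
COPY pyproject.toml /app/pyproject.toml
COPY src /app/src
COPY README.md /app/README.md

# Copy the test_agent source files (path must match ../.. reference in tool.uv.sources)
COPY examples/test_agent/pyproject.toml /app/examples/test_agent/pyproject.toml
COPY examples/test_agent/src /app/examples/test_agent/src

WORKDIR /app/examples/test_agent

# Install the required Python packages using uv (cached via BuildKit).
# Installs the test_agent project (and its terminaluse dependency via tool.uv.sources)
# into the system interpreter; no virtualenv is created.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --system .

# Make /app importable so the agent can import the terminaluse package without an
# editable install.
ENV PYTHONPATH=/app

# uvicorn listens on 8000 when no --port is passed; EXPOSE is documentation only and
# does not publish the port.
EXPOSE 8000

# Run the agent using uvicorn. Exec form: uvicorn is PID 1 and receives SIGTERM from
# `docker stop` directly. --host 0.0.0.0 binds every interface in the container's
# network namespace, so reachability is governed by how the port is published.
ENTRYPOINT ["uvicorn", "src.agent:server", "--host", "0.0.0.0"]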