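# Base image. The Node major is an ARG so it can be bumped with
# `--build-arg NODE_VERSION=...`; the default reproduces the original tag.
# (Pin by digest in addition to the tag for fully reproducible builds.)
ARG NODE_VERSION=22
FROM docker.io/library/node:${NODE_VERSION}-slim

# Everything up to the final `USER node` needs root (apt, global npm
# install, chown); say so explicitly rather than rely on the base image's
# default user.
USER root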

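# OS-level tooling for the sandbox. Packages are listed one per line and
# sorted alphabetically so diffs stay reviewable. `apt-get update` and
# `install` share one layer (no stale-index cache bug), the apt lists are
# removed in that same layer so they never land in the image, and
# DEBIAN_FRONTEND is set inline rather than via ENV so it does not leak into
# the runtime environment. Debian ships fd as `fdfind`; the trailing symlink
# exposes it under its upstream name.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        fd-find \
        git \
        openssh-client \
        python3 \
        ripgrep \
    && rm -rf /var/lib/apt/lists/* \
    && ln -s /usr/bin/fdfind /usr/local/bin/fd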

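# Install Claude Code CLI. CLAUDE_CODE_VERSION defaults to the `latest` npm
# dist-tag (identical to the original bare install); pass
# `--build-arg CLAUDE_CODE_VERSION=<x.y.z>` to pin an exact release so the
# image is reproducible and the installed version is auditable.
# --ignore-scripts skips npm postinstall hooks for ALL packages in the
# dependency tree (defense-in-depth against malicious transitive
# postinstalls). Then run claude-code's own install.cjs explicitly —
# it's required to wire `/usr/local/bin/claude` (which is a symlink to
# `bin/claude.exe`) to the platform-native binary downloaded into
# `node_modules/@anthropic-ai/claude-code-linux-<arch>/claude`. Without
# this step the symlinked `claude.exe` is a no-shebang error stub that
# exec()s with ENOEXEC (issue #132).
# `npm cache clean --force` runs in the same layer so the npm download
# cache is not baked into the image.
ARG CLAUDE_CODE_VERSION=latest
RUN npm install -g --ignore-scripts "@anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}" \
    && node /usr/local/lib/node_modules/@anthropic-ai/claude-code/install.cjs \
    && npm cache clean --force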

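# agentcage introspection: bake a short "you are sandboxed" brief into Claude
# Code's user memory (~/.claude/CLAUDE.md) so the agent discovers it is caged
# with zero setup. agentcage stages the canonical AGENTS.md brief into the
# build context (see agentcage.scaffold_brief) — it is not committed per-scaffold.
#
# Delivered as a plain, writable, node-owned file — deliberately NOT a
# read-only bind mount over ~/.claude/CLAUDE.md (that makes the runtime create
# ~/.claude root-owned, breaking `claude login`, settings, and history) and
# NOT an `@import` (a Claude-Code-only directive). Claude keeps full ownership
# of ~/.claude, so it still saves credentials and its own appended memories
# there. The same one-line pattern works for any agent — just change the
# destination to that agent's memory file.
#
# `COPY --chown` writes the file already node-owned, so no follow-up
# `RUN chown -R` is needed (that would copy the file into a second layer).
# The directory is created and chowned first so its ownership does not
# depend on whether the builder applies --chown to parent directories it
# creates implicitly.
RUN mkdir -p /home/node/.claude && chown node:node /home/node/.claude
COPY --chown=node:node AGENTS.md /home/node/.claude/CLAUDE.md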

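# node:22-slim already has user node (1000:1000).
# Create the workspace while still root and hand it to node: some builders
# create a missing WORKDIR as root even after USER, which would leave the
# non-root agent unable to write there when nothing is mounted over it.
RUN mkdir -p /workspace && chown node:node /workspace
USER node
WORKDIR /workspace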
