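# Stage 1: fetch the pinned third-party scanners (nuclei, subfinder, gofang) in a
# throw-away stage so the Go toolchain, wget and unzip never reach the runtime
# image. NOTE(review): debian:stable-slim is a floating tag; pin it by digest for
# reproducible builds.
FROM debian:stable-slim AS go-tools-builder

ARG NUCLEI_VERSION=3.1.0
ARG SUBFINDER_VERSION=2.6.3
# Defaults to amd64; BuildKit replaces this with the real target platform arch.
ARG TARGETARCH=amd64
ARG GO_VERSION=1.22.4
# Optional sha256 of each download. The empty default skips verification so
# existing builds keep working; pass e.g.
#   --build-arg GO_SHA256=<sha256 published on go.dev/dl for this tarball>
# to enforce integrity the same way the runtime stage already does for ZAP.
ARG GO_SHA256=""
ARG NUCLEI_SHA256=""
ARG SUBFINDER_SHA256=""

# update + install in one layer and drop the apt lists so the cache is never
# stale and the layer stays small; packages sorted for diffability.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    unzip \
    wget \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /tools

# Official Go tarball, pinned by GO_VERSION; checksum enforced only when
# GO_SHA256 is supplied. The tarball is removed in the same layer.
RUN wget -q "https://go.dev/dl/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz" \
    && { [ -z "${GO_SHA256}" ] || echo "${GO_SHA256}  go${GO_VERSION}.linux-${TARGETARCH}.tar.gz" | sha256sum -c -; } \
    && tar -C /usr/local -xzf "go${GO_VERSION}.linux-${TARGETARCH}.tar.gz" \
    && rm "go${GO_VERSION}.linux-${TARGETARCH}.tar.gz"

# /root/go/bin is where `go install` drops binaries (default GOPATH).
ENV PATH="/usr/local/go/bin:/root/go/bin:${PATH}"

# Built from source at the pinned module tag v1.0.0 (Go verifies the module
# against the checksum database during download).
RUN go install github.com/ramkansal/gofang/cmd/gofang@v1.0.0

# Only the `nuclei` binary is extracted from the release zip; the bundled
# LICENSE/README are never copied to the runtime stage anyway.
RUN wget -q "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_${TARGETARCH}.zip" \
    && { [ -z "${NUCLEI_SHA256}" ] || echo "${NUCLEI_SHA256}  nuclei_${NUCLEI_VERSION}_linux_${TARGETARCH}.zip" | sha256sum -c -; } \
    && unzip -q "nuclei_${NUCLEI_VERSION}_linux_${TARGETARCH}.zip" nuclei -d /tools \
    && rm "nuclei_${NUCLEI_VERSION}_linux_${TARGETARCH}.zip" \
    && chmod +x /tools/nuclei

# Same pattern for subfinder.
RUN wget -q "https://github.com/projectdiscovery/subfinder/releases/download/v${SUBFINDER_VERSION}/subfinder_${SUBFINDER_VERSION}_linux_${TARGETARCH}.zip" \
    && { [ -z "${SUBFINDER_SHA256}" ] || echo "${SUBFINDER_SHA256}  subfinder_${SUBFINDER_VERSION}_linux_${TARGETARCH}.zip" | sha256sum -c -; } \
    && unzip -q "subfinder_${SUBFINDER_VERSION}_linux_${TARGETARCH}.zip" subfinder -d /tools \
    && rm "subfinder_${SUBFINDER_VERSION}_linux_${TARGETARCH}.zip" \
    && chmod +x /tools/subfinder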

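# Stage 2: runtime image. Everything below runs as root and several tools
# currently depend on that (nmap raw-socket scans, iputils-ping, ZAP's config
# under /root/.ZAP, nuclei templates under /root). NOTE(review): a dedicated
# non-root USER plus CAP_NET_RAW would be the least-privilege setup; it needs
# config.xml / start_services.sh to stop assuming /root first, so it is only
# flagged here. debian:stable-slim is a floating tag; pin it by digest.
FROM debian:stable-slim AS runtime

# pipefail so a failing producer in `a | b` chains fails the RUN.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build-time only: keeps apt from prompting. Declared as ARG (not ENV) so it
# does not leak into the running container's environment.
ARG DEBIAN_FRONTEND=noninteractive

# Runtime configuration. ZAP_VERSION/ZAP_SHA256/INSTALL_DIR/SYMLINK are used at
# build time below and are kept in ENV because start_services.sh may read them
# (presumably; verify against the script). TRANSPORT=stdio means no network
# listener by default; MCP_HOST/MCP_PORT apply to network transports only.
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PATH=/usr/local/bin:$PATH \
    ZAP_VERSION=2.16.1 \
    ZAP_SHA256=5b2eb8319b085121a6e8ad50d69d67dbef8c867166f71a937bfc888d247a2ac1 \
    INSTALL_DIR=/opt/zap \
    SYMLINK=/usr/local/bin/zap.sh \
    ZAP_PORT=8888 \
    ZAP_LOG=/var/log/zap.log \
    TRANSPORT=stdio \
    MCP_HOST=0.0.0.0 \
    MCP_PORT=8080

WORKDIR /opt/pentest-mcp

# OS packages, grouped by purpose. openjdk is needed by ZAP, git by the
# exploitdb/theHarvester installs below, procps by the health/startup script
# (assumed). Lists and temp dirs are cleared in the same layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
    python3 python3-pip \
    gobuster nmap sqlmap \
    curl dnsutils iputils-ping wget whois \
    ca-certificates git procps \
    openjdk-21-jre-headless \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Scanner binaries from the builder stage (pinned versions there).
COPY --from=go-tools-builder /tools/nuclei /usr/local/bin/nuclei
COPY --from=go-tools-builder /tools/subfinder /usr/local/bin/subfinder
COPY --from=go-tools-builder /root/go/bin/gofang /usr/local/bin/gofang

# Layers below are ordered least -> most frequently changing so that a change
# to requirements.txt or the application code does not re-download ZAP,
# exploitdb or theHarvester.

# ZAP release tarball, pinned by version and verified against ZAP_SHA256
# before extraction; the archive is removed in the same layer.
RUN wget -qO zap.tar.gz "https://github.com/zaproxy/zaproxy/releases/download/v${ZAP_VERSION}/ZAP_${ZAP_VERSION}_Linux.tar.gz" \
    && echo "${ZAP_SHA256}  zap.tar.gz" | sha256sum -c - \
    && mkdir -p "${INSTALL_DIR}" \
    && tar -xzf zap.tar.gz -C "${INSTALL_DIR}" --strip-components=1 \
    && ln -sf "${INSTALL_DIR}/zap.sh" "${SYMLINK}" \
    && rm zap.tar.gz

# NOTE(review): not pinned -- this tracks the repository's HEAD at build time,
# so two builds can differ. Pinning a commit (via --depth 1 + a ref ARG) would
# make the image reproducible. .git is dropped to save space.
RUN git clone --depth 1 https://gitlab.com/exploit-database/exploitdb.git /opt/exploitdb \
    && ln -sf /opt/exploitdb/searchsploit /usr/local/bin/searchsploit \
    && rm -rf /opt/exploitdb/.git

# NOTE(review): also unpinned (installs whatever the default branch holds at
# build time); prefer `git+https://...theHarvester.git@<tag>`.
RUN pip3 install --no-cache-dir --break-system-packages \
    git+https://github.com/laramies/theHarvester.git

# Template snapshot is taken at build time (into root's home) and frozen in the
# image; `|| true` keeps offline builds working, so a failed update is silent.
RUN nuclei -update-templates -silent || true

# Python deps: manifest copied alone so this layer is cached until it changes.
COPY requirements.txt .
RUN pip3 install --no-cache-dir --break-system-packages -r requirements.txt

# Application code last (changes most often). config.xml lands in root's ZAP
# profile, which is why the image must currently run as root.
COPY config.xml /root/.ZAP/config.xml
COPY tools/ ./tools/
COPY utils/ ./utils/
COPY seclists/ ./seclists/
COPY pentestMCP.py start_services.sh ./
RUN chmod +x start_services.sh

# Documentation only; must match MCP_PORT. ZAP_PORT (8888) is internal to the
# container and intentionally not exposed.
EXPOSE 8080

# With the default stdio transport there is no HTTP listener, so the probe
# reports healthy. For network transports it checks the MCP /health endpoint
# (assumed to exist on MCP_PORT, as in the original probe) and marks the
# container unhealthy when it stops answering instead of always exiting 0.
HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
    CMD [ "${TRANSPORT}" = "stdio" ] || curl -fsS "http://localhost:${MCP_PORT}/health" >/dev/null || exit 1

# Exec form, relative to WORKDIR. start_services.sh should `exec` the final
# process so it becomes PID 1 and receives SIGTERM from `docker stop`
# (not verifiable from here).
CMD ["./start_services.sh"]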