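# syntax=docker/dockerfile:1
# Claude Code sandboxed container
#
# Runs the Claude Code CLI inside Docker so it cannot reach the host filesystem
# directly — only the directory you mount into /workspace.
#
# Security notes for whoever maintains this file:
#   * The "sandbox" is the container boundary, nothing more. Anything mounted
#     into the container (the workspace, any credentials you pass in) is fully
#     reachable by the agent, and the agent has outbound network access unless
#     you restrict it at `docker run` time (e.g. --network).
#   * Several tools are installed via `curl | bash` from upstream installers
#     (Claude Code, rustup, abra). Those fetches are unpinned and unverified:
#     they run whatever the upstream currently serves. Treat them as a
#     supply-chain trust decision, not a hardened install.
#   * The image ends as root. gosu is installed so that entrypoint.sh can drop
#     privileges; entrypoint.sh is not part of this file, so confirm it actually
#     does so before relying on the non-root `claude` user.

FROM debian:12-slim

# Fail a pipeline on the *first* failing command. Without pipefail a failed
# `curl` in `curl … | bash` exits 0 and bash happily runs on empty or partial
# input. bash is part of the Debian base image, so this is safe before apt runs.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Populated automatically by BuildKit for multi-arch builds (amd64/arm64);
# the RUN steps below default it to amd64 for a plain `docker build`.
ARG TARGETARCH

# ── Core system packages ──────────────────────────────────────────────
# gnupg: required by `gpg --dearmor` in the Caddy step below; the slim base
#        image ships only gpgv, which cannot dearmor keys.
# sudo:  not needed by the build itself. If entrypoint.sh grants the `claude`
#        user passwordless sudo, that user is effectively root inside the
#        container — keep that in mind when reasoning about what the agent can do.
RUN apt-get update && apt-get install -y \
        bash \
        build-essential \
        ca-certificates \
        cmake \
        curl \
        fd-find \
        git \
        gnupg \
        gosu \
        jq \
        less \
        libclang-dev \
        libssl-dev \
        musl-dev \
        musl-tools \
        nodejs \
        npm \
        openssh-client \
        pkg-config \
        python3 \
        python3-pip \
        ripgrep \
        sudo \
        tar \
        tree \
        unzip \
        vim \
        wget \
        zip \
    && rm -rf /var/lib/apt/lists/*

# ── GitHub CLI (apt repo, signed-by keyring) ──────────────────────────
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
        -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
        > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update && apt-get install -y gh \
    && rm -rf /var/lib/apt/lists/*

# ── Playwright: Chromium runtime libraries ────────────────────────────
RUN apt-get update && apt-get install -y \
        fonts-liberation \
        libasound2 \
        libatk-bridge2.0-0 \
        libatk1.0-0 \
        libatspi2.0-0 \
        libcairo2 \
        libcups2 \
        libdbus-1-3 \
        libdrm2 \
        libgbm1 \
        libglib2.0-0 \
        libnspr4 \
        libnss3 \
        libnss3-tools \
        libpango-1.0-0 \
        libwayland-client0 \
        libxcomposite1 \
        libxdamage1 \
        libxfixes3 \
        libxkbcommon0 \
        libxrandr2 \
        libxshmfence1 \
    && rm -rf /var/lib/apt/lists/*

# Playwright package + Chromium. Pin the package when you can
# (`playwright==x.y.z`): an unpinned install takes whatever is current on PyPI
# at build time. --no-cache-dir keeps pip's download cache out of the layer;
# `install --with-deps` runs apt-get itself, so the lists are cleaned afterwards.
RUN pip install --no-cache-dir --break-system-packages playwright \
    && python3 -m playwright install --with-deps chromium \
    && rm -rf /var/lib/apt/lists/*

# Debian ships fd-find's binary as `fdfind`; expose it under its usual name.
RUN ln -s /usr/bin/fdfind /usr/local/bin/fd

# ── Claude Code CLI ────────────────────────────────────────────────────
# Upstream installer, unpinned and not checksum-verified (see header notes).
# The binary lands in /root/.local/bin; the --version call proves the install.
RUN curl -fsSL https://claude.ai/install.sh | bash \
    && /root/.local/bin/claude --version

# ── Optional tools (remove what you don't need) ───────────────────────
# These are included because this project uses them — feel free to remove
# any you don't need to speed up the build.

# Hugo (static site generator). The tarball is verified against the
# checksum list published with the same GitHub release before it is unpacked.
ARG HUGO_VERSION=0.154.5
RUN set -eux; \
    arch="${TARGETARCH:-amd64}"; \
    case "$arch" in \
        amd64) hugo_arch="linux-amd64" ;; \
        arm64) hugo_arch="linux-arm64" ;; \
        *) echo "Unsupported arch: $arch"; exit 1 ;; \
    esac; \
    base="https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}"; \
    tarball="hugo_extended_${HUGO_VERSION}_${hugo_arch}.tar.gz"; \
    curl -fsSL "${base}/${tarball}" -o "/tmp/${tarball}"; \
    curl -fsSL "${base}/hugo_${HUGO_VERSION}_checksums.txt" -o /tmp/hugo_checksums.txt; \
    ( cd /tmp && grep " ${tarball}\$" hugo_checksums.txt | sha256sum -c - ); \
    tar -xzf "/tmp/${tarball}" -C /tmp hugo; \
    mv /tmp/hugo /usr/local/bin/hugo; \
    rm -f "/tmp/${tarball}" /tmp/hugo_checksums.txt; \
    hugo version

# Terraform. The zip is verified against HashiCorp's SHA256SUMS for the
# release. That SHA256SUMS file is itself GPG-signed upstream
# (…_SHA256SUMS.sig); verifying the signature against HashiCorp's release key
# would close the remaining gap and is left as a follow-up.
# Only the `terraform` member is extracted so LICENSE.txt does not end up in
# /usr/local/bin.
ARG TERRAFORM_VERSION=1.11.2
RUN set -eux; \
    arch="${TARGETARCH:-amd64}"; \
    case "$arch" in \
        amd64|arm64) ;; \
        *) echo "Unsupported arch: $arch"; exit 1 ;; \
    esac; \
    base="https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}"; \
    zipfile="terraform_${TERRAFORM_VERSION}_linux_${arch}.zip"; \
    curl -fsSL "${base}/${zipfile}" -o "/tmp/${zipfile}"; \
    curl -fsSL "${base}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" -o /tmp/terraform_SHA256SUMS; \
    ( cd /tmp && grep " ${zipfile}\$" terraform_SHA256SUMS | sha256sum -c - ); \
    unzip -o "/tmp/${zipfile}" terraform -d /usr/local/bin/; \
    rm -f "/tmp/${zipfile}" /tmp/terraform_SHA256SUMS; \
    terraform version

# Rust (rustup + cargo). The installer is unpinned; `--proto '=https'
# --tlsv1.2` is the invocation rustup documents and refuses any downgrade to
# plain HTTP. The musl target follows the build architecture instead of being
# hard-wired to x86_64 (amd64 behaves exactly as before).
RUN set -eux; \
    arch="${TARGETARCH:-amd64}"; \
    case "$arch" in \
        amd64) musl_target="x86_64-unknown-linux-musl" ;; \
        arm64) musl_target="aarch64-unknown-linux-musl" ;; \
        *) echo "Unsupported arch: $arch"; exit 1 ;; \
    esac; \
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y; \
    /root/.cargo/bin/rustup target add "${musl_target}"

# abra (Co-op Cloud CLI). Upstream installer, unpinned and unverified.
RUN curl -fsSL https://install.abra.coopcloud.tech | bash

# Caddy (web server / reverse proxy), from the Cloudsmith apt repo.
RUN curl -fsSL https://dl.cloudsmith.io/public/caddy/stable/gpg.key \
        | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" \
        > /etc/apt/sources.list.d/caddy-stable.list \
    && apt-get update && apt-get install -y caddy \
    && rm -rf /var/lib/apt/lists/*

# Tailscale (VPN / mesh networking). Both the keyring and the sources.list
# entry are fetched from pkgs.tailscale.com over HTTPS; the .list file decides
# which repo apt trusts, so it is as security-relevant as the key itself.
RUN curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg \
        -o /usr/share/keyrings/tailscale-archive-keyring.gpg \
    && curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list \
        -o /etc/apt/sources.list.d/tailscale.list \
    && apt-get update && apt-get install -y tailscale \
    && rm -rf /var/lib/apt/lists/*

# ── PATH & permissions ────────────────────────────────────────────────
ENV PATH="/root/.local/bin:/root/.claude/bin:/root/.cargo/bin:${PATH}"

# The Claude Code and abra installers put their binaries under /root. Opening
# /root and the tool directories to o+rx lets a non-root user execute them.
# Caveat: anything written under /root/.claude or /root/.config *at runtime*
# (for example a login token, if the CLI is ever run as root in this container)
# becomes world-readable as well. Keep per-user state and secrets in the
# `claude` user's own home, not here.
RUN chmod 755 /root \
    && mkdir -p /root/.claude /root/.local/bin /root/.config \
    && chmod -R a+rx /root/.claude /root/.local /root/.config \
    && chmod a+rx /usr/local/bin/abra 2>/dev/null || true

# Pre-create the non-root user's home. Ownership is not set here; presumably
# entrypoint.sh creates the `claude` user (matching the host UID) and chowns
# these directories before switching to it — confirm against entrypoint.sh,
# which is not visible in this file.
RUN mkdir -p /home/claude/.claude /home/claude/.local/bin /home/claude/.config /home/claude/.abra \
    && chmod -R 755 /home/claude

# --chmod sets the mode in the COPY layer itself instead of a second layer.
COPY --chmod=755 entrypoint.sh /entrypoint.sh

WORKDIR /workspace

# No USER directive on purpose: gosu needs root to switch users, so dropping
# privileges is delegated to entrypoint.sh. If entrypoint.sh does not exec the
# CLI via gosu (or equivalent), the agent runs as root in this container.
ENTRYPOINT ["/entrypoint.sh"]
CMD []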