# syntax=docker/dockerfile:1.7
# ---------------------------------------------------------------------------
# Cial — per-tenant container image (cial-tenant).
#
# One container per tenant. Five processes inside, single exposed port.
#
#   PID 1 (root) tini → node supervisor
#                         ├─ edge           (cial)   :8080  (only exposed)
#                         ├─ core-back      (cial)   :4000
#                         ├─ core-front     (cial)   :4001  basePath=/.cial
#                         ├─ platform-back  (agent)  :3001  internal-only
#                         └─ platform-front (agent)  :3000
#
# Two Linux users:
#   - cial   (uid 1000) — owns /cial/core (mode 0700).
#                         Runs edge + back + front. Agent cannot read it.
#   - agent  (uid 1001) — owns /cial/platform.
#                         Runs platform-back + platform-front + (later) the AI agent.
#
# Built from the repo root:
#   docker build -f core/docker/Dockerfile -t cial-tenant:dev .
# ---------------------------------------------------------------------------

ARG NODE_VERSION=22.12.0

# ---------------------------------------------------------------------------
# Base — pnpm + native build toolchain (better-sqlite3 / sharp need it)
# ---------------------------------------------------------------------------
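FROM node:${NODE_VERSION}-bookworm-slim AS base
# pnpm is activated through corepack; override with --build-arg PNPM_VERSION=…
# (stage-scoped ARG — only this stage uses it).
ARG PNPM_VERSION=9.15.0
ENV PNPM_HOME=/pnpm \
    PATH=/pnpm:$PATH
RUN corepack enable && corepack prepare "pnpm@${PNPM_VERSION}" --activate
# python3/make/g++ are here for node-gyp builds of native modules
# (better-sqlite3 / sharp). The runtime stage starts from a fresh node image
# and copies only /cial, so none of this toolchain ships in the final image.
# apt versions are not pinned (hadolint DL3008); the pinned node base tag is
# what this layer's reproducibility rests on. Packages sorted for diffability.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates \
        g++ \
        git \
        make \
        python3 \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /cial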

# ---------------------------------------------------------------------------
# Builder — install deps + build every workspace this image needs
# ---------------------------------------------------------------------------
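FROM base AS builder
# devDependencies are needed to build; the runtime stage sets production.
ENV NODE_ENV=development

COPY pnpm-workspace.yaml pnpm-lock.yaml* package.json turbo.json tsconfig.base.json eslint.config.js ./
COPY core ./core
COPY platform ./platform
COPY app ./app
COPY docs ./docs
COPY .claude ./.claude

# `false` keeps the existing behaviour (the pnpm-lock.yaml glob above makes
# the lockfile optional). Pass --build-arg PNPM_FROZEN_LOCKFILE=true in CI so
# resolved dependency versions cannot drift from pnpm-lock.yaml between
# builds — an unfrozen install is a supply-chain drift point.
ARG PNPM_FROZEN_LOCKFILE=false
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
    pnpm install --frozen-lockfile=${PNPM_FROZEN_LOCKFILE}

# Render mode-specific Claude skills. Prod is always restricted (no
# CIAL_UNRESTRICTED env), so the agent ships with the platform-only
# variants of cial:self-edit, cial:build, cial:restart.
RUN node core/scripts/render-skills.mjs .claude/skills.src .claude/skills

RUN pnpm turbo run build \
      --filter @cial/protocol \
      --filter @cial/sdk \
      --filter @cial/back \
      --filter @cial/edge \
      --filter @cial/front \
      --filter @cial/platform-back \
      --filter @cial/platform-front

# /cial/app is part of the workspace install but the tenant image never builds
# or runs it (App is a separate deploy). Drop it here, before the runtime
# stage copies /cial, so it never lands in a runtime layer — an `rm` after a
# COPY cannot shrink the image.
RUN rm -rf /cial/app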

# ---------------------------------------------------------------------------
# Runtime — two users + tini + gosu; tini is PID 1 and runs the supervisor
# ---------------------------------------------------------------------------
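FROM node:${NODE_VERSION}-bookworm-slim AS runtime

ENV NODE_ENV=production

# tini: PID 1 / signal forwarding; gosu: privilege drop for the children.
# Packages sorted for diffability.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates \
        gosu \
        tini \
 && rm -rf /var/lib/apt/lists/*

# Two Linux users (see the header). The base node image ships a `node` user at
# uid 1000 / gid 1000; drop it so `cial` can claim 1000 (keeps uids stable and
# matches the builder stage, which owns files as uid 0 → re-chowned below).
#
# Deliberately its own RUN, written as a `set -e` script: the tolerated
# userdel/groupdel failures (user already absent) are scoped to their own
# lines. Inside a single `… && … || true && …` chain, `||` binds
# left-associatively and would also swallow a failed apt-get install above,
# leaving an image without tini/gosu that only fails at container start.
RUN <<EOF
set -eu
userdel --remove node 2>/dev/null || true
groupdel node 2>/dev/null || true
groupadd --system --gid 1000 cial
useradd  --system --uid 1000 --gid 1000 --home /home/cial  --create-home --shell /bin/bash cial
groupadd --system --gid 1001 agent
useradd  --system --uid 1001 --gid 1001 --home /home/agent --create-home --shell /bin/bash agent
mkdir -p /cial /cial/data
chown cial:cial /cial/data
chmod 0700 /cial/data
EOF

# ── Claude Code CLI (Phase 5c) ─────────────────────────────────────────
# The AI sessions engine spawns the `claude` binary directly. Installing
# globally puts it on PATH for the `cial` user without per-tenant npm work.
# Per-tenant `~/.claude` (auth tokens, projects/, session-env/) lives in
# the mounted /cial/data volume so credentials survive container
# replacement.
#
# `latest` is npm's default dist-tag, i.e. what the unqualified install
# resolved to before; pass --build-arg CLAUDE_CODE_VERSION=<x.y.z> to pin it
# so the image is reproducible. The npm cache is cleared in the same layer so
# it does not ship in the image.
ARG CLAUDE_CODE_VERSION=latest
RUN npm install -g "@anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}" \
 && npm cache clean --force \
 && ln -sf /usr/local/bin/claude /usr/bin/claude

# Copy the entire built workspace (root-owned by default) so node_modules
# symlinks line up.
COPY --from=builder /cial /cial

# Lock down /cial/core to user `cial` only (mode 0700).
# Agent literally cannot enter the directory — the filesystem enforces the
# Core/Platform boundary. /cial/platform stays world-readable (go=rX) but
# only `agent` can write it.
# NOTE: the recursive chown/chmod rewrites every file into this layer, so the
# workspace is stored twice in the image (COPY layer + this one).
RUN chown -R cial:cial   /cial/core \
 && chmod -R u=rwX,go=   /cial/core \
 && chown -R agent:agent /cial/platform \
 && chmod -R u=rwX,go=rX /cial/platform \
 # /cial/app sources are copied for parity with the workspace, but the tenant
 # container never builds or runs them (App is a separate deploy). Removing
 # here only hides the directory; it does not shrink the image, because the
 # COPY layer above already holds it — drop it in the builder stage instead.
 && rm -rf /cial/app

WORKDIR /cial
# Documentation only: edge (:8080) is the single exposed port; the other
# four services are reachable only inside the container.
EXPOSE 8080
# Intentionally no USER directive: tini runs as root so the supervisor can
# drop each child to `cial` / `agent` (presumably via gosu — the supervisor
# lives outside this file; confirm nothing else keeps running as root).
ENTRYPOINT ["/usr/bin/tini", "--", "node", "/cial/core/edge/dist/supervisor.js"]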
