FROM node:20-slim

# Install ripgrep (used by search_code tool) and git
RUN apt-get update && apt-get install -y --no-install-recommends \
    ripgrep \
    git \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Install dependencies first (layer cache)
COPY package*.json ./
RUN npm ci --omit=dev

# Copy compiled output (build before docker build, or use multi-stage)
COPY dist/ ./dist/

# Create workspace dir and non-root user
RUN useradd -r -m -s /bin/bash agent && \
    mkdir -p /workspaces && \
    chown -R agent:agent /workspaces /app

USER agent

EXPOSE 3333

ENV NODE_ENV=production
ENV PORT=3333

CMD ["node", "dist/server.js"]