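# NOTE(review): ubuntu:22.04 is a mutable tag. For reproducible, auditable
# builds, pin the base by digest as well (ubuntu:22.04@sha256:<digest>).
FROM ubuntu:22.04

# Build-time only. ARG keeps apt non-interactive for every RUN in this stage
# without baking the setting into the runtime environment of the container.
ARG DEBIAN_FRONTEND=noninteractive

# Install the base packages that the later build steps rely on.
# /var/cache/apt and /var/lib/apt are BuildKit cache mounts, so package lists
# and downloads live on the build host and never land in an image layer.
# No cleanup is needed here: deleting /var/lib/apt/lists/* would only empty
# the shared cache, not shrink the image.
# NOTE(review): the stock Ubuntu image ships an apt "docker-clean" hook that
# discards downloaded .deb files, so the /var/cache/apt mount may stay mostly
# empty. Confirm whether that hook should be disabled for these cached steps.
RUN --mount=type=cache,target=/var/cache/apt,id=apt-cache-ubuntu-22.04,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,id=apt-lib-ubuntu-22.04,sharing=locked \
    set -eu; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
      bash \
      ca-certificates \
      curl \
      git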

# Unprivileged account the container runs as. The name is kept in ENV so that
# runtime scripts can read it too.
# useradd creates the home directory and sets bash as the login shell.
ENV AGENT_USER=agent
RUN useradd --create-home --shell /bin/bash "${AGENT_USER}"

# Build argument: comma-separated feature names to enable
# (e.g., "python,web-proxy,claude-code").
ARG FEATURES=""

# FEATURES is re-exported as ENV so the entrypoint sees the same list at runtime.
# The value is recorded in the image configuration and build history, so it
# must only ever carry feature names, never credentials or tokens.
# PIP_DEFAULT_TIMEOUT raises pip's default timeout to 120 seconds to handle the
# Playwright download.
ENV FEATURES="${FEATURES}" \
    PIP_DEFAULT_TIMEOUT=120

# Helper scripts are copied with mode 0755 so they can be executed directly.
COPY --chmod=0755 scripts/*.sh /opt/scripts/

# Layout of every directory under features/:
#   - install.sh   (idempotent build-time installer; no +x required)
#   - start.sh     (optional runtime script; no +x required)
#   - env          (optional environment variables; sourced by entrypoint)
#   - files/       (optional; copied into / at build if present)
COPY features/ /opt/features/

# Run the feature installers. This step executes before USER is switched, so it
# runs as root: everything under features/ and scripts/ is trusted build input
# and should be reviewed like any other privileged code.
# The BuildKit cache mounts let apt/pip/npm downloads be reused between builds
# without being written into an image layer.
RUN --mount=type=cache,target=/root/.npm,id=npm-cache,sharing=locked \
    --mount=type=cache,target=/root/.cache/pip,id=pip-cache,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,id=apt-lib-ubuntu-22.04,sharing=locked \
    --mount=type=cache,target=/var/cache/apt,id=apt-cache-ubuntu-22.04,sharing=locked \
    /opt/scripts/install-features.sh

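# Set up the workspace directory. WORKDIR creates /workspace owned by root, so
# ownership is handed to the unprivileged account.
# The owner is taken from AGENT_USER rather than a hard-coded name, so this
# step cannot drift from the account created by useradd. useradd's default
# per-user group shares the user's name.
WORKDIR /workspace
RUN chown -R "${AGENT_USER}:${AGENT_USER}" /workspace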

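# Install inspect_tool_support with browser installation disabled
RUN /opt/scripts/install-python.sh

# Optional version pin. When left empty (the default) pip resolves the newest
# release, exactly as before. Pass
#   --build-arg INSPECT_TOOL_SUPPORT_VERSION=<version>
# to make the build reproducible and to control when a new upstream release
# enters the image. This install runs as root, so an unpinned package is a
# supply-chain exposure.
ARG INSPECT_TOOL_SUPPORT_VERSION=""

# The pip cache mount matches the one used by the feature installers, so the
# download cache is shared between steps and stays out of the image layer.
RUN --mount=type=cache,target=/root/.cache/pip,id=pip-cache,sharing=locked \
    pip install "inspect-tool-support${INSPECT_TOOL_SUPPORT_VERSION:+==${INSPECT_TOOL_SUPPORT_VERSION}}" && \
    inspect-tool-support post-install --no-web-browser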

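# Set up git configuration.
# This step runs as root, so --global would write /root/.gitconfig, which the
# unprivileged runtime user never reads. --system writes /etc/gitconfig, which
# applies to every account in the image, root included.
# NOTE(review): safe.directory turns off git's ownership check for /workspace.
# Repository-local config and hooks from whatever is mounted or cloned there
# are then trusted, so only place repositories you control in /workspace.
RUN git config --system user.email "agent@refactor-dev.local" && \
    git config --system user.name "Refactor Dev Agent" && \
    git config --system --add safe.directory /workspace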

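# The entrypoint sources the features' `env` files at container start (not at
# build), so the environment is conditional on the enabled features.
# It is copied without --chown, so it stays root-owned with mode 0755: the
# runtime user can execute it but not modify it.
COPY --chmod=0755 entrypoint.sh /usr/local/bin/entrypoint.sh

# Drop privileges for everything that runs in the container. The name comes
# from AGENT_USER so it always matches the account created earlier.
# NOTE(review): runtimes that enforce a non-root policy by numeric UID need a
# fixed UID on the account. Confirm whether that applies to this image.
USER ${AGENT_USER}

# Exec form keeps the entrypoint as PID 1 so it receives stop signals directly.
# The default command only keeps the container alive.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["tail", "-f", "/dev/null"]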
