# Devcontainer image for the scaffolded repo.
# Bakes the OS tooling (Doppler, gcloud, gh) into image layers so rebuilds hit the cache.
# Per-developer state (npm ci, git identity, auth tokens) is set up in post-create.sh,
# so no credentials are baked into the image layers.
#
# Port of dark-factory-platform's .devcontainer/Dockerfile, generalized for
# sage-blueprint consumers. Originating cycle:
# https://github.com/momentiq-ai/dark-factory-platform/blob/main/docs/roadmap/cycles/cycle13-claude-code-cloud-envs.md

# Base: Microsoft's devcontainer image for Node 22 on Debian bookworm.
# The tag is not digest-pinned, so a rebuild can pick up a newer base; add
# `@sha256:…` here if a bit-for-bit reproducible image is ever required.
FROM mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm

# The apt steps below need root; the image drops back to the non-root
# `node` user at the end of this file.
USER root

# Build-time only (ARG, not ENV): silences dpkg prompts during install
# without leaking DEBIAN_FRONTEND into the running container.
ARG DEBIAN_FRONTEND=noninteractive

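# Doppler + gcloud + gh from their official apt repos.
#
# Each vendor key is fetched to a temp file and then dearmored, rather than
# `curl | gpg --dearmor`: under the default /bin/sh the pipeline's status is
# gpg's, so a failed or truncated download is masked (hadolint DL4006) and
# only surfaces later as an apt NO_PUBKEY error. `signed-by=` scopes each key
# to its own repo instead of the global trusted.gpg. The keys are trusted on
# the strength of TLS to the vendor host; nothing here checks fingerprints —
# if stronger provenance is wanted, compare `gpg --show-keys` output against
# the fingerprint each vendor publishes.
#
# Package versions are unpinned (DL3008): acceptable for a devcontainer that
# tracks current CLI releases, but pin them if reproducible builds matter.
# `apt-transport-https` (transitional on bookworm, apt speaks https natively)
# and `lsb-release` (never referenced below) are deliberately not installed.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates curl gnupg \
 && mkdir -p /usr/share/keyrings \
 \
 && curl -sSfL -o /tmp/doppler.key https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key \
 && gpg --batch --yes --dearmor -o /usr/share/keyrings/doppler-archive-keyring.gpg /tmp/doppler.key \
 && echo "deb [signed-by=/usr/share/keyrings/doppler-archive-keyring.gpg] https://packages.doppler.com/public/cli/deb/debian any-version main" \
      > /etc/apt/sources.list.d/doppler-cli.list \
 \
 && curl -sSfL -o /tmp/google.key https://packages.cloud.google.com/apt/doc/apt-key.gpg \
 && gpg --batch --yes --dearmor -o /usr/share/keyrings/cloud.google.gpg /tmp/google.key \
 && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
      > /etc/apt/sources.list.d/google-cloud-sdk.list \
 \
 && curl -sSfL -o /tmp/github.key https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 && gpg --batch --yes --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg /tmp/github.key \
 && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
      > /etc/apt/sources.list.d/github-cli.list \
 \
 # apt reads signed-by keyrings as the unprivileged _apt user; make the mode
 # explicit instead of relying on the build-time umask, and drop the temp keys.
 && chmod 0644 /usr/share/keyrings/doppler-archive-keyring.gpg \
               /usr/share/keyrings/cloud.google.gpg \
               /usr/share/keyrings/githubcli-archive-keyring.gpg \
 && rm -f /tmp/doppler.key /tmp/google.key /tmp/github.key \
 \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
      doppler google-cloud-cli gh \
 && rm -rf /var/lib/apt/lists/*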

# Subscription critics (codex / cursor-agent) are intentionally NOT installed —
# their OAuth login flow needs a browser the container cannot open, and the
# usual workaround (mounting host Keychain state) is explicitly discouraged by
# Anthropic's devcontainer docs.
# In this env, the hosted W3 critic is the merge gate via branch protection.
# See docs/runbooks/RUNBOOK-claude-code-cloud-envs.md § Push from a cloud env.

# Drop root before the image is used: the developer shell and post-create.sh
# run as `node`. NOTE(review): `node` is not created in this file — assumed to
# be the non-root user the devcontainer base image provides; confirm if the
# base image changes.
USER node
