# Reference image for `super factory run` — autonomous mode.
#
# The image bundles:
#   * Node 22 + pnpm + the @super-repo/cli + @super-repo/factory binaries
#   * git, gh, openssh-client (commit signing + push + GitHub API)
#   * a non-root `factory` user (uid 10001)
#   * a default git config wired for SSH commit signing under the
#     `interc0der` identity. Override at runtime with -e GIT_USER_NAME / -e GIT_USER_EMAIL.
#
# Private SSH keys are NEVER baked into the image. At runtime, mount the
# host's SSH agent socket (preferred) or the host's ~/.ssh dir read-only.
# See docker/compose.example.yml for both patterns.

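FROM node:22-bookworm-slim AS base

# Version of the @super-repo packages installed below. The default `latest`
# is not reproducible (two builds can yield different binaries); pass
# --build-arg FACTORY_VERSION=<x.y.z> for a pinned build. The base tag is
# likewise not digest-pinned.
ARG FACTORY_VERSION=latest

# OS tooling + GitHub CLI (from GitHub's apt repo, verified via its keyring)
# + the factory binaries via pnpm, all in one layer so that:
#   * every apt-get update is paired with its install (no stale index cached),
#   * the apt lists are removed in the same layer that created them.
# The gh keyring is written with `curl -o` rather than piped into dd: under
# /bin/sh a pipe would mask a curl failure and leave an empty keyring behind,
# whereas `-f -o` makes a failed download abort the build.
# Debian package versions are not pinned here (hadolint DL3008).
# NOTE(review): `pnpm add -g` runs as root; confirm the global bin directory
# it selects is on PATH for the non-root `factory` user that later runs CMD.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
      gnupg \
      openssh-client \
 && curl -fsSL -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
      https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 && chmod 0644 /usr/share/keyrings/githubcli-archive-keyring.gpg \
 && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
      > /etc/apt/sources.list.d/github-cli.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends gh \
 && rm -rf /var/lib/apt/lists/* \
 && corepack enable \
 && corepack prepare pnpm@10.33.0 --activate \
 && pnpm add -g "@super-repo/cli@${FACTORY_VERSION}" "@super-repo/factory@${FACTORY_VERSION}"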

# Dedicated non-root runtime user. The fixed uid/gid (10001) keeps file
# ownership stable across hosts when /workspace is bind-mounted.
RUN groupadd -g 10001 factory \
 && useradd -u 10001 -g 10001 -m -s /bin/bash factory

# Git identity + SSH signing config baked into /etc/gitconfig (system level)
# so it applies regardless of which user runs commands. Override at runtime
# via env vars (see entrypoint.sh).
#
# Only *public* material is referenced: signingkey points at a public key
# file and allowedSignersFile at the signature-verification list, both under
# /etc/factory. Nothing in this Dockerfile creates either file; they are
# presumably supplied at runtime (entrypoint.sh or a mount — confirm). Since
# commit.gpgsign and tag.gpgsign are both forced on, commits and tags fail
# until a key and an SSH agent/key are available.
# NOTE(review): /etc/factory is owned by the unprivileged `factory` user, so
# the runtime process can rewrite allowed_signers; if the entrypoint does not
# need write access there, root ownership with mode 0755 would be tighter.
RUN install -d -o factory -g factory /etc/factory \
 && cat > /etc/gitconfig <<'EOF'
[user]
    name = interc0der
    email = 86900618+interc0der@users.noreply.github.com
    signingkey = /etc/factory/signing.pub
[gpg]
    format = ssh
[gpg "ssh"]
    allowedSignersFile = /etc/factory/allowed_signers
[commit]
    gpgsign = true
[tag]
    gpgsign = true
[init]
    defaultBranch = main
EOF

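# Entrypoint script. The executable bit is set at copy time (BuildKit
# --chmod, already required by the heredoc RUN above) instead of a follow-up
# chmod, which would duplicate the file in an extra layer.
# /workspace is pre-created and owned by the runtime user so a bind mount
# or a fresh container both start writable without root.
COPY --chmod=0755 entrypoint.sh /usr/local/bin/factory-entrypoint
RUN install -d -o factory -g factory /workspace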

# Drop privileges: everything from here on, including the entrypoint, runs
# as the unprivileged factory user (uid 10001) created above.
USER factory
WORKDIR /workspace

# Runtime environment. SUPER_FACTORY_HOME is pointed at the bind-mountable
# /workspace (presumably where the factory keeps its state — confirm against
# the CLI); NODE_OPTIONS silences Node's process warnings.
ENV SUPER_FACTORY_HOME=/workspace \
    NODE_OPTIONS=--no-warnings

# Exec form so factory-entrypoint is PID 1 and receives docker stop's SIGTERM
# directly; CMD holds the default arguments and can be overridden at run time.
ENTRYPOINT ["/usr/local/bin/factory-entrypoint"]
CMD ["super", "factory", "run"]
