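# Runtime image bundling the Codex and OpenCode CLIs with a set of common
# command-line tools; processes run as the unprivileged `lionclaw` user under
# tini.
#
# NOTE(review): `node:22-bookworm-slim` is a mutable tag and the apt packages
# below are unversioned, so only the two CLI versions are actually pinned. For
# a fully reproducible image, also pin the base by digest, e.g.
#   FROM node:22-bookworm-slim@sha256:<DIGEST-PLACEHOLDER>
FROM node:22-bookworm-slim

# Everything installed here is available to whatever runs inside the
# container (network clients such as curl/git/ssh included), so keep the list
# limited to what the runtime needs.
# DEBIAN_FRONTEND is set inline so it does not leak into the runtime
# environment; the apt lists are removed in the same layer that created them.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        bash \
        ca-certificates \
        curl \
        ffmpeg \
        file \
        git \
        jq \
        less \
        lsof \
        openssh-client \
        poppler-utils \
        procps \
        python3 \
        python3-pip \
        python3-venv \
        ripgrep \
        tini \
        tree \
        unzip \
        xz-utils \
        zip \
        zstd \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Pin exact, current CLI versions instead of mutable `latest`/`stable` tags so
# the runtime image stays reproducible while still tracking the current tested
# host/runtime contract.
# Declared after the OS package layer so that a CLI version bump does not
# invalidate that layer's build cache.
ARG CODEX_VERSION=0.130.0
ARG OPENCODE_VERSION=1.4.6

# Only the top-level package versions are pinned: with no lockfile, their
# transitive dependencies are resolved from the registry at build time.
# The npm download cache is cleared in the same layer so it is not shipped in
# the image.
RUN npm install -g \
    "@openai/codex@${CODEX_VERSION}" \
    "opencode-ai@${OPENCODE_VERSION}" \
    && npm cache clean --force

# Dedicated unprivileged account; everything below runs as this user.
# NOTE(review): no explicit UID is requested, so the number is whatever
# useradd allocates. Set a stable --uid if the runtime enforces a numeric
# non-root UID or bind-mount ownership has to match the host.
RUN useradd --create-home --shell /bin/bash lionclaw

USER lionclaw
# NOTE(review): WORKDIR creates /workspace if it does not exist; who owns the
# created directory can depend on the builder in use. Confirm `lionclaw` can
# write to it, or that it is always supplied as a mount at run time.
WORKDIR /workspace
# tini runs as PID 1 to forward signals and reap zombie processes. No CMD is
# set in this file, so the caller is expected to pass the command to run.
ENTRYPOINT ["/usr/bin/tini", "--"]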
