FROM python:3.12-slim

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /app

# System deps: git (worktrees, branches), curl (healthcheck), jq (agent bash),
# openssh-client (optional SSH git), gh CLI (draft PRs)
RUN apt-get update && apt-get install -y --no-install-recommends \
    git curl openssh-client jq nodejs npm && \
    # Install GitHub CLI
    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
        | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
        | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
    apt-get update && apt-get install -y --no-install-recommends gh && \
    # Install OpenCode CLI v1.2+ for opencode provider (with run --model support)
    curl -fsSL https://opencode.ai/install | bash && \
    # Install Codex CLI for codex runtime provider
    npm install -g @openai/codex && \
    codex_path="$(command -v codex)" && \
    mv "${codex_path}" /usr/local/bin/codex-real && \
    printf '%s\n' \
    '#!/usr/bin/env bash' \
    'set -euo pipefail' \
    '' \
    'auth_mode="${SWE_CODEX_AUTH_MODE:-auto}"' \
    '' \
    'case "${auth_mode}" in' \
    '  chatgpt)' \
    '    unset OPENAI_API_KEY' \
    '    ;;' \
    '  api_key)' \
    '    if [ -z "${OPENAI_API_KEY:-}" ]; then' \
    '      echo "SWE_CODEX_AUTH_MODE=api_key requires OPENAI_API_KEY to be set" >&2' \
    '      exit 2' \
    '    fi' \
    '    ;;' \
    '  auto)' \
    '    ;;' \
    '  *)' \
    '    echo "Invalid SWE_CODEX_AUTH_MODE: ${auth_mode}. Expected one of: auto, chatgpt, api_key" >&2' \
    '    exit 2' \
    '    ;;' \
    'esac' \
    '' \
    'exec /usr/local/bin/codex-real "$@"' \
    > /usr/local/bin/codex && \
    chmod +x /usr/local/bin/codex && \
    rm -rf /var/lib/apt/lists/*

# Add OpenCode to PATH for non-interactive shells
ENV PATH="/root/.opencode/bin:${PATH}"

# Tell OpenCode to read its model AND small_model from the deployer's
# HARNESS_MODEL env var via {env:...} interpolation. Without this config,
# OpenCode auto-selects a small_model from whatever providers it finds
# keys for — landing on DeepSeek V3.1 in our environment, bypassing every
# env var the deployer set. Per-call -m on `opencode run` pins the main
# model regardless; small_model is what falls through to config, so it
# has to honor the same env var the rest of the stack uses.
#
# Default HARNESS_MODEL inside the image so a fresh container with no
# env override has *some* value to interpolate. Railway / docker-compose
# overrides win because their env injects after the image's ENV.
ENV HARNESS_MODEL=openrouter/moonshotai/kimi-k2.6
RUN mkdir -p /root/.config/opencode && \
    echo '{"$schema":"https://opencode.ai/config.json","model":"{env:HARNESS_MODEL}","small_model":"{env:HARNESS_MODEL}","provider":{"openrouter":{"options":{"apiKey":"{env:OPENROUTER_API_KEY}"}}}}' \
    > /root/.config/opencode/opencode.json

# Git identity — env vars take highest precedence and are inherited by all
# subprocesses including Claude Code agent instances spawned by the SDK
ENV GIT_AUTHOR_NAME="SWE-AF" \
    GIT_AUTHOR_EMAIL="eng@agentfield.ai" \
    GIT_COMMITTER_NAME="SWE-AF" \
    GIT_COMMITTER_EMAIL="eng@agentfield.ai"

# Configure git identity and use gh CLI as credential helper so all git
# HTTPS operations (clone, push, fetch) authenticate via GH_TOKEN at runtime.
RUN git config --global user.name "SWE-AF" && \
    git config --global user.email "eng@agentfield.ai" && \
    gh auth setup-git --hostname github.com --force

# Install uv for fast package installation
RUN pip install --no-cache-dir uv

# Install project dependencies
COPY requirements-docker.txt /app/requirements.txt
RUN uv pip install --system -r /app/requirements.txt

# Copy application code
COPY . /app/

# Pre-create /workspaces so named-volume mounts inherit correct permissions
# (without this, Docker creates it as root read-only on fresh deployments)
RUN mkdir -p /workspaces && chmod 777 /workspaces

EXPOSE 8003

ENV PORT=8003 \
    AGENTFIELD_SERVER=http://control-plane:8080 \
    NODE_ID=swe-planner

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD curl -f http://localhost:${PORT}/health || exit 1

CMD ["python", "-m", "swe_af"]
