FROM debian:bookworm-slim

ARG TARGETARCH

LABEL org.opencontainers.image.source="https://github.com/always-further/nono"
LABEL org.opencontainers.image.description="Capability-based sandboxing for untrusted AI agents"
LABEL org.opencontainers.image.licenses="Apache-2.0"

RUN groupadd -r nono && useradd -r -g nono -s /bin/bash nono && \
    apt-get update && \
    apt-get install -y --no-install-recommends libdbus-1-3 ca-certificates && \
    rm -rf /var/lib/apt/lists/*

COPY nono-${TARGETARCH} /usr/bin/nono

WORKDIR /work
USER nono
ENTRYPOINT ["nono"]
