# ---- Stage 1: compile the Go agent ----
FROM golang:1.23.2-alpine AS builder

# ca-certificates for TLS module downloads; git for any module fetched
# directly from a VCS. --no-cache keeps the apk index out of the layer.
RUN apk add --no-cache \
        ca-certificates \
        git

WORKDIR /app

# Module manifests first: the download layer stays cached until they change.
COPY go.mod go.sum ./
RUN go mod download

# Full source tree (the runtime stage later copies ./data out of this stage).
COPY . ./

# Static, stripped binary: CGO_ENABLED=0 removes the libc dependency,
# -s -w drop symbol/DWARF tables, -trimpath removes build-host paths and
# -buildvcs=false avoids embedding VCS metadata (no .git needed in context).
RUN CGO_ENABLED=0 GOOS=linux \
    go build -ldflags="-s -w" -trimpath -buildvcs=false -o agent ./cmd/agent

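#
# Stage 2: AIG-PromptSecurity + MCP-SCAN + agent-scan runtime
#
FROM python:3.12-slim

# Telemetry opt-outs and pip cache suppression are runtime-relevant; the
# build-only DEBIAN_FRONTEND knob is passed inline in the RUN steps instead of
# being baked into the image environment.
ENV PIP_NO_CACHE_DIR=1 \
    DEEPEVAL_TELEMETRY_OPT_OUT=YES \
    DEEPTEAM_TELEMETRY_OPT_OUT=YES

WORKDIR /app

# Runtime OS packages. The apt lists are removed in the SAME layer that
# creates them; an `rm` in a later RUN would not shrink the image.
# Packages are sorted for diffability. vim is an interactive editor kept
# from the original recipe; it is not needed by the runtime and can be
# dropped for production images.
RUN set -eux; \
    export DEBIAN_FRONTEND=noninteractive; \
    apt-get update --allow-releaseinfo-change; \
    apt-get install -y --no-install-recommends \
        chromium \
        chromium-sandbox \
        curl \
        fontconfig \
        fonts-wqy-microhei \
        fonts-wqy-zenhei \
        git \
        nmap \
        tzdata \
        vim; \
    fc-cache -fv; \
    rm -rf /var/lib/apt/lists/*

# Unprivileged runtime user (fixed UID 1000 so orchestrators can verify it).
# Created BEFORE the COPYs so `COPY --chown` can be used; the previous
# trailing `chown -R agent:agent /app` re-wrote every file into a new layer,
# roughly doubling the size of the application tree in the image.
RUN useradd -m -u 1000 agent && \
    chown agent:agent /app

COPY --chown=agent:agent ./AIG-PromptSecurity /app/AIG-PromptSecurity/
COPY --chown=agent:agent ./mcp-scan /app/mcp-scan/
COPY --chown=agent:agent ./agent-scan /app/agent-scan/

# Python dependencies. The compiler toolchain is installed, used and purged
# in ONE layer: purging it in a separate RUN (as the recipe did before) only
# hides the files in a later layer while gcc/build-essential stay in the
# image. Each install runs from its own directory so relative entries in the
# requirements files resolve exactly as before. Trade-off: a change to any of
# the three source trees re-runs all three installs.
# NOTE(review): `pip install uv` is unpinned; pin it for reproducible builds.
RUN set -eux; \
    export DEBIAN_FRONTEND=noninteractive; \
    apt-get update --allow-releaseinfo-change; \
    apt-get install -y --no-install-recommends \
        build-essential \
        gcc; \
    pip install --no-cache-dir uv; \
    cd /app/AIG-PromptSecurity; \
    uv sync --no-cache; \
    cd /app/mcp-scan; \
    pip install --no-cache-dir -r requirements.txt; \
    cd /app/agent-scan; \
    pip install --no-cache-dir -r requirements.txt; \
    apt-get purge -y --auto-remove \
        build-essential \
        gcc; \
    rm -rf /var/lib/apt/lists/*; \
    # Hand over only what the installs created as root (e.g. the .venv);
    # files copied with --chown are already owned by agent and are left alone
    # so they are not duplicated in this layer.
    find /app -user root -exec chown agent:agent {} +

COPY --from=builder --chown=agent:agent /app/agent /app/agent
COPY --from=builder --chown=agent:agent /app/data /app/data

# Chromium's setuid sandbox helper must be root-owned mode 4755 to work for a
# non-root user; the recipe tries the paths the helper has been shipped at and
# tolerates none of them existing (`|| true`).
RUN chmod 4755 /usr/lib/chromium/chrome-sandbox || \
    chmod 4755 /usr/lib/chromium/chromium-sandbox || \
    chmod 4755 /usr/lib/chromium-browser/chrome-sandbox || \
    true

# Kept from the original recipe: the last WORKDIR before USER was
# /app/agent-scan, so the agent starts with that working directory.
WORKDIR /app/agent-scan

# Drop privileges for the entrypoint; all root-requiring steps are above.
USER agent

ENTRYPOINT ["/app/agent"]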
