FROM python:3.12-slim

# OCI metadata for the packaging-only quickstart image.
LABEL org.opencontainers.image.title="WasteLine Quickstart" \
      org.opencontainers.image.description="Read-only cloud waste scanner — packaging-only image, installs wasteline from public PyPI" \
      org.opencontainers.image.source="https://wasteline.optimnow.io"

# Runtime interpreter and pip defaults: no .pyc files, unbuffered stdout/stderr
# for container logs, no pip download cache, no pip self-update nag.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

# OS packages, installed and cleaned up in one layer:
#   ca-certificates — HTTPS trust store for AWS, PyPI and the Anthropic API.
#   socat           — forwards 0.0.0.0:6420 -> 127.0.0.1:6420 inside the
#                     container while the dashboard command runs, so the
#                     dashboard (bound to the container loopback) is reachable
#                     through Docker's host port mapping.
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      socat \
    && rm -rf /var/lib/apt/lists/*

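# Install WasteLine from public PyPI. No source baked in. No AWS credentials
# baked in — credentials come from the runtime mount (~/.aws) and env vars.
#
# WASTELINE_VERSION pins the package for reproducible builds:
#   docker build --build-arg WASTELINE_VERSION=<version> .
# When left empty (the default) pip resolves the latest release, exactly as
# before; the `${VAR:+==$VAR}` form is shell expansion inside RUN, not
# Dockerfile substitution.
ARG WASTELINE_VERSION
RUN pip install --upgrade pip \
 && pip install "wasteline${WASTELINE_VERSION:+==${WASTELINE_VERSION}}"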

# Unprivileged runtime user. UID 1000 matches the typical first Linux desktop
# user, so a bind-mounted ./output stays writable on Linux hosts without
# chown gymnastics; Docker Desktop on macOS / Windows handles ownership
# transparently. /output is created already owned by that user (default
# 0755 mode, same as mkdir + chown under the build umask).
RUN useradd --create-home --shell /bin/bash --uid 1000 wasteline \
 && install -d -o wasteline -g wasteline /output

# Entrypoint wrapper: starts socat only when the user invokes `browser`; for
# every other subcommand it is a transparent passthrough to `wasteline`.
# The file stays root-owned so the runtime user cannot modify it. The sed
# pass strips CR line endings (e.g. from a Windows checkout) so the shebang
# still resolves; GNU sed -i preserves the mode set by chmod.
COPY entrypoint.sh /usr/local/bin/wasteline-entrypoint.sh
RUN chmod +x /usr/local/bin/wasteline-entrypoint.sh \
 && sed -i 's/\r$//' /usr/local/bin/wasteline-entrypoint.sh

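# Drop privileges for everything that runs in the container; all package
# installs above happened as root.
USER wasteline
WORKDIR /output

# Documentation only (EXPOSE publishes nothing): the dashboard port that socat
# forwards from 0.0.0.0 to the container loopback when the `browser`
# subcommand runs. It reaches the host only if the operator maps it, e.g.
# `docker run -p 6420:6420`.
EXPOSE 6420

# Exec form: the wrapper is PID 1 and receives SIGTERM from `docker stop`;
# CMD supplies the default wasteline arguments and can be overridden at run.
ENTRYPOINT ["/usr/local/bin/wasteline-entrypoint.sh"]
CMD ["--help"]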
