FROM node:20-alpine

# Install runtime dependencies
RUN apk add --no-cache \
        git \
        curl \
        ca-certificates \
        bash \
        ttyd

# Entrypoint used by the webui service (ttyd wrapping claude)
COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh

# Create non-root user (node:20-alpine reserves gid/uid 1000 for the node user)
RUN addgroup -g 1001 claude \
    && adduser -u 1001 -G claude -s /bin/bash -D claude

# Install Claude Code globally (runs as root for npm -g, then drops)
RUN npm install -g @anthropic-ai/claude-code

# Workspace and Claude config dir — both owned by claude user.
# Pre-creating ~/.claude ensures the named volume is initialised with the
# correct ownership when first mounted (Docker copies image content into
# an empty named volume on first use).
RUN mkdir -p /workspace /home/claude/.claude \
    && chown -R claude:claude /workspace /home/claude/.claude

USER claude
WORKDIR /workspace

# Proxy traffic through sidecar — override at runtime if needed
ENV HTTP_PROXY=http://proxy:3128
ENV HTTPS_PROXY=http://proxy:3128
ENV ALL_PROXY=http://proxy:3128
ENV NO_PROXY=localhost,127.0.0.1

ENTRYPOINT ["claude"]