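# ---- Build stage: compile the compliance-agent binary ----
FROM rust:1.94-bookworm AS builder
WORKDIR /app
# The whole build context is copied here; keep .git, .env files and key material
# out of it with a .dockerignore so they never enter a build layer.
COPY . .
RUN cargo build --release -p compliance-agent

# ---- Runtime stage: agent binary plus the scanners it shells out to ----
FROM debian:bookworm-slim

# Without pipefail a failed or truncated download in `curl ... | sh` is masked by
# the exit status of the consuming command and the build continues.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# NOTE(review): recommended packages are left enabled because trimming them may
# drop tools used at runtime (e.g. the SSH client pulled in alongside git);
# confirm what is needed before switching to --no-install-recommends.
RUN apt-get update && apt-get install -y \
        ca-certificates \
        curl \
        git \
        golang-go \
        libssl3 \
        npm \
        php-cli \
        python3 \
        python3-pip \
    && rm -rf /var/lib/apt/lists/*

# Install Cargo (minimal, for cargo metadata / cargo audit / generate-lockfile)
# NOTE(review): both the rustup script and the "stable" toolchain are unpinned, so
# two builds of this file can ship different compilers; pin a toolchain version.
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
    | sh -s -- -y --default-toolchain stable --profile minimal
ENV PATH="/root/.cargo/bin:${PATH}"
# --locked builds cargo-audit against the dependency versions in its published
# Cargo.lock rather than whatever resolves on build day.
# NOTE(review): the cargo-audit version itself is still unpinned.
RUN cargo install --locked cargo-audit

# Install Composer for PHP dependency resolution
# The installer is saved to disk and checked against the SHA-384 published by the
# Composer project before it is executed, instead of being piped straight into php.
RUN expected_sig="$(curl --proto '=https' --tlsv1.2 -fsSL https://composer.github.io/installer.sig)" \
    && curl --proto '=https' --tlsv1.2 -fsSL -o /tmp/composer-setup.php https://getcomposer.org/installer \
    && echo "${expected_sig}  /tmp/composer-setup.php" | sha384sum -c - \
    && php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer \
    && rm -f /tmp/composer-setup.php

# Install Bundler for Ruby dependency resolution
RUN apt-get update && apt-get install -y ruby \
    && rm -rf /var/lib/apt/lists/* \
    && gem install bundler --no-document

# Install syft for SBOM generation
# NOTE(review): install.sh is taken from the moving `main` branch and installs the
# latest release. Pin the script to a release tag and pass an explicit syft
# version so a change upstream cannot silently alter this image.
RUN curl --proto '=https' --tlsv1.2 -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \
    | sh -s -- -b /usr/local/bin

# Install gitleaks for secret detection
# The version is pinned, but the archive is unpacked without an integrity check.
# NOTE(review): record the SHA-256 of this tarball and verify it with
# `sha256sum -c` before extraction.
RUN curl --proto '=https' --tlsv1.2 -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
    | tar -xz -C /usr/local/bin gitleaks

# Install semgrep for static analysis
# NOTE(review): semgrep and ruff are unpinned; pin versions for reproducible scans.
RUN pip3 install --no-cache-dir --break-system-packages semgrep

# Install ruff for Python linting
RUN pip3 install --no-cache-dir --break-system-packages ruff

COPY --from=builder /app/target/release/compliance-agent /usr/local/bin/compliance-agent

# Copy documentation for the help chat assistant
COPY --from=builder /app/README.md /app/README.md
COPY --from=builder /app/docs /app/docs
ENV HELP_DOCS_PATH=/app

# Ensure SSH key directory exists; owner-only access because it is meant to hold
# private keys.
RUN mkdir -p /data/compliance-scanner/ssh \
    && chmod 700 /data/compliance-scanner/ssh

EXPOSE 3001 3002

# NOTE(review): no USER is set, so the agent and every tool it launches run as
# root. Switching to a dedicated account also requires moving the cargo toolchain
# out of /root/.cargo and making /data writable for that account.
ENTRYPOINT ["compliance-agent"]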