# ─────────────────────────────────────────────────────────────
# Sandbox Dockerfile — JavaScript/TypeScript execution
# Minimal image with strict security constraints
# ─────────────────────────────────────────────────────────────

FROM node:20-alpine

# Create sandbox user (non-root)
RUN adduser -D -u 1000 sandbox

# Create workspace
RUN mkdir -p /sandbox && chown sandbox:sandbox /sandbox

# Install TypeScript runtime
RUN npm install -g tsx typescript

# Remove package manager to prevent installs
RUN rm -rf /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack

# Switch to sandbox user
USER sandbox
WORKDIR /sandbox

# Default entrypoint
ENTRYPOINT ["sh", "-c"]