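# Image for the uvicorn-served application (main:app) together with the
# command-line tools its agents execute inside the container.
# NOTE(review): the base tag is mutable; for reproducible builds pin it by
# digest (python:3.11-slim@sha256:<digest>) and bump it deliberately.
FROM python:3.11-slim

WORKDIR /app

# Unprivileged runtime account with a fixed numeric UID.
RUN useradd -m -u 1000 user

# Dev tools agents will exec — gh CLI, ripgrep, pandoc added Sprint 6
# The GitHub CLI keyring is written with `curl -o` instead of being piped into
# `dd`: under /bin/sh a pipeline reports only the last command's status, so a
# failed download would leave an empty keyring without failing this step.
# NOTE(review): the key is trusted on the strength of HTTPS alone; consider
# checking it against a fingerprint recorded in the repository.
RUN apt-get update && apt-get install -y --no-install-recommends \
        bash \
        curl \
        git \
        nodejs \
        npm \
        pandoc \
        ripgrep \
        wget \
    && curl -fsSL -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
        https://cli.github.com/packages/githubcli-archive-keyring.gpg \
    && chmod 0644 /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
        > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update && apt-get install -y --no-install-recommends gh \
    && rm -rf /var/lib/apt/lists/*

# Dependencies are installed before the source is copied so this layer stays
# cached until requirements.txt changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# NOTE(review): this copies the whole build context and no .dockerignore is
# visible here; confirm that .git, .env files and any local .vault_history
# directory are excluded from the context.
COPY . .

# Create the writable working directories and hand /app to the runtime user.
# NOTE(review): the recursive chown also makes the application code writable by
# the account that runs agent-invoked tools. If only workspace/ and
# .vault_history need writes, narrowing the chown to those paths would keep the
# code read-only at runtime.
RUN mkdir -p workspace/code workspace/reports workspace/scratch workspace/shared \
        .vault_history \
    && chown -R user:user /app

# Everything from here on, including the server process, runs unprivileged.
USER user

# Documentation only; the port is published at run time.
EXPOSE 7860

# Exec form, so uvicorn is started directly rather than through a shell.
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "7860"]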