FROM node:22-bookworm

# Install Bun (required for build scripts)
RUN curl -fsSL https://bun.sh/install | bash
ENV PATH="/root/.bun/bin:${PATH}"

RUN corepack enable

WORKDIR /app

ARG OPENCLAW_DOCKER_APT_PACKAGES=""
RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \
      apt-get update && \
      DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $OPENCLAW_DOCKER_APT_PACKAGES && \
      apt-get clean && \
      rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
    fi

COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
COPY ui/package.json ./ui/package.json
COPY patches ./patches
COPY scripts ./scripts

RUN pnpm install --frozen-lockfile

COPY . .
RUN OPENCLAW_A2UI_SKIP_MISSING=1 pnpm build
# Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
ENV OPENCLAW_PREFER_PNPM=1
RUN pnpm ui:build

ENV NODE_ENV=production
ENV OPENCLAW_SKIP_CHANNELS=1
ENV CLAWDBOT_SKIP_CHANNELS=1
ENV OPENCLAW_GATEWAY_BIND=lan

# Security hardening: Run as non-root user
# The node:22-bookworm image includes a 'node' user (uid 1000)
# This reduces the attack surface by preventing container escape via root privileges
USER node

EXPOSE 7860
CMD ["bash", "-lc", "if [ -z \"${OPENCLAW_GATEWAY_TOKEN:-}\" ]; then echo \"Missing OPENCLAW_GATEWAY_TOKEN. Set it in Hugging Face Space Secrets.\" >&2; exit 1; fi; STATE_DIR=\"${OPENCLAW_STATE_DIR:-/tmp/openclaw}\"; mkdir -p \"$STATE_DIR\"; export OPENCLAW_STATE_DIR=\"$STATE_DIR\"; PORT_VALUE=\"${PORT:-7860}\"; export OPENCLAW_GATEWAY_PORT=\"$PORT_VALUE\"; node openclaw.mjs gateway --allow-unconfigured --port \"$PORT_VALUE\" --bind \"${OPENCLAW_GATEWAY_BIND:-lan}\""]