# 核心镜像：Node 22 slim 保证了环境的现代性与轻量化
FROM node:22-slim

# 1. 安装系统依赖
# 包含：git (拉取依赖), openssh-client (解决构建报错), build-essential/g++/make (编译原生模块), python3 (运行同步脚本)
# 新增：curl, chromium (浏览器工具支持), 以及运行 Chromium 所需的库, tzdata (设置时区)
RUN apt-get update && apt-get install -y --no-install-recommends \
    git openssh-client build-essential python3 python3-pip \
    g++ make ca-certificates curl chromium tzdata \
    libnss3 libatk1.0-0 libatk-bridge2.0-0 libcups2 libdrm2 \
    libxcomposite1 libxdamage1 libxext6 libxfixes3 libxrandr2 \
    libgbm1 libasound2 libpangocairo-1.0-0 libpango-1.0-0 \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && echo "Asia/Shanghai" > /etc/timezone \
    && rm -rf /var/lib/apt/lists/*

# 2. 安装 Hugging Face 命令行工具
RUN pip3 install --no-cache-dir huggingface_hub --break-system-packages

# 3. 构建环境优化
# 修复 Git 证书问题并将所有 SSH 协议重定向为 HTTPS
RUN update-ca-certificates && \
    git config --global http.sslVerify false && \
    git config --global url."https://github.com/".insteadOf ssh://git@github.com/

# 4. 全局安装 OpenClaw
ENV HOME=/root
RUN npm install -g openclaw@latest zod --unsafe-perm

# 5. 设置环境变量
ENV PORT=7860 \
    OPENCLAW_GATEWAY_MODE=local \
    OPENCLAW_BROWSER_PATH=/usr/bin/chromium

# 6. 核心同步引擎 (sync.py)
# 针对 OpenClaw 新版 MEMORY.md 机制进行了全路径覆盖
RUN echo 'import os, sys, tarfile\n\
from huggingface_hub import HfApi, hf_hub_download\n\
from datetime import datetime, timedelta\n\
api = HfApi()\n\
repo_id = os.getenv("HF_DATASET")\n\
token = os.getenv("HF_TOKEN")\n\
\n\
def restore():\n\
    try:\n\
        print(f"--- [SYNC] 启动恢复流程, 目标仓库: {repo_id} ---")\n\
        if repo_id and token:\n\
            files = api.list_repo_files(repo_id=repo_id, repo_type="dataset", token=token)\n\
            now = datetime.now()\n\
            found = False\n\
            for i in range(5):\n\
                day = (now - timedelta(days=i)).strftime("%Y-%m-%d")\n\
                name = f"backup_{day}.tar.gz"\n\
                if name in files:\n\
                    print(f"--- [SYNC] 发现备份文件: {name}, 正在下载... ---")\n\
                    path = hf_hub_download(repo_id=repo_id, filename=name, repo_type="dataset", token=token)\n\
                    with tarfile.open(path, "r:gz") as tar: tar.extractall(path="/root/.openclaw/")\n\
                    print(f"--- [SYNC] 恢复成功! 数据已覆盖至 /root/.openclaw/ ---")\n\
                    found = True; break\n\
            if not found: print("--- [SYNC] 未找到最近 5 天的备份包 ---")\n\
        else: print("--- [SYNC] 跳过恢复: 未配置 HF_DATASET 或 HF_TOKEN ---")\n\
\n\
        # 强制清理所有残留的 .lock 文件，防止 session 锁定错误\n\
        count = 0\n\
        for root, _, fs in os.walk("/root/.openclaw/"):\n\
            for f in fs:\n\
                if f.endswith(".lock"):\n\
                    try:\n\
                        os.remove(os.path.join(root, f))\n\
                        count += 1\n\
                    except: pass\n\
        if count > 0: print(f"--- [SYNC] 已清理 {count} 个残留的锁定文件 ---")\n\
        return True\n\
    except Exception as e: print(f"--- [SYNC] 恢复异常: {e} ---")\n\
\n\
def backup():\n\
    try:\n\
        day = datetime.now().strftime("%Y-%m-%d")\n\
        name = f"backup_{day}.tar.gz"\n\
        print(f"--- [SYNC] 正在执行全量备份: {name} ---")\n\
        def lock_filter(tarinfo):\n\
            if tarinfo.name.endswith(".lock"): return None\n\
            return tarinfo\n\
        with tarfile.open(name, "w:gz") as tar:\n\
            for target in ["sessions", "workspace", "agents", "memory", "plugins", "openclaw.json"]:\n\
                full_path = f"/root/.openclaw/{target}"\n\
                if os.path.exists(full_path):\n\
                    tar.add(full_path, arcname=target, filter=lock_filter)\n\
        api.upload_file(path_or_fileobj=name, path_in_repo=name, repo_id=repo_id, repo_type="dataset", token=token)\n\
        print(f"--- [SYNC] 备份上传成功! ---")\n\
    except Exception as e: print(f"--- [SYNC] 备份失败: {e} ---")\n\
\n\
if __name__ == "__main__":\n\
    if len(sys.argv) > 1 and sys.argv[1] == "backup": backup()\n\
    else: restore()' > /usr/local/bin/sync.py

# 7. 容器入口脚本 (start-openclaw)
# 负责恢复数据 -> 生成配置 -> 启动网关 -> 定时备份
RUN echo "#!/bin/bash\n\
set -e\n\
mkdir -p /root/.openclaw/sessions\n\
mkdir -p /root/.openclaw/workspace\n\
mkdir -p /root/.openclaw/plugins\n\
mkdir -p /root/.openclaw/agents/main/sessions\n\
mkdir -p /root/.openclaw/credentials\n\
ln -s /root/.openclaw/workspace /root/.openclaw/memory\n\
chmod 700 /root/.openclaw\n\
\n\
# 启动前执行数据恢复\n\
python3 /usr/local/bin/sync.py restore\n\
\n\
# 设置 CLI 认证 Token\n\
export OPENCLAW_GATEWAY_TOKEN=\"\$OPENCLAW_GATEWAY_PASSWORD\"\n\
\n\
# 清理 API Base 地址\n\
CLEAN_BASE=\$(echo \"\$OPENAI_API_BASE\" | sed \"s|/chat/completions||g\" | sed \"s|/v1/|/v1|g\" | sed \"s|/v1\$|/v1|g\")\n\
\n\
# 生成 openclaw.json 配置文件\n\
cat > /root/.openclaw/openclaw.json <<EOF\n\
{\n\
  \"models\": {\n\
    \"mode\": \"merge\",\n\
    \"providers\": {\n\
      \"cliproxy\": {\n\
        \"baseUrl\": \"\$OPENAI_API_BASE\",\n\
        \"apiKey\": \"\$OPENAI_API_KEY\",\n\
        \"api\": \"openai-completions\",\n\
        \"models\": [\n\
          {\"id\": \"gemini-2.5-pro\", \"name\": \"gemini-2.5-pro\", \"contextWindow\": 200000, \"maxTokens\": 8192},\n\
          {\"id\": \"gemini-2.5-flash\", \"name\": \"gemini-2.5-flash\", \"contextWindow\": 200000, \"maxTokens\": 8192},\n\
          {\"id\": \"gemini-3-flash-preview\", \"name\": \"gemini-3-flash-preview\", \"contextWindow\": 200000, \"maxTokens\": 8192},\n\
          {\"id\": \"gemini-3-pro-preview\", \"name\": \"gemini-3-pro-preview\", \"contextWindow\": 200000, \"maxTokens\": 8192}\n\
        ]\n\
      }\n\
    }\n\
  },\n\
  \"agents\": {\n\
    \"defaults\": {\n\
      \"model\": {\"primary\": \"cliproxy/gemini-3-flash-preview\", \"fallbacks\": [\"cliproxy/gemini-3-pro-preview\"]},\n\
      \"workspace\": \"~/.openclaw/workspace\"\n\
    }\n\
  },\n\
  \"gateway\": {\n\
    \"mode\": \"local\", \"bind\": \"lan\", \"port\": \$PORT,\n\
    \"trustedProxies\": [\"0.0.0.0/0\", \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"],\n\
    \"auth\": { \"mode\": \"token\", \"token\": \"\$OPENCLAW_GATEWAY_PASSWORD\" },\n\
    \"controlUi\": { \"allowInsecureAuth\": true }\n\
  },\n\
  \"channels\": {\n\
    \"feishu\": {\n\
      \"enabled\": \${FEISHU_ENABLED:-false},\n\
      \"appId\": \"\$FEISHU_APP_ID\",\n\
      \"appSecret\": \"\$FEISHU_APP_SECRET\",\n\
      \"domain\": \"\${FEISHU_DOMAIN:-feishu}\",\n\
      \"connectionMode\": \"\${FEISHU_CONNECTION_MODE:-websocket}\",\n\
      \"dmPolicy\": \"open\",\n\
      \"ignoreEvents\": [\"im.message.message_read_v1\", \"im.chat.access_event.bot_p2p_chat_entered_v1\"]\n\
    }\n\
  }\n\
}\n\
EOF\n\
\n\
# 启动定时备份进程 (每 3 小时执行一次，增强安全性)\n\
(while true; do sleep 10800; python3 /usr/local/bin/sync.py backup; done) &\n\
\n\
# 启动 OpenClaw 网关\n\
openclaw doctor --fix\n\
exec openclaw gateway run --port \$PORT\n\
" > /usr/local/bin/start-openclaw && chmod +x /usr/local/bin/start-openclaw

EXPOSE 7860
CMD ["/usr/local/bin/start-openclaw"]