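# matrix-bridge bot — Phase 1 container.
#
# Runs on the Spark (always-on Linux + Docker). docker-compose uses host networking so the
# bot reaches BOTH Synapse (clearnet TLS) and the Mac (WireGuard, via the `mac-bridge` SSH alias).
#
# The image is GENERIC: no deployment specifics and no secrets are baked in. At runtime
# docker-compose mounts .env, config.toml, and the SSH key (all read-only); the entrypoint
# generates ~/.ssh/config for the alias from config.toml's [mac] section before launching.
#
# NOTE(review): there is no USER instruction, so the entrypoint and the bot run as root.
# With host networking the container also shares the host's network namespace, so a
# compromise of the bot is less contained than the image alone suggests. Moving to a
# dedicated non-root user needs the compose mounts (SSH key ownership and mode, the
# HOME that ~/.ssh/config is written to) to change with it; those files are not
# visible here, so the runtime user is left as-is.

# NOTE(review): the tag is mutable. For reproducible builds pin the digest as well,
# e.g. python:3.12-slim@sha256:<digest-placeholder>.
FROM python:3.12-slim

# openssh-client: the bot shells out to `ssh mac-bridge ...` (the proven Phase 0 seam).
# NOTE(review): the generated ssh config is not visible here; confirm it keeps host key
# checking enabled and that a known_hosts entry for the Mac is provisioned.
RUN apt-get update \
    && apt-get install -y --no-install-recommends openssh-client \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Dependencies are installed before the source is copied so this layer stays cached
# until requirements.txt changes.
# NOTE(review): requirements.txt is not visible here; confirm versions are pinned
# (ideally with hashes, installed with pip's --require-hashes).
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY src/ ./src/

# The mode is set at copy time instead of a follow-up `RUN chmod +x`, which would add a
# second layer holding a duplicate of the script. COPY --chmod requires BuildKit.
# NOTE(review): the script is not visible here; it should end with `exec "$@"` so the
# bot becomes PID 1 and receives SIGTERM from `docker stop`.
COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

# .env and config.toml arrive via read-only mounts at runtime (never baked).
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["python", "-u", "src/bot.py"]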