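# VaultMesh Sentinel Verifier
# Minimal image for deterministic verification tasks
# No daemon, no ports, stateless
#
# NOTE(review): the 3.12-slim tag is mutable, so two builds of this file can
# start from different base layers. For a verifier whose output is meant to be
# reproducible, pin the base by digest (python:3.12-slim@sha256:<digest>) and
# bump the digest deliberately.
FROM python:3.12-slim

LABEL org.opencontainers.image.title="VaultMesh Sentinel" \
      org.opencontainers.image.description="Deterministic seal bundle verifier" \
      org.opencontainers.image.source="https://gitlab.com/vaultsovereign/ops"

# Python runtime behaviour: no .pyc files written, unbuffered stdout/stderr.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Install minimal dependencies.
# DEBIAN_FRONTEND is set inline for this command only, so it suppresses
# interactive prompts during the build without persisting in the runtime
# environment of the container.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        git \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user; everything below runs and is owned as this user.
RUN useradd --create-home --shell /bin/bash sentinel
USER sentinel
WORKDIR /home/sentinel

# Install Python dependencies.
# NOTE(review): pyproject.toml / requirements.txt are copied but the install
# line below does not read them; click and blake3 are resolved unpinned from
# the package index at build time. Because blake3 supplies the hashing the
# verifier relies on, pin exact versions with hashes in requirements.txt and
# install with `pip install --require-hashes -r requirements.txt`, so a changed
# or substituted upstream release cannot silently enter the image.
COPY --chown=sentinel:sentinel pyproject.toml requirements.txt* ./
RUN pip install --user --no-cache-dir click blake3

# Copy application code (after dependencies, so code changes do not
# invalidate the dependency layer).
COPY --chown=sentinel:sentinel cli/ ./cli/
COPY --chown=sentinel:sentinel tools/ ./tools/
COPY --chown=sentinel:sentinel ledger/ ./ledger/

# Set PATH for user-installed packages (pip --user installs scripts here).
ENV PATH="/home/sentinel/.local/bin:${PATH}"

# Default entrypoint - verifier help.
# ENTRYPOINT is the interpreter; CMD is the default script and arguments and
# can be overridden at `docker run` to invoke another tool or pass a bundle.
ENTRYPOINT ["python3"]
CMD ["tools/vm_verify_sentinel_bundle.py", "--help"]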