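# Image for a Node.js service that is built as root and started as the
# unprivileged user "sboxuser" through a firejail wrapper (/start.sh).
# The tag is mutable; pin it by digest (node:20@sha256:<digest>) for
# reproducible builds.
FROM node:20

USER root

# OS packages are installed in a single layer. The original ran
# `apt-get install firejail` in a later layer without its own
# `apt-get update`, so a cached first layer could leave it resolving against
# stale package lists.
#
# setcap GRANTS the file capability CAP_NET_BIND_SERVICE to the node binary so
# a non-root process can bind ports below 1024. It drops nothing; dropping
# capabilities happens at container start (e.g. `docker run --cap-drop`).
# NOTE(review): only ports 8000 and 4000 are exposed below, neither of which
# needs this capability. Remove the grant if the app binds no port under 1024.
#
# NOTE(review): firejail is normally installed setuid-root and sets up
# mount/namespace isolation. Confirm it starts under the capability set and
# seccomp profile this container actually runs with, rather than widening
# container privileges to make it work.
RUN apt-get update && apt-get install -y \
        firejail \
        libcap2-bin \
    && setcap cap_net_bind_service=+ep /usr/local/bin/node \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /code

# Dependency manifests are copied first so this layer stays cached until they
# change.
# NOTE(review): `npm ci` gives reproducible installs when a package-lock.json
# is committed. Lockfile presence cannot be confirmed from this file, so
# `npm install` is kept.
COPY package*.json ./
RUN npm install

# Copies the whole build context. Keep a .dockerignore that excludes .git,
# node_modules and any .env or credential files so they are not baked into a
# layer.
COPY . .
RUN npm run build

# Unprivileged runtime account plus the directories it may write to.
# The original `mkdir projects` ran under WORKDIR /code and so created
# /code/projects, while the launcher below passes --private=/projects.
# Both paths are created and owned by sboxuser so the firejail private
# directory exists.
# NOTE(review): confirm which path the application really uses.
# todo user namespace mapping
RUN useradd -m sboxuser \
    && mkdir -p /code/projects /projects \
    && chown -R sboxuser:sboxuser /code/projects /projects

# Launcher script. printf is used because `echo` only expands "\n" when
# /bin/sh happens to be a shell whose echo interprets escapes. `exec` makes
# firejail replace the shell so signals from `docker stop` reach it directly.
# --noprofile disables firejail's security profiles; --private=/projects is
# the only restriction requested here.
RUN printf '#!/bin/bash\nexec firejail --private=/projects --noprofile node dist/index.js\n' > /start.sh \
    && chmod +x /start.sh

# Root is no longer needed after this point.
USER sboxuser

EXPOSE 8000
EXPOSE 4000

CMD ["/start.sh"]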