# Investigator runtime — Bun + TS worker that spawns `claude -p` subprocesses
# (Sonnet 4.6 via OAuth) and writes Investigation Bureau outputs to disk + DB.

FROM oven/bun:1.1-slim AS base

# Tools we shell out to: `claude` CLI (OAuth) + git for sha256 over PDFs.
# The claude install script downloads the binary; no API key needed at build.
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl ca-certificates git \
 && curl -fsSL https://claude.ai/install.sh | bash \
 && cp /root/.local/bin/claude /usr/local/bin/claude \
 && claude --version \
 && apt-get purge -y curl && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Install pg deps first so they cache.
COPY package.json bun.lockb* ./
RUN bun install --production || bun install

COPY tsconfig.json ./
COPY src ./src
COPY prompts ./prompts

# Default healthcheck: the worker writes /tmp/healthy when its LISTEN
# connection is up. Container is unhealthy if that file is older than 90s.
HEALTHCHECK --interval=30s --timeout=10s --start-period=20s --retries=3 \
  CMD test -f /tmp/healthy && find /tmp/healthy -mmin -1.5 | grep -q healthy

CMD ["bun", "run", "src/main.ts"]