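# syntax=docker/dockerfile:1
# Per-agent git-gate sidecar image (PRD 0008).
#
# Runs `git daemon --enable=receive-pack` so the agent in the bottle
# can push to it over git://. A shared pre-receive hook runs gitleaks
# against each incoming ref; on clean, it forwards the ref to the real
# upstream using a credential the gate holds. The agent never sees the
# upstream credential.
#
# The agent-facing leg sits on a Docker --internal network with no
# default route, so the image is fully self-contained: no apk pulls at
# boot, no remote registry lookups during the entrypoint.
#
# Everything the gate needs at runtime (entrypoint, hook, credentials)
# is docker-cp'd into the container after it starts, so this Dockerfile
# only lays down the packages and the directory skeleton.

FROM alpine:3.20

# git for the daemon + push-to-upstream;
# gitleaks is the actual scanner the pre-receive hook calls;
# openssh-client for the upstream SSH transport.
# NOTE(review): package versions are unpinned (hadolint DL3018), so two
# builds of the same Dockerfile can differ in the gitleaks rule set;
# pin as `git=<version>` etc. once the versions are chosen.
RUN apk add --no-cache \
      git \
      gitleaks \
      openssh-client

# Layout the gate uses at runtime:
#   /git-gate-entrypoint.sh        — docker-cp'd at start time
#   /etc/git-gate/pre-receive      — shared hook, docker-cp'd at start
#   /git-gate/creds/<name>-key         — per-upstream identity, docker-cp'd
#   /git-gate/creds/<name>-known_hosts — per-upstream known_hosts, docker-cp'd
#   /git/<repo>.git                — bare repos, created by the entrypoint
#
# The intermediate directories must exist before `docker cp` runs (cp
# does not create them); the bare-repo parent (/git) is also pre-created
# defensively.
RUN mkdir -p /etc/git-gate /git-gate/creds /git

# No USER directive: the daemon and the docker-cp'd entrypoint run as
# root in this container. NOTE(review): the upstream credential lives
# under /git-gate/creds, so confirm the entrypoint either drops
# privileges or that root is intended for the sidecar — TODO confirm.
# Exec form so the shell is PID 1's direct parent-less invocation of the
# script; the script is expected to `exec` git daemon itself.
ENTRYPOINT ["/bin/sh", "/git-gate-entrypoint.sh"]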