# =============================================================================
# OpenClaw Customization Overlay - 第三层
# =============================================================================
# 在 openclaw 镜像基础上注入 subagent-coordinator 插件、Hermes Agent 和项目技能
#
# 构建顺序:
#   1. docker build -t openclaw:base-X.Y.Z -f Dockerfile.openclaw-base .
#   2. docker build -t openclaw:app-X.Y.Z -f Dockerfile.openclaw-app . --build-arg OPENCLAW_VERSION=X.Y.Z
#   3. docker build -t openclaw:X.Y.Z -f Dockerfile.openclaw-overlay .
#
# 统一构建:使用 build-openclaw.sh 脚本
# =============================================================================

# Base of this overlay: the application image produced by the second build step.
# Override with --build-arg OPENCLAW_APP_IMAGE=openclaw:app-X.Y.Z. The step-3
# command in the header passes no build arg, so run as written it always layers
# on the default tag below, whatever tag is given to -t.
# NOTE(review): the default is a mutable local tag, not a digest; whichever
# image currently carries that tag on the build host becomes the base.
ARG OPENCLAW_APP_IMAGE=openclaw:app-2026.5.22
FROM ${OPENCLAW_APP_IMAGE} AS overlay-base

LABEL org.opencontainers.image.title="OpenClaw Customization Overlay" \
      org.opencontainers.image.description="OpenClaw + subagent-coordinator + hermes + skills overlay" \
      org.openclaw.layer="overlay"

# The COPY/RUN steps in this file write to /app, /usr/local and /home/node, so
# the build runs as root.
# NOTE(review): no later instruction in this file switches back to a non-root
# USER; confirm that the inherited ENTRYPOINT (not visible here) drops
# privileges before the gateway starts.
USER root

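# Inject the project skills (merged with the host's skills at deploy time via
# the --skills parameter).
# Ownership is assigned by the COPY itself, so there is no separate chown layer
# that stores a second copy of the tree.
# NOTE(review): the tree ends up owned by, and writable for, the runtime user
# "node". If skills are treated as trusted instructions, confirm that the
# runtime really needs write access to the copy baked into the image.
ARG SKILLS_SRC=./skills
COPY --chown=node:node ${SKILLS_SRC}/. /home/node/.openclaw/skills-shared/
# Mode 755 on every entry: owner-writable, world-readable, and executable even
# for plain data files (kept as in the original).
RUN chmod -R 755 /home/node/.openclaw/skills-shared/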

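# Inject the subagent-coordinator plugins (OpenClaw requires plugin directories
# to be owned by root).
COPY --chown=root:root subagent-coordinator-dist/plugins/. /app/extensions/

# Post-process the three subagent plugins in one layer:
#   1. The TypeScript output has relative imports without ".js"; append the
#      suffix. Files are handed to sed by find -exec instead of a shell word
#      list, so paths containing whitespace are handled, and a missing plugin
#      directory now fails this step (the chmod pass already failed on it).
#   2. Enable each plugin by inserting "enabledByDefault": true before "id":
#      in its manifest. Best effort: errors are discarded and ignored, so a
#      missing manifest leaves that plugin disabled without failing the build.
#   3. Normalise permissions (755 directories, 644 files); world-writable
#      plugin files are rejected by OpenClaw's security check.
# NOTE(review): the import pattern `\.(\.\.)?\/` accepts "./" and ".../" but not
# "../", so parent-directory imports keep their extensionless form; confirm
# whether `\.\.?\/` was intended. A specifier that already ends in ".js" would
# also receive a second suffix.
# NOTE(review): the manifest edit uses the g flag, so every "id": key in the
# file, including nested ones, gets the inserted line, and re-running the step
# inserts it again. The "\n" in the replacement relies on GNU sed.
RUN set -eu; \
    for plugin in subagent-exec-monitor subagent-observability subagent-taskr; do \
        dir="/app/extensions/${plugin}"; \
        find "${dir}" -name "*.js" -type f \
            -exec sed -i -E 's/(from "\.(\.\.)?\/[^"]+)"/\1.js"/g' {} +; \
        sed -i 's/"id":/"enabledByDefault": true,\n  "id":/g' "${dir}/openclaw.plugin.json" 2>/dev/null || true; \
        find "${dir}" -type d -exec chmod 755 {} +; \
        find "${dir}" -type f -exec chmod 644 {} +; \
    done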

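# Pre-install Hermes Agent from the local source tree (avoids a git clone
# inside the container).
# pip runs with --no-cache-dir so its download cache is not stored in the layer.
# NOTE(review): `pip install --upgrade pip` and the editable install resolve
# packages from the package index at build time; no version or hash pins are
# visible in this file. Confirm that hermes-src pins its dependencies if
# reproducible builds are required.
# NOTE(review): /usr/local/bin/hermes is a symlink into a venv owned by "node",
# and the install is editable, so the runtime user can modify the code behind a
# command that sits on the system PATH. Confirm nothing privileged invokes it.
COPY --chown=node:node hermes-src /home/node/.hermes/hermes-agent
RUN cd /home/node/.hermes/hermes-agent && \
    python3 -m venv venv && \
    ./venv/bin/python -m ensurepip && \
    ./venv/bin/python -m pip install --no-cache-dir --upgrade pip && \
    ./venv/bin/pip install --no-cache-dir -e "." && \
    ln -sf /home/node/.hermes/hermes-agent/venv/bin/hermes /usr/local/bin/hermes && \
    chown -R node:node /home/node/.hermes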

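# MCP support.
# MCPORTER_VERSION defaults to "latest", which resolves exactly as the bare
# package name did, so the default build is unchanged. Pass
# --build-arg MCPORTER_VERSION=<reviewed version> to pin the globally installed
# package instead of taking whatever the registry serves on build day.
ARG MCPORTER_VERSION=latest
RUN npm install -g "mcporter@${MCPORTER_VERSION}" --legacy-peer-deps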

# Hand the runtime trees to "node": that user needs read/write access to
# /app/dist, /app/docs and /home/node.
# NOTE(review): /app/dist holds the code the gateway executes, so after this
# step the runtime user can rewrite its own application code. Confirm that
# write access is really needed there and not only read access.
RUN chown -R node:node \
        /app/dist \
        /app/docs \
        /home/node

# ── SSH host keys (generated once) ──────────────────────────────────────────
# ssh-keygen -A creates any default host key types that are missing. stderr is
# discarded and a failure is ignored, so the build continues even when no keys
# were generated.
# NOTE(review): this runs at image build time, so the private host keys are
# stored in an image layer. Every container started from this image then
# presents the same host identity, and anyone who can pull the image can read
# the keys. Consider generating them at container start and keeping them out of
# the image.
RUN ssh-keygen -A 2>/dev/null || true

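# Install a small launcher so `openclaw` on the PATH runs the built entry point.
# printf writes the two lines explicitly. The previous echo relied on /bin/sh
# expanding "\n" inside the string, which some shells (bash, for one) do not do,
# leaving a one-line script with a broken shebang.
# NOTE(review): the launcher lives in /usr/local/bin but is owned by "node", so
# the runtime user can replace a command that other users may execute. Confirm
# this ownership is required; root-owned with mode 755 would be sufficient to
# run it.
RUN printf '%s\n' '#!/bin/sh' 'exec node /app/dist/index.js "$@"' > /usr/local/bin/openclaw && \
    chmod +x /usr/local/bin/openclaw && \
    chown node:node /usr/local/bin/openclaw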

# Command search path and Node.js old-space heap limit (1536 MiB) for the runtime.
# NOTE(review): /root/.bun/bin and /home/node/.local/bin come before
# /usr/local/bin and the inherited PATH. A file dropped into the node-writable
# /home/node/.local/bin therefore shadows the system command of the same name
# for every process that uses this PATH. Confirm the ordering is intended.
ENV PATH="/root/.bun/bin:/home/node/.local/bin:/usr/local/bin:$PATH" \
    NODE_OPTIONS="--max-old-space-size=1536"

# Working directory; the relative script path in CMD is resolved against it.
WORKDIR /app

# Ports the image documents; EXPOSE does not publish them.
EXPOSE 2222
EXPOSE 18789
EXPOSE 18792

# Default command: start the gateway.
# NOTE(review): `USER root` near the top of this file is still in effect here,
# so unless the inherited ENTRYPOINT drops privileges the gateway runs as root.
CMD ["node", "openclaw.mjs", "gateway"]