# Wolfi-based JRE, glibc, daily-rebuilt with near-zero baseline CVEs,
# signed images + SBOM published, non-root by default. Pin by digest in
# production overlays.
FROM cgr.dev/chainguard/jre:openjdk-21

WORKDIR /app

# Agent + log appender are baked in; tenant JAR is delivered at deploy
# time by cameleer-runtime-loader into the RO-mounted /app/jars volume.
COPY agent.jar /app/agent.jar
COPY cameleer-log-appender.jar /app/cameleer-log-appender.jar

# No ENTRYPOINT here. cameleer-server's DeploymentExecutor builds the
# per-runtime-type entrypoint (spring-boot/quarkus: -jar; plain-java:
# -cp + main; native: exec) and overrides via withCmd("sh","-c",...).
# Setting one here only creates drift between this image and the actual
# runtime command.