# Base image is pinned by tag only. A tag can be re-pointed upstream, so two
# builds of the same commit may start from different bases; pin by digest
# (ubuntu:24.04@sha256:<digest>) if benchmark runs need a fixed base.
FROM ubuntu:24.04
# Versions of the headless coding agents installed by a later RUN step.
# Declared after FROM so they are in scope for this stage; override with
# --build-arg.
ARG CODEX_VERSION=0.130.0
ARG CURSOR_AGENT_VERSION=2026.05.09-0afadcc
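# Install system dependencies including Python 3.11.
# Use manual deadsnakes PPA setup to avoid add-apt-repository network issues.
#
# The PPA signing key is downloaded to a file first, so a failed or truncated
# download fails the build (a `curl | gpg` pipe under /bin/sh only reports
# gpg's exit status). Its fingerprint is then checked against the one requested
# from the keyserver before apt is told to trust it via signed-by.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        git \
        gpg \
        nodejs \
        npm && \
    curl -fsSL -o /tmp/deadsnakes.asc \
        "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xF23C5A6CF475977595C89F51BA6932366A755776" && \
    gpg --batch --with-colons --show-keys /tmp/deadsnakes.asc \
        | grep -q '^fpr:.*:F23C5A6CF475977595C89F51BA6932366A755776:' && \
    gpg --batch --output /usr/share/keyrings/deadsnakes.gpg --dearmor /tmp/deadsnakes.asc && \
    rm -f /tmp/deadsnakes.asc && \
    echo "deb [signed-by=/usr/share/keyrings/deadsnakes.gpg] https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu noble main" \
        > /etc/apt/sources.list.d/deadsnakes.list && \
    apt-get update && \
    apt-get install -y --no-install-recommends \
        python3.11 \
        python3.11-dev \
        python3.11-venv && \
    rm -rf /var/lib/apt/lists/*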
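# Install uv for Python package management.
# The installer is fetched to a file and then executed, so a failed or
# truncated download fails this step instead of handing a partial script to sh
# (a `curl | sh` pipe under /bin/sh only reports sh's exit status).
# NOTE(review): the script is pinned to uv 0.9.14 by URL but its content is not
# verified; compare it against a recorded SHA-256 before running it if the
# image must be reproducible.
RUN curl -LsSf -o /tmp/uv-install.sh https://astral.sh/uv/0.9.14/install.sh && \
    sh /tmp/uv-install.sh && \
    rm -f /tmp/uv-install.sh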
# Put the project venv and the per-user tool directories ahead of the system
# PATH entries.
# NOTE(review): /app/.venv and /home/harbor/.local are chowned to harbor by
# other steps in this file, and this PATH also applies to whatever runs as root
# (the ENTRYPOINT shell and the API server it starts). Confirm nothing running
# as root resolves commands through those harbor-writable directories after
# agent code has had a chance to write to them.
ENV PATH="/app/.venv/bin:/home/harbor/.local/bin:/root/.local/bin:${PATH}"
# Set Python 3.11 as the default python3
# NOTE(review): Ubuntu 24.04's own python3 is 3.12; repointing /usr/bin/python3
# may affect distro scripts that expect it — confirm none are needed at runtime.
RUN update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1
# Create the unprivileged "harbor" account (UID 1001) that runs the NAT agent,
# together with the directories it owns. /data holds the shared DB and the
# files blob storage.
#
# apt's and dpkg's state directories are handed to harbor as well: the harbor
# harness's per-trial install.sh runs as this user and unconditionally calls
# `apt-get update && apt-get install -y curl procps` (it cannot know curl is
# already in this image). With the directories writable that step does not stop
# on a permission error, and the install is a fast no-op because the packages
# are already present.
#
# NOTE(review): this also lets the agent user rewrite the package database and
# apt's cached state. That is only acceptable while the container is a
# disposable per-trial sandbox; do not reuse this layer for a long-lived image.
RUN useradd --create-home --uid 1001 --shell /bin/bash harbor && \
    mkdir -p \
        /app \
        /logs \
        /installed-agent \
        /data \
        /var/lib/apt/lists/partial && \
    chown -R harbor:harbor \
        /app \
        /logs \
        /installed-agent \
        /data \
        /var/lib/apt \
        /var/cache/apt \
        /var/lib/dpkg
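# Install Claude Code as the non-root harbor user, then wrap it so all calls
# include --dangerously-skip-permissions (required in this containerized flow).
#
# `set -o pipefail` makes a failed or truncated download fail the step instead
# of letting bash run whatever part of the script arrived.
# NOTE(review): unlike the Codex and Cursor Agent installs in this file, this
# installer is neither version-pinned nor checksum-verified, so the image
# content depends on what the URL serves at build time.
# NOTE(review): the wrapper removes the CLI's own permission prompts, leaving
# the container as the only boundary around the agent. Keep host credentials,
# the Docker socket and writable host paths out of containers started from
# this image.
RUN runuser -u harbor -- bash -lc "set -o pipefail; curl -fsSL https://claude.ai/install.sh | bash" && \
    mv /home/harbor/.local/bin/claude /home/harbor/.local/bin/claude-real && \
    printf '#!/bin/bash\nexec /home/harbor/.local/bin/claude-real --dangerously-skip-permissions "$@"\n' \
        > /home/harbor/.local/bin/claude && \
    chmod +x /home/harbor/.local/bin/claude && \
    chown harbor:harbor /home/harbor/.local/bin/claude /home/harbor/.local/bin/claude-real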
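# Install pinned headless coding agents used by the agentic-use benchmark matrix.
# Cursor Agent releases are published under
# downloads.cursor.com/lab/<version>/linux/<arch>/agent-cli-package.tar.gz.
#
# `set -eux` comes first so that it also covers `npm install`. Written as
# `npm install ... && set -eux; ...`, a failed npm install skipped only the
# `set` and the build carried on without Codex.
# The Cursor archive is saved to a file before extraction so that a failed or
# truncated download stops the build (a `curl | tar` pipe under /bin/sh only
# reports tar's exit status).
# NOTE(review): the archive is pinned by version but not verified; add
# `echo "<sha256>  /tmp/cursor-agent.tar.gz" | sha256sum -c -` per architecture
# once the expected digests are recorded.
RUN set -eux; \
    npm install -g "@openai/codex@${CODEX_VERSION}"; \
    case "$(uname -m)" in \
        x86_64|amd64) cursor_arch="x64" ;; \
        aarch64|arm64) cursor_arch="arm64" ;; \
        *) echo "Unsupported architecture: $(uname -m)" >&2; exit 1 ;; \
    esac; \
    cursor_dir="/home/harbor/.local/share/cursor-agent/versions/${CURSOR_AGENT_VERSION}"; \
    mkdir -p "${cursor_dir}" /home/harbor/.local/bin; \
    curl -fSL -o /tmp/cursor-agent.tar.gz \
        "https://downloads.cursor.com/lab/${CURSOR_AGENT_VERSION}/linux/${cursor_arch}/agent-cli-package.tar.gz"; \
    tar --strip-components=1 -xzf /tmp/cursor-agent.tar.gz -C "${cursor_dir}"; \
    rm -f /tmp/cursor-agent.tar.gz; \
    ln -sfn "${cursor_dir}/cursor-agent" /home/harbor/.local/bin/agent; \
    ln -sfn "${cursor_dir}/cursor-agent" /home/harbor/.local/bin/cursor-agent; \
    chown -R harbor:harbor /home/harbor/.local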
# Set working directory
WORKDIR /app
# Copy the entire NeMo Platform repository
# NOTE(review): this takes everything in the build context. A later comment in
# this file refers to a notebook/.env environment; make sure .dockerignore
# excludes .env files, .git and any credentials so they are not stored in an
# image layer.
COPY --chown=harbor:harbor . /app
# Install NeMo Platform dependencies with uv (as root for now, but accessible to harbor user).
# Note: Not using --frozen to allow uv to resolve packages for the container's platform.
# Use --all-packages to ensure all workspace members are installed.
# NOTE(review): without --frozen/--locked, uv may re-resolve at build time
# instead of failing on a stale lockfile, so the installed versions are not
# guaranteed to match the lockfile that was reviewed.
# The venv is created by root and then chowned so harbor can use and modify it.
RUN uv sync --all-packages && \
chown -R harbor:harbor /app/.venv
# Add workspace package source directories to PYTHONPATH as fallback for editable installs.
# /switchyard is the container mount point for agentic-use runs that need a
# sibling Switchyard checkout; nat_runner passes the bind mount through
# DOCKER_EXTRA_ARGS from the notebook/.env environment.
# NOTE(review): PYTHONPATH entries are searched before the standard library and
# site-packages, and /switchyard is listed first. Any module placed in that
# mount shadows same-named modules for every Python process in the container,
# so mount only a trusted checkout there (read-only if the run allows it).
ENV PYTHONPATH="/switchyard:/app/services/core/jobs/src:/app/services/core/entities/src:/app/services/core/auth/src:/app/services/core/models/src:/app/services/core/files/src:/app/services/core/secrets/src:/app/services/core/inference-gateway/src:/app/services/core/mcp/src:/app/packages/nmp_platform/src:/app/packages/nmp_common/src"
# Verify critical modules can be imported (fail build early if not)
RUN /app/.venv/bin/python -c "import nmp.core.jobs; import nmp.core.entities; print('All critical modules imported successfully')"
# Add NAT and the components the runner backends rely on to the project venv:
#   nvidia-nat[most]            nat runtime with the common plugin set
#   nvidia-nat-atif             ATIF schema models for trajectory validation
#   nvidia-nat-eval             nat eval / optimize support
#   nvidia-nat-mcp              mcp_client function type support
#   plugins/nemo-agents         exposes `nemo agents ...` commands
#   examples/calculator-agent   registers the `_type: calculator` function group
#
# Every nvidia-nat* package MUST carry the same version pin. The CLI/meta
# package historically lagged the plugin packages (e.g. nvidia-nat==1.4.3 vs
# nvidia-nat-core/eval/langchain==1.7.0), which caused ImportErrors at plugin
# discovery (e.g. register_dataset_loader) and crashed `nat start fastapi`.
#
# The installs run as root, so the venv is chowned back to harbor afterwards.
RUN uv pip install --python /app/.venv/bin/python \
        "nvidia-nat[most]==1.7.0" \
        nvidia-nat-atif==1.7.0 \
        nvidia-nat-eval==1.7.0 \
        nvidia-nat-mcp==1.7.0 && \
    uv pip install --python /app/.venv/bin/python \
        --editable /app/plugins/nemo-agents && \
    uv pip install --python /app/.venv/bin/python \
        --editable /app/plugins/nemo-agents/examples/calculator-agent && \
    chown -R harbor:harbor /app/.venv
# Runtime defaults for the NeMo Platform services. These are baked into the
# image and visible to every process in the container; none of them is a
# credential.
# API base URL used by clients inside the container (same port as EXPOSE below).
ENV NMP_BASE_URL=http://localhost:8080
# SQLite database and local file storage, both under the harbor-owned /data.
ENV DATABASE_DIALECT=sqlite
ENV DATABASE_PATH=/data/nmp-platform.db
ENV NMP_FILES_DEFAULT_STORAGE_CONFIG='{"type":"local","path":"/data/files_storage"}'
ENV CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1
# Enable secrets encryption key creation (required since !6106 moved
# quickstart defaults to env vars instead of config files).
# NOTE(review): where the generated key is written is not visible in this file.
# Confirm it does not land on a path the agent user can read, and that it is
# not persisted in a volume shared between trials.
ENV NMP_SECRETS_ALLOW_KEY_CREATION=1
# Expose port for NeMo Platform API server
# (documentation only: the port is published only if `docker run -p` asks for it).
EXPOSE 8080
# Use ENTRYPOINT to start the NeMo Platform API server, wait for it to become healthy,
# then exec the provided command as the harbor user.
#
# Flow of the inline script:
#   1. start `nemo services run` in the background from /app, with stdout and
#      stderr redirected to /tmp/nmp-api.log;
#   2. poll http://localhost:8080/status once per second, at most 60 times,
#      until three consecutive polls succeed;
#   3. if that never happens, print the log, kill the background job and exit 1;
#   4. otherwise replace the shell with `runuser -u harbor -- <command>`, where
#      <command> is CMD or the arguments given to `docker run`.
#
# The nat_runner.py orchestrator invokes backend-specific commands in this image
# (AUT via `nemo agents invoke`, workflow via `nat run`, or `claude -p`).
#
# NVIDIA_API_KEY must be provided at runtime via ``docker run -e NVIDIA_API_KEY=...``
#
# NOTE(review): this file has no USER instruction, so the script and the API
# server it leaves running are root; only the final command is dropped to
# harbor. The server executes from /app/.venv, which is chowned to harbor, so
# confirm the root/harbor split is not relied on as a security boundary.
# NOTE(review): `curl -s` without -f exits 0 on any HTTP response, 4xx/5xx
# included, so a poll shows that something answers on :8080 rather than that
# /status reports healthy. There is also no --max-time, so one hung request
# stalls the loop.
# NOTE(review): runuser is called without --login, so the environment
# (including a key passed with `docker run -e`) is presumably inherited by the
# agent command; /tmp/nmp-api.log is written by root and may be readable by
# harbor as well — confirm neither exposes more than intended.
ENTRYPOINT ["/bin/bash", "-c", "\
cd /app && /app/.venv/bin/nemo services run > /tmp/nmp-api.log 2>&1 & API_PID=$!; \
echo 'Started API server with PID: '$API_PID; \
CONSECUTIVE_SUCCESS=0; \
for i in {1..60}; do \
if curl -s http://localhost:8080/status > /dev/null 2>&1; then \
CONSECUTIVE_SUCCESS=$((CONSECUTIVE_SUCCESS+1)); \
echo 'Health check passed ('$CONSECUTIVE_SUCCESS'/3)'; \
if [ $CONSECUTIVE_SUCCESS -ge 3 ]; then \
echo 'NeMo Platform API ready and stable'; \
break; \
fi; \
else \
CONSECUTIVE_SUCCESS=0; \
fi; \
sleep 1; \
done; \
if [ $CONSECUTIVE_SUCCESS -lt 3 ]; then \
echo 'API failed to become stable!'; \
cat /tmp/nmp-api.log; \
kill $API_PID 2>/dev/null; \
exit 1; \
fi; \
exec runuser -u harbor -- \"$@\"", "--"]
# Default command when none is given: keep the container alive (as harbor) so
# the orchestrator can exec into it.
CMD ["sleep", "infinity"]