chore: slim down agent container image using node:22-bookworm-slim

AGENTS.md

@@ -204,7 +204,9 @@ The codebase follows a modular architecture with clear separation of concerns:
 - **Firewall Exemption:** Allowed unrestricted outbound access via iptables rule `-s 172.30.0.10 -j ACCEPT`
 
 **Agent Execution Container** (`containers/agent/`)
-- Based on `ubuntu:22.04` with iptables, curl, git, nodejs, npm, docker-cli
+- Based on `node:22-bookworm-slim` (smaller than ubuntu:22.04, includes Node.js 22/npm/npx)
+- Docker CLI copied from official `docker:27.4.1-cli` image
+- Minimal package footprint: iptables, git, ca-certificates
 - Mounts entire host filesystem at `/host` and user home directory for full access
 - Mounts Docker socket (`/var/run/docker.sock`) for docker-in-docker support
 - `NET_ADMIN` capability required for iptables manipulation

containers/agent/Dockerfile

@@ -1,27 +1,29 @@
-FROM ubuntu:22.04
+# Use node:22-bookworm-slim as base (includes Node.js 22, npm, and common utilities)
+# This is much smaller than ubuntu:22.04 + nodejs installation
+FROM node:22-bookworm-slim
 
-# Install required packages and Node.js 22
+# Copy Docker CLI from official Docker image (avoids network downloads during build)
+COPY --from=docker:27.4.1-cli /usr/local/bin/docker /usr/local/bin/docker
+
+# Install only required packages:
+# - iptables: NAT redirection to Squid proxy
+# - git: required for git safe.directory config and user workflows
+# - ca-certificates: HTTPS certificate verification
+#
+# Removed packages (not required for core functionality):
+# - dnsutils: dig/nslookup not used in scripts
+# - net-tools: netstat not used in scripts
+# - netcat-openbsd: not used in agent scripts (only in squid healthcheck)
+# - curl: not needed in final image (was only for Docker install)
+# - gnupg: not needed (was only for Docker repo key)
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     iptables \
-    curl \
-    ca-certificates \
     git \
-    gnupg \
-    dnsutils \
-    net-tools \
-    netcat-openbsd && \
-    # Install Node.js 22 from NodeSource
-    curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
-    apt-get install -y nodejs && \
-    # Install Docker CLI for MCP servers that run as containers
-    install -m 0755 -d /etc/apt/keyrings && \
-    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc && \
-    chmod a+r /etc/apt/keyrings/docker.asc && \
-    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
-    apt-get update && \
-    apt-get install -y docker-ce-cli && \
-    rm -rf /var/lib/apt/lists/*
+    ca-certificates && \
+    # Clean up apt cache to reduce image size
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Copy iptables setup script and docker wrapper
 COPY setup-iptables.sh /usr/local/bin/setup-iptables.sh
@@ -30,8 +32,8 @@ COPY docker-wrapper.sh /usr/local/bin/docker-wrapper.sh
 RUN chmod +x /usr/local/bin/setup-iptables.sh /usr/local/bin/entrypoint.sh /usr/local/bin/docker-wrapper.sh
 
 # Install docker wrapper to intercept docker commands
-# Rename real docker binary and replace with wrapper
-RUN mv /usr/bin/docker /usr/bin/docker-real && \
+# Move real docker binary to docker-real and replace with wrapper
+RUN mv /usr/local/bin/docker /usr/bin/docker-real && \
     ln -s /usr/local/bin/docker-wrapper.sh /usr/bin/docker
 
 # Set working directory