# ── Stage 1: install production dependencies ──────────────────────────────────
# node:20-alpine is used only for npm ci; it never ships to production.
FROM node:20-alpine AS deps

WORKDIR /app

# package-lock.json* — the wildcard makes the COPY succeed even if the lock
# file is absent, so the image can be built from a clean checkout without any
# local Node installation.
COPY package.json package-lock.json* ./
RUN if [ -f package-lock.json ]; then npm ci --omit=dev; else npm install --omit=dev; fi

# ── Stage 2: hardened, minimal runtime ────────────────────────────────────────
# gcr.io/distroless/nodejs20-debian12:nonroot contains only the Node runtime.
# No shell, no package manager, no OS utilities → drastically reduced attack
# surface and near-zero CVEs from OS packages.  Runs as uid 65532 (nonroot).
FROM gcr.io/distroless/nodejs20-debian12:nonroot

WORKDIR /app

COPY --from=deps /app/node_modules ./node_modules

# Copy application source
COPY server ./server
COPY public ./public
COPY config ./config

ENV NODE_ENV=production
ENV PORT=8080

EXPOSE 8080

# Health-check: no wget/curl in distroless — use the bundled Node binary
# directly via exec form (no shell needed).
HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3 \
  CMD ["/nodejs/bin/node", "server/healthcheck.js"]

# The distroless ENTRYPOINT is already /nodejs/bin/node; CMD is the argument.
CMD ["server/index.js"]