FROM node:20-alpine

# Create non-root user/group before switching context
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

WORKDIR /app

# Install dependencies first for better layer caching
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# Copy application source
COPY server ./server
COPY public ./public
COPY config ./config

# Drop to non-root user
USER appuser

ENV NODE_ENV=production
ENV PORT=8080

EXPOSE 8080

# Health-check: lightweight wget is available in node:alpine
HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3 \
  CMD wget -qO- http://localhost:8080/api/config > /dev/null || exit 1

CMD ["node", "server/index.js"]