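# Runtime image for the Node backend (entry point: backend/server3.js).
# NOTE(review): the tag is mutable; for reproducible builds pin it by digest
# (node:20-bookworm-slim@sha256:<digest>) and bump it deliberately.
FROM node:20-bookworm-slim AS base

# Unprivileged system account that the server process runs as.
RUN groupadd -r app && useradd -r -g app app

WORKDIR /app

# curl and the CA bundle are installed for healthchecks. build-essential,
# pkg-config and python3 are presumably only needed to compile native npm
# addons during `npm ci`.
# NOTE(review): the compiler toolchain stays in this image and widens what a
# compromised process can use. If nothing needs it at runtime, move the
# install step to a separate build stage and copy node_modules across;
# confirm first that the app does not call python3 at runtime.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
      build-essential \
      ca-certificates \
      curl \
      pkg-config \
      python3 && \
    rm -rf /var/lib/apt/lists/*

# Manifests are copied on their own so the dependency layer is rebuilt only
# when package.json or the lockfile changes.
COPY package*.json ./

# NOTE(review): --unsafe-perm asks npm to run dependency lifecycle scripts
# without dropping root. Those scripts are third-party code executing during
# the build; confirm the flag is still honoured by the bundled npm and is
# actually required.
# The download cache is cleared in the same layer so it is not shipped.
RUN npm ci --unsafe-perm --omit=dev && \
    npm cache clean --force

# App payload (only what the runtime needs). backend/data/ is already inside
# backend/, so it is not copied a second time.
# NOTE(review): these files are owned by app, so the runtime user can rewrite
# its own code. If only backend/data/ must be writable, consider leaving the
# rest root-owned; confirm what the server writes.
COPY --chown=app:app backend/ ./backend/
COPY --chown=app:app src/ai/ ./src/ai/
COPY --chown=app:app src/assets/ ./src/assets/

# NOTE(review): an app-owned /run/secrets lets the runtime user create or
# replace files there whenever no secret mount covers the path. If the
# orchestrator always mounts secrets, this step may be unnecessary; confirm.
RUN mkdir -p /run/secrets && chown -R app:app /run/secrets

# Drop root before the server starts.
USER app

# Exec form: node runs as PID 1 and receives stop signals directly.
CMD ["node", "backend/server3.js"]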