FROM node:20-bookworm-slim AS base 

RUN groupadd -r app && useradd -r -g app app

WORKDIR /app

# ---- native build deps ----
RUN apt-get update -y && \
    apt-get install -y --no-install-recommends \
         build-essential python3 pkg-config && \
    rm -rf /var/lib/apt/lists/*
# ---------------------------

COPY package*.json ./
COPY public/ /app/public/  
RUN npm ci --unsafe-perm        
COPY . .

RUN mkdir -p /run/secrets && chown -R app:app /run/secrets

USER app
CMD ["node", "backend/server3.js"]