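# ─── Stage 1: Build ──────────────────────────────────────────────────────────
# NOTE(review): the 1.3-alpine tag is mutable. Pin it by digest
# (oven/bun:1.3-alpine@sha256:<digest>) if builds must be reproducible and
# resistant to a replaced upstream tag.
FROM oven/bun:1.3-alpine AS builder
WORKDIR /app

# Install dependencies first so this layer stays cached until the manifest or
# lockfile changes. --frozen-lockfile keeps the install tied to the committed
# lockfile instead of letting it be rewritten during the build.
COPY package.json bun.lock* ./
RUN bun install --frozen-lockfile

# Copy source. Everything in the build context that .dockerignore does not
# exclude lands in this stage, so keep .env files, private keys and .git out
# of the context. The runtime stage only takes selected paths from here, but
# build output can still embed values that were present at build time.
COPY . .

# Build Next.js
RUN bun run build

# ─── Stage 2: Production image ────────────────────────────────────────────────
FROM oven/bun:1.3-alpine AS runner

# Security: run as a non-root user with a fixed UID/GID (1001).
# -G nodejs makes nodejs the primary group of nextjs, so the nextjs:nodejs
# ownership set on the data directories below matches the running process.
# Without -G, BusyBox adduser -S falls back to the nogroup group.
RUN addgroup -g 1001 -S nodejs && adduser -S -u 1001 -G nodejs nextjs

WORKDIR /app

ENV NODE_ENV=production \
    NEXT_TELEMETRY_DISABLED=1

# Copy built output. No --chown is given, so these files stay root-owned and
# the unprivileged runtime user cannot modify the application code.
COPY --from=builder /app/.next/standalone ./
COPY --from=builder /app/.next/static ./.next/static
COPY --from=builder /app/public ./public

# Copy server entrypoint
COPY --from=builder /app/server.ts ./server.ts

# Create the only writable locations and hand them to the runtime user.
RUN mkdir -p /app/data /app/backups && chown -R nextjs:nodejs /app/data /app/backups

# Drop root before the container starts. Nothing after this line needs it.
USER nextjs

# Documentation only. 3000 is above 1024, so a non-root process can bind it.
EXPOSE 3000

# Uses the wget applet available in the Alpine base. Any non-success response
# or connection failure marks the container unhealthy after 3 retries.
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
  CMD wget -qO- http://localhost:3000/api/health || exit 1

# Exec form: bun is started directly, without a wrapping /bin/sh -c.
CMD ["bun", "--bun", "run", "server.ts"]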