# syntax=docker/dockerfile:1.7

# ─── Stage 1: install deps (cacheable) ──────────────────────────────────────
FROM node:22-alpine AS deps
WORKDIR /app
# libc6-compat helps some native deps (bcryptjs is pure JS so not strictly
# needed, but cheap insurance for pg / future native deps).
RUN apk add --no-cache libc6-compat
COPY package.json package-lock.json ./
RUN npm ci

# ─── Stage 2: build ──────────────────────────────────────────────────────────
FROM node:22-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .

# next.config.ts has `output: "standalone"`, which writes a minimal Node
# server bundle to .next/standalone — used by the runtime stage below.
RUN npm run build

# ─── Stage 3: runtime ────────────────────────────────────────────────────────
FROM node:22-alpine AS runner
WORKDIR /app

ENV NODE_ENV=production \
    PORT=3000 \
    HOSTNAME=0.0.0.0 \
    NEXT_TELEMETRY_DISABLED=1

# Non-root user for the app process.
RUN addgroup --system --gid 1001 nodejs \
 && adduser --system --uid 1001 --ingroup nodejs nextjs

# Standalone output bundles only the files needed to run the server, plus a
# trimmed node_modules. Public assets and .next/static are still external.
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

USER nextjs
EXPOSE 3000

# server.js is generated by Next's standalone output; it reads PORT/HOSTNAME
# from the environment at startup, so docker compose can inject them.
CMD ["node", "server.js"]