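# NOTE(review): `lts-alpine` is a floating tag, so a rebuild can silently pick
# up a different Node/Alpine release. For reproducible production builds pin it,
# e.g. node:<version>-alpine@sha256:<digest> (placeholders - use the digest you reviewed).
FROM node:lts-alpine

# Application directory. WORKDIR only selects the path; it does not change the
# user. Every build step below, and the container's initial process, run as root.
WORKDIR /app

# su-exec is the small helper used to drop privileges at container start.
# Installed before any application files are copied so this layer stays cached
# when only source code changes; --no-cache keeps the apk index out of the image.
RUN apk add --no-cache su-exec

# Copy the manifests first so the dependency layer is rebuilt only when
# package.json or package-lock.json change.
COPY package.json package-lock.json ./

# npm ci installs exactly what package-lock.json records; --omit=dev keeps
# devDependencies out of the image. --no-audit skips the advisory check during
# the build, so run `npm audit` (or an equivalent scanner) in CI instead.
RUN npm ci --omit=dev --no-audit --no-fund

# Copy the rest of the application.
# NOTE(review): this copies the entire build context. Make sure a .dockerignore
# excludes node_modules, .git, .env files and local database files, otherwise
# host artefacts or secrets end up in the image and a host node_modules
# directory overwrites the result of `npm ci` above.
COPY . .

# Entrypoint script. According to the original author's comment it fixes the
# ownership of the data directory and then drops privileges.
# NOTE(review): the script is not visible here. Because this image declares no
# USER, the privilege drop depends entirely on it: confirm that it ends with
# `exec su-exec <user> "$@"` (for example the `node` user shipped in the
# official image) so the application never runs as root and receives signals
# directly. Platforms that enforce a non-root image user will still see root.
COPY scripts/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Runtime configuration: production mode and the database file location.
ENV NODE_ENV=production \
    DB_PATH=/app/data/data.db

# Documentation only; the port still has to be published at run time.
EXPOSE 3000

# Exec form: the entrypoint is PID 1 and receives CMD as its arguments.
ENTRYPOINT ["/entrypoint.sh"]
CMD ["node", "server.js"]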