FROM node:20-alpine

RUN apk add --no-cache curl

WORKDIR /app

# Install deps first (cache layer)
COPY package.json ./
RUN npm install --omit=dev && npm cache clean --force

# Copy sources
COPY src ./src
COPY views ./views
COPY public ./public

# Non-root user
RUN addgroup -g 1001 app && adduser -D -u 1001 -G app app && chown -R app:app /app
USER app

EXPOSE 3000

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
  CMD curl -fsS http://127.0.0.1:3000/api/health || exit 1

CMD ["node", "src/server.js"]
