# Shared base stage. The deps and runner stages below both build FROM it, so
# they use the same Bun image and the same working directory.
# NOTE(review): the image is referenced by tag only, and a tag can be re-pointed
# upstream. Adding the digest (oven/bun:1.3.10-alpine@sha256:<digest-of-this-tag>)
# would make the base immutable between builds.
FROM oven/bun:1.3.10-alpine AS base
WORKDIR /app

# Dependency stage: installs the production dependency tree on its own so the
# runner stage can copy /app/node_modules from it.
FROM base AS deps
# Only the manifest and lockfile are copied, so this layer is reused until one
# of them changes.
# NOTE(review): the trailing * makes the lockfile optional at COPY time (the
# glob may match nothing). Confirm the lockfile is always committed and present
# in the build context, since it is what pins the dependency versions.
COPY package.json bun.lock* ./
# --frozen-lockfile: fail instead of updating the lockfile when it disagrees
#   with package.json.
# --production: skip devDependencies.
RUN bun install --frozen-lockfile --production

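# Runtime stage: the image that is shipped. It takes node_modules from the deps
# stage, adds the application source, and runs as an unprivileged user.
FROM base AS runner
WORKDIR /app

# Runtime defaults. PORT can be overridden when the container is started; the
# HEALTHCHECK below reads the same variable.
ENV NODE_ENV=production \
    PORT=4000

# Create the unprivileged account (fixed UID/GID 1001) and the two data
# directories, then give that account ownership of /app.
RUN addgroup --system --gid 1001 nodejs && \
    adduser --system --uid 1001 --ingroup nodejs nucleus && \
    mkdir -p /app/uploads /app/storage && \
    chown -R nucleus:nodejs /app

# NOTE(review): both COPY steps make the runtime user the owner of the
# dependencies and the application code, so the running process can modify the
# code it executes. If the service only needs to write to /app/uploads and
# /app/storage, leaving code and node_modules root-owned would be tighter;
# confirm what the app writes before changing this.
COPY --from=deps --chown=nucleus:nodejs /app/node_modules ./node_modules
# NOTE(review): this copies the whole build context on top of the node_modules
# directory copied above. Confirm a .dockerignore excludes node_modules, .git
# and local env/secret files; otherwise they are stored in the image layers and
# a host node_modules can replace the lockfile-installed one.
COPY --chown=nucleus:nodejs . .

# Build-time generation step; src/config.json and src/drizzle are passed as
# arguments. It runs before USER is set, so it runs as root and anything it
# writes is root-owned.
# NOTE(review): bunx runs a locally installed binary when there is one and
# otherwise downloads the package from the registry. deps were installed with
# --production, so confirm the package providing nucleus-generate is a
# production dependency and the lockfile-pinned copy is what executes here.
RUN bunx nucleus-generate src/config.json src/drizzle

# Everything from here on, including the health probe and the service, runs
# without root.
USER nucleus:nodejs

# Documents the default port only; it does not publish it.
EXPOSE 4000

# The probe targets PORT (falling back to 4000) instead of a hard-coded port, so
# overriding PORT at run time does not leave the container marked unhealthy.
# NOTE(review): assumes src/index.ts listens on PORT - confirm.
# Exit status 0 when /health returns a 2xx response, 1 on any other status or
# on a connection error.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD bun --eval "fetch('http://localhost:' + (process.env.PORT || 4000) + '/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"

# Exec form: no shell wrapper, so bun receives stop signals directly.
CMD ["bun", "run", "src/index.ts"]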
