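# syntax=docker/dockerfile:1
# =========================================================
# Stage 1: Build & Compilation Environment
# =========================================================
FROM node:20-alpine AS builder

# Set the active compilation folder
WORKDIR /usr/src/app

# Copy dependency manifests first so the npm layer stays cached until they change
COPY package*.json ./

# Build toolchain needed only to compile native Node modules. It never reaches
# the runtime stage, because only node_modules is copied out of this stage.
RUN apk add --no-cache python3 make g++

# Install production dependencies only. This stage runs no build/transpile step,
# so devDependencies would merely add unused code (and CVE surface) to the
# runtime image. Restore plain `npm ci` if a build step is added here later.
RUN npm ci --omit=dev

# =========================================================
# Stage 2: Minimal Runtime Release Environment
# =========================================================
FROM node:20-alpine

# GID of the host's docker group (commonly 999 or 998). Override at build time,
# e.g. `--build-arg DOCKER_GID=$(stat -c %g /var/run/docker.sock)`, so the
# in-container group matches the GID of the mounted socket.
ARG DOCKER_GID=999

# Set clean production context variables
ENV NODE_ENV=production
WORKDIR /usr/src/app

# --- DOCKER SOCKET ACCESS FOR THE NON-ROOT 'node' USER ---
# busybox already provides addgroup, so the shadow package is not installed
# into the runtime image. If DOCKER_GID is already taken (on some Alpine
# releases 999 appears to belong to the `ping` group -- verify for the pinned
# base), fall back to an unnumbered group; the socket must then be made
# accessible at run time with `--group-add`. Membership in the docker group is
# equivalent to root on the host: mount the socket only into this container,
# and keep its network exposure to the single port below.
RUN { addgroup -g "${DOCKER_GID}" docker || addgroup docker; } \
    && addgroup node docker

# Copy essential runtime artifacts from the compilation stage, already owned by
# the runtime user so no recursive chown layer (which doubles layer size) is needed
COPY --chown=node:node --from=builder /usr/src/app/node_modules ./node_modules
COPY --chown=node:node package*.json ./

# --- MODULAR SERVICES DIRECTORY STACK ---
COPY --chown=node:node server.js ./
COPY --chown=node:node services/ ./services/
COPY --chown=node:node public/ ./public/

# Writable storage folder for the non-root execution account; the app root is
# chowned (non-recursively) so the node user may still create files in WORKDIR
RUN mkdir -p data && chown node:node /usr/src/app data

# Drop root and run as the unprivileged native node account
USER node

# Inform Docker that the backend engine listens on network port 3000
EXPOSE 3000

# Fire up the Node manager backend engine
CMD ["node", "server.js"]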