FROM node:22-alpine AS build
WORKDIR /app
# Copy schema/config first so the `postinstall: prisma generate` hook in
# package.json can find the schema during `npm ci`.
COPY package*.json prisma.config.ts ./
COPY prisma ./prisma
RUN npm ci
COPY . .
RUN npm run build

FROM node:22-alpine AS production
WORKDIR /app
COPY --from=build --chown=node:node /app/dist ./dist
COPY --from=build --chown=node:node /app/generated ./generated
COPY --from=build --chown=node:node /app/node_modules ./node_modules
COPY --from=build --chown=node:node /app/package*.json ./
COPY --from=build --chown=node:node /app/prisma ./prisma
COPY --from=build --chown=node:node /app/prisma.config.ts ./prisma.config.ts
COPY --from=build --chown=node:node /app/docker/entrypoint.sh ./docker/entrypoint.sh
# Strip the bundled npm CLI (and yarn/corepack) from the runtime image. The
# entrypoint calls ./node_modules/.bin/prisma directly, so we don't need
# npm at runtime — and dropping it eliminates CVEs in npm's bundled deps
# (e.g. picomatch CVE-2026-33671) that node:22-alpine inherits.
RUN chmod +x ./docker/entrypoint.sh \
 && rm -rf /usr/local/lib/node_modules \
           /usr/local/bin/npm /usr/local/bin/npx \
           /usr/local/bin/corepack \
           /opt/yarn-v1.22.22 /usr/local/bin/yarn /usr/local/bin/yarnpkg
USER node
EXPOSE 3000
ENTRYPOINT ["./docker/entrypoint.sh"]
