# syntax=docker/dockerfile:1.7
# ─────────────────────────────────────────────────────────────────────────────
#  Production Dockerfile for CryptoWallet API
#  Multi-stage: deps → build → prod-deps → runtime
#  Runtime: non-root user, tini (signal handling), wget (healthcheck)
# ─────────────────────────────────────────────────────────────────────────────

ARG NODE_VERSION=20.19-alpine
ARG PNPM_VERSION=10.28.2

# ─────────────────────────────────────────────────────────────────────────────
# Base: node + pnpm
# ─────────────────────────────────────────────────────────────────────────────
FROM node:${NODE_VERSION} AS base
ARG PNPM_VERSION
RUN corepack enable && corepack prepare pnpm@${PNPM_VERSION} --activate
WORKDIR /app
ENV NODE_ENV=production \
    CI=true \
    HUSKY=0

# ─────────────────────────────────────────────────────────────────────────────
# deps: install ALL deps (incl. dev) for TypeScript build
# ─────────────────────────────────────────────────────────────────────────────
FROM base AS deps
COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
COPY apps/api/package.json apps/api/
RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
    pnpm install --frozen-lockfile --prod=false

# ─────────────────────────────────────────────────────────────────────────────
# build: compile TypeScript → dist/
# ─────────────────────────────────────────────────────────────────────────────
FROM base AS build
COPY --from=deps /app/node_modules ./node_modules
COPY --from=deps /app/apps/api/node_modules ./apps/api/node_modules
COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
COPY apps/api ./apps/api
RUN cd apps/api && pnpm build

# ─────────────────────────────────────────────────────────────────────────────
# prod-deps: only production dependencies (smaller image)
# ─────────────────────────────────────────────────────────────────────────────
FROM base AS prod-deps
COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
COPY apps/api/package.json apps/api/
RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
    pnpm install --frozen-lockfile --prod

# ─────────────────────────────────────────────────────────────────────────────
# runtime: minimal production image
# ─────────────────────────────────────────────────────────────────────────────
FROM node:${NODE_VERSION} AS runtime

# tini for proper PID 1 / signal handling
# wget for healthcheck
RUN apk add --no-cache tini wget && \
    addgroup -S -g 1001 app && \
    adduser -S -u 1001 -G app app

WORKDIR /app/apps/api

# Copy production dependencies
COPY --from=prod-deps --chown=app:app /app/node_modules /app/node_modules
COPY --from=prod-deps --chown=app:app /app/apps/api/node_modules ./node_modules

# Copy compiled code + static assets
COPY --from=build --chown=app:app /app/apps/api/dist ./dist
COPY --from=build --chown=app:app /app/apps/api/swagger.json ./swagger.json
COPY --from=build --chown=app:app /app/apps/api/package.json ./package.json

USER app

ENV NODE_ENV=production \
    API_PORT=3001

EXPOSE 3001

HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
    CMD wget -qO- http://localhost:3001/api/health || exit 1

ENTRYPOINT ["/sbin/tini", "--"]
CMD ["node", "dist/index.js"]