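# syntax=docker/dockerfile:1

# --- Build stage: compile the Next.js app with the full dependency set ---
FROM node:22-alpine AS builder
WORKDIR /app
# libc6-compat is needed by some native/prebuilt Node modules on Alpine (musl).
# NOTE(review): version is unpinned; pin (pkg=ver-rN) once the desired release is known.
RUN apk add --no-cache libc6-compat
# Copy lockfile + manifest first so the dependency layer is cached until they change.
COPY package-lock.json ./
COPY package.json ./
RUN npm ci
COPY . .
RUN npm run build

# --- Runtime stage: only the build output and runtime deps, running unprivileged ---
FROM node:22-alpine AS runner
WORKDIR /app
RUN apk add --no-cache libc6-compat
ENV NODE_ENV=production

# Run as non-root user to limit impact of any future compromise.
# Fixed UID/GID (1001) so runtimes that enforce runAsNonRoot can verify it.
RUN addgroup --system --gid 1001 nodejs && \
    adduser --system --uid 1001 nextjs

# Set ownership at copy time instead of a trailing `RUN chown -R /app`:
# a later chown rewrites every copied file into a new layer, roughly doubling
# the size of these layers without changing the end result.
COPY --from=builder --chown=nextjs:nodejs /app/.next ./.next
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
# NOTE(review): builder ran plain `npm ci`, so this tree also carries devDependencies;
# consider `npm prune --omit=dev` in the builder if the built app does not need them — confirm.
COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nextjs:nodejs /app/package-lock.json ./
COPY --from=builder --chown=nextjs:nodejs /app/package.json ./

# Drop privileges after every step that needed root (package install, user creation).
USER nextjs
# Documentation only; the port is published at `docker run` time.
EXPOSE 3000

# Run Next directly (no shell) to reduce attack surface; exec form keeps node as PID 1
# so it receives SIGTERM from `docker stop`.
CMD ["node", "node_modules/next/dist/bin/next", "start"]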