# ─── Build stage ────────────────────────────────────────────
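# Build on the same Alpine (musl) image family as the production stage.
# The whole /build tree, node_modules included, is copied into the runtime
# image, so installing on the Debian-based default image could leave
# libc-specific native binaries that fail to load on Alpine.
# NOTE(review): the tag is a floating major version. Pin it by digest
# (oven/bun:1-alpine@sha256:<digest>) so the toolchain cannot change
# between builds without a reviewed commit.
FROM oven/bun:1-alpine AS builder

WORKDIR /build

# Workspace manifest and lockfile first: the dependency set is fully
# described by these two files.
COPY package.json bun.lock ./
COPY tsconfig.json ./

# Workspace packages the server depends on.
# NOTE(review): whole package directories are copied. Confirm that a
# .dockerignore keeps local .env files, node_modules and build output out
# of the context, because everything copied here reaches the final image.
COPY packages/shade-core ./packages/shade-core
COPY packages/shade-crypto-web ./packages/shade-crypto-web
COPY packages/shade-server ./packages/shade-server
COPY packages/shade-storage-sqlite ./packages/shade-storage-sqlite
COPY packages/shade-storage-postgres ./packages/shade-storage-postgres

# --frozen-lockfile makes the install fail instead of rewriting bun.lock,
# so only the versions recorded in the lockfile are installed.
# NOTE(review): devDependencies are installed too and end up in the runtime
# image. If the server starts without them, adding --production would shrink
# the shipped dependency surface. Confirm before changing.
RUN bun install --frozen-lockfile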

# ─── Production stage ───────────────────────────────────────
FROM oven/bun:1-alpine

# OCI image metadata, declared in a single instruction.
LABEL org.opencontainers.image.title="Shade Prekey Server" \
      org.opencontainers.image.description="E2EE prekey distribution server (Signal Protocol)" \
      org.opencontainers.image.source="https://github.com/Sterister/Shade" \
      org.opencontainers.image.licenses="MIT"

# Root-only setup in one step:
#   - curl is installed only for the HEALTHCHECK probe below
#   - shade/shade is the unprivileged system account the server runs as
#   - /data is created and handed to that account before VOLUME is declared,
#     so the ownership is kept when a fresh volume is initialised
# NOTE(review): adduser -S assigns the UID automatically. Deployments that
# enforce a numeric non-root UID may need an explicit one. Changing it
# affects ownership of existing /data volumes.
RUN apk add --no-cache curl \
    && addgroup -S shade \
    && adduser -S shade -G shade \
    && mkdir -p /data \
    && chown shade:shade /data

WORKDIR /app

# Bring over the installed workspace from the build stage.
# NOTE(review): --chown makes the runtime account the owner of the code it
# executes, so the server process can rewrite its own sources and
# node_modules. If nothing writes under /app at runtime, root ownership
# would be the tighter choice. Confirm file modes and runtime writes first.
COPY --from=builder --chown=shade:shade /build /app

# Persistent state lives outside the image.
VOLUME ["/data"]

# Everything from here on, including the container process, runs unprivileged.
USER shade

# Runtime defaults: SQLite database on the persistent volume, listener port.
ENV SHADE_PREKEY_DB_PATH=/data/shade-prekeys.db \
    PORT=3900

# Documents the default port only; it does not publish it.
EXPOSE 3900

# Shell-form probe: ${PORT} is expanded each time the check runs, so it
# follows a PORT value overridden when the container is started.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD curl -fsS http://localhost:${PORT}/health || exit 1

# Exec form: bun is started directly, without a wrapping shell.
CMD ["bun", "run", "packages/shade-server/src/standalone.ts"]
