# Build context: bytelyst-devops-tools/dashboard/ (monorepo root)
# --- Stage 1: Build ---
FROM node:20-alpine AS builder

WORKDIR /app/backend

COPY backend/package.json backend/package-lock.json ./
RUN npm ci --ignore-scripts

COPY backend/tsconfig.json ./
COPY backend/src/ ./src/

# Build-time env vars (baked into the bundle)
ARG BYTELYST_COMMIT_SHA=unknown
ARG BYTELYST_COMMIT_SHA_FULL=unknown
ARG BYTELYST_BRANCH=unknown
ARG BYTELYST_BUILT_AT=unknown
ARG BYTELYST_COMMIT_AUTHOR=unknown
ARG BYTELYST_COMMIT_MESSAGE=unknown
ARG BYTELYST_DOCKER_IMAGE=devops-backend:latest

ENV BYTELYST_COMMIT_SHA=${BYTELYST_COMMIT_SHA} \
    BYTELYST_COMMIT_SHA_FULL=${BYTELYST_COMMIT_SHA_FULL} \
    BYTELYST_BRANCH=${BYTELYST_BRANCH} \
    BYTELYST_BUILT_AT=${BYTELYST_BUILT_AT} \
    BYTELYST_COMMIT_AUTHOR=${BYTELYST_COMMIT_AUTHOR} \
    BYTELYST_COMMIT_MESSAGE=${BYTELYST_COMMIT_MESSAGE} \
    BYTELYST_DOCKER_IMAGE=${BYTELYST_DOCKER_IMAGE}

RUN npm run build

# --- Stage 2: Run ---
# Use Debian slim (not Alpine) because vm-health-check.sh uses GNU df flags
# (--output=pcent, --output=avail) that BusyBox df does not support.
FROM node:20-slim AS runner

WORKDIR /app/backend

COPY backend/package.json backend/package-lock.json ./
RUN npm ci --omit=dev --ignore-scripts

# Install tools needed by the VM management module:
#   bash       — vm-health-check.sh and vm-cleanup.sh require bash
#   docker.io  — docker CLI to communicate with the host daemon via socket
#   python3    — used in inline python3 -c snippets inside the scripts
RUN apt-get update && apt-get install -y --no-install-recommends \
      curl bash docker.io python3 \
    && rm -rf /var/lib/apt/lists/*

# Non-root user setup (Phase 5 P2 mitigation roadmap, item #4).
# The backend doesn't strictly need root — its only privileged action is
# talking to the docker daemon, which group membership covers. We create
# the user + a docker group at a build-arg-configurable GID so the GID
# can match the host's docker group (`getent group docker` on the host).
#
# Default `BACKEND_USER=root` keeps the current behaviour so existing
# deployments don't break. Set `BACKEND_USER=app` to run non-root; this
# requires the bind-mounted log files in `/var/log/vm-*.log` and
# `/var/log/docker-watchdog.log` to be group-readable+writable by the
# matching docker GID (or world-readable for read-only paths). See
# `dashboard/DEPLOYMENT.md` Privilege Surface → "Running non-root".
ARG BACKEND_USER=root
ARG DOCKER_GID=999
RUN groupadd --system --gid "${DOCKER_GID}" docker || true \
    && useradd --system --create-home --uid 1001 --gid "${DOCKER_GID}" --shell /sbin/nologin app \
    && chown -R app:"${DOCKER_GID}" /app

COPY --from=builder --chown=app:${DOCKER_GID} /app/backend/dist ./dist

ENV NODE_ENV=production
ENV PORT=4004

EXPOSE 4004

# Switch to non-root only when explicitly opted in via build arg. If the
# arg is `app`, the next two layers actually drop privileges; if `root`,
# they're a no-op.
USER ${BACKEND_USER}

CMD ["node", "dist/server.js"]
