FROM node:20-slim AS builder
ARG COMMIT_SHA=unknown
ARG BRANCH=unknown
WORKDIR /app

# Copy manifests + lockfiles for deterministic installs.
# Both packages ship their own package-lock.json; `npm ci` enforces the
# lock and never mutates it (in contrast to `npm install` which could
# silently bump transitive deps). shell-dashboard is deliberately NOT
# part of the root pnpm workspace (flat, standalone Next.js app), so
# using npm here is the correct tool — not a workaround.
COPY showcase/scripts/package.json showcase/scripts/package-lock.json ./scripts/
COPY showcase/shell-dashboard/package.json showcase/shell-dashboard/package-lock.json ./shell-dashboard/

RUN cd scripts && npm ci \
    && cd ../shell-dashboard && npm ci

# Copy source
COPY showcase/shared/ ./shared/
COPY showcase/integrations/ ./integrations/
COPY showcase/scripts/ ./scripts/
# probe-docs.ts checks for MDX files in shell-docs/src/content/docs/ to
# determine docs reachability status. Only the content directory is needed.
COPY showcase/shell-docs/src/content/ ./shell-docs/src/content/
COPY showcase/shell-dashboard/ ./shell-dashboard/

# Bake commit info into Next.js build (NEXT_PUBLIC_* are compiled in).
ENV NEXT_PUBLIC_COMMIT_SHA=${COMMIT_SHA}
ENV NEXT_PUBLIC_BRANCH=${BRANCH}

# Generate registry + docs status, then build Next.js
RUN cd scripts && node node_modules/tsx/dist/cli.mjs generate-registry.ts \
    && node node_modules/tsx/dist/cli.mjs probe-docs.ts \
    && cd ../shell-dashboard && npx next build

# Prod-deps-only stage: re-install shell-dashboard deps with --omit=dev so
# the runtime image doesn't ship vitest/playwright/tailwind-postcss/etc.
# The builder stage's node_modules includes the full dev tree because
# `next build` needs types + tailwind + postcss at compile time; copying
# that tree straight into runtime roughly doubles the image size and ships
# test tooling to prod. Using `npm ci --omit=dev` off the same lockfile
# gives us a deterministic, prod-only tree without needing Next's
# `output: 'standalone'` mode (which requires a next.config.ts change in a
# package owned by another workstream).
FROM node:20-slim AS prod-deps
WORKDIR /app/shell-dashboard
COPY showcase/shell-dashboard/package.json showcase/shell-dashboard/package-lock.json ./
# `--ignore-scripts` skips the package.json `postinstall` hook, which
# runs `cd ../scripts && npm install` — only needed at build time for
# the generator scripts. Runtime has no need for sibling packages.
RUN npm ci --omit=dev --ignore-scripts --silent

FROM node:20-slim AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV PORT=10000
# URL env vars (POCKETBASE_URL / SHELL_URL / OPS_BASE_URL) are read at
# runtime by `src/lib/runtime-config.ts` from the Railway service env —
# no Dockerfile ARG/ENV plumbing required for them.
# COMMIT_SHA / BRANCH stay build-baked because they identify the artifact,
# not the deploy. See showcase/RAILWAY.md and runtime-config.ts.

# Copy build artifacts with `node:node` ownership so the runtime process
# (dropped to USER node below) can read them. The `node` user/group ships
# in the node:20-slim base image at uid/gid 1000 — no useradd needed.
COPY --chown=node:node --from=builder /app/shell-dashboard/.next ./.next
COPY --chown=node:node --from=prod-deps /app/shell-dashboard/node_modules ./node_modules
COPY --chown=node:node --from=builder /app/shell-dashboard/package.json ./

# Drop root privileges — parity with showcase/harness/Dockerfile. Reduces
# blast radius of any RCE in Next.js or a transitive dep.
USER node

EXPOSE 10000
CMD ["npx", "next", "start", "-p", "10000"]
