FROM node:18-alpine

# Arbeitsverzeichnis
WORKDIR /app

# User anlegen (kein root!)
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

# Dependencies zuerst (Cache Vorteil)
COPY package*.json ./
RUN npm install --production

# Rest kopieren
COPY . .

# Volume für Output
VOLUME ["/data"]

# Rechte setzen
RUN chown -R appuser:appgroup /app /data

# User wechseln
USER appuser

# Port (falls Webapp)
EXPOSE 8080

# Healthcheck
HEALTHCHECK --interval=30s --timeout=5s \
  CMD wget -qO- http://localhost:8080 || exit 1

# Start
CMD ["npm", "start"]