FROM node:22-alpine
WORKDIR /app

# Pre-built by turbo before deploy — dist has workspace @lilith/* compiled in via SWC.
# Registry @lilith/* packages (e.g. gov-detection) are pre-staged by deploy.sh into
# .vendor-lilith/ since the VPS cannot reach Verdaccio.
COPY dist ./dist

# Install public registry deps only — all @lilith/* are handled separately.
COPY package.json ./
RUN node -e " \
  const p = JSON.parse(require('fs').readFileSync('./package.json', 'utf8')); \
  p.dependencies = Object.fromEntries( \
    Object.entries(p.dependencies || {}).filter(([k]) => !k.startsWith('@lilith/')) \
  ); \
  delete p.devDependencies; \
  require('fs').writeFileSync('./package.json', JSON.stringify(p, null, 2)); \
" && npm install --production --ignore-scripts

# Stage @lilith registry packages AFTER npm install (which manages node_modules/).
# Workspace @lilith deps are compiled into dist/ by SWC. Registry ones (e.g.
# gov-detection) are pre-resolved locally by deploy.sh and staged here.
COPY .vendor-lilith/ ./node_modules/

EXPOSE 4001
USER node
CMD ["node", "dist/main.js"]
