Dockerfile

# syntax=docker/dockerfile:1.7
#
# Schema Summary Evaluator - production container.
#
# Multi-stage build:
#   1. deps    - install prod npm dependencies in a clean layer (cacheable).
#   2. build   - install dev deps and compile TypeScript to dist/.
#   3. runtime - copy prod deps + compiled output into a slim runtime image.
#
# The image runs as a non-root user, listens on PORT (default 8080), and
# expects GROVE_API_KEY in the environment (the Grove gateway proxies
# Anthropic). Optional CREDLY_* vars enable badge issuance; without them
# the evaluator runs in dry-run mode.
#
# Build:
#   docker build -t evaluator:latest .
#
# Run:
#   docker run --rm -p 8080:8080 \
#     -e GROVE_API_KEY=$GROVE_API_KEY \
#     -e CREDLY_DRY_RUN=1 \
#     evaluator:latest
#
# Deploy targets verified: GCP Cloud Run, AWS App Runner, AWS ECS Fargate,
# AWS Lambda (container image runtime), Fly.io, Railway.

ARG NODE_VERSION=24-alpine

# ---------- 1. deps (prod only) ----------
FROM node:${NODE_VERSION} AS deps
WORKDIR /app

COPY package.json package-lock.json* ./
RUN npm ci --omit=dev --no-audit --no-fund

# ---------- 2. build (TypeScript -> dist/) ----------
FROM node:${NODE_VERSION} AS build
WORKDIR /app

COPY package.json package-lock.json* tsconfig.json ./
RUN npm ci --no-audit --no-fund

COPY backend ./backend
RUN npx tsc

# ---------- 3. runtime ----------
FROM node:${NODE_VERSION} AS runtime
WORKDIR /app

RUN addgroup -S app && adduser -S app -G app

COPY --from=deps  --chown=app:app /app/node_modules ./node_modules
COPY --from=build --chown=app:app /app/dist         ./dist
COPY              --chown=app:app package.json      ./
COPY              --chown=app:app frontend          ./frontend

USER app

ENV NODE_ENV=production
ENV PORT=8080
EXPOSE 8080

# Liveness probe target: GET /healthz (defined in backend/server.ts).
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD wget -qO- http://127.0.0.1:${PORT}/healthz || exit 1

CMD ["node", "dist/backend/server.js"]