FROM node:20-alpine AS base
RUN corepack enable && corepack prepare pnpm@latest --activate

FROM base AS deps
RUN apk add --no-cache libc6-compat
WORKDIR /app

# Copy workspace root config + relevant package.jsons for install
COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
COPY packages/db/package.json ./packages/db/package.json
COPY apps/harness/package.json ./apps/harness/package.json

RUN pnpm install --frozen-lockfile --filter @homelab/harness...

FROM base AS builder
WORKDIR /app
COPY --from=deps /app ./
COPY packages/db ./packages/db
COPY apps/harness ./apps/harness
RUN pnpm --filter @homelab/harness build

FROM base AS runner
WORKDIR /app
ENV NODE_ENV=production

# System tools needed by agent executors
RUN apk add --no-cache git github-cli curl ca-certificates

# Agent CLIs (installed globally before dropping to non-root)
RUN npm install -g @anthropic-ai/claude-code @openai/codex
RUN curl -fsSL https://opencode.ai/install | sh || \
    echo "WARN: opencode install failed, skipping"

RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs

# Workspace directory for git worktrees (ephemeral)
RUN mkdir -p /data/harness && chown nextjs:nodejs /data/harness

COPY --from=builder /app/apps/harness/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/apps/harness/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/apps/harness/.next/static ./.next/static
USER nextjs
EXPOSE 3100
ENV PORT=3100
CMD ["node", "server.js"]