FROM crystallang/crystal:1.9.2-alpine AS builder

# Install build dependencies
RUN apk add --no-cache \
    yaml-dev \
    openssl-dev \
    zlib-dev \
    sqlite-dev \
    postgresql-dev

WORKDIR /app

# Copy shard files
COPY shard.yml shard.lock ./

# Install dependencies
RUN shards install --production

# Copy source code
COPY . .

# Build the binary
RUN crystal build --release --static src/billing_manager.cr -o billing-service

# Runtime stage
FROM alpine:3.19

# Install runtime dependencies
RUN apk add --no-cache \
    ca-certificates \
    tzdata \
    openssl \
    yaml

WORKDIR /app

# Copy the binary from builder
COPY --from=builder /app/billing-service .

# Create non-root user
RUN adduser -D billing && \
    chown -R billing:billing /app

USER billing

# Set security-related environment variables
ENV PORT=3000
ENV KEMAL_ENV=production
ENV SECURE_PROCESSING=true
ENV PCI_COMPLIANCE=true

# Set security-related options
RUN chmod 500 /app/billing-service && \
    chmod -R 400 /app

# Expose ports
EXPOSE 3000

# Use exec form for proper signal handling
ENTRYPOINT ["/app/billing-service"]