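# Two-stage image: stage "build" compiles the front-end with the Supabase
# settings injected as BuildKit secrets; stage "runtime" only carries the
# built static assets and the `serve` static file server.

# ---------- build ----------
FROM node:20-alpine AS build
WORKDIR /app

# deps
# Manifests are copied on their own so this layer is reused until they change.
# NOTE(review): the `|| npm i` fallback is kept so builds without a usable
# lockfile still work, but it also hides lockfile drift: when `npm ci` fails,
# dependencies are re-resolved and the installed tree is no longer what
# package-lock.json pins. Prefer committing the lockfile and dropping the fallback.
COPY package.json package-lock.json* ./
RUN npm ci --no-audit --no-fund || npm i --no-audit --no-fund

# app source
# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps local .env files, .git and node_modules out of it.
COPY . .

# Mount HF secrets at build-time, write .env.production, then build
# (These IDs MUST match your Secrets names in the Settings tab)
#
# The secret values are never echoed: build logs are retained and can be read
# by anyone with access to them. .env.production is deleted in the same RUN so
# it is not stored in this stage's layer or in the build cache.
#
# Vite inlines VITE_* variables into the client bundle, so whatever is passed
# here ends up readable by every browser that loads the site. Only values meant
# to be public belong here (the Supabase anon key, with Row Level Security
# enforced on the project); never a service_role key.
RUN --mount=type=secret,id=VITE_SUPABASE_URL,mode=0444,required=true \
    --mount=type=secret,id=VITE_SUPABASE_ANON_KEY,mode=0444,required=true \
    sh -lc '\
      set -eu; \
      URL="$(cat /run/secrets/VITE_SUPABASE_URL)"; \
      ANON="$(cat /run/secrets/VITE_SUPABASE_ANON_KEY)"; \
      printf "VITE_SUPABASE_URL=%s\nVITE_SUPABASE_ANON_KEY=%s\n" "$URL" "$ANON" > .env.production; \
      npm run build; \
      rm -f .env.production \
    '

# ---------- runtime ----------
FROM node:20-alpine AS runtime
WORKDIR /app

# serve built assets
# Only dist/ crosses the stage boundary; sources, node_modules and the
# generated env file stay behind in the discarded build stage.
COPY --from=build /app/dist ./dist
RUN npm i -g serve@14

# Run the file server as the unprivileged `node` user shipped with the official
# image; it only needs read access to dist/ and binds an unprivileged port.
USER node

EXPOSE 4173
CMD ["serve", "-s", "dist", "-l", "4173"]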