FROM hhvm/hhvm:latest

# Create a non-root user for security
RUN useradd -m -u 1000 -s /bin/bash hhuser

# Set working directory
WORKDIR /var/www/html

# Install system dependencies
RUN apt-get update && apt-get install -y \
    git \
    curl \
    libpng-dev \
    libonig-dev \
    libxml2-dev \
    zip \
    unzip \
    supervisor \
    && rm -rf /var/lib/apt/lists/*

# Install Composer
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer

# Copy application files
COPY . /var/www/html

# Install PHP dependencies, ignoring platform requirements for build
RUN composer install --no-dev --optimize-autoloader --ignore-platform-reqs

# Change ownership to the non-root user
RUN chown -R hhuser:hhuser /var/www/html

# Make sure scripts are executable (if we have any)
RUN chmod +x /var/www/html/deploy.sh 2>/dev/null || true

# Expose port 18000 as specified in AGENTS.md for qwen/hack
EXPOSE 18000

# Use dumb-init to handle signals properly for k8s
RUN set -eux; \
    wget -O /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64; \
    chmod +x /usr/bin/dumb-init

# Switch to the non-root user
USER hhuser

# Start the application
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["hhvm", "-m", "server", "-p", "18000", "-v", "Server.Type=proxygen", "-v", "Server.SourceRoot=/var/www/html/public"]

# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:18000/ || exit 1