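# =============================================================================
# DEVELOPMENT DOCKER COMPOSE - Security Hardened
# =============================================================================
# Note: Dev containers need write access to volumes for hot-reload.
# Production containers run as non-root with read-only filesystem.
#
# Hardening applied in this file:
#   - no-new-privileges on both services (setuid/setgid binaries cannot
#     raise privileges inside the container)
#   - published ports are bound to the host loopback address only
# Not applied here (dev trade-offs, review before reusing elsewhere):
#   - no `user:` is set, so processes run as the image's default user
#   - the root filesystem and the source bind mounts are writable
#   - `node:22-slim` is a mutable tag; pin a digest
#     (node:22-slim@sha256:<digest>) if reproducible pulls are required
# =============================================================================

services:
  backend-dev:
    image: node:22-slim
    working_dir: /app
    # `npm install` runs on every start and executes dependency lifecycle
    # scripts with the variables from .env in the environment. With a
    # committed lockfile, `npm ci` gives a reproducible install.
    command: sh -c "npm install && npm run dev"
    volumes:
      # Writable bind mount: code running in the container (including
      # install scripts) can modify the host source tree.
      - ./backend:/app
      # Named volume keeps container-built modules off the host tree.
      - backend_node_modules:/app/node_modules
      # Already inside the ./backend mount above; kept as an explicit mount.
      - ./backend/data:/app/data
    env_file:
      # Keep .env out of version control; it is injected as-is.
      - .env
    ports:
      # Loopback only. A bare "3000:3000" publishes on every host
      # interface, which exposes the dev server to the local network.
      - "127.0.0.1:3000:3000"
    security_opt:
      - no-new-privileges:true
    healthcheck:
      # Probes the in-container listener; unaffected by the host binding.
      test:
        - CMD-SHELL
        - >-
          node -e "require('http').get('http://localhost:3000/health', (r) =>
          process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () =>
          process.exit(1))"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  frontend-dev:
    image: node:22-slim
    working_dir: /app
    # `--host` makes the dev server listen on all container interfaces,
    # which Docker port publishing requires; host-side exposure is limited
    # by the loopback binding under `ports`.
    command: sh -c "npm install && npm run dev -- --host --port 5173"
    volumes:
      # Writable bind mount, same caveat as the backend source mount.
      - ./frontend:/app
      - frontend_node_modules:/app/node_modules
    ports:
      # Loopback only; drop the 127.0.0.1 prefix only when the dev server
      # must be reachable from other machines on a trusted network.
      - "127.0.0.1:5173:5173"
    security_opt:
      - no-new-privileges:true
    depends_on:
      # Start-order only: this short form does not wait for the backend
      # healthcheck to pass.
      - backend-dev

volumes:
  backend_node_modules:
  frontend_node_modules: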