docker: multi-stage build with alpine runtime

Split into builder (node:21-slim, full deps + tsc/gulp) and runtime
(node:21-alpine, production deps only). Drops ~hundreds of MB from
the published image and removes dev tooling from the runtime layer.

Dockerfile

@@ -1,20 +1,28 @@
-FROM node:21-slim
-
-ENV PORT 5000
-EXPOSE $PORT
+# syntax=docker/dockerfile:1
+FROM node:21-slim AS builder
 
 WORKDIR /app
 
-COPY package.json .
-COPY package-lock.json .
-
-COPY gulpfile.js .
-COPY tsconfig.json .
-COPY healthcheck.js .
+COPY package.json package-lock.json ./
+RUN npm ci
 
+COPY tsconfig.json gulpfile.js ./
 COPY public ./public
 COPY src ./src
+RUN npm run build && npm prune --omit=dev && npm cache clean --force
 
-RUN npm install && npm run build && npm cache clean --force
+FROM node:21-alpine AS runtime
 
-CMD [ "node", "./build/server/index.js"]
+ENV NODE_ENV=production
+ENV PORT=5000
+EXPOSE 5000
+
+WORKDIR /app
+
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/build ./build
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/package.json ./package.json
+COPY healthcheck.js ./healthcheck.js
+
+CMD ["node", "./build/server/index.js"]