update Dockerfile for HF Spaces (non-root user, proper permissions)

Dockerfile

@@ -1,31 +1,36 @@
 FROM python:3.10-slim
 
+# HF Spaces requires a non-root user
+RUN useradd -m -u 1000 user
+ENV PATH="/home/user/.local/bin:$PATH"
+
 WORKDIR /app
 
-# install system deps
+# system deps
 RUN apt-get update && apt-get install -y --no-install-recommends \
     build-essential \
     && rm -rf /var/lib/apt/lists/*
 
-# copy requirements first for layer caching
-COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+# install python deps first (layer caching)
+COPY --chown=user requirements.txt .
+RUN pip install --no-cache-dir --upgrade -r requirements.txt
+
+# copy project files
+COPY --chown=user src/ src/
+COPY --chown=user frontend/ frontend/
+COPY --chown=user evaluation/ evaluation/
+COPY --chown=user setup.py .
+COPY --chown=user README.md .
+COPY --chown=user .env.example .env
 
-# copy source code
-COPY src/ src/
-COPY frontend/ frontend/
-COPY setup.py .
-COPY .env.example .env
+# writable dirs for data pipeline + logs
+RUN mkdir -p /app/data/processed && chown -R user:user /app
+
+USER user
 
-# HF Spaces sets PORT=7860 by default
 ENV PORT=7860
 ENV PYTHONUNBUFFERED=1
 
-# the data pipeline runs on first startup via the lifespan hook
-# but we can also pre-run it in the build step for faster cold starts
-# NOTE: this requires the OPENAI_API_KEY to be set as a build secret
-# If not available, setup will run at first request instead
-
 EXPOSE 7860
 
 CMD ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "7860"]