Update Dockerfile

Dockerfile

@@ -1,24 +1,48 @@
 FROM python:3.13.5-slim
 
-WORKDIR /app
+# Avoid interactive prompts during build
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Create non-root user for better security
+ARG APP_USER=appuser
+ARG APP_HOME=/home/${APP_USER}
 
 RUN apt-get update && apt-get install -y \
     build-essential \
     curl \
     git \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
+# Create app user and working dir early so we can chown files later
+RUN useradd --create-home --home-dir ${APP_HOME} --shell /usr/sbin/nologin ${APP_USER}
+
+WORKDIR /app
+
+# Copy project files
 COPY requirements.txt ./
 COPY src/ ./src/
 
-# Ensure logs folder exists and is writable by the container at runtime.
-# Using permissive mode for simplicity; tighten permissions if you run as a non-root user.
-RUN mkdir -p /app/src/logs && chmod -R a+rwx /app/src/logs
+# Configure Hugging Face / transformers cache inside container to avoid permission issues
+ENV TRANSFORMERS_CACHE=/app/.cache/huggingface/transformers \
+    HUGGINGFACE_HUB_CACHE=/app/.cache/huggingface/hub \
+    HF_HOME=/app/.cache/huggingface \
+    XDG_CACHE_HOME=/app/.cache \
+    HOME=${APP_HOME}
+
+# Create cache + logs directories and ensure the app user owns them
+RUN mkdir -p /app/.cache/huggingface/transformers /app/.cache/huggingface/hub /app/src/logs && \
+    chown -R ${APP_USER}:${APP_USER} /app/.cache /app/src/logs /app/src
 
-RUN pip3 install -r requirements.txt
+# Install Python deps
+RUN pip3 install --no-cache-dir -r requirements.txt
 
 EXPOSE 8501
 
-HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD curl --fail http://localhost:8501/_stcore/health || exit 1
+
+# Run as non-root user
+USER ${APP_USER}
 
 ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]