Fix Dockerfile: add curl for HEALTHCHECK and configure UID 1000 permissions

Dockerfile

@@ -1,12 +1,15 @@
 FROM python:3.11-slim
 
-WORKDIR /app
-
-# System deps
+# System deps (added curl for HEALTHCHECK)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    build-essential git && \
+    build-essential git curl && \
     rm -rf /var/lib/apt/lists/*
 
+# Add a non-root user (Hugging Face Spaces runs as 1000)
+RUN useradd -m -u 1000 appuser
+
+WORKDIR /app
+
 # Step 1: Install torch CPU
 RUN pip install --no-cache-dir torch==2.6.0
 
@@ -17,18 +20,23 @@ RUN pip install --no-cache-dir torch_scatter torch_sparse -f https://data.pyg.or
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
-# Copy app code
-COPY . .
+# Copy app code and set ownership
+COPY --chown=appuser:appuser . .
+
+# Set environment variables
+ENV PYTHONPATH=/app:$PYTHONPATH \
+    HOME=/home/appuser
 
-# Add project root to Python path (no setup.py needed)
-ENV PYTHONPATH=/app:$PYTHONPATH
+# Streamlit config (placed in the correct HOME directory)
+RUN mkdir -p /home/appuser/.streamlit && \
+    printf '[server]\nheadless = true\nport = 7860\nenableCORS = false\nenableXsrfProtection = false\n' > /home/appuser/.streamlit/config.toml && \
+    chown -R appuser:appuser /home/appuser/.streamlit /app
 
-# Streamlit config
-RUN mkdir -p /root/.streamlit && \
-    printf '[server]\nheadless = true\nport = 7860\nenableCORS = false\nenableXsrfProtection = false\n' > /root/.streamlit/config.toml
+# Switch to the non-root user
+USER appuser
 
 EXPOSE 7860
 
-HEALTHCHECK CMD curl --fail http://localhost:7860/_stcore/health
+HEALTHCHECK CMD curl --fail http://localhost:7860/_stcore/health || exit 1
 
 ENTRYPOINT ["streamlit", "run", "app/main.py", "--server.port=7860", "--server.address=0.0.0.0"]