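# Streamlit application image: dependencies are installed as root, then the
# app runs as an unprivileged user and listens on port 7860.
# NOTE(review): the base image is referenced by tag only; pinning it by digest
# (python:3.11-slim@sha256:<digest>) would make rebuilds reproducible.
FROM python:3.11-slim

# curl is kept in the image because the HEALTHCHECK below uses it. The apt
# lists are removed in the same layer so they do not persist.
RUN apt-get update && apt-get install -y --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/*

# Unprivileged account (fixed UID 1000) that the container runs as.
RUN useradd -m -u 1000 appuser

WORKDIR /app

# Dependency layer: rebuilt only when requirements.txt changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Application code changes most often, so it is copied last.
# NOTE(review): this copies the entire build context; a .dockerignore should
# keep .git, local .env files and other credentials out of the image.
COPY --chown=appuser:appuser . .

# PYTHONPATH is set to /app alone. The previous value /app:$PYTHONPATH expanded
# an undefined variable and left a trailing empty entry, which Python can treat
# as "current working directory" and which would follow any -w/--workdir
# override at run time.
ENV PYTHONPATH=/app \
    HOME=/home/appuser

# Write the Streamlit server config and hand the config dir and /app to appuser
# (WORKDIR created /app as root).
# NOTE(review): enableCORS = false and enableXsrfProtection = false switch off
# Streamlit's cross-origin and XSRF checks while the server listens on 0.0.0.0.
# Keep them only if the hosting front end really requires it (confirm);
# otherwise drop both keys so Streamlit's defaults (both enabled) apply.
RUN mkdir -p /home/appuser/.streamlit && \
    printf '[server]\nheadless = true\nport = 7860\nenableCORS = false\nenableXsrfProtection = false\n' > /home/appuser/.streamlit/config.toml && \
    chown -R appuser:appuser /home/appuser/.streamlit /app

# Everything from here on, including the running container, is non-root.
USER appuser

# Documentation only; the port still has to be published at run time.
EXPOSE 7860

# Probe Streamlit's health endpoint; three consecutive failures after the
# 120 s start period mark the container unhealthy.
HEALTHCHECK --interval=30s --timeout=60s --start-period=120s --retries=3 \
    CMD curl --fail http://localhost:7860/_stcore/health || exit 1

# Exec form so streamlit is PID 1 and receives stop signals directly.
ENTRYPOINT ["streamlit", "run", "app/main.py", "--server.port=7860", "--server.address=0.0.0.0"]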