FROM python:3.11-slim

# System deps (added curl for HEALTHCHECK)
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential git curl && \
    rm -rf /var/lib/apt/lists/*

# Add a non-root user (Hugging Face Spaces runs as 1000)
RUN useradd -m -u 1000 appuser

WORKDIR /app

# Step 1: Install torch CPU
RUN pip install --no-cache-dir torch==2.6.0

# Step 2: Install torch extensions from PyG wheels
RUN pip install --no-cache-dir torch_scatter torch_sparse -f https://data.pyg.org/whl/torch-2.6.0+cpu.html

# Step 3: Other Python deps
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy app code and set ownership
COPY --chown=appuser:appuser . .

# Set environment variables
ENV PYTHONPATH=/app:$PYTHONPATH \
    HOME=/home/appuser

# Streamlit config (placed in the correct HOME directory)
RUN mkdir -p /home/appuser/.streamlit && \
    printf '[server]\nheadless = true\nport = 7860\nenableCORS = false\nenableXsrfProtection = false\n' > /home/appuser/.streamlit/config.toml && \
    chown -R appuser:appuser /home/appuser/.streamlit /app

# Switch to the non-root user
USER appuser

EXPOSE 7860

HEALTHCHECK CMD curl --fail http://localhost:7860/_stcore/health || exit 1

ENTRYPOINT ["streamlit", "run", "app/main.py", "--server.port=7860", "--server.address=0.0.0.0"]