FROM python:3.10-slim

# Create a non-root user for safer execution
RUN useradd -m -u 1000 user
USER user
ENV PATH="/home/user/.local/bin:$PATH"
WORKDIR /app

# Make cache + static directories and ensure permissions
RUN mkdir -p /app/cache /app/static

# Set HF cache env vars so diffusers/transformers don't try to write to /.cache
ENV HF_HOME=/app/cache
ENV TRANSFORMERS_CACHE=/app/cache

# Copy requirements & install
COPY --chown=user requirements.txt requirements.txt
RUN python -m pip install --no-cache-dir --upgrade pip
RUN python -m pip install --no-cache-dir -r requirements.txt

# Copy app
COPY --chown=user . /app

# Expose port (Spaces uses 7860 default)
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "7860"]