FROM python:3.9-bullseye

# Create non-root user (HF requirement)
RUN useradd -m -u 1000 user
USER user

ENV PATH="/home/user/.local/bin:$PATH"
WORKDIR /app

# System deps
USER root
RUN apt-get update && apt-get install -y \
    libgl1 \
    libglib2.0-0 \
    git \
    && rm -rf /var/lib/apt/lists/*
USER user

# Python deps
COPY --chown=user requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# App code
COPY --chown=user . .

# Upload dir
RUN mkdir -p static/uploads

EXPOSE 7860

CMD ["gunicorn", "-b", "0.0.0.0:7860", "app:app"]