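# Container image for a Streamlit app (app.py) served on port 7860 as an
# unprivileged user.

# 1. Use an official lightweight Python image
# NOTE(review): the tag is mutable; pinning it by digest would make rebuilds
# reproducible and guard against a silently changed base image.
FROM python:3.9-slim

# 2. Set environment variables: unbuffered stdout/stderr, no .pyc files,
#    and no pip download cache kept in the image layers.
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PIP_NO_CACHE_DIR=1

# 3. Create a non-root user (Security Best Practice for HF Spaces)
RUN useradd -m -u 1000 user
USER user
# Packages pip installs as this user put their console scripts
# (such as streamlit) under ~/.local/bin, so that directory must be on PATH.
ENV PATH="/home/user/.local/bin:$PATH"

# 4. Set the working directory
WORKDIR /app

# 5. Install system dependencies
#    Root is needed only for apt; the build drops back to the unprivileged
#    user immediately afterwards. --no-install-recommends keeps optional
#    packages out of the image, and the apt lists are removed in the same layer.
# NOTE(review): git and build-essential stay in the runtime image. If they are
# only needed to build wheels, a multi-stage build would leave them out.
USER root
RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
USER user

# 6. Copy requirements first so the dependency layer is reused while only
#    application code changes.
COPY --chown=user requirements.txt ./

# 7. Install Python dependencies
# NOTE(review): requirements.txt is not visible here; pinned versions (ideally
# with hashes) make this step repeatable. pip itself is upgraded unpinned.
RUN pip install --upgrade pip && \
    pip install -r requirements.txt

# 8. Copy the rest of the application files
# NOTE(review): this copies the whole build context. A .dockerignore that
# excludes .git, .env and other local secrets keeps them out of the image.
COPY --chown=user . .

# 9. Expose the port
EXPOSE 7860

# 10. Run the Streamlit app
#     The flags below do not add protection; two of them relax it:
#       --server.enableXsrfProtection=false  turns off Streamlit's XSRF token check
#       --server.enableCORS=false            turns off its cross-origin request protection
#     --server.fileWatcherType none only disables source-file watching.
# NOTE(review): presumably the two protections were switched off so the app
# works behind the hosting platform's proxy or embedding. Confirm that is
# still required, and remove both flags if the app runs correctly with the
# defaults (both enabled).
CMD ["streamlit", "run", "app.py", \
     "--server.address", "0.0.0.0", \
     "--server.port", "7860", \
     "--server.enableXsrfProtection=false", \
     "--server.enableCORS=false", \
     "--server.fileWatcherType", "none"]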