# PV Defect Classifier — HuggingFace Spaces
FROM python:3.11-slim

# Run as non-root user (UID 1000) per container security best practices
RUN useradd -m -u 1000 user

WORKDIR /app

# Install dependencies (cache layer)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
RUN pip install --no-cache-dir gunicorn

# Copy application code (--chown avoids permission issues)
COPY --chown=user app.py .
COPY --chown=user templates/ templates/
COPY --chown=user models/ models/
COPY --chown=user test_images/ test_images/

# Switch to non-root user
USER user
ENV HOME=/home/user \
    PATH=/home/user/.local/bin:$PATH

# Bind to container-configured application port 7860
# 1 worker = 1 model copy in memory; timeout 120s for cold start
CMD ["gunicorn", "--bind", "0.0.0.0:7860", "--workers", "1", "--timeout", "120", "app:app"]