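# Base image: official CPython 3.12 image.
# NOTE(review): the tag is mutable. Pinning by digest
# (python:3.12@sha256:<digest-of-the-image-you-verified>) keeps rebuilds
# reproducible and prevents a re-pushed tag from silently changing the base.
FROM python:3.12

# Create a dedicated non-root system user & group for the service.
RUN addgroup --system appgroup \
    && adduser --system --ingroup appgroup appuser

# Application home; WORKDIR creates /app if it does not exist.
WORKDIR /app

# Pre-create the log and venv directories, then hand /app to the service user
# so it can write to /app/logs at runtime.
# NOTE(review): this makes /app and /app/venv themselves owned by appuser.
# Files added later are root-owned, but a directory owner can still unlink and
# replace entries, so a compromised process could swap out its own code.
# If the app only needs to write logs, chown just /app/logs. Confirm what the
# app writes before tightening.
RUN mkdir -p /app/logs /app/venv \
    && chown -R appuser:appgroup /app

# Copy code and requirements (root-owned: no --chown is given).
# This copies the entire build context. Keep a .dockerignore that excludes
# .git, .env or other credential files, and any local venv/ or logs/ directory,
# so secrets and host artifacts do not end up in an image layer.
# NOTE(review): copying all sources before installing means every code change
# re-runs the pip layer. Copying requirements.txt first would restore caching,
# provided the requirements do not reference local paths. Verify first.
COPY . /app/

# Build the virtualenv and install dependencies as root, so the installed
# packages are not owned by the runtime user.
# --no-cache-dir is passed to both pip calls so no download cache is left in
# the layer. The pip upgrade is unpinned, so its result can vary per build.
RUN python -m venv /app/venv \
    && /app/venv/bin/pip install --no-cache-dir --upgrade pip \
    && /app/venv/bin/pip install --no-cache-dir -r requirements.txt

# Drop privileges: everything from here on, including the container's main
# process, runs as the non-root service user.
USER appuser

# Default command always uses the venv's Python (exec form, so the process
# receives signals directly).
CMD ["/app/venv/bin/python", "manager.py"]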