FROM python:3.10-slim

# Env
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
ENV HOME=/app
ENV PORT=7860

WORKDIR /app

# Create non-root user
RUN adduser --disabled-password --gecos '' appuser && \
    chown -R appuser:appuser /app

# Install Python deps first (better layer caching)
COPY requirements.txt .
RUN pip install --upgrade pip && \
    pip install --no-cache-dir -r requirements.txt

# Copy app code
COPY . .
RUN chown -R appuser:appuser /app

# Switch to non-root
USER appuser

# Expose the Gradio/FastAPI port
EXPOSE 7860

# HF Spaces will run this entrypoint; local dev works too
CMD ["python", "app.py"]