FROM python:3.12-slim

# Hugging Face Spaces inject secrets as env vars at runtime (HF_TOKEN, DATASET_REPO, ...).
WORKDIR /app

# TruffleHog: authoritative server-side secret-detection backstop (run on every
# donation before it is published). Single static Go binary — no toolchain.
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl ca-certificates \
    && curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
       | sh -s -- -b /usr/local/bin \
    && apt-get purge -y curl && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/* \
    && trufflehog --version

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# App code + the website it serves at "/" + the social-preview image at /og.png
COPY app.py scrub.py index.html og.png ./

# HF Spaces route traffic to port 7860.
EXPOSE 7860

CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "7860"]