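# ---- Builder Stage ----
# Resolves the locked dependency set into /virtualenvs/.venv. The later stage
# copies only that directory out of this one.
FROM python:3.13.3-slim-bookworm AS builder
WORKDIR /virtualenvs

# Install uv by copying its binaries out of the upstream image.
# NOTE(review): `:latest` is a mutable tag, so the tool that installs every
# dependency can change between builds with no change to this file. Pin this
# reference to a specific uv release tag (ideally with its digest) and bump it
# deliberately.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

# UV_COMPILE_BYTECODE=1 precompiles .pyc files at install time.
# UV_LINK_MODE=copy makes uv copy files out of its cache instead of linking
# them; the cache below is a build mount that is not part of the image.
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    UV_COMPILE_BYTECODE=1 \
    UV_LINK_MODE=copy \
    PATH="/virtualenvs/.venv/bin:$PATH"

# Copy only the dependency manifests so this layer and the install below stay
# cached until pyproject.toml or uv.lock changes.
COPY pyproject.toml uv.lock /virtualenvs/

# Install dependencies (excluding the project itself) exactly as recorded in
# uv.lock; --frozen stops uv from re-resolving or rewriting the lockfile.
# WORKDIR is already /virtualenvs, so no `cd` is needed here.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project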
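# ---- Development Stage ----
# Runtime image: the prebuilt virtualenv plus the application source, run as
# an unprivileged user.
FROM python:3.13.3-slim-bookworm AS development

# Fixed UID so the runtime can verify or match the non-root user.
RUN useradd -m -u 1000 appuser
WORKDIR /src

ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    VIRTUAL_ENV=/virtualenvs/.venv \
    PATH="/virtualenvs/.venv/bin:$PATH"

# Install system dependencies. --no-install-recommends keeps optional packages
# out of the image.
# NOTE(review): nothing visible in this file uses netcat; presumably a startup
# or wait script does. Confirm it is still needed, otherwise drop it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends netcat-openbsd \
    && rm -rf /var/lib/apt/lists/*

# Install uv in the runtime stage.
# NOTE(review): `:latest` is a mutable tag, so the binary shipped in the
# running image can change between builds. Pin it to a specific uv release tag
# (ideally with its digest), and confirm uv is needed at runtime at all.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

# Copy virtual environment from builder stage
COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}

# Copy application code.
# NOTE(review): this copies the whole build context. Make sure .dockerignore
# excludes .git, .env files and any other local credentials.
COPY . /src

# Ensure permissions so non-root can read/execute env and write to repo dirs if needed
RUN chown -R appuser:appuser /virtualenvs /src

# Point HOME at the non-root user's home directory.
# NOTE(review): presumably so Streamlit keeps its per-user files there. Nothing
# in this file disables telemetry; set that in the Streamlit config if wanted.
ENV HOME=/home/appuser
USER appuser

EXPOSE 8501

# The slim base image does not ship curl and this stage never installs it, so
# a curl-based probe would fail on every run and mark the container unhealthy.
# Probe with the Python interpreter the image already has: urlopen raises on a
# connection error or an HTTP error status, which gives a non-zero exit.
HEALTHCHECK CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8501/_stcore/health', timeout=5)"]

# NOTE(review): --server.enableXsrfProtection=false turns off Streamlit's XSRF
# check while the server listens on all interfaces (0.0.0.0). Confirm the
# deployment really needs this (for example a fronting proxy that breaks the
# check) and re-enable it otherwise.
ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0", "--server.enableXsrfProtection=false"]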