FROM python:3.13.5-slim

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    curl \
    git \
    && rm -rf /var/lib/apt/lists/*

# Create a non-root user
RUN useradd -m -u 1000 appuser

# Create cache directories with proper permissions
RUN mkdir -p /app/.cache/huggingface /app/.streamlit && \
    chown -R appuser:appuser /app

# Copy requirements and install Python dependencies as root (for system-wide packages)
COPY requirements.txt ./
RUN pip3 install --no-cache-dir -r requirements.txt

# Copy source code and set ownership
COPY src/ ./src/
RUN chown -R appuser:appuser /app

# Install NLTK tokenizers
RUN python -m nltk.downloader punkt punkt_tab


# Switch to non-root user
USER appuser

# Set environment variables for cache directories
ENV HF_HOME=/app/.cache/huggingface
ENV STREAMLIT_CONFIG_DIR=/app/.streamlit

EXPOSE 8501

HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health

ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]