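# Runtime image for the FastAPI/uvicorn service in app/.
# NOTE(review): `python:3.11-slim` is a moving tag; pin by digest
# (FROM python:3.11-slim@sha256:<digest-placeholder>) for reproducible production builds.
FROM python:3.11-slim AS base
WORKDIR /app

# Create the unprivileged runtime user before any COPY so ownership can be
# assigned at copy time; a trailing `chown -R` would re-write every file into
# a new layer and double the image size. Stable numeric UID/GID (1001) lets
# orchestrators verify runAsNonRoot; no home directory and no login shell.
# /data is bind-mounted read-only in production, so it only needs to exist.
RUN groupadd --system --gid 1001 appuser && \
    useradd --system --uid 1001 --gid appuser --no-create-home \
        --shell /usr/sbin/nologin appuser && \
    mkdir -p /data && \
    chown appuser:appuser /app /data

# Install dependencies in their own layer: cached until requirements.txt changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code, owned by the runtime user.
COPY --chown=appuser:appuser app/ app/

# Drop privileges for everything from here on (the server runs as appuser).
USER appuser
# Unprivileged port (>1024) so binding works without extra capabilities as non-root.
EXPOSE 8001
ENV PORT=8001

# sh -c is needed only to expand ${PORT}; `exec` replaces the shell so uvicorn
# becomes PID 1 and receives SIGTERM from `docker stop` directly instead of
# the shell swallowing it and the container being SIGKILLed after the timeout.
CMD ["sh", "-c", "exec python -m uvicorn app.main:app --host 0.0.0.0 --port \"${PORT}\""]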