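# Image for the app in app/, served by uvicorn as app.main:app on ${PORT}.
# NOTE(review): the base tag is not pinned by digest, so rebuilds can pick up a
# different image; pin it once the digest has been verified.
FROM python:3.11-slim AS base

WORKDIR /app

# Install dependencies before copying the source so this layer is reused
# until requirements.txt changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy app
COPY app/ app/

# Data dir (will be bind-mounted read-only in production).
# Created while the build still runs as root: placed after USER appuser, the
# mkdir fails because an unprivileged user cannot create a directory under /.
RUN mkdir -p /data

# Non-root user (fixed UID 1001); everything after USER runs unprivileged.
# NOTE(review): chown -R leaves the application code writable by the runtime
# user. If the app never writes under /app, drop the chown so a compromised
# process cannot modify its own code.
RUN useradd -r -u 1001 appuser && chown -R appuser /app
USER appuser

EXPOSE 8001
ENV PORT=8001

# sh -c is kept only to expand ${PORT}; exec replaces the shell so uvicorn is
# PID 1 and receives SIGTERM from `docker stop` directly.
CMD ["sh", "-c", "exec python -m uvicorn app.main:app --host 0.0.0.0 --port \"${PORT}\""]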