FROM python:3.10-slim

# Create a non-root user and group
RUN adduser --disabled-password --gecos '' myuser

# Set working directory
WORKDIR /app

# Copy requirements and install dependencies as root (needed for system-wide install)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy app code
COPY app.py .

# Change to non-root user
USER myuser

# Expose port and start app
EXPOSE 8080
CMD ["gunicorn", "--bind", "0.0.0.0:8080", "app:app"]