FROM python:3.9-slim

WORKDIR /app

# System deps + non-root user
RUN apt-get update && apt-get install -y git && \
    useradd -m appuser && chown -R appuser:appuser /app

USER appuser

# Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# App files
COPY --chown=appuser:appuser . .

CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "7860"]