Update Dockerfile

Dockerfile

@@ -1,20 +1,45 @@
 FROM python:3.10-slim
 
+# Set environment variables to make Python and Pip output unbuffered (good for logs)
+ENV PYTHONUNBUFFERED=1
+
 # Install system dependencies including ffmpeg
 RUN apt-get update && \
     apt-get install -y --no-install-recommends ffmpeg libsm6 libxext6 && \
+    apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-WORKDIR /app
+# Create a non-root user and group
+ARG APP_USER_UID=1000
+ARG APP_USER_GID=1000
+RUN groupadd --gid $APP_USER_GID appgroup && \
+    useradd --uid $APP_USER_UID --gid appgroup --shell /bin/bash --create-home appuser
+
+# Set the working directory (this will also be appuser's home directory due to --create-home)
+WORKDIR /home/appuser/app
 
+# Copy requirements first to leverage Docker cache
 COPY requirements.txt ./
+
+# Install Python dependencies
+# Ensure pip is up to date, then install requirements
 RUN pip install --no-cache-dir --upgrade pip
 RUN pip install --no-cache-dir -r requirements.txt
 
+# Copy the rest of the application code
 COPY . .
 
+# Change ownership of the app directory to the appuser
+# (WORKDIR is /home/appuser/app, so chown this path)
+RUN chown -R appuser:appgroup /home/appuser/app
+
+# Switch to the non-root user
+USER appuser
+
 # Expose Streamlit's default port
 EXPOSE 8501
 
 # Command to run Streamlit
-CMD ["streamlit", "run", "app.py"]
+# Using server.headless=true is good practice for containers.
+# Streamlit will try to create .streamlit in the user's home dir (/home/appuser)
+CMD ["streamlit", "run", "app.py", "--server.headless=true"]