FROM python:3.9-slim

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    build-essential \
    curl \
    git \
    && rm -rf /var/lib/apt/lists/*

# Create a non-root user and give permissions to /app
RUN useradd -m -u 1000 streamlituser && \
    chown -R streamlituser:streamlituser /app

# Switch to non-root user
USER streamlituser

# Copy requirements first to leverage Docker cache
COPY --chown=streamlituser:streamlituser requirements.txt ./

# Install Python dependencies
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY --chown=streamlituser:streamlituser src/ ./src/

# Environment variables
ENV STREAMLIT_GATHER_USAGE_STATS=False \
    STREAMLIT_SERVER_PORT=8501 \
    STREAMLIT_SERVER_ADDRESS=0.0.0.0

# Healthcheck
HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
    CMD curl --fail http://localhost:8501/_stcore/health

# Expose port
EXPOSE 8501

# Entrypoint
ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py"]