FROM python:3.11-slim

# Install runtime tools for healthcheck and clean signal handling
RUN apt-get update && apt-get install -y --no-install-recommends \
      curl tini \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Python/env knobs
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1

# Create a non-root user
RUN useradd -m -u 10001 appuser

# Install deps first for better layer caching
COPY requirements.txt .
RUN python -m pip install --upgrade pip && \
    pip install --no-cache-dir -r requirements.txt

# App code
COPY . .

# Drop privileges
USER appuser

EXPOSE 8000

# Use tini as PID 1 to handle signals/reaping
ENTRYPOINT ["tini", "--"]

# Run uvicorn via module so it’s always found
CMD ["python", "-m", "uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8000"]