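# Container image for the Python app started by app.py (served on port 7860).
# The process runs as an unprivileged user; see the notes on permissions below.

# Slim base image: fewer installed packages means a smaller attack surface.
# NOTE(review): the tag is mutable; pinning it by digest would make rebuilds
# reproducible and protect against a silently changed upstream image.
FROM python:3.10-slim-bookworm

# Set the working directory (created root-owned by WORKDIR).
WORKDIR /usr/src/app

# Create a non-root system user and group before any COPY so that
# COPY --chown can reference them, and hand the app directory itself to that
# user so the application can still create files next to its code.
# NOTE(review): if the app never writes into its own directory, leaving the
# code root-owned and read-only to appuser is the tighter option.
RUN groupadd -r appuser && \
    useradd --no-log-init -r -g appuser appuser && \
    chown appuser:appuser /usr/src/app

# Copy the requirements file first so the dependency layer stays cached
# until requirements.txt changes.
COPY --chown=appuser:appuser requirements.txt .

# Install uv and the dependencies without caching to reduce image size.
# NOTE(review): uv is pinned and installed, but the dependencies are still
# installed by pip; confirm uv is needed in the image, otherwise drop it.
# Pinned versions (ideally with --require-hashes) in requirements.txt are what
# make this step reproducible.
RUN pip install --no-cache-dir uv==0.4.28 && \
    pip install --no-cache-dir -r requirements.txt

# Copy the application code, owned by the runtime user. Setting ownership at
# COPY time avoids a separate recursive chown layer that duplicates every file.
# COPY . . takes the whole build context: keep secrets, .git and local
# environment files out of it with a .dockerignore.
COPY --chown=appuser:appuser . .

# Deliberately no recursive chmod on "/". Stripping the "other" permission
# bits from the whole filesystem removes the unprivileged user's access to the
# Python interpreter, the shared libraries and /usr itself (a parent of the app
# directory), so the container cannot start; the recursive walk also runs into
# /proc and /sys, and re-adding only r-x on /tmp leaves it non-writable.
# Isolation comes from USER below; further hardening belongs at run time
# (for example --read-only, --cap-drop=ALL, --security-opt no-new-privileges).

# Switch to the non-root user
USER appuser

# Expose the application port (documentation only; publishing is a run-time choice)
EXPOSE 7860

# Bind on all interfaces inside the container so a published port can reach
# the server; who can reach it from outside is decided by how the port is
# published.
ENV GRADIO_SERVER_NAME="0.0.0.0"

# Run the application
CMD ["python", "app.py"]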