FROM python:3.12-slim

# Set working directory
WORKDIR /app

# Install dependencies first (layer caching)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY app.py .
COPY templates/ templates/

# Create non-root user for security
RUN useradd -m -r appuser && chown -R appuser /app
USER appuser

# Expose port
EXPOSE 5000

# Entrypoint: initialise DB then launch with gunicorn
CMD ["sh", "-c", "python -c 'import app; app.init_db()' && gunicorn --bind 0.0.0.0:5000 --workers 2 --timeout 60 app:app"]