FROM python:3.11-slim

WORKDIR /app
# Create a non-root user with a fixed numeric UID/GID so Kubernetes can verify runAsNonRoot
RUN groupadd -g 1000 appgroup \
    && useradd -u 1000 -g 1000 -m appuser \
    && chown -R 1000:1000 /app
# Use numeric UID to avoid "non-numeric user" errors in Kubernetes
USER 1000

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8000
CMD alembic upgrade head && uvicorn app.app:app --host 0.0.0.0 --port 8000