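# ---------------- builder stage ----------------
# Builds wheels for everything in requirements.txt so the runtime image needs
# no compiler toolchain. This stage is discarded and is not part of the final
# image.
#
# NOTE(review): the base image is referenced by tag only, and a tag can be
# re-pointed upstream. For reproducible builds also pin the digest, e.g.
# python:3.13.5-slim@sha256:<digest-of-the-image-you-verified>.
FROM python:3.13.5-slim AS builder

# Build-time only: an ARG is visible to RUN steps in this stage but is not
# persisted into the image environment the way ENV is.
ARG DEBIAN_FRONTEND=noninteractive

ENV PYTHONUNBUFFERED=1

# Install build dependencies in one RUN to keep image layers small
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        gcc \
        git \
        python3-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /wheels

# Copy requirements and build wheels to /wheels
# NOTE(review): nothing in this step checks package integrity. If
# requirements.txt carries exact versions and --hash entries, pip's
# --require-hashes mode makes the build fail on a substituted package.
COPY requirements.txt .
RUN pip3 wheel --no-cache-dir -r requirements.txt -w /wheels

# ---------------- final image ----------------
# Runtime image: Python, curl (used by HEALTHCHECK), the app source and the
# wheels built above. The same digest-pinning note as the builder stage applies.
FROM python:3.13.5-slim

# Only needed while apt-get runs below; kept out of the runtime environment.
ARG DEBIAN_FRONTEND=noninteractive

# Hugging Face cache dirs inside container (avoid /root/.cache permissions issues)
ENV PYTHONUNBUFFERED=1 \
    APP_USER=appuser \
    APP_HOME=/home/appuser \
    APP_DIR=/app \
    HF_HOME=/app/.cache/huggingface \
    HUGGINGFACE_HUB_CACHE=/app/.cache/huggingface/hub \
    TRANSFORMERS_CACHE=/app/.cache/huggingface/transformers \
    XDG_CACHE_HOME=/app/.cache

# Install minimal runtime deps and cleanup in one RUN
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user and app dirs.
# The account gets a nologin shell; only the app dir, home, cache and log
# directories are handed over to it.
RUN useradd --create-home --home-dir "${APP_HOME}" --shell /usr/sbin/nologin "${APP_USER}" \
    && mkdir -p "${APP_DIR}" "${APP_HOME}" /app/.cache/huggingface/transformers /app/.cache/huggingface/hub /app/src/logs \
    && chown -R "${APP_USER}:${APP_USER}" "${APP_DIR}" "${APP_HOME}" /app/.cache /app/src/logs

WORKDIR ${APP_DIR}

# Copy project source and wheels from builder
# NOTE(review): --chown makes the application code writable by the runtime
# user. If the app only needs to write under .cache and src/logs, leaving the
# code root-owned would be tighter; confirm against what the app writes.
COPY --chown=${APP_USER}:${APP_USER} src/ ./src/
COPY requirements.txt ./
COPY --from=builder /wheels /wheels

# Install Python dependencies from built wheels (faster, reproducible).
# --no-index with --find-links means pip resolves only from /wheels and never
# consults a package index during this step.
# NOTE(review): the rm removes /wheels from the final filesystem, but the files
# still occupy the COPY layer above. With BuildKit, a bind mount
# (RUN --mount=type=bind,from=builder,source=/wheels,target=/wheels ...) would
# avoid shipping that layer at all.
RUN pip3 install --no-cache-dir --no-index --find-links=/wheels -r requirements.txt \
    && rm -rf /wheels

EXPOSE 8501

HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD curl --fail http://localhost:8501/_stcore/health || exit 1

# Run as non-root user
USER ${APP_USER}

# NOTE:
# - The entrypoint expects your Streamlit app at src/streamlit_app.py.
# - If your file is named src/streamlitapp.py (no underscore), update the ENTRYPOINT accordingly.
# - The server listens on 0.0.0.0 so the published port is reachable from
#   outside the container. This Dockerfile configures no authentication or TLS,
#   so access control has to come from whatever fronts the container.
ENTRYPOINT ["streamlit", "run", "src/streamlit_app.py", "--server.port=8501", "--server.address=0.0.0.0"]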