FROM python:3.10-alpine

WORKDIR /app

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PYTHONPATH=/app \
    ADMIN_API_KEY=super-secret-admin-key-123

# Install runtime dependencies and create runtime user
RUN apk add --no-cache sqlite-libs \
    && addgroup -S appgroup \
    && adduser -S -G appgroup appuser

# Copy requirements first (optimization for caching)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY . .

# Create data directory with proper permissions
RUN mkdir -p /data/db \
    && chown -R appuser:appgroup /data/db \
    && chmod -R 755 /data/db

# Set proper permissions for application directory
RUN chown -R appuser:appgroup /app \
    && chmod -R 755 /app

# Switch to non-root user
USER appuser

# Expose port
EXPOSE 5000

# Run the application
CMD ["python", "main.py"]