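# syntax=docker/dockerfile:1

# Base image is parameterised so CI can pin it by digest
# (--build-arg PYTHON_IMAGE=python:3.12-slim-bookworm@sha256:<digest>)
# without editing this file; the default keeps the same floating tag as before.
ARG PYTHON_IMAGE=python:3.12-slim-bookworm
FROM ${PYTHON_IMAGE} AS runtime

# Stable numeric UID/GID so runtimes that enforce runAsNonRoot (e.g. Kubernetes)
# can verify the user numerically and bind-mounted artifact dirs get a
# predictable owner.
ARG APP_UID=10001
ARG APP_GID=10001

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /app

# Apply latest OS security patches before installing anything else.
# NOTE: a blanket `apt-get upgrade` is not reproducible (hadolint DL3005); once
# PYTHON_IMAGE is digest-pinned, prefer bumping the digest and dropping this step.
RUN apt-get update \
    && apt-get upgrade -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

# Package metadata and source first: these are the only inputs the pip install
# below needs, so a dataset change does not invalidate the install layer.
# Pair this with a .dockerignore (.git, .env, venvs, caches) so nothing
# sensitive enters the build context.
COPY pyproject.toml README.md LICENSE ./
COPY mmsafe/ ./mmsafe/

# Install package and required runtime extras into the runtime interpreter.
# Everything installed here stays root-owned (read-only for the app user) so a
# compromised process cannot rewrite its own code. Note that `--upgrade pip`
# is itself unpinned; pin it if reproducible builds matter more than fresh pip.
RUN python -m pip install --no-cache-dir --upgrade pip \
    && python -m pip install --no-cache-dir ".[viz]"

# Datasets are copied after the install so they can change without forcing a
# reinstall. They are read-only for the app user, like the code; if the app
# needs to write under /app/datasets, chown that path in the RUN below.
COPY datasets/ ./datasets/

# Create the non-root user with a writable home (for any per-user cache/config
# the tooling writes) and the writable artifacts path. Only those two paths are
# owned by the app user; /app itself stays root-owned (least privilege, and no
# `chown -R` duplicating the whole tree into a new layer).
# NOTE(review): the home directory moves from /app to /home/mmsafe — anything
# that resolved paths via $HOME now lands there.
RUN groupadd -r -g "${APP_GID}" mmsafe \
    && useradd -r -m -u "${APP_UID}" -g mmsafe -d /home/mmsafe mmsafe \
    && mkdir -p /app/artifacts \
    && chown mmsafe:mmsafe /app/artifacts

USER mmsafe

# Exec form: the `mmsafe` console script (installed by pip above) is PID 1 and
# receives SIGTERM directly; CMD supplies overridable default arguments.
ENTRYPOINT ["mmsafe"]
CMD ["--help"]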
