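# Container image for the craft_easy service, served by uvicorn on port 8000.
# NOTE(review): the base image is pinned by tag only; pinning by digest
# (python:3.12-slim@sha256:<digest>) would make rebuilds reproducible and
# guard against a retagged upstream image.
FROM python:3.12-slim

# Security: dedicated system user and group so the service never runs as root.
# NOTE(review): -r lets useradd pick the UID; if the runtime has to verify a
# non-root user numerically (e.g. Kubernetes runAsNonRoot), assign a fixed UID
# here and reference it in USER.
RUN groupadd -r craft && useradd -r -g craft craft

WORKDIR /app

# Dependencies (cached separately from code): only the project metadata and
# the package's __init__.py are present at this point, so this layer is
# rebuilt only when those files change.
COPY pyproject.toml README.md ./
COPY src/craft_easy/__init__.py src/craft_easy/__init__.py
RUN pip install --no-cache-dir .

# Application code. The install above packaged a tree that held only
# __init__.py, so the project is reinstalled from the complete source;
# --no-deps leaves the dependency set from the cached layer untouched.
COPY src/ src/
RUN pip install --no-cache-dir --no-deps --force-reinstall .

# Every build step above ran as root, so /app and the installed packages are
# root-owned; the service account runs the code without owning it.
USER craft

# urlopen raises on a connection failure or an HTTP error status, so the probe
# exits non-zero and the container is reported unhealthy after three misses.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"

# Documentation only: the port is reachable from outside the container only
# when it is published at run time.
EXPOSE 8000

# Exec form keeps uvicorn as PID 1 so it receives the stop signal directly.
# It binds all interfaces inside the container; restrict exposure through
# port publishing and network policy rather than the bind address.
CMD ["uvicorn", "craft_easy.app:create_app", "--factory", "--host", "0.0.0.0", "--port", "8000"]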
