# Pin to a specific slim tag. Resolve and pin the digest in an environment with
# registry access for full supply-chain reproducibility.
FROM python:3.12-slim-bookworm AS build
WORKDIR /src
COPY . .
RUN pip install --no-cache-dir build && python -m build --wheel

FROM python:3.12-slim-bookworm
RUN useradd --create-home --uid 1000 ragproof
COPY --from=build /src/dist/*.whl /tmp/
RUN pip install --no-cache-dir /tmp/*.whl && rm -f /tmp/*.whl
USER ragproof
WORKDIR /work
ENTRYPOINT ["ragproof"]
CMD ["--help"]
