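# Sandbox image: a Jupyter Kernel Gateway serving IPython kernels on port 8888.
#
# NOTE(review): the base tag is mutable. For reproducible builds, pin it by
# digest (python:3.13-slim@sha256:<digest>) and refresh the digest deliberately.
FROM python:3.13-slim

# NOTE(review): apart from the ipython lower bound, these packages are unpinned,
# so each rebuild can pull different code into the sandbox. Consider a
# constraints/lock file (ideally with hashes) so image contents are auditable.
RUN pip install --no-cache-dir \
    "ipykernel" \
    "ipython>=9.8.0" \
    "jupyter_kernel_gateway" \
    "matplotlib" \
    "matplotlib-inline"

# Non-root user for safer container execution.
# /workspace is created and chowned explicitly: ownership of a directory that
# WORKDIR creates implicitly can differ between builders, and a root-owned
# working directory would leave the kernels unable to write their output.
# "sandbox:" (empty group) selects the user's login group.
RUN useradd --create-home --shell /bin/bash sandbox \
    && mkdir -p /workspace \
    && chown sandbox: /workspace
USER sandbox
WORKDIR /workspace

# Documentation only; the port is actually published by whoever runs the container.
EXPOSE 8888

# Read the auth token from JUPYTER_TOKEN (set by DockerExecutor to a random value).
# Fall back to generating one if the variable is empty — never start unauthenticated.
#
# The token is handed to the gateway through KG_AUTH_TOKEN (the environment
# variable behind KernelGatewayApp.auth_token) instead of a command-line flag,
# so it does not appear in process listings such as `ps` or `docker top`.
# The emptiness check makes the start fail closed: if token generation itself
# fails, the container exits rather than running with an empty token.
#
# The gateway binds 0.0.0.0 so the published port can reach it; limit who can
# connect on the publishing side (for example by publishing on the host
# loopback only). NOTE(review): code running in a kernel presumably inherits
# this environment, so the token guards network access to the gateway and is
# not a secret from the sandboxed code itself.
CMD ["/bin/sh", "-c", \
     "KG_AUTH_TOKEN=${JUPYTER_TOKEN:-$(python -c 'import secrets; print(secrets.token_urlsafe(32))')}; \
      [ -n \"$KG_AUTH_TOKEN\" ] || { echo 'refusing to start: no auth token available' >&2; exit 1; }; \
      export KG_AUTH_TOKEN; \
      exec jupyter kernelgateway \
        --KernelGatewayApp.ip=0.0.0.0 \
        --KernelGatewayApp.port=8888"]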
