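# syntax=docker/dockerfile:1
# NOTE(review): for reproducible builds pin the base by digest as well as tag,
# e.g. python:3.12-slim@sha256:<digest-from-registry>.
FROM python:3.12-slim

# Keep the runtime env small: no .pyc files written into the image layer,
# and unbuffered stdout/stderr so container logs are not lost on a crash.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /opt/app

# Dedicated unprivileged account for the service. A fixed numeric UID/GID
# lets orchestrators that enforce runAsNonRoot verify it without a passwd
# lookup. Created early so it is available for --chown below.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app --home-dir /opt/app --no-create-home app

# Bump pip to a version with no known CVEs before installing anything.
# Without this, pip-audit flags CVE-2025-8869, CVE-2026-1703, CVE-2026-3219
# in pip itself. Pinned floor; pip is forward-compatible across 26.x.
# Caveat: this step is the one install that is NOT hash-verified — it trusts
# the index over TLS — because the pinned floor, not a lockfile, governs it.
RUN pip install --no-cache-dir --upgrade "pip>=26.0"

# requirements.txt is a fully-pinned lockfile generated from
# requirements.in via pip-compile (see scripts/regenerate-lockfile.sh).
# --require-hashes refuses to install any package whose sha256 doesn't
# match a hash in the file — defends against compromised upstream
# mirrors and accidental version drift.
# Copied on its own so the dependency layer stays cached until the
# lockfile itself changes.
COPY requirements.txt .
RUN pip install --no-cache-dir --require-hashes -r requirements.txt

# Application source goes in last (most frequently changing layer) and is
# owned by the service user rather than root.
COPY --chown=app:app app/ ./app/

# Documentation only (does not publish the port); matches the CMD below.
EXPOSE 8084

# Drop privileges after every root-only step (package installs) is done.
USER app

CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8084"]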
