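# syntax=docker/dockerfile:1
# The syntax directive pins the BuildKit frontend, which the secret mount below requires.

# NOTE(review): the base image is referenced by a mutable tag. For reproducible,
# tamper-evident builds, pin it by digest (python:3.11@sha256:<DIGEST-PLACEHOLDER>)
# once the digest has been verified.
FROM python:3.11

# Unprivileged runtime account; the fixed UID 1000 is what the final USER resolves to.
RUN useradd -m -u 1000 user

# Build toolchain and git, installed in one layer with the apt lists removed
# in that same layer so they never persist in the image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        git \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# The repository URL is supplied as a BuildKit secret, so it does not appear in
# the image history. Three hardening points:
#   * mode=0400: this step runs as root, so the secret need not be world-readable.
#   * the substitution is quoted so the URL is passed to git as a single argument.
#   * git records the clone URL in .git/config (and a form of it in the reflog),
#     which would persist the secret in this layer; .git is therefore removed in
#     the same RUN. Assumes app.py does not need git metadata at runtime (confirm).
# NOTE(review): the clone is not pinned to a commit and this layer is cached
# independently of upstream changes; consider checking out a reviewed commit so
# the code and requirements.txt installed below are the ones that were audited.
RUN --mount=type=secret,id=REPO,mode=0400,required=true \
    git clone --depth 1 "$(cat /run/secrets/REPO)" leafcat-mcp \
    && rm -rf leafcat-mcp/.git

# WORKDIR replaces the former `RUN cd leafcat-mcp`; it is also the runtime directory.
WORKDIR /app/leafcat-mcp

# Dependencies are installed as root into the system site-packages, without the
# secret mounted, so package build scripts cannot read the repository URL.
# Ownership of /app is handed to the unprivileged user after the install so that
# any files the install writes into the tree are covered as well.
RUN pip install --no-cache-dir -r requirements.txt \
    && chown -R user: /app

# Drop root before the service starts.
USER user

# Documentation only: the port is unprivileged, so the non-root user can bind it.
EXPOSE 7860

ENTRYPOINT ["python", "app.py"]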