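# syntax=docker/dockerfile:1

# Use a slim Python image
FROM python:3.12-slim

# Install uv.
# NOTE(review): `:latest` is not reproducible — two builds can pick up different
# uv releases. Pin to a release tag (ideally plus a digest) once one is chosen.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv

# Install system dependencies (Required for Postgres and Healthchecks).
# --no-install-recommends limits the runtime image to the packages named here;
# the apt lists are removed in the same layer so they never persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        libpq5 \
        postgresql-client \
    && rm -rf /var/lib/apt/lists/*

# Set working directory
WORKDIR /app

# Copy dependency files (lockfile pins exact versions — SEC-05)
COPY pyproject.toml uv.lock ./

# Install the locked dependency set into the system environment.
# `uv export --frozen` fails the build if uv.lock is out of sync with pyproject.toml,
# so image builds are reproducible and can't silently pull newer packages.
# `--no-cache` keeps uv's download cache out of this layer (it would otherwise be
# left under the root home directory and shipped in the image).
RUN uv export --frozen --no-dev --no-emit-project --format requirements-txt -o /tmp/requirements.txt \
    && uv pip install --system --no-cache -r /tmp/requirements.txt \
    && rm /tmp/requirements.txt

# Copy the rest of the application.
# NOTE(review): assumes a .dockerignore excludes .git, .env and local build
# artefacts from the context — confirm, otherwise they end up in this layer.
COPY . .

# Security: Run as a non-privileged user (standard for 24/7 telemetry).
# The files copied above remain root-owned, so the running service can read
# but not modify its own code.
RUN useradd -m telemetry-user
USER telemetry-user

# CMD is handled by docker-compose.yml to differentiate movement vs events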