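# Single image for both dev and prod; Compose files differentiate behavior.
# NOTE(review): the 3.12-slim tag is mutable. For reproducible production
# builds, pin it by digest (python:3.12-slim@sha256:<digest-placeholder>) and
# refresh the pin deliberately to pick up base-image security updates.
FROM python:3.12-slim

WORKDIR /app

# Create the unprivileged runtime account first so the COPY steps below can
# assign ownership directly. A recursive chown in a later RUN stores a second
# copy of every application file in an extra layer.
# WORKDIR created /app as root; hand the still-empty directory to botuser.
RUN adduser --disabled-password --gecos "" botuser \
    && chown botuser:botuser /app

# Install dependencies. Copying only the manifest first keeps this layer cached
# until requirements.txt changes.
# pip runs as root here; anything it writes under /app (for example editable
# VCS requirements checked out to ./src) stays root-owned.
# NOTE(review): requirements.txt is not visible here. Confirm it pins exact
# versions (ideally with hashes) so rebuilds cannot pull in unreviewed releases.
COPY --chown=botuser:botuser requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Application code. Only the named paths are copied, so other files in the
# build context do not reach the image.
# NOTE(review): ownership by botuser is kept from the original layout, so the
# running process can modify its own code. If the app never writes under /app,
# dropping --chown here leaves the code root-owned and read-only at runtime.
COPY --chown=botuser:botuser config.py main.py ./
COPY --chown=botuser:botuser handlers/ ./handlers/

# Run as non-root
USER botuser

# Exec form: python is PID 1 and receives SIGTERM from `docker stop` directly.
CMD ["python", "main.py"]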