# Image for the lab web service: installs the Python dependencies, copies the
# `app/` and `fixed/` trees into /srv, and starts uvicorn as the unprivileged
# user `lab`.
#
# NOTE(review): `3.11-slim` is a mutable tag, so rebuilds can pick up a
# different base image over time. Pin by digest (python:3.11-slim@sha256:<digest>)
# if the lab needs to be reproducible.
FROM python:3.11-slim

# Absolute working directory; created by WORKDIR if it does not exist.
WORKDIR /srv

# The manifest is copied on its own so the dependency layer is reused until
# requirements.txt changes. --no-cache-dir keeps pip's download cache out of
# the layer.
# NOTE(review): what gets installed depends on how strictly requirements.txt
# pins versions (ideally with hashes); that file is not shown here, so confirm.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Both trees are copied while the build still runs as root and without
# --chown, so the files are owned by root. Unless the build context carries
# group/world-writable modes, the `lab` user can read but not modify them.
# Keep it that way so a compromised app process cannot rewrite its own code.
# NOTE(review): `fixed/` is presumably the patched counterpart of `app/`;
# confirm against the lab documentation.
COPY app/ ./app/
COPY fixed/ ./fixed/

# Drop privileges -- the lab should never run as root.
# USER applies to every later instruction and to the container's default
# process, so any step that needs root must stay above this line.
RUN useradd --create-home lab
USER lab

# Overridden per-service in docker-compose.yml.
# Exec (JSON-array) form: uvicorn runs without a wrapping shell, so it is
# PID 1 and receives stop signals directly. Port 8000 is unprivileged, so
# `lab` can bind it.
# `--host 0.0.0.0` listens on every interface inside the container. Whether
# the service is reachable from outside is decided by the port mapping in
# docker-compose.yml, which is not shown here.
# NOTE(review): the module name suggests a deliberately vulnerable target.
# Publish it on loopback only (e.g. "127.0.0.1:8000:8000") and keep it off
# shared networks.
CMD ["uvicorn", "app.vulnerable_app:app", "--host", "0.0.0.0", "--port", "8000"]
