so. many. changes. (sorry)

Dockerfile

@@ -1,47 +1,69 @@
-# Use Python 3.13 slim image
-FROM python:3.13-slim
+# Ultra-minimal Docker image using distroless
+FROM python:3.13-slim AS builder
 
-# Set working directory
-WORKDIR /app
-
-# Install system dependencies and build tools
-RUN apt-get update && apt-get install -y \
-    curl \
+# Install build dependencies and Python
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3-venv \
     gcc \
-    g++ \
-    build-essential \
-    python3-dev \
+    libc6-dev \
+    zlib1g \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Hatch
-RUN pip install --no-cache-dir hatch
+WORKDIR /app
 
-# Copy project files
+# Create virtual environment in /usr/local
+RUN python3 -m venv /usr/local
+ENV PATH="/usr/local/bin:$PATH"
+
+# Install hatch and generate requirements
+RUN pip install --no-cache-dir hatch
 COPY pyproject.toml ./
-COPY LICENSE ./
-COPY README.md ./
+RUN hatch dep show requirements > requirements.txt
+RUN pip install --no-cache-dir --compile -r requirements.txt
+
+# Copy source and build
 COPY src/ ./src/
 COPY templates/ ./templates/
+COPY LICENSE README.md ./
+RUN hatch build -t wheel
+RUN pip install --no-cache-dir --compile dist/*.whl
 
-# Install project and dependencies using Hatch
-RUN hatch build -t wheel && \
-    pip install --no-cache-dir dist/*.whl && \
-    rm -rf dist/ build/
+# Clean up build artifacts and unnecessary files
+RUN find /usr/local -name "*.pyc" -delete && \
+    find /usr/local -name "__pycache__" -type d -exec rm -rf {} + && \
+    find /usr/local -name "*.pyo" -delete && \
+    find /usr/local -name "tests" -type d -exec rm -rf {} + && \
+    find /usr/local -name "test" -type d -exec rm -rf {} + && \
+    find /usr/local -name "*.egg-info" -type d -exec rm -rf {} + && \
+    find /usr/local -name "*.dist-info" -type d -exec rm -rf {} + && \
+    rm -rf /usr/local/share/man /usr/local/share/doc
 
-# Create non-root user for security
-RUN useradd --create-home --shell /bin/bash app \
-    && chown -R app:app /app
-USER app
+RUN rm -rf /usr/local/lib/python3.13/site-packages/pip* && \
+    rm -rf /usr/local/lib/python3.13/site-packages/virtualenv* && \
+    rm -rf /usr/local/lib/python3.13/site-packages/hatch* && \
+    rm -rf /usr/local/lib/python3.13/site-packages/hatchling
 
-# Set environment variable to indicate container environment
-ENV DOCKER_CONTAINER=1
+RUN rm -rf /usr/local/bin/uv
+
+# Using distroless as a main runtime image
+FROM gcr.io/distroless/cc-debian12:nonroot
+
+# Copy Python interpreter and the package from the builder stage
+COPY --from=builder /usr/local /usr/local
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libz.so.1.2.13 /usr/lib/x86_64-linux-gnu/libz.so.1
+COPY --from=builder /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
+COPY --from=builder /app/templates /app/templates/
+
+# Set environment variables
+ENV PATH="/usr/local/bin:$PATH"
+ENV PYTHONPATH="/usr/local/lib/python3.13/site-packages"
+ENV PYTHONUNBUFFERED=1
+
+# Run as non-root
+USER nonroot
 
 # Expose port
-EXPOSE 8000
-
-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:8000/ || exit 1
+EXPOSE 80
 
 # Run the application
-CMD ["uvicorn", "random_access.main:app", "--host", "0.0.0.0", "--port", "8000"]
+ENTRYPOINT ["/usr/local/bin/python", "-m", "uvicorn", "random_access.main:app", "--host", "0.0.0.0", "--port", "80"]