HF docker permission fixes

Dockerfile

@@ -2,8 +2,14 @@ FROM python:3.10-slim
 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV PYTHONUNBUFFERED=1
+ENV XDG_CACHE_HOME=/app/.cache
+ENV PIP_CACHE_DIR=/app/.cache/pip
+ENV MPLCONFIGDIR=/app/.cache/matplotlib
+ENV HF_HOME=/app/.cache/huggingface
+
+RUN groupadd --gid 1000 appuser && \
+    useradd --uid 1000 --gid 1000 --create-home --shell /bin/bash appuser
 
-# (ffmpeg, latexmk, texlive-full, libcairo2-dev, pkg-config)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ffmpeg \
     latexmk \
@@ -18,20 +24,26 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /app
 
-COPY requirements.txt .
+COPY --chown=appuser:appuser requirements.txt .
 
+# Install Python dependencies as root (some might need system access)
+# but use the user-writable pip cache dir
 RUN pip install --no-cache-dir --upgrade pip && \
     pip install --no-cache-dir -r requirements.txt
 
-COPY src/ ./src/
+COPY --chown=appuser:appuser src/ ./src/
+
+RUN mkdir -p /app/.cache/pip /app/.cache/matplotlib /app/.cache/huggingface \
+             media/videos/generated_video/1080p60 media/Tex media/texts media/images && \
+    chown -R appuser:appuser /app
 
-RUN mkdir -p media/videos/generated_video/1080p60 media/Tex media/texts media/images
+USER appuser
 
 EXPOSE 7860
-#streamlit checks
+
 HEALTHCHECK --interval=15s --timeout=5s --start-period=30s \
-  CMD curl --fail http://localhost:8501/_stcore/health || exit 1
+  CMD curl --fail http://localhost:7860/_stcore/health || exit 1
 
 # Pass GEMINI_API_KEY as an environment variable during `docker run`
-# Example: docker run -p 8501:8501 -e GEMINI_API_KEY='your_api_key' manimator-image
+# Example: docker run -p 7860:7860 -e GEMINI_API_KEY='your_api_key' manimator-image
 CMD ["streamlit", "run", "src/app.py", "--server.port=7860", "--server.address=0.0.0.0"]