Update

Dockerfile

@@ -1,7 +1,6 @@
-# Base image with uv + Python 3.12
 FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
 
-# ---------- build-time args ----------
+# ---------- build args ----------
 ARG PORT=8001
 ARG TRANSPORT_SERVER_URL=https://blanchon-robothub-transportserver.hf.space/api
 
@@ -12,60 +11,54 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         ffmpeg git \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
-# ---------- non-root user ----------
+# ---------- app user ----------
 RUN groupadd -r appuser && useradd -m -r -g appuser -s /bin/bash appuser
+USER appuser                           # ←─── switch early!
 
-# ---------- working dir ----------
-WORKDIR /app
-
-# ---------- copy manifests (as root, but owned by appuser) ----------
-COPY --chown=appuser:appuser pyproject.toml uv.lock* ./
-COPY --chown=appuser:appuser external/ ./external/
-
-# ---------- switch to non-root BEFORE anything that downloads ----------
-USER appuser
-
-# ---------- cache locations (all writable) ----------
+# ---------- directories & env ----------
+ENV HOME=/home/appuser
 ENV \
-    # generic caches
-    XDG_CACHE_HOME=/home/appuser/.cache \
-    # huggingface-hub + datasets
-    HF_HOME=/home/appuser/.cache \
-    HF_HUB_CACHE=/home/appuser/.cache/hub \
-    HUGGINGFACE_HUB_CACHE=/home/appuser/.cache/hub \
-    # transformers
-    TRANSFORMERS_CACHE=/home/appuser/.cache/huggingface/hub \
-    # uv & app settings
+    # Hugging-Face / transformers caches
+    HF_HOME=$HOME/.cache \
+    HF_HUB_CACHE=$HOME/.cache/hub \
+    HUGGINGFACE_HUB_CACHE=$HOME/.cache/hub \
+    TRANSFORMERS_CACHE=$HOME/.cache/huggingface/hub \
+    # uv’s compilation / wheel cache
+    UV_CACHE_DIR=$HOME/.cache/uv \
+    # python / app settings
     PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
     UV_SYSTEM_PYTHON=1 \
     UV_COMPILE_BYTECODE=1 \
-    UV_CACHE_DIR=/tmp/uv-cache \
     PORT=${PORT} \
     TRANSPORT_SERVER_URL=${TRANSPORT_SERVER_URL}
 
-# make sure cache dirs exist
-RUN mkdir -p $HF_HUB_CACHE $TRANSFORMERS_CACHE
+RUN mkdir -p "$HF_HUB_CACHE" "$TRANSFORMERS_CACHE" "$UV_CACHE_DIR"
 
-# ---------- install dependencies ----------
-RUN --mount=type=cache,target=/tmp/uv-cache \
+# ---------- workdir ----------
+WORKDIR /app
+
+# ---------- copy manifests first ----------
+COPY --chown=appuser:appuser pyproject.toml uv.lock* ./
+COPY --chown=appuser:appuser external/ ./external/
+
+# ---------- install deps ----------
+RUN --mount=type=cache,target=$UV_CACHE_DIR,uid=1000,gid=1000 \
     uv sync --locked --no-install-project --no-dev
 
-# ---------- copy application code ----------
+# ---------- copy source ----------
 COPY --chown=appuser:appuser . .
 
-# ---------- install project itself ----------
-RUN --mount=type=cache,target=/tmp/uv-cache \
+# ---------- install the project itself ----------
+RUN --mount=type=cache,target=$UV_CACHE_DIR,uid=1000,gid=1000 \
     uv sync --locked --no-editable --no-dev
 
 # ---------- virtual-env path ----------
 ENV PATH="/app/.venv/bin:$PATH"
 
-# ---------- network / health ----------
+# ---------- runtime ----------
 EXPOSE ${PORT}
-
 HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
     CMD python -c "import urllib.request, os; urllib.request.urlopen(f'http://localhost:{os.getenv(\"PORT\")}/api/health')" || exit 1
 
-# ---------- run ----------
 CMD ["sh", "-c", "python launch_simple.py --host 0.0.0.0 --port ${PORT} --transport-server-url ${TRANSPORT_SERVER_URL}"]