Fix Dockerfile.api permissions and PATH for non-root user execution

Co-authored-by: Neiland85 <164719485+Neiland85@users.noreply.github.com>

Author: Copilot

.dockerignore

@@ -47,9 +47,13 @@ neurobank.db
 *~
 .DS_Store
 
-# Documentation
-*.md
+# Documentation - exclude most but keep important ones
 docs/
+*.md
+!README.md
+!docker/README.md
+
+# Dependencies
 *.txt
 !requirements.txt
 !requirements-dev.txt

docker/Dockerfile.api

@@ -4,7 +4,7 @@
 # ============================================================================
 # Stage 1: Builder - Install dependencies
 # ============================================================================
-FROM python:3.11-slim as builder
+FROM python:3.11-slim AS builder
 
 # Set working directory
 WORKDIR /build
@@ -16,20 +16,29 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libpq-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy requirements and install Python dependencies
+# Copy requirements and install Python dependencies to /opt/venv
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
 COPY requirements.txt .
 RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
-    pip install --no-cache-dir --user -r requirements.txt
+    pip install --no-cache-dir -r requirements.txt
 
 # ============================================================================
 # Stage 2: Runtime - Minimal production image
 # ============================================================================
 FROM python:3.11-slim
 
+# Build arguments for metadata
+ARG BUILD_DATE
+ARG VCS_REF
+
 # Set labels for image metadata
 LABEL maintainer="NeuroBank Development Team <dev@neurobank.com>"
 LABEL description="NeuroBank FastAPI Banking System - Production API"
 LABEL version="1.0.0"
+LABEL org.opencontainers.image.created="${BUILD_DATE}"
+LABEL org.opencontainers.image.revision="${VCS_REF}"
 
 # Set working directory
 WORKDIR /app
@@ -41,8 +50,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean
 
-# Copy Python dependencies from builder stage
-COPY --from=builder /root/.local /root/.local
+# Copy Python virtual environment from builder stage
+COPY --from=builder /opt/venv /opt/venv
 
 # Copy application code
 COPY ./app ./app
@@ -63,7 +72,7 @@ ENV PYTHONPATH=/app \
     PYTHONDONTWRITEBYTECODE=1 \
     PORT=8000 \
     ENVIRONMENT=production \
-    PATH=/root/.local/bin:$PATH
+    PATH="/opt/venv/bin:$PATH"
 
 # Expose port (will be overridden by $PORT in cloud environments)
 EXPOSE 8000
@@ -73,12 +82,4 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
     CMD curl -f http://localhost:${PORT:-8000}/health || exit 1
 
 # Run the application with uvicorn
-# Use shell form to allow environment variable expansion
-CMD uvicorn app.main:app \
-    --host 0.0.0.0 \
-    --port ${PORT:-8000} \
-    --workers ${WORKERS:-1} \
-    --loop uvloop \
-    --timeout-keep-alive 120 \
-    --access-log \
-    --log-level info
+CMD ["sh", "-c", "uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8000} --workers ${WORKERS:-1} --loop uvloop --timeout-keep-alive 120 --access-log --log-level info"]