refactor: build out dockerfile for production use

Dockerfile

@@ -1,14 +1,45 @@
-FROM python:3.10-slim
+FROM python:3.10-slim AS builder
+
+ENV PYTHONDONTWRITEBTYECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1
 
 WORKDIR /app
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential gcc \
+ && rm -rf /var/lib/apt/lists/*
+
 COPY requirements.txt .
 
-RUN pip install --no-cache-dir -r requirements.txt
-COPY . .
+RUN python -m pip install --upgrade pip && \
+    pip wheel --no-deps -r requirements.txt -w /wheels
 
-EXPOSE 5000
+FROM python:3.10 AS runtime
 
-ENV FLASK_APP=server.py
-ENV FLASK_RUN_HOST=0.0.0.0
+ENV PYTHONDONTWRITEBTYECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1 \
+    PORT=8000 \
+    WSGI_MODULE=server:app \
+    GUNICORN_WORKERS=2 \
+    GUNICORN_THREDS=4 \
+    GUNICORN_TIMEOUT=60 \
+    GUNICORN_CMD_ARGS="--bind=0.0.0.0:${PORT} --workers=${GUNICORN_WORKERS} --threads=${GUNICORN_THREADS} --timeout=${GUNICORN_TIMEOUT} --access-logfile=- --error-logfile=- --keep-alive=5"
 
-CMD ["flask", "run"]
+WORKDIR /app
+
+RUN groupadd -g 10001 app && useradd -m -u 10001 -g app app
+USER app
+
+COPY --from=builder /wheels /wheels
+RUN pip install --no-cache-dir /wheels/* && pip install --no-cache-dir gunicorn && rm -rf /wheels
+
+COPY --chown=app:app . .
+
+EXPOSE 8000
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
+  CMD python -c "import os,socket; s=socket.socket(); s.settimeout(2); s.connect(('127.0.0.1', int(os.getenv('PORT', '8000')))); s.close()"
+
+CMD sh -c "exec gunicorn ${WSGI_MODULE}"