Merge branch 'recovery-branch' into react-django

backend/Dockerfile

@@ -3,6 +3,10 @@
 # Use an official Python runtime as a parent image
 FROM python:3.12-slim
 
+# --- Add arguments for user/group IDs ---
+ARG UID=1000
+ARG GID=1000
+
 # Set environment variables
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
@@ -10,18 +14,27 @@ ENV PYTHONUNBUFFERED 1
 # Set work directory
 WORKDIR /app
 
+# --- Create a non-root user and group ---
+RUN groupadd -g $GID -o archivist && \
+    useradd -u $UID -g $GID -o -m -s /bin/bash archivist
+    # -o allows reusing UID/GID if needed, -m creates home dir, -s sets shell
+
 # Install Python dependencies
 # Copy only requirements first to leverage Docker cache
 COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy the entrypoint script first
-COPY ./entrypoint.sh /app/entrypoint.sh
+COPY --chown=archivist:archivist ./entrypoint.sh /app/entrypoint.sh
+
 # Ensure it's executable inside the container too
 RUN chmod +x /app/entrypoint.sh
 
 # Copy the rest of the backend source code
-COPY . .
+COPY --chown=archivist:archivist . .
+
+# --- Swithc the user to the archivist user ---
+USER archivist
 
 # Set the entrypoint script
 ENTRYPOINT ["/app/entrypoint.sh"]