From 0b26cac7859048a8c5d42ea010d02f6a5195e92d Mon Sep 17 00:00:00 2001
From: Marwa
Date: Sun, 19 Apr 2026 20:02:31 -0400
Subject: [PATCH] fix(env): revert Docker base to python:3.12 + sync stale 260->263 in CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two related fixes shipped together:

1. Reverts the Dependabot-merged Docker base bump from python:3.14 to python:3.12-slim-bookworm. Reason: Step 5 architectural rule #3 ("what is tested locally = what runs in prod") was broken by the bump — CI test job pins PYTHON_VERSION="3.12" while the production Docker image was running 3.14. Tests would not have caught a future 3.14-only regression. Python 3.14 is brand-new (Oct 2025); conservative choice for a portfolio project is to track 3.12 in both surfaces until 3.14 is the enterprise norm. Aligns with the sibling portfolio projects which also pin 3.12.

2. Updates two stale "260-test suite" / "260 hermetic tests" comments in .github/workflows/ci.yml to "263" — the actual current count after the README-rewrite PR added 2 new section-heading tests. Same kind of stale-string we caught in the UI footer earlier.

Risk removed: env divergence between CI and prod (the kind of bug that ships silently and only surfaces when a 3.14-specific issue appears, by which point CI confidence is already broken).

Future: when the 3.14 Dependabot PR re-opens, close it with a comment explaining the env-pin policy until 3.14 is mainstream.

Tests: 263 still passing locally.
---
 .github/workflows/ci.yml | 4 ++--
 Dockerfile | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ac7b754..5c4a7f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,7 @@ name: CI + Deploy to HuggingFace Space # GitHub = single source of truth. HF Space = deployed runtime mirror. -# On every push to main: run privacy audit + 260-test suite, then (only +# On every push to main: run privacy audit + 263-test suite, then (only # if both green) force-push the tree to the HF Space. # # Constraints enforced here: @@ -52,7 +52,7 @@ jobs: echo "✓ No private artefacts tracked. Safe to build." test: - name: Unit tests (260 hermetic tests) + name: Unit tests (263 hermetic tests) runs-on: ubuntu-latest timeout-minutes: 10 steps: diff --git a/Dockerfile b/Dockerfile index 1a1d02e..34b62e4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ # - No mutation of /app at container start. # - Provider selection is surfaced in the UI; no hidden switching. -FROM python:3.14-slim-bookworm +FROM python:3.12-slim-bookworm # HF Spaces require uid 1000 to own /home/user/app. Create the user first. RUN useradd -m -u 1000 user
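Review bot: the header comment in the first .github/workflows/ci.yml hunk (`# On every push to main: run privacy audit + 263-test suite`) still hard-codes the test count, which is the same string that went stale and needed this edit. Suggest dropping the number from the comment (for example "run privacy audit + test suite") so that adding a test no longer requires touching the workflow file.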
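Review bot: in the `test:` job of the second .github/workflows/ci.yml hunk, `name: Unit tests (263 hermetic tests)` renames the job, and the job name is what GitHub reports as the status check. If a branch protection rule lists the old name as a required check, pull requests will wait on a check that never reports, and this rename will recur every time the count changes. Suggest a count-free name such as `name: Unit tests (hermetic)` and confirming any required-check setting in the same change.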
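Review bot: nothing in the Dockerfile hunk keeps `FROM python:3.12-slim-bookworm` in step with the PYTHON_VERSION="3.12" pin that the commit message says the CI test job uses; the version still lives in two files with no check that they agree, so the next merged base-image bump reproduces the divergence this revert removes. Suggest a CI step that fails when the Python minor version in the `FROM` line differs from PYTHON_VERSION, and an ignore rule for Python minor and major bumps in the Dependabot configuration instead of closing the re-opened PR by hand. The tag is also mutable, so pinning it by digest (`FROM python:3.12-slim-bookworm@sha256:<digest>`, digest placeholder to be filled from the registry) would make the production image reproducible between rebuilds.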