Securely mount HF token during build

Dockerfile

@@ -10,19 +10,19 @@ COPY download_models.py .
 RUN pip install --no-cache-dir -r requirements_local.txt
 
 # --- Pre-download and Cache Models ---
-# FIX: This RUN command is now simplified.
-# The HUGGING_FACE_HUB_TOKEN is automatically provided as an environment variable
-# by the Hugging Face Spaces secrets manager. The python script will read it directly.
-# The ARG line is no longer needed.
+# FIX: The RUN command is now updated to securely access the HF_TOKEN secret.
+# 1. --mount=type=secret... makes the secret available at a temporary path.
+# 2. The environment variable is set by reading from that secret path.
 RUN --mount=type=cache,target=/root/.cache/huggingface \
-    python download_models.py
+    --mount=type=secret,id=HUGGING_FACE_HUB_TOKEN \
+    HUGGING_FACE_HUB_TOKEN=$(cat /run/secrets/HUGGING_FACE_HUB_TOKEN) python download_models.py
 
 # Copy the main application code
-COPY app.py .
+COPY main.py .
 
 # Expose the port the app runs on
 EXPOSE 8000
 
 # Command to run the application
-CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]