Docker Security enhancements

[zieddhf]

These issues are found after a SAST scan with Fluidattacks tools, scan results can be found here

• Excessive Privileges, containers must run as non-root

[baderdean]

Proposed acceptance criteria

• Docker runtime runs as non-root user by default.
• Container capabilities are minimized (no unnecessary privileged flags/capabilities).
• Filesystem is read-only where possible, with explicit writable mounts only when required.
• Security hardening changes are documented in deployment docs.
• Existing local/dev workflows still start successfully after hardening.