security: run container as non-root user

- Add appgroup and appuser (uid 1000)
- Set ownership of /app directory to appuser
- Switch to non-root user before running server

Dockerfile

@@ -26,13 +26,16 @@ WORKDIR /app
 # 安装运行时依赖
 RUN apk add --no-cache ca-certificates tzdata
 
+# 创建非 root 用户
+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -s /bin/sh -D appuser
+
 # 从构建阶段复制二进制文件
 COPY --from=builder /build/server .
 COPY --from=builder /build/configs ./configs
 COPY --from=builder /build/data ./data
 
-# 创建日志目录
-RUN mkdir -p /app/logs
+# 创建日志目录并设置权限
+RUN mkdir -p /app/logs && chown -R appuser:appgroup /app
 
 # 设置时区
 ENV TZ=Asia/Shanghai
@@ -45,5 +48,8 @@ EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=5s \
     CMD wget -q --spider http://localhost:8080/api/v1/health || exit 1
 
+# 切换到非 root 用户
+USER appuser
+
 # 启动命令
 CMD ["./server"]