fix: run container as non-root user

[TomerFi]

Summary

• Fix potential RCE privilege escalation by running the container as a non-root user, as recommended by Sourcery AI.
• Add a dedicated appuser system user and chown the workdir to it.
• Set USER appuser before EXPOSE/CMD so the application runs unprivileged.
• Port 8000 is unprivileged, so no capability adjustments are needed.

Validation

• actionlint passes (no workflow changes).
• Dockerfile change is minimal — CI will validate the multi-platform build.

[coderabbitai]

Warning

Rate limit exceeded

@TomerFi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 40 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/dockerfile-non-root-user

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[TomerFi]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

Test Results

66 tests   66 ✅  1s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 2f8e195.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.02%. Comparing base (4e48df1) to head (2f8e195).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files

@@           Coverage Diff           @@
##              dev     #951   +/-   ##
=======================================
  Coverage   96.02%   96.02%           
=======================================
  Files           1        1           
  Lines         327      327           
=======================================
  Hits          314      314           
  Misses         13       13           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.