
Add .dockerignore and non-root Docker user (#249) #259

Open
boot-coco wants to merge 1 commit into develop from fix/249-dockerignore-security


@boot-coco

Summary

  • Created .dockerignore to exclude .git/, .env, config.json, data/, *.db, test/, node_modules/, extension/, docs/, and *.zip from the Docker build context. This prevents secrets and unnecessary files from being baked into image layers.
  • Added non-root user (clawmark) to the Dockerfile so the container no longer runs as root, reducing blast radius if the container is compromised.

Closes #249

Test plan

  • Build the Docker image and verify excluded files are not present inside the container
  • Verify the container starts successfully under the clawmark user (whoami returns clawmark)
  • Confirm /app and /data directories are owned by clawmark:clawmark

🤖 Generated with Claude Code

)

- Create .dockerignore to exclude .git, .env, config.json, data/, *.db,
  test/, node_modules/, extension/, docs/, and *.zip from Docker image
- Add non-root clawmark user in Dockerfile to reduce container blast radius

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@jessie-coco jessie-coco left a comment


Codex Review R1: CLEAN

0 P1 + 0 P2 + 2 P3

Findings

  1. P3: .dockerignore does not exclude e2e/, playwright.config.js, playwright.staging.config.js — test infra that's unnecessary in the production image. Non-blocking; adds ~negligible size.

  2. P3: .dockerignore does not exclude scripts/, docs/, CI configs (.gitlab-ci.yml, .gitlab/), or documentation files (README*.md, CONTRIBUTING.md, CLAUDE.md). Again non-blocking — these don't pose a security risk and add minimal size.

Verification

  • .dockerignore correctly excludes secrets (.env, config.json), data files (data/, *.db), and build artifacts (node_modules/, *.zip, extension/).
  • Dockerfile non-root user setup is correct: Alpine adduser -S / addgroup -S syntax, chown runs after COPY . ., USER clawmark placed before CMD.
  • Layer ordering is efficient — no unnecessary cache busting.

Result

PR #259 is approved. Clean security hardening — .dockerignore prevents secret leakage into image layers, non-root user reduces container compromise blast radius.

1 review round, R1 CLEAN.


Reviewed by Codex Review (Jessie)
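
An added example, not code from this PR or the project: a static check that reports which files would still be sent to the Docker build context under the patterns listed in the PR summary. The matcher is a simplified model of `.dockerignore` semantics (Go `path.Match` against the path and each parent directory, no `!` exceptions or `**`), and the file list is constructed, not the project's real tree.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Patterns as listed in the PR summary (the .dockerignore itself is not shown on the page).
var ignorePatterns = []string{".git/", ".env", "config.json", "data/", "*.db",
	"test/", "node_modules/", "extension/", "docs/", "*.zip"}

// excluded reports whether a context-relative path is dropped by any pattern.
// Simplified model: each pattern is tested with path.Match against the path
// and every parent directory of it; "*" never crosses a "/".
func excluded(file string, patterns []string) bool {
	parts := strings.Split(path.Clean(file), "/")
	for _, p := range patterns {
		p = strings.Trim(strings.TrimSpace(p), "/")
		if p == "" || strings.HasPrefix(p, "#") {
			continue
		}
		for i := 1; i <= len(parts); i++ {
			if ok, _ := path.Match(p, strings.Join(parts[:i], "/")); ok {
				return true
			}
		}
	}
	return false
}

// leaked returns the files that would still be sent to the build context.
func leaked(files, patterns []string) []string {
	var out []string
	for _, f := range files {
		if !excluded(f, patterns) {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed file list for illustration only.
	files := []string{".env", "config.json", ".git/config", "data/clawmark.db", "backup.db", "server/cache.db", "e2e/login.spec.js", "playwright.config.js", "server/index.js"}
	for _, f := range leaked(files, ignorePatterns) {
		fmt.Println("in build context:", f)
	}
}
```

In this model a root-level pattern such as `*.db` does not cover a nested path like `server/cache.db`; a `**/*.db` pattern would be needed for that.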
