Implement rootless containers for all services

- backend: appuser UID/GID 1001 via useradd, USER directive, --chown on COPY
- frontend builder: appuser UID/GID 1001 via adduser, USER directive
- frontend prod: switch to nginxinc/nginx-unprivileged:alpine (nginx UID 101), listen on 8080
- docker-compose: explicit user: for all services (70:70 db, 1001:1001 backend/frontend-dev, 101:101 frontend-prod)
- nginx.conf: listen 8080 to match unprivileged image

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -3,6 +3,7 @@ services:
   # ── Database ────────────────────────────────────────────────────────────────
   db:
     image: postgres:16-alpine
+    user: "70:70"  # postgres user UID:GID in alpine image (fixed by image)
     restart: unless-stopped
     environment:
       POSTGRES_USER: ${POSTGRES_USER:-postgres}
@@ -24,6 +25,7 @@ services:
       context: ./backend
       dockerfile: Dockerfile
       network: host
+    user: "1001:1001"
     restart: unless-stopped
     env_file: ./backend/.env
     environment:
@@ -40,9 +42,10 @@ services:
       context: ./frontend
       dockerfile: Dockerfile
       network: host
+    user: "101:101"  # nginx user UID:GID in nginx-unprivileged:alpine
     restart: unless-stopped
     ports:
-      - "80:80"
+      - "80:8080"
     depends_on:
       - backend