harden: swap runtime base to Chainguard JRE, remove dead ENTRYPOINT

Replace eclipse-temurin:21-jre-alpine (musl) with cgr.dev/chainguard/jre:openjdk-21
(Wolfi/glibc, daily CVE refresh, signed images + SBOM). Remove the dead ENTRYPOINT
block — DeploymentExecutor overrides it at container creation anyway.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/runtime-base/Dockerfile

@@ -1,19 +1,17 @@
-FROM eclipse-temurin:21-jre-alpine
+# Wolfi-based JRE, glibc, daily-rebuilt with near-zero baseline CVEs,
+# signed images + SBOM published, non-root by default. Pin by digest in
+# production overlays.
+FROM cgr.dev/chainguard/jre:openjdk-21
+
 WORKDIR /app
 
-# Agent JAR and log appender JAR are copied during CI build from Gitea Maven registry
+# Agent + log appender are baked in; tenant JAR is delivered at deploy
+# time by cameleer-runtime-loader into the RO-mounted /app/jars volume.
 COPY agent.jar /app/agent.jar
 COPY cameleer-log-appender.jar /app/cameleer-log-appender.jar
 
-ENTRYPOINT exec java \
-  -Dcameleer.export.type=${CAMELEER_EXPORT_TYPE:-HTTP} \
-  -Dcameleer.export.endpoint=${CAMELEER_SERVER_URL} \
-  -Dcameleer.agent.name=${HOSTNAME} \
-  -Dcameleer.agent.application=${CAMELEER_APPLICATION_ID:-default} \
-  -Dcameleer.agent.environment=${CAMELEER_ENVIRONMENT_ID:-default} \
-  -Dcameleer.routeControl.enabled=${CAMELEER_ROUTE_CONTROL_ENABLED:-false} \
-  -Dcameleer.replay.enabled=${CAMELEER_REPLAY_ENABLED:-false} \
-  -Dcameleer.health.enabled=true \
-  -Dcameleer.health.port=9464 \
-  -javaagent:/app/agent.jar \
-  -jar /app/app.jar
+# No ENTRYPOINT here. cameleer-server's DeploymentExecutor builds the
+# per-runtime-type entrypoint (spring-boot/quarkus: -jar; plain-java:
+# -cp + main; native: exec) and overrides via withCmd("sh","-c",...).
+# Setting one here only creates drift between this image and the actual
+# runtime command.