harden: swap cameleer-saas runtime stage to Chainguard JRE

Replace eclipse-temurin:21-jre-alpine with cgr.dev/chainguard/jre:openjdk-21
for the SaaS management plane image. Use Chainguard's built-in nonroot user
instead of custom adduser. Build stages unchanged (ephemeral).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -20,12 +20,12 @@ COPY src/ src/
 COPY --from=frontend /ui/dist/ src/main/resources/static/
 RUN --mount=type=cache,target=/root/.m2/repository ./mvnw package -DskipTests -U -B
 
-# Runtime: target platform (amd64)
-FROM eclipse-temurin:21-jre-alpine
+# Runtime: Chainguard Wolfi-based JRE (glibc, daily CVE refresh, non-root by default)
+FROM cgr.dev/chainguard/jre:openjdk-21
 WORKDIR /app
-RUN addgroup -S cameleer && adduser -S cameleer -G cameleer \
- && mkdir -p /data/jars && chown -R cameleer:cameleer /data
-COPY --from=build /build/target/*.jar app.jar
-USER cameleer
+USER root
+RUN mkdir -p /data/jars && chown -R nonroot:nonroot /data
+COPY --chown=nonroot:nonroot --from=build /build/target/*.jar app.jar
+USER nonroot
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]