Run container as non-root user for security

Addresses security finding by adding dedicated agentmemory user.
Prevents privilege escalation if container is compromised.

Author: abrookins

Dockerfile

@@ -32,8 +32,15 @@ ADD . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen --no-dev
 
+# Create non-root user for security
+RUN groupadd -r agentmemory && useradd -r -g agentmemory agentmemory && \
+    chown -R agentmemory:agentmemory /app
+
 ENV PATH="/app/.venv/bin:$PATH"
 
+# Switch to non-root user
+USER agentmemory
+
 ENTRYPOINT []
 
 EXPOSE 8000