fix: use USER directive instead of su-exec entrypoint for media permissions

The entrypoint script running mkdir/chown as root fails when the container
runtime (e.g. Cosmos Cloud) forces a non-root user. Since we use Docker
named volumes (not bind mounts), there's no UID mismatch to fix at
runtime. Switch to a simple USER directive -- the directory is created
and chowned at build time, which is sufficient.

Removes su-exec dependency and docker-entrypoint.sh usage.

https://claude.ai/code/session_0153nX7vQSjEFPpZTgZdDmu5

Author: claude

Dockerfile

@@ -42,9 +42,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o /chronicle ./cmd/server
 # --- Stage 3: Runtime ---
 FROM alpine:3.20
 
-# Install CA certificates for HTTPS calls (if needed), timezone data, and
-# su-exec for dropping privileges in the entrypoint.
-RUN apk add --no-cache ca-certificates tzdata su-exec
+# Install CA certificates for HTTPS calls (if needed) and timezone data.
+RUN apk add --no-cache ca-certificates tzdata
 
 # Create non-root user for runtime security.
 RUN adduser -D -H -s /sbin/nologin chronicle
@@ -63,16 +62,10 @@ COPY --from=builder /src/db/migrations /app/db/migrations
 # Mount a volume at /app/data to persist media across container rebuilds.
 RUN mkdir -p /app/data/media && chown -R chronicle:chronicle /app/data
 
-# Copy entrypoint script that fixes bind-mount permissions before dropping to
-# the non-root chronicle user.
-COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
-
 WORKDIR /app
 
-# Container starts as root so the entrypoint can fix bind-mount ownership,
-# then drops to the chronicle user via su-exec.
-ENTRYPOINT ["docker-entrypoint.sh"]
+# Run as the unprivileged chronicle user.
+USER chronicle
 
 # The Go binary serves HTTP directly on this port.
 EXPOSE 8080