Container hardening for self-hosted deployments

Self-hosted containers now run as a non-root user with a read-only root filesystem, no Linux capabilities beyond what bootstrap requires, and no-new-privileges set everywhere. The web tier is isolated on a separate network from the data plane, so a compromised web container cannot reach the database or cache directly — every request must traverse the gateway’s auth, firewall, and plugin pipeline.

All bundled images are pinned to concrete versions. Every service has a health check, so a wedged dependency is visible to docker compose ps instead of appearing healthy. Graceful shutdown gives in-flight chats up to 30 seconds to finish during a deploy.

No application-level breaking changes. The gateway migrates volume ownership automatically on first start; first start may take a few extra seconds on installs with large upload volumes.