security(ocr): add non-root user and set HOME/HF_HOME in Dockerfile

CIS Docker §4.1: run uvicorn as UID 1000 (ocr) instead of root.
Creates /home/ocr and /app/cache with correct ownership so named
volumes inherit ocr:ocr on first Docker mount. Sets HOME and HF_HOME
so ~ expansion and Hugging Face caching resolve under /app, not /root.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ocr-service/Dockerfile

@@ -23,8 +23,16 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
+RUN useradd --no-create-home --shell /usr/sbin/nologin --uid 1000 ocr \
+    && mkdir -p /home/ocr /app/models /app/cache \
+    && chown -R ocr:ocr /app /home/ocr
 RUN chmod +x /app/entrypoint.sh
 
+ENV HOME=/home/ocr
+ENV HF_HOME=/app/cache
+
+USER ocr
+
 EXPOSE 8000
 
 CMD ["/app/entrypoint.sh"]