Marcel 1aca4c4a41 security(ocr): add non-root user and set HOME/HF_HOME in Dockerfile ...

CIS Docker §4.1: run uvicorn as UID 1000 (ocr) instead of root.
Creates /home/ocr and /app/cache with correct ownership so named
volumes inherit ocr:ocr on first Docker mount. Sets HOME and HF_HOME
so ~ expansion and Hugging Face caching resolve under /app, not /root.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-17 16:46:25 +02:00

1.0 KiB

Raw Blame History

View Raw