Security Audit Flags Critical Docker Hardening Gap: Server Container Runs as Root

A security audit of the project's Docker configuration has identified a critical hardening failure. The primary server container is configured to run with the default root user, creating a significant security exposure. This failure to implement a fundamental principle of container security dramatically increases the potential impact of any future container escape or remote code execution vulnerability, effectively removing a primary containment layer.

The issue is isolated to the `apps/server/Dockerfile`, specifically lines 1-29, which never execute a `USER` directive to switch away from the privileged root account. This configuration directly contradicts the project's own documented hardening guidelines outlined in the `SECURITY_AUDIT.md` file. Running application processes as root within a container grants them excessive permissions, both within the container's own filesystem and, in a breakout scenario, potentially on the underlying host.

This oversight represents a clear and present risk to the security posture of any deployment using this container image. It signals a potential gap between documented security policy and actual implementation, raising immediate questions about the rigor of the project's build and release processes. For organizations relying on this software, the finding necessitates urgent review and remediation to limit the potential 'blast radius' of a future compromise.