fix: run pocketbase as root + add healthcheck start_period

- Remove non-root user from pocketbase Docker image; the existing pb_data
  volume was created by the previous root-running image so files are owned
  by root — running as a non-root appuser caused an immediate permission
  error and container exit
- Increase healthcheck retries to 10 and add start_period=30s so migrations
  have time to run on first boot before liveness checks begin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/Dockerfile

@@ -48,13 +48,11 @@ ENTRYPOINT ["/backend"]
 # On every `serve` startup it applies any pending migrations automatically.
 # Data is stored in /pb_data (mounted as a Docker volume in production).
 FROM alpine:3.21 AS pocketbase
-RUN apk add --no-cache ca-certificates wget && \
-    addgroup -S appgroup && adduser -S appuser -G appgroup
+RUN apk add --no-cache ca-certificates wget
 COPY --from=builder /out/pocketbase /pocketbase
-RUN mkdir -p /pb_data && chown appuser:appgroup /pb_data
+RUN mkdir -p /pb_data
 VOLUME /pb_data
 EXPOSE 8090
-USER appuser
 CMD ["/pocketbase", "serve", "--dir", "/pb_data", "--http", "0.0.0.0:8090"]
 
 # ── runner service ───────────────────────────────────────────────────────────

docker-compose.yml

@@ -91,7 +91,8 @@ services:
       test: ["CMD", "wget", "-qO-", "http://localhost:8090/api/health"]
       interval: 10s
       timeout: 5s
-      retries: 5
+      retries: 10
+      start_period: 30s
 
   # ─── Meilisearch (full-text search) ──────────────────────────────────────────
   meilisearch: