docker: drop VOLUME/USER/pre-created dir for rootless podman

The images created /srv/metacrypt and chowned it to a non-root user with
VOLUME + USER, which fails to unpack under rootless podman (mkdir
/srv/metacrypt: operation not permitted). MCP bind-mounts /srv/metacrypt
and runs --user 0:0, so none of that is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Dockerfile.api

@@ -12,25 +12,17 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}"
 
 FROM alpine:3.21
 
-RUN apk add --no-cache ca-certificates tzdata \
-    && addgroup -S metacrypt \
-    && adduser -S -G metacrypt -h /srv/metacrypt -s /sbin/nologin metacrypt \
-    && mkdir -p /srv/metacrypt && chown metacrypt:metacrypt /srv/metacrypt
+RUN apk add --no-cache ca-certificates tzdata
 
 COPY --from=builder /metacrypt /usr/local/bin/metacrypt
 
-# /srv/metacrypt is the single volume mount point.
-# It must contain:
-#   metacrypt.toml  — configuration file
-#   certs/          — TLS certificate and key
-#   metacrypt.db    — created automatically on first run
-VOLUME /srv/metacrypt
-WORKDIR /srv/metacrypt
+# /srv/metacrypt (config, certs/, metacrypt.db) is bind-mounted at runtime by
+# MCP. No VOLUME / pre-created dir / USER — the agent supplies --user 0:0, so
+# the image unpacks and runs cleanly under rootless podman.
+WORKDIR /
 
 EXPOSE 8443
 EXPOSE 9443
 
-USER metacrypt
-
 ENTRYPOINT ["metacrypt"]
 CMD ["server", "--config", "/srv/metacrypt/metacrypt.toml"]