fix: run full Docker image as non-root

[mldangelo-oai]

Summary

• Add a dedicated non-root appuser to Dockerfile.full, matching the slim image hardening pattern.
• Create and chown /data so the existing full-image entrypoint test helper has a writable default location without requiring root.
• Switch the runtime image to USER appuser before the entrypoint.

Validation

• docker --version
• docker buildx version (not available in this local Docker CLI, so Dockerfile syntax was inspected directly)
• uv run ruff format --check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• uv run ruff check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/
• PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5eeaf09b36

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Give appuser a writable home directory

Setting appuser home to /nonexistent with --no-create-home breaks default cache behavior for remote scans. The CLI uses Path.home() to build cache paths (~/.modelaudit/cache), and cache initialization creates directories immediately. As UID 10001 cannot create /nonexistent/..., modelaudit scan against hf://, s3://, etc. can fail with PermissionError in the full image.

Useful? React with 👍 / 👎.