fix(stability-agent): run as uid 1000 with docker group access

stability-agent had no USER instruction and no user: in compose, running
as root and writing root-owned files to /opt/homelab bind-mount.

- Dockerfile: add useradd -m -u 1000 homelab + USER homelab
- docker-compose.yml: add user: "1000:1000" and group_add: ["999"]
  (GID 999 = docker group on VPS) to retain docker.sock:ro access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

services/stability-agent/Dockerfile

@@ -5,6 +5,8 @@ WORKDIR /app
 # No extra dependencies needed beyond standard library for the current script
 # But we might need them if we decide to use libraries later.
 
+RUN useradd -m -u 1000 homelab
+
 COPY src/stability_agent.py .
 COPY healthcheck.sh .
 RUN chmod +x healthcheck.sh
@@ -12,5 +14,5 @@ RUN chmod +x healthcheck.sh
 # Create the expected directories
 RUN mkdir -p /opt/homelab/state /opt/homelab/events
 
-# Run the agent
+USER homelab
 CMD ["python", "stability_agent.py"]

services/stability-agent/docker-compose.yml

@@ -2,6 +2,9 @@ services:
   stability-agent:
     build: .
     container_name: stability-agent
+    user: "1000:1000"
+    group_add:
+      - "999"
     restart: unless-stopped
     volumes:
       - /opt/homelab:/opt/homelab