
build: pin base images and improve Docker setup #467

Open
pixel365 wants to merge 3 commits into sipeed:main from pixel365:dockerfile

Conversation

@pixel365
Contributor

📝 Description

Improve Docker image reproducibility and reduce runtime size.

  • Pin golang and alpine base images by sha256 to ensure deterministic builds.
  • Remove explicit wget installation (use BusyBox-provided wget).
  • Reduce final image size.
  • Add optional PICOCLAW_CONFIG_FILE variable for docker-compose to allow flexible config mounting.
  • Minor Dockerfile cleanup and simplification.

No application logic changes.

🗣️ Type of Change

  • 🐞 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 📖 Documentation update
  • ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

  • 🤖 Fully AI-generated (100% AI, 0% Human)
  • 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
  • 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

N/A

📚 Technical Context (Skip for Docs)

  • Reasoning: Improve build reproducibility, reduce image size, and simplify Docker configuration without changing runtime behavior.

🧪 Test Environment

  • Hardware: PC
  • OS: Fedora

📸 Evidence (Optional)

  • Image size reduced from ~48 MB to ~39 MB
  • Healthcheck verified using BusyBox wget
  • docker-compose config override tested with PICOCLAW_CONFIG_FILE

☑️ Checklist

  • My code/docs follow the style of this project.
  • I have performed a self-review of my own changes.
  • I have updated the documentation accordingly.

- Pin golang and alpine images by sha256 for reproducible builds
- Remove unnecessary wget package (use BusyBox wget)
- Reduce runtime image size
- Improve docker-compose config handling via PICOCLAW_CONFIG_FILE
- Minor Dockerfile cleanup

@nikolasdehor nikolasdehor left a comment


Solid Docker hardening. Image pinning with SHA256 digests is great for reproducible builds and supply chain security. Moving user creation to the builder stage and copying passwd/group is a clean pattern that avoids installing shadow in the runtime image. Removing curl in favor of BusyBox wget reduces attack surface.

The PICOCLAW_CONFIG_FILE env var in docker-compose is a nice UX touch. LGTM.


@nikolasdehor nikolasdehor left a comment


Solid improvement to the Docker setup. The sha256 pinning, non-root user, and image size reduction are all good practices.

A few observations:

  1. /etc/passwd overwrite: COPY --from=builder /etc/passwd_picoclaw /etc/passwd replaces the entire /etc/passwd in the runtime image, removing root, nobody, and other system users. This can break processes that need to resolve UIDs (e.g., crond, syslogd, or anything su/setuid). A safer approach is to COPY --from=builder the passwd/group files under a different name and then cat >> /etc/passwd to append, or just run the adduser in Stage 2 directly (it's a single layer either way).

  2. vendor/ in .gitignore — This is fine if the project doesn't vendor dependencies, but worth noting in the PR description since it's a separate concern from Docker changes.

  3. The PICOCLAW_CONFIG_FILE env var in docker-compose is a nice touch for flexibility.

Minor point on (1) aside, LGTM. The overall direction is correct and the size reduction from ~48MB to ~39MB is meaningful.
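As an added illustration of the review point above (example code, not the PR's own Dockerfile): a multi-stage layout that pins both base images by digest, creates the service user in the builder stage, and appends only that user's passwd/group entries in the runtime stage instead of replacing the files, with the healthcheck on BusyBox wget. The digests are placeholders, and the image tags, Go package path and health endpoint are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# ---- Stage 1: build ----------------------------------------------------
# Pin by digest: the tag is informational, the digest is what is resolved.
# <...> are placeholders; use the digest from `docker buildx imagetools inspect`.
FROM golang:1.22-alpine@sha256:<golang-alpine-digest> AS builder

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# Package path is an assumption for this example.
RUN CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/picoclaw ./cmd/picoclaw

# Create the service account here and export ONLY its own entries, so the
# runtime stage can append them rather than replace its whole /etc/passwd.
RUN adduser -D -H -u 10001 -s /sbin/nologin picoclaw \
 && grep '^picoclaw:' /etc/passwd > /out/passwd_picoclaw \
 && grep '^picoclaw:' /etc/group  > /out/group_picoclaw

# ---- Stage 2: runtime --------------------------------------------------
FROM alpine:3.20@sha256:<alpine-digest>

# Append, don't overwrite: root, nobody and the other system users stay
# resolvable for any tool in the image that looks up UIDs.
COPY --from=builder /out/passwd_picoclaw /out/group_picoclaw /tmp/
RUN cat /tmp/passwd_picoclaw >> /etc/passwd \
 && cat /tmp/group_picoclaw  >> /etc/group \
 && rm /tmp/passwd_picoclaw /tmp/group_picoclaw
# Equivalent single-layer alternative: run the same `adduser` line here;
# Alpine's BusyBox provides adduser, so no shadow package is needed.

COPY --from=builder /out/picoclaw /usr/local/bin/picoclaw
USER picoclaw:picoclaw

# BusyBox wget ships with alpine; no extra package is installed.
# Port and path of the health endpoint are assumptions.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD wget -qO- http://127.0.0.1:8080/health >/dev/null || exit 1

ENTRYPOINT ["/usr/local/bin/picoclaw"]
```

After building, `docker run --rm <image> id` should report uid 10001 while `getent passwd root` inside the image still resolves, which is the property the overwrite variant loses.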
