Run container as non-root stellar user #15

Open: fnando wants to merge 4 commits into python from run-as-user

@fnando (Member) commented May 29, 2026

Note

Needs #14 to be merged first.

Summary

Adds a stellar user (UID 1000) and drops to USER stellar in the runtime stage, with /stellar as the home directory. Pre-creates and chowns /source, /config, /data; sets CARGO_HOME=/stellar/.cargo; copies the CLI binary root-owned at mode 0755. repro_test.py now invokes the image with --user $(id -u):$(id -g) and -e CARGO_HOME=/tmp/cargo, which lets the workdir teardown collapse to a plain shutil.rmtree. The README documents the four well-known paths (/source, /config, /data, /stellar) in a table and explains how mounting a host directory at /stellar both persists the cargo cache across runs and unblocks --user overrides on Linux hosts whose UID is not 1000.

Why

On Linux, the previous root-default container left bind-mounted build output (target/wasm32v1-none/release/*.wasm, Cargo.lock) owned by root:root on the host — forcing sudo chown after every build. The pain showed up in our own CI: repro_test.py carried a workaround that ran a second container just to wipe root-owned files from a temp directory. macOS+OrbStack and Docker Desktop hid the issue via UID translation; native Linux did not. Switching to a non-privileged UID also narrows the runc/containerd escape blast radius and clears Hadolint DL3002.

Test plan

  • Local image build succeeds (build_image.py --stellar-cli-version 26.0.0 --rust-version 1.94.0-slim-trixie).
  • smoke_test_image.py passes against the rebuilt image.
  • repro_test.py --contract token passes (build A == build B) with no root-owned files left in the temp workdir.
  • CI build.yml is green end-to-end on a Linux runner.

@fnando fnando self-assigned this May 29, 2026
@fnando fnando requested a review from leighmcculloch May 29, 2026 18:20
@fnando fnando added this to DevX May 29, 2026
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX May 29, 2026
@fnando fnando moved this from Backlog (Not Ready) to Needs Review in DevX May 29, 2026