Fix Dockerfile: create /data as root before switching to appuser

mkdir /data was running after USER appuser — no permission to write to /.
Move mkdir + chown into the same RUN layer before USER switch.

Dockerfile

@@ -9,13 +9,12 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Copy app
 COPY app/ app/
 
-# Non-root user
-RUN useradd -r -u 1001 appuser && chown -R appuser /app
+# Data dir (will be bind-mounted read-only in production) + non-root user
+RUN mkdir -p /data && \
+    useradd -r -u 1001 appuser && \
+    chown -R appuser /app /data
 USER appuser
 
-# Data dir (will be bind-mounted read-only in production)
-RUN mkdir -p /data
-
 EXPOSE 8001
 
 ENV PORT=8001