
fix(2.4.8): replace gosu with setpriv to clear 50 Go stdlib CVEs#226

Merged
ttlequals0 merged 1 commit into main from fix/replace-gosu-with-setpriv on May 16, 2026

Conversation

@ttlequals0
Owner

Summary

Replaces gosu with setpriv (from util-linux) in entrypoint.sh and drops the gosu package from both GPU and CPU images. Clears 50 of 52 vulnerabilities from the current Docker Scout report (3 CRITICAL, 19 HIGH, 26 MEDIUM, 2 LOW) — all from the Go stdlib 1.22.2 baked into Ubuntu 24.04's gosu 1.17 binary.

Why setpriv

  • Already in the base image (util-linux 2.39.3, verified in ubuntu:24.04 and nvidia/cuda:12.9.1-runtime-ubuntu24.04).
  • No Go runtime -> no Go-stdlib CVE drip in future scans.
  • Upstream-recommended gosu alternative; flags reproduce gosu defaults:
    • --reuid=minuspod + --regid=minuspod (setuid+setgid)
    • --init-groups (supplementary groups from /etc/group)
    • --inh-caps=-all (drop inheritable caps)

What changed

  • entrypoint.sh:51: gosu minuspod gunicorn ... -> setpriv --reuid=minuspod --regid=minuspod --init-groups --inh-caps=-all -- gunicorn ...
  • Dockerfile + Dockerfile.cpu — removed gosu from apt install, replaced gosu nobody true smoke test with the setpriv equivalent
  • docker-compose.yml + docker-compose.cpu.yml + README.md — comment / docs sync
  • Version bump 2.4.7 -> 2.4.8 (version.py, openapi.yaml, CHANGELOG)

Remaining CVEs

2 torch CVEs (local DoS, LOW + MEDIUM) require a torch 2.6.0 -> 2.8.0 upgrade. Tracked separately; deferred from this PR.

Test plan

  • 1178 pytest tests pass locally
  • Frontend tsc --noEmit clean
  • /simplify + /code-review run, all findings addressed
  • CI green (CodeQL, pip-audit)
  • GPU image builds and trivy scan confirms 50 gosu CVEs gone
  • CPU image builds and trivy scan clean
  • Container starts, gunicorn drops to UID 1000, /api/v1/health returns 200

Ubuntu 24.04 ships gosu 1.17 compiled against Go stdlib 1.22.2, which
carries 50 known CVEs (3 CRITICAL, 19 HIGH, 26 MEDIUM, 2 LOW) per Docker
Scout. setpriv from util-linux is already in the base image, has no Go
runtime, and is the upstream-recommended gosu alternative.

entrypoint.sh privilege-drop flags match gosu defaults:
--reuid=minuspod --regid=minuspod --init-groups --inh-caps=-all

Mirrored across GPU Dockerfile, CPU Dockerfile, both docker-compose
files, and README. The 2 remaining torch CVEs (local DoS, LOW + MED)
need a torch 2.6.0 -> 2.8.0 bump and are tracked separately.
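The privilege drop and the "gosu nobody true" smoke test described above, as an added example that is not the project's entrypoint.sh: the user name minuspod and the four setpriv flags come from the PR; the --smoke argument, check_status parser and RUN_USER variable are assumptions.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh): drop privileges with
# setpriv the way the PR does, and verify the drop actually happened.
set -eu

RUN_USER="${RUN_USER:-minuspod}"   # assumption: service account name from the PR

# Build the setpriv argument list that reproduces gosu's defaults:
# setuid+setgid to the target user, supplementary groups from /etc/group,
# and an empty inheritable capability set.
privdrop_args() {
  user="$1"
  printf '%s' "--reuid=$user --regid=$user --init-groups --inh-caps=-all"
}

# Parse a /proc/<pid>/status document and return 0 only if the process
# runs with the expected real/effective uid and effective gid and has no
# inheritable capabilities left (CapInh is all zeros).
check_status() {
  status="$1"; want_uid="$2"; want_gid="$3"
  ruid=$(printf '%s\n' "$status" | awk '/^Uid:/ {print $2}')
  euid=$(printf '%s\n' "$status" | awk '/^Uid:/ {print $3}')
  egid=$(printf '%s\n' "$status" | awk '/^Gid:/ {print $3}')
  capinh=$(printf '%s\n' "$status" | awk '/^CapInh:/ {print $2}')
  [ "$ruid" = "$want_uid" ] && [ "$euid" = "$want_uid" ] \
    && [ "$egid" = "$want_gid" ] && [ "$capinh" = "0000000000000000" ]
}

# Smoke test, the setpriv equivalent of "gosu nobody true": run a child
# under setpriv and inspect the child's own /proc/self/status. Needs root
# and util-linux in the image.
smoke_test() {
  user="$1"
  want_uid=$(id -u "$user"); want_gid=$(id -g "$user")
  # shellcheck disable=SC2046  # word-splitting of the flag string is intended
  child_status=$(setpriv $(privdrop_args "$user") -- cat /proc/self/status)
  check_status "$child_status" "$want_uid" "$want_gid"
}

# Run the smoke test only when invoked as root with "--smoke" (assumed flag).
if [ "${1:-}" = "--smoke" ] && [ "$(id -u)" = 0 ] && command -v setpriv >/dev/null 2>&1; then
  smoke_test "$RUN_USER" && echo "privilege drop OK for $RUN_USER"
fi
```

In the Dockerfile the same check can replace the old smoke test line as `setpriv --reuid=nobody --regid=nobody --init-groups --inh-caps=-all -- true`, which fails the build if util-linux is missing.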
@ttlequals0 ttlequals0 merged commit 74ceaf1 into main May 16, 2026
13 checks passed
@ttlequals0 ttlequals0 deleted the fix/replace-gosu-with-setpriv branch May 16, 2026 00:12