fix(docker): improve Dockerfile best practices

Changes:
- Parameterize NODE_VERSION in runtime stage (was hardcoded to 20.x)
- Move RUN commands before USER switch (RUN can't execute as non-root)
- Fix .version file creation before switching to peikarband user
- Reorder security hardening to run before USER switch

This ensures all file system operations complete before dropping privileges.

Dockerfile

@@ -86,7 +86,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && apt-get clean
 
 # Install Node.js runtime
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+ARG NODE_VERSION=20
+RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - \
     && apt-get install -y --no-install-recommends nodejs \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean
@@ -105,6 +106,13 @@ COPY --from=builder /build /app
 # Fix ownership
 RUN chown -R peikarband:peikarband /home/peikarband/.local /app
 
+# Add version info (must be before USER switch)
+RUN echo "${VERSION}" > /app/.version && \
+    chown peikarband:peikarband /app/.version
+
+# Security: Remove unnecessary setuid/setgid permissions
+RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
+
 # Set environment variables
 ENV PATH=/home/peikarband/.local/bin:$PATH \
     PYTHONUNBUFFERED=1 \
@@ -115,9 +123,6 @@ ENV PATH=/home/peikarband/.local/bin:$PATH \
     REFLEX_ENV=production \
     ENVIRONMENT=production
 
-# Security: Remove unnecessary setuid/setgid permissions
-RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
-
 # Switch to non-root user
 USER peikarband
 
@@ -128,9 +133,6 @@ EXPOSE 3000 8000
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
     CMD curl -f -s -o /dev/null -w "%{http_code}" http://localhost:8000/ping | grep -q "200" || exit 1
 
-# Add version info endpoint
-RUN echo "${VERSION}" > /app/.version
-
 # Use tini as init system for proper signal handling
 ENTRYPOINT ["/usr/bin/tini", "--"]