fix: nextjs primary group + auto-create asset folders on entity create

THREE INTERLOCKING FIXES so editors stop hitting permission walls.

1) DOCKERFILE — gid 65533 (nogroup) on uploaded files
The container was creating files as 1001:65533 because Alpine's
`adduser --system --uid 1001 nextjs` doesn't set a primary group.
Files written through /api/assets ended up with `nogroup` ownership,
which surprised host sysadmins and made `chown -R 1001:1001` revert
on each fresh container start.

Fix: `adduser --system --uid 1001 --ingroup nodejs nextjs`. Now
every file written by the container is 1001:1001 (nextjs:nodejs),
matching the host conventions and the existing chown automation.

2) ENTRYPOINT — recursively normalise existing files
The recursive chown in scripts/docker-entrypoint.sh now sweeps every
subfolder of /app/public/branding|footage|applications|cases|news|
parts|operations-inbox|heritage on each container start, fixing any
files that previously slipped through with the wrong group. Single
fast pass, idempotent. Adds /app/public/heritage to the list (was
missing).

3) AUTO-CREATE ASSET BUCKETS on entity create
The big editor UX win: when an admin creates a Case (GlobalNode), an
Application or a News article in HQ Command, the server now also
mkdir's the well-known asset subfolders for that entity. So after
creating "Acme Industries" as a case, the editor immediately gets
/public/cases/acme-industries/{videos,renders,gallery,datasheet,models}
ready — no more "EACCES because the dir wasn't created" gotcha
when they upload their first video.

Implementation:
- src/lib/assetFolders.ts: typed helper with per-scope bucket lists
  + a titleToSlug helper that mirrors the front-end's slugger so the
  folder name matches what ApplicationClient expects when rendering
  /cases/<slug>/videos/<file>.
- network/actions.ts: createNode -> ensureAssetFolders("cases", slug).
  Plus a new server action ensureNodeAssetFolders(id) so the editor
  can fix existing nodes without recreating them (one-click "Repair").
- news/actions.ts: createNewsArticle -> ensureAssetFolders("news",slug)
- applications/actions.ts: createApplication -> ensureAssetFolders(...)

DEPLOY (David)
  cd /opt/flux-srl
  git pull
  docker compose up -d --build app
  # The entrypoint will fix existing 1001:65533 files automatically
  # as the container boots — no manual chown needed.

scripts/docker-entrypoint.sh

@@ -3,18 +3,20 @@
 # FLUX container entrypoint.
 #
 # Runs as root briefly so we can:
-#   1. Make sure all mounted upload dirs are writable by uid 1001 (nextjs).
-#      The host folders may have been mkdir'd by another user (debian) and
-#      docker-compose mounts preserve those permissions, which would lock
-#      the container out. This single chown fixes it on every start.
+#   1. Make sure every mounted upload dir AND every file inside is owned by
+#      uid 1001 / gid 1001 (nextjs:nodejs). Without this, files written
+#      previously when nextjs had nogroup (gid 65533) stay 1001:65533 and
+#      sysadmins on the host see a wrong group.
 #   2. Apply pending Prisma migrations idempotently.
 #   3. Hand off to the Next.js server, dropping privileges to nextjs.
 # ─────────────────────────────────────────────────────────────────────────────
 
 set -e
 
-# Fix ownership on every mounted public/* folder so the container can write.
-# Skips silently if a folder doesn't exist or chown isn't permitted.
+# Recursively normalise ownership on every mounted public/* folder. Recursive
+# is fine because (a) Prisma and Next.js never read /app/public except from
+# fs APIs that don't care about ownership, and (b) the chown is fast on local
+# disk even with thousands of files — runs once per container start.
 for dir in \
   /app/public/branding \
   /app/public/footage \
@@ -22,7 +24,8 @@ for dir in \
   /app/public/cases \
   /app/public/news \
   /app/public/parts \
-  /app/public/operations-inbox; do
+  /app/public/operations-inbox \
+  /app/public/heritage; do
   if [ -d "$dir" ]; then
     chown -R 1001:1001 "$dir" 2>/dev/null || true
   fi