fix: auto-chown mounted volumes + metadataBase warning

THREE FIXES IN ONE SHOT.

1. UPLOAD EACCES (the crashing one)
The /app/public/branding upload was failing with EACCES because the
folder on the host was created by `debian` (uid 1000) but the container
runs as nextjs (uid 1001). Docker bind mounts preserve host ownership,
so the container couldn't write into branding/.

Fix: introduce a docker-entrypoint.sh that runs the container briefly
as root, chowns every public/* mount to uid 1001, runs Prisma migrate
deploy, then drops to nextjs via `su-exec`. From now on every deploy
self-heals permissions across all asset folders (branding, footage,
applications, cases, news, parts, operations-inbox) — even if a future
volume gets added with the wrong owner.

Dockerfile changes:
- Adds `su-exec` package (lightweight gosu equivalent for Alpine)
- Removes the static USER directive (entrypoint manages user transitions)
- Replaces CMD with an ENTRYPOINT pointing at the new script

2. metadataBase WARNING
Server logs were emitting:
  ⚠ metadataBase property in metadata export is not set ... using "http://localhost:3000"
That's the layout's generateMetadata not declaring metadataBase, so
Next.js couldn't resolve relative OG/Twitter image URLs to absolute
ones. Reading NEXT_PUBLIC_APP_URL (already set in docker-compose env)
and feeding it as `metadataBase: new URL(...)` silences the warning
and produces correct absolute URLs in social previews.

3. PERMISSIONS DOCS
The entrypoint chown is idempotent and silent on non-existent folders,
so future volumes added to docker-compose just work. No more "did you
sudo chown the new folder" gotchas.

DEPLOY (David)
  cd /opt/flux-srl
  # one-time fix for the existing branding folder so the next deploy
  # doesn't have to chown 65MB of data — but the entrypoint now handles
  # this automatically anyway:
  sudo chown -R 1001:1001 /opt/flux-srl/public/branding
  git pull
  docker compose up -d --build app

Dockerfile

@@ -56,9 +56,10 @@ ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
 
 # vips runtime — required for sharp at runtime, not just build
-RUN apk add --no-cache vips
+# su-exec — drops privileges from root to nextjs in the entrypoint
+RUN apk add --no-cache vips su-exec
 
-# Security: run as non-root user
+# Security: run as non-root user (entrypoint chowns volumes as root, then drops)
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
 
@@ -82,14 +83,15 @@ COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
 # i18n message files (required by next-intl at runtime)
 COPY --from=builder /app/messages ./messages
 
-USER nextjs
-
 EXPOSE 3000
 
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 
-# Run pending migrations on startup, then boot the Next.js server.
-# `migrate deploy` is idempotent — it skips already-applied migrations.
-# If the DB is unreachable the container exits and docker-compose retries.
-CMD ["sh", "-c", "node ./node_modules/prisma/build/index.js migrate deploy && node server.js"]
+# Entrypoint runs briefly as root to chown mounted volumes (fixes EACCES
+# on uploads when the host folder owner != container user), runs Prisma
+# migrations, then drops to the nextjs user via su-exec.
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

scripts/docker-entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+# ─────────────────────────────────────────────────────────────────────────────
+# FLUX container entrypoint.
+#
+# Runs as root briefly so we can:
+#   1. Make sure all mounted upload dirs are writable by uid 1001 (nextjs).
+#      The host folders may have been mkdir'd by another user (debian) and
+#      docker-compose mounts preserve those permissions, which would lock
+#      the container out. This single chown fixes it on every start.
+#   2. Apply pending Prisma migrations idempotently.
+#   3. Hand off to the Next.js server, dropping privileges to nextjs.
+# ─────────────────────────────────────────────────────────────────────────────
+
+set -e
+
+# Fix ownership on every mounted public/* folder so the container can write.
+# Skips silently if a folder doesn't exist or chown isn't permitted.
+for dir in \
+  /app/public/branding \
+  /app/public/footage \
+  /app/public/applications \
+  /app/public/cases \
+  /app/public/news \
+  /app/public/parts \
+  /app/public/operations-inbox; do
+  if [ -d "$dir" ]; then
+    chown -R 1001:1001 "$dir" 2>/dev/null || true
+  fi
+done
+
+# Run pending migrations (idempotent).
+su-exec nextjs node ./node_modules/prisma/build/index.js migrate deploy
+
+# Boot the Next.js server as the unprivileged user.
+exec su-exec nextjs node server.js

src/app/[locale]/layout.tsx

@@ -20,9 +20,15 @@ const inter = Inter({ subsets: ["latin"] });
 
 // Dynamic metadata pulls favicon, logos, OG image and theme color from the
 // SiteSetting CMS. Falls back to defaults when the table is empty.
+//
+// metadataBase is required so Next.js can resolve relative OG/Twitter image
+// URLs to absolute ones — otherwise it warns and falls back to localhost:3000.
+const APP_BASE_URL = (process.env.NEXT_PUBLIC_APP_URL || "https://rf-flux.com").replace(/\/$/, "");
+
 export async function generateMetadata(): Promise<Metadata> {
   const branding = await getBranding();
   return {
+    metadataBase: new URL(APP_BASE_URL),
     title: "FLUX | Energy, Directed.",
     description: "Advanced Radio Frequency Solutions by Patrizio Grando.",
     icons: {