Vulnerable demo target

This is an intentionally misconfigured static site used by s32_security_scanner to exercise the DAST (OWASP ZAP) stage. It serves only static files, runs as a non-root user and is fully sandboxed, so it cannot harm the Docker host.