chore(docker): silence Trivy DS-0026 on Dockerfile.test via HEALTHCHECK NONE

  Trivy raised DS-0026 ("No HEALTHCHECK defined") against Dockerfile.test
  on every run of the security workflow. The test image is a one-shot
  pytest runner — there's no service to probe, so any HEALTHCHECK we
  invented would be cargo-cult noise that fires once and means nothing.

  HEALTHCHECK NONE is the documented Docker directive to explicitly opt
  out of any inherited HEALTHCHECK and is the way Trivy itself expects
  projects to signal "this image is intentionally not a long-running
  service." Adding it closes code-scanning alert #813 cleanly.

  Note: the perl-base CVE-2026-8376 alert (#811) is left open for now
  and dismissed in the GitHub UI as "Won't fix - no upstream patch"
  because Debian Trixie has not yet shipped a fixed perl-base; the
  patched build will land automatically on the next base-image refresh.
maziggy 3 days ago
parent
commit
b9b06a7351
2 changed files with 6 additions and 0 deletions
  1. CHANGELOG.md (+1 -0)
  2. Dockerfile.test (+5 -0)

Diff file is too large
+ 1 - 0
CHANGELOG.md


+ 5 - 0
Dockerfile.test

@@ -37,6 +37,11 @@ ENV PYTHONUNBUFFERED=1
 ENV DATA_DIR=/app/data
 ENV TESTING=1
 
+# Test image runs pytest and exits — there is no long-running service
+# to probe. HEALTHCHECK NONE is the documented Docker opt-out and
+# silences Trivy DS-0026 without adding meaningless probe logic.
+HEALTHCHECK NONE
+
 # Default command runs pytest (excluding docker integration tests).
 # -v dropped: 5300+ "PASSED foo::bar" lines per worker eat noticeable
 # stdout I/O time and clutter test_docker.sh output. --tb=short still
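Review bot: before relying on this to close alert #813, confirm that test_docker.sh (named in the trailing comment) does not wait on container health, because with HEALTHCHECK NONE `docker inspect` reports no Health state at all rather than "healthy", which differs from the "no HEALTHCHECK" state only in that any base-image probe is now explicitly disabled. The placement after the ENV block and before the CMD comment is fine, and the inline mention of DS-0026 is helpful for the next person who sees the scanner output; just note that the instruction itself, not the comment, is what satisfies the check, so the comment should be kept in sync if the rule ID ever changes.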

Some files were not shown because too many files changed