fix: container install flow, filebrowser auth, AppCard enrichment

- Fix .198-style fresh installs: systemd service ExecStartPre creates
  /run/user/1000, enable podman.socket, chmod 644 /etc/hosts
- Filebrowser: add /data volume for database (fixes read-only crash),
  secure auth with random password via backend RPC (no more admin/admin)
- AppCard: enrich installing state with marketplace metadata (icon,
  title, description, tier badge, author, version)
- Registry: btcpayserver 1.13.5 → 1.13.7, images mirrored
- ReadWritePaths: add home container paths for rootless podman

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

scripts/first-boot-containers.sh

@@ -700,12 +700,17 @@ fi
 track_container "onlyoffice"
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q filebrowser; then
   log "Creating File Browser..."
-  mkdir -p /var/lib/archipelago/filebrowser /var/lib/archipelago/filebrowser-db
+  mkdir -p /var/lib/archipelago/filebrowser /var/lib/archipelago/filebrowser-data
   $DOCKER run -d --name filebrowser --restart unless-stopped \
     --health-cmd="curl -sf http://localhost:80/ || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 \
     --memory=$(mem_limit filebrowser) \
-    -p 8083:80 -v /var/lib/archipelago/filebrowser:/srv \
-    "$FILEBROWSER_IMAGE" 2>>"$LOG" || true
+    --cap-drop ALL --security-opt no-new-privileges:true \
+    --read-only --tmpfs=/tmp:rw,noexec,nosuid,size=256m --tmpfs=/run:rw,noexec,nosuid,size=64m \
+    -p 8083:80 \
+    -v /var/lib/archipelago/filebrowser:/srv \
+    -v /var/lib/archipelago/filebrowser-data:/data \
+    "$FILEBROWSER_IMAGE" \
+    --database=/data/database.db --root=/srv --address=0.0.0.0 --port=80 2>>"$LOG" || true
 fi
 track_container "filebrowser"
 if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q nginx-proxy-manager; then