fix: chown wizard_config volume to nonroot uid via init sidecar

The abstract-wizard image runs as nonroot (65532), but the named
volume is created with root:root ownership, causing PUT writes to
harborforge.json to return 500. Add a busybox wizard_init service
that chowns /config to 65532:65532 before wizard starts.

docker-compose.yml

@@ -80,6 +80,14 @@ services:
     networks:
       - app-network
 
+  wizard_init:
+    image: busybox:1.36
+    restart: "no"
+    user: "0:0"
+    volumes:
+      - wizard_config:/config
+    command: ["sh", "-c", "chown -R 65532:65532 /config"]
+
   wizard:
     image: git.hangman-lab.top/nav/abstract-wizard:latest
     ports:
@@ -91,6 +99,9 @@ services:
       LISTEN_ADDR: "0.0.0.0:8080"
       MAX_BACKUPS: "5"
       CORS_ORIGINS: ${HF_FRONTEND_HOST}
+    depends_on:
+      wizard_init:
+        condition: service_completed_successfully
     networks:
       - app-network