fix: run Docker container as non-root user (closes #34)

- Switch to gcr.io/distroless/cc-debian12:nonroot
- Add explicit USER 65534:65534 directive
- Add Docker security CI job verifying non-root UID, :nonroot base, and USER directive
- Document CIS Docker Benchmark compliance in SECURITY.md
- Add tests and edge cases for container security

src/identity/mod.rs

@@ -0,0 +1,9 @@
+//! Identity module — portable AI identity framework
+//!
+//! Supports multiple identity formats:
+//! - **AIEOS** (AI Entity Object Specification v1.1) — JSON-based portable identity
+//! - **OpenClaw** (default) — Markdown files (IDENTITY.md, SOUL.md, etc.)
+
+pub mod aieos;
+
+pub use aieos::{AieosEntity, AieosIdentity, load_aieos_identity};