chore(embedded): cut v0.0.17-beta

When zddc-server runs inside a Kubernetes pod and shells out to
`podman run`, the inner podman tries to set up its own user namespace
via /usr/bin/newuidmap. The mapping fails inside the pod's namespace
even with privileged: true:

  newuidmap: write to uid_map failed: Invalid argument
  Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

Adding --userns=host to the inner `podman run` tells it to reuse the
caller's user namespace instead of creating a new one — newuidmap
isn't invoked. The chart already runs the pod privileged so reusing
its userns adds no new privilege; --cap-drop=ALL + --network=none +
--read-only + --tmpfs continue to isolate the inner container.

On a bare-metal host invocation, --userns=host means "no userns
remapping at all", which is the default for rootful podman and works
identically to the prior behavior — the bitnest test setup and any
laptop dev runs are unaffected.

Smoke-tested locally with the exact flag set: pandoc/latex:latest in
a --userns=host --read-only container produces valid HTML from
`# Hello world` on stdin.

zddc/internal/apps/embedded/archive.html

@@ -2470,7 +2470,7 @@ td[data-field="trackingNumber"] {
                 </svg>
                 <div class="header-title-group">
                     <span class="app-header__title">ZDDC Archive</span>
-                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 16:14:42 · 6dca32b</span></span>
+                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767</span></span>
                 </div>
                 <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
                 <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh Data">⟳</button>

zddc/internal/apps/embedded/browse.html

@@ -1657,7 +1657,7 @@ html, body {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title">ZDDC Browse</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767</span></span>
             </div>
             <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
             <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh listing" aria-label="Refresh listing">⟳</button>

zddc/internal/apps/embedded/classifier.html

@@ -1681,7 +1681,7 @@ body.help-open .app-header {
                     </svg>
                     <div class="header-title-group">
                         <span class="app-header__title">ZDDC Classifier</span>
-                        <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 16:14:42 · 6dca32b</span></span>
+                        <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767</span></span>
                     </div>
                     <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
                     <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh and rescan directory" aria-label="Refresh" style="font-size:1.1rem;">⟳</button>

zddc/internal/apps/embedded/index.html

@@ -1424,7 +1424,7 @@ body {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title">ZDDC</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767</span></span>
             </div>
         </div>
         <div class="header-right">

zddc/internal/apps/embedded/transmittal.html

@@ -2523,7 +2523,7 @@ dialog.modal--narrow {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title">ZDDC Transmittal</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 16:14:42 · 6dca32b</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 17:06:57 · dfdd767</span></span>
             </div>
             <span id="no-js-notice" class="text-gray-400 text-xs italic">JavaScript not available</span>
             <!-- Publish split-button (Transmittal-specific primary action;

zddc/internal/apps/embedded/versions.txt

@@ -1,8 +1,8 @@
 # Generated by build.sh — do not edit. One <app>=<build label> per line.
-archive=v0.0.17-beta · 2026-05-13 16:14:42 · 6dca32b
-transmittal=v0.0.17-beta · 2026-05-13 16:14:42 · 6dca32b
-classifier=v0.0.17-beta · 2026-05-13 16:14:42 · 6dca32b
-landing=v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b
-form=v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b
-tables=v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b
-browse=v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b
+archive=v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767
+transmittal=v0.0.17-beta · 2026-05-13 17:06:57 · dfdd767
+classifier=v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767
+landing=v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767
+form=v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767
+tables=v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767
+browse=v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767

zddc/internal/convert/runner.go

@@ -203,6 +203,20 @@ func (cr *containerRunner) Run(ctx context.Context, image string, stdin []byte,
 		"--rm",
 		"--pull=missing",
 		"-i",
+		// --userns=host: reuse the calling process's user namespace
+		// instead of creating a new one. Required for the nested-
+		// podman case (zddc-server runs inside a Kubernetes pod and
+		// invokes podman from there): the kernel won't let the inner
+		// podman set up its own userns via newuidmap when /etc/subuid
+		// mappings don't resolve through the pod's namespace, even
+		// with CAP_SETUID via privileged: true. The chart already
+		// runs the pod privileged, so reusing its userns adds no new
+		// privilege escalation. On a bare-metal host invocation the
+		// outer userns is the host's, so --userns=host means "no
+		// userns remapping" — also fine; --cap-drop=ALL +
+		// --network=none + --read-only continue to isolate the
+		// inner container's process.
+		"--userns=host",
 		"--network=none",
 		"--read-only",
 		"--tmpfs=/tmp:size=128m,exec",

zddc/internal/handler/tables.html

@@ -1300,7 +1300,7 @@ body.help-open .app-header {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title" id="table-title">ZDDC Table</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 16:14:43 · 6dca32b</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.17-beta · 2026-05-13 17:06:58 · dfdd767</span></span>
             </div>
         </div>
         <div class="header-right">