Description

This PR tightens Calrissian’s default container security context as requested in #188
Specifically:

• readOnlyRootFilesystem: true by default for all step containers, with default cwltool flag --no-read-only to restore a writable root if needed

• allowPrivilegeEscalation: false set explicitly on all step containers

• privileged: false set explicitly on all step containers (This is already the normal default in Kubernetes, but we now declare it for clarity)

Tests

Unit tests verifying:

• Default container securityContext includes readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, privileged: false

• --no-read-only flips only readOnlyRootFilesystem to false

Backwards compatibility

• Workflows that rely on a writable root filesystem can pass --no-read-only

• No change to existing --no-match-user behavior