The binary doubles as its own healthcheck client via the SDK's -healthcheck flag, so the probe works in the scratch image (no shell, no curl, no wget).
Add USER 65534:65534 to the scratch runtime image so the checker process does not run as root.
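
The image layout described above, as an added example that is not part of the original change. The binary path /checker, the Go builder stage and the probe timings are assumptions; the -healthcheck flag and USER 65534:65534 come from the text.

```dockerfile
# Added example. Assumptions: a Go code base, the binary name /checker,
# and the interval/timeout/retries values.
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# Static binary: scratch has no libc or dynamic loader to link against.
RUN CGO_ENABLED=0 go build -trimpath -o /out/checker .

FROM scratch
COPY --from=build /out/checker /checker

# Numeric UID:GID is required here: scratch has no /etc/passwd or /etc/group,
# so a user name could not be resolved. 65534 is the conventional "nobody" id.
USER 65534:65534

# Exec (JSON array) form is required: the shell form is run through /bin/sh -c,
# and scratch has no shell. The binary probes itself via its -healthcheck flag,
# so no curl or wget is needed in the image.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD ["/checker", "-healthcheck"]

ENTRYPOINT ["/checker"]
```

To verify the result, `docker inspect --format '{{.Config.User}}' <image>` should print 65534:65534, and `docker inspect --format '{{.State.Health.Status}}' <container>` should report healthy once the probe has passed.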