chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot

- docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars
- entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown
- README.md: update to multi-arch + non-privileged run guidance; fix examples
- .gitignore: ignore sbom.spdx.json and results.sarif
- .github/dependabot.yml: monitor Dockerfiles weekly

No functional changes intended; improves security, robustness, and maintainability.

docker-compose.yml.example

@@ -5,11 +5,15 @@ services:
     container_name: zerotierbridge
     image: registry.dangerous.tech/dangeroustech/zerotierbridge
     restart: always
-    privileged: true
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    sysctls:
+      net.ipv4.ip_forward: "1"
     volumes:
       - zt_config:/var/lib/zerotier-one
     environment:
-      - ZT_NETWORKS=NETWORK_ID_1 NETWORK_ID_2 NETWORK_ID_3
-      - ZT_BRIDGE=true
+      ZT_NETWORKS: "NETWORK_ID_1 NETWORK_ID_2 NETWORK_ID_3"
+      ZT_BRIDGE: "true"
 volumes:
   zt_config: