Explain why ca-certificates is required in the Node Dockerfile template (#849)

* Explain why ca-certificates is required in the Node Dockerfile template

The previous comment ("enables TLS/SSL for securely fetching dependencies")
implied this is generic Docker hygiene that could be skipped to shave layers.
That framing is misleading: @livekit/rtc-node ships a native Rust core that
reads the system trust store via rustls-tls-native-roots, not Node's bundled
CA roots. node:22-slim doesn't ship /etc/ssl/certs/ca-certificates.crt, so
without ca-certificates Room.connect() fails with the misleading
"failed to retrieve region info" error.

Rewrite the in-template comment to name the cause so a developer trimming the
image knows the line is load-bearing. No functional change.

* Tighten ca-certificates comment

* Restore TLS context and --no-install-recommends note; drop version-specific image name

Author: aryeila

pkg/agentfs/examples/node.Dockerfile

@@ -11,9 +11,10 @@ FROM node:${NODE_VERSION}-slim AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
-# Install required system packages and pnpm, then clean up the apt cache for a smaller image
-# ca-certificates: enables TLS/SSL for securely fetching dependencies and calling HTTPS services
-# --no-install-recommends keeps the image minimal
+# Install ca-certificates (the system CA bundle used for TLS), then clean
+# the apt cache. Required by the LiveKit SDK: the native Rust core reads
+# the system trust store at runtime, which the slim base image doesn't ship.
+# --no-install-recommends keeps the image minimal.
 RUN apt-get update -qq && apt-get install --no-install-recommends -y ca-certificates && rm -rf /var/lib/apt/lists/*
 
 # Pin pnpm version for reproducible builds