deploy: Dockerfile + docker-compose.yml for mDock, manual first roll

Pulls the deploy infra forward from §10 so m can see slice 1 on his LAN.

- Dockerfile: multi-stage golang:1.25-alpine → distroless/static-debian12.
  CGO_ENABLED=0 (modernc.org/sqlite is pure Go). USER 1000:1000 so the
  bind-mount on mDock (owned by m:m) is writable without chowning the
  host dir. -trimpath + -s -w; 12.2MB final image.
- docker-compose.yml: matches the mDock convention surveyed earlier
  (container_name explicit, restart: unless-stopped, env_file in
  /home/m/secrets/mcables/.env, bind-mount /home/m/stacks/mcables/data,
  port 7777 exposed on LAN). Image temporarily under the mai/ namespace
  on mgit.msbls.de because mAi doesn't have write access to m/* today —
  documented in a comment so retagging is one line when permissions land.
- .dockerignore: keeps .git, .worktrees, .m, data/, docs/, *.md,
  editor cruft out of the build context.

Manual deploy verified end-to-end:
- docker build → image sha256:76624f17 (12.2MB)
- mAi-authenticated push to mgit.msbls.de/mai/mcables:latest
- ssh mdock anonymous pull works (registry allows public reads on this
  namespace)
- POST /api/projects {"name":"LOFT"} returns the row, GET /api/projects
  shows it; docker compose restart preserves it on disk; second GET
  still shows LOFT.

Gitea Actions auto-deploy left for a follow-up task per the head's
instruction — gets us the moving parts right first.

.dockerignore

@@ -0,0 +1,32 @@
+# Source-control + worktree noise
+.git
+.gitignore
+.gitea
+.worktrees
+
+# mai worker-local logs
+.m
+
+# Local runtime state (mounted as a volume in production)
+data
+*.db
+*.db-wal
+*.db-shm
+
+# Build artefacts
+bin
+mcables
+
+# Editor cruft
+.vscode
+.idea
+*.swp
+
+# Documentation (lives in git, not in the image)
+docs
+CLAUDE.md
+README.md
+
+# Test files (build still respects them via go.mod, this only strips
+# the test fixtures we might check in later)
+**/testdata