deploy: Dockerfile + docker-compose.yml for mDock, manual first roll

Pulls the deploy infra forward from §10 so m can see slice 1 on his LAN.

- Dockerfile: multi-stage golang:1.25-alpine → distroless/static-debian12.
  CGO_ENABLED=0 (modernc.org/sqlite is pure Go). USER 1000:1000 so the
  bind-mount on mDock (owned by m:m) is writable without chowning the
  host dir. -trimpath + -s -w; 12.2MB final image.
- docker-compose.yml: matches the mDock convention surveyed earlier
  (container_name explicit, restart: unless-stopped, env_file in
  /home/m/secrets/mcables/.env, bind-mount /home/m/stacks/mcables/data,
  port 7777 exposed on LAN). Image temporarily under the mai/ namespace
  on mgit.msbls.de because mAi doesn't have write access to m/* today —
  documented in a comment so retagging is one line when permissions land.
- .dockerignore: keeps .git, .worktrees, .m, data/, docs/, *.md,
  editor cruft out of the build context.

Manual deploy verified end-to-end:
- docker build → image sha256:76624f17 (12.2MB)
- mAi-authenticated push to mgit.msbls.de/mai/mcables:latest
- ssh mdock anonymous pull works (registry allows public reads on this
  namespace)
- POST /api/projects {"name":"LOFT"} returns the row, GET /api/projects
  shows it; docker compose restart preserves it on disk; second GET
  still shows LOFT.

Gitea Actions auto-deploy left for a follow-up task per the head's
instruction — gets us the moving parts right first.

README.md

@@ -75,6 +75,68 @@ PATCH  /api/cable-types/:id               ← partial — affects every project
 DELETE /api/cable-types/:id               ← 409 in_use if any cable references it
 ```
 
+## Deploy to mDock
+
+mCables runs on **mDock** at `http://mdock:7777` as a docker-compose
+service under `/home/m/stacks/mcables/`. Pattern matches the other
+mDock services (mgreen-journal, mgeo, msports-garmin, …) — no Dokploy,
+no reverse proxy, LAN-trusted.
+
+### Manual deploy (first roll)
+
+1. **Build + push the image** (from any host with docker; today the
+   image lives in mAi's Gitea namespace because mAi doesn't have write
+   access to `m/`):
+
+   ```sh
+   docker build -t mgit.msbls.de/mai/mcables:latest .
+   awk '/machine mgit.msbls.de/{getline; getline; print $2}' ~/.netrc-mai \
+     | docker login mgit.msbls.de -u mAi --password-stdin
+   docker push mgit.msbls.de/mai/mcables:latest
+   ```
+
+2. **Prepare directories on mDock** (one-time):
+
+   ```sh
+   ssh mdock 'mkdir -p /home/m/stacks/mcables/data /home/m/secrets/mcables \
+              && touch /home/m/secrets/mcables/.env \
+              && chmod 0600 /home/m/secrets/mcables/.env'
+   scp docker-compose.yml mdock:/home/m/stacks/mcables/docker-compose.yml
+   ```
+
+3. **Pull + start**:
+
+   ```sh
+   ssh mdock 'cd /home/m/stacks/mcables && docker compose pull && docker compose up -d'
+   ```
+
+4. **Verify** from any LAN host:
+
+   ```sh
+   curl http://mdock:7777/api/healthz       # → {"status":"ok"}
+   curl http://mdock:7777/api/cable-types   # → the 5 seeded types
+   ```
+
+To **update** to a new build: rebuild + push the image, then
+`ssh mdock 'cd /home/m/stacks/mcables && docker compose pull && docker compose up -d'`.
+
+### Persistence
+
+SQLite lives at `/home/m/stacks/mcables/data/mcables.db` on the host
+(bind-mounted into the container at `/app/data`). Container runs as
+UID 1000:1000 to align with `m:m` ownership on mDock — DB files end
+up owned by `m`, the host user.
+
+`docker compose restart` keeps the data intact (tested 2026-05-15).
+
+### Automation — follow-up task
+
+This first roll is **manual**. A Gitea Actions workflow on the
+self-hosted runner already on mDock (`/home/m/act-runner/`, label
+`self-hosted:host`) — build → push → `docker compose up -d` on every
+push to `main` — is a separate task per the design's §10. Tracking
+spawned by the head if/when wanted.
+
 ## Design + project conventions
 
 - `docs/design.md` — full v3 design (schema, API, importer/export