* fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore
- Removed `ENV DEEPSEEK_API_KEY=""` and `ENV DEEPSEEK_NO_COLOR=""`:
API keys should never be baked into image layers, even as empty strings.
Added comments documenting runtime secret passing patterns.
- Added explicit UID/GID (1000:1000) for the `deepseek` user:
Makes filesystem ownership unambiguous when mounting volumes and
avoids the default auto-assigned UID shifting between hosts.
- Added `.dockerignore`:
Prevents accidental inclusion of .env files, local runtime state,
documentation, dev configs, and build artifacts into the build
context, keeping the image smaller and avoiding secret leaks.
* fix(docker): keep nested build inputs in context
---------
Co-authored-by: Hunter Bown <hmbown@gmail.com>
Hunter Bown