feat(docker-watcher): phase 12 - hardening

Blue-green zero-downtime deploys, promote flow validation.
Dual auth: local (bcrypt + JWT) and OAuth2/OIDC (any provider).
Auth middleware, login page, auth settings UI.
Structured logging (slog JSON), config export to YAML.
Graceful shutdown with deploy draining.
Multi-stage Dockerfile and production docker-compose.yml.
Swap phase order: Volumes & Env before UI Polish.

docker-compose.yml

@@ -0,0 +1,46 @@
+services:
+  docker-watcher:
+    build: .
+    image: docker-watcher:latest
+    container_name: docker-watcher
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    volumes:
+      # Mount Docker socket for container management.
+      - /var/run/docker.sock:/var/run/docker.sock
+      # Persistent data (SQLite database).
+      - docker-watcher-data:/app/data
+      # Optional seed config (read on first launch only).
+      - ./docker-watcher.yaml:/app/docker-watcher.yaml:ro
+    environment:
+      # Required: protects all credentials stored in the database.
+      - ENCRYPTION_KEY=${ENCRYPTION_KEY:?Set ENCRYPTION_KEY in .env}
+      # Optional: default admin password on first launch (default: "admin").
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
+      # Optional: override seed file location.
+      - SEED_FILE=/app/docker-watcher.yaml
+      # Optional: override data directory.
+      - DATA_DIR=/app/data
+      # Optional: override listen address.
+      - LISTEN_ADDR=:8080
+      # Optional: override NPM URL (otherwise uses value from settings).
+      # - NPM_URL=http://npm:81
+      # Optional: override polling interval.
+      # - POLLING_INTERVAL=5m
+    networks:
+      - staging-net
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/api/auth/login"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  docker-watcher-data:
+    driver: local
+
+networks:
+  staging-net:
+    external: true