chore(docker): improve base image and organize docker files

- Add wget, ripgrep, python3, and GitHub CLI (gh) to base image
- Add OPENCODE_ALLOW_ALL_MODELS=true to production ENV
- Move compose files, onboard-smoke Dockerfile to docker/
- Move entrypoint script to scripts/docker-entrypoint.sh
- Add Podman Quadlet unit files (pod, app, db containers)
- Add docker/README.md with build, compose, and quadlet docs
- Add scripts/docker-build-test.sh for local build validation
- Update all doc references for new file locations
- Keep main Dockerfile at project root (no .dockerignore changes needed)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

scripts/docker-build-test.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Verify the Docker image builds successfully.
+# Skips gracefully when docker/podman is not available.
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+# Detect container runtime
+if command -v docker >/dev/null 2>&1; then
+  RUNTIME=docker
+elif command -v podman >/dev/null 2>&1; then
+  RUNTIME=podman
+else
+  echo "SKIP: neither docker nor podman found — skipping build test"
+  exit 0
+fi
+
+# Verify the daemon is reachable (docker may be installed but not running)
+if ! "$RUNTIME" info >/dev/null 2>&1; then
+  echo "SKIP: $RUNTIME is installed but not running — skipping build test"
+  exit 0
+fi
+
+IMAGE_TAG="paperclip-build-test:$$"
+trap '"$RUNTIME" rmi "$IMAGE_TAG" >/dev/null 2>&1 || true' EXIT
+
+echo "==> Testing Docker build with $RUNTIME"
+"$RUNTIME" build \
+  -f "$REPO_ROOT/Dockerfile" \
+  -t "$IMAGE_TAG" \
+  --target production \
+  "$REPO_ROOT"
+
+echo "==> Verifying key binaries in image"
+"$RUNTIME" run --rm "$IMAGE_TAG" sh -c '
+  set -e
+  node --version
+  git --version
+  gh --version
+  rg --version
+  python3 --version
+  curl --version | head -1
+  claude --version 2>/dev/null || echo "claude CLI not found (OK in minimal builds)"
+'
+
+echo "PASS: Docker build test succeeded"

scripts/docker-entrypoint.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+# Capture runtime UID/GID from environment variables, defaulting to 1000
+PUID=${USER_UID:-1000}
+PGID=${USER_GID:-1000}
+
+# Adjust the node user's UID/GID if they differ from the runtime request
+# and fix volume ownership only when a remap is needed
+changed=0
+
+if [ "$(id -u node)" -ne "$PUID" ]; then
+    echo "Updating node UID to $PUID"
+    usermod -o -u "$PUID" node
+    changed=1
+fi
+
+if [ "$(id -g node)" -ne "$PGID" ]; then
+    echo "Updating node GID to $PGID"
+    groupmod -o -g "$PGID" node
+    usermod -g "$PGID" node
+    changed=1
+fi
+
+if [ "$changed" = "1" ]; then
+    chown -R node:node /paperclip
+fi
+
+exec gosu node "$@"

scripts/docker-onboard-smoke.sh

@@ -242,7 +242,7 @@ echo "==> Building onboard smoke image"
 docker build \
   --build-arg PAPERCLIPAI_VERSION="$PAPERCLIPAI_VERSION" \
   --build-arg HOST_UID="$HOST_UID" \
-  -f "$REPO_ROOT/Dockerfile.onboard-smoke" \
+  -f "$REPO_ROOT/docker/Dockerfile.onboard-smoke" \
   -t "$IMAGE_NAME" \
   "$REPO_ROOT"