infra: .dockerignore, remove exposed port, healthcheck, pin caddy

- add repo-root .dockerignore (target, node_modules, .git, dist)
- colony: expose instead of ports (internal network only)
- colony: healthcheck via /api/health
- caddy: pin to 2.11, mount Caddyfile read-only
- caddy: depends_on service_healthy

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,9 @@
+target/
+**/node_modules/
+**/dist/
+.git/
+*.db
+*.db-wal
+*.db-shm
+.claude/
+docs/

infra/colony/docker-compose.yml

@@ -9,23 +9,30 @@ services:
       - DATABASE_URL=sqlite:/data/colony.db?mode=rwc
     volumes:
       - colony_data:/data
-    ports:
-      - "3001:3001"
+    # No ports exposed — Caddy reverse proxies on internal network
+    expose:
+      - "3001"
     restart: always
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3001/api/health"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
 
   caddy:
-    image: caddy:latest
+    image: caddy:2.11
     container_name: colony-caddy
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - caddy_data:/data
       - caddy_config:/config
     restart: always
     depends_on:
-      - colony
+      colony:
+        condition: service_healthy
 
 volumes:
   colony_data: