feat: add Docker infrastructure, migrations, CI/CD client, session cleanup, tests

Docker & Deployment:
- Add Dockerfile (multi-stage, alpine, non-root)
- Add docker-compose.yml (caddy, backend, postgres, watchtower)
- Add Caddyfile (TLS, file_server, reverse proxy)
- Add .env.example

Database:
- Add migrations/001_init.sql (all tables + indexes)

CI/CD:
- Add cmd/ci-release/main.go (launcher binary upload tool)

Session management:
- Add internal/session/cleanup.go (background expired session cleanup)
- Integrate cleanup worker into main.go

Bug fixes:
- Fix launcherLatest download URL to include version segment
- Fix serveLauncherAsset path to match route pattern
- Add Content-Type detection from file extension in CAS serveFile
- Add empty-field validation in webLogin
- Format string fix in ci-release (%d → %s for resp.Status)

Tests:
- Add internal/auth/auth_test.go (8 tests)
- Add internal/cas/cas_test.go (7 tests)
- Add internal/session/cleanup_test.go (1 test)
- Add internal/api/api_test.go (5 tests)
- All tests passing, go vet clean

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -0,0 +1,80 @@
+# MrixsCraft — Production Docker Compose
+# Usage: docker compose up -d
+# Monitoring (when ready): docker compose --profile monitoring up -d
+
+services:
+  caddy:
+    image: caddy:2-alpine
+    container_name: mc-caddy
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+      - cdn_files:/var/www/cdn/files:ro
+
+  backend:
+    image: git.mrixs.me/Mrixs/MrixsCraft-server:latest
+    container_name: mc-backend
+    restart: unless-stopped
+    environment:
+      SERVER_PORT: 8080
+      DATABASE_URL: postgres://mcuser:${DB_PASSWORD}@postgres:5432/mcserver?sslmode=disable
+      CI_TOKEN: ${CI_TOKEN}
+      CAS_DIR: /var/www/cdn/files
+      SKINS_DIR: /var/www/cdn/skins
+      JWT_SECRET: ${JWT_SECRET}
+      BASE_URL: https://minecraft.mrixs.me
+    volumes:
+      - cdn_files:/var/www/cdn/files
+    depends_on:
+      postgres:
+        condition: service_healthy
+    expose:
+      - "8080"
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  postgres:
+    image: postgres:16-alpine
+    container_name: mc-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: mcserver
+      POSTGRES_USER: mcuser
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+      - ./migrations:/docker-entrypoint-initdb.d:ro
+      - ./backups:/backups
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U mcuser -d mcserver"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    expose:
+      - "5432"
+
+  watchtower:
+    image: containrrr/watchtower
+    container_name: mc-watchtower
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      WATCHTOWER_CLEANUP: "true"
+      WATCHTOWER_POLL_INTERVAL: 300
+      WATCHTOWER_LABEL_ENABLE: "true"
+
+volumes:
+  pgdata:
+    driver: local
+  cdn_files:
+    driver: local
+  caddy_data:
+    driver: local
+  caddy_config:
+    driver: local