feat: add Docker containerization with multi-stage build

Includes .dockerignore, Dockerfile with cargo-chef caching, and Justfile commands for building/running containerized app. Updates console-logger to support both JSON and pretty-printed logs based on LOG_JSON env var.

Dockerfile

@@ -0,0 +1,135 @@
+# ========== Stage 1: Cargo Chef Base ==========
+FROM rust:1.91-alpine AS chef
+WORKDIR /build
+
+RUN apk add --no-cache musl-dev pkgconfig openssl-dev openssl-libs-static && \
+    cargo install cargo-chef --locked
+
+# ========== Stage 2: Recipe Planner ==========
+FROM chef AS planner
+
+COPY Cargo.toml Cargo.lock ./
+COPY src/ ./src/
+
+RUN cargo chef prepare --recipe-path recipe.json
+
+# ========== Stage 3: Rust Builder ==========
+FROM chef AS builder
+
+# Cook dependencies (cached until Cargo.toml/Cargo.lock change)
+COPY --from=planner /build/recipe.json recipe.json
+RUN cargo chef cook --release --recipe-path recipe.json
+
+# Copy source and build
+COPY Cargo.toml Cargo.lock ./
+COPY src/ ./src/
+
+# Create placeholder for embedded assets (will be replaced in final build)
+RUN mkdir -p web/build/client && \
+    echo "placeholder" > web/build/client/.gitkeep
+
+RUN cargo build --release && \
+    strip target/release/api
+
+# ========== Stage 4: Frontend Builder ==========
+FROM oven/bun:1 AS frontend
+WORKDIR /build
+
+# Install dependencies (cached until package.json/bun.lock change)
+COPY web/package.json web/bun.lock ./
+RUN bun install --frozen-lockfile
+
+# Build frontend
+COPY web/ ./
+RUN bun run build
+
+# ========== Stage 5: Final Rust Build (with embedded assets) ==========
+FROM chef AS final-builder
+
+# Cook dependencies (cached from earlier)
+COPY --from=planner /build/recipe.json recipe.json
+RUN cargo chef cook --release --recipe-path recipe.json
+
+# Copy source
+COPY Cargo.toml Cargo.lock ./
+COPY src/ ./src/
+
+# Copy frontend client assets for embedding
+COPY --from=frontend /build/build/client ./web/build/client
+
+# Build with real assets
+RUN cargo build --release && \
+    strip target/release/api
+
+# ========== Stage 6: Runtime ==========
+FROM oven/bun:1-alpine AS runtime
+WORKDIR /app
+
+# Install runtime dependencies
+RUN apk add --no-cache ca-certificates tzdata
+
+# Copy Rust binary
+COPY --from=final-builder /build/target/release/api ./api
+
+# Copy Bun SSR server
+COPY --from=frontend /build/build/server ./web/build/server
+COPY --from=frontend /build/build/*.js ./web/build/
+COPY web/console-logger.js ./web/
+
+# Create inline entrypoint script
+RUN cat > /entrypoint.sh << 'EOF'
+#!/bin/sh
+set -e
+
+cleanup() {
+    kill "$BUN_PID" "$RUST_PID" 2>/dev/null || true
+    rm -f /tmp/api.sock /tmp/bun.sock
+    exit 0
+}
+trap cleanup SIGTERM SIGINT
+
+# Start Bun SSR (propagate LOG_JSON to Bun process)
+cd /app/web/build
+SOCKET_PATH=/tmp/bun.sock LOG_JSON="${LOG_JSON}" bun --preload /app/web/console-logger.js index.js &
+BUN_PID=$!
+
+# Wait for Bun socket
+timeout=50
+while [ ! -S /tmp/bun.sock ] && [ $timeout -gt 0 ]; do
+    sleep 0.1
+    timeout=$((timeout - 1))
+done
+
+if [ ! -S /tmp/bun.sock ]; then
+    echo "ERROR: Bun failed to create socket within 5s"
+    exit 1
+fi
+
+# Start Rust server
+# Note: [::] binds to both IPv4 and IPv6 on Linux
+/app/api \
+    --listen "[::]:${PORT:-8080}" \
+    --listen /tmp/api.sock \
+    --downstream /tmp/bun.sock &
+RUST_PID=$!
+
+# Wait for either process to exit
+wait -n "$BUN_PID" "$RUST_PID" 2>/dev/null || wait "$BUN_PID" "$RUST_PID"
+cleanup
+EOF
+RUN chmod +x /entrypoint.sh
+
+# Environment configuration
+# RUST_LOG - optional, overrides LOG_LEVEL with full tracing filter syntax
+# LOG_JSON - defaults to true in Docker, false outside
+ENV PORT=8080 \
+    LOG_LEVEL=info \
+    LOG_JSON=true \
+    TZ=Etc/UTC
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget -q --spider http://localhost:${PORT}/api/health || exit 1
+
+ENTRYPOINT ["/entrypoint.sh"]