chore(deploy): production Dockerfiles for broker + web + env template

- apps/broker/Dockerfile: oven/bun 1.2-slim runtime, multi-stage, pnpm deps,
  non-root bun user, GIT_SHA build-arg, /health-based HEALTHCHECK, port 7900
- apps/web/Dockerfile: Next.js 15 standalone, multi-stage, non-root nextjs
  user, NEXT_PUBLIC_* baked as build args, port 3000
- .env.production.template: DATABASE_URL, BetterAuth, OAuth, broker caps;
  no secrets
- Build context: repo root (pnpm workspace needs root pnpm-lock.yaml +
  pnpm-workspace.yaml); build with -f apps/{broker,web}/Dockerfile .

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.env.production.template

@@ -0,0 +1,30 @@
+# claudemesh — production env template
+# Copy to .env.production and fill in real values. NEVER commit .env.production.
+# Generate secrets with: openssl rand -base64 32
+
+# ── Database (managed by Coolify or external) ────────────────────────────────
+DATABASE_URL=postgres://claudemesh:CHANGE_ME@db:5432/claudemesh
+
+# ── Broker ───────────────────────────────────────────────────────────────────
+BROKER_PORT=7900
+STATUS_TTL_SECONDS=60
+HOOK_FRESH_WINDOW_SECONDS=30
+# Hardening caps (see apps/broker/DEPLOY_SPEC.md)
+MAX_CONNECTIONS_PER_MESH=100
+MAX_MESSAGE_BYTES=65536
+HOOK_RATE_LIMIT_PER_MIN=30
+
+# ── Auth (BetterAuth) ────────────────────────────────────────────────────────
+BETTER_AUTH_SECRET=CHANGE_ME_openssl_rand_base64_32
+BETTER_AUTH_URL=https://claudemesh.com
+BETTER_AUTH_TRUSTED_ORIGINS=https://claudemesh.com,https://dashboard.claudemesh.com,https://ic.claudemesh.com
+
+# ── OAuth providers ──────────────────────────────────────────────────────────
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# ── Image refs (set by CI/CD after docker push) ──────────────────────────────
+BROKER_IMAGE=registry.claudemesh.com/claudemesh/broker:latest
+WEB_IMAGE=registry.claudemesh.com/claudemesh/web:latest