fix(docker): use multi-stage build to remove build-essential from runtime image (#1846)

* fix(docker): use multi-stage build to remove build-essential from runtime image

The build-essential toolchain (~200 MB) was only needed for compiling
native Python extensions during `uv sync` but remained in the final
image, increasing size and attack surface. Split the Dockerfile into
a builder stage (with build-essential) and a clean runtime stage that
copies only the compiled artifacts, Node.js, Docker CLI, and uv.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(docker): add dev stage and pin docker:cli per review feedback

Address Copilot review comments:
- Add a `dev` build stage (FROM builder) that retains build-essential
  so startup-time `uv sync` in dev containers can compile from source
- Update docker-compose-dev.yaml to use `target: dev` for gateway and
  langgraph services
- Keep the clean runtime stage (no build-essential) as the default
  final stage for production builds

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

docker/docker-compose-dev.yaml

@@ -113,6 +113,7 @@ services:
     build:
       context: ../
       dockerfile: backend/Dockerfile
+      target: dev
       # cache_from disabled - requires manual setup: mkdir -p /tmp/docker-cache-gateway
       args:
         APT_MIRROR: ${APT_MIRROR:-}
@@ -169,6 +170,7 @@ services:
     build:
       context: ../
       dockerfile: backend/Dockerfile
+      target: dev
       # cache_from disabled - requires manual setup: mkdir -p /tmp/docker-cache-langgraph
       args:
         APT_MIRROR: ${APT_MIRROR:-}