Align with engineering standards (steps 1-5)

- Rename dist/ -> deploy/ with subdirs examples/, scripts/,
  systemd/ per standard repository layout
- Update .gitignore: ignore all of dist/ (build output only)
- Makefile: all target is now vet->lint->test->build; add vet,
  proto-lint, devserver targets; CGO_ENABLED=0 for builds
  (modernc.org/sqlite is pure-Go, no C toolchain needed);
  CGO_ENABLED=1 retained for tests (race detector)
- Dockerfile: builder -> golang:1.26-alpine, runtime ->
  alpine:3.21; drop libc6 dep; add /srv/mcias/certs and
  /srv/mcias/backups to image
- deploy/systemd/mcias.service: add RestrictSUIDSGID=true
- deploy/systemd/mcias-backup.service: new oneshot backup unit
- deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter
- deploy/scripts/install.sh: install backup units and enable
  timer; create certs/ and backups/ subdirs in /srv/mcias
- buf.yaml: add proto linting config for proto-lint target
- internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO)
- cmd/mciasdb: add snapshot subcommand; no master key required
2026-03-16 20:26:43 -07:00
parent 446b3df52d
commit b0afe3b993
15 changed files with 293 additions and 62 deletions


@@ -1,7 +1,11 @@
# Dockerfile — MCIAS multi-stage container image
#
# Stage 1 (builder): Compiles all four MCIAS binaries.
# Stage 2 (runtime): Minimal Debian image containing only the binaries.
# Stage 2 (runtime): Minimal Alpine image containing only the binaries.
#
# modernc.org/sqlite is a pure-Go, CGo-free SQLite port. CGO_ENABLED=0
# produces fully static binaries with no C library dependencies, which
# deploy cleanly onto a minimal Alpine runtime image.
#
# The final image:
# - Runs as non-root uid 10001 (mcias)
@@ -24,7 +28,7 @@
# ---------------------------------------------------------------------------
# Stage 1 — builder
# ---------------------------------------------------------------------------
FROM golang:1.26-bookworm AS builder
FROM golang:1.26-alpine AS builder
WORKDIR /build
@@ -35,35 +39,29 @@ RUN go mod download
# Copy source.
COPY . .
# CGO_ENABLED=1 is required by modernc.org/sqlite (pure-Go CGo-free SQLite).
# CGO_ENABLED=0: modernc.org/sqlite is pure Go; no C toolchain required.
# -trimpath removes local file system paths from the binary.
# -ldflags="-s -w" strips the DWARF debug info and symbol table to reduce
# image size.
RUN CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /out/mciassrv ./cmd/mciassrv && \
CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /out/mciasctl ./cmd/mciasctl && \
CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /out/mciasdb ./cmd/mciasdb && \
CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /out/mciasgrpcctl ./cmd/mciasgrpcctl
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/mciassrv ./cmd/mciassrv && \
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/mciasctl ./cmd/mciasctl && \
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/mciasdb ./cmd/mciasdb && \
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/mciasgrpcctl ./cmd/mciasgrpcctl
# ---------------------------------------------------------------------------
# Stage 2 — runtime
# ---------------------------------------------------------------------------
FROM debian:bookworm-slim
FROM alpine:3.21
# Install runtime dependencies.
# ca-certificates: required to validate external TLS certificates.
# libc6: required by CGo-compiled binaries (sqlite).
RUN apt-get update && \
apt-get install -y --no-install-recommends \
ca-certificates \
libc6 && \
rm -rf /var/lib/apt/lists/*
RUN apk add --no-cache ca-certificates
# Create a non-root user for the service.
# uid/gid 10001 is chosen to be well above the range typically assigned to
# system users (1999) and human users (1000+), reducing the chance of
# collision with existing uids on the host when using host networking.
RUN groupadd --gid 10001 mcias && \
useradd --uid 10001 --gid 10001 --no-create-home --shell /usr/sbin/nologin mcias
RUN addgroup -g 10001 mcias && \
adduser -u 10001 -G mcias -H -s /sbin/nologin -D mcias
# Copy compiled binaries from the builder stage.
COPY --from=builder /out/mciassrv /usr/local/bin/mciassrv
@@ -73,8 +71,8 @@ COPY --from=builder /out/mciasgrpcctl /usr/local/bin/mciasgrpcctl
# Create the data directory.
# /srv/mcias is mounted from the host with config, TLS certs, and database.
RUN mkdir -p /srv/mcias && \
chown mcias:mcias /srv/mcias && \
RUN mkdir -p /srv/mcias/certs /srv/mcias/backups && \
chown -R mcias:mcias /srv/mcias && \
chmod 0750 /srv/mcias
# Declare /srv/mcias as a volume so the operator must explicitly mount it.
@@ -92,6 +90,6 @@ USER mcias
# Default entry point and config path.
# The operator mounts /srv/mcias from the host containing mcias.toml,
# TLS cert/key, and the SQLite database.
# See dist/mcias.conf.docker.example for a suitable template.
# See deploy/examples/mcias.conf.docker.example for a suitable template.
ENTRYPOINT ["mciassrv"]
CMD ["-config", "/srv/mcias/mcias.toml"]
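Review bot: The runtime stage's new `RUN apk add --no-cache ca-certificates` in the second hunk installs the only runtime package unpinned, so the CA bundle that every outbound TLS validation depends on changes silently between builds of the same commit (hadolint DL3018); the Debian version it replaces had the same gap, but the switch to apk is the moment to close it with `RUN apk add --no-cache ca-certificates=<pinned apk version>`. For the same reason the new `FROM alpine:3.21` (and `FROM golang:1.26-alpine` in the builder) would benefit from a digest pin, e.g. `FROM alpine:3.21@sha256:<digest>`, so a rebuild is reproducible rather than tracking whatever the tag points at. As a smaller point of style in the builder hunk, the four `CGO_ENABLED=0 go build …` invocations differ only in the package path, and `go build` accepts several main packages with `-o /out/`, so the step could be one command. The rest of the builder stage (`go mod download` and the module copy) lies outside the visible hunks.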