Add deployment artifacts and rift config (Phase 13)

Dockerfiles for API server and web UI (multi-stage, alpine:3.21,
non-root mcr user). systemd units with security hardening. Idempotent
install script. Rift-specific config with MCIAS service token, TLS
paths, and Docker compose with loopback port bindings for mc-proxy
fronting (28443/29443/28080).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

PROGRESS.md

@@ -6,8 +6,8 @@ See `PROJECT_PLAN.md` for the implementation roadmap and
 
 ## Current State
 
-**Phase:** 12 complete, ready for Phase 13
-**Last updated:** 2026-03-19
+**Phase:** 13 complete
+**Last updated:** 2026-03-25
 
 ### Completed
 
@@ -31,7 +31,30 @@ See `PROJECT_PLAN.md` for the implementation roadmap and
 
 ### Next Steps
 
-1. Phase 13 (deployment artifacts)
+1. Deploy to rift (issue MCR service token, generate TLS cert, update mc-proxy routes)
+
+### 2026-03-25 — Phase 13: Deployment Artifacts
+
+**Task:** Create Dockerfiles, systemd units, install script, and rift deployment config.
+
+**Changes:**
+
+Step 13.1 — Dockerfiles:
+- `Dockerfile.api`: Multi-stage build for mcrsrv (golang:1.25-alpine → alpine:3.21,
+  non-root `mcr` user, ports 8443/9443, volume /srv/mcr)
+- `Dockerfile.web`: Multi-stage build for mcr-web (same pattern, port 8080)
+
+Step 13.2 — systemd units:
+- `deploy/systemd/mcr.service`: Registry server with full security hardening
+- `deploy/systemd/mcr-web.service`: Web UI with read-only /srv/mcr
+- `deploy/systemd/mcr-backup.service`: Oneshot snapshot + 30-day prune
+- `deploy/systemd/mcr-backup.timer`: Daily 02:00 UTC with 5-min jitter
+
+Step 13.3 — Install script and configs:
+- `deploy/scripts/install.sh`: Idempotent install (user, binaries, dirs, units)
+- `deploy/mcr-rift.toml`: Rift-specific config (MCIAS auth, TLS, storage paths)
+- `deploy/docker/docker-compose-rift.yml`: Docker compose for rift with
+  loopback port bindings (28443, 29443, 28080) for mc-proxy fronting
 
 ---