launch hardening: TC bit, Dockerfile, platform-aware deploy

- Set TC (truncation) bit when response exceeds 4096-byte buffer
  instead of dropping the response silently. Clients can retry via TCP.
- Log when upstream response is truncated in forward.rs.
- Dockerfile: bump to Rust 1.88, include site/service files, use
  alpine runtime instead of scratch, add cmake/perl for aws-lc-sys.
- Makefile deploy: platform-aware — codesign on macOS, systemctl on Linux.
- README: trim roadmap to near-term items only.
- Verified: Docker build + smoke test passes on Linux (Alpine musl).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Dockerfile

@@ -1,15 +1,17 @@
-FROM rust:1.85-alpine AS builder
-RUN apk add --no-cache musl-dev
+FROM rust:1.88-alpine AS builder
+RUN apk add --no-cache musl-dev cmake make perl
 WORKDIR /app
 COPY Cargo.toml Cargo.lock ./
 RUN mkdir src && echo 'fn main() {}' > src/main.rs && echo '' > src/lib.rs
 RUN cargo build --release 2>/dev/null || true
 RUN rm -rf src
 COPY src/ src/
+COPY site/ site/
+COPY numa.toml com.numa.dns.plist numa.service ./
 RUN touch src/main.rs src/lib.rs
 RUN cargo build --release
 
-FROM scratch
-COPY --from=builder /app/target/release/numa /numa
-EXPOSE 53/udp 5380/tcp
-ENTRYPOINT ["/numa"]
+FROM alpine:3.20
+COPY --from=builder /app/target/release/numa /usr/local/bin/numa
+EXPOSE 53/udp 80/tcp 443/tcp 5380/tcp
+ENTRYPOINT ["numa"]