launch hardening: TC bit, Dockerfile, platform-aware deploy

- Set TC (truncation) bit when response exceeds 4096-byte buffer
  instead of dropping the response silently. Clients can retry via TCP.
- Log when upstream response is truncated in forward.rs.
- Dockerfile: bump to Rust 1.88, include site/service files, use
  alpine runtime instead of scratch, add cmake/perl for aws-lc-sys.
- Makefile deploy: platform-aware — codesign on macOS, systemctl on Linux.
- README: trim roadmap to near-term items only.
- Verified: Docker build + smoke test passes on Linux (Alpine musl).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Makefile

@@ -22,7 +22,11 @@ clean:
 deploy:
 	cargo build --release
 	sudo cp target/release/numa /usr/local/bin/numa
+ifeq ($(shell uname -s),Darwin)
 	sudo codesign -f -s - /usr/local/bin/numa
 	sudo kill $$(pgrep -f /usr/local/bin/numa) 2>/dev/null || true
+else
+	sudo systemctl restart numa 2>/dev/null || sudo kill $$(pgrep -f /usr/local/bin/numa) 2>/dev/null || true
+endif
 	@sleep 1
 	@dig @127.0.0.1 google.com +short +time=3 > /dev/null && echo "Service restarted successfully" || echo "Warning: DNS not responding yet"