launch hardening: TC bit, Dockerfile, platform-aware deploy

- Set TC (truncation) bit when response exceeds 4096-byte buffer
  instead of dropping the response silently. Clients can retry via TCP.
- Log when upstream response is truncated in forward.rs.
- Dockerfile: bump to Rust 1.88, include site/service files, use
  alpine runtime instead of scratch, add cmake/perl for aws-lc-sys.
- Makefile deploy: platform-aware — codesign on macOS, systemctl on Linux.
- README: trim roadmap to near-term items only.
- Verified: Docker build + smoke test passes on Linux (Alpine musl).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/forward.rs

@@ -21,7 +21,11 @@ pub async fn forward_query(
     socket.send_to(send_buffer.filled(), upstream).await?;
 
     let mut recv_buffer = BytePacketBuffer::new();
-    timeout(timeout_duration, socket.recv_from(&mut recv_buffer.buf)).await??;
+    let (size, _) = timeout(timeout_duration, socket.recv_from(&mut recv_buffer.buf)).await??;
+
+    if size >= recv_buffer.buf.len() {
+        log::debug!("upstream response truncated ({} bytes, buffer {})", size, recv_buffer.buf.len());
+    }
 
     DnsPacket::from_buffer(&mut recv_buffer)
 }