feat(mcp-docugen): scaffold service + Docker stack con gateway Caddy

Task 0 del piano (adattato a workspace uv):
- services/mcp-docugen/: pyproject.toml, src/mcp_docugen/, tests/unit+integration/,
  README, .env.example. Package rinominato da docugen_mcp -> mcp_docugen.
- Root pyproject.toml: aggiunto services/mcp-docugen a workspace members.
- .python-version: 3.11
- uv.lock committato.

Docker stack stile CerberoSuite/Cerbero con prefisso "arca-":
- docker/base.Dockerfile -> arca-base:latest
- docker/mcp-docugen.Dockerfile -> arca-mcp-docugen:dev (porta interna 9100,
  label arca.service, runtime multi-stage, user non-root, healthcheck)
- docker-compose.yml root: gateway Caddy unica porta host (8080) + mcp-docugen
  su rete interna. Security defaults cap_drop ALL, no-new-privileges, read_only
  ove applicabile, restart unless-stopped.
- gateway/Caddyfile: reverse proxy /mcp-docugen/* -> mcp-docugen:9100 + landing.
- gateway/public/index.html: landing page minimale.

.env.example root aggiornato con DOCUGEN_API_KEY + OPENROUTER_API_KEY condivisa.

Task 1-12 (implementazione TDD effettiva) ancora da fare.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.yml

@@ -0,0 +1,58 @@
+networks:
+  internal:
+    driver: bridge
+
+volumes:
+  docugen-data:
+  caddy-data:
+  caddy-config:
+
+x-common-security: &common-security
+  cap_drop: [ALL]
+  security_opt:
+    - no-new-privileges:true
+  restart: unless-stopped
+  networks: [internal]
+
+services:
+
+  # ========================================================
+  # GATEWAY — unica porta host, reverse proxy + landing page
+  # ========================================================
+  gateway:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    networks: [internal]
+    security_opt:
+      - no-new-privileges:true
+    ports: ["${GATEWAY_PORT:-8080}:8080"]
+    volumes:
+      - ./gateway/Caddyfile:/etc/caddy/Caddyfile:ro
+      - ./gateway/public:/srv:ro
+      - caddy-data:/data
+      - caddy-config:/config
+    depends_on:
+      mcp-docugen: { condition: service_healthy }
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:8080/"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+
+  # ========================================================
+  # MCP — accessibili solo via gateway (nessuna porta host)
+  # ========================================================
+  mcp-docugen:
+    image: arca-mcp-docugen:dev
+    build:
+      context: .
+      dockerfile: docker/mcp-docugen.Dockerfile
+    <<: *common-security
+    user: "1000:1000"
+    environment:
+      API_KEY: ${DOCUGEN_API_KEY}
+      OPENROUTER_API_KEY: ${OPENROUTER_API_KEY}
+      PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-http://localhost:8080/mcp-docugen}
+      DATA_DIR: /data
+    volumes:
+      - docugen-data:/data