feat: add production container support with health check endpoint

Implements Phase 5 containerization specification:
- Add /health endpoint for container monitoring
- Create multi-stage Containerfile (Podman/Docker compatible)
- Add compose.yaml for orchestration
- Add Caddyfile.example for reverse proxy (auto-HTTPS)
- Add nginx.conf.example as alternative
- Update .env.example with container and RSS feed variables
- Add gunicorn WSGI server to requirements.txt

Container features:
- Multi-stage build for smaller image size
- Non-root user (starpunk:1000)
- Health check with database connectivity test
- Volume mount for data persistence
- Resource limits and logging configuration
- Security headers and HTTPS configuration examples

Health check endpoint:
- Tests database connectivity
- Verifies filesystem access
- Returns JSON with status, version, and environment

Following Phase 5 design in docs/designs/phase-5-rss-and-container.md

Caddyfile.example

@@ -0,0 +1,96 @@
+# Caddyfile for StarPunk Reverse Proxy
+# Caddy automatically handles HTTPS with Let's Encrypt
+#
+# Installation:
+#   1. Install Caddy: https://caddyserver.com/docs/install
+#   2. Copy this file: cp Caddyfile.example Caddyfile
+#   3. Update your-domain.com to your actual domain
+#   4. Run: caddy run --config Caddyfile
+#
+# Systemd service:
+#   sudo systemctl enable --now caddy
+
+# Replace with your actual domain
+your-domain.com {
+    # Reverse proxy to StarPunk container
+    # Container must be running on localhost:8000
+    reverse_proxy localhost:8000
+
+    # Logging
+    log {
+        output file /var/log/caddy/starpunk.log {
+            roll_size 10MiB
+            roll_keep 10
+        }
+        format console
+    }
+
+    # Security headers
+    header {
+        # Remove server identification
+        -Server
+
+        # HSTS - force HTTPS for 1 year
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+        # Prevent MIME type sniffing
+        X-Content-Type-Options "nosniff"
+
+        # Prevent clickjacking
+        X-Frame-Options "DENY"
+
+        # XSS protection (legacy browsers)
+        X-XSS-Protection "1; mode=block"
+
+        # Referrer policy
+        Referrer-Policy "strict-origin-when-cross-origin"
+
+        # Content Security Policy (adjust as needed)
+        Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
+    }
+
+    # Compression
+    encode gzip zstd
+
+    # Static file caching
+    @static {
+        path /static/*
+    }
+    header @static {
+        Cache-Control "public, max-age=31536000, immutable"
+    }
+
+    # RSS feed caching
+    @feed {
+        path /feed.xml
+    }
+    header @feed {
+        Cache-Control "public, max-age=300"
+    }
+
+    # API routes (no caching)
+    @api {
+        path /api/*
+    }
+    header @api {
+        Cache-Control "no-store, no-cache, must-revalidate"
+    }
+
+    # Health check endpoint (monitoring systems)
+    @health {
+        path /health
+    }
+    header @health {
+        Cache-Control "no-store, no-cache, must-revalidate"
+    }
+}
+
+# Optional: Redirect www to non-www
+# www.your-domain.com {
+#     redir https://your-domain.com{uri} permanent
+# }
+
+# Optional: Multiple domains
+# another-domain.com {
+#     reverse_proxy localhost:8000
+# }