feat(docker): bundle codex and claude CLIs, mount host agent auth

[chihsuan]

Context

The Docker setup shipped only the Elixir runtime, leaving agent CLI install + auth wiring to operators. Anyone trying Symphony in Docker had to build a derived image.

TL;DR

Bundle Codex and Claude Code CLIs into the Docker image and bind-mount host agent auth so the default compose flow just works.

Summary

• Dockerfile: install Node + @openai/codex and @anthropic-ai/claude-code at pinned versions; pre-create /workspace/{logs,state,workspaces,repos}.
• docker-compose.yml: replace symphony-codex-home / symphony-claude-home named volumes with bind mounts to host ~/.codex and ~/.claude (rw).
• docker-compose.yml: add read-only ~/.ssh mount; reference .env in the required-var error messages.
• README.md: rewrite around the "single image, both agents, host auth bind-mounted" model; drop derived-image / read-only-auth discussion.
• .gitignore: ignore /symphony.docker.yml alongside the existing local config.

Alternatives

• Keep the derived-image pattern. Rejected: forces every operator to repeat the same CLI install + auth wiring before the dashboard is usable.
• Keep named volumes for ~/.codex / ~/.claude and document seeding. Rejected: breaks host token refresh and forces a second login inside the container.
• Install only one agent CLI. Rejected: operators routinely switch between agent.kind: codex and agent.kind: claude and a single image keeps that a config edit, not a rebuild.

Test Plan

• make all
• docker compose -f docker/docker-compose.yml up --build boots with agent.kind: codex
• Same with agent.kind: claude
• Dashboard reachable at http://127.0.0.1:4000
• Host ~/.codex / ~/.claude token refresh works from inside the container
• docker compose down -v does not touch host ~/.codex / ~/.claude