Add Docker CI rollout baseline

[ohmyfelix]

What changed

• Added the standard Dockette Docker workflow with Test, Build, and Docs jobs.
• Added Makefile build, test, and run targets with dry-run shell/config smoke checks only.
• Normalized README badges to the dockette/copybara style and added repo-local AGENTS/CLAUDE instructions.

Why

• Establishes the Dockette CI rollout baseline for dockette/letsencrypt without making real ACME or Let's Encrypt calls in CI.

[f3l1x]

Suggested change: run CI on PRs, but keep publish strictly master-only

Right now this workflow has no pull_request trigger, so the Test job never validates the PR — and the publish (Build) job calls the reusable workflow with secrets: inherit with no master guard. Adding pull_request without guarding the publish job would expose registry secrets on every PR.

Two changes fix both:

 on:
   workflow_dispatch:
+
+  pull_request:

   push:
     branches: ["master"]
@@
   build:
     name: "Build"
     needs: ["test"]
+    if: github.ref == 'refs/heads/master'
     uses: dockette/.github/.github/workflows/docker.yml@master
     secrets: inherit

Result: a PR runs only the Test job (builds the image locally with load: true, runs make test, no secrets); Build (publish) and Docs run only on master. This matches the canonical shape already used in dockette/mockbin#2 and dockette/perl#2.