#13953: feat(docker): add .env template and improve Dockerfile

by n24q02m open 2026-02-11 08:05
docker
## Summary

Improves Docker deployment experience with a documented .env template and Dockerfile hardening.

### Changes

#### docker-compose.env.example (NEW)

- Complete .env template with all Docker Compose variables
- Documented defaults and explanations for each variable
- Covers: gateway config, data dirs, image selection, browser sidecar, AI provider keys

#### Dockerfile improvements

- **Security**: Replace `curl | bash` Bun installer with pinned version downloaded from GitHub releases (addresses #9479)
- **Orchestration**: Add `HEALTHCHECK` instruction so container runtimes can monitor gateway health
- Pin Bun to v1.2.4 via `BUN_VERSION` build arg for reproducible builds

### Motivation

Lowers the barrier to Docker deployment. New users can copy the .env template and get started without reading source code.

Related to #6900 (Docker support improvements).

### Testing

- `docker compose config` validates with the .env template
- Dockerfile builds successfully on amd64

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

Adds a comprehensive `.env` template (`docker-compose.env.example`) documenting all Docker Compose configuration variables and hardens the Dockerfile by replacing the insecure `curl | bash` Bun installer with a pinned release download. Also adds a `HEALTHCHECK` instruction for container orchestration monitoring.

**Key improvements:**

- **Security**: Replaces `curl | bash` pattern with explicit Bun v1.2.4 download from GitHub releases (addresses security concern #9479)
- **Usability**: New `.env` template provides clear documentation for gateway config, data directories, image selection, browser sidecar, and AI provider keys
- **Reliability**: Pinned Bun version via `BUN_VERSION` build arg ensures reproducible builds
- **Observability**: `HEALTHCHECK` allows container runtimes to monitor gateway health

**Note**: The browser sidecar env vars in `docker-compose.env.example` are documented but not referenced in `docker-compose.yml` - these appear to be passed to browser containers spawned by the gateway at runtime rather than docker-compose services.

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk
- The changes are well-scoped improvements to Docker deployment: removing a security anti-pattern (curl pipe to bash), adding useful documentation, and improving container health monitoring. The Bun installation is now deterministic and verifiable. The .env template is purely documentation. One minor suggestion about healthcheck port configurability doesn't affect functionality.
- No files require special attention
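The installer change described in this PR, sketched as an added example that is not the PR's own Dockerfile: the `curl | bash` step is shown commented out beside a pinned release download. The base image, the release URL layout, the install path and the `BUN_SHA256` build arg (a checksum gate the PR description does not mention) are assumptions.

```dockerfile
# Added illustration, not the project's Dockerfile.
# Assumed: Debian base image, amd64 target, upstream release asset naming.
FROM debian:bookworm-slim

# Before: the build executes whatever the install endpoint serves at build
# time, as root, with no version pin and no integrity check.
# RUN curl -fsSL https://bun.sh/install | bash

# After: the version is a build arg (name and default taken from the PR).
ARG BUN_VERSION=1.2.4

# Hypothetical extra build arg: SHA-256 of the release archive.
# No default on purpose, so a build without a digest fails closed.
# Supply it with: docker build --build-arg BUN_SHA256=<digest-of-archive> .
ARG BUN_SHA256=""

RUN set -eu; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl unzip; \
    rm -rf /var/lib/apt/lists/*; \
    test -n "${BUN_SHA256}" || { echo "BUN_SHA256 build arg is required" >&2; exit 1; }; \
    curl -fsSL -o /tmp/bun.zip \
      "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip"; \
    echo "${BUN_SHA256}  /tmp/bun.zip" | sha256sum -c -; \
    unzip -q /tmp/bun.zip -d /tmp; \
    install -m 0755 /tmp/bun-linux-x64/bun /usr/local/bin/bun; \
    rm -rf /tmp/bun.zip /tmp/bun-linux-x64; \
    bun --version
```

A version pin alone makes the build reproducible only as long as the release asset is never replaced; the digest check is what turns a changed archive into a failed build.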