feat: one-click cloud deployment — Caddy HTTPS, Ollama, systemd, cloud-init

Add complete production deployment stack so Timmy can be deployed to any
cloud provider (DigitalOcean, AWS, Hetzner, etc.) with a single command.

New files:
- docker-compose.prod.yml: production stack (Caddy auto-HTTPS, Ollama LLM,
  Dashboard, Timmy agent, Watchtower auto-updates)
- deploy/Caddyfile: reverse proxy with security headers and WebSocket support
- deploy/setup.sh: interactive one-click setup script for any Ubuntu/Debian server
- deploy/cloud-init.yaml: paste as User Data when creating a cloud VM
- deploy/timmy.service: systemd unit for auto-start on boot
- deploy/digitalocean/create-droplet.sh: create a DO droplet via doctl CLI

Updated:
- Dockerfile: non-root user, healthcheck, missing deps (GitPython, moviepy, redis)
- Makefile: cloud-deploy, cloud-up/down/logs/status/update/scale targets
- .env.example: DOMAIN setting for HTTPS
- .dockerignore: exclude deploy configs from image

https://claude.ai/code/session_018CduUZoEJzFynBwMsxaP8T

deploy/Caddyfile

@@ -0,0 +1,36 @@
+# ── Timmy Time — Caddy Reverse Proxy ─────────────────────────────────────────
+#
+# Automatic HTTPS via Let's Encrypt.
+# Set DOMAIN env var or replace {$DOMAIN} below.
+#
+# For local/IP-only access (no domain), Caddy serves on :80 without TLS.
+
+{$DOMAIN:localhost} {
+	# Reverse proxy to the FastAPI dashboard
+	reverse_proxy dashboard:8000
+
+	# WebSocket support (swarm live updates)
+	@websocket {
+		header Connection *Upgrade*
+		header Upgrade websocket
+	}
+	reverse_proxy @websocket dashboard:8000
+
+	# Security headers
+	header {
+		X-Content-Type-Options nosniff
+		X-Frame-Options SAMEORIGIN
+		Referrer-Policy strict-origin-when-cross-origin
+		X-XSS-Protection "1; mode=block"
+		-Server
+	}
+
+	# Gzip compression
+	encode gzip zstd
+
+	# Access logging
+	log {
+		output stdout
+		format console
+	}
+}