
fix: add .dockerignore to api/ui build contexts (SEC_REVIEW F19)

Without a .dockerignore, `COPY . ./` in both Dockerfiles bakes
everything in the build context — including any future `.env` /
`.env.local`, `tests/` (with fixtures), dev-tooling caches, and the
host `vendor/` (which silently clobbers the deps-stage vendor copied
from `--from=deps`).

Add explicit deny lists at api/.dockerignore and ui/.dockerignore.
Things that ARE needed at runtime stay in the context: src/, public/,
config/, db/migrations/, db/seeds/, bin/console, openapi.php,
docker/, composer.json, composer.lock; ui/ also keeps resources/
(twig views), package.json/package-lock.json,
tailwind.config.js/postcss.config.js (consumed by the assets stage).

Verification: rebuilt both images; verified excluded paths are
absent from the final image and required paths are present; api
phpunit suite is 429/430 (the lone failure is the timing-sensitive
BlocklistPerfTest perf-budget assertion, unrelated); ui phpunit is
134/134.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 5 days ago
parent
commit
96eaa10c78
2 changed files with 95 additions and 0 deletions
  1. 47 0
      api/.dockerignore
  2. 48 0
      ui/.dockerignore

+ 47 - 0
api/.dockerignore

@@ -0,0 +1,47 @@
+# SEC_REVIEW F19: explicit allow/deny for the api build context.
+# `Dockerfile` does `COPY . ./` for the runtime stage, so anything
+# not listed here is baked into the image.
+
+# Secrets — block any future `.env` / `.env.local` dropped in this
+# directory from silently shipping in the image. Compose loads `.env`
+# from the repo root, not from `api/`, so nothing here is needed.
+.env
+.env.*
+
+# Version control
+.git
+.gitignore
+.gitattributes
+
+# Editor / IDE noise
+.idea/
+.vscode/
+*.swp
+*~
+.DS_Store
+
+# Tests and dev tooling — not needed at runtime, and `tests/` may hold
+# fixtures that double as LFI targets.
+tests/
+.phpunit.cache/
+.phpunit.result.cache
+.phpstan.cache/
+.php-cs-fixer.cache
+.php-cs-fixer.dist.php
+phpstan.neon
+phpunit.xml
+
+# Host vendor/ — the deps stage installs a clean vendor and copies it
+# in via `COPY --from=deps`; leaving the host vendor in the context
+# would let the subsequent `COPY . ./` clobber the deps-stage tree.
+vendor/
+
+# Project metadata and docs — not consumed by the runtime.
+CHANGELOG.md
+
+# Build artifacts that don't belong in the runtime image.
+.dockerignore
+Dockerfile
+
+# Claude Code session state
+.claude/
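Review bot: the single-segment patterns here only match at the root of the build context, so `.env`, `.env.*`, `*.swp`, `*~` and `.DS_Store` leave a `src/.env` or an editor swap file under `src/` or `config/` in place for `COPY . ./` to pick up. .dockerignore uses Go `filepath.Match` semantics, and only the `**` wildcard spans directories; prefix the file-name patterns with `**/` (e.g. `**/.env`, `**/.env.*`, `**/*.swp`, `**/.DS_Store`) so they apply at any depth, which is what the "block any future `.env`" comment intends. The directory entries (`tests/`, `vendor/`, `.idea/`, `.vscode/`) are fine as written since they name top-level directories and Docker excludes their contents with them.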

+ 48 - 0
ui/.dockerignore

@@ -0,0 +1,48 @@
+# SEC_REVIEW F19: explicit allow/deny for the ui build context.
+# `Dockerfile` does `COPY . ./` for the runtime stage, so anything
+# not listed here is baked into the image.
+
+# Secrets — block any future `.env` / `.env.local` dropped in this
+# directory from silently shipping in the image. Compose loads `.env`
+# from the repo root, not from `ui/`, so nothing here is needed.
+.env
+.env.*
+
+# Version control
+.git
+.gitignore
+.gitattributes
+
+# Editor / IDE noise
+.idea/
+.vscode/
+*.swp
+*~
+.DS_Store
+
+# Tests and dev tooling — not needed at runtime, and `tests/` may hold
+# fixtures that double as LFI targets.
+tests/
+.phpunit.cache/
+.phpunit.result.cache
+.phpstan.cache/
+.php-cs-fixer.cache
+.php-cs-fixer.dist.php
+phpstan.neon
+phpunit.xml
+
+# Dependencies — the deps / assets stages install clean trees and
+# copy them in via `COPY --from=...`; leaving the host versions in
+# the context would let the subsequent `COPY . ./` clobber them.
+vendor/
+node_modules/
+
+# Project metadata and docs — not consumed by the runtime.
+CHANGELOG.md
+
+# Build artifacts that don't belong in the runtime image.
+.dockerignore
+Dockerfile
+
+# Claude Code session state
+.claude/
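Review bot: the header comment calls this an "explicit allow/deny" for the build context, but the file is deny-only, so any file nobody anticipated (a stray `*.sql` dump, coverage output, a key file dropped into `ui/`) is still baked in by `COPY . ./`, and the same goes for a `.env` or `*.swp` below the top level, since patterns without a `**/` prefix only match at the context root. The commit message already enumerates what the runtime and assets stages need (src/, public/, config/, resources/, composer.json, composer.lock, package.json, package-lock.json, tailwind.config.js, postcss.config.js, and so on), so consider inverting this to an allowlist: `*` on the first line followed by `!src/`, `!public/`, `!resources/` and the rest. That fails closed for new files, makes the comment accurate, and removes the need to keep the `tests/` / cache / `Dockerfile` entries in sync with the api copy.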