chore: optimize Docker image and publish latest tag on release

[jrhuerta]

Summary

• Multi-stage Docker build with venv isolation — strips pip, setuptools, and build artifacts from the final image (213MB → 183MB, ~14% reduction)
• Trim production dependencies — change mcp[cli] to mcp since the server uses stdio transport, not the CLI tools. Drops pygments (9.2MB), rich (2.9MB), typer, click, etc. mcp[cli] moved to dev extras
• Add .dockerignore — excludes tests, docs, .git, .env from build context
• Publish latest tag — CI now pushes both the version tag and latest on GitHub Release
• Update docs — README and AGENTS.md reference :latest instead of hardcoded version tags

Test plan

• Built optimized image locally and verified all 3 MCP tools work end-to-end
• Verified security controls: DROP blocked, SELECT * blocked (strict policy), non-policy table blocked
• Verified published v0.1.0 GHCR image works end-to-end (prior to these changes)
• CI passes (lint, type check, tests, Docker build)
• Next release should push both v* and latest tags to GHCR