refactor(docker): migrate both images to Alpine

Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21.
Switch package management from apt to apk (--no-cache, no cleanup layer).
Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use
squid user (Alpine convention) and /var/cache/squid cache path.
Fix proxy/Dockerfile COPY path now that context is proxy/. Move
webui-entrypoint.sh into claude/ to match its build context. Fix
docker-compose.yml webui context to claude/, update proxy tmpfs path.

proxy/Dockerfile

@@ -0,0 +1,19 @@
+FROM alpine:3.21
+
+# squid: proxy. netcat-openbsd: health check
+RUN apk add --no-cache squid netcat-openbsd
+
+# squid user is created by the package (apk add squid)
+RUN mkdir -p /var/cache/squid /var/log/squid \
+    && chown -R squid:squid /var/cache/squid /var/log/squid /etc/squid
+
+COPY --chown=squid:squid squid.conf /etc/squid/squid.conf
+
+USER squid
+
+EXPOSE 3128
+
+HEALTHCHECK --interval=10s --timeout=5s --retries=3 \
+    CMD nc -z 127.0.0.1 3128 || exit 1
+
+CMD ["squid", "-N", "-f", "/etc/squid/squid.conf"]

proxy/squid.conf

@@ -14,7 +14,7 @@ cache_store_log none
 
 # ─── No disk cache ────────────────────────────────────────────────────────────
 cache deny all
-coredump_dir /var/spool/squid
+coredump_dir /var/cache/squid
 
 # ─── ACL Definitions ──────────────────────────────────────────────────────────
 acl SSL_ports  port 443
@@ -26,6 +26,8 @@ acl CONNECT    method CONNECT
 # Add domains here as needed. Leading dot matches all subdomains.
 acl allowed_sites dstdomain api.anthropic.com
 acl allowed_sites dstdomain statsig.anthropic.com
+acl allowed_sites dstdomain localhost
+acl allowed_sites dstdomain .local
 
 # ─── Access rules ─────────────────────────────────────────────────────────────
 # Block requests to non-standard ports