feat(docker): add isolated Claude Code environment with proxy sidecar

Two-container setup: claude (UID 1000, internal-only network) and proxy
(Squid, UID 13). The internal Docker network uses internal: true so the
claude container has no direct internet route. All egress is tunnelled
through the Squid sidecar which enforces a domain allowlist. Both
containers drop all capabilities and set no-new-privileges. claude.sh
provides start/stop/run/update/logs/status/shell lifecycle management.

.dockerignore

@@ -0,0 +1,8 @@
+.env
+*.log
+.git
+README.md
+claude.sh
+.gitignore
+.env.example
+.dockerignore