feat: bring repo up to REPO_POLICIES standards (#6)

## Summary

This PR brings the webhooker repo into full REPO_POLICIES compliance, addressing both [issue #1](#1) and [issue #2](#2).

## Changes

### New files
- **`cmd/webhooker/main.go`** — The missing application entry point. Uses Uber fx to wire together all internal packages (config, database, logger, server, handlers, middleware, healthcheck, globals, session). Minimal glue code.
- **`REPO_POLICIES.md`** — Fetched from authoritative source (`sneak/prompts`)
- **`.editorconfig`** — Fetched from authoritative source
- **`.dockerignore`** — Sensible Go project exclusions
- **`.gitea/workflows/check.yml`** — CI workflow that runs `docker build .` on push to any branch (Gitea Actions format, actions/checkout pinned by sha256)
- **`configs/config.yaml.example`** — Moved from root `config.yaml`

### Modified files
- **`Makefile`** — Complete rewrite with all REPO_POLICIES required targets: `test`, `lint`, `fmt`, `fmt-check`, `check`, `build`, `hooks`, `docker`, `clean`, plus `dev`, `run`, `deps`
- **`Dockerfile`** — Complete rewrite:
  - Builder: `golang:1.24` (Debian-based, pinned by `sha256:d2d2bc1c84f7...`). Debian needed because `gorm.io/driver/sqlite` pulls `mattn/go-sqlite3` (CGO) which fails on Alpine musl.
  - golangci-lint v1.64.8 installed from GitHub release archive with sha256 verification (v1.x because `.golangci.yml` uses v1 config format)
  - Runs `make check` (fmt-check + lint + test + build) as build step
  - Final stage: `alpine:3.21` (pinned by `sha256:c3f8e73fdb79...`) with non-root user, healthcheck, port 8080
- **`README.md`** — Rewritten with all required REPO_POLICIES sections: description line with name/purpose/category/license/author, Getting Started, Rationale, Design, TODO (integrated from TODO.md), License, Author
- **`.gitignore`** — Fixed `webhooker` pattern to `/webhooker` (was blocking `cmd/webhooker/`), added `config.yaml` to prevent committing runtime config with secrets
- **`static/static.go`** — Removed `vendor` from embed directive (directory was empty/missing)
- **`internal/database/database_test.go`** — Fixed to use in-memory config via `afero.MemMapFs` instead of depending on `config.yaml` on disk. Test is now properly isolated.
- **`go.mod`/`go.sum`** — `go mod tidy`

### Removed files
- **`TODO.md`** — Content integrated into README.md TODO section
- **`config.yaml`** — Moved to `configs/config.yaml.example`

## Verification
- `docker build .` passes (lint ✅, test ✅, build ✅)
- All existing tests pass with no modifications to assertions or test logic
- `.golangci.yml` untouched

closes #1
closes #2

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #6
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

configs/config.yaml.example

@@ -0,0 +1,50 @@
+environments:
+  dev:
+    config:
+      port: 8080
+      debug: true
+      maintenanceMode: false
+      developmentMode: true
+      environment: dev
+      # Database URL for local development
+      dburl: postgres://webhooker:webhooker@localhost:5432/webhooker_dev?sslmode=disable
+      # Basic auth for metrics endpoint in dev
+      metricsUsername: admin
+      metricsPassword: admin
+      # Dev admin credentials for testing
+      devAdminUsername: devadmin
+      devAdminPassword: devpassword
+    secrets:
+      # Use default insecure session key for development
+      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
+      # Sentry DSN - usually not needed in dev
+      sentryDSN: ""
+
+  prod:
+    config:
+      port: $ENV:PORT
+      debug: $ENV:DEBUG
+      maintenanceMode: $ENV:MAINTENANCE_MODE
+      developmentMode: false
+      environment: prod
+      dburl: $ENV:DBURL
+      metricsUsername: $ENV:METRICS_USERNAME
+      metricsPassword: $ENV:METRICS_PASSWORD
+      # Dev admin credentials should not be set in production
+      devAdminUsername: ""
+      devAdminPassword: ""
+    secrets:
+      sessionKey: $ENV:SESSION_KEY
+      sentryDSN: $ENV:SENTRY_DSN
+
+configDefaults:
+  # These defaults apply to all environments unless overridden
+  port: 8080
+  debug: false
+  maintenanceMode: false
+  developmentMode: false
+  environment: dev
+  metricsUsername: ""
+  metricsPassword: ""
+  devAdminUsername: ""
+  devAdminPassword: ""