add suite: all-in-one Docker image with noc + Gitea

- Switch to rustls (drop OpenSSL dependency) for musl static build
- Add deploy/ with Dockerfile and entrypoint (Gitea auto-setup + admin token)
- Add Makefile targets: build-musl, docker
- Add doc/suite.md: design doc for human-AI collaboration interfaces

deploy/Dockerfile

@@ -0,0 +1,35 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates git curl sqlite3 jq \
+    && rm -rf /var/lib/apt/lists/*
+
+# install gitea
+ARG GITEA_VERSION=1.23.7
+RUN curl -fSL "https://dl.gitea.com/gitea/${GITEA_VERSION}/gitea-${GITEA_VERSION}-linux-amd64" \
+        -o /usr/local/bin/gitea \
+    && chmod +x /usr/local/bin/gitea
+
+# noc binary (pre-built musl static binary)
+COPY noc /usr/local/bin/noc
+RUN chmod +x /usr/local/bin/noc
+
+COPY tools/ /opt/noc/tools/
+COPY config.example.yaml /opt/noc/config.example.yaml
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+RUN useradd -m -s /bin/bash noc \
+    && mkdir -p /data/gitea /data/noc \
+    && chown -R noc:noc /data /opt/noc
+VOLUME ["/data"]
+USER noc
+
+ENV RUST_LOG=noc=info \
+    NOC_CONFIG=/data/noc/config.yaml \
+    NOC_STATE=/data/noc/state.json \
+    GITEA_WORK_DIR=/data/gitea
+
+EXPOSE 3000
+
+ENTRYPOINT ["/entrypoint.sh"]

deploy/entrypoint.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+set -euo pipefail
+
+GITEA_DATA="/data/gitea"
+NOC_DATA="/data/noc"
+GITEA_DB="$GITEA_DATA/gitea.db"
+GITEA_INI="$GITEA_DATA/app.ini"
+GITEA_TOKEN_FILE="$NOC_DATA/gitea-token"
+
+GITEA_ADMIN_USER="${GITEA_ADMIN_USER:-noc}"
+GITEA_ADMIN_PASS="${GITEA_ADMIN_PASS:-noc-admin-changeme}"
+GITEA_ADMIN_EMAIL="${GITEA_ADMIN_EMAIL:-noc@localhost}"
+GITEA_HTTP_PORT="${GITEA_HTTP_PORT:-3000}"
+
+mkdir -p "$GITEA_DATA" "$NOC_DATA"
+
+# ── gitea config ────────────────────────────────────────────────────
+if [ ! -f "$GITEA_INI" ]; then
+    cat > "$GITEA_INI" <<EOF
+[server]
+HTTP_PORT = ${GITEA_HTTP_PORT}
+ROOT_URL = http://localhost:${GITEA_HTTP_PORT}/
+LFS_START_SERVER = false
+
+[database]
+DB_TYPE = sqlite3
+PATH = ${GITEA_DB}
+
+[security]
+INSTALL_LOCK = true
+
+[service]
+DISABLE_REGISTRATION = true
+
+[log]
+MODE = console
+LEVEL = Warn
+EOF
+    echo "[gitea] created $GITEA_INI"
+fi
+
+# ── start gitea in background ──────────────────────────────────────
+echo "[suite] starting gitea..."
+gitea web --config "$GITEA_INI" --custom-path "$GITEA_DATA/custom" &
+GITEA_PID=$!
+
+# wait for gitea to be ready
+for i in $(seq 1 30); do
+    if curl -sf "http://localhost:${GITEA_HTTP_PORT}/api/v1/version" > /dev/null 2>&1; then
+        echo "[suite] gitea ready"
+        break
+    fi
+    if [ "$i" -eq 30 ]; then
+        echo "[suite] ERROR: gitea failed to start"
+        exit 1
+    fi
+    sleep 1
+done
+
+# ── create admin user + token ──────────────────────────────────────
+if ! gitea admin user list --config "$GITEA_INI" 2>/dev/null | grep -q "$GITEA_ADMIN_USER"; then
+    gitea admin user create \
+        --config "$GITEA_INI" \
+        --username "$GITEA_ADMIN_USER" \
+        --password "$GITEA_ADMIN_PASS" \
+        --email "$GITEA_ADMIN_EMAIL" \
+        --admin
+    echo "[suite] created admin user: $GITEA_ADMIN_USER"
+fi
+
+if [ ! -f "$GITEA_TOKEN_FILE" ]; then
+    TOKEN=$(curl -sf -X POST \
+        "http://localhost:${GITEA_HTTP_PORT}/api/v1/users/${GITEA_ADMIN_USER}/tokens" \
+        -u "${GITEA_ADMIN_USER}:${GITEA_ADMIN_PASS}" \
+        -H "Content-Type: application/json" \
+        -d "{\"name\":\"noc-suite\",\"scopes\":[\"all\"]}" \
+        | jq -r '.sha1')
+    echo "$TOKEN" > "$GITEA_TOKEN_FILE"
+    echo "[suite] admin token saved to $GITEA_TOKEN_FILE"
+fi
+
+# ── copy default noc config if missing ─────────────────────────────
+if [ ! -f "$NOC_DATA/config.yaml" ]; then
+    cp /opt/noc/config.example.yaml "$NOC_DATA/config.yaml"
+    echo "[suite] copied default config to $NOC_DATA/config.yaml — edit before use"
+fi
+
+# ── start noc ──────────────────────────────────────────────────────
+echo "[suite] starting noc..."
+exec noc