
Add Docker Compose deployment, security headers, and VPS docs #13

Open: Spbd1 wants to merge 1 commit into codex/add-protected-admin-dashboard from codex/prepare-docker-deployment-for-vps

Spbd1 (Owner) commented May 8, 2026

Motivation

  • Make the app straightforward to deploy on a VPS with or without Docker by providing Dockerfiles, Compose configuration, and practical deployment docs.
  • Ensure safe defaults for local testing while making it clear secrets must be changed before production.
  • Avoid exposing Postgres publicly and require explicit migrations so the app does not silently lose data.
  • Improve runtime security with basic HTTP headers and a Content-Security-Policy that is production-aware.

Description

  • Add a Dockerfile using Node 20 that generates the Prisma client, builds the Next app, exposes port 3000, and starts the app with npm run start.
  • Add docker-compose.yml with app and private postgres services, a persistent postgres_data volume, local-safe environment defaults, and ports bound to 127.0.0.1:3000:3000 so Postgres is not exposed by default.
  • Update .env.example with Docker-friendly Postgres defaults and placeholder secrets and add a .dockerignore to keep sensitive/build files out of the image context.
  • Add production-aware security headers and a reasonable CSP in next.config.mjs (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Content-Security-Policy), with CSP relaxed for development only.
  • Document migration workflow and operational steps in docs/DEPLOYMENT.md, including the explicit migration command docker compose exec app npm run db:migrate and guidance to run migrations manually so data is not lost.
  • Add docs/DATA_COLLECTION.md describing how submissions flow from participants to POST /api/submissions, how to confirm and export data (CSV/JSON), completeness flags, and safe deletion procedures.
  • Add docs/RESEARCH_NOTES.md with concise study motivation, manipulation details, measures, computed metrics, ethics/limitations, and recommended pilot steps.

Testing

  • git diff --check passed successfully.
  • node -e "import('./next.config.mjs').then((m) => m.default.headers().then((h) => console.log(h[0].headers.length)))" executed successfully to validate header configuration.
  • docker-compose.yml YAML parsing was validated (ruby YAML load returned OK).
  • npm install failed due to registry access: 403 Forbidden when attempting to fetch @prisma/client, so TypeScript typecheck (npm run typecheck) and next-based lint/build (npm run lint, npm run build) could not complete and were blocked.
  • docker compose config / docker compose build could not be run in this environment because Docker is not available, so Compose start was not executed here; the Compose file is written to support docker compose up --build in a Docker-enabled VPS environment.

Codex Task
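
The production-aware headers item in the description above, as an added example that is not the PR's own next.config.mjs: it builds the five named headers with a CSP that allows 'unsafe-eval' only outside production, plus a pre-deploy check that flags a development-grade policy. The function names (buildCsp, securityHeaders, makeNextConfig, auditCsp) and all directive and header values are assumptions, since the diff is not shown on this page.

```javascript
// Added example; names and directive values are assumptions, not the PR's code.
function buildCsp(isProd) {
  const directives = {
    "default-src": ["'self'"],
    // Assumption: no nonce setup, so inline scripts stay allowed in both modes.
    // Only development gets 'unsafe-eval' (used by Next.js dev tooling).
    "script-src": ["'self'", "'unsafe-inline'", ...(isProd ? [] : ["'unsafe-eval'"])],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  const render = ([name, values]) => `${name} ${values.join(" ")}`;
  return Object.entries(directives).map(render).join("; ");
}

function securityHeaders(isProd) {
  return [
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
    { key: "Content-Security-Policy", value: buildCsp(isProd) },
  ];
}

// Same shape Next.js reads from next.config.mjs: async headers() -> [{ source, headers }].
function makeNextConfig(nodeEnv) {
  const isProd = nodeEnv === "production";
  return { headers: async () => [{ source: "/:path*", headers: securityHeaders(isProd) }] };
}

// Pre-deploy check: report development relaxations or missing directives in a CSP string.
function auditCsp(csp) {
  const parsed = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) parsed.set(name.toLowerCase(), values);
  }
  const findings = [];
  const scriptSrc = parsed.get("script-src") || parsed.get("default-src") || [];
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  for (const required of ["default-src", "object-src", "base-uri", "frame-ancestors"]) {
    if (!parsed.has(required)) findings.push(`missing ${required}`);
  }
  return findings;
}
```

In a real next.config.mjs the object returned by makeNextConfig(process.env.NODE_ENV) would be the default export, and auditCsp can run in CI against the header value the production build actually serves.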
