feat: add buildMode "docker" — one isolated container per site

[vianmora]

Closes #5

What this adds

A new buildMode: "docker" for POST /publish. Instead of running a raw Node subprocess, each site gets its own isolated Docker container. The publisher builds the image once and routes all hostnames (publish domain + custom domains) to it via the existing proxy.

How it works

POST /publish { buildId, builderOrigin, buildMode: "docker" }
  → webstudio sync + build --template docker
  → patches generated [_image].$.ts and writes a NavLink fix script
  → writes optimized multi-stage Dockerfile (BuildKit cache mounts)
  → docker build -t ws-<domain> .
  → docker stop/rm ; docker run -d --restart=unless-stopped
  → docker image prune -f
  → all hostnames registered in proxy

On publisher restart, existing Docker containers are detected via docker inspect and restarted if stopped. Mode transitions (SSG↔Docker) clean up the previous state before building.

Why this is useful for self-hosters

• Isolation — a crash or memory leak on one site doesn't affect others
• Restart resilience — --restart=unless-stopped survives host reboots without publisher involvement
• Operational clarity — docker ps shows all sites; docker logs <name> per site
• Faster rebuilds — multi-stage Dockerfile with BuildKit npm cache mounts: packages are not re-downloaded on republish

Infra requirement

The publisher container needs access to the host Docker daemon:

volumes:
  - /var/run/docker.sock:/var/run/docker.sock

A warning is logged at startup if the socket is not accessible.

Bug fixes included

SSG — stale pages after rename (fix(ssg))

When a page is renamed or deleted in the builder, webstudio build --template ssg updates __generated__/ but leaves orphaned +Page.tsx files in pages/. Vite then fails to resolve the broken import. Fix: clean pages/ and app/ before each build.

Docker — images not loading (fix(docker): fix IPX image loading)

Two issues prevented images from loading in Docker SSR containers:

1. The npm CLI template generates ipxFSStorage({ dir: "./public" }), but public/ is absent from the final multi-stage image — Vite moves assets to build/client/ at build time. The publisher patches [_image].$.ts after webstudio build to use the correct path.
2. Passing a DOMAINS allowlist to IPX blocked images served from the public builder URL (403 IPX_FORBIDDEN_HOST). Fix: pass IPX_HTTP_ALLOW_ALL_DOMAINS=true to the container instead.

Docker — hover styles always active on hash anchor links (fix(docker): NavLink aria-current)

In SSR, all /#section links got aria-current="page" because they share the pathname / with every root page. NavLink with end={true} still marks them all as active.

The fix is in @webstudio-is/sdk-components-react-router/src/link.tsx (fork PR pending), but the npm CLI installs the upstream package so the fix doesn't apply automatically. The publisher writes a patch-navlink.cjs script into the workDir; the Dockerfile runs it after npm ci to patch the compiled lib/components.js before the React Router build.