fix(ci): Dockerfile COPY invariant check — prevent missing internal/<pkg> Docker failures (#1316) (#1432)

## Summary

- Adds `scripts/check-dockerfile-internal-pkgs.sh`: reads `replace =>
../../internal/<pkg>` directives from `cmd/server/go.mod` and
`cmd/ingestor/go.mod`, then verifies each referenced package has the
correct number of `COPY internal/<pkg>/` lines in `Dockerfile` (one per
builder section that needs it)
- Wired into CI as a step in the `go-test` job, before CSS lint — runs
on every PR, adds ~0.1s
- Prevents the recurring failure pattern (#1316): new `internal/<pkg>`
added to go.mod but COPY line forgotten in Dockerfile; non-Docker CI
passes, Docker build fails after merge with a cryptic module error

Key details:
- Counts COPY occurrences per package: if a pkg is referenced in both
go.mods (both binaries need it), it must appear in at least 2 builder
sections
- Anchored regex: only matches actual `replace` directives (not
comments)
- Anchored grep: skips commented-out `COPY internal/...` lines

Closes #1316.

## Test plan

- [ ] Run `bash scripts/check-dockerfile-internal-pkgs.sh` locally —
exits 0 on current Dockerfile
- [ ] Manually remove a `COPY internal/perfio/` line from Dockerfile →
script exits 1 with a clear error
- [ ] CI step visible in the `go-test` job on this PR

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/deploy.yml

@@ -81,6 +81,9 @@ jobs:
           go test ./...
           echo "--- Decrypt CLI tests passed ---"
 
+      - name: Verify Dockerfile COPY invariants (issue #1316)
+        run: bash scripts/check-dockerfile-internal-pkgs.sh
+
       - name: Lint CSS variables (issue #1128)
         run: |
           set -e