perf(docker): single-stage with cache-friendly layer ordering (#139)

Reshape the Dockerfile so heavy deps live in a stable early layer (digest
reproducible across releases, users cache it) and per-release cocoindex +
cocoindex-code installs land in their own small layer at the end. Cuts
the per-release `docker pull` from ~5 GB to ~470 MB.

Specifically:
- Drop the multi-stage builder/model_cache layout; do everything in one
  runtime image so each install RUN produces its own distinct layer.
  BuildKit COPY in a multi-stage emits the full copied tree as a layer
  (not a diff) — that's what made the previous two-COPY split bloat the
  image to ~10 GB without saving any pull cost.
- Order layers so per-release content (the source-tree-dependent install)
  is last; everything before reuses across releases.
- Use `RUN --mount=type=bind,source=.,target=/ccc-src,rw=true` instead of
  `COPY . /ccc-src` so hatch-vcs can write `_version.py` during the PEP 517
  build without persisting the source tree as a layer in the final image.

Image sizes: slim 534 MB (was 598 MB), full 5.77 GB (was 5.83 GB).
Per-release layer: 468 MB (uv install on top of pre-installed ST).
Verified: docker E2E suite passes (6 passed, 2 Linux-only skipped on macOS).