build(docker): mount git credentials as buildkit secret for pallas SSH→HTTP fetch

The pallas patch in [patch.crates-io] is now ssh://git@gitea after the
2026-05-06 token-scrub. Inside a docker build the rust container has no
SSH key and no known_hosts for gitea, so cargo's libgit2 / system-git
both reject the fetch.

Mount /root/.git-credentials as a BuildKit secret (mode=0400, required)
and set a build-time `url.HTTP.insteadOf SSH` rewrite. Cargo.toml and
Cargo.lock keep their SSH URLs — the rewrite is git-CLI-level so no
credential ever lands in the lock file or in any image layer.

Build invocation:
  docker build --secret id=git_credentials,src=<creds-file> ...

where <creds-file> is one line `http://USER:PAT@192.168.0.5:3001`.

This mirrors the pattern crafting-table already uses on its runner
(.git-credentials + url.insteadOf rewrite). nightly-builds.sh on Lucy
will need an analogous --secret arg before it can rebuild this branch.
Kayos 2026-05-06 13:45:55 -07:00
parent c695fb02f2
commit 82e8273969
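The build invocation above leaves the handling of `<creds-file>` to whoever writes the runner script. The wrapper below is an added example, not code from the aldabra repo or from nightly-builds.sh: it refuses to start docker unless the credentials file is exactly one owner-only `http://USER:PAT@HOST:PORT` line, passes only the file path to `--secret` so the PAT never reaches argv or shell history, and offers a post-build check of the image's layer metadata. The secret id `git_credentials` and the Gitea HTTP port 3001 are taken from the commit; the function names, the `/etc/ci/gitea-creds` path and the `aldabra:nightly` tag in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the aldabra repo or its nightly-builds.sh):
# a wrapper for `docker build --secret id=git_credentials,src=<creds-file>`.
# Function names, paths and tags below are this example's own assumptions.

# check_creds_file FILE -> 0 if FILE is one owner-only
# http://USER:PAT@HOST:PORT line, 1 otherwise (reason on stderr, line never echoed).
check_creds_file() {
    f="$1"
    [ -f "$f" ] || { echo "creds: $f missing" >&2; return 1; }
    # Refuse anything group- or world-readable: other jobs on the runner
    # must not be able to read the PAT. GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) ;;
        *) echo "creds: $f has mode $mode, want 0400 or 0600" >&2; return 1 ;;
    esac
    # Exactly one line (grep -c '' also counts an unterminated last line).
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "creds: $f must be exactly one line" >&2; return 1; }
    # Shape check only: scheme, user, password, host and numeric port.
    case "$(head -n 1 "$f")" in
        http://*:*@*:[0-9]*) ;;
        *) echo "creds: $f is not an http://USER:PAT@HOST:PORT line" >&2; return 1 ;;
    esac
}

# pat_of_creds FILE -> the PAT part of the credential line on stdout.
# Only ever redirected into a 0600 temp file by leak_check, never into argv.
pat_of_creds() {
    sed 's|^http://[^:]*:\([^@]*\)@.*$|\1|' "$1"
}

# build_with_creds FILE [docker build args...]
# Mounts FILE as the BuildKit secret the Dockerfile's RUN --mount expects.
# With required=true on that mount, forgetting --secret fails the build
# instead of silently retrying the SSH URL without credentials.
build_with_creds() {
    creds="$1"; shift
    check_creds_file "$creds" || return 1
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
    DOCKER_BUILDKIT=1 docker build --secret "id=git_credentials,src=$creds" "$@"
}

# leak_check IMAGE FILE -> 1 if the PAT appears in any layer's recorded
# command. This covers image metadata only (what `docker history` shows);
# a secret mount never writes into a layer, which is the point of the
# Dockerfile change, but a full check would `docker save` the image and
# grep the tarball.
leak_check() {
    image="$1"; creds="$2"
    patfile=$(mktemp); chmod 600 "$patfile"
    pat_of_creds "$creds" > "$patfile"
    if docker history --no-trunc --format '{{.CreatedBy}}' "$image" | grep -q -F -f "$patfile"; then
        rm -f "$patfile"
        echo "PAT found in layer metadata of $image" >&2
        return 1
    fi
    rm -f "$patfile"
}

# Usage from a runner script, with the creds file kept at 0600:
#   build_with_creds /etc/ci/gitea-creds -t aldabra:nightly . && \
#   leak_check aldabra:nightly /etc/ci/gitea-creds
if [ "$#" -ge 1 ]; then
    build_with_creds "$@"
fi
```

The permission check is deliberately strict: a PAT that can clone the pallas mirror is a write-capable identity on the Gitea host as far as other tenants of the runner are concerned, so 0644 is treated as an error rather than a warning. `leak_check` is a regression test for the claim in the commit message, not a substitute for it; the guarantee comes from the secret mount existing only for the duration of that one `RUN`.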


@ -1,3 +1,4 @@
# syntax=docker/dockerfile:1.4
# aldabra — Cardano lite wallet over MCP.
#
# Multi-stage:
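Review bot: `# syntax=docker/dockerfile:1.4` pins the BuildKit frontend to one minor release; the usual recommendation is `# syntax=docker/dockerfile:1`, which tracks the latest stable 1.x (secret mounts with `mode` and `required` are available there too) so later frontend fixes arrive without editing the Dockerfile. Either way the directive only takes effect as the very first line of the file, which this hunk respects, and only under BuildKit, so the runner invoking the build needs `DOCKER_BUILDKIT=1` or an engine version where BuildKit is the default builder.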
@ -44,7 +45,15 @@ COPY crates ./crates
# trick above leaves stale build artifacts otherwise.
RUN find crates -name '*.rs' -exec touch {} +
RUN cargo build --release --bin aldabra && \
# Fetch the pallas patch dep via HTTP+PAT at build time. Source URLs
# stay SSH (Cargo.toml + Cargo.lock) — the rewrite is git-CLI-level
# only, so no credential gets baked into the lock file or the image.
# Pass `--secret id=git_credentials,src=<file>` where <file> is one
# line: http://USER:PAT@192.168.0.5:3001
RUN --mount=type=secret,id=git_credentials,target=/root/.git-credentials,mode=0400,required=true \
git config --global credential.helper store && \
git config --global url."http://192.168.0.5:3001/".insteadOf "ssh://git@192.168.0.5:23/" && \
cargo build --release --bin aldabra && \
strip target/release/aldabra
FROM debian:bookworm-slim AS runtime
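Review bot: the comment `# stay SSH (Cargo.toml + Cargo.lock) — the rewrite is git-CLI-level` only holds if cargo actually shells out to git, and nothing in this RUN turns that on: put `CARGO_NET_GIT_FETCH_WITH_CLI=true` in front of `cargo build --release --bin aldabra` (or set `net.git-fetch-with-cli = true` in `.cargo/config.toml`), otherwise cargo uses its built-in libgit2 fetcher and whether that honours the global `url.*.insteadOf` map and the `store` credential helper is version-dependent rather than guaranteed. Second, `insteadOf` is a literal prefix match, so the source URL in Cargo.toml and Cargo.lock has to begin with exactly `ssh://git@192.168.0.5:23/`; the commit message describes the patch as `ssh://git@gitea`, and if the manifest uses that hostname the rewrite never fires and the fetch fails exactly as before, since `required=true` only catches a missing `--secret`, not a URL that does not match. Stating the exact source URL in the comment block would keep the two in sync.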