initial: zero-trust markdown tutorials site

Single-binary Go service that renders markdown pages from a runtime
volume mount. Targeted at public, no-auth, no-WAF deployment behind a
TLS ingress; security posture is defense-in-depth at every layer:

- goldmark with no WithUnsafe — raw HTML in author markdown is stripped
- CSP without 'unsafe-inline', plus HSTS, COOP, CORP, Permissions-Policy
- static handler rejects non-GET/HEAD, directory listings, dotfiles, traversal
- content loader rejects symlinks that escape the content root, dotfiles,
  and .md files larger than 1 MiB
- per-page template trees (cloned from layout) so define-blocks don't
  collide between home/category/page
- SIGHUP triggers atomic library swap — live edits on volume, no rebuild

Locale layout content/<locale>/<category>/<slug>.md. Categories without
_index.md still appear on the home page with a humanized name. Search is
a ~70-line vanilla JS scan over /search.json?lang=<locale>; swap for a
real indexer if the corpus ever balloons.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -0,0 +1,21 @@
+# --- build stage ---
+FROM golang:1.25-alpine AS build
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags='-s -w' \
+    -o /out/automc-tutorials ./cmd/automc-tutorials
+
+# --- runtime stage ---
+# Image carries only the binary. Content is provided at runtime via a volume
+# mount at /content (typically a Longhorn RWX PVC populated by `git pull` or
+# rsync from an admin shell). Live edits + SIGHUP reload = no rebuild needed.
+FROM gcr.io/distroless/static-debian12:nonroot
+WORKDIR /app
+COPY --from=build /out/automc-tutorials /app/automc-tutorials
+EXPOSE 8080
+ENV ADDR=:8080 CONTENT_DIR=/content DEFAULT_LOCALE=en
+VOLUME ["/content"]
+USER 65532:65532
+ENTRYPOINT ["/app/automc-tutorials"]