fix: compile privacy-core Rust library in Docker backend image

The MLS gate encryption system requires libprivacy_core.so — a Rust
shared library that was only compiled locally on the dev machine.
Docker users got "active gate identity is not mapped into the MLS
group" because the library was never built or included in the image.

Add a multi-stage Docker build:
- Stage 1: rust:1.87-slim-bookworm compiles privacy-core to .so
- Stage 2: copies libprivacy_core.so into the Python backend image
- Set PRIVACY_CORE_LIB env var so Python finds the library

Also track the privacy-core Rust source (Cargo.toml, Cargo.lock,
src/lib.rs) in git — they were previously untracked, which is why
the Docker build never had access to them.

Add root .dockerignore to exclude build caches and large directories
from the Docker build context.

.dockerignore

@@ -0,0 +1,23 @@
+# Exclude build artifacts, caches, and large directories from Docker context
+.git/
+.git_backup/
+node_modules/
+.next/
+__pycache__/
+*.pyc
+venv/
+.venv/
+.ruff_cache/
+
+# privacy-core build caches (source is needed, artifacts are not)
+privacy-core/target/
+privacy-core/target-test/
+privacy-core/.codex-tmp/
+
+# Large data/cache files
+*.db
+*.sqlite
+*.xlsx
+*.log
+extra/
+prototype/

backend/Dockerfile

@@ -1,3 +1,16 @@
+# ---- Stage 1: Compile privacy-core Rust library ----
+FROM rust:1.87-slim-bookworm AS rust-builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    pkg-config libssl-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY privacy-core /build/privacy-core
+WORKDIR /build/privacy-core
+RUN cargo build --release --lib \
+    && ls -la target/release/libprivacy_core.so
+
+# ---- Stage 2: Python backend ----
 FROM python:3.11-slim-bookworm
 
 WORKDIR /app
@@ -35,6 +48,9 @@ RUN npm ci --omit=dev
 # Clean up workspace scaffold
 RUN rm -rf /workspace
 
+# Copy compiled privacy-core library from Rust builder stage
+COPY --from=rust-builder /build/privacy-core/target/release/libprivacy_core.so /app/libprivacy_core.so
+ENV PRIVACY_CORE_LIB=/app/libprivacy_core.so
 
 # Create a non-root user for security
 # Grant write access to /app so the auto-updater can extract files

privacy-core/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "privacy-core"
+version = "0.1.0"
+edition = "2021"
+description = "Rust privacy core for ShadowBroker / Infonet private messaging primitives"
+license = "MIT"
+publish = false
+
+[lib]
+name = "privacy_core"
+crate-type = ["cdylib", "rlib"]
+
+[dependencies]
+mls-rs = { git = "https://github.com/awslabs/mls-rs", rev = "027d9051437f88b81f4214c5a0a3a8fd7bbb8501", package = "mls-rs", default-features = false, features = ["std", "private_message"] }
+mls-rs-crypto-rustcrypto = { git = "https://github.com/awslabs/mls-rs", rev = "027d9051437f88b81f4214c5a0a3a8fd7bbb8501", package = "mls-rs-crypto-rustcrypto", default-features = false, features = ["std"] }
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"