tools/local-dev: docker-compose stack for UI development

Adds tools/local-dev/ with postgres + redis + mailpit + backend +
gateway plus a Make wrapper, so `make -C tools/local-dev up` brings
the full authenticated stack online and `pnpm -C ui/frontend dev`
talks to it directly. The committed `.env.development` already
points at the stack and pins the matching gateway response public
key from the dev keypair under tools/local-dev/keys/.

The backend ships a new opt-in env, BACKEND_AUTH_DEV_FIXED_CODE
(`tools/local-dev/.env` defaults it to 123456). When set,
ConfirmEmailCode accepts that literal in addition to the real
bcrypt-verified code; SendEmailCode still queues a real email so
Mailpit captures the issued code at http://localhost:8025/, and
both paths coexist. The override is rejected as non-six-digit by
config validation and emits a loud warning at backend startup.

The local-dev Dockerfiles mirror backend/Dockerfile and
gateway/Dockerfile but switch the runtime stage to alpine so
docker-compose healthchecks can wget /healthz; the gateway
Dockerfile additionally copies ui/core/ into the build context
because gateway/go.mod's `replace galaxy/core => ../ui/core` is
required to compile the gateway main.

Smoke tested:
- `make -C tools/local-dev up` boots all five services to healthy.
- send-email-code + confirm-email-code with code=123456 returns a
  device_session_id; a real code in Mailpit also redeems
  successfully.
- `pnpm test` 14/14, `pnpm exec playwright test` 44/44.
- `go test ./backend/internal/config/...` green.

Docs: tools/local-dev/README.md, tools/local-dev/keys/README.md,
new "Local development stack" section in ui/docs/testing.md, and a
short pointer in ui/README.md.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tools/local-dev/keys/README.md

@@ -0,0 +1,34 @@
+# `tools/local-dev/keys/`
+
+DEV-ONLY cryptographic material used by the `tools/local-dev/` stack.
+
+**Never use any key in this directory in a non-local environment.**
+
+## Files
+
+- `gateway-response.pem` — gateway response-signing private key, PKCS#8
+  PEM, Ed25519. Mounted into the gateway container at
+  `/run/secrets/gateway-response.pem` and pointed to via
+  `GATEWAY_RESPONSE_SIGNER_PRIVATE_KEY_PEM_PATH`.
+- `gateway-response.pub` — matching raw 32-byte public key, standard
+  base64. Copied verbatim into `ui/frontend/.env.development` as
+  `VITE_GATEWAY_RESPONSE_PUBLIC_KEY`.
+
+## Regenerating
+
+The keypair is committed because it must be deterministic across
+developer checkouts (the UI's `.env.development` ships the exact
+base64 of the public half). Rotate only when a leak is suspected; the
+keys never reach a non-local environment in normal operation.
+
+To regenerate from a Go one-shot:
+
+```sh
+cd tools/local-dev/keys
+go run ./regenerate.go
+```
+
+The helper writes a fresh PEM, prints the matching public-key base64,
+and updates `gateway-response.pub`. After regeneration, copy the new
+`VITE_GATEWAY_RESPONSE_PUBLIC_KEY` value from `gateway-response.pub`
+into `ui/frontend/.env.development` and commit both changes together.

tools/local-dev/keys/gateway-response.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIHqW94EpSePdiujbP1Wh1GIz+vuDnFU8HDeFfaNwcovi
+-----END PRIVATE KEY-----

tools/local-dev/keys/gateway-response.pub

@@ -0,0 +1,4 @@
+# DEV-ONLY gateway response-signing public key (raw 32-byte Ed25519,
+# standard non-URL-safe base64). Pairs with `gateway-response.pem`.
+# Never use in any non-local environment.
+nIG54tCuNiIKrazt8Hh7YxmmU/BhpseGhIIgj164Chw=

tools/local-dev/keys/regenerate.go

@@ -0,0 +1,47 @@
+// Regenerate `gateway-response.pem` and `gateway-response.pub`.
+//
+// Run from this directory: `go run ./regenerate.go`. The keys are
+// committed and used only by the `tools/local-dev/` stack; rotate by
+// re-running and committing both files together with the matching
+// `VITE_GATEWAY_RESPONSE_PUBLIC_KEY` update in
+// `ui/frontend/.env.development`.
+
+//go:build ignore
+
+package main
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"os"
+)
+
+func main() {
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "generate:", err)
+		os.Exit(1)
+	}
+	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, "marshal:", err)
+		os.Exit(1)
+	}
+	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
+	if err := os.WriteFile("gateway-response.pem", pemBytes, 0o600); err != nil {
+		fmt.Fprintln(os.Stderr, "write pem:", err)
+		os.Exit(1)
+	}
+
+	pubB64 := base64.StdEncoding.EncodeToString(pub)
+	pubBlock := fmt.Sprintf("# DEV-ONLY gateway response-signing public key (raw 32-byte Ed25519,\n# standard non-URL-safe base64). Pairs with `gateway-response.pem`.\n# Never use in any non-local environment.\n%s\n", pubB64)
+	if err := os.WriteFile("gateway-response.pub", []byte(pubBlock), 0o644); err != nil {
+		fmt.Fprintln(os.Stderr, "write pub:", err)
+		os.Exit(1)
+	}
+	fmt.Printf("VITE_GATEWAY_RESPONSE_PUBLIC_KEY=%s\n", pubB64)
+}