R3: split the landing into its own static container

- gateway/Dockerfile gains a `landing` target: caddy:2-alpine + the shared
  Vite build (identical build args keep the ui stage a single cached build);
  the gateway target drops landing.html from the embed.
- The contour caddy routes /app/, /telegram/ and the Connect path to the
  gateway; the catch-all — the landing at / and any stray path — goes to the
  new landing service, so junk traffic is absorbed by static file serving.
- deploy/landing/Caddyfile mirrors the webui caching (immutable assets,
  no-cache shells) and falls back unknown paths to the landing shell.
- The gateway's / now 308-redirects to /app/ (keeps a local no-caddy run
  usable); webui placeholder landing.html removed.
- CI deploy probe checks both / (landing) and /app/ (gateway).

Verified: both images build; the landing container serves landing.html at /
(no-cache) with junk-path fallback; the gateway image redirects / to /app/
and carries no landing content.

deploy/docker-compose.yml

@@ -75,6 +75,7 @@ services:
     build:
       context: ..
       dockerfile: gateway/Dockerfile
+      target: gateway
       args:
         VITE_TELEGRAM_BOT_ID: ${VITE_TELEGRAM_BOT_ID:-}
         VITE_TELEGRAM_LINK: ${VITE_TELEGRAM_LINK:-}
@@ -100,6 +101,28 @@ services:
       # caddy owns the /_gm Basic-Auth and routes /_gm to the backend directly.
     networks: [internal]
 
+  # --- Landing (static) -------------------------------------------------------
+  # The public landing page in its own caddy container (R3): the contour caddy
+  # routes the catch-all (notably /) here, the gateway keeps only /app/,
+  # /telegram/ and the Connect edge. Shares the gateway Dockerfile's UI build
+  # stage — identical build args keep that stage a single cached build.
+  landing:
+    container_name: scrabble-landing
+    image: scrabble-landing:latest
+    build:
+      context: ..
+      dockerfile: gateway/Dockerfile
+      target: landing
+      args:
+        VITE_TELEGRAM_BOT_ID: ${VITE_TELEGRAM_BOT_ID:-}
+        VITE_TELEGRAM_LINK: ${VITE_TELEGRAM_LINK:-}
+        VITE_TELEGRAM_GAME_CHANNEL_NAME_EN: ${VITE_TELEGRAM_GAME_CHANNEL_NAME_EN:-}
+        VITE_TELEGRAM_GAME_CHANNEL_NAME_RU: ${VITE_TELEGRAM_GAME_CHANNEL_NAME_RU:-}
+        VITE_GATEWAY_URL: ${VITE_GATEWAY_URL:-}
+        VITE_APP_VERSION: ${APP_VERSION:-dev}
+    restart: unless-stopped
+    networks: [internal]
+
   # --- Telegram connector (egress via the VPN sidecar) -----------------------
   vpn:
     container_name: scrabble-telegram-vpn
@@ -145,12 +168,13 @@ services:
       OTEL_EXPORTER_OTLP_ENDPOINT: http://otelcol:4317
       OTEL_EXPORTER_OTLP_INSECURE: "true"
 
-  # --- Edge reverse proxy (single /_gm Basic-Auth; SPA + Connect -> gateway) --
+  # --- Edge reverse proxy (single /_gm Basic-Auth; SPA + Connect -> gateway;
+  #     the catch-all incl. the landing -> the static landing container) -------
   caddy:
     container_name: scrabble-caddy
     image: caddy:2-alpine
     restart: unless-stopped
-    depends_on: [gateway, backend, grafana]
+    depends_on: [gateway, backend, grafana, landing]
     environment:
       # Test: ":80" (host caddy terminates TLS). Prod: a domain for own ACME.
       CADDY_SITE_ADDRESS: ${CADDY_SITE_ADDRESS:-:80}