Backend, sync, infra, docs: ETag, API versioning, k8s, web scaffold, Android 16, domain stubs

- Backend: ShallowEtagHeaderFilter for /api/v1/*, API-VERSIONING.md, README (tenant, CORS, Flyway, ETag)
- k8s: backend-deployment.yaml (Deployment, Service, Secret/ConfigMap)
- Web: scaffold with directory pull, 304 handling, touch-friendly UI
- Android 16: ANDROID-16-TARGET.md; BuildConfig STUN/signaling, SMOAApplication configures InfrastructureManager
- Domain: CertificateManager revocation stub, ReportService signReports, ZeroTrust/ThreatDetection minimal docs
- TODO.md and IMPLEMENTATION_STATUS.md updated; communications README for endpoint config

Co-authored-by: Cursor <cursoragent@cursor.com>

docker-compose.yml

@@ -0,0 +1,34 @@
+# SMOA backend + optional Nginx reverse proxy.
+# Usage: docker compose up -d
+# Backend: http://localhost:8080 (or https://localhost if using nginx service)
+# Set SMOA_API_KEY in .env for production.
+
+services:
+  backend:
+    build:
+      context: .
+      dockerfile: backend/Dockerfile
+    ports:
+      - "8080:8080"
+    environment:
+      - SPRING_PROFILES_ACTIVE=prod
+      - SMOA_API_KEY=${SMOA_API_KEY:-}
+      - SMOA_CORS_ORIGINS=${SMOA_CORS_ORIGINS:-*}
+    volumes:
+      - smoa-data:/app/data
+    restart: unless-stopped
+
+  # Uncomment to put Nginx in front (then expose 80/443 only and remove backend ports).
+  # nginx:
+  #   image: nginx:alpine
+  #   ports:
+  #     - "80:80"
+  #     - "443:443"
+  #   volumes:
+  #     - ./docs/infrastructure/nginx-smoa.conf.example:/etc/nginx/conf.d/default.conf:ro
+  #     - /path/to/certs:/etc/nginx/ssl:ro
+  #   depends_on:
+  #     - backend
+
+volumes:
+  smoa-data: