fix(ci): pass Quaternions registry token as Docker build secret

cargo fetch --locked was failing with "failed to parse manifest" because
.cargo/config.toml (which registers the Quaternions sparse index) was
never copied into the build image, and the registry's auth token was
never supplied.

Changes:
- COPY .cargo/config.toml into the builder stage so Cargo knows the
  Quaternions registry URL.
- Replace bare `cargo fetch` and `cargo build` with
  `--mount=type=secret,id=cargo_token` variants that set
  CARGO_REGISTRIES_QUATERNIONS_TOKEN from the mounted secret — token
  never appears in image layers or docker history.
- Workflow: pass CI_TOKEN as the `cargo_token` build secret.
- Add solitaire_engine/** and solitaire_server/Dockerfile to trigger
  paths so engine changes and Dockerfile edits kick off rebuilds.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/docker-build.yml

@@ -8,8 +8,10 @@ on:
       - 'solitaire_server/**'
       - 'solitaire_sync/**'
       - 'solitaire_core/**'
+      - 'solitaire_engine/**'
       - 'Cargo.toml'
       - 'Cargo.lock'
+      - 'solitaire_server/Dockerfile'
       - '.gitea/workflows/docker-build.yml'
 
 env:
@@ -55,6 +57,8 @@ jobs:
             ${{ env.IMAGE }}:latest
           cache-from: type=registry,ref=${{ env.IMAGE }}:buildcache
           cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
+          secrets: |
+            cargo_token=${{ secrets.CI_TOKEN }}
 
       - name: Install kustomize
         run: |

solitaire_server/Dockerfile

@@ -12,6 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 # Copy only the files needed to build the server crate.
 # Layer order: workspace manifests first so dependency fetches are cached.
+COPY .cargo/config.toml            ./.cargo/config.toml
 COPY Cargo.toml Cargo.lock ./
 COPY solitaire_core/Cargo.toml     ./solitaire_core/Cargo.toml
 COPY solitaire_sync/Cargo.toml     ./solitaire_sync/Cargo.toml
@@ -33,7 +34,11 @@ RUN for crate in solitaire_core solitaire_sync solitaire_data solitaire_engine \
     echo "fn main() {}" > solitaire_app/src/main.rs && \
     echo "fn main() {}" > solitaire_assetgen/src/main.rs
 
-RUN cargo fetch --locked
+# The Quaternions registry requires authentication. CI passes CI_TOKEN as a
+# build secret so it never appears in image layers or docker history.
+RUN --mount=type=secret,id=cargo_token,required=true \
+    CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
+    cargo fetch --locked
 
 # Now copy real source and build in release mode.
 COPY solitaire_core/src ./solitaire_core/src
@@ -46,7 +51,9 @@ COPY solitaire_server/migrations ./solitaire_server/migrations
 COPY .sqlx ./.sqlx
 
 ENV SQLX_OFFLINE=true
-RUN cargo build --release --locked -p solitaire_server --bin solitaire_server
+RUN --mount=type=secret,id=cargo_token,required=true \
+    CARGO_REGISTRIES_QUATERNIONS_TOKEN="Bearer $(cat /run/secrets/cargo_token)" \
+    cargo build --release --locked -p solitaire_server --bin solitaire_server
 
 # --- Runtime stage ---
 FROM debian:bookworm-slim