Revert gVisor (runsc) from Docker setup

gVisor is incompatible with OrbStack bind mounts on macOS — writes to
/mnt/mac are blocked by the gVisor filesystem sandbox. Removing
runtime: runsc from docker-compose.yml, the gVisor setup docs from
README.md, and the runsc assertion test from rebuild.rs.

The existing Docker hardening (read-only root, cap_drop ALL,
no-new-privileges, resource limits) remains in place.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

server/src/rebuild.rs

@@ -189,23 +189,6 @@ mod tests {
     use crate::transport::MessageId;
     use std::sync::Mutex;
 
-    // ── AC: docker-compose.yml specifies runtime: runsc ──────────────────
-
-    // docker-compose.yml embedded at compile time for a hermetic test.
-    const DOCKER_COMPOSE_YML: &str =
-        include_str!(concat!(env!("CARGO_MANIFEST_DIR"), "/../docker/docker-compose.yml"));
-
-    /// The docker-compose.yml must opt the container into the gVisor runtime
-    /// so that all container syscalls are intercepted in userspace.
-    #[test]
-    fn docker_compose_specifies_runsc_runtime() {
-        assert!(
-            DOCKER_COMPOSE_YML.contains("runtime: runsc"),
-            "docker/docker-compose.yml must contain `runtime: runsc` \
-             to enable gVisor sandboxing"
-        );
-    }
-
     /// In-memory transport that records sent messages.
     struct CapturingTransport {
         sent: Mutex<Vec<(String, String)>>,