CI/CD container deployment via ain-js

Chose CI/CD deployment over Docker-in-Docker because Docker socket mounting gives containers root-level host access. Instead, GitHub Actions builds the image, pushes to GHCR, and calls ain.deployment.deploy() via ain-js SDK. The AIN node ContainerManager pulls from authorized GHCR registries only (bound via passkey). Secrets stay encrypted in GitHub Actions, never exposed via docker inspect.