build(docker): exclude local runtime state from build context #3246

Open
BXL1015 wants to merge 1 commit into bytedance:main from BXL1015:build/dockerignore-runtime-state

@BXL1015 BXL1015 commented May 26, 2026

Summary

  • Exclude local DeerFlow configuration files from Docker build contexts, including root-level and legacy backend/ config paths.
  • Exclude local runtime state directories (.deer-flow/ and backend/.deer-flow/).
  • Keep Docker build inputs aligned with files that are already treated as local-only by .gitignore.

The documented Docker setup has contributors create config.yaml before Docker image builds. Without matching .dockerignore entries, these local config/runtime files can still be sent in the Docker build context. In particular, backend/.deer-flow/ can be copied into backend image layers by COPY backend ./backend.

This is a build hygiene hardening change, not a security vulnerability report.

Test plan

  • git diff --check -- .dockerignore
  • Built a temporary Docker sentinel context with local config/runtime files and verified they are excluded while normal backend files remain included

Copilot AI review requested due to automatic review settings May 26, 2026 09:45

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Docker build context exclusions to prevent project configuration files and related directories from being sent to the Docker daemon during builds.

Changes:

  • Added config file patterns (YAML/JSON and backups) to .dockerignore
  • Added .deer-flow/ directories (root and backend) to .dockerignore

Comment thread .dockerignore
Comment on lines +48 to +61
config.yaml
config.yml
configure.yml
mcp_config.json
extensions_config.json
config.yaml.bak
backend/config.yaml
backend/config.yml
backend/configure.yml
backend/mcp_config.json
backend/extensions_config.json
backend/config.yaml.bak
.deer-flow/
backend/.deer-flow/
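Review bot: backup coverage is narrower than config coverage in both groups: `config.yaml.bak` and `backend/config.yaml.bak` are listed, but a `.bak` copy of `config.yml`, `configure.yml`, `mcp_config.json` or `extensions_config.json` would still be sent in the build context. If such backups can exist locally, add explicit root and backend/ entries for them; otherwise a comment above the block stating that only the config.yaml backup is expected would settle the question.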
Author

Keeping the root/backend entries explicit is intentional: those are the supported local config locations today. A broader ** pattern would also exclude unrelated fixture or nested config files.

Comment thread .dockerignore
Comment on lines +52 to +58
extensions_config.json
config.yaml.bak
backend/config.yaml
backend/config.yml
backend/configure.yml
backend/mcp_config.json
backend/extensions_config.json
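Review bot: the `backend/...` entries (from `backend/config.yaml` down) resolve against the root of the build context, so they only take effect when the image is built with the repository root as its context. A short comment above these lines stating that assumption, and that the list mirrors the local-only entries in .gitignore as the summary says, would help keep the two files from drifting apart.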
Author

These files are runtime/local configs rather than Docker build inputs. The checked-in templates remain included, and Compose mounts runtime configs; the sentinel build also verified normal backend files still enter the context.
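
The two replies above turn on how .dockerignore entries are anchored at the context root and on a sentinel check of what still enters the context. The sketch below is an added example, not code from this PR or the DeerFlow project: it models a simplified subset of .dockerignore matching and compares the PR's explicit entries with a broader `**/` list; `BROAD_PATTERNS` and the sentinel paths are constructed for illustration.

```python
import re

# Entries added by this PR, copied from the .dockerignore hunk on this page.
PR_PATTERNS = [
    "config.yaml", "config.yml", "configure.yml", "mcp_config.json",
    "extensions_config.json", "config.yaml.bak",
    "backend/config.yaml", "backend/config.yml", "backend/configure.yml",
    "backend/mcp_config.json", "backend/extensions_config.json",
    "backend/config.yaml.bak", ".deer-flow/", "backend/.deer-flow/",
]
# Hypothetical broader alternative of the kind the author's reply argues against.
BROAD_PATTERNS = ["**/config.yaml", "**/.deer-flow/"]

# Constructed sentinel tree; these paths are illustrative, not the real repo layout.
SENTINEL_FILES = [
    "config.yaml", "backend/config.yaml", "config.example.yaml",
    ".deer-flow/threads/1.json", "backend/.deer-flow/state.db",
    "backend/app/main.py", "backend/tests/fixtures/config.yaml",
]

def to_regex(pattern):
    """Compile one pattern, anchored at the context root.

    Simplified subset: '**/' spans any number of directories, '*' stays
    within one path segment; '!' exceptions and '?' are not modelled.
    """
    body, i, p = "", 0, pattern.rstrip("/")
    while i < len(p):
        if p.startswith("**/", i):
            body, i = body + "(?:.*/)?", i + 3
        elif p[i] == "*":
            body, i = body + "[^/]*", i + 1
        else:
            body, i = body + re.escape(p[i]), i + 1
    # Excluding a directory excludes everything beneath it.
    return re.compile("^" + body + "(?:/.*)?$")

def context_files(files, patterns):
    """Return the files that would still be sent in the build context."""
    rules = [to_regex(p) for p in patterns]
    return sorted(f for f in files if not any(r.match(f) for r in rules))

if __name__ == "__main__":
    print("explicit:", context_files(SENTINEL_FILES, PR_PATTERNS))
    print("broad:   ", context_files(SENTINEL_FILES, BROAD_PATTERNS))
```

With the explicit list the nested fixture `backend/tests/fixtures/config.yaml` stays in the context; with the `**/` list it is dropped along with the local configs.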

CLAassistant commented May 26, 2026

CLA assistant check
All committers have signed the CLA.
