deploy: containerize arcade-eval-ref MCP server + ACR build/push action

Replace the cloudflared quick-tunnel dev pattern with a permanent in-cluster
deployment so the self-hosted Arcade engine reaches the echo/add/whoami reference
server over stable cluster DNS.

- lib/mcp_server/Dockerfile: python:3.12-slim, pip install ., HTTP transport via
  ARCADE_SERVER_{TRANSPORT,HOST,PORT} env overrides (no server.py change needed),
  non-root user, port 8000.
- .github/workflows/build-push-acr.yml: build + push
  servicetitandev.azurecr.io/arcade-eval-ref:1.0.<run_number>. Adapted from
  servicetitan/mem0; needs repo secrets ACR_DEV_USERNAME / ACR_DEV_PASSWORD.
- docs/superpowers/specs design record.

K8s manifests live in k8s-backstage-v2 apps/mcp/arcade-eval-ref/ (separate branch).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/mcp_server/Dockerfile

@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1
+#
+# arcade-eval reference MCP server (echo / add / whoami).
+#
+# Runs over HTTP so the self-hosted Arcade engine can reach it in-cluster via a
+# stable Service URL — replacing the ephemeral cloudflared tunnel used in dev.
+# Deployed to backstage-wus2-v4 under apps/mcp/arcade-eval-ref/ (k8s-backstage-v2).
+FROM python:3.12-slim
+
+WORKDIR /app
+
+# Install the package + runtime deps (arcade-mcp-server, httpx) declared in pyproject.toml.
+COPY pyproject.toml ./
+COPY src ./src
+RUN pip install --no-cache-dir .
+
+# arcade_mcp_server's app.run() reads these env vars via _get_configuration_overrides():
+#   - ARCADE_SERVER_TRANSPORT=http  -> serve MCP at /mcp and worker routes at /worker/*
+#   - ARCADE_SERVER_HOST=0.0.0.0    -> bind all interfaces (server.py hardcodes 127.0.0.1;
+#                                      this env override is what makes it reachable in-cluster)
+#   - ARCADE_SERVER_PORT=8000
+# ARCADE_WORKER_SECRET is injected by Kubernetes at runtime (from a SealedSecret); it
+# authenticates the engine->worker connection and enables the /worker/* routes.
+ENV ARCADE_SERVER_TRANSPORT=http \
+    ARCADE_SERVER_HOST=0.0.0.0 \
+    ARCADE_SERVER_PORT=8000
+
+# Run as an unprivileged user.
+RUN useradd --create-home --uid 10001 appuser
+USER appuser
+
+EXPOSE 8000
+
+# server.py's __main__ calls app.run(); the env vars above override transport/host/port.
+CMD ["python", "-m", "mcp_server.server"]