feat(infra): add local pull-through mirrors for NuGet, npm, Docker Hub

docker-compose.mirror.yml:
  - BaGet  (port 5101) → proxies nuget.org
  - Verdaccio (port 4873) → proxies npmjs.com
  - registry:2 (port 5100) → proxies Docker Hub

nuget.mirror.config: points dotnet restore at http://mirror:5101
mirrors/verdaccio/config.yaml: open reads, upstream npmjs fallback

CI workflow:
  - All container jobs: --add-host=mirror:host-gateway
  - dotnet restore --configfile nuget.mirror.config
  - npm install --registry http://mirror:4873

First run: packages fetched from upstream through the VPS.
All subsequent runs: served from local disk, no CDN needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

mirrors/verdaccio/config.yaml

@@ -0,0 +1,44 @@
+# Verdaccio — npm pull-through proxy
+# All packages are served anonymously (no login needed in CI).
+# On first request: fetches from npmjs.org, caches locally.
+# On subsequent requests: served from local disk.
+
+storage: /verdaccio/storage
+plugins: /verdaccio/plugins
+
+# Listen on all interfaces inside the container
+listen: 0.0.0.0:4873
+
+# No auth required for reading (CI-friendly)
+auth:
+  htpasswd:
+    file: /verdaccio/conf/htpasswd
+    max_users: -1      # disable self-registration; reads stay open
+
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+    timeout: 120s
+    maxage: 10m
+    max_fails: 3
+    fail_timeout: 5m
+
+packages:
+  # Scoped packages (@org/package)
+  "@*/*":
+    access: $all
+    publish: $all
+    proxy: npmjs
+
+  # All other packages
+  "**":
+    access: $all
+    publish: $all
+    proxy: npmjs
+
+# Cache settings
+publish:
+  allow_offline: true   # serve cached version even if upstream is unreachable
+
+logs:
+  - { type: stdout, format: pretty, level: http }