chore(runtime): point shipped image defaults to registry.cameleer.io

Customers running this server with no overrides reach the public registry
alias, not the internal hostname. registry.cameleer.io and gitea.siegeln.net
resolve to the same registry — buildtime CI keeps pushing to gitea.siegeln.net,
runtime defaults pull via the public alias.

- application.yml: baseimage, loaderimage defaults
- DeploymentExecutor.java: matching @Value defaults
- docker-orchestration.md: updates the documented default and notes the
  buildtime/public split so future changes don't "fix" the asymmetry

Out of scope (intentionally still on gitea.siegeln.net):
- LoaderHardeningIT and the two DockerRuntimeOrchestrator unit tests.
  Tests are buildtime artifacts; LoaderHardeningIT pulls the real image
  via CI's pre-authenticated docker login to gitea.siegeln.net.
- deploy/base/*.yaml and deploy/overlays/main/*.yaml (internal k3s,
  customers don't use these manifests).
- pom.xml, .npmrc, ui/Dockerfile (build dependency sources).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-28 16:47:28 +02:00
parent 541ad16e06
commit 843e782340
3 changed files with 5 additions and 5 deletions


@@ -36,7 +36,7 @@ public class DeploymentExecutor {
@Autowired(required = false)
private DockerNetworkManager networkManager;
@Value("${cameleer.server.runtime.baseimage:gitea.siegeln.net/cameleer/cameleer-runtime-base:latest}")
@Value("${cameleer.server.runtime.baseimage:registry.cameleer.io/cameleer/cameleer-runtime-base:latest}")
private String baseImage;
@Value("${cameleer.server.runtime.dockernetwork:cameleer}")
@@ -69,7 +69,7 @@ public class DeploymentExecutor {
@Value("${cameleer.server.runtime.certresolver:}")
private String globalCertResolver;
@Value("${cameleer.server.runtime.loaderimage:gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest}")
@Value("${cameleer.server.runtime.loaderimage:registry.cameleer.io/cameleer/cameleer-runtime-loader:latest}")
private String loaderImage;
@Value("${cameleer.server.runtime.artifacttokenttlseconds:600}")
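Review bot: Both new defaults (`baseImage` in the first hunk and `loaderImage` in the second) keep the mutable `:latest` tag, so a server started with no overrides runs whatever the public alias serves at pull time rather than an image tied to this server release. Consider shipping a release-versioned tag or a digest reference as the default, e.g. `registry.cameleer.io/cameleer/cameleer-runtime-base@sha256:<digest-placeholder>`, and the same for the loader image; the matching defaults in application.yml carry the same tag. Whether the pull path verifies image signatures is not visible in these hunks, so this may already be covered elsewhere. The class body continues outside both hunks.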


@@ -45,7 +45,7 @@ cameleer:
runtime:
enabled: ${CAMELEER_SERVER_RUNTIME_ENABLED:true}
jarstoragepath: ${CAMELEER_SERVER_RUNTIME_JARSTORAGEPATH:/data/jars}
baseimage: ${CAMELEER_SERVER_RUNTIME_BASEIMAGE:gitea.siegeln.net/cameleer/cameleer-runtime-base:latest}
baseimage: ${CAMELEER_SERVER_RUNTIME_BASEIMAGE:registry.cameleer.io/cameleer/cameleer-runtime-base:latest}
dockernetwork: ${CAMELEER_SERVER_RUNTIME_DOCKERNETWORK:cameleer}
# Container runtime override. Empty (default) auto-detects: uses runsc
# (gVisor) if the daemon has it registered, otherwise the daemon default
@@ -65,7 +65,7 @@ cameleer:
# short-lived sidecar that downloads the JAR from a signed URL into a
# per-replica named volume, which the main container then mounts RO at
# /app/jars. See issue #152 close-out + .claude/rules/docker-orchestration.md.
loaderimage: ${CAMELEER_SERVER_RUNTIME_LOADERIMAGE:gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest}
loaderimage: ${CAMELEER_SERVER_RUNTIME_LOADERIMAGE:registry.cameleer.io/cameleer/cameleer-runtime-loader:latest}
artifacttokenttlseconds: ${CAMELEER_SERVER_RUNTIME_ARTIFACTTOKENTTLSECONDS:600}
artifactbaseurl: ${CAMELEER_SERVER_RUNTIME_ARTIFACTBASEURL:}
indexer:
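Review bot: Nothing next to the `baseimage` and `loaderimage` keys records that the default host deliberately differs from the one CI pushes to, or that the same strings are repeated in the `@Value` defaults of DeploymentExecutor.java. A short comment above each key would keep the pair from drifting and stop a later change from reverting the host, e.g. `# Public pull alias for customers; CI pushes to the internal hostname. Keep in sync with the @Value default in DeploymentExecutor.` The commit message says docker-orchestration.md carries this explanation, but that file's hunk is not visible here.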