Remove dead public headful payloads #275

Draft
IlyaasK wants to merge 1 commit into main from hypeship/remove-public-dead-payloads

@IlyaasK IlyaasK commented Jun 4, 2026

Summary

This is the public-repo equivalent of the private dead-payload cleanup PR, with the additional public-only tracked server/api binary removed.

What changed:

  • Deletes images/chromium-headful/image-chromium/, including old demo HTML, Streamlit config, static-content files, tint2 config, and legacy startup scripts.
  • Removes the broad COPY images/chromium-headful/image-chromium/ / from the public headful Dockerfile.
  • Deletes the tracked server/api binary artifact.
  • Adds server/api to .dockerignore so local rebuilt API binaries do not get sent in Docker build context.
  • Leaves the current supervised headful runtime path intact: the image still copies Neko config, supervisor service definitions, WebRTC client output, Envoy config, cert bootstrap, API binary from the builder stage, Chromium launcher, wrapper, Playwright daemon bundle, and extensions via current explicit Dockerfile steps.

Why

The removed image-chromium directory was an old payload copied directly into / during the headful image build. The current image no longer uses that legacy startup/demo path, and the broad root copy makes it easy for unrelated files under image-chromium to silently land in the final runtime image.

The tracked server/api binary is a local build artifact. The Dockerfile compiles/copies the runtime API binary from the build stages; it does not need a checked-in executable under server/api. Keeping it tracked increases repository size and can invalidate Docker build context/layers when the binary changes.

Git History / Removal Rationale

| removed item | likely reason it was added | why it is removed here |
| --- | --- | --- |
| entrypoint.sh, start_all.sh, xvfb_startup.sh, mutter_startup.sh, tint2_startup.sh | Added with the WebRTC OSS launch (5c71470, PR #13) from the old headful demo image. These scripts manually started Xvfb, tint2, mutter, x11vnc/noVNC, then launched a demo server. | The current headful image uses supervisor service definitions, wrapper scripts, Neko/WebRTC components, and explicit Dockerfile copies. These legacy scripts are not the active process model. |
| http_server.py, index.html, static_content/index.html, .streamlit/config.toml | Added with the same demo payload. The old entrypoint started a Python static server and Streamlit demo app and printed local demo instructions. | The current public runtime does not launch that demo stack. Keeping this content in / only preserves stale files that are not part of the current browser/session path. |
| .config/tint2/* | Added to support the old desktop panel configuration used by the demo/Xvfb/tint2 startup scripts. | Current headful runtime behavior is managed by the current image service/config path; this tint2 payload is only reachable through the removed legacy startup scripts. |
| COPY images/chromium-headful/image-chromium/ / | Added during the save/reuse user-data and supervisor transition. It preserved the old root payload while the image moved toward explicit supervised services. | The broad copy is now the risky part: any file under the legacy directory silently mutates the final root filesystem. Current-purpose files are already copied explicitly elsewhere in the Dockerfile. |
| server/api | Added as a 14 MB executable in 0fba5a0 (PR #148), alongside smooth mouse movement source changes. A later PR (9816e34, PR #164) added server/api to .gitignore, which strongly suggests it was recognized as a local build artifact but was already tracked. | The image build compiles the API from source; the tracked binary is not referenced by Dockerfiles or runtime code. This PR removes it from git and adds .dockerignore coverage so local rebuilds do not pollute Docker context. |

Validation

Ran locally:

  • docker build --check -f images/chromium-headful/Dockerfile .
  • cd server && go test -run TestDoesNotExist ./e2e
  • cd server && go test $(go list ./... | grep -v '/e2e$')
  • rg -n "image-chromium|entrypoint.sh|http_server.py|start_all.sh|tint2_startup|xvfb_startup|mutter_startup|server/api" -S . || true

Unknowns / Final Gates

  • The deleted legacy payload did not have current references after removal. Full image CI/e2e still needs to pass on the pushed branch.
  • Public does not have the private CapMonster e2e test file that changed in private PR security: vulnerability remediation #200, so this PR does not include that private-only test hardening.
  • The tracked server/api binary is removed from git, but local developers can still build a local server/api; .gitignore and now .dockerignore keep it out of commits and Docker build context.

Fast Docker Review

This PR follows the fast-build guidance by removing dead build context and a broad root copy from the headful image.

Against the checklist:

  • The old image-chromium root payload copy is removed, so files cannot silently land in / just because they sit under a legacy directory.
  • The tracked server/api binary is removed and added to .dockerignore, so local binary rebuilds do not invalidate image build context or layers.
  • The current runtime files continue to be copied explicitly where the Dockerfile needs them.
  • No build tools are added to runtime images, and no source copies are moved earlier in the Dockerfile.
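
An added example, not part of this PR or the project's code: a Python check for the broad root copy described above. It parses Dockerfile text, flags `COPY`/`ADD` instructions that copy a build-context directory to `/`, and maps which context files would land in the image root. The sample Dockerfile and file list are constructed; only the broad `COPY` line and the file names under `image-chromium/` come from the description, and the trailing-slash test for "is a directory" is a heuristic.

```python
import json
import shlex

def copy_instructions(text):
    """Yield (lineno, flags, sources, dest) for each COPY/ADD instruction."""
    logical, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if logical else n
        logical += line.rstrip("\\") + " "
        if line.endswith("\\"):
            continue  # instruction continues on the next line
        instr, logical = logical.split(None, 1), ""
        if len(instr) < 2 or instr[0].upper() not in ("COPY", "ADD"):
            continue
        rest, flags = instr[1].strip(), []
        while rest.startswith("--"):  # leading options such as --from= or --chown=
            flag, rest = (rest.split(None, 1) + [""])[:2]
            flags.append(flag)
        # JSON (exec) form or shell form; the last path is the destination
        paths = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
        if len(paths) >= 2:
            yield start, flags, paths[:-1], paths[-1]

def broad_root_copies(text):
    """Return (lineno, source) for context directories copied to the image root."""
    findings = []
    for lineno, flags, sources, dest in copy_instructions(text):
        # dest made only of "/" is the root; --from= copies come from a stage
        if set(dest) == {"/"} and not any(f.startswith("--from=") for f in flags):
            findings += [(lineno, s) for s in sources if s.endswith("/") or s == "."]
    return findings

def root_payload(source_dir, context_files):
    """Map each context file under source_dir to the path it gets in the image."""
    prefix = "" if source_dir == "." else source_dir.rstrip("/") + "/"
    return {f: "/" + f[len(prefix):] for f in context_files if f.startswith(prefix)}

# Constructed sample input, not the project's real Dockerfile or file list.
SAMPLE_DOCKERFILE = """\
FROM example-base
COPY --from=builder /out/api /usr/local/bin/api
COPY images/chromium-headful/image-chromium/ /
"""
SAMPLE_CONTEXT = [
    "images/chromium-headful/image-chromium/entrypoint.sh",
    "images/chromium-headful/image-chromium/.streamlit/config.toml",
    "images/chromium-headful/Dockerfile",
]
```

Calling `broad_root_copies(SAMPLE_DOCKERFILE)` and passing each flagged source to `root_payload` with the output of `git ls-files` gives the list of files that a new commit under that directory would add to `/` without any Dockerfile change.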

@IlyaasK IlyaasK requested review from sjmiller609 and removed request for sjmiller609 June 4, 2026 14:35