Improve GHCR pull troubleshooting and post-publish visibility checks

[dhruv7539]

Summary

• document GHCR auth fallback steps when docker pull ghcr.io/gleanwork/local-mcp-server:latest returns denied / 403
• add source-build fallback instructions in local server docs
• add a post-publish workflow job that verifies anonymous pull access and emits a warning when the image is not publicly pullable

Why

Issue reports indicate users may hit GHCR permission errors while trying to adopt Docker-based local MCP server deployment. This change improves user-facing troubleshooting and adds CI visibility when package/image visibility drifts from expected public access.

Validation

• npx -y pnpm@9.15.9 -r test
• npx -y pnpm@9.15.9 exec prettier --check packages/local-mcp-server/README.md docs/troubleshooting.md .github/workflows/publish-docker.yml

Related to #318
Related to #106

[dhruv7539]

Pushed a follow-up commit to strengthen the GHCR side of this PR:\n\n- switched anonymous GHCR verification from warning-only to enforced check (with retry for propagation delay)\n- added anonymous docker pull + runtime smoke test (node --version and MCP initialize handshake)\n- updated troubleshooting docs to mention short GHCR propagation windows after publish\n\nCommit: 7d0a94f