v2.2.0 Docker plugin installs + privacy hardening

@bigin bigin released this 01 Jun 16:00
· 2 commits to master since this release

Install non-Packagist plugins into the Docker image, stop leaking visitor IPs to a third-party CDN, and a generic "deploy a site as a Scriptor fork" guide. All additive; no breaking changes since 2.1.0.

Added

  • SCRIPTOR_PLUGIN_REPOS Docker build-arg. Scriptor's own composer.json ships clean (no plugin VCS sources), so the image needs a generic way to learn where to fetch non-Packagist plugins. The new build-arg takes a space-separated list of VCS URLs and registers each via composer config repositories.* ahead of the existing SCRIPTOR_PLUGINS require. Orthogonal args: REPOS = where, PLUGINS = which. (docs/install.md, docs/demo.md.)
  • "Deploy a site as a Scriptor fork" guide (docs/deploy-as-fork.md). Two remotes (origin = site, upstream = Scriptor), the additive "never edit Scriptor's files" rule, 3-way-merge behaviour, tag-based updates, and the docker-compose.override.yml overlay plus the prod overlay. Linked from the README.

Fixed

  • The basic theme bundles UIkit locally instead of the jsDelivr CDN. The theme previously loaded uikit.min.css/js from cdn.jsdelivr.net, which sent every visitor's IP to a third-party CDN on page load, a privacy/GDPR concern. UIkit 3.9.4 (the exact version the CDN served) is now vendored under the theme's public assets and referenced via themeAssetUrl().
  • Plugin VCS repos register with no-api for reproducible builds. Composer otherwise resolved github.com metadata through the rate-limited GitHub API and fell back to an SSH clone the build container has no key for. Each repo is now {"type":"vcs","url":…,"no-api":true}, so public repos build with no token and no SSH key.
  • Site::$version / Editor::$version report the real version. Both were stuck at 2.0.0-dev since 2.0.0; they now read 2.2.0.

Changed

  • composer.json drops the bigins/* plugin VCS repositories. Scriptor ships as a clean, generic CMS; plugin source URLs are consumer concerns, supplied by whatever site installs the plugins (e.g. scriptor-cms-site at Docker build time).
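
An added sketch (not Scriptor's own Dockerfile logic) of how a space-separated SCRIPTOR_PLUGIN_REPOS list can be turned into composer config repositories.* entries with no-api set, as the notes above describe. The COMPOSER_BIN override, the plugin-N repository keys, the https-only check and the sample URLs are assumptions made for the example.

```sh
#!/bin/sh
# Added illustration. Only SCRIPTOR_PLUGIN_REPOS and the repository JSON shape
# come from the release notes; every other name here is hypothetical.

# Print the Composer repository definition for one VCS URL.
# "no-api" makes Composer clone the repo instead of querying the GitHub API.
repo_json() {
    printf '{"type":"vcs","url":"%s","no-api":true}' "$1"
}

# Register every URL in a space-separated list.
# Validates the whole list first, so a bad entry registers nothing.
register_plugin_repos() {
    repos=$1
    composer_bin=${COMPOSER_BIN:-composer}
    set -f  # no glob expansion while the list is word-split
    for url in $repos; do
        case $url in
            https://*) ;;  # assumption: the build has no SSH key, so https only
            *) echo "rejected (not https): $url" >&2; set +f; return 1 ;;
        esac
        case $url in
            # Anything that could break out of the JSON string is refused.
            *[!A-Za-z0-9:/._~-]*)
                echo "rejected (unexpected character): $url" >&2
                set +f; return 1 ;;
        esac
    done
    i=0
    for url in $repos; do
        "$composer_bin" config "repositories.plugin-$i" "$(repo_json "$url")" \
            || { set +f; return 1; }
        i=$((i + 1))
    done
    set +f
}

# Constructed sample list. COMPOSER_BIN=echo prints the calls instead of
# running Composer; the subshell keeps that override out of a real build.
(
    COMPOSER_BIN=echo
    register_plugin_repos "https://github.com/example/plugin-a https://github.com/example/plugin-b"
)
```

Validating the full list before the first composer call keeps a typo in one URL from leaving composer.json half-configured.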