PRE-RELEASE 0.9.1: Makefile, Debian packaging, versioned UDP

Build and release tooling:
- Makefile with help as default; targets: build/build-amd64/build-arm64,
  test, lint, proto, pkg-deb, docker, docker-push, clean, plus
  install-deps (+ three sub-targets for apt / Go toolchain / Go tools).
- internal/version package; -ldflags -X injects Version/Commit/Date into
  every binary. -version flag on all four binaries (nginx-logtail version
  for the CLI).
- Dockerfile takes VERSION/COMMIT/DATE build-args and forwards them.
- .deb output lands in build/; .gitignore ignores /build/.

Debian package:
- debian/build-deb.sh packages all four static binaries into a single
  nginx-logtail_<ver>_<arch>.deb using dpkg-deb.
- Binary layout: /usr/sbin/nginx-logtail-{collector,aggregator,frontend}
  and /usr/bin/nginx-logtail.
- nginx-logtail(8) manpage.
- Three systemd units (collector, aggregator, frontend) shipped under
  /lib/systemd/system/. Installed but never enabled or started — the
  operator opts in per host.
- Collector runs as _logtail:www-data (log access); aggregator and
  frontend as _logtail:_logtail. postinst creates the system user/group
  idempotently.
- Single shared env file /etc/default/nginx-logtail rendered from a
  template at first install with %HOSTNAME% substituted. Sensible
  defaults for every COLLECTOR_*, AGGREGATOR_*, FRONTEND_* variable;
  plus COLLECTOR_ARGS / AGGREGATOR_ARGS / FRONTEND_ARGS escape hatches
  appended to ExecStart. Not a dpkg conffile: operator edits survive
  upgrades and dpkg --purge removes it.

Versioned UDP wire format:
- ParseUDPLine dispatches on a leading "v<N>\t" tag; v1 routes to the
  existing 12-field parser. Unknown/missing versions fail closed so
  future v2 parsers can land before emitters are upgraded.
- Tests updated; design.md FR-2.2 rewritten to make the version tag
  normative.

Docs:
- README.md gains a Quick Start (Debian / Docker Compose / from source).
- user-guide.md rewritten around Installation and Configuration: full
  env-var table, UDP-only default explained, precise file/UDP log_format
  layouts, note that operators can emit "0" for unknown \$is_tor / \$asn.
- Drilldown cycle, frontend filter table, and CLI --group-by list all
  include source_tag. UDP counters documented in the Prometheus section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cmd/collector/parser.go

@@ -63,17 +63,33 @@ func ParseLine(line string, v4bits, v6bits int) (LogRecord, bool) {
 	}, true
 }
 
-// ParseUDPLine parses a tab-separated logtail log line from the UDP listener:
+// ParseUDPLine dispatches on the version prefix emitted by
+// nginx-ipng-stats-plugin's ipng_stats_logtail directive. The wire format is
+// "v<N>\t<payload>", where <payload> is version-specific. Unknown or missing
+// versions return false so operators can roll out a v2 parser before
+// upgrading emitters.
+func ParseUDPLine(line string, v4bits, v6bits int) (LogRecord, bool) {
+	i := strings.IndexByte(line, '\t')
+	if i < 0 {
+		return LogRecord{}, false
+	}
+	switch line[:i] {
+	case "v1":
+		return parseUDPLineV1(line[i+1:], v4bits, v6bits)
+	default:
+		return LogRecord{}, false
+	}
+}
+
+// parseUDPLineV1 parses the v1 payload (12 tab-separated fields):
 //
 //	$host \t $remote_addr \t $request_method \t $request_uri \t $status \t
 //	$body_bytes_sent \t $request_time \t $is_tor \t $asn \t
 //	$ipng_source_tag \t $server_addr \t $scheme
 //
-// All 12 fields are required. server_addr and scheme are consumed but not
-// propagated. Returns false for any malformed packet (wrong field count,
-// bad IP).
-func ParseUDPLine(line string, v4bits, v6bits int) (LogRecord, bool) {
-	fields := strings.Split(line, "\t")
+// server_addr and scheme are parsed but discarded.
+func parseUDPLineV1(payload string, v4bits, v6bits int) (LogRecord, bool) {
+	fields := strings.Split(payload, "\t")
 	if len(fields) != 12 {
 		return LogRecord{}, false
 	}