4 Commits

Author SHA1 Message Date
fca3190eb1 Chore: Add comment to Dockerfile.prod flagging explicit directory list
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-10 00:42:16 +00:00

27425889b3 Fix: Include scripts/ in production Docker image
Dockerfile.prod explicitly listed copied directories and omitted
scripts/, so the migration script was absent from the prod image.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-10 00:18:48 +00:00

bf27c97deb Feat: Add Kubernetes manifests for k3s production deployment
Adds complete k8s/ manifest tree: Namespace, VaultAuth + VaultStaticSecret
CRDs (VSO secret sync from Vault KV v2), API and UI Deployments and Services,
nginx Ingress with cert-manager TLS, MinIO StatefulSet with PVC and init Job,
and Alembic init container on the API Deployment for automatic schema
migrations. Includes .yamllint.yml config and validate-k8s Makefile target.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 21:19:09 +00:00

12176471e1 Feat: Add production-grade multi-stage container image for API
Two-stage build (uv builder + python:3.12-slim runtime) with non-root
user (UID 1001), no dev deps, layer-cache-optimised dep install, and
graceful SIGTERM shutdown. Verified by api/tests/build/verify_production_image.sh
covering build, health endpoint, non-root, stdout logging, secret-free
layers, missing-env-var exit, and dep-layer cache hit. All 102 integration
tests still pass; shellcheck clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 19:59:29 +00:00