fix: remaining security and deployment hardening (#6 #7 #10)

#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains

#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks

All services verified: gateway, trips, fitness, inventory, budget, frontend

claude_code_remaining_fixes_prompt.txt

@@ -0,0 +1,66 @@
+Work in the `platform` repo and use the existing Gitea issues as the source of truth.
+
+Repo:
+- `yusiboyz/platform`
+
+Primary tracking issue:
+- `#1 Production Security and Readiness Remediation`
+
+Current status from latest audit:
+- Fixed: `#2` registration disable, frontend proxy auth, Trips share protection, Fitness authz repair, gateway cookie hardening, budget dependency fix
+- Partial/Open: `#2`, `#5`, `#6`, `#7`, `#9`, `#10`
+
+Your job:
+- Read issue `#1` and child issues `#2` through `#10`
+- Re-verify the repo state before changing anything
+- Then fix the remaining open items in priority order
+- Make code changes directly
+- After each issue-sized change, verify it and post a concise Gitea comment with:
+  - what changed
+  - files touched
+  - verification performed
+  - what still remains, if anything
+- Close only issues whose acceptance criteria are fully satisfied
+
+Priority order:
+1. `#6 Repository Hygiene: Remove Tracked Secrets and Runtime Databases`
+2. `#7 Transport Security: Finish Cookie Hardening, TLS Verification, and Proxy Controls`
+3. `#2 Auth Boundary: Registration and Default Credentials`
+4. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
+5. `#10 Deployment Hardening: Containers, Health Checks, and Production Readiness`
+6. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`
+
+Specific required fixes:
+- `#6`
+  - Stop tracking live `.env` and `.db` artifacts
+  - Add or correct ignore rules
+  - Replace tracked secrets with safe example/config templates where needed
+  - Clearly separate code changes from any manual secret rotation steps
+- `#7`
+  - Remove insecure internal TLS config that disables hostname/cert verification
+  - Keep secure cookie behavior consistent across login/logout and relevant services
+- `#2`
+  - Enforce fail-fast startup for missing required auth secrets where appropriate
+  - Remove remaining weak/default credential behavior from runtime config paths
+- `#5`
+  - Reduce gateway service-global trust where feasible
+  - Tighten internal service auth expectations and documentation
+  - Remove or protect remaining overly permissive internal/debug surfaces
+- `#10`
+  - Harden remaining Dockerfiles, especially Node services
+  - Add health checks and non-root users where missing
+- `#9`
+  - Address the worst full-scan summary endpoints first
+  - Prefer targeted, minimal performance fixes over broad refactors
+
+Constraints:
+- Do not revert unrelated user changes
+- Keep changes minimal and production-oriented
+- Do not claim something is fixed unless code and verification support it
+- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary
+
+Final output format:
+- `Completed:` issue numbers fully resolved
+- `Partial:` issue numbers partially resolved and what remains
+- `Blocked:` issue numbers blocked and why
+- `Manual ops actions:` exact actions still required outside code