fix: remaining security and deployment hardening (#6 #7 #10)

#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains

#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks

All services verified: gateway, trips, fitness, inventory, budget, frontend

services/budget/Dockerfile

@@ -2,13 +2,17 @@ FROM node:20-alpine
 
 WORKDIR /app
 
-COPY package.json ./
-RUN npm install --production
+COPY package.json package-lock.json ./
+RUN npm ci --production
 
 COPY server.js ./
 
-RUN mkdir -p /app/data
+RUN mkdir -p /app/data && chown -R node:node /app/data
 
 EXPOSE 3001
+ENV NODE_ENV=production
 
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD wget -qO- http://localhost:3001/health || exit 1
+
+USER node
 CMD ["node", "server.js"]

services/budget/server.js

@@ -11,6 +11,9 @@ const app = express();
 app.use(cors());
 app.use(express.json());
 
+// Health check (before auth middleware)
+app.get('/health', (req, res) => res.json({ status: 'ok', ready }));
+
 // API key auth middleware — require X-API-Key header on all routes
 const SERVICE_API_KEY = process.env.SERVICE_API_KEY || '';
 if (SERVICE_API_KEY) {