Work in the `platform` repo and use the existing Gitea issues as the source of truth.

Repo:
- `yusiboyz/platform`

Primary tracking issue:
- `#1 Production Security and Readiness Remediation`

Current status from latest audit:
- Fixed: `#2` registration disable, frontend proxy auth, Trips share protection, Fitness authz repair, gateway cookie hardening, budget dependency fix
- Partial/Open: `#2`, `#5`, `#6`, `#7`, `#9`, `#10`

Your job:
- Read issue `#1` and child issues `#2` through `#10`
- Re-verify the repo state before changing anything
- Then fix the remaining open items in priority order
- Make code changes directly
- After each issue-sized change, verify it and post a concise Gitea comment with:
  - what changed
  - files touched
  - verification performed
  - what still remains, if anything
- Close only issues whose acceptance criteria are fully satisfied

Priority order:
1. `#6 Repository Hygiene: Remove Tracked Secrets and Runtime Databases`
2. `#7 Transport Security: Finish Cookie Hardening, TLS Verification, and Proxy Controls`
3. `#2 Auth Boundary: Registration and Default Credentials`
4. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
5. `#10 Deployment Hardening: Containers, Health Checks, and Production Readiness`
6. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`

Specific required fixes:
- `#6`
  - Stop tracking live `.env` and `.db` artifacts
  - Add or correct ignore rules
  - Replace tracked secrets with safe example/config templates where needed
  - Clearly separate code changes from any manual secret rotation steps
- `#7`
  - Remove insecure internal TLS config that disables hostname/cert verification
  - Keep secure cookie behavior consistent across login/logout and relevant services
- `#2`
  - Enforce fail-fast startup for missing required auth secrets where appropriate
  - Remove remaining weak/default credential behavior from runtime config paths
- `#5`
  - Reduce gateway service-global trust where feasible
  - Tighten internal service auth expectations and documentation
  - Remove or protect remaining overly permissive internal/debug surfaces
- `#10`
  - Harden remaining Dockerfiles, especially Node services
  - Add health checks and non-root users where missing
- `#9`
  - Address the worst full-scan summary endpoints first
  - Prefer targeted, minimal performance fixes over broad refactors

Constraints:
- Do not revert unrelated user changes
- Keep changes minimal and production-oriented
- Do not claim something is fixed unless code and verification support it
- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary

Final output format:
- `Completed:` issue numbers fully resolved
- `Partial:` issue numbers partially resolved and what remains
- `Blocked:` issue numbers blocked and why
- `Manual ops actions:` exact actions still required outside code