fix(docker): harden production deployment config for all services

- Add resource limits (memory/CPU) and reservations for all services
- Add security hardening: read_only, no-new-privileges, tmpfs for temp dirs
- Add missing prod services: loki, promtail, pg-backup from dev compose
- Fix API healthcheck to include catch() for proper exit codes
- Add json-file logging driver with rotation limits across all services
- Remove exposed PostgreSQL port in prod (internal only)
- Add shm_size for PostgreSQL shared memory
- Add non-root user (appuser) to AI services Dockerfile
- Add --chown=node:node to COPY directives in API/Web Dockerfiles
- Harden .dockerignore: exclude IDE files, OS files, docker-compose files
- Fix Redis URL to include password authentication
- Add JWT_REFRESH_SECRET to API environment
- Add Grafana dependency on Loki for log datasource

Co-Authored-By: Paperclip <noreply@paperclip.ing>

libs/ai-services/Dockerfile

@@ -24,10 +24,14 @@ COPY app/ ./app/
 # Pre-download underthesea models at build time
 RUN python -c "from underthesea import word_tokenize; word_tokenize('test')" 2>/dev/null || true
 
+RUN useradd --create-home --shell /bin/bash appuser && chown -R appuser:appuser /app
+
 EXPOSE 8000
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
     CMD python -c "import httpx; httpx.get('http://localhost:8000/health').raise_for_status()"
 
+USER appuser
+
 ENTRYPOINT ["dumb-init", "--"]
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "30"]