fix(infra): harden AI service — graceful shutdown, rate limiting, API key auth, pinned deps, Grafana secrets

- Add dumb-init + --timeout-graceful-shutdown 30 to AI service Dockerfile
- Add slowapi rate limiting (configurable via AI_RATE_LIMIT) and X-API-Key auth middleware
- Pin all Python dependencies to exact versions for reproducible builds
- Move Grafana admin credentials from env vars to Docker secrets in production compose

Co-Authored-By: Paperclip <noreply@paperclip.ing>

libs/ai-services/Dockerfile

@@ -2,21 +2,22 @@ FROM python:3.12-slim
 
 WORKDIR /app
 
-# Install system deps for underthesea / numpy
+# Install system deps for underthesea / numpy + dumb-init for signal handling
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends gcc g++ && \
+    apt-get install -y --no-install-recommends gcc g++ dumb-init && \
     rm -rf /var/lib/apt/lists/*
 
 COPY pyproject.toml .
 RUN pip install --no-cache-dir . 2>/dev/null || pip install --no-cache-dir \
-    "fastapi>=0.115.0" \
-    "uvicorn[standard]>=0.32.0" \
-    "xgboost>=2.1.0" \
-    "numpy>=1.26.0" \
-    "underthesea>=6.8.0" \
-    "pydantic>=2.9.0" \
-    "pydantic-settings>=2.5.0" \
-    "httpx>=0.27.0"
+    "fastapi==0.115.0" \
+    "uvicorn[standard]==0.32.0" \
+    "xgboost==2.1.0" \
+    "numpy==1.26.4" \
+    "underthesea==6.8.0" \
+    "pydantic==2.9.0" \
+    "pydantic-settings==2.5.0" \
+    "httpx==0.27.0" \
+    "slowapi==0.1.9"
 
 COPY app/ ./app/
 
@@ -28,4 +29,5 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
     CMD python -c "import httpx; httpx.get('http://localhost:8000/health').raise_for_status()"
 
-CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
+ENTRYPOINT ["dumb-init", "--"]
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "30"]