fix(infra): harden AI service — graceful shutdown, rate limiting, API key auth, pinned deps, Grafana secrets

- Add dumb-init + --timeout-graceful-shutdown 30 to AI service Dockerfile
- Add slowapi rate limiting (configurable via AI_RATE_LIMIT) and X-API-Key auth middleware
- Pin all Python dependencies to exact versions for reproducible builds
- Move Grafana admin credentials from env vars to Docker secrets in production compose

Co-Authored-By: Paperclip <noreply@paperclip.ing>

libs/ai-services/app/middleware.py

@@ -0,0 +1,23 @@
+import hmac
+from typing import Optional
+
+from fastapi import Depends, HTTPException, Security, status
+from fastapi.security import APIKeyHeader
+
+from app.config import settings
+
+api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
+
+
+async def verify_api_key(
+    api_key: Optional[str] = Security(api_key_header),
+) -> str:
+    """Validate X-API-Key header. Skipped when AI_API_KEY is not configured."""
+    if not settings.api_key:
+        return "no-auth"
+    if not api_key or not hmac.compare_digest(api_key, settings.api_key):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or missing API key",
+        )
+    return api_key