fix(docker): remediate all DockerSpec violations for field trial

- Replace docker-compose.yml → compose.yaml (modern Compose Spec, no version header)
- Replace docker-compose.monitoring.yml → compose.monitoring.yaml
- Remove deprecated version: '3.x' headers from both compose files
- Add dedicated app-tier bridge network (no default bridge)
- Add restart: unless-stopped to all services
- Add deploy.resources.limits (memory + cpu) to all services
- Add healthcheck to app service (curl /health)
- Add healthchecks to prometheus and grafana in monitoring overlay
- Externalize postgres credentials to env vars (POSTGRES_USER/PASSWORD/DB)
- Externalize grafana admin password to GF_ADMIN_PASSWORD env var
- Make env_file optional (required: false) for CI/field-trial environments
- Update Dockerfile: node:18-alpine → node:20.11-bookworm-slim (pinned version)
- Add explicit non-root system user/group (nodejs:1001/nodeapp:1001)
- Add curl install to final stage for healthcheck probe
- Copy src/db/migrations from build stage (not host bind)
- Expand .dockerignore: tmp/, temp/, *.env.*, compose files, Dockerfiles
- Add .env.example to git (was ignored by .env.* rule — add !.env.example exception)
- Add POSTGRES_USER/PASSWORD/DB and GF_ADMIN_PASSWORD to .env.example

All compose files pass: docker compose config --quiet ✅

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

compose.monitoring.yaml

@@ -0,0 +1,69 @@
+# SentryAgent.ai AgentIdP — Monitoring Overlay
+# Compose Specification (no version header — deprecated per modern Compose Spec)
+# Usage: docker compose -f compose.yaml -f compose.monitoring.yaml up
+
+services:
+  prometheus:
+    image: prom/prometheus:v2.53.0
+    volumes:
+      - ./monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - prometheus-data:/prometheus
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--storage.tsdb.path=/prometheus'
+      - '--web.console.libraries=/etc/prometheus/console_libraries'
+      - '--web.console.templates=/etc/prometheus/consoles'
+      - '--web.enable-lifecycle'
+    ports:
+      - '9090:9090'
+    networks:
+      - app-tier
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+          cpus: '0.5'
+    healthcheck:
+      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:9090/-/healthy']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+  grafana:
+    image: grafana/grafana:11.2.0
+    volumes:
+      - grafana-data:/var/lib/grafana
+      - ./monitoring/grafana/provisioning:/etc/grafana/provisioning:ro
+      - ./monitoring/grafana/dashboards:/var/lib/grafana/dashboards:ro
+    environment:
+      GF_SECURITY_ADMIN_PASSWORD: ${GF_ADMIN_PASSWORD}
+      GF_USERS_ALLOW_SIGN_UP: 'false'
+      GF_AUTH_ANONYMOUS_ENABLED: 'false'
+    ports:
+      - '3001:3000'
+    networks:
+      - app-tier
+    depends_on:
+      - prometheus
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+          cpus: '0.5'
+    healthcheck:
+      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:3000/api/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+volumes:
+  prometheus-data:
+  grafana-data:
+
+networks:
+  app-tier:
+    external: true