fix: infrastructure hardening and documentation improvements

- Add *.sqlite* patterns to .gitignore
- Expand .dockerignore to exclude chart/, docs/, .github/, etc.
- Add HEALTHCHECK instruction to Dockerfile
- Fix Helm chart: preserve JWT secret across upgrades (lookup),
  add securityContext, conditional PVC creation, resource defaults
- Remove hardcoded demo credentials from MCP.md
- Complete .env.example with all configurable environment variables

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8

chart/templates/deployment.yaml

@@ -20,10 +20,16 @@ spec:
         - name: {{ .name }}
         {{- end }}
       {{- end }}
+      securityContext:
+        fsGroup: 1000
       containers:
         - name: trek
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: 3000
           envFrom:

chart/templates/pvc.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.persistence.enabled }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -23,3 +24,4 @@ spec:
   resources:
     requests:
       storage: {{ .Values.persistence.uploads.size }}
+{{- end }}

chart/templates/secret.yaml

@@ -11,13 +11,19 @@ data:
 {{- end }}
 
 {{- if and (not .Values.existingSecret) (.Values.generateJwtSecret) }}
+{{- $secretName := printf "%s-secret" (include "trek.fullname" .) }}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "trek.fullname" . }}-secret
+  name: {{ $secretName }}
   labels:
     app: {{ include "trek.name" . }}
 type: Opaque
 stringData:
+  {{- if and $existingSecret $existingSecret.data }}
+  {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ index $existingSecret.data (.Values.existingSecretKey | default "JWT_SECRET") | b64dec }}
+  {{- else }}
   {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ randAlphaNum 32 }}
+  {{- end }}
 {{- end }}

chart/values.yaml

@@ -38,7 +38,13 @@ persistence:
   uploads:
     size: 1Gi
 
-resources: {}
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
 
 ingress:
   enabled: false