feat: implement 15 production items (SSE, security, observability, features, infra)

Performance:
- SSE dashboard streaming endpoint (GET /v1/admin/status/stream)
- Web Worker for markdown rendering (offload from main thread)
- IndexedDB chat persistence (replace localStorage, 500msg support)

Security:
- CSRF protection middleware (Origin/Referer validation)
- Content Security Policy + security headers middleware
- API key rotation endpoint (POST /v1/admin/keys/rotate)

Observability:
- OpenTelemetry tracing with graceful NoOp fallback
- Structured error codes (FAGI-xxxx taxonomy with ErrorResponse schema)
- Audit log export (CSV + JSON at /v1/admin/audit/export/*)

Features:
- Multi-session management hook (parallel conversations)
- Conversation export (markdown/JSON/text download + clipboard)
- Head customization UI (enable/disable + weight sliders for 12 heads)

Infrastructure:
- Kubernetes Helm chart (Deployment, Service, HPA, Ingress)
- Database migration versioning (generate, verify commands)
- Blue-green deployment manifests (color-based traffic switching)

Tests: 598 Python + 56 frontend = 654 total, 0 ruff errors
Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>

migrations/migrate.py

@@ -107,6 +107,49 @@ def show_status(db_path: str = DEFAULT_DB) -> None:
         print(f"  {version}: {status}")
 
 
+def generate(name: str) -> Path:
+    """Generate a new numbered migration file.
+
+    Args:
+        name: Migration description (e.g., "add_tenants_table").
+
+    Returns:
+        Path to the newly created migration file.
+    """
+    existing = get_migration_files()
+    next_num = len(existing) + 1
+    version = f"{next_num:03d}_{name}"
+    path = VERSIONS_DIR / f"{version}.sql"
+    path.write_text("-- UP\n-- Write your migration SQL here\n\n-- DOWN\n-- Write your rollback SQL here\n")
+    print(f"Generated: {path}")
+    return path
+
+
+def verify(db_path: str = DEFAULT_DB) -> bool:
+    """Verify that all migrations can be applied cleanly.
+
+    Creates a temporary in-memory database and applies all migrations.
+
+    Returns:
+        True if all migrations apply successfully.
+    """
+    import tempfile
+
+    with tempfile.NamedTemporaryFile(suffix=".db", delete=True) as f:
+        temp_path = f.name
+
+    try:
+        count = migrate_up(temp_path)
+        print(f"Verification passed: {count} migrations applied cleanly")
+        return True
+    except Exception as e:
+        print(f"Verification FAILED: {e}")
+        return False
+    finally:
+        if os.path.exists(temp_path):
+            os.unlink(temp_path)
+
+
 if __name__ == "__main__":
     cmd = sys.argv[1] if len(sys.argv) > 1 else "status"
     db = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_DB
@@ -116,5 +159,10 @@ if __name__ == "__main__":
         migrate_down(db)
     elif cmd == "status":
         show_status(db)
+    elif cmd == "generate":
+        name = sys.argv[2] if len(sys.argv) > 2 else "unnamed"
+        generate(name)
+    elif cmd == "verify":
+        verify(db)
     else:
-        print(f"Unknown command: {cmd}. Use: up, down, status")
+        print(f"Unknown command: {cmd}. Use: up, down, status, generate, verify")

migrations/versions/002_add_sessions_and_audit.sql

@@ -0,0 +1,42 @@
+-- UP
+CREATE TABLE IF NOT EXISTS sessions (
+    session_id TEXT PRIMARY KEY,
+    user_id TEXT,
+    tenant_id TEXT DEFAULT 'default',
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    metadata TEXT DEFAULT '{}'
+);
+
+CREATE TABLE IF NOT EXISTS audit_log (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    action TEXT NOT NULL,
+    actor TEXT,
+    resource_type TEXT,
+    resource_id TEXT,
+    details TEXT DEFAULT '{}',
+    ip_address TEXT,
+    tenant_id TEXT DEFAULT 'default'
+);
+
+CREATE TABLE IF NOT EXISTS api_keys (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    key_prefix TEXT NOT NULL,
+    key_hash TEXT NOT NULL,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP,
+    rotated_at TIMESTAMP,
+    active INTEGER DEFAULT 1,
+    tenant_id TEXT DEFAULT 'default'
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_tenant ON sessions(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON audit_log(timestamp);
+CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_log(action);
+CREATE INDEX IF NOT EXISTS idx_api_keys_prefix ON api_keys(key_prefix);
+
+-- DOWN
+DROP TABLE IF EXISTS api_keys;
+DROP TABLE IF EXISTS audit_log;
+DROP TABLE IF EXISTS sessions;