Problem
The db service has a proper healthcheck and app correctly waits on it via condition: service_healthy. But the app container itself has zero health observability:
- Dockerfile - no HEALTHCHECK instruction. Docker marks the container as running the moment the process starts, regardless of whether Uvicorn is actually accepting connections.
- docker-compose.yml app service - no healthcheck block. The downstream tunnel service does a blind depends_on: app with no condition, so Cloudflare Tunnel will start forwarding traffic to a potentially unready or stuck backend.
This means:
- docker ps never shows (unhealthy) for the app, even if the FastAPI lifespan hangs, LLM verification fails, or the server enters a broken state.
- Container orchestrators (Compose, Swarm, ECS, K8s with Docker healthcheck bridge) have no signal to restart or drain the container.
- The tunnel service can start routing external traffic to a backend that isn't ready to serve.
- We already expose GET /api/health - we're just not using it.
Root Cause
Oversight. The health endpoint was built but never wired into the container infrastructure.
@njbrake Happy to raise a PR
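
A sketch of the wiring this issue asks for, as an added example that is not part of the original issue or the project's own files: a Compose healthcheck on app that probes GET /api/health, with tunnel gated on service_healthy. The port (8000), the timing values and the presence of a python binary in the image are assumptions.

```yaml
# Added example, not the project's docker-compose.yml.
# Assumptions: Uvicorn listens on port 8000 inside the container, the image
# ships a python interpreter, and the timing values suit the app's startup.
services:
  app:
    # ... existing build/environment keys unchanged ...
    depends_on:
      db:
        condition: service_healthy   # already in place per the issue
    healthcheck:
      # Probe the existing GET /api/health endpoint from inside the container.
      # urlopen raises on connection refused, timeout, or a non-2xx status,
      # so the interpreter exits non-zero and Docker counts a failed check.
      test:
        - CMD
        - python
        - -c
        - "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/api/health', timeout=3)"
      interval: 15s       # time between probes
      timeout: 5s         # a probe that hangs longer than this counts as failed
      retries: 3          # consecutive failures before (unhealthy)
      start_period: 30s   # failures during startup do not count toward retries

  tunnel:
    # ... existing image/command keys unchanged ...
    depends_on:
      app:
        condition: service_healthy   # replaces the blind depends_on: app
```

Note that depends_on conditions only gate startup order; Compose does not stop or restart tunnel if app later turns unhealthy, so the (unhealthy) status still needs to be watched or acted on by whatever supervises the stack.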