Multi-stage Dockerfile: remove gcc/psql from runtime image (PT-11)

Convert to two-stage build: builder stage installs gcc and compiles
Python C extensions, runtime stage copies only the installed packages.
Removes gcc and postgresql-client from the production image, reducing
attack surface. postgresql-client was unused (healthchecks use urllib).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/Dockerfile

@@ -1,16 +1,22 @@
+# ── Build stage: compile C extensions ──────────────────────────────────
+FROM python:3.12-slim AS builder
+
+WORKDIR /build
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
+
+# ── Runtime stage: lean production image ───────────────────────────────
 FROM python:3.12-slim
 
 WORKDIR /app
 
-# Install system dependencies
+# Copy pre-built Python packages from builder
-RUN apt-get update && apt-get install -y \
+COPY --from=builder /install /usr/local
-    gcc \
-    postgresql-client \
-    && rm -rf /var/lib/apt/lists/*
-
-# Copy requirements and install Python dependencies
-COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy application code
 COPY . .
@@ -19,7 +25,6 @@ COPY . .
 RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
 USER appuser
 
-# Expose port
 EXPOSE 8000
 
 # Run migrations and start server