feat(p83): wire BUILD_SHA through all Dockerfiles + compose + CI check

check-rebuild-needed.sh war seit Mai funktionsfähig nur fuer 3 von 10
Containern. Die anderen 7 Dockerfiles hatten kein ARG/ENV BUILD_SHA und
docker-compose.yml hat fuer KEINEN Service den Wert durchgereicht — daher
defaultete BUILD_SHA ueberall auf "unknown" und die Drift-Check war
zahnlos.

- ARG BUILD_SHA + ENV BUILD_SHA in 8 zusaetzlichen Dockerfiles
  (ai-compliance-sdk, developer-portal, document-crawler, dsms-gateway,
  compliance-tts-service, docs-src, docs-site, dsms-node)
- docker-compose.yml: BUILD_SHA: \${BUILD_SHA:-unknown} in jedem build:
  Block (10 Services)
- .gitea/workflows/ci.yaml: neuer Job build-sha-integrity validiert dass
  jedes Dockerfile ARG+ENV hat und jeder compose-build den Arg durchreicht.
  Faellt bei jedem PR/Push gegen master, der einen neuen Service oder
  Dockerfile ohne BUILD_SHA einfuehrt.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yaml

@@ -411,6 +411,50 @@ jobs:
           pip install --quiet --no-cache-dir pytest pytest-asyncio
           python -m pytest test_main.py -v --tb=short
 
+  # ── P83: BUILD_SHA integrity (always) ────────────────────────────────────
+  # Every Dockerfile must declare ARG BUILD_SHA + ENV BUILD_SHA so the
+  # check-rebuild-needed.sh script can detect "old code in container" drift.
+  # Every docker-compose build: block must pass BUILD_SHA through as a build
+  # arg — otherwise the ARG defaults to "unknown" and the check is toothless.
+  build-sha-integrity:
+    runs-on: docker
+    container: alpine:3.20
+    steps:
+      - name: Checkout
+        run: |
+          apk add --no-cache git python3
+          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+      - name: Validate every Dockerfile + compose block declares BUILD_SHA
+        run: |
+          python3 - <<'PY'
+          import re, sys, glob
+          fails = []
+          # 1. Each Dockerfile must have ARG BUILD_SHA + ENV BUILD_SHA=${BUILD_SHA}
+          for df in sorted(glob.glob("*/Dockerfile")):
+              # Skip nested non-canonical Dockerfiles (e.g. admin-compliance/ai-compliance-sdk/Dockerfile)
+              if df.count("/") > 1: continue
+              src = open(df).read()
+              if "ARG BUILD_SHA" not in src:
+                  fails.append(f"{df}: missing ARG BUILD_SHA")
+              if "ENV BUILD_SHA" not in src:
+                  fails.append(f"{df}: missing ENV BUILD_SHA")
+          # 2. Every build: block in docker-compose.yml must pass BUILD_SHA
+          import yaml
+          compose = yaml.safe_load(open("docker-compose.yml"))
+          for name, svc in (compose.get("services") or {}).items():
+              build = svc.get("build")
+              if not isinstance(build, dict):
+                  continue  # skipping pre-built image refs
+              args = (build.get("args") or {})
+              if "BUILD_SHA" not in args:
+                  fails.append(f"docker-compose.yml: service '{name}' build.args missing BUILD_SHA")
+          if fails:
+              print("::error::BUILD_SHA integrity check failed:")
+              for f in fails: print(f"  - {f}")
+              sys.exit(1)
+          print(f"OK: BUILD_SHA wired in all Dockerfiles + compose build blocks.")
+          PY
+
   # ── OpenAPI contract validation (always) ─────────────────────────────────
   validate-canonical-controls:
     runs-on: docker