fix(infra): audit round 2 — token guard, frozen-lockfile, build cache, docs

- Add require_gitea_token() guard — fail early with actionable message
  if GITEA_NPM_TOKEN is empty after restore (prevents silent failures
  in Phase 4/5/7)
- Wire require_gitea_token() into phase4_build and setup_compose_env
- Remove --frozen-lockfile from admin-web + tracker-web Dockerfiles
  (Docker context is missing services/ and scripts/ workspace members;
  Phase 4 reconciles lockfile so --frozen-lockfile is unnecessary)
- Add docker builder prune after Phase 7 builds (reclaim 20-40 GB)
- Update README: pre-flight thresholds, Ollama stop/restart behavior,
  Loki + Azurite in port map, updated memory pressure note

dashboards/admin-web/Dockerfile

@@ -18,7 +18,7 @@ COPY package.json pnpm-workspace.yaml pnpm-lock.yaml tsconfig.base.json ./
 COPY packages/ packages/
 COPY dashboards/admin-web/package.json dashboards/admin-web/
 
-RUN pnpm install --frozen-lockfile --ignore-scripts
+RUN pnpm install --ignore-scripts
 
 COPY dashboards/admin-web/ dashboards/admin-web/
 

dashboards/tracker-web/Dockerfile

@@ -18,7 +18,7 @@ COPY package.json pnpm-workspace.yaml pnpm-lock.yaml tsconfig.base.json ./
 COPY packages/ packages/
 COPY dashboards/tracker-web/package.json dashboards/tracker-web/
 
-RUN pnpm install --frozen-lockfile --ignore-scripts
+RUN pnpm install --ignore-scripts
 
 COPY dashboards/tracker-web/ dashboards/tracker-web/
 

docs/devops/single_azure_vm/README.md

@@ -63,13 +63,13 @@ sudo ./setup.sh --help             # Show full usage
 
 | Phase | Duration | Description |
 |-------|----------|-------------|
-| 1. System | ~3 min | Install Docker, Node.js 22, pnpm 10.6.5, Ollama, git, jq |
+| 1. System | ~3 min | Pre-flight checks (disk ≥40 GB, RAM ≥16 GB), install Docker, Node.js 22, pnpm 10.6.5, Ollama, git, jq, build-essential |
 | 2. Gitea | ~1 min | Start Gitea Docker container, create admin + org + API token |
 | 3. Clone | ~3 min | Clone all 11 repos to `/opt/bytelyst/` |
 | 4. Build | ~5 min | `pnpm install && pnpm -r build` all `@bytelyst/*` packages |
 | 5. Publish | ~3 min | Publish all packages to local Gitea npm registry |
 | 6. Env | instant | Generate `.env.ecosystem` with Cosmos emulator key, Azurite key, JWT secret |
-| 7. Deploy | ~10 min | Per-service Docker build + deploy (30 services, with fallback) |
+| 7. Deploy | ~10 min | Stop Ollama (free RAM), per-service Docker build + deploy (30 services, with fallback), prune build cache, restart Ollama |
 | 8. Verify | ~1 min | Health-check all 30+ endpoints + create `/opt/bytelyst/check-health.sh` |
 
 ## Port Map (after deployment)
@@ -80,8 +80,9 @@ sudo ./setup.sh --help             # Show full usage
 | Gitea (npm registry) | 3300 | `http://<vm-ip>:3300` |
 | Ollama (LLM API) | 11434 | `http://<vm-ip>:11434` |
 | Cosmos Data Explorer | 1234 | `http://<vm-ip>:1234` |
-| Azurite (Blob) | 10000 | — |
+| Azurite (Blob) | 10000 | `http://<vm-ip>:10000` |
 | Mailpit UI | 8025 | `http://<vm-ip>:8025` |
+| Loki (Logs) | 3100 | `http://<vm-ip>:3100/ready` |
 | Grafana | 3000 | `http://<vm-ip>:3000` |
 | Traefik Dashboard | 8080 | `http://<vm-ip>:8080` |
 
@@ -183,5 +184,5 @@ All optional — defaults work for most setups:
 
 - **Remote browser access:** Product web apps fall back to `http://localhost:<port>` for API calls. This works when browsing from the VM itself but **not from a remote browser** (e.g., laptop accessing `http://<vm-ip>:3060`). For remote access, set up a reverse proxy (Traefik rules) or SSH port-forwarding. Health checks and server-side rendering still work regardless.
 - **Cosmos emulator is x86-only:** Do not use ARM-based VMs (e.g., Dpsv6). Stick with `Standard_D8s_v5` or similar Intel/AMD instances.
-- **Memory pressure:** 30 Docker builds + Cosmos emulator (~3 GB) + Ollama (~3 GB) compete for RAM on 32 GB. If builds OOM, retry with `sudo ./setup.sh --phase=7` (per-service fallback skips what already built).
+- **Memory pressure:** Phase 7 automatically stops Ollama (~3 GB) during Docker builds and restarts it after. If builds still OOM on 32 GB, retry with `sudo ./setup.sh --phase=7` (per-service fallback skips what already built).
 - **Corporate proxy in Dockerfiles:** Already removed at source across all repos. No runtime stripping needed.

docs/devops/single_azure_vm/setup.sh

@@ -145,6 +145,13 @@ restore_gitea_token() {
   fi
 }
 
+# Guard: fail early if GITEA_NPM_TOKEN is still empty after restore
+require_gitea_token() {
+  if [ -z "${GITEA_NPM_TOKEN:-}" ]; then
+    fail "GITEA_NPM_TOKEN not set. Re-run phase 2: sudo ./setup.sh --phase=2"
+  fi
+}
+
 # ═══════════════════════════════════════════════════════════════════════
 # PHASE 1: System Dependencies
 # ═══════════════════════════════════════════════════════════════════════
@@ -386,6 +393,8 @@ phase4_build() {
   log "Phase 4: Building @bytelyst/* packages..."
 
   local plat_dir="${INSTALL_DIR}/learning_ai_common_plat"
+  restore_gitea_token
+  require_gitea_token
 
   # Configure .npmrc for the common-plat workspace (publish target)
   cat > "${plat_dir}/.npmrc" <<NPMRC
@@ -573,6 +582,7 @@ setup_compose_env() {
   cd "$plat_dir"
 
   restore_gitea_token
+  require_gitea_token
 
   local docker_host_ip
   docker_host_ip=$(detect_docker_host_ip)
@@ -689,6 +699,10 @@ phase7_deploy() {
     --env-file "${plat_dir}/.env.ecosystem" \
     up -d "${start_services[@]}" 2>&1 | tail -10 || true
 
+  # Reclaim disk space from Docker build cache
+  log "  Pruning Docker build cache..."
+  docker builder prune -f --filter "until=1h" > /dev/null 2>&1 || true
+
   # Restart Ollama (stopped at start of phase 7 to free RAM)
   if command -v ollama &>/dev/null; then
     log "  Restarting Ollama..."