feat: migrate CI/CD from GHCR to local Harbor registry

- Makefile: GHCR -> registry.celestium.life/stonks-oracle
- GitHub Actions: login to Harbor, use HARBOR_PASSWORD secret
- infra/k8s/*.yaml: all image refs -> registry.celestium.life
- inttest pipeline: remove GHCR pull secret (local registry, no auth)
- Steering docs: update registry/git endpoints
Celes Renata
2026-04-19 07:34:28 +00:00
parent 0f2cb41b29
commit 5be3ce2db9
16 changed files with 44 additions and 48 deletions
+5 -3
@@ -29,18 +29,20 @@ Three-layer signal aggregation engine:
- Trading Engine: `https://stonks-trading.celestium.life`
- Superset: `https://stonks-dash.celestium.life`
- Trino: `https://stonks-trino.celestium.life`
- Gitea: `https://git.celestium.life`
- Harbor Registry: `https://registry.celestium.life`
## Infrastructure
- Kubernetes cluster: 4x NixOS nodes (gremlin-1 through gremlin-4), reachable via `kubectl`, `virtctl`, `ssh root@gremlin-{1,2,3,4}`
- NixOS configs stored at `/etc/nixos` on gremlin-1, git-pushed to other hosts
- Ingress: Traefik, domain `*.celestium.life`
- Cert-Manager: `ca-issuer` (local CA) for internal services
- Container registry: `ghcr.io/celesrenata/stonks-oracle`
- Container registry: `registry.celestium.life/stonks-oracle`
## CI/CD
- GitHub Actions workflow at `.github/workflows/build.yml`
- Push to `main` triggers: lint → pytest → frontend vitest → build all service images + dashboard + superset → push to GHCR
- Images tagged as `ghcr.io/celesrenata/stonks-oracle/<service>:<sha>` and `:latest`
- Push to `main` triggers: lint → pytest → frontend vitest → build all service images + dashboard + superset → push to Harbor
- Images tagged as `registry.celestium.life/stonks-oracle/<service>:<sha>` and `:latest`
- Dashboard image: `frontend/Dockerfile` (multi-stage: node:24 → nginx-unprivileged on port 8080)
- Superset image: `docker/Dockerfile.superset` (apache/superset + trino + psycopg2)
- Python service images: `docker/Dockerfile` with `SERVICE_CMD` build arg
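Review bot: the updated "Container registry" and CI/CD lines name `registry.celestium.life/stonks-oracle` but do not document how the registry is authenticated or trusted. The commit message mentions a `HARBOR_PASSWORD` secret for pushes and unauthenticated pulls, and the Infrastructure section says internal services get certificates from the local `ca-issuer` CA. Suggest adding a line under CI/CD that states which credential the workflow pushes with, that pulls are anonymous, and whether the registry certificate comes from the local CA, in which case the build runners and cluster nodes need that CA in their trust store. Since the "Images tagged as" line still publishes `:latest` next to `<sha>`, the doc should also say which of the two tags the manifests under `infra/k8s` are expected to reference, because `:latest` is mutable and anyone who can push to the registry can replace what it points to.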