phase 0+1: project scaffold, k8s manifests, CI pipeline, steering, hooks, tests

- Repository structure for all services, infra, lakehouse, dashboards
- K8s manifests targeting stonks-oracle namespace with GHCR images
- Ingress via Traefik with ca-issuer TLS for internal services
- ConfigMap wired to existing cluster services (pg, redis, minio, ollama)
- GitHub Actions workflow for lint, test, multi-service container builds
- Dockerfile with build-arg CMD per service
- Makefile for local build/push/deploy
- Steering rules for TDD workflow, K8s conventions, project context
- Agent hooks for lint-on-save, test-on-save, k8s-validate, phase-commit
- Ruff linter config, all lint issues fixed
- 14 passing tests for schemas, config, redis keys
- PostgreSQL migrations, Trino catalogs, Superset config, MinIO lifecycle

.kiro/steering/kubernetes-conventions.md

@@ -0,0 +1,33 @@
+---
+inclusion: fileMatch
+fileMatchPattern: "infra/k8s/**"
+---
+# Kubernetes Conventions
+
+## Namespace
+All Stonks Oracle workloads deploy to `stonks-oracle` namespace.
+
+## TLS
+- Internal services: use `ca-issuer` ClusterIssuer (local CA)
+- Public-facing services (Superset, Query API): use `celestium-le-production` ClusterIssuer (Let's Encrypt)
+- Annotate ingress with `cert-manager.io/cluster-issuer`
+
+## Ingress
+- Traefik ingress controller
+- Domain pattern: `<service>.celestium.life`
+- Always create both HTTP and HTTPS ingress rules
+
+## Service References
+- PostgreSQL: `postgresql-rw.postgresql-service.svc.cluster.local:5432`
+- Redis: `redis-master.redis-service.svc.cluster.local:6379`
+- MinIO API: `minio.minio-service.svc.cluster.local:80`
+- Ollama: `ollama.ollama-service.svc.cluster.local:11434`
+
+## Images
+- All images from `ghcr.io/celesrenata/stonks-oracle/<service>:latest`
+- Use `imagePullPolicy: Always` in production
+- Use `imagePullSecrets` referencing `ghcr-secret` if repo is private
+
+## Labels
+- `app.kubernetes.io/part-of: stonks-oracle`
+- `app: <service-name>`