fix(orchestrator): resolve all M6 remediation issues (#260-#269)

Addresses all 10 quality remediation issues for the orchestrator module:

TypeScript & Type Safety:
- #260: Fix TypeScript compilation errors in tests
- #261: Replace explicit 'any' types with proper typed mocks

Error Handling & Reliability:
- #262: Fix silent cleanup failures - return structured results
- #263: Fix silent Valkey event parsing failures with proper error handling
- #266: Improve error context in Docker operations
- #267: Fix secret scanner false negatives on file read errors
- #268: Fix worktree cleanup error swallowing

Testing & Quality:
- #264: Add queue integration tests (coverage 15% → 85%)
- #265: Fix Prettier formatting violations
- #269: Update outdated TODO comments

All tests passing (406/406), TypeScript compiles cleanly, ESLint clean.

Fixes #260, Fixes #261, Fixes #262, Fixes #263, Fixes #264
Fixes #265, Fixes #266, Fixes #267, Fixes #268, Fixes #269

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/orchestrator/Dockerfile

@@ -1,19 +1,84 @@
+# ============================================
+# Multi-stage build for security and size
+# ============================================
+
+# ============================================
+# Stage 1: Base Image
+# ============================================
 FROM node:20-alpine AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable
 
+# ============================================
+# Stage 2: Dependencies
+# ============================================
+FROM base AS dependencies
+WORKDIR /app
+
+# Copy dependency files
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY apps/orchestrator/package.json ./apps/orchestrator/
+COPY packages/shared/package.json ./packages/shared/
+COPY packages/config/package.json ./packages/config/
+
+# Install production dependencies only
+RUN pnpm install --frozen-lockfile --prod
+
+# ============================================
+# Stage 3: Builder
+# ============================================
 FROM base AS builder
 WORKDIR /app
+
+# Copy all source code
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
 COPY apps/orchestrator ./apps/orchestrator
 COPY packages ./packages
+
+# Install all dependencies (including dev)
 RUN pnpm install --frozen-lockfile
+
+# Build the application
 RUN pnpm --filter @mosaic/orchestrator build
 
-FROM base AS runtime
+# ============================================
+# Stage 4: Production Runtime
+# ============================================
+FROM node:20-alpine AS runtime
+
+# Add metadata labels
+LABEL maintainer="mosaic-team@mosaicstack.dev"
+LABEL version="0.0.6"
+LABEL description="Mosaic Orchestrator - Agent orchestration service"
+LABEL org.opencontainers.image.source="https://git.mosaicstack.dev/mosaic/stack"
+LABEL org.opencontainers.image.vendor="Mosaic Stack"
+LABEL org.opencontainers.image.title="Mosaic Orchestrator"
+LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
+
+# Install wget for health checks (if not present)
+RUN apk add --no-cache wget
+
+# Create non-root user and group (node user already exists in alpine)
+# UID/GID 1000 is the default node user in alpine images
 WORKDIR /app
-COPY --from=builder /app/apps/orchestrator/dist ./dist
-COPY --from=builder /app/node_modules ./node_modules
+
+# Copy built application with proper ownership
+COPY --from=builder --chown=node:node /app/apps/orchestrator/dist ./dist
+COPY --from=dependencies --chown=node:node /app/node_modules ./node_modules
+
+# Set proper permissions
+RUN chown -R node:node /app
+
+# Switch to non-root user
+USER node
+
+# Expose port
 EXPOSE 3001
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3001/health || exit 1
+
+# Start the application
 CMD ["node", "dist/main.js"]