build(deps): bump node from 22-bookworm-slim to 26-bookworm-slim in /admin-ui#2

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/docker/admin-ui/node-26-slim
Closed

Conversation

@dependabot dependabot Bot commented on behalf of github May 16, 2026

Bumps node from 22-bookworm-slim to 26-bookworm-slim.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file docker Pull requests that update docker code labels May 16, 2026

@ciprianiacobescu ciprianiacobescu left a comment

Bulk approval of Dependabot dependency update. Manual merge after CI workflow remediation completes.

github-actions Bot commented May 16, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@dependabot dependabot Bot changed the title build(deps): bump node from 22-slim to 26-slim in /admin-ui build(deps): bump node from 22-bookworm-slim to 26-bookworm-slim in /admin-ui May 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/docker/admin-ui/node-26-slim branch from b008205 to 169c231 Compare May 17, 2026 22:50
Bumps node from 22-bookworm-slim to 26-bookworm-slim.

---
updated-dependencies:
- dependency-name: node
  dependency-version: 26-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot commented on behalf of github May 19, 2026

Superseded by #83.

@dependabot dependabot Bot closed this May 19, 2026
@dependabot dependabot Bot deleted the dependabot/docker/admin-ui/node-26-slim branch May 19, 2026 02:50
ciprianiacobescu pushed a commit that referenced this pull request May 22, 2026
…config consts in 13 tests

Second wave of post-restructure test path-constant fixes that strike-3
and orchestrator residual cleanup missed:

A) "services" / "<svc>" split-path Pathlib calls (54 occurrences across
   11 files). Strike-3's substitution list used literal "services/<svc>"
   tokens but these were Pathlib-split as `"services" / "<svc>"`:
   - tests/acceptance/test_async_audit_emission.py (7)
   - tests/acceptance/test_avail.py (2)
   - tests/acceptance/test_brokered_call.py (2)
   - tests/acceptance/test_classical_key.py (3)
   - tests/acceptance/test_cross_tenant_token.py (2)
   - tests/acceptance/test_e2e_smoke.py (3)
   - tests/acceptance/test_e2e_trace.py (4)
   - tests/acceptance/test_golden_path.py (5)
   - tests/acceptance/test_observability.py (8)
   - tests/acceptance/test_proxy_latency.py (1)
   - tests/acceptance/test_token_issuance_perf.py (1)

   Sed: `/ "services" /` → `/ "apps" /`. Python-module `services/`
   subdirs (e.g., `admin_api/services/vault_client.py`) were NOT
   touched (the pattern only matches with REPO_ROOT/_ROOT prefix and
   no `admin_api` between).

B) obs-config constants in 2 more test files (10 lines):
   - tests/acceptance/test_observability.py: prometheus.yml,
     otel-collector-config.yaml, grafana/ → `infra/observability/`
   - tests/acceptance/test_ops_hardening.py: alert_rules.yml (4×),
     prometheus.yml (2×), grafana/ → `infra/observability/`

C) test_otel_collector_redaction.py:19 — _CONFIG_PATH points at the
   moved otel-collector-config.yaml under `infra/observability/`.

Verification: pytest --collect-only on the 13 changed files exits 0
(165 tests collected). Wide stale-path scan now clean across tests/.

PR #90 should pass Mintkey CI on next run. Trivy + Dependency Review
will still fail — those are documented by-design (see PR description).
ciprianiacobescu pushed a commit that referenced this pull request May 23, 2026
Six remaining test bugs that CI-fix #2 unmasked (deeper in execution
order; earlier steps were fail-fast blocking these):

1. tests/acceptance/test_golden_path.py:210 + :713
   Inner Python-module "services" in admin_api/services/vault_client.py
   was OVER-SUBSTITUTED by CI-fix #2's `/ "services" /` → `/ "apps" /`
   sed. Reverted those 2 specific lines (Edit, not sed) — the Python
   module path stays `admin_api/services/vault_client.py` because the
   inner "services" is admin_api.services (Python module), NOT the
   moved top-level services/ directory.

2. tests/acceptance/test_async_audit_emission.py:312
   subprocess call `go test ./internal/auditq/...` →
   `go test ./packages/go/auditq/...`. After C-3 moved the package,
   the old internal/ path no longer exists.

3. tests/acceptance/test_multitenant_smoke.py:39-46
   _VERIFIER_GO multi-line Pathlib call had `/ "services" /` split
   across multiple lines. CI-fix #2's sed (line-based) didn't catch
   cross-line forms. Edited to `/ "apps" /` directly.

4. tests/acceptance/test_namespace_isolation.py:70-71
   `docker compose -f docker-compose.test.yml` → `-f infra/compose/
   docker-compose.test.yml`. Also updated `-f docker-compose.yml` to
   `-f infra/compose/docker-compose.yml` for canonical -f base+override
   semantics (don't mix shim and explicit override).

5. tests/acceptance/test_ops_hardening.py:97
   test_cadvisor_in_compose was reading the root shim (which only has
   `include:` directive). Changed to read the canonical
   `infra/compose/docker-compose.yml`.

6. tests/acceptance/test_observability.py:62, :65
   required_targets had `"apps/admin-api"` and `"apps/mcp-server"` from
   C-2's overzealous test sed. prometheus.yml job names are NOT
   path-based (they're container hostnames like `admin-api:8080`).
   Reverted to plain `admin-api` and `mcp-server`.

Verification: pytest --collect-only on all 6 changed files exits 0
(56 tests collected).

Trivy + Dep Review will still fail (by-design). Playwright Grafana
healthcheck issue under separate investigation — local `docker compose
config` shows correct path resolution; CI failure may be environmental
or a real Grafana-in-CI bug.
ciprianiacobescu pushed a commit that referenced this pull request May 23, 2026
…vices, errors surface

Three restore-correctness bugs surfaced when validating that
backup → down -v → restore actually achieves the user's success
criterion ("after a restore I do not need to change anything").

Bug #4: dev-backup.sh:367 — `pg_dump` was called without `--clean
--if-exists`. The resulting dump had no DROP statements. When
dev-restore.sh piped it into psql against a non-empty schema (e.g.,
a freshly-seeded one), every INSERT failed with duplicate-key /
already-exists errors. Fix: add `--clean --if-exists` so the dump
emits `DROP INDEX IF EXISTS` + `DROP TABLE IF EXISTS` at the head.

Bug #5: dev-restore.sh:441 — `psql ... 2>/dev/null` silenced ALL
postgres errors. A 100%-broken restore would report "✅ pg_dump
restored to mintkey database" and the operator would not know.
Fix: remove `2>/dev/null`; add `--set ON_ERROR_STOP=on` so psql
exits non-zero on the FIRST error (rather than racing through
the dump leaving the DB partly-applied).

Bug #6: dev-restore.sh — did NOT stop services that hold open
postgres connections (keycloak, admin-api, mcp-server, broker,
kong-syncer, admin-ui). With the new `--clean` dump, the DROP
TABLE statements would block on row locks held by those services.
Fix: `docker compose stop` the connection-holders before psql,
then `docker compose up -d --wait` after.

Verification (this commit):
- Took a backup with the fix; decrypted+gunzipped the dump:
    DROP TABLE statements:  ~110
    DROP INDEX statements:  ~300
    CREATE TABLE statements: ~106
    INSERT INTO statements: ~5  (just the seed-job-default rows)
  → Bug #4 confirmed fixed.

End-to-end round-trip test (backup → down -v → restore → verify
agent+service intact) is the next step; user will create an
agent + service first so there's real data to round-trip.

Counts now of session-discovered backup/restore bugs:
  #1 ✅ fixed (51e7077) pg_dump silently skipped — Service field
  #2 ✅ fixed (a47a4e6) vault-adapter detection — same class
  #3 ✅ fixed (49d519a) host-file admin_password drift
  #3a ✅ fixed (77ab040) Makefile colon-pattern blocked make admin-password
  #4 ✅ fixed (this commit) pg_dump --clean
  #5 ✅ fixed (this commit) psql errors surfaced
  #6 ✅ fixed (this commit) restore stops dependent services
ciprianiacobescu pushed a commit that referenced this pull request May 23, 2026
…pter + proxy-plugin

Round-trip validation surfaced 2 more bugs after #4 #5 #6 were fixed.

Bug #7: dev-backup.sh:367 — pg_dump was called with `--no-privileges`,
which strips ALL `GRANT` / `REVOKE` statements from the dump. After
restore (DROP TABLE + CREATE TABLE), `mintkey_app` and
`mintkey_subscriber` had zero privileges on every table → every query
from admin-api / mcp-server / kong-syncer / proxy-plugin failed with
"permission denied for table services|agents|...".

Fix: drop `--no-privileges`. The dump now emits the same GRANTs that
liquibase migration 009-roles.yaml normally creates (212 GRANTs in a
fresh dump vs 0 before). Verified post-restore: agent key → 200 OK
without manual GRANT intervention.

Bug #8: dev-restore.sh — the service stop-list before the postgres
restore did not include `vault-adapter` or `proxy-plugin`. Two
distinct failures result:

  - vault-adapter holds an open SQLite file handle on
    /var/lib/vault/vault.db inside the vault_data volume. When that
    volume is replaced from the backup tarball, the kernel keeps
    serving the OLD inode to vault-adapter's file descriptor. Net
    effect: `GetCredential` returns "not found" for every credential
    even though the restored sqlite file is correct on disk. Proxy
    call → HTTP 502 "vault error".

  - proxy-plugin caches DEKs in-memory keyed by service_id. If
    service IDs survive the restore (they do — same UUIDs in the
    dump), the cache may shortcut to a stale "not found" or to an
    encrypted-DEK that the restored KEK can no longer decrypt.

Fix: add both to the stop-list. They get cleanly restarted by the
post-restore `docker compose up -d --wait`.

End-to-end verification with both fixes (round-trip test):
  - backup → docker compose down -v → up → dev-restore.sh
  - Zero manual SQL, zero manual restarts needed
  - Agent key works, request_token issues JWT, proxy call to GitHub
    API returns 200 authenticated as ciprianiacobescu
  - make admin-password returns the PRE-backup password
  - postgres row counts match baseline exactly (1/1/1/1/1/1/8)

Counts of session-discovered backup/restore bugs (all fixed):
  #1 ✅ pg_dump silently skipped — Service field (51e7077)
  #2 ✅ vault-adapter detection — same class (a47a4e6)
  #3 ✅ host-file admin_password drift (49d519a)
  #3a ✅ Makefile colon-pattern blocked `make admin-password` (77ab040)
  #4 ✅ pg_dump --clean --if-exists (a1dc9e3)
  #5 ✅ psql errors surfaced (a1dc9e3)
  #6 ✅ restore stops dependent services (a1dc9e3)
  #7 ✅ this commit — pg_dump includes GRANTs
  #8 ✅ this commit — restore stops vault-adapter + proxy-plugin
ciprianiacobescu pushed a commit that referenced this pull request May 23, 2026
…lthchecks

Round-trip validation v3 surfaced 2 more bugs after #4-#8 were fixed.

Bug #9: dev-restore.sh processed manifest entries in order. The pg_dump
iteration stopped services, applied the dump, restarted them. Then the
volume iterations (vault_data, vault_kek, bootstrap_secrets) restored
tarballs WHILE vault-adapter / proxy-plugin were already running with
stale file handles into those volumes. Net effect: post-restore the
volumes were correct on disk, but vault-adapter served "GetCredential
not found" from the old inode → proxy → HTTP 502 "vault error".

Fix: after the manifest loop completes (so ALL volumes + the pg_dump
are restored), restart every data-dependent service ONCE. This drops
all stale handles + in-memory caches regardless of manifest order.

Bug #10: `docker compose restart` is fire-and-forget. It returns as
soon as the docker daemon kicks the containers, NOT when they're
actually responsive. End-to-end test showed admin-ui returning fast
enough to confuse the verifier into "Connection reset by peer" while
uvicorn was still bootstrapping in mcp-server / admin-api.

Fix: chain `docker compose up -d --wait --timeout 180` after the
restart. up -d is a no-op for already-running containers, but --wait
blocks until every service's compose healthcheck passes (or times out).
Callers can now hit /v1/tools/list_services immediately after the
script returns and get a real response, not Connection-reset.

Round-trip test v3 (with #7 #8 #9 #10):
  backup → docker compose down -v → up → dev-restore.sh → verify
  WITHOUT ANY manual SQL, manual GRANTs, manual restarts, or sleeps:
    [1/4] list_services     HTTP 200  ✅
    [2/4] request_token     HTTP 200  ✅
    [3/4] proxy → GitHub    HTTP 200  ✅  authenticated as ciprianiacobescu
    [4/4] admin password    yAPal2y2J... ✅ matches pre-backup

Success criterion met: "after restore I do not need to change anything."

Final tally of session-discovered backup/restore bugs (all fixed):
  #1 ✅ pg_dump silently skipped — Service field (51e7077)
  #2 ✅ vault-adapter detection — same class (a47a4e6)
  #3 ✅ host-file admin_password drift (49d519a)
  #3a ✅ Makefile colon-pattern blocked make admin-password (77ab040)
  #4 ✅ pg_dump --clean --if-exists (a1dc9e3)
  #5 ✅ psql errors surfaced (a1dc9e3)
  #6 ✅ restore stops dependent services (a1dc9e3)
  #7 ✅ pg_dump includes GRANTs (2fba9c3)
  #8 ✅ restore stops vault-adapter + proxy-plugin (2fba9c3)
  #9 ✅ this commit — post-loop service restart, manifest-order independent
  #10 ✅ this commit — restart waits for healthchecks
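The stale-handle failure behind Bug #8 and Bug #9 above (a service keeps serving the old inode after the volume file is replaced underneath it, until it is restarted) reproduced as an added Python example; this is not code from the repository or these commits. It assumes the restore swaps the file in by renaming a new one over the old path, and the `FakeVaultAdapter` class and file contents are constructed.

```python
"""Constructed demo of the stale-file-handle failure (Bug #8 / #9 above), not
repository code. FakeVaultAdapter and the contents are made up; the restore is
modelled as renaming a new file over the old path (assumption): new inode on
disk, old inode still served to every handle that was already open."""
import os
import tempfile


class FakeVaultAdapter:
    """Service that opens its data file once and keeps the descriptor."""
    def __init__(self, path: str) -> None:
        self.path = path
        self.fd = os.open(path, os.O_RDONLY)  # held open, like a SQLite handle

    def get_credential(self) -> str:
        os.lseek(self.fd, 0, os.SEEK_SET)
        return os.read(self.fd, 4096).decode()

    def handle_is_stale(self) -> bool:
        """Check: does the open descriptor still match the inode on disk?"""
        return os.fstat(self.fd).st_ino != os.stat(self.path).st_ino

    def restart(self) -> None:
        """What a service restart buys you: drop the handle and reopen."""
        os.close(self.fd)
        self.fd = os.open(self.path, os.O_RDONLY)


def restore_volume(path: str, restored: bytes) -> None:
    """Write the restored file beside the target, then rename it into place."""
    tmp = path + ".restore"
    with open(tmp, "wb") as f:
        f.write(restored)
    os.replace(tmp, path)  # new inode; the old one lives on for open fds


def round_trip() -> tuple[str, str, bool, str, bool]:
    """(before, read-after-restore, stale?, read-after-restart, stale?)."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "vault.db")
        with open(db, "wb") as f:
            f.write(b"pre-backup-credential")
        svc = FakeVaultAdapter(db)
        before = svc.get_credential()
        restore_volume(db, b"restored-credential")
        stale_read, stale = svc.get_credential(), svc.handle_is_stale()
        svc.restart()
        fresh_read, fresh = svc.get_credential(), svc.handle_is_stale()
        os.close(svc.fd)
        return before, stale_read, stale, fresh_read, fresh
```

The inode comparison in `handle_is_stale` is the check an operator can run (via `ls -i` against `/proc/<pid>/fd`) to confirm a service is still reading a replaced file before deciding it needs a restart.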