perf: Separate scheduler + harden deploy sync

.gitea/workflows/deploy.yml

@@ -28,6 +28,10 @@ jobs:
           rsync -az --delete \
             -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
             --exclude ".git" \
+            --exclude ".venv" \
+            --exclude "venv" \
+            --exclude "backend/.venv" \
+            --exclude "backend/venv" \
             --exclude "frontend/node_modules" \
             --exclude "frontend/.next" \
             --exclude "**/__pycache__" \
@@ -54,7 +58,9 @@ jobs:
           env = {
             # Core
             "ENVIRONMENT": "production",
-            "ENABLE_SCHEDULER": "true",
+            # Scheduler will run in separate container (pounce-scheduler)
+            "ENABLE_SCHEDULER": "false",
+            "DEBUG": "false",
             "COOKIE_SECURE": "true",
             "CORS_ORIGINS": "https://pounce.ch,https://www.pounce.ch",
             "SITE_URL": "https://pounce.ch",
@@ -68,6 +74,8 @@ jobs:
             # DB/Redis
             "DATABASE_URL": os.environ["DATABASE_URL"],
             "REDIS_URL": "redis://pounce-redis:6379/0",
+            # Rate limiting must be shared across workers in production
+            "RATE_LIMIT_STORAGE_URI": "redis://pounce-redis:6379/2",
 
             # Auth
             "SECRET_KEY": os.environ["SECRET_KEY"],

docker-compose.prod.yml

@@ -11,8 +11,9 @@ services:
       - pounce-network
       - supabase-network
     environment:
-      - DATABASE_URL=postgresql+asyncpg://pounce:PounceDB2024!@supabase-db-n0488s44osgoow4wgo04ogg0:5432/pounce
+      # NOTE: Do NOT hardcode credentials in git.
-      - JWT_SECRET=${JWT_SECRET:-pounce-super-secret-jwt-key-2024-production}
+      - DATABASE_URL=${DATABASE_URL}
+      - JWT_SECRET=${JWT_SECRET}
       - FRONTEND_URL=http://pounce.185-142-213-170.sslip.io
       - ENVIRONMENT=production
       - ENABLE_SCHEDULER=true