Commit d190ec2

jsell-rh and claude authored
chore(deps): update apache/age, spicedb, and ubi9 base images (#304)
* feat(infrastructure): add SQLAlchemy async database foundation with Alembic

  - Add SQLAlchemy 2.0 with asyncpg for async database operations
  - Add Alembic for schema migrations
  - Add python-ulid for ULID support instead of UUID
  - Create read/write engine separation with connection pooling
  - Create FastAPI dependency injection for database sessions
  - Create SQLAlchemy declarative base with timestamp mixin
  - Initialize Alembic with async migration support
  - Create initial migration for teams table (ULID primary key)
  - Add comprehensive unit tests for engines and dependencies
  - Configure Alembic to use settings module for database URL
  - Enable ruff post-write hook for migration formatting

  Refs: AIHCM-121

* feat(shared-kernel): add authorization abstractions and SpiceDB client

  - Add authzed library for SpiceDB integration
  - Add python-ulid for ULID support
  - Create ResourceType, RelationType, Permission enums (using Group not Team)
  - Create AuthorizationProvider protocol for swappable implementations
  - Implement SpiceDBClient with async methods for relationships and permissions
  - Create SpiceDB schema (.zed) with Tenant→Workspace→Group hierarchy
  - Create AuthorizationProbe for domain-oriented observability
  - Move ObservationContext to shared_kernel (fix architectural boundary)
  - Add 35 unit tests for types and probes
  - All 410 tests passing

  Refs: AIHCM-122

* ci: automerge mintmaker non-major upgrades if tests pass

* fix(deploy): set postgres uid/gid to 001379999

* refactor(api.iam): rename Role to GroupRole

* refactor(api.iam): add TenantMember value object

* refactor(api.iam): add TenantMemberAdded event and method

* refactor(api.iam): add TenantMemberRemoved event and method

* feat(iam.presentation): add workspace DTOs and router skeleton

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* feat(iam.presentation): implement POST /workspaces endpoint with TDD

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* feat(iam.presentation): implement GET /workspaces/{id} endpoint and add route documentation

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* feat(iam.presentation): implement GET /workspaces list endpoint with TDD

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* feat(iam.presentation): implement DELETE /workspaces/{id} endpoint with TDD

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* fix(shared_kernel): align SpiceDB schema with translator implementation

  Fix workspace definition in schema.zed and ConfigMap to match the
  relationships actually created by the IAM outbox translator.

  Schema changes (workspace definition):
  - Add `relation tenant: tenant` for organizational ownership
  - Change `relation parent: tenant` to `relation parent: workspace` for hierarchy
  - Rename `owner` to `admin` for consistency with tenant/group definitions
  - Rename `permission delete` to `permission manage` for consistency
  - Add Phase 3 comments for member/permission usage

  ConfigMap changes (full sync with schema.zed):
  - Apply all workspace definition fixes above
  - Add missing `relation member: user` to tenant definition
  - Fix tenant `permission view = admin` to `permission view = admin + member`
  - Add missing `permission administrate = admin` to tenant definition
  - Add missing `api_key` definition (was in schema.zed but not ConfigMap)
  - Add future resource type comments

  Inconsistencies found and documented:
  1. Schema had `relation parent: tenant` but translator writes `workspace#tenant@tenant` (relation name 'tenant') and `workspace#parent@workspace` (parent type 'workspace')
  2. ConfigMap was missing tenant `member` relation, `administrate` permission, and entire `api_key` definition
  3. RelationType.WORKSPACE enum exists but is unused by any translator
  4. Permission.DELETE enum value corresponds to removed `permission delete` in workspace; may need cleanup in Phase 3
  5. Schema `owner` relation on workspace renamed to `admin` to align with tenant and group naming conventions

  All 970 unit tests pass (3 pre-existing SSL failures unrelated).

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* refactor(shared_kernel): remove unused authorization enum values

  Remove RelationType.WORKSPACE and Permission.DELETE which have no usage in
  the codebase. Neither value corresponds to any relation or permission in the
  current SpiceDB schema. They can be re-added when future resource types
  (knowledge_graph, data_source) are implemented.

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* fix(shared_kernel): update future schema references to use admin relation

  Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

* chore(deps): update apache/age, spicedb, and ubi9 base images

  - apache/age: release_PG17_1.6.0 → release_PG18_1.7.0
  - authzed/spicedb: v1.48.0 → v1.50.0
  - ubi9/python-312: pin to digest sha256:d7b4607a...

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore(deps): pin spicedb-migrate version and update postgres client to PG18

  - Pin spicedb-migrate to v1.50.0 to match spicedb service
  - Update db-init job and compose postgres client from 17-alpine to 18-alpine

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
1 parent d9cb51f commit d190ec2

7 files changed

+13
-13
lines changed
.github/workflows/tests.yml

Lines changed: 2 additions & 2 deletions
@@ -18,7 +18,7 @@ jobs:
1818

1919
services:
2020
postgres:
21-
image: apache/age:release_PG17_1.6.0
21+
image: apache/age:release_PG18_1.7.0
2222
env:
2323
POSTGRES_USER: kartograph
2424
POSTGRES_PASSWORD: kartograph_dev_password
@@ -52,7 +52,7 @@ jobs:
5252
-p 50051:50051 \
5353
-p 50052:50052 \
5454
--entrypoint spicedb \
55-
quay.io/authzed/spicedb:v1.48.0 \
55+
quay.io/authzed/spicedb:v1.50.0 \
5656
serve-testing
5757
5858
- name: Set up uv

compose.yaml

Lines changed: 4 additions & 4 deletions
@@ -25,7 +25,7 @@ services:
2525
start_period: 30s
2626

2727
spicedb:
28-
image: authzed/spicedb:v1.48.0
28+
image: authzed/spicedb:v1.50.0
2929
command: "serve"
3030
env_file:
3131
- env/spicedb.env
@@ -52,7 +52,7 @@ services:
5252
start_period: 10s
5353

5454
spicedb-migrate:
55-
image: "authzed/spicedb"
55+
image: "authzed/spicedb:v1.50.0"
5656
command: "migrate head"
5757
restart: "on-failure"
5858
networks:
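
Review bot: the `spicedb-migrate` image on line 55 now carries the same literal `v1.50.0` as the `spicedb` service on line 28, so the two can drift apart on the next bump if only one line is edited. Since the commit message states the migrator is pinned "to match spicedb service", consider defining the tag once (a Compose variable, for example a hypothetically named `SPICEDB_VERSION`, or a YAML anchor) and referencing it from both services.
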
@@ -67,7 +67,7 @@ services:
6767

6868
# Transient service to ensure the 'spicedb' database exists
6969
db-init:
70-
image: postgres:17-alpine
70+
image: postgres:18-alpine
7171
networks:
7272
- kartograph
7373
env_file:
@@ -82,7 +82,7 @@ services:
8282
condition: service_healthy
8383

8484
postgres:
85-
image: apache/age:release_PG17_1.6.0
85+
image: apache/age:release_PG18_1.7.0
8686
env_file:
8787
- env/postgres.env
8888
ports:

deploy/apps/kartograph/base/job-db-init.yaml

Lines changed: 2 additions & 2 deletions
@@ -17,7 +17,7 @@ spec:
1717
initContainers:
1818
# Wait for Postgres to be ready
1919
- name: wait-for-postgres
20-
image: postgres:17-alpine
20+
image: postgres:18-alpine
2121
imagePullPolicy: IfNotPresent
2222
command:
2323
- sh
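
Review bot: `postgres:18-alpine` on line 20 (and again on line 33 for the `init` container) is a floating tag, and combined with `imagePullPolicy: IfNotPresent` a node that has already cached an earlier `18-alpine` build will keep running it, so different nodes can execute different client builds. The Dockerfile change in this same commit pins its base image by digest; pinning these two images to a full version tag or a digest would make the job reproducible in the same way.
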
@@ -30,7 +30,7 @@ spec:
3030
echo "PostgreSQL is ready!"
3131
containers:
3232
- name: init
33-
image: postgres:17-alpine
33+
image: postgres:18-alpine
3434
imagePullPolicy: IfNotPresent
3535
env:
3636
- name: PGHOST

deploy/apps/kartograph/base/job-spicedb-migrate.yaml

Lines changed: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ spec:
3939
echo "DB init complete!"
4040
containers:
4141
- name: migrate
42-
image: authzed/spicedb:v1.48.0
42+
image: authzed/spicedb:v1.50.0
4343
imagePullPolicy: IfNotPresent
4444
args:
4545
- migrate
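
Review bot: the migrate container on line 42 moves straight from `v1.48.0` to `v1.50.0`, skipping a minor release, and nothing in this change records whether the intermediate or target release notes call for a phased datastore migration. Please confirm that before merging, and confirm the rollout order: once this job has migrated the datastore, any `v1.48.0` server pods still running during the Deployment rollout are serving against a newer schema.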

deploy/apps/kartograph/base/postgres-deployment.yaml

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ spec:
1919
securityContext: {}
2020
containers:
2121
- name: postgres
22-
image: apache/age:release_PG17_1.6.0
22+
image: apache/age:release_PG18_1.7.0
2323
securityContext:
2424
runAsNonRoot: true
2525
allowPrivilegeEscalation: false
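
Review bot: line 22 changes the PostgreSQL major version (`release_PG17_1.6.0` to `release_PG18_1.7.0`), and a PostgreSQL server will not start on a data directory initialised by a different major version. The hunk does not show how the data directory is mounted; if this Deployment is backed by a persistent volume, the change needs a documented `pg_upgrade` or dump-and-restore step, plus a check of how existing AGE graph data moves from 1.6.0 to 1.7.0. The same applies to developers who have an existing volume behind the `postgres` service in compose.yaml.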

deploy/apps/kartograph/base/spicedb-deployment.yaml

Lines changed: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ spec:
3939
echo "Migration complete!"
4040
containers:
4141
- name: spicedb
42-
image: authzed/spicedb:v1.48.0
42+
image: authzed/spicedb:v1.50.0
4343
imagePullPolicy: IfNotPresent
4444
securityContext:
4545
runAsNonRoot: true

src/api/Dockerfile

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
# Build stage - using Red Hat UBI9 Python image
2-
FROM registry.access.redhat.com/ubi9/python-312:9.7-1765181854 AS builder
2+
FROM registry.access.redhat.com/ubi9/python-312@sha256:d7b4607a07e0e831e7ea9a66d91dc39251ae3ce17bad540f2d19e44407073f9b AS builder
33

44
# Install build dependencies for psycopg2 compilation
55
USER 0
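
Review bot: the `FROM` on line 2 replaces the readable tag `9.7-1765181854` with a bare digest, so a reader can no longer tell which UBI9 release the build uses or whether a later bump moves forward or backward. Keep the digest for immutability but record the tag it corresponds to, either in a comment above the line or in the `name:tag@sha256:...` form, which still resolves by digest.
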
@@ -37,7 +37,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
3737

3838

3939
# Production stage - using Red Hat UBI9 Python image
40-
FROM registry.access.redhat.com/ubi9/python-312:9.7-1765181854
40+
FROM registry.access.redhat.com/ubi9/python-312@sha256:d7b4607a07e0e831e7ea9a66d91dc39251ae3ce17bad540f2d19e44407073f9b
4141
# It is important to use the image that matches the builder, as the path to the
4242
# Python executable must be the same
4343
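
Review bot: the digest on line 40 is a second hand-copied instance of the one on line 2, while the comment on lines 41-42 says the production stage must use the image that matches the builder. Declare the reference once with an `ARG` before the first `FROM` (for example a hypothetically named `BASE_IMAGE`) and use `FROM ${BASE_IMAGE}` in both stages, so a future update cannot change one stage without the other.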
