This Pull Request fixes the Qdrant startup error on the Staging and Testing environments.
### 🔍 Cause of the Bug
The official `qdrant/qdrant:latest` image is built on `debian-slim` and **does not contain `curl` or `wget`**. Changing the healthcheck to `curl` caused Qdrant to exit with status `127` (command not found), marking the service as unhealthy/error in Docker.
### 🛠️ Solution
Reverts the healthcheck in both `docker-compose.stage.yml` and `docker-compose.test.yml` to the robust, built-in bash TCP socket check:
```yaml
healthcheck:
test: ["CMD-SHELL", "bash -c 'exec 3<>/dev/tcp/127.0.0.1/6333'"]
```
Successfully validated locally and tested compilation.
---------
Co-authored-by: Marek Jasiński <jasins.marek@gmail.com>
Reviewed-on: #68
Co-authored-by: Antigravity <antigravity@google.com>
Co-committed-by: Antigravity <antigravity@google.com>
This pull request introduces the dedicated containerized infrastructure and configuration for deploying NexusReader's beta version in the Test environment.
### Summary of Changes
1. **Docker Infrastructure & Secrets**:
- **`docker-compose.test.yml`**: Configured dedicated database and auxiliary services (PostgreSQL 17, Qdrant, Neo4j) on isolated, non-standard ports to ensure zero conflict with the existing server configurations.
- **`.env.test.template`**: Provided an environment variable template showing required setups, including mandatory database passwords, API keys, and admin custom passwords.
- **`.gitignore`**: Excluded local `.env` files to prevent accidental commits of production or staging secrets.
2. **Database Hardening**:
- Configured Neo4j with basic authentication (`IDriver` instantiation uses basic auth when credentials are provided in configuration).
- Configured PostgreSQL to use mandatory authentication.
- Configured the admin seeder (`DbInitializer.cs`) to dynamically use `NEXUS_ADMIN_PASSWORD` from environment variables, falling back to a default password in local Development only.
3. **Feature-Flagged Restrictions**:
- **`appsettings.Test.json`**: Implemented `Features:AllowRegistration` and `Features:AllowPasswordReset` flags set to `false`.
- **Middleware Enforcement (`Program.cs`)**: Intercepts requests to `/identity/register` and `/identity/forgotPassword` (and their MVC/form variations) and rejects them with a `403 Forbidden` response in restricted environments.
- **OAuth Provisioning Guard (`Program.cs`)**: Blocks new account provisioning via Google OAuth callback by checking the `Features:AllowRegistration` configuration, redirecting users to the login page with a descriptive error.
- **UI Protection (`Login.razor`, `Register.razor`)**: Conditionally hides registration/password reset links and intercepts manual navigation attempts to `/account/register` by redirecting to login with a warning.
---------
Co-authored-by: Marek Jasiński <jasins.marek@gmail.com>
Reviewed-on: #56
Co-authored-by: Antigravity <antigravity@google.com>
Co-committed-by: Antigravity <antigravity@google.com>