prod: sync production fixes - agent lifecycle, docker fallback, compose hardening

docker/Dockerfile.agent-worker

@@ -18,10 +18,22 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
     ./cmd/agent-worker
 
 # ─── Stage 2: Runtime ──────────────────────────────────────────────────────────
-# Минимальный образ: только бинарь + CA certs (для HTTPS к LLM API)
 FROM alpine:3.21
 
-RUN apk add --no-cache ca-certificates tzdata
+# Runtime tools needed by the agent's tool executor:
+#   bash    — shell_exec uses bash -c (falls back to sh)
+#   curl    — http_request + docker socket API fallback in docker_exec
+#   wget    — healthcheck
+#   jq      — JSON processing in shell scripts
+#   python3 — docker_exec socket fallback (docker ps via API)
+RUN apk add --no-cache \
+    ca-certificates \
+    tzdata \
+    bash \
+    curl \
+    wget \
+    jq \
+    python3
 
 WORKDIR /app