feat: team module, multi-stage Dockerfile, doctor utils, AI config overhaul

- Team module: POST /api/team/members (in-place employee creation with
  temp password + Redis cache), PUT /api/team/members/:id, GET temp
  password endpoint. Uses signUpInWorkspace — no email invites.
- Dockerfile: rewritten as multi-stage build (builder + runtime) so
  native modules compile for target arch. Fixes darwin→linux crash.
- .dockerignore: exclude dist, node_modules, .env, .git, data/
- package-lock.json: regenerated against public npmjs.org (was
  pointing at localhost:4873 Verdaccio — broke docker builds)
- Doctor utils: shared DOCTOR_VISIT_SLOTS_FRAGMENT + normalizeDoctors
  helper for visit-slot-aware queries across 6 consumers
- AI config: full admin CRUD (GET/PUT/POST reset), workspace-scoped
  setup-state with workspace ID isolation, AI prompt defaults overhaul
- Agent config: camelCase field fix for SDK-synced workspaces
- Session service: workspace-scoped Redis key prefixing for setup state
- Recordings/supervisor/widget services: updated to use doctor-utils
  shared fragments instead of inline visitingHours queries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -1,7 +1,58 @@
+# syntax=docker/dockerfile:1.7
+#
+# Multi-stage build for the helix-engage sidecar.
+#
+# Why multi-stage instead of "build on host, COPY dist + node_modules"?
+# The host (developer Mac, CI runner) is rarely the same architecture
+# as the target (linux/amd64 EC2 / VPS). Copying a host-built
+# node_modules brings darwin-arm64 native bindings (sharp, livekit,
+# fsevents, etc.) into the runtime image, which crash on first import.
+# This Dockerfile rebuilds inside the target-platform container so
+# native bindings are downloaded/compiled for the right arch.
+#
+# The build stage runs `npm ci` + `nest build`, then `npm prune` to
+# strip dev deps. The runtime stage carries forward only `dist/`,
+# the pruned `node_modules/`, and `package.json`.
+
+# --- Builder stage ----------------------------------------------------------
+FROM node:22-slim AS builder
+WORKDIR /app
+
+# Build deps for any native modules whose prebuilt binaries miss the
+# target arch. Kept minimal — node:22-slim already ships most of what's
+# needed for the deps in this project, but python/make/g++ are the
+# canonical "I might need to gyp-rebuild" trio.
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+        python3 \
+        make \
+        g++ \
+ && rm -rf /var/lib/apt/lists/*
+
+# Lockfile-only install first so this layer caches when only source
+# changes — much faster repeat builds.
+COPY package.json package-lock.json ./
+RUN npm ci --no-audit --no-fund --loglevel=verbose
+
+# Source + build config
+COPY tsconfig.json tsconfig.build.json nest-cli.json ./
+COPY src ./src
+
+RUN npm run build
+
+# Strip dev dependencies so the runtime image stays small.
+RUN npm prune --omit=dev
+
+
+# --- Runtime stage ----------------------------------------------------------
 FROM node:22-slim
 WORKDIR /app
-COPY dist ./dist
-COPY node_modules ./node_modules
-COPY package.json ./
+
+# Bring across only what the runtime needs. Source, dev deps, build
+# tooling all stay in the builder stage and get discarded.
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./
+
 EXPOSE 4100
 CMD ["node", "dist/main.js"]