feat: configurable k8s resources, CSIC training pipeline, unified Dockerfile

- Make K8s namespace, TLS secret, and config ConfigMap names configurable
  via [kubernetes] config section (previously hardcoded to "ingress")
- Add CSIC 2010 dataset converter and auto-download for scanner training
- Unify Dockerfile for local and production builds (remove cross-compile path)
- Bake ML models directory into container image
- Update CSIC dataset URL to self-hosted mirror (src.sunbeam.pt)
- Fix rate_limit pipeline log missing fields
- Consolidate docs/README.md into root README.md

Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>
2026-03-10 23:38:20 +00:00
parent 0baab92141
commit a5810dd8a7
23 changed files with 946 additions and 514 deletions


@@ -1,17 +1,10 @@
# ── Stage 1: build ──────────────────────────────────────────────
# rust:slim tracks the latest stable Rust release.
# Multi-arch image; Docker buildx selects the native platform image.
FROM rust:slim AS builder
ARG TARGETARCH
# musl-tools: musl-gcc for static linking.
# curl: download tini init binary.
# No cmake/go needed: we use the rustls feature flag (pure Rust TLS).
RUN apt-get update && apt-get install -y musl-tools curl cmake && rm -rf /var/lib/apt/lists/*
# Map Docker TARGETARCH to the appropriate Rust musl target,
# then configure Cargo to use musl-gcc as the linker for that target.
RUN case "${TARGETARCH}" in \
"amd64") RUST_TARGET="x86_64-unknown-linux-musl" ;; \
"arm64") RUST_TARGET="aarch64-unknown-linux-musl" ;; \
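Review bot: the builder-stage comment says no cmake is needed because TLS comes from the rustls feature, but the `apt-get install -y musl-tools curl cmake` line in the same hunk still installs it; either drop `cmake` from the install list or correct the comment, since a stale note about build dependencies is exactly what the next reader will trust. Separately, `FROM rust:slim` with no version tag or digest means each rebuild can pick up a different toolchain, which makes the image non-reproducible and widens the supply-chain surface; pinning a specific version tag (or a `@sha256:` digest) and bumping it deliberately keeps the build deterministic.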
@@ -26,24 +19,17 @@ RUN case "${TARGETARCH}" in \
ENV RUSTFLAGS="-C target-feature=+crt-static"
WORKDIR /build
# Cache dependency compilation separately from source changes.
# RUSTFLAGS must match the real build or Cargo will recompile everything.
COPY Cargo.toml Cargo.lock ./
RUN mkdir src && \
echo 'fn main() {}' > src/main.rs && \
cargo build --release --target "$(cat /rust-target)" ; \
rm -rf src
# Build the real binary.
COPY src/ ./src/
RUN touch src/main.rs && \
cargo build --release --target "$(cat /rust-target)" && \
cp "target/$(cat /rust-target)/release/sunbeam-proxy" /sunbeam-proxy
# Download tini static init binary (musl, no glibc dependency).
# tini as PID 1 ensures the container stays alive when Pingora re-execs itself
# during a graceful upgrade: the new process is re-parented to tini, and tini
# correctly reaps the old process when it exits after draining connections.
RUN case "${TARGETARCH}" in \
"amd64") TINI_ARCH="amd64" ;; \
"arm64") TINI_ARCH="arm64" ;; \
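Review bot: in the dependency-caching step, `cargo build --release --target "$(cat /rust-target)" ; \` followed by `rm -rf src` joins the two commands with `;`, so a failure while compiling dependencies does not fail the layer and only surfaces in the real build below, where it is harder to attribute; if swallowing that failure is intentional, say so in the comment, otherwise use `&&`. It would also help to state in the comment why `touch src/main.rs` is needed (the copied sources can carry an older mtime than the stub build's artifacts, so without the touch Cargo may reuse the dummy binary).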
@@ -54,14 +40,12 @@ RUN case "${TARGETARCH}" in \
chmod +x /tini
# ── Stage 2: distroless final ────────────────────────────────────
# cgr.dev/chainguard/static is multi-arch (amd64 + arm64).
# No shell, no package manager — minimal attack surface.
FROM cgr.dev/chainguard/static:latest
COPY --from=builder /tini /tini
COPY --from=builder /sunbeam-proxy /usr/local/bin/sunbeam-proxy
COPY models/ /models/
EXPOSE 80 443
# tini as PID 1 so Pingora's graceful-upgrade re-exec doesn't kill the container.
ENTRYPOINT ["/tini", "--", "/usr/local/bin/sunbeam-proxy"]
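Review bot: `FROM cgr.dev/chainguard/static:latest` floats the runtime base image, so the distroless layer that the "minimal attack surface" comment relies on can change underneath the build without any change to this file; pin it by digest (`cgr.dev/chainguard/static@sha256:<digest>`, placeholder) and update it deliberately. `COPY models/ /models/` now bakes the ML models into the image with no note on where `models/` comes from or how it is refreshed, so model updates require an image rebuild and the model files become part of what image scanning and review must cover; a short comment on their provenance would help. Also, `EXPOSE 80 443` is documentation only: the chainguard static image runs as a non-root user by default, so binding those ports needs `CAP_NET_BIND_SERVICE` or an unprivileged-port sysctl in the pod spec, worth a comment here if that is handled in the Kubernetes manifests.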