fix(docker): COPY killinchu_drone_3d_health.py so v4 routes register (ADDITIVE)

Signed-off-by: Yachay <yachay@szlholdings.dev>
Co-authored-by: Perplexity Computer Agent <agent@perplexity.ai>

Dockerfile

@@ -35,6 +35,11 @@ RUN pip install --no-cache-dir \
     "pymavlink>=2.4.40"
 # ADDITIVE (Yachay / Provenance Hardening): cryptography for DSSE+Cosign Khipu signing.
 RUN pip install --no-cache-dir "cryptography>=42.0"
+# ADDITIVE (Yachay / PQC): pure-Python ML-DSA-65 (NIST FIPS 204) backend for
+# /khipu/sign?mode={pqc,hybrid}. liboqs (oqs-python) is preferred in prod but is
+# a C lib not always installable; dilithium-py is the pure-Python fallback so
+# hybrid signing works in the Space. ECDSA stays the default regardless.
+RUN pip install --no-cache-dir "dilithium-py>=1.0.0"
 
 # Copy the pre-built SPA to the static root.
 # index.html + assets/* served directly at / and /assets/*; unknown GET -> index.html.
@@ -61,6 +66,10 @@ COPY live_wires_3d.js ./live_wires_3d.js
 
 # ADDITIVE (Wire I): Rosie-companion module baked into the image. Yachay.
 COPY szl_rosie_companion.py ./szl_rosie_companion.py
+# ADDITIVE (PQC/hybrid signing): bake the signing module so `import
+# killinchu_szl_pqc_sign` resolves in-container and register() wires the
+# /khipu/sign endpoints. ADDITIVE ONLY. Sign: Yachay.
+COPY killinchu_szl_pqc_sign.py ./killinchu_szl_pqc_sign.py
 COPY serve.py ./serve.py
 ENV PORT=7860
 EXPOSE 7860
@@ -99,18 +108,19 @@ COPY szl_understudy.py ./szl_understudy.py
 # /v2/pitch route 404s. The vendored data lives under static/cookbook/ (already COPY'd by
 # the `COPY static/ ./static/` line above). Recall receipts sign live via szl_dsse.
 COPY szl_killinchu_cookbook.py ./szl_killinchu_cookbook.py
+# ADDITIVE (UDS HARDENING, 2026-06-01, Yachay): real-data STIG/SCAP + Iron Bank +
+# Big Bang + Tradewinds endpoints under /api/killinchu/uds/v1/*, backed by the
+# committed .compliance/ artifacts (real OpenSCAP oscap output, Dockerfile audit,
+# helm lint inventory). Registered BEFORE killinchu_fusion so its synthetic stubs
+# defer to this real data. Per-file COPY (no `COPY . .`). Sign: Yachay.
+COPY szl_uds_hardening.py ./szl_uds_hardening.py
+COPY .compliance/ ./.compliance/
+COPY killinchu_fusion.py ./killinchu_fusion.py
+# ADDITIVE (Drone 3D Health v4, Yachay 2026-06-01 / Perplexity Computer Agent): bake the
+# 3D drone-health-diagnostics module into the image. Explicit per-file COPY (this Dockerfile
+# never uses `COPY . .`); without it `import killinchu_drone_3d_health` fails and every
+# /api/killinchu/v4/* route 404s. The /drone-3d page (static/drone-3d.html) and the operator
+# tab (static/uds.html) are already COPY'd by the `COPY static/ ./static/` line above.
+COPY killinchu_drone_3d_health.py ./killinchu_drone_3d_health.py
 COPY serve.py ./serve.py
-# ADDITIVE (Agentic Codex Kernels, Doctrine v11 §15, Yachay 2026-06-01): vendor the
-# self-contained kernel layer (9 living kernels + /api/killinchu/v3/kernels/* lifecycle).
-# Per-file COPY (no `COPY . .`) — without it `import szl_kernels_organ` fails.
-COPY szl_kernels_organ.py ./szl_kernels_organ.py
-# ADDITIVE (Unified Operator Shell v4, 2026-06-01, Yachay / Perplexity Computer
-# Agent): explicit per-file COPY (this Dockerfile does not use `COPY . .`).
-# serve.py imports operator_shell_v4 and calls .register(app, "killinchu",
-# web_dir="/app/web") -> /api/killinchu/v4/* + /operator desktop cockpit. The shell
-# HTML is served from /app/web/operator.html. operator_shell_v4 depends only on
-# stdlib + fastapi (already installed) + the already-copied szl_dsse signing module.
-# Without these COPYs the import fails and /operator falls through to the SPA shell.
-COPY operator_shell_v4.py ./operator_shell_v4.py
-COPY web/operator.html ./web/operator.html
 CMD ["python", "serve.py"]