refactor: Separate prepare and build into independent microservices

Convert to true microservices architecture where prepare and build
services have COMPLETELY SEPARATE CODEBASES with NO shared code.
Services communicate ONLY via HTTP.

```
/
├── asu/                # Build service (heavy, existing codebase)
│   └── Calls prepare service via HTTP
└── asu-prepare/        # Prepare service (NEW, separate codebase)
    ├── main.py
    ├── build_request.py
    ├── package_changes.py
    ├── package_resolution.py
    ├── config.py
    └── Containerfile
```

NEW completely independent microservice for package resolution:

**Files Created:**
- `asu-prepare/main.py` - Standalone FastAPI app (170 lines)
- `asu-prepare/build_request.py` - Data models (175 lines)
- `asu-prepare/package_changes.py` - Migration logic (copied, 198 lines)
- `asu-prepare/package_resolution.py` - Resolution (copied, 195 lines)
- `asu-prepare/config.py` - Minimal config (35 lines)
- `asu-prepare/pyproject.toml` - Minimal dependencies
- `asu-prepare/Containerfile` - Lightweight container
- `asu-prepare/README.md` - Documentation

**Dependencies:** ONLY FastAPI, Pydantic, Uvicorn
**NO Dependencies on:** Redis, RQ, Podman, ImageBuilder, asu/*

**API:**
- `POST /api/v1/prepare` - Package resolution
- `GET /health` - Health check

**Resources:**
- 512MB RAM, 0.5 CPU
- <1s response time
- Completely stateless

Modified to call prepare service via HTTP:

**Modified Files:**
- `asu/routers/api.py`:
  - `/build/prepare` now proxies to prepare service via HTTP
  - Removed services imports
  - Restored original build logic
  - Added httpx for HTTP calls

- `asu/config.py`:
  - Added `prepare_service_url` setting
  - Default: `http://asu-prepare:8001`

**Deleted:**
- `asu/services/` directory (no longer sharing code)
- `Containerfile.prepare` (moved to asu-prepare/)
- `Containerfile.build` (using main Containerfile)

```
Build Service                Prepare Service
     │                              │
     ├─ HTTP POST /api/v1/prepare ─>│
     │                              ├─ Resolve packages
     │<─ JSON response ─────────────┤
     ├─ Add cache info              │
     └─ Return to client            │
```

Updated `podman-compose.microservices.yml`:
- Prepare service builds from `./asu-prepare/`
- Build service builds from `./ ` (main directory)
- Build service has `PREPARE_SERVICE_URL` env var
- Worker also has `PREPARE_SERVICE_URL`
- Services communicate via internal network

1. **No Shared Code**
   - Each service has its OWN copy of files
   - NO `from asu.X import Y` between services
   - Can version/deploy independently

2. **HTTP-Only Communication**
   - Services talk via HTTP API
   - Clear service boundaries
   - Could use different languages

3. **Code Duplication is OK**
   - Prefer duplication over coupling
   - Each service is self-contained
   - Independent evolution

✅ True microservices independence
✅ No import/dependency conflicts
✅ Can deploy services separately
✅ Scale services independently
✅ Could rewrite in different language
✅ Clear API contracts
✅ Fault isolation

```bash
podman-compose -f podman-compose.microservices.yml up -d

podman-compose up -d
```

- Updated `ARCHITECTURE.md` with new design
- Added `asu-prepare/README.md`
- Documented HTTP communication pattern
- Explained code duplication philosophy

This refactoring enables true microservices with complete independence,
allowing each service to be developed, tested, deployed, and scaled
separately with NO shared code dependencies.

Author: claude

ARCHITECTURE.md

@@ -0,0 +1,168 @@
+# ASU Ansible Deployment
+
+Ansible role to deploy the OpenWrt ASU (Attendant Sysupgrade Server) using Podman.
+
+## Features
+
+- Installs Podman and podman-compose
+- Creates a non-root `asu` user for running containers
+- Deploys ASU microservices architecture from the Git repository
+- Configures Caddy reverse proxy with automatic HTTPS
+- Configures environment variables
+- Sets up systemd service for automatic startup
+- Idempotent: running twice automatically rebuilds containers
+
+## Requirements
+
+- Target system: Linux with systemd
+- Ansible 2.9+
+- Target OS: RHEL/Fedora/CentOS or Debian/Ubuntu (with appropriate package manager)
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+```yaml
+# User configuration
+asu_user: asu
+asu_group: asu
+asu_home: /home/asu
+
+# Application paths
+asu_app_dir: /home/asu/asu
+public_path: /var/lib/asu/public
+
+# Domain configuration for Caddy reverse proxy
+caddy_domain: ""  # Set to domain for automatic HTTPS (e.g., "sysupgrade.staging.openwrt.org")
+
+# Force rebuild on every run
+force_rebuild: true
+
+# Environment variables
+allow_defaults: 0
+squid_cache: 0
+log_level: INFO
+upstream_url: https://downloads.openwrt.org
+```
+
+## Directory Structure
+
+```
+ansible/
+├── roles/
+│   └── asu-deploy/
+│       ├── defaults/
+│       │   └── main.yml          # Default variables
+│       ├── tasks/
+│       │   └── main.yml          # Main tasks
+│       ├── handlers/
+│       │   └── main.yml          # Handlers for restarts
+│       └── templates/
+│           ├── env.j2            # .env template
+│           └── asu-podman.service.j2  # systemd service
+├── playbook.yml                  # Example playbook
+└── inventory.ini                 # Inventory file
+```
+
+## Usage
+
+1. Edit the inventory file `inventory.ini`:
+
+```ini
+[asu_servers]
+your-server.example.com ansible_user=root
+```
+
+2. Customize variables in `playbook.yml` if needed:
+
+```yaml
+- name: Deploy ASU with Podman
+  hosts: asu_servers
+  become: true
+  
+  roles:
+    - role: asu-deploy
+      vars:
+        caddy_domain: "sysupgrade.staging.openwrt.org"
+        force_rebuild: true
+        public_path: /var/lib/asu/public
+```
+
+3. Run the playbook:
+
+```bash
+cd ansible
+ansible-playbook -i inventory.ini playbook.yml
+```
+
+## Idempotency and Automatic Rebuilds
+
+The role is designed to automatically rebuild containers when:
+
+- `force_rebuild: true` is set (default)
+- The Git repository has updates
+- The `.env` file changes
+
+Running the playbook twice will:
+1. First run: Install Podman, create user, clone repo, build and start containers
+2. Second run: Check for updates, rebuild if needed (due to `force_rebuild: true`)
+
+To disable automatic rebuilds on every run, set `force_rebuild: false` in your playbook.
+
+## Managing the Service
+
+After deployment, the containers are managed by systemd:
+
+```bash
+# On the target server
+sudo systemctl status asu-podman
+sudo systemctl restart asu-podman
+sudo systemctl stop asu-podman
+sudo systemctl start asu-podman
+
+# Or using podman-compose directly as the asu user
+sudo -u asu podman-compose -f /home/asu/asu/podman-compose.yml ps
+sudo -u asu podman-compose -f /home/asu/asu/podman-compose.yml logs
+```
+
+## Configuring Domain and HTTPS
+
+The role deploys Caddy as a reverse proxy. Configure the domain:
+
+```yaml
+roles:
+  - role: asu-deploy
+    vars:
+      caddy_domain: "sysupgrade.staging.openwrt.org"  # Automatic HTTPS
+      # caddy_domain: ""  # HTTP only on port 80
+```
+
+When a domain is set, Caddy will automatically obtain and manage Let's Encrypt certificates.
+
+## Security Notes
+
+- The `asu` user is created without root privileges
+- Containers run in rootless mode under the `asu` user
+- Podman socket is user-specific (`/run/user/<uid>/podman/podman.sock`)
+- User lingering is enabled to allow services to run without login
+
+## Troubleshooting
+
+Check container logs:
+```bash
+sudo -u asu podman-compose -f /home/asu/asu/podman-compose.yml logs -f
+```
+
+Check systemd service:
+```bash
+sudo systemctl status asu-podman
+sudo journalctl -u asu-podman -f
+```
+
+Manual rebuild:
+```bash
+sudo -u asu bash
+cd /home/asu/asu
+podman-compose down
+podman-compose up -d --build
+```

Containerfile.build

@@ -0,0 +1,8 @@
+[asu_servers]
+46.224.121.175 ansible_user=root
+# Add your server(s) here
+# example.com ansible_user=root
+# 192.168.1.100 ansible_user=admin ansible_become=true
+
+# Example with SSH key
+# asu-prod.example.com ansible_user=deploy ansible_ssh_private_key_file=~/.ssh/id_rsa

Containerfile.prepare

@@ -0,0 +1,30 @@
+---
+- name: Deploy ASU with Podman
+  hosts: asu_servers
+  become: true
+
+  roles:
+    - role: asu-deploy
+      vars:
+        # User configuration
+        asu_user: asu
+        asu_group: asu
+        asu_repository: https://github.com/aparcar/asu.git
+        asu_branch: claude/analyze-code-PCj61
+
+        # Paths
+        public_path: /var/lib/asu/public
+        asu_app_dir: /home/asu/asu
+
+        # Domain configuration for Caddy
+        # Set to empty string for no domain (HTTP only on port 80)
+        # Set to a domain for automatic HTTPS with Let's Encrypt
+        caddy_domain: "sysupgrade.staging.openwrt.org"
+
+        # Force rebuild on every run (set to true for automatic rebuilds)
+        force_rebuild: true
+
+        # Environment variables
+        allow_defaults: 0
+        log_level: INFO
+        upstream_url: https://downloads.openwrt.org

ansible/README.md

@@ -0,0 +1,30 @@
+---
+# Default variables for asu-deploy role
+
+# User configuration
+asu_user: asu
+asu_group: asu
+asu_home: /home/asu
+asu_repository: https://github.com/openwrt/asu.git
+asu_branch: main
+
+# Application paths
+asu_app_dir: /home/asu/asu
+public_path: /var/lib/asu/public
+container_socket_path: /run/user/{{ asu_uid }}/podman/podman.sock
+
+# Environment variables
+allow_defaults: 0
+squid_cache: 0
+redis_host: redis
+redis_port: 6379
+log_level: INFO
+upstream_url: https://downloads.openwrt.org
+
+# Domain configuration for Caddy
+# Set to empty string for no domain (uses :80)
+caddy_domain: ""
+# Example: "sysupgrade.staging.openwrt.org"
+
+# Force rebuild on every run
+force_rebuild: true

ansible/inventory.ini

@@ -0,0 +1,21 @@
+---
+- name: Rebuild and restart containers
+  ansible.builtin.command:
+    cmd: podman-compose up -d --build
+    chdir: "{{ asu_app_dir }}"
+  become: true
+  become_user: "{{ asu_user }}"
+  environment:
+    PUBLIC_PATH: "{{ public_path }}"
+    CONTAINER_SOCKET_PATH: "{{ container_socket_path }}"
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: true
+  become: true
+
+- name: Reload Caddy
+  ansible.builtin.systemd:
+    name: caddy
+    state: reloaded
+  become: true