Add /admin/version endpoint exposing alembic_version and expected head

[madebygps]

Follow-up from incident #432.

Background

Today, to answer "is the prod DB at the schema this code expects?" you have to either psql with Entra auth or grep Log Analytics. A simple endpoint would expose this to dashboards, ops scripts, and ad-hoc curl checks.

Proposed implementation

New route GET /admin/version (auth-gated to admins; or unauth and rate-limited if it's just public metadata). Returns:

{
  "git_sha": "fe8e385...",
  "image_built_at": "2026-05-21T22:17Z",
  "alembic_db_head": "0023_rename_ci_status_submission_type",
  "alembic_code_head": "0023_rename_ci_status_submission_type",
  "in_sync": true
}

alembic_code_head comes from ScriptDirectory.from_config(...).get_heads() at boot (cached); alembic_db_head from MigrationContext.configure(conn).get_current_heads() on each request (cheap). in_sync is the equality check.

Acceptance criteria

• Endpoint returns 200 with the four fields when DB is reachable.
• in_sync: false when DB head doesn't match code head.
• Cached enough to handle dashboard polling without per-call DB hits if that becomes a concern (e.g., 30s TTL on the DB read).

Source

Tier 3 follow-up from the post-mortem for #432. Gives ops a programmatic always-on schema-status check.