fix(pii): listen on 5001 to avoid app :3000 collision (awsvpc) (#5182)

* fix(pii): bind a configurable $PORT to avoid app :3000 collision

The pii image hardcoded uvicorn --port 3000 and ignored env. In the app ECS
task (awsvpc) all containers share one network namespace, and the app owns
3000 — so the sidecar must listen elsewhere (the stock presidio images honored
PORT and ran on 5002/5001). Bind ${PORT} (shell-form CMD), default 5001, and
update EXPOSE/HEALTHCHECK accordingly so the taskdef can set PORT=5001.

Verified: default binds 5001; PORT=5002 override binds 5002; /analyze works on
the overridden port.

* fix(pii): hardcode port 5001 (drop $PORT indirection)

EXPOSE can't be parameterized, so the configurable-PORT approach left EXPOSE
showing 5001 regardless (Greptile P2). We own both the image and the taskdef
and only ever need 5001, so hardcode it: exec-form CMD on 5001, EXPOSE 5001,
healthcheck on 5001. Runtime cmdline is identical to the verified ${PORT}
default (uvicorn ... --port 5001).

Author: TheodoreSpeaks

docker/pii.Dockerfile

@@ -38,11 +38,13 @@ RUN groupadd -g 1001 pii && \
     chown -R pii:pii /app
 USER pii
 
-EXPOSE 3000
+# Listen on 5001. In the ECS task all containers share one network namespace
+# (awsvpc) and the app owns 3000, so this sidecar must not use 3000.
+EXPOSE 5001
 
 # start-period is generous: five large spaCy models load at import before
 # /health responds. Tune against measured cold-start once built.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=180s --retries=3 \
-    CMD curl -fsS http://localhost:3000/health || exit 1
+    CMD curl -fsS http://localhost:5001/health || exit 1
 
-CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "3000"]
+CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "5001"]