1. Kuma import now maps push monitor tokens (generates crypto/rand
token) and paused state (Active=false → Paused=true). Previously
push monitors imported with empty token sat DOWN forever, and
paused Kuma monitors came in unpaused and started alerting.
2. Dockerfile adds HEALTHCHECK against /api/health on port 8080.
Container orchestrators can now detect unhealthy instances.
3. migrate-secrets sets the encryptor before loading alerts, so
already-encrypted settings are decrypted correctly on second run
instead of failing with a JSON unmarshal error.
4. docker-compose.yml adds container hardening: read_only filesystem,
cap_drop ALL, no-new-privileges, tmpfs for /tmp.
lerko
