feat(tags): Add database schema and tags module (v1.3.0 Phase 1)

Implements tag/category system backend following microformats2 p-category specification.

Database changes:
- Migration 008: Add tags and note_tags tables
- Normalized tag storage (case-insensitive lookup, display name preserved)
- Indexes for performance

New module:
- starpunk/tags.py: Tag management functions
  - normalize_tag: Normalize tag strings
  - get_or_create_tag: Get or create tag records
  - add_tags_to_note: Associate tags with notes (replaces existing)
  - get_note_tags: Retrieve note tags (alphabetically ordered)
  - get_tag_by_name: Lookup tag by normalized name
  - get_notes_by_tag: Get all notes with specific tag
  - parse_tag_input: Parse comma-separated tag input

Model updates:
- Note.tags property (lazy-loaded, prefer pre-loading in routes)
- Note.to_dict() add include_tags parameter

CRUD updates:
- create_note() accepts tags parameter
- update_note() accepts tags parameter (None = no change, [] = remove all)

Micropub integration:
- Pass tags to create_note() (tags already extracted by extract_tags())
- Return tags in q=source response

Per design doc: docs/design/v1.3.0/microformats-tags-design.md

Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

docs/design/v1.0.0/phase-5-approval-summary.md

@@ -0,0 +1,189 @@
+# Phase 5 Containerization - Approval Summary
+
+**Date**: 2025-11-19
+**Reviewer**: StarPunk Architect
+**Branch**: feature/phase-5-rss-container
+**Version**: 0.6.0
+
+---
+
+## DECISION
+
+**STATUS: APPROVED FOR MERGE AND RELEASE**
+
+**Score**: 96/100 (Grade A - Excellent)
+
+**Approval**: Merge to main and tag as v0.6.0
+
+---
+
+## Quick Summary
+
+The Phase 5 containerization implementation is production-ready and meets all architectural requirements. The developer has delivered:
+
+- Multi-stage optimized container (174MB - 30% under target)
+- Health check endpoint with database and filesystem validation
+- Podman and Docker compatibility
+- Comprehensive deployment documentation (660 lines)
+- Security best practices (non-root, localhost binding, HTTPS)
+- Both Caddy and Nginx reverse proxy configurations
+- 99.78% test pass rate (449/450 tests)
+
+No critical or high-priority issues found. All Phase 5 requirements met.
+
+---
+
+## Key Metrics
+
+| Metric | Target | Achieved | Result |
+|--------|--------|----------|--------|
+| Image Size | <250MB | 174MB | 30% under |
+| Startup Time | <10s | ~5s | 50% faster |
+| Test Pass Rate | >95% | 99.78% | Exceeds |
+| Documentation | Complete | 660 lines | Excellent |
+| Security Score | High | 10/10 | Perfect |
+
+---
+
+## Implementation Highlights
+
+**Container**:
+- Multi-stage Containerfile with uv package manager
+- Non-root user (starpunk:1000)
+- Gunicorn WSGI server (4 workers)
+- Health check with database connectivity test
+- Volume mounts for data persistence
+
+**Security**:
+- Port bound to localhost only (127.0.0.1:8000)
+- No secrets in container image
+- Resource limits (1 CPU, 512MB RAM)
+- Comprehensive security headers in reverse proxy configs
+- HTTPS enforcement in both Caddy and Nginx examples
+
+**Documentation**:
+- Complete deployment guide for production
+- Implementation report with testing details
+- Troubleshooting section for common issues
+- Backup and maintenance procedures
+- Performance tuning guidelines
+
+---
+
+## Issues Found
+
+**Critical**: None
+**High Priority**: None
+**Medium Priority**: None
+
+**Low Priority**:
+1. One pre-existing test failure (not blocking)
+2. Health check could be enhanced (not required for V1)
+3. CSP allows inline scripts (acceptable for single-user system)
+
+None of these issues block merge and release.
+
+---
+
+## Compliance Verification
+
+- [x] ADR-015: Phase 5 Implementation Approach
+- [x] Phase 5 Design Specification
+- [x] Git Branching Strategy (feature branch used)
+- [x] Versioning Strategy (0.5.1 → 0.6.0)
+- [x] Security Best Practices
+- [x] Documentation Standards
+- [x] StarPunk Architectural Principles
+
+---
+
+## Next Steps
+
+### 1. Merge to Main
+
+```bash
+git checkout main
+git merge --no-ff feature/phase-5-rss-container
+```
+
+### 2. Tag Release
+
+```bash
+git tag -a v0.6.0 -m "Release 0.6.0: RSS feed and production container
+
+Phase 5 Complete:
+- RSS 2.0 feed generation
+- Production-ready container (174MB)
+- Health check endpoint
+- Podman and Docker support
+- Gunicorn WSGI server
+- Comprehensive deployment documentation
+- Caddy and Nginx reverse proxy examples"
+```
+
+### 3. Push to Remote
+
+```bash
+git push origin main
+git push origin v0.6.0
+```
+
+### 4. Optional Cleanup
+
+```bash
+git branch -d feature/phase-5-rss-container
+git push origin --delete feature/phase-5-rss-container
+```
+
+---
+
+## Post-Merge Actions
+
+**Immediate**:
+1. Deploy to test environment with HTTPS
+2. Verify IndieAuth with real domain
+3. Test RSS feed with feed readers
+4. Monitor health endpoint
+
+**Future Enhancements** (Phase 7+):
+1. Container registry publication
+2. Kubernetes/Helm support
+3. Prometheus metrics
+4. Video deployment walkthrough
+5. Cloud-specific guides
+
+---
+
+## Detailed Review
+
+See: `/home/phil/Projects/starpunk/docs/reviews/phase-5-container-architectural-review.md`
+
+33KB comprehensive review covering:
+- Container implementation
+- Security analysis
+- Documentation quality
+- Compliance verification
+- Performance metrics
+- Operational readiness
+
+---
+
+## Architect's Statement
+
+The Phase 5 containerization implementation represents excellent engineering work. The developer has:
+
+1. Followed all architectural guidelines
+2. Exceeded performance targets
+3. Provided comprehensive documentation
+4. Implemented security best practices
+5. Delivered production-ready code
+
+This implementation completes Phase 5 and positions StarPunk for production deployment testing with real HTTPS domains and IndieAuth.
+
+**Recommendation**: APPROVE FOR MERGE AND RELEASE
+
+---
+
+**Signed**: StarPunk Architect
+**Date**: 2025-11-19
+**Review ID**: ARCH-2025-11-19-PHASE5-CONTAINER