
fix(selfhost): remove grafana database access #1553

Merged: JSONbored merged 1 commit into main from codex/fix-grafana-writable-access-to-database on Jun 27, 2026

Conversation

@JSONbored (Owner)

Motivation

  • Prevent Grafana from gaining direct filesystem or query access to the live application SQLite DB and thereby exposing or mutating sensitive tables that contain keys, auth sessions, and private scoring data.
  • Close an introduced configuration gap where a provisioned SQLite datasource plus a read-write volume mount created an unintended authorization boundary for the app database.
  • Provide a safer baseline for the observability profile by steering dashboards to Prometheus/GitHub or a separate reporting replica instead of the live DB.

Description

  • Removed the Grafana mount of the application data volume and dropped the frser-sqlite-datasource plugin from docker-compose.yml so Grafana no longer receives /appdb access.
  • Replaced grafana/provisioning/datasources/sqlite.yml with an intentionally empty datasources: [] and a comment explaining that direct DB access is not allowed.
  • Replaced live-database panels in grafana/dashboards/maintainer-reviews.json with a disabled/notice text panel and updated grafana/dashboards/resource-hub.json wording to no longer claim the DB is surfaced via Grafana.
  • Changes touch only operational/dashboard provisioning files: docker-compose.yml, grafana/provisioning/datasources/sqlite.yml, grafana/dashboards/maintainer-reviews.json, and grafana/dashboards/resource-hub.json.

Testing

  • Ran git diff --check and it passed.
  • Validated modified Grafana dashboards parse as JSON using node and validated changed YAML files parse (via Ruby), both checks succeeded.
  • npm run test:ci could not be completed in this environment due to external network/DNS issues and an actionlint fallback that rejected a custom self-hosted runner label, so the full CI gate was blocked rather than failing.
  • npm audit --audit-level=moderate could not be completed due to the npm audit endpoint returning 403 Forbidden, so dependency-audit steps were blocked.

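The description above closes the gap by hand; a regression guard keeps it closed. The following is an added example (not code from the PR or its repository) that audits the parsed contents of docker-compose.yml and of a Grafana datasource provisioning file and reports every route by which the observability profile could regain access to the live SQLite database: the grafana service mounting the application data volume (read-only mounts included, since the file itself carries keys and sessions), the SQLite datasource plugin being installed through GF_INSTALL_PLUGINS, and a provisioned datasource of the SQLite type. The volume name `appdata`, the service name `grafana`, and the sample documents are constructed; the plugin name is the one the PR names.

```python
"""Regression guard for the Grafana / app-database boundary.

Added example, not code from the PR or its repository. It audits the parsed
contents of docker-compose.yml and of a Grafana datasource provisioning file
and lists every path by which the observability profile would regain access
to the live SQLite database. Volume and service names below are constructed.
"""

APP_DATA_VOLUME = "appdata"                 # constructed: compose volume holding the app DB
SQLITE_PLUGIN = "frser-sqlite-datasource"   # plugin named in the PR description
GRAFANA_SERVICE = "grafana"                 # constructed: compose service name


def _env_as_dict(env):
    """Normalise a compose `environment:` block (mapping or KEY=VALUE list)."""
    if env is None:
        return {}
    if isinstance(env, dict):
        return {k: "" if v is None else str(v) for k, v in env.items()}
    out = {}
    for item in env:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def _mount_source(mount):
    """Return the source of a volume entry in short ("src:dst[:mode]") or long-syntax form."""
    if isinstance(mount, dict):
        return mount.get("source")
    return str(mount).split(":", 1)[0]


def audit_grafana_db_access(compose, datasources, service=GRAFANA_SERVICE):
    """Return a list of findings; an empty list means Grafana has no route to the app DB."""
    findings = []
    svc = (compose.get("services") or {}).get(service) or {}

    # 1. Any mount of the app data volume, read-only included: a read-only
    #    mount still exposes keys and sessions stored in the database file.
    for mount in svc.get("volumes") or []:
        if _mount_source(mount) == APP_DATA_VOLUME:
            findings.append(f"{service} mounts the app data volume: {mount!r}")

    # 2. The SQLite datasource plugin being installed at container start.
    env = _env_as_dict(svc.get("environment"))
    plugins = [p.strip() for p in env.get("GF_INSTALL_PLUGINS", "").split(",") if p.strip()]
    if SQLITE_PLUGIN in plugins:
        findings.append(f"{service} installs {SQLITE_PLUGIN} via GF_INSTALL_PLUGINS")

    # 3. A provisioned datasource of the SQLite type (an empty or comment-only
    #    provisioning file parses to None and counts as no datasources).
    for ds in ((datasources or {}).get("datasources") or []):
        if ds.get("type") == SQLITE_PLUGIN:
            findings.append(f"provisioned datasource {ds.get('name')!r} uses {SQLITE_PLUGIN}")
    return findings


def load_yaml(path):
    """Load a YAML file with PyYAML in CI; imported lazily so the example runs without it."""
    import yaml  # assumption: PyYAML is available where this guard runs
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed sample documents mirroring the before/after state the PR describes.
COMPOSE_BEFORE = {
    "services": {
        "grafana": {
            "image": "grafana/grafana",
            "volumes": ["appdata:/appdb", "grafana-data:/var/lib/grafana"],
            "environment": ["GF_INSTALL_PLUGINS=frser-sqlite-datasource"],
        }
    },
    "volumes": {"appdata": {}, "grafana-data": {}},
}
DATASOURCES_BEFORE = {
    "apiVersion": 1,
    "datasources": [
        {"name": "App DB", "type": "frser-sqlite-datasource", "jsonData": {"path": "/appdb/app.sqlite"}}
    ],
}
COMPOSE_AFTER = {
    "services": {"grafana": {"image": "grafana/grafana", "volumes": ["grafana-data:/var/lib/grafana"]}},
    "volumes": {"appdata": {}, "grafana-data": {}},
}
DATASOURCES_AFTER = {"apiVersion": 1, "datasources": []}   # the intentionally empty file

if __name__ == "__main__":
    for label, compose, ds in (("before", COMPOSE_BEFORE, DATASOURCES_BEFORE),
                               ("after", COMPOSE_AFTER, DATASOURCES_AFTER)):
        found = audit_grafana_db_access(compose, ds)
        print(f"{label}: {'OK' if not found else 'FAIL'}")
        for f in found:
            print("  -", f)
```

In a CI job the two documents would come from `load_yaml("docker-compose.yml")` and `load_yaml("grafana/provisioning/datasources/sqlite.yml")`, and a non-empty result fails the build. The mount check deliberately ignores the `:ro` flag and the long-syntax `read_only` key: the motivation section is about exposure as well as mutation, and a read-only copy of the database still leaks its contents.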

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 26, 2026
@JSONbored JSONbored added the gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. label Jun 26, 2026
@JSONbored JSONbored self-assigned this Jun 26, 2026
@gittensory-orb (Bot) commented Jun 27, 2026


🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review — safe to merge

4 files · 1 AI reviewers · no blockers · readiness 48/100 · CI green · blocked

✅ Approved — safe to merge

Signals (Signal: Result; Evidence)
  • Code review: ✅ No blockers; 1 reviewers, synthesized
  • Linked issue: ⚠️ Missing; No linked issue or no-issue rationale found.
  • Related work: ⚠️ 3 scoped overlaps; Top overlaps are listed below; lower-confidence bulk is hidden.
  • Review load: ❌ 8/20; Readiness component derived from cached public PR metadata and labels; size label size:XS.
  • Validation evidence: ❌ 5/25; Cached preflight status is hold.
  • Open PR queue: ❌ 3/10; 48 open PR(s), 9 likely reviewable, 39 unlinked.
  • Contributor context: ✅ Confirmed; Gittensor contributor JSONbored; Gittensor profile; 81 PR(s), 261 issue(s).
  • Gate result: ✅ Passing; No configured blocker found.
Nits — 2 non-blocking
  • Repository config was not parsed
  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 81 PR(s), 261 issue(s).
  • Related work: Titles/paths share 6 meaningful terms. (PR #1392)
  • Related work: Titles/paths share 6 meaningful terms. (PR #1558)
  • Related work: Titles/paths share 6 meaningful terms. (PR #1563)
  • Additional title-only matches omitted; title-only overlap does not block.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Review top overlaps.
  • Add scope summary.
  • Fix blocker.
  • Expect slower review.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.


@gittensory-orb gittensory-orb Bot added the gittensor Gittensor contributor context label Jun 27, 2026
@JSONbored JSONbored merged commit ccbf941 into main Jun 27, 2026
16 checks passed
@JSONbored JSONbored deleted the codex/fix-grafana-writable-access-to-database branch June 27, 2026 00:50

Labels: aardvark, codex, gittensor:bug (Gittensor-scored bug fix - worth 0.5x multiplier), gittensor (Gittensor contributor context), size:XS (This PR changes 0-9 lines, ignoring generated files)