Fix Azure SQL integration: connection caching, lazy import, safe error handling, and Dockerfile hardening

[Copilot]

Review feedback on the initial Azure SQL integration surfaced several reliability, security, and correctness issues. This PR addresses all of them.

main.py

• Lazy pyodbc import — moved out of module scope into _get_sql_connection() with ImportError handling; API now starts cleanly without pyodbc present
• Connection caching — mirrors the existing _blob_container_client pattern: None = untried, False = permanently disabled, object = live connection; includes a driver-level liveness check (getinfo(2)) with automatic reconnect on stale connections
• Sanitized error logging — logs only type(e).__name__ instead of the full exception string, preventing server hostnames, usernames, or connection string fragments from leaking into logs
• Transaction/cursor safety — cursor initialized to None before try; finally block guarantees closure; rollback() called on failure; cached connection set to None (retryable) rather than False on transient execute errors

# Before: new connection every call, raw exception logged, no cursor cleanup guarantee
def _get_sql_connection():
    try:
        return pyodbc.connect(SQL_CONNECTION_STRING, timeout=10)
    except Exception as e:
        print(f"Azure SQL connection failed: {e}")  # leaks conn string details
        return None

# After: cached, lazy-imported, sanitized
_sql_connection: Any = None  # None | False | connection

def _get_sql_connection():
    global _sql_connection
    if _sql_connection is False:
        return None
    if _sql_connection is not None:
        try:
            _sql_connection.getinfo(2)
            return _sql_connection
        except Exception:
            _sql_connection = None
    try:
        import pyodbc
    except ImportError:
        print("pyodbc is not installed; Azure SQL saving disabled.")
        _sql_connection = False
        return None
    try:
        _sql_connection = pyodbc.connect(SQL_CONNECTION_STRING, timeout=10)
        return _sql_connection
    except Exception as e:
        print(f"Azure SQL connection failed ({type(e).__name__}); SQL saving disabled.")
        _sql_connection = False
        return None

Dockerfile

• Replaced deprecated apt-key add with modern /etc/apt/keyrings/microsoft.gpg + signed-by= in source list
• Added --no-install-recommends to both apt-get install calls
• Clean apt cache (rm -rf /var/lib/apt/lists/*) after installs
• Added ca-certificates (required for keyring-based key import)
• Updated layer comment to reflect actual purpose

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.