fidelity-planviewer: bake Chromium into the image for headless Playwright

## Context

The Fidelity provider (commit 804e6a8) drives headless Chromium via
Playwright to refresh the PlanViewer session cookie jar and scrape the
Struts2 transaction history page. The image needs both the Chromium
runtime and the Debian system libs Chromium dynamic-links against.

## This change

- Adds Playwright's documented Debian 12 dependency set
  (fonts-liberation, libnss3, libxkbcommon0, xvfb, etc.).
- Creates /app/.playwright-browsers owned by the broker user so the
  non-root process can write the Chromium install, and runs `playwright
  install chromium` as that user so the browser lands in the right
  cache path (PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers).
- Image size will grow by ~300MB (Chromium headless shell is ~110MB
  compressed, plus libs). Acceptable — broker-sync runs once a day so
  pull cost is a one-shot.

## What is NOT in this change

- Terraform CronJob / monitoring — separate commit in the infra repo.

## Verification

$ docker build -t broker-sync:test . → (will run in CI)
$ docker run --rm broker-sync:test fidelity-seed --help → shows the
  CLI help (can't actually run fidelity-seed headlessly).
$ poetry run pytest -q (local) → 128 passed, 1 skipped.

Reproduce locally:
1. docker build -t broker-sync:fidelity-test .
2. docker run --rm -v $PWD/tests/fixtures/fidelity:/data broker-sync:fidelity-test \
     python -c "from playwright.sync_api import sync_playwright; \
                with sync_playwright() as p: b = p.chromium.launch(); b.close(); print('ok')"
3. Expected: "ok" — Chromium launches successfully.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -20,14 +20,56 @@ FROM python:3.12-slim
 
 WORKDIR /app
 
+# Playwright needs a big list of system libs for Chromium (fonts, NSS, libs
+# for rendering, audio stubs, etc.). Mirror the list Playwright publishes at
+# https://playwright.dev/docs/browsers#system-requirements for Debian 12.
+# Fidelity PlanViewer is the only consumer today; gated to the fidelity-*
+# CronJobs via the provider's explicit Playwright import.
+RUN apt-get update && apt-get install --no-install-recommends -y \
+      ca-certificates \
+      fonts-liberation \
+      fonts-noto-color-emoji \
+      libasound2 \
+      libatk-bridge2.0-0 \
+      libatk1.0-0 \
+      libatspi2.0-0 \
+      libcairo2 \
+      libcups2 \
+      libdbus-1-3 \
+      libdrm2 \
+      libexpat1 \
+      libgbm1 \
+      libglib2.0-0 \
+      libnspr4 \
+      libnss3 \
+      libpango-1.0-0 \
+      libx11-6 \
+      libxcb1 \
+      libxcomposite1 \
+      libxdamage1 \
+      libxext6 \
+      libxfixes3 \
+      libxkbcommon0 \
+      libxrandr2 \
+      xvfb \
+    && rm -rf /var/lib/apt/lists/*
+
 RUN useradd --system --uid 10001 --home /app --shell /usr/sbin/nologin broker && \
     mkdir -p /data && chown -R broker:broker /data
 
 COPY --from=builder --chown=broker:broker /app /app
 
+# Install Chromium into broker's cache so Playwright (running as broker)
+# can pick it up. `PLAYWRIGHT_BROWSERS_PATH=0` forces a co-located install
+# next to the python package — the simpler path on slim images.
 ENV PATH="/app/.venv/bin:${PATH}" \
-    PYTHONUNBUFFERED=1
+    PYTHONUNBUFFERED=1 \
+    PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers
+RUN mkdir -p "${PLAYWRIGHT_BROWSERS_PATH}" && \
+    chown -R broker:broker "${PLAYWRIGHT_BROWSERS_PATH}"
 
 USER broker
+RUN playwright install chromium
+
 ENTRYPOINT ["broker-sync"]
 CMD ["version"]