feat(deploy): containerize api + web for single-host docker-compose

- apps/api/Dockerfile: multi-stage build, runs prisma migrate deploy on
  boot. Workspace package.json "main/exports" rewritten to dist so Node
  ESM resolves compiled JS at runtime.
- apps/web/Dockerfile + nginx.conf: static build served by nginx with
  SPA fallback, gzip, cache-bust on hashed assets, and /api reverse
  proxy to the internal api service.
- docker-compose.yml: production-oriented stack — api (SQLite on a
  named volume), web (exposes WEB_PORT), redis (for the upcoming
  worker). Postgres dropped since schema still targets SQLite.
- .dockerignore: keep build context lean.
- ci: add docker job gated on push-to-main that builds and pushes both
  images to ${{ vars.REGISTRY_URL }} using ${{ secrets.REGISTRY_TOKEN }}.
  Tags :latest + :${github.sha}.

.dockerignore

@@ -0,0 +1,28 @@
+**/node_modules
+**/dist
+**/.turbo
+**/coverage
+**/tsconfig.tsbuildinfo
+
+# env + local files
+**/.env
+**/.env.*.local
+**/*.local
+
+# VCS + tooling
+.git
+.gitea
+.github
+.claude
+.vscode
+.idea
+
+# playwright artifacts
+apps/e2e/test-results
+apps/e2e/playwright-report
+
+# logs + local databases
+**/*.log
+**/dev.db
+**/dev.db-journal
+

.gitea/workflows/ci.yaml

@@ -90,3 +90,42 @@ jobs:
           name: playwright-report
           path: apps/e2e/playwright-report
           retention-days: 7
+
+  docker:
+    name: Build & push images
+    runs-on: ubuntu-latest
+    needs: check
+    # Only push from main, and only on direct pushes (not PRs from forks).
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to ${{ vars.REGISTRY_URL }}
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${{ vars.REGISTRY_URL }}" --username "${{ github.actor }}" --password-stdin
+
+      - name: Build & push API image
+        run: |
+          IMAGE="${{ vars.REGISTRY_URL }}/vector-api"
+          docker build \
+            -f apps/api/Dockerfile \
+            -t "$IMAGE:${{ github.sha }}" \
+            -t "$IMAGE:latest" \
+            .
+          docker push "$IMAGE:${{ github.sha }}"
+          docker push "$IMAGE:latest"
+
+      - name: Build & push Web image
+        run: |
+          IMAGE="${{ vars.REGISTRY_URL }}/vector-web"
+          docker build \
+            -f apps/web/Dockerfile \
+            -t "$IMAGE:${{ github.sha }}" \
+            -t "$IMAGE:latest" \
+            .
+          docker push "$IMAGE:${{ github.sha }}"
+          docker push "$IMAGE:latest"
+
+      - name: Log out
+        if: always()
+        run: docker logout "${{ vars.REGISTRY_URL }}"

apps/api/Dockerfile

@@ -0,0 +1,50 @@
+# syntax=docker/dockerfile:1.7
+
+# ---------- build ----------
+FROM node:22-alpine AS build
+RUN apk add --no-cache openssl
+RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
+WORKDIR /repo
+
+# Manifests first for cache-friendly installs.
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
+COPY apps/api/package.json        ./apps/api/
+COPY apps/web/package.json        ./apps/web/
+COPY apps/e2e/package.json        ./apps/e2e/
+COPY packages/db/package.json     ./packages/db/
+COPY packages/shared/package.json ./packages/shared/
+COPY packages/ui/package.json     ./packages/ui/
+COPY packages/config/package.json ./packages/config/
+RUN pnpm install --frozen-lockfile
+
+COPY . .
+
+RUN pnpm -C packages/shared build \
+ && pnpm -C packages/db     build \
+ && pnpm -C packages/db     exec prisma generate \
+ && pnpm -C apps/api        build
+
+# Point workspace package.json "main/exports" at compiled JS so Node
+# (ESM) resolves dist/ at runtime instead of the original .ts sources.
+RUN for p in packages/db packages/shared; do \
+      node -e "const fs=require('fs');const j=JSON.parse(fs.readFileSync('$p/package.json'));j.main='./dist/index.js';j.types='./dist/index.d.ts';j.exports={'.':{types:'./dist/index.d.ts',default:'./dist/index.js'}};fs.writeFileSync('$p/package.json',JSON.stringify(j,null,2));" ; \
+    done
+
+# ---------- runtime ----------
+FROM node:22-alpine
+RUN apk add --no-cache openssl wget
+RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
+WORKDIR /app
+
+COPY --from=build /repo /app
+
+ENV NODE_ENV=production
+ENV PORT=3001
+EXPOSE 3001
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD wget -qO- http://localhost:3001/healthz || exit 1
+
+WORKDIR /app/apps/api
+# Apply pending migrations before booting. Prisma reads DATABASE_URL from env.
+CMD ["sh", "-c", "pnpm -C ../../packages/db exec prisma migrate deploy && node dist/index.js"]

apps/web/Dockerfile

@@ -0,0 +1,31 @@
+# syntax=docker/dockerfile:1.7
+
+# ---------- build ----------
+FROM node:22-alpine AS build
+RUN corepack enable && corepack prepare pnpm@10.33.0 --activate
+WORKDIR /repo
+
+COPY pnpm-workspace.yaml pnpm-lock.yaml package.json ./
+COPY apps/api/package.json        ./apps/api/
+COPY apps/web/package.json        ./apps/web/
+COPY apps/e2e/package.json        ./apps/e2e/
+COPY packages/db/package.json     ./packages/db/
+COPY packages/shared/package.json ./packages/shared/
+COPY packages/ui/package.json     ./packages/ui/
+COPY packages/config/package.json ./packages/config/
+RUN pnpm install --frozen-lockfile
+
+COPY . .
+
+RUN pnpm -C packages/shared build \
+ && pnpm -C apps/web build
+
+# ---------- runtime ----------
+FROM nginx:alpine
+RUN apk add --no-cache wget
+COPY apps/web/nginx.conf /etc/nginx/conf.d/default.conf
+COPY --from=build /repo/apps/web/dist /usr/share/nginx/html
+
+EXPOSE 80
+HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
+  CMD wget -qO- http://localhost/ || exit 1

apps/web/nginx.conf

@@ -0,0 +1,37 @@
+server {
+  listen 80;
+  server_name _;
+
+  root /usr/share/nginx/html;
+  index index.html;
+
+  gzip on;
+  gzip_types text/plain text/css text/javascript application/javascript application/json application/xml image/svg+xml;
+  gzip_min_length 256;
+  gzip_vary on;
+
+  # Reverse-proxy API calls to the internal api service on the compose network.
+  location /api/ {
+    proxy_pass http://api:3001/api/;
+    proxy_http_version 1.1;
+    proxy_set_header Host              $host;
+    proxy_set_header X-Real-IP         $remote_addr;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_buffering off;
+    client_max_body_size 10m;
+  }
+
+  # Hashed assets — cache aggressively, never revalidate.
+  location ~* \.(?:js|css|woff2?|svg|png|jpg|jpeg|gif|ico|webp)$ {
+    expires 1y;
+    add_header Cache-Control "public, immutable";
+    try_files $uri =404;
+  }
+
+  # SPA fallback — always serve fresh index.html.
+  location / {
+    try_files $uri $uri/ /index.html;
+    add_header Cache-Control "no-cache";
+  }
+}

docker-compose.yml

@@ -1,28 +1,66 @@
-services:
-  postgres:
-    image: postgres:16-alpine
-    container_name: vector-postgres
+# Vector — single-instance production deployment.
+#
+# Quick start:
+#   1. Create a .env file next to this compose file containing at minimum:
+#        JWT_SECRET=<64+ char random hex>
+#        CLIENT_ORIGIN=http://your-host:8080
+#        WEB_PORT=8080
+#      For registry-pushed images (optional):
+#        REGISTRY_URL=registry.example.com/josh
+#        TAG=latest
+#
+#   2. Bring up the stack:
+#        docker compose up -d --build
+#      or pull pre-built images from the registry:
+#        docker compose pull && docker compose up -d
+#
+# Data lives in the `vector-data` volume (SQLite db). Redis is included
+# in anticipation of the BullMQ worker follow-up; the API does not yet
+# depend on it.
+
+x-restart: &restart
   restart: unless-stopped
+
+services:
+  api:
+    <<: *restart
+    image: ${REGISTRY_URL:-vector}/vector-api:${TAG:-latest}
+    build:
+      context: .
+      dockerfile: apps/api/Dockerfile
     environment:
-      POSTGRES_USER: vector
-      POSTGRES_PASSWORD: vector
-      POSTGRES_DB: vector
-    ports:
-      - "5432:5432"
+      NODE_ENV: production
+      PORT: 3001
+      DATABASE_URL: file:/data/vector.db
+      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required — see .env.example}
+      CLIENT_ORIGIN: ${CLIENT_ORIGIN:-http://localhost:8080}
     volumes:
-      - vector-pgdata:/var/lib/postgresql/data
+      - vector-data:/data
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U vector -d vector"]
-      interval: 5s
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3001/healthz || exit 1"]
+      interval: 30s
       timeout: 5s
-      retries: 10
+      retries: 3
+      start_period: 20s
+    depends_on:
+      redis:
+        condition: service_healthy
+
+  web:
+    <<: *restart
+    image: ${REGISTRY_URL:-vector}/vector-web:${TAG:-latest}
+    build:
+      context: .
+      dockerfile: apps/web/Dockerfile
+    ports:
+      - "${WEB_PORT:-8080}:80"
+    depends_on:
+      api:
+        condition: service_healthy
 
   redis:
+    <<: *restart
     image: redis:7-alpine
-    container_name: vector-redis
-    restart: unless-stopped
-    ports:
-      - "6379:6379"
     volumes:
       - vector-redisdata:/data
     healthcheck:
@@ -32,5 +70,5 @@ services:
       retries: 10
 
 volumes:
-  vector-pgdata:
+  vector-data:
   vector-redisdata: