Infra update: Add Dockerfiles, .env template, and Coolify config

.env.template

@@ -0,0 +1,5 @@
+# .env.template – copy to .env and fill in real values
+DB_USER=freight_user
+DB_PASSWORD=secure_password_here
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_ANON_KEY=your-anon-key-here

.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI/CD Pipeline
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install PWA Dependencies
+        run: |
+          npm install
+          npm run type-check
+          npm run lint
+
+      - name: Build PWA
+        run: npm run build
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Backend Dependencies
+        run: |
+          pip install fastapi uvicorn pydantic
+
+      - name: Test Backend
+        run: |
+          # Add your test command here, e.g., pytest
+          echo "Running backend tests..."
+
+  deploy:
+    needs: build-and-test
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to Coolify
+        run: |
+          curl -X POST "${{ secrets.COOLIFY_WEBHOOK_URL }}"

AGENTS.md

@@ -0,0 +1,52 @@
+# Collaboration Playbook (AGENTS.md)
+
+## 1. Roles & Responsibilities
+- **Frontend Lead** (`@frontend-lead`): Owns the Next.js/TanStack PWA, UI consistency, and Supabase integration.
+- **Backend Lead** (`@backend-lead`): Maintains the FastAPI service, data models, audit logging, and security hardening.
+- **DevOps / CI‑CD Engineer** (`@devops-engineer`): Manages GitHub Actions pipelines, Docker images, Coolify deployments, and monitoring.
+- **Quality Assurance** (`@qa-engineer`): Writes and reviews automated tests, conducts code reviews, and verifies security compliance.
+- **Product Owner** (`@product-owner`): Prioritises backlog items, defines acceptance criteria, and ensures alignment with freight‑forwarding use‑cases.
+
+## 2. Pull‑Request Workflow
+1. **Branch Naming** – `feature/<short‑description>` or `bugfix/<issue‑id>`.
+2. **Commit Conventions** – Use conventional commits (e.g., `feat: add soft‑delete endpoint`, `fix: correct audit timestamp`).
+3. **PR Title** – Clear, prefixed with type (`feat:`, `fix:`, `chore:`).
+4. **PR Description** – Include:
+   - What problem it solves.
+   - How it aligns with the freight‑forwarding roadmap (tracking, bidding, payments).
+   - Any required migrations or DB changes.
+   - Screenshots or API examples if UI changes.
+5. **Review Process** – At least one reviewer from a different role must approve.
+   - Frontend PR → reviewed by Backend Lead (or QA).
+   - Backend PR → reviewed by Frontend Lead (or QA).
+6. **Merging** – Squash and merge; delete the branch after merge.
+7. **Post‑merge** – CI runs automatically; if successful, the DevOps Engineer triggers the Coolify deployment via the webhook.
+
+## 3. Backlog & Issue Tagging
+- **Labels** (GitHub):
+  - `enhancement` – new feature (e.g., in‑app bidding).
+  - `bug` – defect or security issue.
+  - `tech‑debt` – refactoring, performance, or security improvements.
+  - `api‑change` – breaking change to the FastAPI contract.
+  - `frontend` – UI/PWA related work.
+  - `backend` – backend service changes.
+- **Milestones** – Align with release cycles (e.g., `v1.0‑beta`, `v1.0‑release`).
+- **Sprint Planning** – Use the `kanban-worker` skill to break down high‑level epics into actionable tickets.
+
+## 4. Commit & Release Cadence
+- **Daily** – Small, incremental commits; push to `main` after CI passes.
+- **Weekly** – Dedicated “integration” day to test end‑to‑end flows (API ↔ PWA ↔ Supabase).
+- **Release** – Tag a new version (`vX.Y.Z`) after a successful deployment to Coolify and verification of critical paths (auth, soft‑delete, audit log).
+
+## 5. Security & Compliance
+- All API endpoints must validate input and return proper HTTP status codes.
+- Sensitive data (DB passwords, Supabase keys) are stored in GitHub Secrets and injected at runtime.
+- Audit logs are immutable; they are shipped to a separate log store (e.g., CloudWatch) via a background worker.
+- Run `npm audit` and `pip audit` in CI; fail the job on high‑severity findings.
+
+## 6. Communication Channels
+- **Slack/Discord** – `#freight‑dev` for quick questions; `#announcements` for release notes.
+- **GitHub Discussions** – For design proposals and long‑term roadmap discussions.
+- **Weekly Sync** – 30‑minute video call to review progress, blockers, and upcoming priorities.
+
+*Document last updated: 2026‑06‑10* 

Dockerfile.api

@@ -0,0 +1,13 @@
+# Dockerfile.api - FastAPI Backend
+FROM python:3.11-slim
+
+WORKDIR /app
+
+# Install uvicorn for async server
+RUN pip install uvicorn fastapi pydantic
+
+COPY ./backend.py .
+
+EXPOSE 8000
+
+CMD ["uvicorn", "backend:app", "--host", "0.0.0.0", "--port", "8000"]

Dockerfile.pwa

@@ -0,0 +1,25 @@
+# Dockerfile.pwa - Next.js PWA
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+FROM node:20-alpine AS runtime
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --omit=dev
+
+COPY --from=builder /app/.next ./.next
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/node_modules ./node_modules
+
+EXPOSE 3000
+
+ENV NODE_ENV=production
+CMD ["npm", "run", "start"]

coolify.yml

@@ -0,0 +1,49 @@
+version: '3.8'
+
+services:
+  postgres:
+    image: postgres:15-alpine
+    environment:
+      POSTGRES_DB: freight
+      POSTGRES_USER: ${DB_USER}
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d freight"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  fastapi:
+    build:
+      context: .
+      dockerfile: Dockerfile.api
+    environment:
+      DATABASE_URL: postgresql://${DB_USER}:${DB_PASSWORD}@postgres:5432/freight
+      SUPABASE_URL: ${SUPABASE_URL}
+      SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY}
+    ports:
+      - "8000:8000"
+    depends_on:
+      postgres:
+        condition: service_healthy
+    deploy:
+      replicas: 2
+
+  pwa:
+    build:
+      context: .
+      dockerfile: Dockerfile.pwa
+    environment:
+      NEXT_PUBLIC_SUPABASE_URL: ${SUPABASE_URL}
+      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${SUPABASE_ANON_KEY}
+    ports:
+      - "3000:3000"
+    deploy:
+      replicas: 2
+
+volumes:
+  postgres_data: