Task 1.1 — Project scaffold

Phase 1 task 1.1 lands. Directus 11.17.4 boots locally end-to-end
against a TimescaleDB+PostGIS container; admin UI serves at :8055,
admin bootstrap from env vars works, named volumes preserve data
across down/up cycles.

Scaffold:
- Dockerfile — FROM directus/directus:11.17.4. Pre-installs
  postgresql16-client (ahead of task 1.2's db-init runner needing psql).
  Bakes in /directus/snapshots, /directus/db-init, /directus/scripts,
  /directus/extensions, /directus/entrypoint.sh.
- compose.dev.yaml — db (timescale/timescaledb-ha:pg16.6-ts2.17.2-all)
  + directus (local build), healthchecks, named volumes
  directus-pg-data + directus-uploads.
- entrypoint.sh — placeholder using upstream's actual flow
  (node cli.js bootstrap && pm2-runtime start ecosystem.config.cjs);
  the real db-init -> schema apply -> start wrapper lands in task 1.7.
- package.json — scripts-only (dev, dev:down, dev:reset,
  schema:snapshot, schema:apply, db:init), no runtime deps.
- .env.example — sectioned, fully documented, KEY/SECRET marked
  required with generation hints.
- .gitignore, .dockerignore — match the processor service conventions.
- snapshots/, db-init/, scripts/, extensions/ — empty with .gitkeep,
  filled by later Phase 1 tasks (1.3, 1.6) and Phase 5.

Lessons locked in (against the empirical pnpm dev boot):
- timescale/timescaledb-ha:pg16-latest does NOT exist on Docker Hub.
  Pin a concrete version (we used pg16.6-ts2.17.2-all).
- This image's data directory is /home/postgres/pgdata/data, not
  /pgdata or /var/lib/postgresql/data. PGDATA env var and the volume
  mount must both target it.
- The -all variant bundles PostGIS binaries but the extension is not
  auto-created on the directus database; CREATE EXTENSION lands in
  Phase 2 alongside the geofences/SLZs/waypoints collections.
- The upstream image's CMD is bootstrap + pm2-runtime, not a simple
  cli.js start. Bypassing pm2 would lose crash recovery.

These corrections folded into 01-project-scaffold.md (deliverable line
+ Done section), 08-gitea-ci-dryrun.md (CI service tag), and the
inline comments in compose.dev.yaml so future implementers don't
re-discover them.

Status: ROADMAP marks 1.1 done, Phase 1 in progress, 1.2 next.

.env.example

@@ -0,0 +1,98 @@
+# Environment variables for the TRM directus service.
+# Copy to .env and fill in values for local development.
+#   cp .env.example .env
+#
+# Required vars: DB_*, KEY, SECRET, ADMIN_EMAIL, ADMIN_PASSWORD, PUBLIC_URL.
+# .env is gitignored — never commit real credentials.
+
+# ---------------------------------------------------------------------------
+# Database connection — Postgres 16 + TimescaleDB + PostGIS
+# ---------------------------------------------------------------------------
+
+# Directus DB driver.  Always "pg" for this service.
+DB_CLIENT=pg
+
+# Hostname of the Postgres container (matches the compose service name when
+# running via compose.dev.yaml; change to your host/IP for external Postgres).
+DB_HOST=db
+
+# Postgres port.
+DB_PORT=5432
+
+# Database name.
+DB_DATABASE=directus
+
+# Postgres user.
+DB_USER=directus
+
+# Postgres password.
+DB_PASSWORD=directus
+
+# ---------------------------------------------------------------------------
+# Instance security — REQUIRED; generate fresh values for each environment.
+#
+#   KEY:    uuidgen (or openssl rand -hex 32)
+#   SECRET: openssl rand -hex 64
+#
+# IMPORTANT: two instances sharing the same KEY/SECRET will produce
+# colliding JWT tokens.  Use distinct values per environment.
+# ---------------------------------------------------------------------------
+
+KEY=replace-with-a-random-uuid
+SECRET=replace-with-a-long-random-string
+
+# ---------------------------------------------------------------------------
+# Admin bootstrap
+#
+# Applied on first boot when the users table is empty.  If the instance has
+# already been initialised these values are ignored — change the password via
+# the admin UI or Directus CLI instead.
+# ---------------------------------------------------------------------------
+
+ADMIN_EMAIL=admin@example.com
+ADMIN_PASSWORD=change-me-on-first-boot
+
+# ---------------------------------------------------------------------------
+# Public URL
+#
+# Used in password-reset emails, OAuth redirect URIs, and the Directus admin
+# UI's "share" links.  Set to the externally reachable URL in staging/prod.
+# ---------------------------------------------------------------------------
+
+PUBLIC_URL=http://localhost:8055
+
+# ---------------------------------------------------------------------------
+# Logging
+# ---------------------------------------------------------------------------
+
+# Log level: fatal | error | warn | info | debug | trace
+LOG_LEVEL=info
+
+# Log format: pretty (human-readable) | json (structured, for log aggregators)
+LOG_STYLE=pretty
+
+# ---------------------------------------------------------------------------
+# Cache (optional — disabled by default for local dev)
+# ---------------------------------------------------------------------------
+
+# Set to true to enable Directus's built-in response cache.
+# Requires a cache store (Redis or memory) when enabled.
+CACHE_ENABLED=false
+
+# ---------------------------------------------------------------------------
+# CORS (optional — disabled by default)
+# ---------------------------------------------------------------------------
+
+# Set to true to enable CORS headers.
+CORS_ENABLED=false
+
+# Allowed origin(s).  Accepts a URL string, comma-separated list, or "true"
+# to reflect any origin (development only — never use "true" in production).
+# CORS_ORIGIN=http://localhost:3000
+
+# ---------------------------------------------------------------------------
+# WebSockets (enabled by default — required for the SPA live channel)
+# ---------------------------------------------------------------------------
+
+# Set to false only when the SPA is not connected (e.g. API-only deployments).
+WEBSOCKETS_ENABLED=true