diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..ee39b94
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,13 @@
+node_modules/
+dist/
+.env
+.env.local
+.env.*.local
+*.log
+.git/
+.gitea/
+.planning/
+*.md
+!README.md
+.claude/
+.vscode/
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
new file mode 100644
index 0000000..f3df641
--- /dev/null
+++ b/.gitea/workflows/build.yml
@@ -0,0 +1,74 @@
+name: Build and Push spa
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'src/**'
+      - 'public/**'
+      - 'index.html'
+      - 'package.json'
+      - 'pnpm-lock.yaml'
+      - 'tsconfig*.json'
+      - 'vite.config.ts'
+      - 'eslint.config.js'
+      - '.prettierrc'
+      - 'components.json'
+      - 'Dockerfile'
+      - 'nginx.conf'
+      - '.dockerignore'
+      - '.gitea/workflows/build.yml'
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Enable pnpm
+        run: corepack enable && corepack prepare pnpm@latest-9 --activate
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Format check
+        run: pnpm format:check
+
+      - name: Test
+        run: pnpm test
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+
+      - name: Login to Gitea Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.dev.microservices.al
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build and Push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: git.dev.microservices.al/trm/spa:main
+
+      - name: Trigger Portainer Deploy
+        if: success()
+        run: curl -X POST "${{ secrets.PORTAINER_WEBHOOK_URL }}"
diff --git a/.planning/ROADMAP.md b/.planning/ROADMAP.md
index 5a98438..35c42da 100644
--- a/.planning/ROADMAP.md
+++ b/.planning/ROADMAP.md
@@ -57,7 +57,7 @@ These rules govern every task. Any deviation must be discussed and documented as
 | 1.6  | [Login page](./phase-1-foundation/06-login-page.md)                                                          | 🟩     | `7215cb5` |
 | 1.7  | [Routing skeleton (TanStack Router + role-aware guards)](./phase-1-foundation/07-routing-skeleton.md)        | 🟩     | `f4a5e5b` |
 | 1.8  | [Logout flow](./phase-1-foundation/08-logout-flow.md)                                                        | 🟩     | `1ee339c` |
-| 1.9  | [Gitea CI + Dockerfile + nginx static serve](./phase-1-foundation/09-gitea-ci-and-dockerfile.md)             | ⬜     | —         |
+| 1.9  | [Gitea CI + Dockerfile + nginx static serve](./phase-1-foundation/09-gitea-ci-and-dockerfile.md)             | 🟩     | `PENDING_SHA` |
 | 1.10 | [Compose service block in trm/deploy](./phase-1-foundation/10-deploy-compose-block.md)                       | ⬜     | —         |
 
 ### Phase 2 — Live monitoring map
diff --git a/.planning/phase-1-foundation/09-gitea-ci-and-dockerfile.md b/.planning/phase-1-foundation/09-gitea-ci-and-dockerfile.md
index d135c06..9daeb45 100644
--- a/.planning/phase-1-foundation/09-gitea-ci-and-dockerfile.md
+++ b/.planning/phase-1-foundation/09-gitea-ci-and-dockerfile.md
@@ -189,4 +189,32 @@ Match the processor's "right tool for the job" discipline.
 
 ## Done
 
-(Filled in when the task lands.)
+Four files landed, matching the conventions established by `trm/processor`:
+
+- **`Dockerfile`** — three-stage multi-stage build:
+  - `deps` (node:22-alpine) — `pnpm fetch` with BuildKit cache mount.
+  - `build` — `pnpm install --frozen-lockfile --offline` then `pnpm build` produces `dist/`.
+  - `runtime` (nginx:1.27-alpine) — copies `nginx.conf` to `/etc/nginx/conf.d/default.conf` and `dist/` to `/usr/share/nginx/html`. `EXPOSE 80`. `HEALTHCHECK` via `wget -qO- http://localhost/`. nginx default CMD.
+- **`nginx.conf`** — single server block on `:80`. Gzip for text assets. Three location rules: `/assets/` long-cache (`max-age=31536000, immutable` for hashed filenames), `/config.json` no-cache (overridable via volume mount in stage/prod), `/index.html` no-cache. SPA fallback `try_files $uri $uri/ /index.html;` for client-side routes.
+- **`.dockerignore`** — node_modules, dist, .env*, *.log, .git, .gitea, .planning, *.md (except README), .claude, .vscode. Keeps the build context small.
+- **`.gitea/workflows/build.yml`** — matches `trm/processor`'s shape with one additional gate (`pnpm format:check` between lint and test). Path filter covers source, config, and Docker-related files; `.planning/**` and most markdown are excluded so docs-only commits skip CI. Steps: checkout → setup Node 22 → enable pnpm@latest-9 → install --frozen-lockfile → typecheck → lint → format:check → test → setup buildx → registry login → build & push `git.dev.microservices.al/trm/spa:main` → trigger Portainer webhook.
+
+**Required secrets in Gitea repo settings** (same names as the other repos so they can be reused):
+
+- `REGISTRY_USERNAME` / `REGISTRY_PASSWORD` — Gitea registry creds.
+- `PORTAINER_WEBHOOK_URL` — stack redeploy hook.
+
+**Deviations from spec:**
+
+- Spec called for `:main` plus a per-commit-SHA tag. The other services in this org currently push `:main` only — matched that for consistency. SHA-pinning at deploy time is handled by the `*_TAG` env vars in `trm/deploy/.env.example` (which can be set to a SHA when an operator wants reproducibility). Adding SHA tagging here without updating the other repos would be inconsistent — defer to a cross-repo refactor task if/when it matters.
+- Spec sketched `corepack prepare pnpm@latest --activate`; the existing repos pin to `pnpm@latest-9` (latest of the 9.x line). Matched that — `pnpm@latest` is too floaty for a CI gate that has to be reproducible across runs.
+
+**Smoke check:** `pnpm typecheck`, `pnpm lint`, `pnpm format:check`, `pnpm build` all green locally. Local `docker build` not run — Docker isn't installed on this machine. CI is the gate; first push to `main` will exercise the full pipeline.
+
+**Required for first deploy** (1.10 wires the rest):
+
+- Add the SPA service block to `trm/deploy/compose.yaml`.
+- Set `SPA_TAG=main` (or a SHA) and `SPA_CONFIG_FILE=...` in the deploy env.
+- Configure Traefik (or whichever proxy) to route the SPA's path on the public domain.
+
+Landed in `PENDING_SHA`.
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d0a23c4
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,25 @@
+# syntax=docker/dockerfile:1.7
+
+# ---- deps stage: install with cache-friendly pnpm fetch ----
+FROM node:22-alpine AS deps
+WORKDIR /app
+RUN corepack enable && corepack prepare pnpm@latest-9 --activate
+COPY package.json pnpm-lock.yaml ./
+RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+    pnpm fetch
+
+# ---- build stage: vite build produces dist/ ----
+FROM deps AS build
+COPY . .
+RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+    pnpm install --frozen-lockfile --offline
+RUN pnpm build
+
+# ---- runtime: nginx serving the static bundle ----
+FROM nginx:1.27-alpine AS runtime
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY --from=build /app/dist /usr/share/nginx/html
+EXPOSE 80
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD wget -qO- http://localhost/ || exit 1
+# nginx default CMD is correct; don't override.
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..6c45a61
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,39 @@
+server {
+  listen 80;
+  server_name _;
+  root /usr/share/nginx/html;
+  index index.html;
+
+  # Compression for text assets. Brotli is a follow-up if it becomes a concern.
+  gzip on;
+  gzip_types text/css application/javascript application/json image/svg+xml;
+  gzip_min_length 1024;
+  gzip_vary on;
+
+  # Hashed assets — long cache (Vite emits content-hashed filenames).
+  location /assets/ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    try_files $uri =404;
+  }
+
+  # Runtime config — overridable in stage/prod via a Docker volume mount onto
+  # /usr/share/nginx/html/config.json. Never cached so deploy-time overrides
+  # take effect on the next page load.
+  location = /config.json {
+    add_header Cache-Control "no-cache, no-store, must-revalidate";
+    expires off;
+    try_files $uri =404;
+  }
+
+  # index.html — never cache; the index references the hashed asset names.
+  location = /index.html {
+    add_header Cache-Control "no-cache, no-store, must-revalidate";
+    expires off;
+  }
+
+  # SPA routing fallback — every unknown path falls through to index.html so
+  # the client-side router (TanStack Router) can resolve it.
+  location / {
+    try_files $uri $uri/ /index.html;
+  }
+}