feat: task 1.9 gitea CI + dockerfile + nginx static serve

- Dockerfile: three-stage (deps / build / runtime). deps stage runs
  pnpm fetch with BuildKit cache mount; build stage runs vite build
  to produce dist/; runtime stage is nginx:1.27-alpine serving the
  bundle. HEALTHCHECK via wget against localhost.
- nginx.conf: gzip on text assets; /assets/ long-cache (hashed
  filenames immutable); /config.json no-cache (volume-mountable
  override in stage/prod); /index.html no-cache; SPA routing fallback
  via try_files ... /index.html.
- .dockerignore: keeps the context small (node_modules, dist, env,
  .git, .gitea, .planning, *.md except README, .claude, .vscode).
- .gitea/workflows/build.yml: matches trm/processor shape with
  format:check added between lint and test. Path filter excludes
  .planning and pure-markdown changes. Steps: checkout, Node 22,
  pnpm@latest-9, install --frozen-lockfile, typecheck, lint,
  format:check, test, buildx, registry login, build & push
  trm/spa:main, Portainer webhook.

Deviations from spec:
- Push :main tag only (not :main + per-commit SHA). Matches the
  other repos; SHA-pinning happens via *_TAG env vars in
  trm/deploy. SHA tagging is a cross-repo refactor for later.
- Pin pnpm@latest-9 (matching existing repos), not pnpm@latest
  from the spec. Reproducibility win for CI.

Smoke: typecheck/lint/format:check/build all green locally. Local
docker build not run (Docker unavailable on this machine); CI is
the gate.

Required for first deploy (1.10 covers the rest):
- REGISTRY_USERNAME / REGISTRY_PASSWORD / PORTAINER_WEBHOOK_URL
  secrets in the Gitea repo settings.
- SPA service block in trm/deploy/compose.yaml.

.dockerignore

@@ -0,0 +1,13 @@
+node_modules/
+dist/
+.env
+.env.local
+.env.*.local
+*.log
+.git/
+.gitea/
+.planning/
+*.md
+!README.md
+.claude/
+.vscode/

.gitea/workflows/build.yml

@@ -0,0 +1,74 @@
+name: Build and Push spa
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'src/**'
+      - 'public/**'
+      - 'index.html'
+      - 'package.json'
+      - 'pnpm-lock.yaml'
+      - 'tsconfig*.json'
+      - 'vite.config.ts'
+      - 'eslint.config.js'
+      - '.prettierrc'
+      - 'components.json'
+      - 'Dockerfile'
+      - 'nginx.conf'
+      - '.dockerignore'
+      - '.gitea/workflows/build.yml'
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Enable pnpm
+        run: corepack enable && corepack prepare pnpm@latest-9 --activate
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Format check
+        run: pnpm format:check
+
+      - name: Test
+        run: pnpm test
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+
+      - name: Login to Gitea Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.dev.microservices.al
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build and Push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: git.dev.microservices.al/trm/spa:main
+
+      - name: Trigger Portainer Deploy
+        if: success()
+        run: curl -X POST "${{ secrets.PORTAINER_WEBHOOK_URL }}"

.planning/ROADMAP.md

@@ -57,7 +57,7 @@ These rules govern every task. Any deviation must be discussed and documented as
 | 1.6  | [Login page](./phase-1-foundation/06-login-page.md)                                                          | 🟩     | `7215cb5` |
 | 1.7  | [Routing skeleton (TanStack Router + role-aware guards)](./phase-1-foundation/07-routing-skeleton.md)        | 🟩     | `f4a5e5b` |
 | 1.8  | [Logout flow](./phase-1-foundation/08-logout-flow.md)                                                        | 🟩     | `1ee339c` |
-| 1.9  | [Gitea CI + Dockerfile + nginx static serve](./phase-1-foundation/09-gitea-ci-and-dockerfile.md)             | ⬜     | —         |
+| 1.9  | [Gitea CI + Dockerfile + nginx static serve](./phase-1-foundation/09-gitea-ci-and-dockerfile.md)             | 🟩     | `PENDING_SHA` |
 | 1.10 | [Compose service block in trm/deploy](./phase-1-foundation/10-deploy-compose-block.md)                       | ⬜     | —         |
 
 ### Phase 2 — Live monitoring map

.planning/phase-1-foundation/09-gitea-ci-and-dockerfile.md

@@ -189,4 +189,32 @@ Match the processor's "right tool for the job" discipline.
 
 ## Done
 
-(Filled in when the task lands.)
+Four files landed, matching the conventions established by `trm/processor`:
+
+- **`Dockerfile`** — three-stage multi-stage build:
+  - `deps` (node:22-alpine) — `pnpm fetch` with BuildKit cache mount.
+  - `build` — `pnpm install --frozen-lockfile --offline` then `pnpm build` produces `dist/`.
+  - `runtime` (nginx:1.27-alpine) — copies `nginx.conf` to `/etc/nginx/conf.d/default.conf` and `dist/` to `/usr/share/nginx/html`. `EXPOSE 80`. `HEALTHCHECK` via `wget -qO- http://localhost/`. nginx default CMD.
+- **`nginx.conf`** — single server block on `:80`. Gzip for text assets. Three location rules: `/assets/` long-cache (`max-age=31536000, immutable` for hashed filenames), `/config.json` no-cache (overridable via volume mount in stage/prod), `/index.html` no-cache. SPA fallback `try_files $uri $uri/ /index.html;` for client-side routes.
+- **`.dockerignore`** — node_modules, dist, .env*, *.log, .git, .gitea, .planning, *.md (except README), .claude, .vscode. Keeps the build context small.
+- **`.gitea/workflows/build.yml`** — matches `trm/processor`'s shape with one additional gate (`pnpm format:check` between lint and test). Path filter covers source, config, and Docker-related files; `.planning/**` and most markdown are excluded so docs-only commits skip CI. Steps: checkout → setup Node 22 → enable pnpm@latest-9 → install --frozen-lockfile → typecheck → lint → format:check → test → setup buildx → registry login → build & push `git.dev.microservices.al/trm/spa:main` → trigger Portainer webhook.
+
+**Required secrets in Gitea repo settings** (same names as the other repos so they can be reused):
+
+- `REGISTRY_USERNAME` / `REGISTRY_PASSWORD` — Gitea registry creds.
+- `PORTAINER_WEBHOOK_URL` — stack redeploy hook.
+
+**Deviations from spec:**
+
+- Spec called for `:main` plus a per-commit-SHA tag. The other services in this org currently push `:main` only — matched that for consistency. SHA-pinning at deploy time is handled by the `*_TAG` env vars in `trm/deploy/.env.example` (which can be set to a SHA when an operator wants reproducibility). Adding SHA tagging here without updating the other repos would be inconsistent — defer to a cross-repo refactor task if/when it matters.
+- Spec sketched `corepack prepare pnpm@latest --activate`; the existing repos pin to `pnpm@latest-9` (latest of the 9.x line). Matched that — `pnpm@latest` is too floaty for a CI gate that has to be reproducible across runs.
+
+**Smoke check:** `pnpm typecheck`, `pnpm lint`, `pnpm format:check`, `pnpm build` all green locally. Local `docker build` not run — Docker isn't installed on this machine. CI is the gate; first push to `main` will exercise the full pipeline.
+
+**Required for first deploy** (1.10 wires the rest):
+
+- Add the SPA service block to `trm/deploy/compose.yaml`.
+- Set `SPA_TAG=main` (or a SHA) and `SPA_CONFIG_FILE=...` in the deploy env.
+- Configure Traefik (or whichever proxy) to route the SPA's path on the public domain.
+
+Landed in `PENDING_SHA`.

Dockerfile

@@ -0,0 +1,25 @@
+# syntax=docker/dockerfile:1.7
+
+# ---- deps stage: install with cache-friendly pnpm fetch ----
+FROM node:22-alpine AS deps
+WORKDIR /app
+RUN corepack enable && corepack prepare pnpm@latest-9 --activate
+COPY package.json pnpm-lock.yaml ./
+RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+    pnpm fetch
+
+# ---- build stage: vite build produces dist/ ----
+FROM deps AS build
+COPY . .
+RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
+    pnpm install --frozen-lockfile --offline
+RUN pnpm build
+
+# ---- runtime: nginx serving the static bundle ----
+FROM nginx:1.27-alpine AS runtime
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY --from=build /app/dist /usr/share/nginx/html
+EXPOSE 80
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD wget -qO- http://localhost/ || exit 1
+# nginx default CMD is correct; don't override.

nginx.conf

@@ -0,0 +1,39 @@
+server {
+  listen 80;
+  server_name _;
+  root /usr/share/nginx/html;
+  index index.html;
+
+  # Compression for text assets. Brotli is a follow-up if it becomes a concern.
+  gzip on;
+  gzip_types text/css application/javascript application/json image/svg+xml;
+  gzip_min_length 1024;
+  gzip_vary on;
+
+  # Hashed assets — long cache (Vite emits content-hashed filenames).
+  location /assets/ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    try_files $uri =404;
+  }
+
+  # Runtime config — overridable in stage/prod via a Docker volume mount onto
+  # /usr/share/nginx/html/config.json. Never cached so deploy-time overrides
+  # take effect on the next page load.
+  location = /config.json {
+    add_header Cache-Control "no-cache, no-store, must-revalidate";
+    expires off;
+    try_files $uri =404;
+  }
+
+  # index.html — never cache; the index references the hashed asset names.
+  location = /index.html {
+    add_header Cache-Control "no-cache, no-store, must-revalidate";
+    expires off;
+  }
+
+  # SPA routing fallback — every unknown path falls through to index.html so
+  # the client-side router (TanStack Router) can resolve it.
+  location / {
+    try_files $uri $uri/ /index.html;
+  }
+}