feat(core): implement production deployment and project deep copy (phase-12)

- B-12.1: Deep project copy with ID mapping (member_tags, task_templates,
  todo_templates, data_schemas, task_template_tags, memories, tool_configs,
  permission_settings)
- B-12.2: Rate limiting (global 100/s, auth 10/min, AI 5/min), security
  headers (X-Content-Type-Options, X-Frame-Options, HSTS, CSP), CORS
  middleware from APP_CORS_ORIGINS env var
- F-12.1: Frontend PWA support (vite-plugin-pwa), vendor chunk splitting,
  service worker with API caching
- S-12.1: Multi-stage Dockerfile (Rust + Node.js builders + slim runtime),
  Dockerfile.dev, .dockerignore
- S-12.2: Production docker-compose with Caddy, deploy script, env example
- S-12.3: Database backup/restore scripts, file backup, crontab example

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Author: yoyo930021

.dockerignore

@@ -0,0 +1,48 @@
+# Build artifacts
+target/
+frontend/node_modules/
+frontend/dist/
+node_modules/
+
+# Version control
+.git/
+.gitignore
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Environment files (secrets)
+.env
+.env.*
+!.env.prod.example
+
+# Docker
+Dockerfile*
+docker-compose*.yml
+.dockerignore
+
+# Documentation
+docs/plans/
+*.md
+!README.md
+
+# CI/CD
+.github/
+
+# Backups and logs
+*.log
+backups/
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Test artifacts
+coverage/
+*.profraw
+
+# Batch config
+batch-config.json

.env.prod.example

@@ -0,0 +1,60 @@
+# ──────────────────────────────────────────────────────────────
+# Conf-Ops Production Environment Variables
+# Copy this file to .env.prod and fill in the values
+# ──────────────────────────────────────────────────────────────
+
+# ── Database ─────────────────────────────────────────────────
+DATABASE_URL=postgres://confops:CHANGE_ME@postgres:5432/confops
+DATABASE_MAX_CONNECTIONS=20
+DATABASE_MIN_CONNECTIONS=5
+
+# ── Auth ─────────────────────────────────────────────────────
+AUTH_JWT_SECRET=CHANGE_ME_TO_RANDOM_SECRET
+AUTH_JWT_ISSUER=conf-ops
+JWT_ACCESS_EXPIRY=900
+JWT_REFRESH_EXPIRY=604800
+AUTH_WEBAUTHN_RP_ID=confops.dev
+AUTH_WEBAUTHN_RP_ORIGIN=https://confops.dev
+AUTH_WEBAUTHN_RP_NAME=Conf-Ops
+
+# ── App ──────────────────────────────────────────────────────
+APP_HOST=0.0.0.0
+APP_PORT=8080
+APP_LOG_LEVEL=info,conf_ops=debug
+APP_BASE_URL=https://confops.dev
+APP_CORS_ORIGINS=https://confops.dev
+FRONTEND_URL=https://confops.dev
+
+# ── Storage ──────────────────────────────────────────────────
+STORAGE_BASE_PATH=/data/files
+STORAGE_MAX_IMAGE_SIZE=10485760
+STORAGE_MAX_DOCUMENT_SIZE=52428800
+STORAGE_MAX_FILE_SIZE=20971520
+
+# ── Email (SMTP) ────────────────────────────────────────────
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USERNAME=noreply@confops.dev
+SMTP_PASSWORD=CHANGE_ME
+SMTP_FROM=noreply@confops.dev
+EMAIL_DOMAIN=confops.dev
+EMAIL_INBOUND_API_KEY=CHANGE_ME_INBOUND_KEY
+
+# ── AI (Google Gemini) ──────────────────────────────────────
+GEMINI_API_KEY=CHANGE_ME_GEMINI_KEY
+GEMINI_MODEL=gemini-2.5-flash
+
+# ── Web Push (VAPID) ────────────────────────────────────────
+WEB_PUSH_VAPID_PRIVATE_KEY=CHANGE_ME_VAPID_PRIVATE
+WEB_PUSH_VAPID_PUBLIC_KEY=CHANGE_ME_VAPID_PUBLIC
+
+# ── CRDT WebSocket ──────────────────────────────────────────
+CRDT_WS_MAX_CONNECTIONS_PER_TASK=50
+CRDT_WS_HEARTBEAT_INTERVAL_SECS=30
+CRDT_WS_IDLE_TIMEOUT_SECS=300
+
+# ── Authorization ───────────────────────────────────────────
+AUTHZ_CACHE_TTL_SECS=300
+
+# ── Caddy Domain (used in Caddyfile) ────────────────────────
+DOMAIN=api.confops.dev

.gitignore

@@ -16,6 +16,7 @@ __pycache__/
 .env
 .env.*
 !.env.example
+!.env.prod.example
 
 # OS
 .DS_Store

Caddyfile

@@ -0,0 +1,21 @@
+# Caddyfile - Production reverse proxy configuration
+# Replace {$DOMAIN} with your actual domain or set it as an environment variable
+{$DOMAIN:api.confops.dev} {
+    # HTTP API and WebSocket proxy
+    reverse_proxy confops-app:8080 {
+        # WebSocket support (auto-detects Upgrade header)
+        flush_interval -1
+    }
+
+    # Access logging
+    log {
+        output stdout
+        format json
+    }
+
+    # Security headers (supplement to application-level headers)
+    header {
+        # Remove server identification
+        -Server
+    }
+}

Cargo.lock

@@ -6,7 +6,7 @@ resolver = "2"
 name = "conf-ops"
 version = "0.1.0"
 edition = "2021"
-rust-version = "1.75"
+rust-version = "1.82"
 
 [lints.clippy]
 all = { level = "deny", priority = -1 }
@@ -50,6 +50,7 @@ tokio-util = { version = "0.7", features = ["io"] }
 regex = "1.12.3"
 aho-corasick = "1"
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls", "stream"] }
+tower-http = { version = "0.6", features = ["cors"] }
 
 [dev-dependencies]
 http-body-util = "0.1.3"

Cargo.toml

@@ -0,0 +1,74 @@
+# ── Stage 1: Rust builder ────────────────────────────────────
+FROM rust:1.82-bookworm AS rust-builder
+
+WORKDIR /app
+
+# Copy Cargo files first for dependency caching
+COPY Cargo.toml Cargo.lock ./
+COPY xtask/ xtask/
+
+# Create dummy source to build dependencies
+RUN mkdir src && echo "fn main() {}" > src/main.rs && \
+    echo "pub fn lib() {}" > src/lib.rs
+RUN cargo build --release 2>/dev/null || true
+RUN rm -rf src
+
+# Copy actual source and build
+COPY src/ src/
+COPY migrations/ migrations/
+COPY .sqlx/ .sqlx/
+
+ENV SQLX_OFFLINE=true
+RUN touch src/main.rs src/lib.rs && cargo build --release
+
+# ── Stage 2: Node.js builder (frontend) ────────────────────
+FROM node:20-slim AS frontend-builder
+
+WORKDIR /app/frontend
+
+# Install pnpm
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+# Copy package files for dependency caching
+COPY frontend/package.json frontend/pnpm-lock.yaml ./
+
+RUN pnpm install --frozen-lockfile
+
+# Copy frontend source and build
+COPY frontend/ ./
+COPY docs/api/openapi-generated.yaml /app/docs/api/openapi-generated.yaml
+
+RUN pnpm run build-only
+
+# ── Stage 3: Runtime ────────────────────────────────────────
+FROM debian:bookworm-slim
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends ca-certificates curl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN groupadd -r confops && useradd -r -g confops confops
+
+# Copy binary
+COPY --from=rust-builder /app/target/release/conf-ops /usr/local/bin/confops
+
+# Copy migrations
+COPY --from=rust-builder /app/migrations /app/migrations
+
+# Copy frontend build output
+COPY --from=frontend-builder /app/frontend/dist /app/static
+
+# Create file storage directory
+RUN mkdir -p /data/files && chown -R confops:confops /data/files
+
+WORKDIR /app
+
+USER confops
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 --start-period=10s \
+    CMD curl -f http://localhost:8080/healthz || exit 1
+
+ENTRYPOINT ["confops"]

Dockerfile

@@ -0,0 +1,19 @@
+# Development Dockerfile with cargo-watch for hot reload
+FROM rust:1.82-bookworm
+
+WORKDIR /app
+
+# Install cargo-watch for development hot reload
+RUN cargo install cargo-watch
+
+# Install sqlx-cli for migrations
+RUN cargo install sqlx-cli --no-default-features --features postgres,rustls
+
+# Copy source (will be overridden by volume mount in dev)
+COPY . .
+
+ENV SQLX_OFFLINE=true
+
+EXPOSE 8080
+
+CMD ["cargo", "watch", "-x", "run"]

Dockerfile.dev

@@ -0,0 +1,126 @@
+services:
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"  # HTTP/3
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    depends_on:
+      confops-app:
+        condition: service_healthy
+    deploy:
+      resources:
+        limits:
+          memory: 128M
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+
+  confops-app:
+    image: ghcr.io/org/confops:latest
+    restart: unless-stopped
+    env_file: .env.prod
+    ports:
+      - "127.0.0.1:8080:8080"
+    volumes:
+      - file_storage:/data/files
+    depends_on:
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: "1.0"
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+
+  # IMPORTANT: confops-worker must remain a single replica.
+  # The Reminder Scheduler depends on single-instance execution to avoid
+  # duplicate notifications. If multi-replica is needed in the future,
+  # implement PostgreSQL Advisory Lock or SELECT ... FOR UPDATE SKIP LOCKED
+  # (see docs/system/10-notification-system.md).
+  confops-worker:
+    image: ghcr.io/org/confops:latest
+    restart: unless-stopped
+    command: ["confops", "--worker"]
+    env_file: .env.prod
+    volumes:
+      - file_storage:/data/files
+    depends_on:
+      postgres:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    deploy:
+      replicas: 1  # Do not increase; see above comment
+      resources:
+        limits:
+          memory: 512M
+          cpus: "0.5"
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+
+  postgres:
+    image: postgres:16
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: confops
+      POSTGRES_USER: confops
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    secrets:
+      - db_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U confops"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
+
+volumes:
+  caddy_data:
+  caddy_config:
+  pgdata:
+  file_storage:
+    driver: local
+    driver_opts:
+      type: none
+      o: bind
+      device: /data/confops/files
+
+secrets:
+  db_password:
+    file: ./secrets/db_password.txt

docker-compose.prod.yml

@@ -45,6 +45,7 @@
     "oxlint": "~1.48.0",
     "typescript": "~5.9.3",
     "vite": "8.0.0-beta.15",
+    "vite-plugin-pwa": "^1.2.0",
     "vitest": "^4.0.18",
     "vue-tsc": "^3.2.4"
   },