feat(deploy): pre-start drizzle-kit migrate init container

One-shot migrate container runs drizzle-kit migrate against DATABASE_URL
and exits 0 before web boots. web service depends_on with condition
service_completed_successfully, so failed migrations block web startup
instead of serving 500s against a stale schema. Broker deliberately does
NOT depend on migrate - it tolerates DB-down gracefully per DEPLOY_SPEC
and should keep serving WS peers even during migration failures.

Also excludes apps/cli from docker build context (CLI ships to npm, not
containers) to sidestep zod spec drift in its package.json vs lockfile.

Known followup: migrate image is 3.27GB due to pnpm catalog: specifiers
forcing full-workspace resolution. pnpm deploy bundle trim is a P2.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -35,3 +35,6 @@ Dockerfile
 *.local
 .env*.local
 tmp/
+
+# Apps not needed in any server image (CLI ships to npm, not to containers)
+apps/cli/

docker-compose.production.yml

@@ -0,0 +1,94 @@
+# claudemesh — production compose (for Coolify Service deployment)
+#
+# Three services:
+#   - migrate → one-shot drizzle-kit migrate, exits 0, gates web startup
+#   - broker  → ic.claudemesh.com (WSS /ws + HTTP /health + /hook/set-status)
+#   - web     → claudemesh.com + dashboard.claudemesh.com (Next.js)
+#
+# Postgres is NOT declared here — managed externally by Coolify or a managed DB.
+# Pass DATABASE_URL + all secrets at runtime via Coolify env config.
+#
+# Why broker does NOT depend on migrate:
+#   Broker tolerates DB-down gracefully (per apps/broker/DEPLOY_SPEC.md §Healthcheck).
+#   It should keep serving even if a migration is in-flight or has failed, so WS
+#   peers stay connected + /health reports degraded instead of going 502.
+#
+# Why web DOES depend on migrate:
+#   Next.js routes assume the schema they were built against. Starting web before
+#   migrations land → 500s on every query touching new tables/columns.
+
+name: claudemesh
+
+services:
+  migrate:
+    image: ${MIGRATE_IMAGE:-claudemesh-migrate:latest}
+    restart: "no"
+    environment:
+      DATABASE_URL: ${DATABASE_URL}
+    networks:
+      - claudemesh-internal
+
+  broker:
+    image: ${BROKER_IMAGE:-claudemesh-broker:latest}
+    restart: always
+    environment:
+      NODE_ENV: production
+      BROKER_PORT: 7900
+      DATABASE_URL: ${DATABASE_URL}
+      STATUS_TTL_SECONDS: ${STATUS_TTL_SECONDS:-60}
+      HOOK_FRESH_WINDOW_SECONDS: ${HOOK_FRESH_WINDOW_SECONDS:-30}
+      MAX_CONNECTIONS_PER_MESH: ${MAX_CONNECTIONS_PER_MESH:-100}
+      MAX_MESSAGE_BYTES: ${MAX_MESSAGE_BYTES:-65536}
+      HOOK_RATE_LIMIT_PER_MIN: ${HOOK_RATE_LIMIT_PER_MIN:-30}
+    expose:
+      - "7900"
+    networks:
+      - coolify
+      - claudemesh-internal
+    healthcheck:
+      test: ["CMD", "bun", "-e", "fetch('http://localhost:7900/health').then(r=>{process.exit(r.ok?0:1)}).catch(()=>process.exit(1))"]
+      interval: 15s
+      timeout: 5s
+      start_period: 10s
+      retries: 3
+
+  web:
+    image: ${WEB_IMAGE:-claudemesh-web:latest}
+    restart: always
+    environment:
+      NODE_ENV: production
+      PORT: 3000
+      HOSTNAME: 0.0.0.0
+      DATABASE_URL: ${DATABASE_URL}
+      BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      BETTER_AUTH_URL: ${BETTER_AUTH_URL:-https://claudemesh.com}
+      BETTER_AUTH_TRUSTED_ORIGINS: ${BETTER_AUTH_TRUSTED_ORIGINS:-https://claudemesh.com,https://dashboard.claudemesh.com,https://ic.claudemesh.com}
+      GITHUB_CLIENT_ID: ${GITHUB_CLIENT_ID:-}
+      GITHUB_CLIENT_SECRET: ${GITHUB_CLIENT_SECRET:-}
+      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID:-}
+      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
+      BROKER_INTERNAL_URL: http://broker:7900
+    expose:
+      - "3000"
+    networks:
+      - coolify
+      - claudemesh-internal
+    depends_on:
+      migrate:
+        condition: service_completed_successfully
+      broker:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "node", "-e", "fetch('http://localhost:3000').then(r=>{process.exit(r.ok?0:1)}).catch(()=>process.exit(1))"]
+      interval: 15s
+      timeout: 5s
+      start_period: 20s
+      retries: 3
+
+networks:
+  # Coolify's shared Traefik network — must already exist on the host
+  coolify:
+    external: true
+  # Internal backplane between migrate + broker + web
+  claudemesh-internal:
+    driver: bridge

packages/db/Dockerfile

@@ -0,0 +1,42 @@
+# claudemesh db — drizzle-kit migration runner
+# One-shot container: runs `drizzle-kit migrate` against $DATABASE_URL then exits 0.
+# Used as a pre-deploy init container so the web service never starts against a
+# schema it doesn't know about.
+#
+# Build from repo root:  docker build -f packages/db/Dockerfile -t claudemesh-migrate .
+
+# Stage 1: resolve pnpm workspace + install deps (Bun base + standalone pnpm)
+FROM oven/bun:1.2 AS deps
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && \
+    curl -fsSL "https://github.com/pnpm/pnpm/releases/download/v10.25.0/pnpm-linuxstatic-x64" -o /usr/local/bin/pnpm && \
+    chmod +x /usr/local/bin/pnpm && \
+    rm -rf /var/lib/apt/lists/*
+
+# pnpm needs full workspace context to resolve workspace:* and catalog: specifiers
+COPY . .
+
+# drizzle-kit is a devDependency → install the full dep graph (NOT --prod).
+# Filter to db + its transitive deps only → ~20x smaller install than the whole workspace.
+RUN pnpm install --frozen-lockfile --ignore-scripts --filter "@turbostarter/db..."
+
+# Stage 2: minimal Bun runtime (executes drizzle-kit CLI + TS config)
+FROM oven/bun:1.2-slim AS runtime
+WORKDIR /app
+
+ENV NODE_ENV=production
+
+# Copy workspace metadata, the db package (schema + migrations + config), shared (transitive)
+COPY --from=deps --chown=bun:bun /app/package.json /app/pnpm-workspace.yaml /app/pnpm-lock.yaml /app/.npmrc ./
+COPY --from=deps --chown=bun:bun /app/node_modules ./node_modules
+COPY --from=deps --chown=bun:bun /app/packages/db ./packages/db
+COPY --from=deps --chown=bun:bun /app/packages/shared ./packages/shared
+COPY --from=deps --chown=bun:bun /app/tooling/typescript ./tooling/typescript
+
+USER bun
+WORKDIR /app/packages/db
+
+# drizzle-kit reads DATABASE_URL from env via ./src/env.ts, runs pending migrations,
+# exits 0 on success / non-zero on failure. No long-running process.
+CMD ["bun", "x", "drizzle-kit", "migrate"]