feat: Phase 0 walking skeleton — monorepo, API, web, ML stub

Sets up the full Phase 0 foundation:

- pnpm workspaces + turbo build graph; native module build approval
- packages/shared-types: HTTP contracts (Tip, Auth, Integrations, User)
- services/api: Express modular monolith with better-sqlite3/drizzle
  - auth: Google OAuth2 + PKCE via openid-client v6, cookie sessions
  - integrations: Todoist OAuth2 connect/disconnect, token vault
  - recommender: RandomPolicy over Todoist tasks, feedback sink
  - user: profile, consent capture, full account deletion (GDPR)
- apps/web: Next.js 15, three pages (sign-in → connect → tip)
  - tip page: black canvas, hold-to-act gesture, action sheet
  - PWA manifest + theme
- ml/serving: FastAPI stub implementing the POST /score contract
- infra: docker-compose (core/full profiles), Dockerfiles, CI skeleton
- .env.example with all required vars documented

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

infra/ci/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  type-check-and-lint:
+    name: Type-check & lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build --filter=@oo/shared-types
+      - run: pnpm type-check
+
+  ml-lint:
+    name: Python lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - run: pip install ruff
+      - run: ruff check ml/serving/

infra/docker/Dockerfile.api

@@ -0,0 +1,32 @@
+FROM node:22-alpine AS base
+RUN npm install -g pnpm
+
+FROM base AS deps
+WORKDIR /app
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
+COPY packages/shared-types/package.json ./packages/shared-types/
+COPY services/api/package.json ./services/api/
+RUN pnpm install --frozen-lockfile
+
+FROM base AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY --from=deps /app/packages/shared-types/node_modules ./packages/shared-types/node_modules
+COPY --from=deps /app/services/api/node_modules ./services/api/node_modules
+COPY tsconfig.base.json ./
+COPY packages/shared-types ./packages/shared-types
+COPY services/api ./services/api
+RUN pnpm --filter @oo/shared-types build
+RUN pnpm --filter @oo/api build
+
+FROM node:22-alpine AS runner
+WORKDIR /app
+RUN npm install -g pnpm
+COPY package.json pnpm-workspace.yaml ./
+COPY packages/shared-types/package.json ./packages/shared-types/
+COPY services/api/package.json ./services/api/
+RUN pnpm install --prod --frozen-lockfile
+COPY --from=builder /app/packages/shared-types/dist ./packages/shared-types/dist
+COPY --from=builder /app/services/api/dist ./services/api/dist
+WORKDIR /app/services/api
+CMD ["node", "dist/index.js"]

infra/docker/Dockerfile.ml

@@ -0,0 +1,6 @@
+FROM python:3.12-slim
+WORKDIR /app
+COPY ml/serving/requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+COPY ml/serving/main.py .
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

infra/docker/Dockerfile.web

@@ -0,0 +1,29 @@
+FROM node:22-alpine AS base
+RUN npm install -g pnpm
+
+FROM base AS deps
+WORKDIR /app
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
+COPY packages/shared-types/package.json ./packages/shared-types/
+COPY apps/web/package.json ./apps/web/
+RUN pnpm install --frozen-lockfile
+
+FROM base AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY --from=deps /app/packages/shared-types/node_modules ./packages/shared-types/node_modules
+COPY --from=deps /app/apps/web/node_modules ./apps/web/node_modules
+COPY tsconfig.base.json ./
+COPY packages/shared-types ./packages/shared-types
+COPY apps/web ./apps/web
+RUN pnpm --filter @oo/shared-types build
+ENV NEXT_TELEMETRY_DISABLED=1
+RUN pnpm --filter @oo/web build
+
+FROM node:22-alpine AS runner
+ENV NODE_ENV=production NEXT_TELEMETRY_DISABLED=1
+WORKDIR /app
+COPY --from=builder /app/apps/web/.next/standalone ./
+COPY --from=builder /app/apps/web/.next/static ./apps/web/.next/static
+COPY --from=builder /app/apps/web/public ./apps/web/public
+CMD ["node", "apps/web/server.js"]

infra/docker/docker-compose.yml

@@ -0,0 +1,56 @@
+name: oo
+
+services:
+  # ── core profile ──────────────────────────────────────────────────────────
+
+  api:
+    build:
+      context: ../..
+      dockerfile: infra/docker/Dockerfile.api
+    profiles: [core, full]
+    env_file: ../../.env.local
+    environment:
+      DATABASE_PATH: /data/oo.db
+      PORT: "3001"
+      NODE_ENV: production
+    volumes:
+      - api-data:/data
+    ports:
+      - "3001:3001"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3001/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  web:
+    build:
+      context: ../..
+      dockerfile: infra/docker/Dockerfile.web
+    profiles: [core, full]
+    env_file: ../../.env.local
+    environment:
+      NEXT_PUBLIC_API_URL: ""   # rewrites proxy to /api, no cross-origin needed in prod
+    ports:
+      - "3000:3000"
+    depends_on:
+      api:
+        condition: service_healthy
+
+  # ── full profile ──────────────────────────────────────────────────────────
+
+  ml-serving:
+    build:
+      context: ../..
+      dockerfile: infra/docker/Dockerfile.ml
+    profiles: [full]
+    ports:
+      - "8000:8000"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+volumes:
+  api-data: