feat: dockerfile (node runtime), startup migration, README, runtime env config

server/utils/auth.ts

@@ -45,14 +45,13 @@ function splitCsv(v: unknown): string[] {
 
 let _cached: ReturnType<typeof makeVerifier> | null = null;
 
-/** Process-wide verifier built from runtime config (Nitro server context). */
+/** Process-wide verifier built from environment (read at runtime, not baked at build). */
 export function getVerifier() {
   if (!_cached) {
-    const c = useRuntimeConfig();
     _cached = makeVerifier({
-      issuer: c.zitadelIssuer,
-      audiences: splitCsv(c.zitadelAudience),
-      allowedSubs: splitCsv(c.allowedUserIds),
+      issuer: process.env.ZITADEL_ISSUER || "https://auth.kuns.dev",
+      audiences: splitCsv(process.env.ZITADEL_AUDIENCE),
+      allowedSubs: splitCsv(process.env.ALLOWED_USER_IDS),
     });
   }
   return _cached;

server/utils/schema.ts

@@ -0,0 +1,23 @@
+// Canonical schema for the Online Inbox. Single source of truth, applied idempotently by
+// the Nitro startup plugin (server/plugins/migrate.ts) and the CLI (server/db/migrate.ts).
+export const INIT_SQL = `
+create table if not exists lists (
+  id         text primary key,            -- GUID supplied by the desktop, reused verbatim
+  name       text not null,
+  updated_at timestamptz not null default now()
+);
+
+create table if not exists tasks (
+  id          text primary key,           -- GUID; shared id space (web + desktop)
+  list_id     text not null references lists(id) on delete cascade,
+  title       text not null,
+  description text,
+  source      text not null,              -- 'web' | 'desktop'
+  consumed    boolean not null default false,  -- web->desktop handoff flag
+  created_at  timestamptz not null default now(),
+  updated_at  timestamptz not null default now()
+);
+
+create index if not exists idx_tasks_list_id on tasks(list_id);
+create index if not exists idx_tasks_unconsumed on tasks(consumed) where consumed = false;
+`;