Redesign deployment: only .env + docker-compose.yml needed on server

Custom Docker images embed all config so production servers no longer
need SQL files, kong.yml, or shell scripts. Kong generates config from
env vars at startup. Migrate container auto-detects fresh vs existing
DB and runs appropriate scripts.

New images: monacousa-db, monacousa-kong, monacousa-migrate
New commands: deploy.sh build-images, deploy.sh push-images

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker/kong/Dockerfile

@@ -0,0 +1,9 @@
+FROM kong:2.8.1
+
+# Embed the config template and wrapper script
+COPY kong.yml.template /var/lib/kong/kong.yml.template
+COPY docker-entrypoint-wrapper.sh /docker-entrypoint-wrapper.sh
+RUN chmod +x /docker-entrypoint-wrapper.sh
+
+ENTRYPOINT ["/docker-entrypoint-wrapper.sh"]
+CMD ["kong", "docker-start"]

docker/kong/docker-entrypoint-wrapper.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+# Generate kong.yml from template by substituting env vars
+if [ -z "$ANON_KEY" ] || [ -z "$SERVICE_ROLE_KEY" ]; then
+  echo "ERROR: ANON_KEY and SERVICE_ROLE_KEY must be set"
+  exit 1
+fi
+
+sed \
+  -e "s|__ANON_KEY__|${ANON_KEY}|g" \
+  -e "s|__SERVICE_ROLE_KEY__|${SERVICE_ROLE_KEY}|g" \
+  /var/lib/kong/kong.yml.template > /var/lib/kong/kong.yml
+
+echo "Kong config generated from template with production API keys"
+
+# Hand off to the original Kong entrypoint
+exec /docker-entrypoint.sh "$@"

docker/kong/kong.yml.template

@@ -0,0 +1,180 @@
+_format_version: "2.1"
+_transform: true
+
+consumers:
+  - username: ANON
+    keyauth_credentials:
+      - key: __ANON_KEY__
+  - username: SERVICE_ROLE
+    keyauth_credentials:
+      - key: __SERVICE_ROLE_KEY__
+
+acls:
+  - consumer: ANON
+    group: anon
+  - consumer: SERVICE_ROLE
+    group: admin
+
+services:
+  - name: auth-verify-redirect
+    url: http://portal:3000/auth/verify
+    routes:
+      - name: auth-verify-redirect
+        strip_path: false
+        paths:
+          - /auth/verify
+        preserve_host: false
+    plugins:
+      - name: cors
+
+  - name: auth-v1-open
+    url: http://auth:9999/verify
+    routes:
+      - name: auth-v1-open
+        strip_path: true
+        paths:
+          - /auth/v1/verify
+    plugins:
+      - name: cors
+
+  - name: auth-v1-open-callback
+    url: http://auth:9999/callback
+    routes:
+      - name: auth-v1-open-callback
+        strip_path: true
+        paths:
+          - /auth/v1/callback
+    plugins:
+      - name: cors
+
+  - name: auth-v1-open-authorize
+    url: http://auth:9999/authorize
+    routes:
+      - name: auth-v1-open-authorize
+        strip_path: true
+        paths:
+          - /auth/v1/authorize
+    plugins:
+      - name: cors
+
+  - name: auth-v1
+    url: http://auth:9999/
+    routes:
+      - name: auth-v1
+        strip_path: true
+        paths:
+          - /auth/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  - name: rest-v1
+    url: http://rest:3000/
+    routes:
+      - name: rest-v1
+        strip_path: true
+        paths:
+          - /rest/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  - name: realtime-v1-ws
+    url: http://realtime:4000/socket
+    routes:
+      - name: realtime-v1-ws
+        strip_path: true
+        paths:
+          - /realtime/v1/websocket
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  - name: realtime-v1
+    url: http://realtime:4000/
+    routes:
+      - name: realtime-v1
+        strip_path: true
+        paths:
+          - /realtime/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  - name: storage-v1-public
+    url: http://storage:5000/object/public
+    routes:
+      - name: storage-v1-public
+        strip_path: true
+        paths:
+          - /storage/v1/object/public
+    plugins:
+      - name: cors
+
+  - name: storage-v1
+    url: http://storage:5000/
+    routes:
+      - name: storage-v1
+        strip_path: true
+        paths:
+          - /storage/v1/
+    plugins:
+      - name: cors
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  - name: meta
+    url: http://meta:8080/
+    routes:
+      - name: meta
+        strip_path: true
+        paths:
+          - /pg/
+    plugins:
+      - name: key-auth
+        config:
+          hide_credentials: false
+      - name: acl
+        config:
+          hide_groups_header: true
+          allow:
+            - admin