refactor(infra): remove zitare + clock NestJS backends, add shared-hono package

Both apps are fully local-first via Dexie.js + mana-sync. Their NestJS
backends were pure CRUD wrappers (20 + 31 source files) that are no
longer needed.

Changes:
- Add packages/shared-hono: JWT auth via JWKS (jose), Drizzle DB factory,
  health route, generic GDPR admin handler, error middleware
- Migrate zitare lists page from fetch() to listsStore (local-first)
- Rewrite clock timers store from API-based to timerCollection (Dexie)
- Update clock +layout.svelte CommandBar search to use local collections
- Remove zitare-backend + clock-backend from docker-compose, CI/CD,
  Prometheus, env generation, setup scripts
- Add docs/TECHNOLOGY_AUDIT_2026_03.md with full repo analysis

Net result: -2 Docker containers, -2 ports, -2728 lines of code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -58,7 +58,6 @@ jobs:
       todo-web: ${{ steps.changes.outputs.todo-web }}
       calendar-backend: ${{ steps.changes.outputs.calendar-backend }}
       calendar-web: ${{ steps.changes.outputs.calendar-web }}
-      clock-backend: ${{ steps.changes.outputs.clock-backend }}
       clock-web: ${{ steps.changes.outputs.clock-web }}
       contacts-backend: ${{ steps.changes.outputs.contacts-backend }}
       contacts-web: ${{ steps.changes.outputs.contacts-web }}
@@ -72,7 +71,6 @@ jobs:
       skilltree-backend: ${{ steps.changes.outputs.skilltree-backend }}
       skilltree-web: ${{ steps.changes.outputs.skilltree-web }}
       mana-matrix-bot: ${{ steps.changes.outputs.mana-matrix-bot }}
-      zitare-backend: ${{ steps.changes.outputs.zitare-backend }}
       any-changes: ${{ steps.changes.outputs.any-changes }}
     steps:
       - name: Checkout code
@@ -95,7 +93,6 @@ jobs:
             echo "todo-web=true" >> $GITHUB_OUTPUT
             echo "calendar-backend=true" >> $GITHUB_OUTPUT
             echo "calendar-web=true" >> $GITHUB_OUTPUT
-            echo "clock-backend=true" >> $GITHUB_OUTPUT
             echo "clock-web=true" >> $GITHUB_OUTPUT
             echo "contacts-backend=true" >> $GITHUB_OUTPUT
             echo "contacts-web=true" >> $GITHUB_OUTPUT
@@ -109,7 +106,6 @@ jobs:
             echo "skilltree-backend=true" >> $GITHUB_OUTPUT
             echo "skilltree-web=true" >> $GITHUB_OUTPUT
             echo "mana-matrix-bot=true" >> $GITHUB_OUTPUT
-            echo "zitare-backend=true" >> $GITHUB_OUTPUT
             echo "any-changes=true" >> $GITHUB_OUTPUT
             exit 0
           fi
@@ -136,7 +132,6 @@ jobs:
             echo "todo-web=true" >> $GITHUB_OUTPUT
             echo "calendar-backend=true" >> $GITHUB_OUTPUT
             echo "calendar-web=true" >> $GITHUB_OUTPUT
-            echo "clock-backend=true" >> $GITHUB_OUTPUT
             echo "clock-web=true" >> $GITHUB_OUTPUT
             echo "contacts-backend=true" >> $GITHUB_OUTPUT
             echo "contacts-web=true" >> $GITHUB_OUTPUT
@@ -150,7 +145,6 @@ jobs:
             echo "skilltree-backend=true" >> $GITHUB_OUTPUT
             echo "skilltree-web=true" >> $GITHUB_OUTPUT
             echo "mana-matrix-bot=true" >> $GITHUB_OUTPUT
-            echo "zitare-backend=true" >> $GITHUB_OUTPUT
             echo "any-changes=true" >> $GITHUB_OUTPUT
             exit 0
           fi
@@ -255,13 +249,7 @@ jobs:
             echo "calendar-web=false" >> $GITHUB_OUTPUT
           fi
 
-          # clock-backend
-          CLOCK_BACKEND_CHANGED=$(check_pattern "apps/clock/apps/backend/|apps/clock/packages/")
-          if [ "$COMMON_CHANGED" == "true" ] || [ "$SHARED_AUTH_CHANGED" == "true" ] || [ "$CLOCK_BACKEND_CHANGED" == "true" ]; then
-            echo "clock-backend=true" >> $GITHUB_OUTPUT
-          else
-            echo "clock-backend=false" >> $GITHUB_OUTPUT
-          fi
+          # clock-backend: REMOVED — migrated to local-first
 
           # clock-web
           CLOCK_WEB_CHANGED=$(check_pattern "apps/clock/apps/web/|apps/clock/packages/")
@@ -367,13 +355,7 @@ jobs:
             echo "mana-matrix-bot=false" >> $GITHUB_OUTPUT
           fi
 
-          # zitare-backend
-          ZITARE_BACKEND_CHANGED=$(check_pattern "apps/zitare/apps/backend/|apps/zitare/packages/")
-          if [ "$COMMON_CHANGED" == "true" ] || [ "$SHARED_AUTH_CHANGED" == "true" ] || [ "$ZITARE_BACKEND_CHANGED" == "true" ]; then
-            echo "zitare-backend=true" >> $GITHUB_OUTPUT
-          else
-            echo "zitare-backend=false" >> $GITHUB_OUTPUT
-          fi
+          # zitare-backend: REMOVED — migrated to local-first
 
           # Check if any service needs building
           if grep -q "=true" $GITHUB_OUTPUT; then
@@ -397,7 +379,7 @@ jobs:
           echo "| todo-web | ${{ steps.changes.outputs.todo-web }} |" >> $GITHUB_STEP_SUMMARY
           echo "| calendar-backend | ${{ steps.changes.outputs.calendar-backend }} |" >> $GITHUB_STEP_SUMMARY
           echo "| calendar-web | ${{ steps.changes.outputs.calendar-web }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| clock-backend | ${{ steps.changes.outputs.clock-backend }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| clock-backend | removed |" >> $GITHUB_STEP_SUMMARY
           echo "| clock-web | ${{ steps.changes.outputs.clock-web }} |" >> $GITHUB_STEP_SUMMARY
           echo "| contacts-backend | ${{ steps.changes.outputs.contacts-backend }} |" >> $GITHUB_STEP_SUMMARY
           echo "| contacts-web | ${{ steps.changes.outputs.contacts-web }} |" >> $GITHUB_STEP_SUMMARY
@@ -410,7 +392,7 @@ jobs:
           echo "| nutriphi-web | ${{ steps.changes.outputs.nutriphi-web }} |" >> $GITHUB_STEP_SUMMARY
           echo "| skilltree-backend | ${{ steps.changes.outputs.skilltree-backend }} |" >> $GITHUB_STEP_SUMMARY
           echo "| skilltree-web | ${{ steps.changes.outputs.skilltree-web }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| zitare-backend | ${{ steps.changes.outputs.zitare-backend }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| zitare-backend | removed |" >> $GITHUB_STEP_SUMMARY
 
   # ===========================================
   # Validation job - runs on PRs
@@ -737,34 +719,7 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-  build-clock-backend:
-    name: Build clock-backend
-    runs-on: ubuntu-latest
-    needs: detect-changes
-    if: needs.detect-changes.outputs.clock-backend == 'true'
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/clock-backend
-          tags: type=raw,value=latest
-      - uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: apps/clock/apps/backend/Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+  # build-clock-backend: REMOVED — migrated to local-first
 
   build-clock-web:
     name: Build clock-web
@@ -1149,34 +1104,4 @@ jobs:
           cache-to: type=gha,mode=max
 
   # ===========================================
-  # Zitare Backend
-  # ===========================================
-
-  build-zitare-backend:
-    name: Build zitare-backend
-    runs-on: ubuntu-latest
-    needs: detect-changes
-    if: needs.detect-changes.outputs.zitare-backend == 'true'
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/zitare-backend
-          tags: type=raw,value=latest
-      - uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: apps/zitare/apps/backend/Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+  # Zitare Backend: REMOVED — migrated to local-first