feat(wardrobe): module foundation — garments + outfits space-scoped data layer (M1)

M1 of docs/plans/wardrobe-module.md — pure data layer + backend plumbing,
zero UI (that's M2). A user can now hold a digital wardrobe per space:
brand merch, club Trikots, family Kleiderschrank, team Kostüme, practice
Dresscode, and personal closet all live as separate pools under the same
Dexie tables, space-scoped like tags/scenes/agents after Phase 2c.

Data model — two tables, no join:

- wardrobeGarments (Dexie v41): single clothing items / accessories.
  Indexed on `category` + `createdAt` + `isArchived`. Encrypted:
  name/brand/color/size/material/tags/notes. Plaintext: category,
  mediaIds, counters, timestamps — all indexed or structural.
  `mediaIds[0]` is the primary photo used for try-on; additional
  ids are alternate views (back, detail) for M7.

- wardrobeOutfits (Dexie v41): named compositions referencing
  garment ids. Encrypted: name/description/tags. Plaintext:
  garmentIds (FK array), occasion (closed enum — useful for
  undecrypted filtering), season, booleans, lastTryOn snapshot.

- picture.images gains `wardrobeOutfitId?: string | null` as a
  plaintext back-reference. Try-on results land in the Picture
  gallery like any other generation; the outfit detail view
  queries them via this id rather than maintaining a third table.

Space scope:

- `wardrobe` added to all five explicit allowlists in shared-types/
  spaces.ts (personal is wildcard, no edit needed). Each space type
  gets a one-line comment explaining the real-world use case.
- App registry: `wardrobe` entry in shared-branding/mana-apps.ts
  with a rose→fuchsia gradient icon (T-shirt on hanger silhouette),
  color #e11d48, tier 'beta', status 'beta'.
- Module registry: wardrobeModuleConfig imported + appended to
  MODULE_CONFIGS so SYNC_APP_MAP picks it up automatically.

Backend:

- MAX_REFERENCE_IMAGES bumped 4 → 8 in picture/generate-with-
  reference (plus the client-side default in ReferenceImagePicker).
  Justified with a comment: face + body + top + bottom + shoes +
  outerwear + 2 accessories = 8. Cost doesn't scale with ref count
  (OpenAI bills per output), so the bump is a pure capability
  expansion with no credit-side risk.
- New POST /api/v1/wardrobe/garments/upload wraps uploadImageToMedia
  with app='wardrobe'. Registered under /api/v1/wardrobe in index.ts.
  Pattern 1:1 with the profile/me-images/upload endpoint; tier-gating
  falls out of wardrobe NOT being in RESOURCE_MODULES (tier='guest'
  works — consistent with picture's plain CRUD).

Stores emit domain events (WardrobeGarmentAdded, WardrobeOutfitCreated,
WardrobeOutfitTryOn, etc.) so later mana-ai missions can observe
activity without polling.

No UI in this commit. M2 (Garments-Grundlayer) wires the route + grid
+ upload-zone; M3 the Outfit composer; M4 the Try-On integration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/api/src/modules/website/publish.ts

@@ -11,6 +11,7 @@ import { z } from 'zod';
 import { and, desc, eq } from 'drizzle-orm';
 import type { AuthVariables } from '@mana/shared-hono';
 import { errorResponse, validationError } from '../../lib/responses';
+import { websitePublishTotal, websitePublishDuration } from '../../lib/metrics';
 import { db, publishedSnapshots, submissions } from './schema';
 import { isValidSlug } from './reserved-slugs';
 
@@ -63,6 +64,7 @@ const DraftSnapshotSchema = z.object({
 // ─── POST /sites/:id/publish ────────────────────────────
 
 routes.post('/sites/:id/publish', async (c) => {
+	const publishTimer = websitePublishDuration.startTimer();
 	const userId = c.get('userId');
 	// Space id flows in via an explicit header (mana-auth doesn't yet
 	// embed the active space in JWT claims). Nullable — full membership
@@ -71,18 +73,30 @@ routes.post('/sites/:id/publish', async (c) => {
 	const spaceId = spaceIdHeader && /^[0-9a-f-]{36}$/i.test(spaceIdHeader) ? spaceIdHeader : null;
 	const siteId = c.req.param('id');
 
-	if (!siteId) return errorResponse(c, 'siteId required', 400);
+	if (!siteId) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
+		return errorResponse(c, 'siteId required', 400);
+	}
 
 	const parsed = DraftSnapshotSchema.safeParse(await c.req.json().catch(() => null));
-	if (!parsed.success) return validationError(c, parsed.error.issues);
+	if (!parsed.success) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
+		return validationError(c, parsed.error.issues);
+	}
 
 	const draft = parsed.data;
 	if (draft.site.id !== siteId) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
 		return errorResponse(c, 'Site id mismatch between path and body', 400, {
 			code: 'SITE_ID_MISMATCH',
 		});
 	}
 	if (!isValidSlug(draft.site.slug)) {
+		websitePublishTotal.inc({ result: 'invalid' });
+		publishTimer();
 		return errorResponse(c, `Slug "${draft.site.slug}" is invalid or reserved`, 400, {
 			code: 'INVALID_SLUG',
 		});
@@ -97,6 +111,8 @@ routes.post('/sites/:id/publish', async (c) => {
 		)
 		.limit(1);
 	if (conflicting[0] && conflicting[0].siteId !== siteId) {
+		websitePublishTotal.inc({ result: 'slug_taken' });
+		publishTimer();
 		return errorResponse(
 			c,
 			`Slug "${draft.site.slug}" is already taken by another published site`,
@@ -139,6 +155,8 @@ routes.post('/sites/:id/publish', async (c) => {
 
 		if (!result) throw new Error('Insert returned no row');
 
+		websitePublishTotal.inc({ result: 'success' });
+		publishTimer();
 		return c.json(
 			{
 				snapshotId: result.id,
@@ -151,10 +169,14 @@ routes.post('/sites/:id/publish', async (c) => {
 		// Postgres unique-constraint violation → slug conflict we didn't
 		// catch in the pre-check (classic race).
 		if (err instanceof Error && /unique/i.test(err.message)) {
+			websitePublishTotal.inc({ result: 'slug_taken' });
+			publishTimer();
 			return errorResponse(c, `Slug "${draft.site.slug}" was taken by a concurrent publish`, 409, {
 				code: 'SLUG_TAKEN',
 			});
 		}
+		websitePublishTotal.inc({ result: 'error' });
+		publishTimer();
 		throw err;
 	}
 });