feat(cards-server): Phase α.4 — Dockerfile + compose + tunnel route

Wires cards-server into the Mac-mini stack so we can deploy alongside the rest of the Mana services. - Dockerfile mirrors the mana-credits 2-stage pattern (node+pnpm installer → bun runtime), exposes :3072, includes a /health healthcheck. - docker-compose.macmini.yml: new cards-server block right after mana-credits — depends on postgres + mana-auth, 128m mem, all the env knobs from the Phase-α config (author payout BPS, community- verified thresholds, sibling-service URLs). - cloudflared-config.yml: cards-api.mana.how → :3072. Distinct from cards.mana.how (the user-facing PWA) so the API surface is clearly separated. - sso-origins.ts: cards-api.mana.how added to PRODUCTION_TRUSTED_ORIGINS. - mana-auth CORS_ORIGINS in compose: cards-api.mana.how added. Restored whopxl.mana.how that had drifted out — sso-config.spec.ts had been flagging it but the missing entry surfaced when I added cards-api. spec is back to 8/8 green. Deploy plan (next steps, not in this commit): 1. ./scripts/mac-mini/build-app.sh cards-server 2. docker exec mana-app-cards-server bun run db:push (creates the `cards` schema + 16 tables in mana_platform) 3. ./scripts/mac-mini/sync-tunnel-config.sh 4. Smoke: curl https://cards-api.mana.how/health → 200 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 20:21:09 +02:00 · 2026-05-07 16:22:48 +02:00 · 2026-05-07 16:22:48 +02:00 · 71ec5e7123
commit 71ec5e7123
parent a7b62ea8ae
4 changed files with 84 additions and 1 deletions
--- a/services/cards-server/Dockerfile
+++ b/services/cards-server/Dockerfile
@ -0,0 +1,40 @@
+# Install stage: use node + pnpm to resolve workspace dependencies.
+# Cards-server is bun-runtime, but pnpm is the only sane way to do
+# workspace deps with @mana/shared-hono symlinks.
+FROM node:22-alpine AS installer
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY services/cards-server/package.json ./services/cards-server/
+COPY packages/shared-hono ./packages/shared-hono
+COPY packages/shared-logger ./packages/shared-logger
+COPY packages/shared-types ./packages/shared-types
+
+# Workspace name is `@mana/cards-server`; the trailing `...` includes
+# its workspace dependencies.
+RUN pnpm install --filter @mana/cards-server... --no-frozen-lockfile --ignore-scripts
+
+# Runtime stage: bun
+FROM oven/bun:1 AS production
+
+WORKDIR /app
+
+COPY --from=installer /app/node_modules ./node_modules
+COPY --from=installer /app/services/cards-server/node_modules ./services/cards-server/node_modules
+COPY --from=installer /app/packages ./packages
+
+COPY services/cards-server/package.json ./services/cards-server/
+COPY services/cards-server/src ./services/cards-server/src
+COPY services/cards-server/tsconfig.json services/cards-server/drizzle.config.ts ./services/cards-server/
+
+WORKDIR /app/services/cards-server
+
+EXPOSE 3072
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+  CMD bun -e "fetch('http://localhost:3072/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"
+
+CMD ["bun", "run", "src/index.ts"]
--- a/services/mana-auth/src/auth/sso-origins.ts
+++ b/services/mana-auth/src/auth/sso-origins.ts
@ -26,6 +26,7 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 	// Separate apps (not part of the unified app)
 	'https://whopxl.mana.how', // Games
 	'https://cards.mana.how', // Cards spaced-repetition spinoff (own SvelteKit container, not the unified app)
+	'https://cards-api.mana.how', // Cards marketplace + community backend (cards-server)
 ] as const;

 /** Local dev origins — web dev server + the auth server itself. */