feat(cards-server): Phase α.4 — Dockerfile + compose + tunnel route

Wires cards-server into the Mac-mini stack so we can deploy alongside
the rest of the Mana services.

  - Dockerfile mirrors the mana-credits 2-stage pattern (node+pnpm
    installer → bun runtime), exposes :3072, includes a /health
    healthcheck.
  - docker-compose.macmini.yml: new cards-server block right after
    mana-credits — depends on postgres + mana-auth, 128m mem, all the
    env knobs from the Phase-α config (author payout BPS, community-
    verified thresholds, sibling-service URLs).
  - cloudflared-config.yml: cards-api.mana.how → :3072. Distinct from
    cards.mana.how (the user-facing PWA) so the API surface is clearly
    separated.
  - sso-origins.ts: cards-api.mana.how added to PRODUCTION_TRUSTED_ORIGINS.
  - mana-auth CORS_ORIGINS in compose: cards-api.mana.how added.
    Restored whopxl.mana.how that had drifted out — sso-config.spec.ts
    had been flagging it but the missing entry surfaced when I added
    cards-api. spec is back to 8/8 green.

Deploy plan (next steps, not in this commit):
  1. ./scripts/mac-mini/build-app.sh cards-server
  2. docker exec mana-app-cards-server bun run db:push  (creates the
     `cards` schema + 16 tables in mana_platform)
  3. ./scripts/mac-mini/sync-tunnel-config.sh
  4. Smoke: curl https://cards-api.mana.how/health → 200

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cloudflared-config.yml

@@ -152,6 +152,8 @@ ingress:
     service: http://localhost:3065
   - hostname: research.mana.how
     service: http://localhost:3068
+  - hostname: cards-api.mana.how
+    service: http://localhost:3072
   - hostname: feedback.mana.how
     service: http://localhost:3064
 

docker-compose.macmini.yml

@@ -250,7 +250,7 @@ services:
       # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
       # All productivity modules now live under mana.how (path-based) —
       # no per-module subdomain entries required here.
-      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://cards.mana.how
+      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how,https://cards-api.mana.how
     ports:
       - "3001:3001"
     healthcheck:
@@ -350,6 +350,46 @@ services:
       - "traefik.http.routers.mana-credits.tls=true"
       - "traefik.http.services.mana-credits.loadbalancer.server.port=3002"
 
+  cards-server:
+    # Cards-Marketplace + Community backend. See
+    # apps/cards/docs/MARKETPLACE_PLAN.md for the full design.
+    build:
+      context: .
+      dockerfile: services/cards-server/Dockerfile
+    image: cards-server:local
+    container_name: mana-app-cards-server
+    restart: always
+    mem_limit: 128m
+    depends_on:
+      postgres:
+        condition: service_healthy
+      mana-auth:
+        condition: service_healthy
+    environment:
+      NODE_ENV: production
+      PORT: 3072
+      DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:-mana123}@postgres:5432/mana_platform
+      MANA_AUTH_URL: http://mana-auth:3001
+      MANA_CREDITS_URL: http://mana-credits:3002
+      MANA_LLM_URL: http://mana-llm:3025
+      MANA_MEDIA_URL: http://mana-media:3015
+      MANA_NOTIFY_URL: http://mana-notify:3040
+      MANA_SERVICE_KEY: ${MANA_SERVICE_KEY}
+      CORS_ORIGINS: https://cards.mana.how,https://mana.how
+      AUTHOR_PAYOUT_STANDARD_BPS: 8000
+      AUTHOR_PAYOUT_VERIFIED_BPS: 9000
+      COMMUNITY_VERIFY_STARS: 500
+      COMMUNITY_VERIFY_FEATURED: 3
+      COMMUNITY_VERIFY_SUBSCRIBERS: 200
+    ports:
+      - "3072:3072"
+    healthcheck:
+      test: ["CMD", "bun", "-e", "fetch('http://127.0.0.1:3072/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
+      interval: 120s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+
   mana-research:
     build:
       context: .

services/cards-server/Dockerfile

@@ -0,0 +1,40 @@
+# Install stage: use node + pnpm to resolve workspace dependencies.
+# Cards-server is bun-runtime, but pnpm is the only sane way to do
+# workspace deps with @mana/shared-hono symlinks.
+FROM node:22-alpine AS installer
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY services/cards-server/package.json ./services/cards-server/
+COPY packages/shared-hono ./packages/shared-hono
+COPY packages/shared-logger ./packages/shared-logger
+COPY packages/shared-types ./packages/shared-types
+
+# Workspace name is `@mana/cards-server`; the trailing `...` includes
+# its workspace dependencies.
+RUN pnpm install --filter @mana/cards-server... --no-frozen-lockfile --ignore-scripts
+
+# Runtime stage: bun
+FROM oven/bun:1 AS production
+
+WORKDIR /app
+
+COPY --from=installer /app/node_modules ./node_modules
+COPY --from=installer /app/services/cards-server/node_modules ./services/cards-server/node_modules
+COPY --from=installer /app/packages ./packages
+
+COPY services/cards-server/package.json ./services/cards-server/
+COPY services/cards-server/src ./services/cards-server/src
+COPY services/cards-server/tsconfig.json services/cards-server/drizzle.config.ts ./services/cards-server/
+
+WORKDIR /app/services/cards-server
+
+EXPOSE 3072
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+  CMD bun -e "fetch('http://localhost:3072/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"
+
+CMD ["bun", "run", "src/index.ts"]

services/mana-auth/src/auth/sso-origins.ts

@@ -26,6 +26,7 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 	// Separate apps (not part of the unified app)
 	'https://whopxl.mana.how', // Games
 	'https://cards.mana.how', // Cards spaced-repetition spinoff (own SvelteKit container, not the unified app)
+	'https://cards-api.mana.how', // Cards marketplace + community backend (cards-server)
 ] as const;
 
 /** Local dev origins — web dev server + the auth server itself. */