feat: add Docker support and deployment workflow #70

Merged: maximedogawa merged 2 commits into main from 52-bug-chunks-size-to-big, Apr 19, 2026
@maximedogawa (Collaborator) commented Apr 19, 2026

  • Introduced a Dockerfile for building the pengine web image, serving the static bundle.
  • Added a docker-compose.yml for deploying the web app on a remote host.
  • Created a GitHub Actions workflow for automated deployment of the web app to GHCR and SSH rollout.
  • Updated .env.production to define the public site URL.
  • Enhanced the application to support lazy loading of routes for improved performance.
  • Updated versioning across package.json and Cargo files to 1.0.2.

Summary by CodeRabbit

  • New Features

    • Added web application deployment infrastructure with automated containerized releases and remote deployment pipeline.
    • Implemented route-based code-splitting for faster initial page load performance.
  • Documentation

    • Added comprehensive deployment guide covering the end-to-end web app release and rollout process.
  • Chores

    • Bumped version to 1.0.2.
    • Optimized build configuration with improved dependency chunking strategy.

@maximedogawa maximedogawa linked an issue Apr 19, 2026 that may be closed by this pull request
@maximedogawa maximedogawa self-assigned this Apr 19, 2026
coderabbitai Bot commented Apr 19, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8a83b687-6d5e-40d6-aeda-77dbfc730339

📥 Commits

Reviewing files that changed from the base of the PR and between 3c5fdb6 and da40924.

📒 Files selected for processing (4)
  • .github/workflows/web-deploy.yml
  • doc/guides/deploying-web.md
  • src/main.tsx
  • src/shared/appMeta.ts
📝 Walkthrough

This PR introduces a complete web application deployment pipeline. It adds Docker containerization for the web frontend, a GitHub Actions CI/CD workflow that builds and deploys to a remote host via SSH, production environment configuration, frontend code-splitting optimizations, and comprehensive deployment documentation. Application version is bumped to 1.0.2 across package metadata files.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Docker Infrastructure**: `.dockerignore`, `deploy/Dockerfile`, `deploy/docker-compose.yml` | Multi-stage Docker build for static web frontend using bun and static-web-server. Compose config runs the container on port 80 internally, published to 127.0.0.1:1420. Health check monitors container availability. |
| **CI/CD Pipeline**: `.github/workflows/web-deploy.yml` | New GitHub Actions workflow triggered on version tags (`v*`) or manual dispatch. Builds Docker image for linux/amd64, pushes to GHCR with versioned and latest tags, then deploys via SSH by copying docker-compose file, pulling image, and restarting services. |
| **Deployment Documentation**: `doc/README.md`, `doc/guides/deploying-web.md` | Added deployment guide covering end-to-end pipeline: Docker image creation with embedded origin URL, GHCR push, SSH-based remote deployment with docker-compose, host bootstrap setup, and local testing procedures. |
| **Environment & Build Configuration**: `.env.production`, `package.json`, `vite.config.ts` | Production origin URL defined (https://pengine.net). Package version bumped to 1.0.2. Build scripts reorganized: `build` now delegates to new `build:web` task. Vite config adds manual code-splitting for vendor chunks (react, router, ui, tauri, qrcode) and preview server on port 1422. |
| **Frontend Code & Type Declarations**: `src/App.tsx`, `src/shared/appMeta.ts`, `src/vite-env.d.ts` | App routes now use code-splitting via `React.lazy()` with Suspense boundary and loading fallback. New `APP_ORIGIN` constant reads from `VITE_APP_ORIGIN` env var. TypeScript ambient types added for Vite environment variable. |
| **Version Updates**: `src-tauri/Cargo.toml`, `src-tauri/tauri.conf.json` | Version fields updated from 1.0.0 to 1.0.2 across Rust and Tauri configuration files. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A Docker image hops with care,
Through GitHub Actions in the air,
SSH tunnels code does bear,
To distant hosts without despair,
Web apps now deploy with flair! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: Docker support (Dockerfile, .dockerignore, docker-compose.yml) and deployment workflow (GitHub Actions web-deploy.yml) are the primary additions. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
src/shared/appMeta.ts (1)

1-2: Consider logging/asserting when the fallback is used in production.

Since VITE_APP_ORIGIN is substituted at build time, a misconfigured Docker build (missing --build-arg) would silently bake in the https://pengine.net fallback with no indication. The current default is correct for the intended prod host, but if this module is ever reused in another deployment the silent fallback could mask a misconfiguration. Optional: narrow the fallback to dev-only, or emit a one-time warning when import.meta.env.PROD && !import.meta.env.VITE_APP_ORIGIN.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/shared/appMeta.ts` around lines 1 - 2, Detect when
import.meta.env.VITE_APP_ORIGIN is missing and import.meta.env.PROD is true, and
emit a one-time warning or throw to avoid silently using the fallback;
specifically modify APP_ORIGIN initialization in appMeta.ts to check
import.meta.env.VITE_APP_ORIGIN and import.meta.env.PROD, and if PROD && no
VITE_APP_ORIGIN then either console.error/processLogger.error or assert/throw
(or restrict the fallback to dev-only) so the missing build arg is surfaced;
ensure the check is performed at module load and references APP_ORIGIN,
import.meta.env.VITE_APP_ORIGIN and import.meta.env.PROD.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/web-deploy.yml:
- Around line 89-94: Replace the runtime ssh-keyscan approach in the "Trust host
key" step: stop using ssh-keyscan -H "$DEPLOY_HOST" and instead read the
expected host key or fingerprint from a secret (e.g. a new secret like
DEPLOY_HOST_KEY or DEPLOY_HOST_FINGERPRINT) and write that exact value into
~/.ssh/known_hosts before connecting; update the step that references
DEPLOY_HOST and known_hosts to use the secret variable rather than generating
keys at deploy time so the workflow trusts only the pre-provisioned host key.
- Around line 40-56: The checkout step is still using the default workflow ref
so manual deployments can build the wrong commit; update the actions/checkout@v4
invocation to check out the requested tag when provided by the manual input (the
same TAG/VERSION logic used in the Resolve version step with id ver) by passing
the input tag/ref (e.g. use the TAG value or github.event.inputs.tag ||
github.ref) into the checkout step’s ref parameter so the job actually checks
out the requested tag before building and pushing the image.

In `@doc/guides/deploying-web.md`:
- Line 3: The Markdown link to the production env file is incorrect
(../.env.production resolves to doc/.env.production); update the link in
doc/guides/deploying-web.md so it points to the repository root file (change the
reference '../.env.production' to '../../.env.production') so the
VITE_APP_ORIGIN reference resolves correctly for the Vite production build.

---

Nitpick comments:
In `@src/shared/appMeta.ts`:
- Around line 1-2: Detect when import.meta.env.VITE_APP_ORIGIN is missing and
import.meta.env.PROD is true, and emit a one-time warning or throw to avoid
silently using the fallback; specifically modify APP_ORIGIN initialization in
appMeta.ts to check import.meta.env.VITE_APP_ORIGIN and import.meta.env.PROD,
and if PROD && no VITE_APP_ORIGIN then either console.error/processLogger.error
or assert/throw (or restrict the fallback to dev-only) so the missing build arg
is surfaced; ensure the check is performed at module load and references
APP_ORIGIN, import.meta.env.VITE_APP_ORIGIN and import.meta.env.PROD.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 471c5123-010e-4032-a3cd-4ad0736b378c

📥 Commits

Reviewing files that changed from the base of the PR and between 4e27524 and 3c5fdb6.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • src-tauri/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (14)
  • .dockerignore
  • .env.production
  • .github/workflows/web-deploy.yml
  • deploy/Dockerfile
  • deploy/docker-compose.yml
  • doc/README.md
  • doc/guides/deploying-web.md
  • package.json
  • src-tauri/Cargo.toml
  • src-tauri/tauri.conf.json
  • src/App.tsx
  • src/shared/appMeta.ts
  • src/vite-env.d.ts
  • vite.config.ts

Comment thread .github/workflows/web-deploy.yml
Comment thread .github/workflows/web-deploy.yml Outdated
Comment on lines +89 to +94
      - name: Trust host key
        env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
        run: |
          mkdir -p ~/.ssh
          ssh-keyscan -H "$DEPLOY_HOST" >>~/.ssh/known_hosts 2>/dev/null
⚠️ Potential issue | 🟠 Major

Avoid trusting the deploy host key from the network during the deploy.

ssh-keyscan accepts whatever key is presented at runtime, so a MITM at deploy time can get trusted. Prefer storing the expected host key/fingerprint as a secret and writing that to known_hosts.

🔐 Proposed fix
       - name: Trust host key
         env:
           DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_HOST_KEY: ${{ secrets.DEPLOY_HOST_KEY }}
         run: |
           mkdir -p ~/.ssh
-          ssh-keyscan -H "$DEPLOY_HOST" >>~/.ssh/known_hosts 2>/dev/null
+          printf '%s\n' "$DEPLOY_HOST_KEY" >>~/.ssh/known_hosts
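Review bot: the added `printf '%s\n' "$DEPLOY_HOST_KEY"` line writes the secret without checking that it is set, so an unset or empty `DEPLOY_HOST_KEY` appends a blank line to `known_hosts` and the problem only surfaces later when ssh refuses the host. Fail the step early when the variable is empty, and state in the docs that the secret must hold a complete `known_hosts` entry (host, key type, key), because `known_hosts` stores full public keys and a bare fingerprint will not match. `DEPLOY_HOST` is no longer referenced in `run` after this change and can be dropped from the step's `env`.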
Suggested change

Current:
      - name: Trust host key
        env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
        run: |
          mkdir -p ~/.ssh
          ssh-keyscan -H "$DEPLOY_HOST" >>~/.ssh/known_hosts 2>/dev/null

Suggested:
      - name: Trust host key
        env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_HOST_KEY: ${{ secrets.DEPLOY_HOST_KEY }}
        run: |
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_HOST_KEY" >>~/.ssh/known_hosts
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/web-deploy.yml around lines 89 - 94, Replace the runtime
ssh-keyscan approach in the "Trust host key" step: stop using ssh-keyscan -H
"$DEPLOY_HOST" and instead read the expected host key or fingerprint from a
secret (e.g. a new secret like DEPLOY_HOST_KEY or DEPLOY_HOST_FINGERPRINT) and
write that exact value into ~/.ssh/known_hosts before connecting; update the
step that references DEPLOY_HOST and known_hosts to use the secret variable
rather than generating keys at deploy time so the workflow trusts only the
pre-provisioned host key.
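
A fail-closed way to install the pinned host key that the review comment above asks for, as an added example (not the project's workflow code). It assumes the `DEPLOY_HOST_KNOWN_HOSTS` secret named later on this page holds complete plain-text `known_hosts` lines; the function name and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's workflow. Assumes the secret holds complete,
# plain-text known_hosts lines ("host keytype base64key") captured out of band.
# Hashed (|1|...) and @cert-authority/@revoked lines are rejected by this check.

# Constructed sample entry; the key blob is a placeholder, not a real key.
SAMPLE_ENTRY='deploy.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERconstructedNOTaREALkey0000000000'

# install_pinned_known_hosts <entries> <expected-host> <target-file>
# Writes <target-file> only if every line is well formed and one names the host.
install_pinned_known_hosts() {
  kh_entries=$1; kh_host=$2; kh_target=$3; kh_matched=0
  [ -n "$kh_entries" ] || { echo "pinned host key is empty" >&2; return 1; }
  while read -r kh_names kh_type kh_blob kh_rest; do
    case $kh_names in ''|'#'*) continue ;; esac
    # A fingerprint is not a known_hosts entry; ssh cannot match against it.
    case "$kh_names $kh_type" in
      *SHA256:*|*MD5:*) echo "fingerprint given, need a full key line" >&2; return 1 ;;
    esac
    case $kh_type in
      ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
      *) echo "unexpected key type: $kh_type" >&2; return 1 ;;
    esac
    case $kh_blob in
      ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
    esac
    case ",$kh_names," in *",$kh_host,"*) kh_matched=1 ;; esac
  done <<EOF
$kh_entries
EOF
  [ "$kh_matched" -eq 1 ] || { echo "no entry for $kh_host" >&2; return 1; }
  mkdir -p "$(dirname "$kh_target")"
  # Overwrite rather than append, so nothing else in the file is trusted.
  ( umask 077; printf '%s\n' "$kh_entries" >"$kh_target" )
}

# In the deploy step (connect only after the function succeeds):
#   install_pinned_known_hosts "$DEPLOY_HOST_KNOWN_HOSTS" "$DEPLOY_HOST" ~/.ssh/known_hosts
#   ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$HOME/.ssh/known_hosts" ...
```

The check is structural only: it does not decode the key blob, so a mistyped key still fails at connect time, which `StrictHostKeyChecking=yes` turns into a hard stop instead of a prompt.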

Comment thread doc/guides/deploying-web.md Outdated
- Added optional support for `DEPLOY_HOST_KNOWN_HOSTS` in the deployment workflow to improve SSH security.
- Updated the deployment YAML to allow tag-based builds and ensure known hosts are handled correctly.
- Enhanced the app metadata validation in `appMeta.ts` to throw an error if `VITE_APP_ORIGIN` is missing in production.
- Adjusted documentation to reflect the new optional secret for known hosts.
@maximedogawa maximedogawa merged commit cccc73b into main Apr 19, 2026
1 check passed
@maximedogawa maximedogawa deleted the 52-bug-chunks-size-to-big branch April 19, 2026 15:50
Development

Successfully merging this pull request may close these issues.

[BUG] chunks size to big
