feat: docker compose dev environment

Replaces the bare-metal `composer run dev` workflow with a fully
containerized 9-service stack orchestrated by docker compose. Single
command brings up the full app — three subdomains (marketing /
account / admin) reachable via Traefik with TLS, MariaDB + Valkey
+ Mailpit + Vite HMR + Horizon + scheduler all wired in.

Components:
- docker-compose.yml: traefik, app (php-fpm), web (nginx), mariadb,
  valkey, mailpit, vite, horizon, scheduler.
- docker/: Dockerfiles, nginx config, entrypoint scripts.
- Makefile: convenience targets (up / down / logs / shell / migrate
  / seed / test / pint / etc).
- .env.docker.example: template for Docker-stack environment vars
  (separate from website/.env so bare-metal devs aren't disrupted).
- website/vite.config.ts: server.host / origin / hmr / cors hooks
  driven by VITE_HOST / VITE_ORIGIN / VITE_HMR_HOST so the same
  config serves both bare-metal and Docker.
- website/bootstrap/app.php: redirectGuestsTo() now uses
  request()->getScheme() so http: dev hosts don't get force-https
  redirects.
- composer.json: drops laravel/sail (replaced by this stack).
- docs/superpowers/specs/2026-04-25-docker-compose-dev-environment-design.md:
  full design spec.

Bare-metal `composer run dev` workflow stays usable for anyone who
prefers it — Docker stack reads .env.docker, doesn't fight
website/.env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker/app/Dockerfile

@@ -0,0 +1,64 @@
+FROM php:8.3-fpm-bookworm
+
+ARG UID=1000
+ARG GID=1000
+
+ENV COMPOSER_ALLOW_SUPERUSER=1 \
+    COMPOSER_NO_INTERACTION=1 \
+    COMPOSER_MEMORY_LIMIT=-1
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        git \
+        unzip \
+        curl \
+        ca-certificates \
+        libzip-dev \
+        libpng-dev \
+        libjpeg-dev \
+        libfreetype6-dev \
+        libwebp-dev \
+        libicu-dev \
+        libonig-dev \
+        libxml2-dev \
+        libcurl4-openssl-dev \
+        libssl-dev \
+        pkg-config \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp \
+    && docker-php-ext-install -j"$(nproc)" \
+        pdo_mysql \
+        intl \
+        bcmath \
+        gd \
+        zip \
+        pcntl \
+        posix \
+        exif \
+        sockets \
+        opcache
+
+RUN pecl install redis \
+    && docker-php-ext-enable redis
+
+COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer
+
+RUN groupmod -g ${GID} www-data \
+    && usermod -u ${UID} -g ${GID} www-data \
+    && mkdir -p /var/www/.composer \
+    && chown -R www-data:www-data /var/www
+
+COPY php.ini       /usr/local/etc/php/conf.d/zz-app.ini
+COPY opcache.ini   /usr/local/etc/php/conf.d/zz-opcache.ini
+COPY php-fpm.conf  /usr/local/etc/php-fpm.d/zz-app.conf
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+WORKDIR /var/www/html
+USER www-data
+
+EXPOSE 9000
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["php-fpm"]

docker/app/entrypoint.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+set -e
+
+# ==============================================================================
+# EZSCALE app container entrypoint
+# Used by `app`, `horizon`, and `scheduler` services. Idempotent.
+# ==============================================================================
+
+cd /var/www/html
+
+# Wait for MariaDB. depends_on: condition: service_healthy already gates this,
+# but the belt-and-braces loop is cheap and survives healthcheck regressions.
+if [ -n "${DB_HOST:-}" ]; then
+    echo "[entrypoint] waiting for ${DB_HOST}:${DB_PORT:-3306}..."
+    until php -r "new PDO('mysql:host=${DB_HOST};port=${DB_PORT:-3306}', '${DB_USERNAME}', '${DB_PASSWORD}');" 2>/dev/null; do
+        sleep 1
+    done
+    echo "[entrypoint] mariadb is up."
+fi
+
+# Bootstrap .env on first boot. We bind-mount the website/ source, so .env may
+# already exist from a previous bare-metal `composer run dev` workflow.
+if [ ! -f .env ]; then
+    if [ -f /var/www/html/.env.docker ]; then
+        echo "[entrypoint] copying .env.docker -> .env"
+        cp /var/www/html/.env.docker .env
+    elif [ -f .env.example ]; then
+        echo "[entrypoint] copying .env.example -> .env (fallback)"
+        cp .env.example .env
+    fi
+fi
+
+# Vendor dir bootstrapping — first-clone convenience. Skipped if already present.
+if [ ! -d vendor ] || [ ! -f vendor/autoload.php ]; then
+    echo "[entrypoint] vendor/ missing; running composer install"
+    composer install --no-interaction --prefer-dist --no-progress
+fi
+
+# Generate APP_KEY if blank. `key:generate` writes to .env in place.
+if ! grep -qE '^APP_KEY=base64:' .env; then
+    echo "[entrypoint] generating APP_KEY"
+    php artisan key:generate --force --no-interaction
+fi
+
+# Run migrations only when this container is the `app` (php-fpm) role.
+# Horizon and scheduler share this image but skip migrations to avoid races.
+case "$1" in
+    php-fpm|php-fpm*)
+        echo "[entrypoint] running migrations"
+        php artisan migrate --force --no-interaction || true
+        php artisan storage:link || true
+        ;;
+esac
+
+exec "$@"

docker/app/opcache.ini

@@ -0,0 +1,18 @@
+; ==============================================================================
+; OPcache — DEV configuration
+; In prod, flip validate_timestamps to 0 and lock the cache.
+; ==============================================================================
+
+opcache.enable = 1
+opcache.enable_cli = 1
+opcache.memory_consumption = 256
+opcache.interned_strings_buffer = 32
+opcache.max_accelerated_files = 20000
+
+; Recheck files on every request — edits show up immediately
+opcache.validate_timestamps = 1
+opcache.revalidate_freq = 0
+
+opcache.fast_shutdown = 1
+opcache.jit = tracing
+opcache.jit_buffer_size = 100M

docker/app/php-fpm.conf

@@ -0,0 +1,23 @@
+; ==============================================================================
+; PHP-FPM pool — DEV configuration
+; ==============================================================================
+
+[www]
+user = www-data
+group = www-data
+
+listen = 9000
+listen.backlog = 511
+
+pm = dynamic
+pm.max_children = 25
+pm.start_servers = 4
+pm.min_spare_servers = 2
+pm.max_spare_servers = 8
+pm.max_requests = 1000
+
+; Surface FPM logs to stdout/stderr so `docker compose logs app` shows them
+access.log = /proc/self/fd/2
+catch_workers_output = yes
+decorate_workers_output = no
+clear_env = no

docker/app/php.ini

@@ -0,0 +1,24 @@
+; ==============================================================================
+; EZSCALE dev overrides — applied AFTER php.ini-development
+; ==============================================================================
+
+memory_limit = 512M
+max_execution_time = 120
+post_max_size = 50M
+upload_max_filesize = 50M
+max_input_vars = 5000
+
+display_errors = On
+display_startup_errors = On
+error_reporting = E_ALL
+log_errors = On
+
+date.timezone = UTC
+
+; Session handling delegated to Laravel; keep PHP-side defaults sane
+session.cookie_httponly = 1
+session.cookie_samesite = "Lax"
+
+; Realpath cache helps Composer/Laravel reload cycles
+realpath_cache_size = 4096K
+realpath_cache_ttl = 600