🚀 Release: beta → master

.dockerignore

@@ -1,21 +1,15 @@
-# Root .dockerignore — used when Docker build context is the monorepo root
+# Root .dockerignore — build context is the repo root
 
 # Version control
 .git
 .gitignore
 
-# All node_modules (each app installs its own in Docker)
+# All node_modules (Docker installs fresh)
 node_modules
-apps/*/node_modules
-packages/*/node_modules
-
-# Frontend — exclude all web source, but keep package.json for workspace resolution
-apps/web/**
-!apps/web/package.json
 
 # Build artefacts (Docker regenerates these)
-apps/api/dist
-packages/*/dist
+dist
+*.tsbuildinfo
 
 # Environment files
 .env
@@ -34,6 +28,10 @@ docs
 *.md
 .github
 
-# Infra and scripts not needed in image
+# Infra, supabase and other repo artefacts
 infra
 supabase
+codeql-db
+results
+apps
+packages

apps/api/.env.example → .env.example

@@ -1,5 +1,5 @@
 # =============================================================================
-# FieldTrack 2.0 — API Environment
+# FieldTrack API — Environment
 # Copy to .env and fill values. Do NOT commit real secrets.
 # =============================================================================
 
@@ -21,6 +21,8 @@ CORS_ORIGIN=
 SUPABASE_URL=https://your-project-ref.supabase.co
 SUPABASE_ANON_KEY=
 SUPABASE_SERVICE_ROLE_KEY=
+# JWT signing secret — for local test server only (tests/setup/test-server.ts).
+# NOT validated by env.ts. NOT required in production (production uses JWKS via Supabase auth).
 SUPABASE_JWT_SECRET=
 
 # --- Redis ---
@@ -31,16 +33,24 @@ METRICS_SCRAPE_TOKEN=
 
 # --- Observability ---
 TEMPO_ENDPOINT=http://tempo:4318
-SERVICE_NAME=fieldtrack-backend
+SERVICE_NAME=fieldtrack-api
 # GITHUB_SHA= (auto-injected)
 
 # --- HTTP ---
 BODY_LIMIT_BYTES=1000000
 REQUEST_TIMEOUT_MS=30000
 
 # --- Workers ---
+# Set to true in production (Redis must be provisioned). false in dev/CI.
+WORKERS_ENABLED=false
 MAX_QUEUE_DEPTH=1000
 MAX_POINTS_PER_SESSION=50000
 MAX_SESSION_DURATION_HOURS=168
 WORKER_CONCURRENCY=1
-ANALYTICS_WORKER_CONCURRENCY=5
+ANALYTICS_WORKER_CONCURRENCY=5
+WEBHOOK_WORKER_CONCURRENCY=5
+
+# --- Webhook DLQ ---
+WEBHOOK_DLQ_MAX_SIZE=10000
+WEBHOOK_DLQ_RETENTION_DAYS=30
+WEBHOOK_MAX_PAYLOAD_BYTES=262144

.github/pull_request_template.md

@@ -38,10 +38,8 @@ Closes #
 
 ## Testing
 
-- [ ] `npm run typecheck -w apps/api` passes
-- [ ] `npm run test -w apps/api` passes
-- [ ] `npm run type-check -w apps/web` passes (if frontend changed)
-- [ ] `npm run build -w apps/web` passes (if frontend changed)
+- [ ] `npm run typecheck` passes
+- [ ] `npm test` passes
 - [ ] Integration tests pass locally
 - [ ] Manually tested the changed flows end-to-end
 - [ ] No special deployment steps required

.github/workflows/codeql.yml

@@ -38,23 +38,15 @@ jobs:
         with:
           node-version: 24
           cache: npm
-          cache-dependency-path: '**/package-lock.json'
+          cache-dependency-path: package-lock.json
 
-      # ✅ Install ALL workspace deps
+      # ✅ Install ALL dependencies
       - name: Install dependencies
         run: npm ci
 
-      # ✅ Build shared packages first (important for TS resolution)
-      - name: Build shared packages
-        run: npm run build -w packages/types || true
-
       # ✅ Build API (critical for CodeQL flow analysis)
       - name: Build API
-        run: npm run build -w apps/api || true
-
-      # (optional but useful)
-      - name: Build Web
-        run: npm run build -w apps/web || true
+        run: npm run build || true
 
       # ✅ Initialize CodeQL AFTER dependencies
       - name: Initialize CodeQL