initial scaffold: emdash catalog, helm chart, woodpecker pipeline, ddev

- app/: Emdash scaffold (Astro 6, node target) with cmses/plugins/pages collections
- app/seed/seed.json: WordPress→Emdash parity for kotkanagrilli.fi (~30 entries)
- Dockerfile + docker/entrypoint.sh: multi-stage build, single PVC at /app/state
- deploy/helm/: chart mirroring emdash-kotkanagrilli (single-replica, sqlite, kotkan)
- deploy/fleet-overlay/: HelmRelease/source/image-automation templates for
  anton-helm-workloads (staging + production)
- .woodpecker/container.yaml: arm64 build, three OCI tags per push
  (immutable 0.1.<pipeline> + floating <branch> + <branch>-latest)
- .ddev/: local dev with nginx proxy to emdash on :4321
- README/DEPLOYMENT/ARCHITECTURE/CLAUDE: docs covering the three-repo
  pipeline (cms-plugins + anton-helm-workloads + Gitea OCI registry)

.ddev/config.yaml

@@ -0,0 +1,19 @@
+name: cms-plugins
+type: generic
+docroot: ""
+disable_settings_management: true
+
+# DDEV's web container is used purely as a reverse proxy in front of
+# the emdash service (defined in docker-compose.emdash.yaml). nginx
+# is rewritten via .ddev/web-entrypoint.d/00-emdash-proxy.sh.
+webserver_type: nginx-fpm
+
+# No DB service — emdash uses SQLite inside its own container.
+omit_containers:
+  - db
+
+use_dns_when_possible: true
+
+hooks:
+  post-start:
+    - exec: "echo 'cms-plugins up at https://${DDEV_PROJECT}.ddev.site/'"

.ddev/docker-compose.emdash.yaml

@@ -0,0 +1,48 @@
+# Development container for the emdash app. Bind-mounts ../app from
+# the host and runs `npx emdash dev` so source edits hot-reload. The
+# production image is built separately from the root Dockerfile and
+# consumed by deploy/helm/ — DDEV is *not* a prod-parity smoke test.
+
+services:
+  emdash:
+    container_name: ddev-${DDEV_SITENAME}-emdash
+    image: node:22-bookworm-slim
+    working_dir: /app
+    restart: "no"
+    expose:
+      - "4321"
+    env_file:
+      - ../app/.env
+    environment:
+      HOST: "0.0.0.0"
+      PORT: "4321"
+      NODE_ENV: "development"
+      EMDASH_ALLOWED_ORIGINS: "https://cms-plugins.ddev.site"
+      EMDASH_SITE_URL: "https://cms-plugins.ddev.site"
+    volumes:
+      - ../app:/app:cached
+      # Anonymous-ish named volume for node_modules so the host's
+      # (possibly empty / wrong-arch) directory doesn't shadow what
+      # the container installs.
+      - emdash-node-modules:/app/node_modules
+    command:
+      - sh
+      - -c
+      - |
+        set -eu
+        if [ ! -d node_modules ] || [ -z "$$(ls -A node_modules 2>/dev/null)" ]; then
+          echo "[emdash] installing deps"
+          apt-get update && apt-get install -y --no-install-recommends python3 make g++ ca-certificates >/dev/null
+          npm install
+        fi
+        if [ ! -f data.db ]; then
+          echo "[emdash] running emdash init"
+          node_modules/.bin/emdash init
+        fi
+        exec npx emdash dev
+    labels:
+      com.ddev.site-name: ${DDEV_SITENAME}
+      com.ddev.approot: $DDEV_APPROOT
+
+volumes:
+  emdash-node-modules:

.ddev/web-entrypoint.d/00-emdash-proxy.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# Runs in DDEV's web container after start.sh has copied
+# /mnt/ddev_config/nginx_full/ → /etc/nginx/sites-enabled/, but before
+# supervisord boots nginx. We rewrite the generated site config to
+# reverse-proxy everything to the emdash service.
+set -eu
+
+cat > /etc/nginx/sites-enabled/nginx-site.conf <<'NGINX'
+# Forward `Connection: upgrade` only when the client is actually
+# upgrading (Vite's HMR WebSocket lives at wss://<host>/?token=...).
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    listen 80 default_server;
+    listen 443 ssl default_server;
+
+    ssl_certificate /etc/ssl/certs/master.crt;
+    ssl_certificate_key /etc/ssl/certs/master.key;
+
+    include /etc/nginx/monitoring.conf;
+
+    sendfile off;
+    error_log /dev/stdout info;
+    access_log /var/log/nginx/access.log;
+
+    proxy_buffering off;
+    proxy_http_version 1.1;
+    client_max_body_size 100m;
+
+    location / {
+        proxy_pass http://ddev-cms-plugins-emdash:4321;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;
+    }
+}
+NGINX
+
+rm -f /etc/nginx/sites-enabled/seconddocroot.conf.example \
+      /etc/nginx/sites-enabled/README.nginx_full.txt \
+      /etc/nginx/conf.d/connection-upgrade.conf