feat(container): M-Box 1-8 — stack-agnostic standalone Docker container

Shade now ships as a self-contained Docker image. Deploy one container
per project, any stack (Bun, Python, Go, Rust, Kotlin) can talk to it via
plain HTTP. Zero coupling to consumer codebases.

M-Box 1: Stale identity cleanup API
- touchIdentity + purgeStaleIdentities on PrekeyStore interface
- Implemented for Memory, SQLite, and Postgres backends
- SQLite adds last_activity_at column with migration ALTER for existing DBs
- Postgres adds the same via raw SQL with IF NOT EXISTS guards
- Routes call touchIdentity on register, bundle fetch, replenish
- 4 new tests for the cleanup API

M-Box 2: Stale cleanup background task
- StaleCleanupTask runs purge on startup + every 24h (configurable)
- Reads SHADE_STALE_DAYS (default 30) and SHADE_CLEANUP_INTERVAL_HOURS
- Wired into standalone.ts, stopped on graceful shutdown
- 5 new tests for the task

M-Box 3: Observer baked into the container
- standalone.ts conditionally mounts @shade/observer at /shade-observer
  when SHADE_OBSERVER_TOKEN is set (and >= 16 chars)
- Shared PrekeyServerEvents emitter feeds both routes and observer
- @shade/observer added as optional dependency of @shade/server

M-Box 4: Dockerfile with dashboard build
- Multi-stage build: oven/bun:1 builder → oven/bun:1-alpine runtime
- COPY packages/ wholesale so workspace lockfile resolves cleanly
- RUN bun run build inside shade-dashboard → dist/ → observer/dist/
- Non-root shade user, /data volume, healthcheck, env defaults
- Final image: 260 MB

M-Box 5: OpenAPI spec for stack-agnostic clients
- packages/shade-server/openapi.yaml documents all 9 endpoints with
  request/response schemas, security (Ed25519 signatures + bearer token)
- createOpenApiRoutes serves /openapi.yaml and /docs (Redoc viewer)
- Any language can generate a client with openapi-generator

M-Box 6: Docker CI pipeline
- .gitea/workflows/docker.yml builds + pushes on git tag v*
- scripts/build-docker.ts for local builds, supports --push with GITEA_TOKEN
- Root package.json: build:docker, publish:docker scripts

M-Box 7: Deployment documentation
- packages/shade-server/README rewritten: 5-line quickstart with the image
- docs/DEPLOYMENT.md: full reference, env vars, backup, Dokploy, PG setup
- examples/05-dokploy-deployment/docker-compose.yml updated to pull
  published image (gt.zyon.no/stian/shade-prekey:latest)
- Root README deployment section rewritten

M-Box 8: End-to-end verification
- Image builds locally (bun run build:docker)
- /health, /openapi.yaml, /docs, /metrics, /shade-observer all respond
- 401 without observer token, 200 with
- Real SDK client round-trip: Alice → container → Bob → reply → Alice
- Persistence: identity + prekeys survive container restart (count 20→18
  as expected from two bundle fetches)

285 tests passing, 0 failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/shade-storage-postgres/src/ensure-tables.ts

@@ -66,9 +66,19 @@ export async function ensurePrekeyServerTables(sql: Sql): Promise<void> {
     CREATE TABLE IF NOT EXISTS shade_server_identities (
       address TEXT PRIMARY KEY,
       identity_signing_key TEXT NOT NULL,
-      identity_dh_key TEXT NOT NULL
+      identity_dh_key TEXT NOT NULL,
+      last_activity_at BIGINT NOT NULL DEFAULT 0
     )
   `;
+  // Migrate existing deployments (no-op if column exists)
+  await sql`
+    ALTER TABLE shade_server_identities
+    ADD COLUMN IF NOT EXISTS last_activity_at BIGINT NOT NULL DEFAULT 0
+  `;
+  await sql`
+    CREATE INDEX IF NOT EXISTS shade_server_identities_activity_idx
+    ON shade_server_identities(last_activity_at)
+  `;
   await sql`
     CREATE TABLE IF NOT EXISTS shade_server_signed_prekeys (
       address TEXT PRIMARY KEY,

packages/shade-storage-postgres/src/postgres-prekey-store.ts

@@ -34,11 +34,12 @@ export class PostgresPrekeyStore implements PrekeyStore {
 
   async saveIdentity(address: string, identitySigningKey: Uint8Array, identityDHKey: Uint8Array): Promise<void> {
     await this.sql`
-      INSERT INTO shade_server_identities (address, identity_signing_key, identity_dh_key)
-      VALUES (${address}, ${toBase64(identitySigningKey)}, ${toBase64(identityDHKey)})
+      INSERT INTO shade_server_identities (address, identity_signing_key, identity_dh_key, last_activity_at)
+      VALUES (${address}, ${toBase64(identitySigningKey)}, ${toBase64(identityDHKey)}, ${Date.now()})
       ON CONFLICT (address) DO UPDATE SET
         identity_signing_key = EXCLUDED.identity_signing_key,
-        identity_dh_key = EXCLUDED.identity_dh_key
+        identity_dh_key = EXCLUDED.identity_dh_key,
+        last_activity_at = EXCLUDED.last_activity_at
     `;
   }
 
@@ -122,4 +123,31 @@ export class PostgresPrekeyStore implements PrekeyStore {
       await sql`DELETE FROM shade_server_one_time_prekeys WHERE address = ${address}`;
     });
   }
+
+  // ─── Stale cleanup ──────────────────────────────────────
+
+  async touchIdentity(address: string): Promise<void> {
+    await this.sql`
+      UPDATE shade_server_identities
+      SET last_activity_at = ${Date.now()}
+      WHERE address = ${address}
+    `;
+  }
+
+  async purgeStaleIdentities(olderThanMs: number): Promise<number> {
+    const cutoff = Date.now() - olderThanMs;
+    const rows = await this.sql<Array<{ address: string }>>`
+      SELECT address FROM shade_server_identities
+      WHERE last_activity_at < ${cutoff}
+    `;
+    if (rows.length === 0) return 0;
+
+    const addresses = rows.map((r) => r.address);
+    await this.sql.begin(async (sql) => {
+      await sql`DELETE FROM shade_server_identities WHERE address = ANY(${addresses})`;
+      await sql`DELETE FROM shade_server_signed_prekeys WHERE address = ANY(${addresses})`;
+      await sql`DELETE FROM shade_server_one_time_prekeys WHERE address = ANY(${addresses})`;
+    });
+    return addresses.length;
+  }
 }