feat: Add sovereign infrastructure stack (Gitea + SeaweedFS)

Separate infrastructure services from application stack for operational
resilience. Following Gemini's architectural guidance.

Infrastructure Services:
- Gitea (git.corrosionmgmt.com) - Source control, CI/CD, releases
  * SQLite database (self-contained)
  * Port 8090: Web UI
  * Port 2222: SSH

- SeaweedFS (cdn.corrosionmgmt.com) - S3-compatible object storage
  * Port 8091: Filer UI (primary CDN interface)
  * Port 8092: S3 API (programmatic access)
  * Port 9333: Master UI (internal admin)
  * Port 8080: Volume server (internal)

Benefits:
- Restarting Corrosion app doesn't affect Git/CDN services
- No shared database dependencies (Gitea uses SQLite)
- Clear separation between infrastructure and application concerns
- Foundation for plugin ecosystem and map hosting

Deployment:
cd infra && docker compose up -d

See infra/README.md for full setup instructions and NPM configuration.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

infra/NPM-CONFIG.md

@@ -0,0 +1,119 @@
+# Nginx Proxy Manager Configuration
+
+## Required Proxy Hosts
+
+### 1. Gitea (Source Control)
+
+**Domain Names:**
+- `git.corrosionmgmt.com`
+
+**Details:**
+```
+Scheme: http
+Forward Hostname / IP: <asgard-internal-ip>
+Forward Port: 8090
+Cache Assets: No
+Block Common Exploits: Yes
+Websockets Support: Yes
+```
+
+**SSL:**
+```
+Force SSL: Yes
+HTTP/2 Support: Yes
+HSTS Enabled: Yes
+```
+
+**Advanced (if needed):**
+```nginx
+# For SSH git clone support over HTTPS (optional)
+location ~ ^/(.+\.git)/(git-upload-pack|git-receive-pack)$ {
+    proxy_pass http://<asgard-ip>:8090;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+}
+```
+
+---
+
+### 2. SeaweedFS CDN (Object Storage)
+
+**Domain Names:**
+- `cdn.corrosionmgmt.com`
+
+**Details:**
+```
+Scheme: http
+Forward Hostname / IP: <asgard-internal-ip>
+Forward Port: 8091
+Cache Assets: Yes (Enable caching for static files)
+Block Common Exploits: Yes
+Websockets Support: Yes
+```
+
+**SSL:**
+```
+Force SSL: Yes
+HTTP/2 Support: Yes
+HSTS Enabled: Yes
+```
+
+**Custom Locations (Optional):**
+
+If you want to expose the S3 API at a different path:
+
+```nginx
+# S3 API at cdn.corrosionmgmt.com/s3
+location /s3/ {
+    proxy_pass http://<asgard-ip>:8092/;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+}
+```
+
+---
+
+## Port Summary
+
+| Service | Container | Internal Port | Host Port | Domain |
+|---------|-----------|---------------|-----------|--------|
+| Gitea Web | corrosion-gitea | 3000 | 8090 | git.corrosionmgmt.com |
+| Gitea SSH | corrosion-gitea | 22 | 2222 | git.corrosionmgmt.com:2222 |
+| SeaweedFS Filer | corrosion-cdn | 8888 | 8091 | cdn.corrosionmgmt.com |
+| SeaweedFS S3 | corrosion-cdn | 8333 | 8092 | Internal only |
+| SeaweedFS Master | corrosion-cdn | 9333 | 9333 | Internal only |
+| SeaweedFS Volume | corrosion-cdn | 8080 | 8080 | Internal only |
+
+---
+
+## Testing
+
+After configuring NPM, test the proxies:
+
+```bash
+# Test Gitea
+curl -I https://git.corrosionmgmt.com
+
+# Test SeaweedFS CDN
+curl -I https://cdn.corrosionmgmt.com
+
+# Test S3 API (internal)
+curl http://<asgard-ip>:8092/
+```
+
+---
+
+## Firewall Rules (if applicable)
+
+If Asgard has a firewall, ensure these ports are accessible:
+
+**From Nginx Proxy Manager to Asgard:**
+- 8090 (Gitea)
+- 8091 (SeaweedFS Filer)
+
+**Optional (for internal access):**
+- 8092 (S3 API - for backend services)
+- 9333 (Master UI - for admin)
+
+**External SSH (if using git over SSH):**
+- 2222 (Gitea SSH)

infra/README.md

@@ -0,0 +1,103 @@
+# Corrosion Infrastructure Stack
+
+**Purpose**: Dedicated infrastructure services (Git, CDN) separated from application stack for operational resilience.
+
+## Services
+
+### Gitea (git.corrosionmgmt.com)
+- **Container**: `corrosion-gitea`
+- **Host Port**: 8090
+- **SSH Port**: 2222
+- **Database**: SQLite (self-contained)
+- **Purpose**: Source control, CI/CD, companion agent releases
+
+### SeaweedFS (cdn.corrosionmgmt.com)
+- **Container**: `corrosion-cdn`
+- **Filer UI Port**: 8091 (primary CDN interface)
+- **S3 API Port**: 8092 (programmatic access)
+- **Master Port**: 9333 (admin/monitoring)
+- **Volume Port**: 8080 (internal storage)
+- **Purpose**: Map hosting, plugin packages, companion binaries, backups
+
+## Deployment
+
+### First-time setup:
+```bash
+cd infra
+docker compose up -d
+```
+
+### Nginx Proxy Manager Configuration:
+
+**Proxy Host 1: Git**
+- Domain: `git.corrosionmgmt.com`
+- Forward IP: `<asgard-internal-ip>` (e.g., 192.168.x.x or 172.17.0.1)
+- Forward Port: `8090`
+- Websockets: ✅ Enable
+- SSL: ✅ Force SSL, HTTP/2 Support
+
+**Proxy Host 2: CDN**
+- Domain: `cdn.corrosionmgmt.com`
+- Forward IP: `<asgard-internal-ip>`
+- Forward Port: `8091`
+- Websockets: ✅ Enable
+- SSL: ✅ Force SSL
+
+## Architecture Benefits
+
+1. **Resilience**: Restarting Corrosion app doesn't affect Git/CDN
+2. **Simplicity**: No shared database dependencies
+3. **Separation**: Infrastructure vs application concerns
+4. **Scalability**: Can move to dedicated hardware later
+
+## Access Points
+
+- **Gitea Web**: https://git.corrosionmgmt.com
+- **Gitea SSH**: ssh://git@git.corrosionmgmt.com:2222
+- **CDN Filer UI**: https://cdn.corrosionmgmt.com
+- **S3 API**: http://<asgard-ip>:8092 (internal only, no proxy)
+- **SeaweedFS Master**: http://<asgard-ip>:9333 (internal only, no proxy)
+
+## First-time Gitea Setup
+
+1. Navigate to https://git.corrosionmgmt.com
+2. Initial setup wizard will appear
+3. Accept defaults (SQLite database pre-configured)
+4. Create admin account
+5. Enable Actions in admin panel
+
+## S3 Configuration (for Backend API)
+
+Add to Corrosion backend `.env`:
+```bash
+S3_ENDPOINT=http://<asgard-internal-ip>:8092
+S3_ACCESS_KEY=<generate-random-key>
+S3_SECRET_KEY=<generate-random-secret>
+S3_BUCKET=corrosion-maps
+S3_REGION=us-east-1
+```
+
+## Maintenance
+
+```bash
+# View logs
+docker compose logs -f
+
+# Restart services
+docker compose restart
+
+# Update images
+docker compose pull
+docker compose up -d
+
+# Backup data
+tar -czf gitea-backup-$(date +%Y%m%d).tar.gz gitea/
+tar -czf seaweedfs-backup-$(date +%Y%m%d).tar.gz seaweedfs/
+```
+
+## Integration with Corrosion
+
+- Companion agent binaries → Gitea releases
+- Map files → SeaweedFS buckets
+- Custom plugins → Gitea private repos (Phase 3)
+- Backup snapshots → SeaweedFS volumes

infra/docker-compose.yml

@@ -0,0 +1,52 @@
+version: "3.8"
+
+# Corrosion Infrastructure Stack (Sovereign Stack)
+# Separate from application stack for resilience
+# Domains: git.corrosionmgmt.com, cdn.corrosionmgmt.com
+
+services:
+  # ---------------------------------------------------------------------------
+  # TARGET 1: GITEA (Source Control & CI/CD Hub)
+  # Domain: git.corrosionmgmt.com
+  # ---------------------------------------------------------------------------
+  gitea:
+    image: gitea/gitea:latest
+    container_name: corrosion-gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+      - GITEA__database__DB_TYPE=sqlite3
+      - GITEA__server__DOMAIN=git.corrosionmgmt.com
+      - GITEA__server__SSH_DOMAIN=git.corrosionmgmt.com
+      - GITEA__server__ROOT_URL=https://git.corrosionmgmt.com/
+      - GITEA__security__INSTALL_LOCK=true # Change to false if fresh install fails
+    restart: always
+    volumes:
+      - ./gitea:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "8090:3000"  # Web UI (Map to git.corrosionmgmt.com)
+      - "2222:22"    # SSH (git clone ssh://git@git.corrosionmgmt.com:2222/...)
+
+  # ---------------------------------------------------------------------------
+  # TARGET 2: SEAWEEDFS (S3 Artifact Storage & CDN)
+  # Domain: cdn.corrosionmgmt.com
+  # ---------------------------------------------------------------------------
+  seaweedfs:
+    image: chrislusf/seaweedfs:latest
+    container_name: corrosion-cdn
+    # Running in "server" mode starts Master + Volume + Filer + S3 in one go
+    command: "server -s3 -filer -dir=/data -s3.port=8333 -filer.port=8888 -master.port=9333 -volume.port=8080"
+    restart: always
+    volumes:
+      - ./seaweedfs:/data
+    ports:
+      - "8091:8888" # Filer UI & CDN (Map to cdn.corrosionmgmt.com)
+      - "8092:8333" # S3 API (For CI/CD Artifact Uploads)
+      - "9333:9333" # Master (Internal Admin)
+      - "8080:8080" # Volume (Internal Data)
+
+networks:
+  default:
+    name: corrosion_infra