feat: add MIT license file and update README to reference licensing #1

Merged
ditahkk merged 7 commits into main from issues/add-license on May 31, 2026

Conversation

@ditahkk (Contributor) commented May 31, 2026

What changed

Why

Checklist

  • pnpm fmt && pnpm lint && pnpm typecheck && pnpm build all pass
  • Content is accurate and tested against the live portal/CLI/API
  • No internal infrastructure details, credentials, or IPs included
  • Screenshots replaced with :::note Screenshot pending::: if unavailable

Summary by CodeRabbit

  • Chores

    • LICENSE updated to MIT for 2026 and clarified that documentation is not covered.
    • README license section clarified; package.json now declares pnpm version.
    • Added CODEOWNERS.
  • CI / Deployment

    • New reusable CI workflow plus dev/stg/prod deploy workflows.
    • Added composite Node setup action, Docker multi-stage build, and Caddy configs for dev/stg/prd.
  • Tools / Scripts

    • Added deploy orchestration and smoke-test scripts for automated deploy verification.

@coderabbitai (Bot) commented May 31, 2026

Warning

Review limit reached

@ditahkk, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 56 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3438abae-7257-4bc1-b9ed-622aeeb785d9

📥 Commits

Reviewing files that changed from the base of the PR and between 9c64d81 and 07b8628.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (9)
  • .github/actions/setup-node/action.yml
  • .github/scripts/dokploy-deploy.sh
  • .github/workflows/00-ci.yml
  • .github/workflows/10-deploy-dev.yml
  • .github/workflows/20-deploy-stg.yml
  • .github/workflows/30-deploy-prd.yml
  • Dockerfile
  • astro.config.mjs
  • package.json
📝 Walkthrough

Walkthrough

Adds an MIT LICENSE (explicitly excluding documentation), updates README license lines and CODEOWNERS, declares pnpm packageManager, and introduces a composite Node setup action, CI workflow, deploy pipelines (dev/stg/prd), deploy helper scripts, a multi-stage Dockerfile, and Caddy configs for each environment.

Changes

License and repository metadata

  • License, README, CODEOWNERS, packageManager
    Files: LICENSE, README.md, .github/CODEOWNERS, package.json
    Summary: MIT LICENSE file rewritten with a “Software” definition excluding documentation; README license lines updated; global CODEOWNERS added; packageManager: "pnpm@10.33.0" declared.

CI, build, and deploy pipelines

  • Node setup action and CI workflow
    Files: .github/actions/setup-node/action.yml, .github/workflows/00-ci.yml
    Summary: Adds composite Setup Node.js action (pnpm + Node setup + install) and a reusable 00: CI workflow running lint, typecheck, security audit, and build with dist/ validation.
  • Dokploy deploy script, smoke-test, and Dev workflow
    Files: .github/scripts/dokploy-deploy.sh, .github/scripts/smoke-test.sh, .github/workflows/10-deploy-dev.yml
    Summary: Adds Dokploy deploy/polling script, a retrying smoke-test script, and a Dev deployment workflow that runs CI, triggers Dokploy, and runs smoke tests.
  • Staging workflow and branch switch
    Files: .github/workflows/20-deploy-stg.yml
    Summary: Adds staging manual deploy workflow that validates branch, runs CI, switches Dokploy GitHub branch via API, triggers deploy polling, and runs staging smoke tests.
  • Production deploy workflow (manual, gated)
    Files: .github/workflows/30-deploy-prd.yml
    Summary: Adds production manual deploy workflow gated by branch/staging checks, reuses CI, builds, verifies dist/, deploys via SSH/rsync with secrets, and runs production smoke tests.
  • Runtime Docker build and Caddy configs
    Files: Dockerfile, deploy/caddy/dev.Caddyfile, deploy/caddy/stg.Caddyfile, deploy/caddy/prd.Caddyfile
    Summary: Introduces multi-stage Docker build (Node builder + Caddy runtime) with selectable Caddyfile and HEALTHCHECK, and per-environment Caddyfiles with security headers, caching rules, SPA fallback, and JSON logging.

Sequence Diagram

sequenceDiagram
  participant GitHub as GitHub Actions
  participant Setup as Setup-Node Action
  participant CI as 00: CI Workflow
  participant Dokploy as Dokploy API
  participant Runner as zsoftly-iaas Runner
  participant Smoke as smoke-test.sh
  participant Site as docs site

  GitHub->>Setup: invoke composite setup-node (pnpm + node)
  GitHub->>CI: run lint/typecheck/audit/build
  CI->>Dokploy: trigger dokploy-deploy.sh (POST deploy)
  Dokploy->>Runner: schedule deployment job
  Runner->>Dokploy: poll status (dokploy-deploy.sh)
  Dokploy->>Runner: return status (building/done/error)
  Runner->>Smoke: run smoke-test.sh against target domain
  Smoke->>Site: HTTP checks on configured paths

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I’m a rabbit in the CI glade, hopping through each line,
A license stamped for twenty-twenty-six, the README’s now aligned,
Workflows hum and scripts take flight, deployments roll on through,
Caddy, Docker, smoke tests stroll — the pipeline’s stitched anew,
I twitch my nose, release the build, and celebrate with stew 🐇✨

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)
  • Title check ⚠️ Warning. The title describes only a subset of changes (license and README), but the PR includes extensive additions for CI/CD workflows, deployment, Docker configuration, and infrastructure tooling. Resolution: Revise the title to accurately reflect all major changes, such as 'feat: add licensing, CI/CD workflows, deployment scripts, and Docker configuration' or provide a more comprehensive description.
  • Description check ⚠️ Warning. The PR description contains only placeholder template text with empty sections and unchecked checklist items. No actual explanation of changes, rationale, or implementation details is provided. Resolution: Complete the PR description by filling in the 'What changed' and 'Why' sections with details about all significant changes (licensing, CI/CD, workflows, deployment scripts) and verify/check the checklist items.
  • Docstring Coverage ⚠️ Warning. Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
  • Linked Issues check ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@LICENSE`:
- Around line 23-27: Update the LICENSE to remove ambiguity by modifying the
definition of "Software" and adding a clear statement about documentation:
change the "Software" definition (the quoted term "Software" in the license
header/definitions) to explicitly exclude documentation files (e.g., "Software
does not include documentation files; see below"), and immediately add a short
clause stating the documentation license status—either specify the separate
license that governs documentation content or assert "Documentation is not
licensed under the MIT License and is All rights reserved by ZSoftly
Technologies Inc." so readers know whether docs are covered or reserved.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bacfadf0-9703-4379-b3a9-eafed9c0ff30

📥 Commits

Reviewing files that changed from the base of the PR and between 4f3583c and b672913.

📒 Files selected for processing (2)
  • LICENSE
  • README.md

@coderabbitai (Bot) left a comment

Actionable comments posted: 7

🧹 Nitpick comments (3)
Dockerfile (1)

18-33: ⚖️ Poor tradeoff

Consider running the runtime stage as non-root.

The final image runs as root (Trivy DS-0002). For a static file server this is avoidable hardening. Note the caveat: binding :80 as non-root requires either CAP_NET_BIND_SERVICE or switching to a high port (e.g. set SITE_DOMAIN=:8080, EXPOSE 8080, and have the proxy target it), so validate the deployment topology before adding a USER directive.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 18 - 33, The image currently runs as root (risk
DS-0002); update the runtime stage to run Caddy as a non-root user by either
granting CAP_NET_BIND_SERVICE to allow binding :80 or (simpler) switching to an
unprivileged port and user: set ENV SITE_DOMAIN=:8080 and EXPOSE 8080 (and
adjust any upstream proxy), then add a USER directive (e.g., USER caddy or
create a dedicated non-root user) so the container process runs non-root; ensure
HEALTHCHECK and the copied files still work with the chosen user and that
CADDYFILE, SITE_ROOT, SITE_DOMAIN and EXPOSE are updated consistently.
.github/scripts/smoke-test.sh (1)

28-28: 💤 Low value

curl -k skips TLS verification.

-k (insecure) means the smoke test will pass even if the site is served with an invalid/expired/wrong-host certificate, so a TLS misconfiguration on a fresh deploy goes undetected. If the cert is expected to be valid post-deploy, drop -k; keep it only if certs are still provisioning at check time.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/smoke-test.sh at line 28, The curl invocation that sets the
status variable in .github/scripts/smoke-test.sh currently uses the
-k/--insecure flag which skips TLS verification; remove the -k (and
corresponding short form if present) from the curl command that assigns status
(the line with status=$(curl -sk --max-time 15 -o /dev/null -w "%{http_code}"
"https://${DOMAIN}${path}")) so TLS certs are validated, or alternatively gate
-k behind an explicit env toggle (e.g., ALLOW_INSECURE_TLS) so the script only
disables verification when intentionally configured.
.github/workflows/10-deploy-dev.yml (1)

1-39: ⚡ Quick win

Add a least-privilege permissions block.

Without an explicit permissions: block the workflow gets the default (often broad) GITHUB_TOKEN scopes. This workflow only checks out and calls the Dokploy API, so it needs no write scopes.

🔒 Suggested hardening
 concurrency:
   group: deploy-dev
   cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
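Review bot: contents: read at the top level is the right scope, but it also caps the token handed to the reusable workflow that the ci job calls, since a called workflow can only receive the caller's permissions or less; confirm that 00-ci.yml's lint/typecheck/audit/build steps need nothing beyond read access before relying on this hunk. It does not limit what secrets: inherit passes along; that is a separate setting and is covered by the next paragraph.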

Two related supply-chain items (also apply to 20-deploy-stg.yml and 30-deploy-prd.yml): consider pinning actions/checkout@v5 to a commit SHA, and scoping secrets: inherit to only the Dokploy secrets the called workflow actually needs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/10-deploy-dev.yml around lines 1 - 39, Add a
least-privilege permissions block to the 10: Deploy — Dev workflow by giving the
GITHUB_TOKEN only the minimal read scope required (e.g., contents: read) at the
top-level of the workflow, replace actions/checkout@v5 in the '00: Checkout'
step with a pinned commit SHA for that action, and stop using secrets: inherit
for the ci job—explicitly pass only the Dokploy secrets needed by the
.github/scripts/dokploy-deploy.sh step (DOKPLOY_API_URL, DOKPLOY_API_KEY,
DOKPLOY_APP_ID_DEV) instead of inheriting all secrets from the parent workflow.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/dokploy-deploy.sh:
- Around line 50-89: The poll loop incorrectly sets SAW_RUNNING=true for both
"running" and "idle"; change the logic in the while loop that examines STATUS so
SAW_RUNNING is set only when STATUS == "running" (leave "idle" as a non-building
state and print a different/info message), e.g. update the branch that currently
tests [ "$STATUS" = "running" ] || [ "$STATUS" = "idle" ] to only set
SAW_RUNNING on "running" and handle "idle" separately; this affects the
variables STATUS and SAW_RUNNING and the messages that follow.

In @.github/workflows/00-ci.yml:
- Around line 16-20: The workflow lacks an explicit permissions block so jobs
inherit broad GITHUB_TOKEN scopes; add a top-level permissions entry in the
workflow YAML (at the same level as concurrency and jobs) that grants minimal
read-only access required for lint/typecheck/audit/build, e.g. set permissions:
contents: read and any other needed read scopes (packages: read, pull-requests:
read, etc.) to enforce least privilege for the entire workflow.
- Around line 25-26: Replace floating action tags with the specified commit SHAs
and disable credential persistence for checkout: change uses:
actions/checkout@v5 to uses:
actions/checkout@7018347005dd679b9f7fc620591f40c76174da3e and add with:
persist-credentials: false to each checkout step (occurrences of
actions/checkout in the file); also pin the upload artifact action by replacing
uses: actions/upload-artifact@v5 with uses:
actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4. Ensure you
update all instances mentioned (the multiple checkout occurrences and the single
upload-artifact occurrence) so the workflow is pinned and checkout credentials
are not persisted.

In @.github/workflows/20-deploy-stg.yml:
- Around line 24-61: The workflow is vulnerable to shell injection because
github.event.inputs.branch is inlined into run scripts; bind the input to an env
var and use the quoted variable everywhere: add env: BRANCH: ${{
github.event.inputs.branch }} on the steps that run shell (notably the '00:
Checkout' and '01: Switch app branch in Dokploy' steps), replace all occurrences
of ${{ github.event.inputs.branch }} inside those run blocks with the quoted
shell variable "$BRANCH" (including the BRANCH assignment, the curl -d JSON body
and the final echo), and ensure the JSON payload in the curl call is constructed
using "$BRANCH" with proper quoting/escaping so the branch value cannot break
out of the string.

In @.github/workflows/30-deploy-prd.yml:
- Around line 88-96: The deploy step currently writes the SSH private key to
/tmp/deploy_key and runs rsync directly which can abort and leave the key on
disk, and it disables host key checking via StrictHostKeyChecking=no; modify the
step to (1) create a temporary key file as you already do but register a shell
trap (trap 'rm -f /tmp/deploy_key' EXIT) before running rsync so the file is
removed regardless of rsync exit status, and (2) replace the
StrictHostKeyChecking=no usage by pinning the target host key in a known_hosts
file and pass -o UserKnownHostsFile=/tmp/known_hosts (or add it to
~/.ssh/known_hosts) so rsync/ssh uses the pinned host key instead of accepting
any key.
- Around line 26-42: The run steps currently inline GitHub input interpolation
into the shell (BRANCH="${{ github.event.inputs.branch }}") which can be unsafe;
instead set BRANCH via the step's env: (e.g., env: BRANCH: ${{
github.event.inputs.branch }}) and then reference it inside the script as
"$BRANCH" (quoted) everywhere — update both the branch-validate step and the
'01: Verify branch was deployed to stg' step to use env-provided BRANCH and
replace direct interpolations in the python/curl/ENCODED_INPUT commands with the
quoted "$BRANCH" variable to avoid shell evaluation and word-splitting.

In `@Dockerfile`:
- Around line 3-4: The OCI LABEL instructions are currently applied to the
earlier "builder" stage and thus get discarded; move the two LABEL lines
(org.opencontainers.image.source and org.opencontainers.image.description) into
the final stage that uses caddy:2-alpine so the produced runtime image carries
those labels (i.e., place the LABEL entries after the final FROM caddy:2-alpine
(or inside the final stage) rather than in the builder stage).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b34998b-632a-40e2-84f5-7c79c08eeb96

📥 Commits

Reviewing files that changed from the base of the PR and between b672913 and 9c64d81.

📒 Files selected for processing (14)
  • .github/CODEOWNERS
  • .github/actions/setup-node/action.yml
  • .github/scripts/dokploy-deploy.sh
  • .github/scripts/smoke-test.sh
  • .github/workflows/00-ci.yml
  • .github/workflows/10-deploy-dev.yml
  • .github/workflows/20-deploy-stg.yml
  • .github/workflows/30-deploy-prd.yml
  • Dockerfile
  • LICENSE
  • deploy/caddy/dev.Caddyfile
  • deploy/caddy/prd.Caddyfile
  • deploy/caddy/stg.Caddyfile
  • package.json
✅ Files skipped from review due to trivial changes (3)
  • package.json
  • .github/CODEOWNERS
  • .github/actions/setup-node/action.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • LICENSE

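The three script and workflow hardening points the review raises (binding the branch input to an env var instead of interpolating it into run:, keeping TLS verification on in the smoke test, and removing the SSH key via a trap while pinning the host key instead of StrictHostKeyChecking=no) written as one set of shell functions. This is an added example and not the PR's own scripts; the function names, the ALLOW_INSECURE_TLS toggle, the DEPLOY_KEY_FILE and DEPLOY_SSH variables the deploy command sees, and the sample host-key line are all assumptions.

```shell
# Added example, not the PR's dokploy-deploy.sh / smoke-test.sh / workflow steps.
# Assumed names: validate_branch, dokploy_branch_payload, smoke_curl_opts,
# deploy_with_key, ALLOW_INSECURE_TLS, DEPLOY_KEY_FILE, DEPLOY_SSH.
set -u

# Workflow inputs must reach the shell through env: (inlining ${{ inputs }} into
# run: is the injection the review flags). This allowlist is the second barrier:
# a branch name is accepted only if it uses a conservative character set and
# none of the forms git itself rejects.
validate_branch() {
  local branch="$1"
  case "$branch" in
    '' | *[!A-Za-z0-9._/-]*) return 1 ;;          # empty, or a char outside the allowlist
    -* | */ | *..* | *//* | *.lock) return 1 ;;   # leading dash, trailing slash, "..", "//", ".lock"
  esac
  return 0
}

# Build the JSON body for the Dokploy branch switch. Both values are validated
# first, so neither can contain a quote, backslash or control character that
# would break out of the JSON string.
dokploy_branch_payload() {
  local app_id="$1" branch="$2"
  case "$app_id" in '' | *[!A-Za-z0-9_-]*) return 1 ;; esac
  validate_branch "$branch" || return 1
  printf '{"applicationId":"%s","branch":"%s"}' "$app_id" "$branch"
}

# curl flags for the smoke test. Certificate verification stays on by default;
# -k is added only when ALLOW_INSECURE_TLS=1 is set deliberately (for example
# while certificates are still being provisioned on a fresh environment).
smoke_curl_opts() {
  local opts='-s --max-time 15 -o /dev/null -w %{http_code}'
  [ "${ALLOW_INSECURE_TLS:-0}" = "1" ] && opts="$opts -k"
  printf '%s' "$opts"
}

# Run one deploy command with a throwaway key directory. The EXIT trap fires
# when the subshell ends, so the key is removed whether the command succeeds or
# aborts, and ssh is pinned to a known_hosts file holding the expected host key.
# Usage (hypothetical host and secret names):
#   deploy_with_key "$SSH_PRIVATE_KEY" "$DEPLOY_HOST_KEY" \
#     sh -c 'rsync -az --delete -e "$DEPLOY_SSH" dist/ deploy@prod.example:/srv/site/'
deploy_with_key() {
  local key_material="$1" host_key_line="$2"
  shift 2
  (
    workdir="$(mktemp -d)"
    trap 'rm -rf "$workdir"' EXIT
    umask 077
    printf '%s\n' "$key_material" > "$workdir/deploy_key"
    printf '%s\n' "$host_key_line" > "$workdir/known_hosts"
    export DEPLOY_KEY_FILE="$workdir/deploy_key"
    export DEPLOY_SSH="ssh -i $workdir/deploy_key -o UserKnownHostsFile=$workdir/known_hosts -o StrictHostKeyChecking=yes"
    "$@"
  )
}
```

The allowlist deliberately rejects rather than escapes: a branch name that needs escaping to be safe in JSON or in a shell string is not one the deploy workflow should accept. The host-key line for the known_hosts file is obtained once, out of band, and stored as a secret or variable, so a changed server key fails the deploy instead of being silently accepted.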
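The Dokploy poll loop with the state handling the review asks for (SAW_RUNNING set only on "running", "idle" treated as a not-yet-started state with its own message). This is an added example, not the PR's dokploy-deploy.sh. The status fetcher is injected so a constructed status sequence can be replayed offline; the real fetcher would be a curl call against the Dokploy API that prints the application status, whose endpoint and field name are not shown on this page and are left out. That a "done" seen before any "running" is the previous deployment's final status is my assumption about why the script tracks SAW_RUNNING at all; under the buggy version an "idle" followed by such a stale "done" is reported as a successful deploy.

```shell
# Added example (not the PR's dokploy-deploy.sh). Assumed names: poll_deploy,
# replay_fetch, REPLAY_SEQ.
set -u

# poll_deploy FETCH [MAX_POLLS]
# FETCH is a command printing one status per call: idle | running | done | error.
# Exit codes: 0 deployed, 1 Dokploy reported an error, 2 unexpected status or
# fetch failure, 3 timed out without seeing a completed deploy.
poll_deploy() {
  local fetch="$1" max_polls="${2:-60}" saw_running=0 n=0 status
  while [ "$n" -lt "$max_polls" ]; do
    n=$((n + 1))
    status="$("$fetch" "$n")" || return 2
    case "$status" in
      running)
        saw_running=1
        echo "poll $n: build running" ;;
      idle)
        # Non-building state: the job has not been picked up yet. saw_running is
        # left untouched here; setting it on idle was the bug the review flagged.
        echo "poll $n: deploy not started yet (idle)" ;;
      done)
        if [ "$saw_running" = 1 ]; then
          echo "poll $n: deploy done"
          return 0
        fi
        # Assumption: a 'done' before any 'running' is the previous deployment's
        # final status, so keep polling rather than report a success never observed.
        echo "poll $n: stale 'done' from an earlier deployment, waiting" ;;
      error)
        echo "poll $n: deploy failed" >&2
        return 1 ;;
      *)
        echo "poll $n: unexpected status '$status'" >&2
        return 2 ;;
    esac
  done
  echo "timed out after $max_polls polls without a completed deploy" >&2
  return 3
}

# Offline fetcher: prints the Nth word of REPLAY_SEQ (a constructed sequence),
# holding the last word once the sequence is exhausted. The real fetcher would
# query the Dokploy API and print the application status field instead.
replay_fetch() {
  local i="$1"
  set -- $REPLAY_SEQ
  [ "$i" -gt "$#" ] && i="$#"
  shift "$((i - 1))"
  printf '%s' "$1"
}

# Stand-alone demo: a healthy deploy that is picked up after two idle polls.
REPLAY_SEQ="idle idle running running done"
poll_deploy replay_fetch 10
```

In the real script the sleep between polls goes at the bottom of the loop body, and the fetcher should fail (non-zero exit) on an HTTP or parse error so the loop returns 2 rather than matching an empty status against the case arms.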
ditahkk added 3 commits May 30, 2026 22:33
- typecheck now runs 'astro sync && tsc --noEmit' so Astro virtual modules
  (astro:content, expressive-code themes) resolve in a fresh CI checkout
- add starlight-links-validator to fail the build on broken internal links
  (errorOnRelativeLinks disabled — content uses relative links that resolve)
@ditahkk ditahkk merged commit e8386d6 into main May 31, 2026
5 checks passed