feat(devops): CI/CD + Docker + Monitoring infrastructure

- Multi-stage Dockerfile (builder+runner, <500MB target)
- docker-compose.yml: app(x4) + postgres + redis + prometheus + grafana + nginx
- .env.example with all required secrets (never hardcoded)
- requirements.txt with all dependencies including prometheus-client, alembic
- GitHub Actions CI: lint (flake8+bandit+safety) + tests + Docker build/push
- GitHub Actions CD: staging deploy -> smoke tests -> production deploy + rollback
- Alembic migration setup + initial PostgreSQL schema (001_initial_schema)
- SQLite→PostgreSQL data migration script
- Prometheus metrics module (HTTP, ML, DB, business metrics)
- Prometheus alert rules (5xx >1%, latency >2s, disk >80%, ML accuracy)
- Grafana dashboard (overview: req/s, p95, ML accuracy, error rate)
- Nginx reverse proxy config (HTTPS/TLS, rate limiting, security headers)
- Structured JSON logging module
- Automated daily DB backup script (pg_dump + 30-day retention)

Branch: feature/devops-cicd

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.env.example

@@ -0,0 +1,82 @@
+# =============================================================
+# H3R7Tech Turf SaaS — Environment Variables Template
+# Copy this file to .env and fill in your values.
+# NEVER commit .env to version control.
+# =============================================================
+
+# ----------------------------------------------------------------
+# PostgreSQL
+# ----------------------------------------------------------------
+POSTGRES_HOST=postgres
+POSTGRES_PORT=5432
+POSTGRES_DB=turf_saas
+POSTGRES_USER=turf
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+
+# Full DSN used by SQLAlchemy / Alembic
+DATABASE_URL=postgresql://turf:CHANGE_ME_STRONG_PASSWORD@postgres:5432/turf_saas
+
+# ----------------------------------------------------------------
+# Redis
+# ----------------------------------------------------------------
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_PASSWORD=CHANGE_ME_REDIS_PASSWORD
+REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@redis:6379/0
+
+# ----------------------------------------------------------------
+# Flask / App
+# ----------------------------------------------------------------
+FLASK_ENV=production
+SECRET_KEY=CHANGE_ME_FLASK_SECRET_KEY_64CHARS
+DEBUG=false
+LOG_LEVEL=INFO
+
+# DB path for legacy SQLite (kept for migration, set to /app/data/db/)
+DB_PATH=/app/data/db/turf_saas.db
+
+# ----------------------------------------------------------------
+# Domain & TLS
+# ----------------------------------------------------------------
+DOMAIN=turf.h3r7.tech
+ADMIN_EMAIL=admin@h3r7.tech
+
+# ----------------------------------------------------------------
+# Stripe (Billing)
+# ----------------------------------------------------------------
+STRIPE_SECRET_KEY=sk_live_CHANGE_ME
+STRIPE_WEBHOOK_SECRET=whsec_CHANGE_ME
+STRIPE_PUBLISHABLE_KEY=pk_live_CHANGE_ME
+
+# ----------------------------------------------------------------
+# LLM / AI API keys
+# ----------------------------------------------------------------
+OPENROUTER_API_KEY=CHANGE_ME
+OPENAI_API_KEY=CHANGE_ME
+LLM_BASE_URL=https://openrouter.ai/v1
+LLM_MODEL=liquid/lfm-2.5-1.2b-instruct:free
+
+# ----------------------------------------------------------------
+# External APIs
+# ----------------------------------------------------------------
+RESEND_API=CHANGE_ME
+BRAVE_SEARCH_API=CHANGE_ME
+
+# ----------------------------------------------------------------
+# Monitoring
+# ----------------------------------------------------------------
+GRAFANA_ADMIN_USER=admin
+GRAFANA_ADMIN_PASSWORD=CHANGE_ME_GRAFANA_PASSWORD
+
+# Slack webhook for CI/CD notifications (optional)
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services/CHANGE_ME
+
+# Telegram bot for notifications (optional)
+TELEGRAM_BOT_TOKEN=CHANGE_ME
+TELEGRAM_CHAT_ID=CHANGE_ME
+
+# ----------------------------------------------------------------
+# Docker registry (for CD pipeline)
+# ----------------------------------------------------------------
+REGISTRY=ghcr.io
+IMAGE_NAME=h3r7tech/turf-saas