feat: Add self-hosted Betterbase deployment support

Implements full self-hosting capability with Docker Compose:
- New @betterbase/server package with admin API routes
- Database schema migrations for metadata (admin_users, projects, etc.)
- Device auth flow for CLI (OAuth 2.0 device code)
- CLI updates for self-hosted server URL support
- Docker Compose stack: postgres, minio, server, dashboard, nginx
- Environment configuration and documentation

Includes:
- Server package with auth, projects, users, metrics, storage, webhooks, functions, logs
- Migration runner and database pool management
- CLI credentials with server_url for self-hosted targeting
- Device auth endpoints for bb login flow
- Dockerfiles and nginx config for full stack deployment
- SELF_HOSTED.md documentation

Author: ZiadKhaled999

BetterBase_SelfHosted_Spec.md

@@ -0,0 +1,88 @@
+# Self-Hosting Betterbase
+
+## Prerequisites
+
+- Docker and Docker Compose
+- Ports 80 (or your chosen `HTTP_PORT`) available
+
+## Quick Start
+
+**1. Copy the example env file:**
+```bash
+cp .env.self-hosted.example .env
+```
+
+**2. Edit `.env` — at minimum set these two values:**
+```bash
+BETTERBASE_JWT_SECRET=your-random-string-here   # min 32 chars
+BETTERBASE_ADMIN_EMAIL=you@example.com
+BETTERBASE_ADMIN_PASSWORD=yourpassword
+```
+Generate a secret: `openssl rand -base64 32`
+
+**3. Start everything:**
+```bash
+docker compose -f docker-compose.self-hosted.yml up -d
+```
+
+**4. Open the dashboard:**
+Navigate to `http://localhost` (or your configured `BETTERBASE_PUBLIC_URL`).
+
+**5. Connect your CLI:**
+```bash
+bb login --url http://localhost
+```
+
+---
+
+## What Runs
+
+| Service | Internal Port | Description |
+|---------|--------------|-------------|
+| nginx | 80 (public) | Reverse proxy — only public-facing port |
+| betterbase-server | 3001 (internal) | API server |
+| betterbase-dashboard | 80 (internal) | Dashboard UI |
+| postgres | 5432 (internal) | Betterbase metadata database |
+| minio | 9000 (internal) | S3-compatible object storage |
+
+---
+
+## CLI Usage Against Self-Hosted
+
+After `bb login --url http://your-server`, all CLI commands automatically target your server.
+
+```bash
+bb login --url http://localhost    # authenticate
+bb init my-project                 # create a project (registered to your local instance)
+bb sync                            # sync local project to server
+```
+
+---
+
+## Production Checklist
+
+- [ ] `BETTERBASE_JWT_SECRET` is a random 32+ character string
+- [ ] `POSTGRES_PASSWORD` changed from default
+- [ ] `STORAGE_ACCESS_KEY` and `STORAGE_SECRET_KEY` changed from defaults
+- [ ] `BETTERBASE_PUBLIC_URL` set to your actual domain
+- [ ] SSL/TLS termination configured (add HTTPS to the nginx config or use a load balancer)
+- [ ] Remove `BETTERBASE_ADMIN_EMAIL` / `BETTERBASE_ADMIN_PASSWORD` from `.env` after first start (or keep — seeding is idempotent)
+
+---
+
+## Troubleshooting
+
+**Server won't start:**
+Check that `BETTERBASE_JWT_SECRET` is set (minimum 32 characters). Run:
+```bash
+docker compose -f docker-compose.self-hosted.yml logs betterbase-server
+```
+
+**Can't log in with CLI:**
+Ensure `BETTERBASE_PUBLIC_URL` in your `.env` matches the URL you pass to `bb login --url`.
+
+**Storage not working:**
+The `minio-init` container initialises the default bucket on first start. Check its logs:
+```bash
+docker compose -f docker-compose.self-hosted.yml logs minio-init
+```

SELF_HOSTED.md

@@ -0,0 +1,34 @@
+# Dashboard Dockerfile placeholder
+# This is a placeholder. The actual dashboard needs to be created first.
+# If the dashboard uses Bun instead of npm, replace node:20-alpine with oven/bun:1.2-alpine
+# and replace npm install with bun install and npm run build with bun run build
+
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+COPY apps/dashboard/package.json apps/dashboard/package-lock.json* ./
+RUN npm install --frozen-lockfile
+
+COPY apps/dashboard ./
+
+# Inject API URL at build time
+ARG VITE_API_URL=http://localhost
+ENV VITE_API_URL=$VITE_API_URL
+
+RUN npm run build
+
+# --- Runtime: serve static files with nginx ---
+FROM nginx:alpine
+
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+# SPA routing: serve index.html for all unknown paths
+RUN echo 'server { \
+  listen 80; \
+  root /usr/share/nginx/html; \
+  index index.html; \
+  location / { try_files $uri $uri/ /index.html; } \
+}' > /etc/nginx/conf.d/default.conf
+
+EXPOSE 80

apps/dashboard/Dockerfile

@@ -0,0 +1,132 @@
+version: "3.9"
+
+services:
+  # ─── Postgres ──────────────────────────────────────────────────────────────
+  postgres:
+    image: postgres:16-alpine
+    container_name: betterbase-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: betterbase
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-betterbase}
+      POSTGRES_DB: betterbase
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U betterbase"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - betterbase-internal
+
+  # ─── MinIO (S3-compatible storage) ─────────────────────────────────────────
+  minio:
+    image: minio/minio:latest
+    container_name: betterbase-minio
+    restart: unless-stopped
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: ${STORAGE_ACCESS_KEY:-minioadmin}
+      MINIO_ROOT_PASSWORD: ${STORAGE_SECRET_KEY:-minioadmin}
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - betterbase-internal
+
+  # ─── MinIO bucket init (runs once, exits) ──────────────────────────────────
+  minio-init:
+    image: minio/mc:latest
+    container_name: betterbase-minio-init
+    depends_on:
+      minio:
+        condition: service_healthy
+    entrypoint: >
+      /bin/sh -c "
+        mc alias set local http://minio:9000 ${STORAGE_ACCESS_KEY:-minioadmin} ${STORAGE_SECRET_KEY:-minioadmin};
+        mc mb --ignore-existing local/betterbase;
+        mc anonymous set public local/betterbase;
+        echo 'MinIO bucket initialized.';
+      "
+    networks:
+      - betterbase-internal
+
+  # ─── Betterbase Server ─────────────────────────────────────────────────────
+  betterbase-server:
+    build:
+      context: .
+      dockerfile: packages/server/Dockerfile
+    container_name: betterbase-server
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      minio:
+        condition: service_healthy
+    environment:
+      DATABASE_URL: postgresql://betterbase:${POSTGRES_PASSWORD:-betterbase}@postgres:5432/betterbase
+      BETTERBASE_JWT_SECRET: ${BETTERBASE_JWT_SECRET:?JWT secret required - set BETTERBASE_JWT_SECRET in .env}
+      BETTERBASE_ADMIN_EMAIL: ${BETTERBASE_ADMIN_EMAIL:-}
+      BETTERBASE_ADMIN_PASSWORD: ${BETTERBASE_ADMIN_PASSWORD:-}
+      BETTERBASE_PUBLIC_URL: ${BETTERBASE_PUBLIC_URL:-http://localhost}
+      STORAGE_ENDPOINT: http://minio:9000
+      STORAGE_ACCESS_KEY: ${STORAGE_ACCESS_KEY:-minioadmin}
+      STORAGE_SECRET_KEY: ${STORAGE_SECRET_KEY:-minioadmin}
+      PORT: "3001"
+      NODE_ENV: production
+      CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost}
+    networks:
+      - betterbase-internal
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3001/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # ─── Dashboard ─────────────────────────────────────────────────────────────
+  betterbase-dashboard:
+    build:
+      context: .
+      dockerfile: apps/dashboard/Dockerfile   # Dashboard Dockerfile — see SH-25
+    container_name: betterbase-dashboard
+    restart: unless-stopped
+    depends_on:
+      betterbase-server:
+        condition: service_healthy
+    environment:
+      VITE_API_URL: ${BETTERBASE_PUBLIC_URL:-http://localhost}
+    networks:
+      - betterbase-internal
+
+  # ─── Nginx Reverse Proxy ───────────────────────────────────────────────────
+  nginx:
+    image: nginx:alpine
+    container_name: betterbase-nginx
+    restart: unless-stopped
+    depends_on:
+      - betterbase-server
+      - betterbase-dashboard
+    ports:
+      - "${HTTP_PORT:-80}:80"
+    volumes:
+      - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+    networks:
+      - betterbase-internal
+    healthcheck:
+      test: ["CMD", "nginx", "-t"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  postgres_data:
+  minio_data:
+
+networks:
+  betterbase-internal:
+    driver: bridge

docker-compose.self-hosted.yml

@@ -0,0 +1,74 @@
+events {
+  worker_connections 1024;
+}
+
+http {
+  upstream betterbase_server {
+    server betterbase-server:3001;
+  }
+
+  upstream betterbase_dashboard {
+    server betterbase-dashboard:80;
+  }
+
+  upstream minio {
+    server minio:9000;
+  }
+
+  server {
+    listen 80;
+    server_name _;
+
+    # API + admin + device auth
+    location /admin/ {
+      proxy_pass http://betterbase_server;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_read_timeout 60s;
+    }
+
+    location /device/ {
+      proxy_pass http://betterbase_server;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    location /health {
+      proxy_pass http://betterbase_server;
+    }
+
+    # Storage (MinIO)
+    location /storage/ {
+      rewrite ^/storage/(.*) /$1 break;
+      proxy_pass http://minio;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      client_max_body_size 100m;
+    }
+
+    # Dashboard (catch-all)
+    location / {
+      proxy_pass http://betterbase_dashboard;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      # SPA fallback
+      proxy_intercept_errors on;
+      error_page 404 = @dashboard_fallback;
+    }
+
+    location @dashboard_fallback {
+      proxy_pass http://betterbase_dashboard;
+      proxy_set_header Host $host;
+    }
+
+    # WebSocket support for realtime
+    location /realtime/ {
+      proxy_pass http://betterbase_server;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $host;
+      proxy_read_timeout 3600s;
+    }
+  }
+}