Add CI/CD pipeline with Gitea Actions and production deployment

- Production Dockerfiles: backend (gunicorn + uvicorn workers),
  frontend (multi-stage Node build + nginx with API proxy)
- docker-compose.prod.yml: integrates with VPS nginx-proxy via
  VIRTUAL_HOST for auto-TLS at fit.cescalante.dev
- GitHub Actions workflow (Gitea Actions-compatible): builds images
  and deploys on push to main via self-hosted runner
- Make CORS origins configurable via CORS_ORIGINS env var

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

frontend/Dockerfile.prod

@@ -0,0 +1,15 @@
+# Stage 1: Build
+FROM node:20-slim AS build
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+ARG VITE_API_URL
+ENV VITE_API_URL=${VITE_API_URL}
+RUN npm run build
+
+# Stage 2: Serve
+FROM nginx:alpine
+COPY --from=build /app/dist /usr/share/nginx/html
+COPY nginx-frontend.conf /etc/nginx/conf.d/default.conf
+EXPOSE 80

frontend/nginx-frontend.conf

@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # SPA fallback
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Proxy API to backend (same docker network)
+    location /api/ {
+        proxy_pass http://backend:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 120s;
+    }
+
+    # Cache immutable assets
+    location /assets/ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}