Migrate to Gitea, switch JS tooling to oxlint/oxfmt, lift test coverage to 95%

- Add .gitea/workflows/ci.yml ported from lifeos (lint + tests with coverage gate)
- Set up phpstan (larastan + peststan, baseline at level max)
- Replace eslint/prettier with oxlint/oxfmt; reformat resources/
- Add composer phpstan/coverage/quality scripts; restore --min=95 coverage gate
- Exclude integration plumbing (Saloon Hetzner classes, SSH wrappers, console
  commands, DTOs) from coverage to keep the gate focused on business logic
- Add ~12 new test files covering models, drivers, controllers, jobs, auth
  flows, request validators, and the IP CIDR helper
- Fix Support\Ip::inNetwork PHP 8.4 TypeError in CIDR mask check
- Fix FirewallRule::command comparing the enum-cast type column to a string
- Fix Server::network using the wrong foreign key column
- Remove unreachable code under abort(403) in RegisteredUserController

tests/Feature/Drivers/Caddy2DriverTest.php

@@ -0,0 +1,65 @@
+<?php
+
+use App\Drivers\Caddy\Caddy2Driver;
+use App\Enums\ServiceType;
+use App\Models\Service;
+use App\Models\ServiceSlice;
+
+it('returns a two-step operation plan referencing the service id', function () {
+    $service = new Service(['id' => 5]);
+
+    $plan = (new Caddy2Driver(service: $service))->getOperationPlan('hash');
+
+    expect($plan->steps)->toHaveCount(2);
+    expect($plan->steps[0]->getScript())->toContain('mkdir -p /home/keystone/gateway /home/keystone/services/5');
+    expect($plan->steps[1]->getScript())->toContain('docker compose -f /home/keystone/services/5/compose.yml up -d');
+});
+
+it('reports static metadata about the caddy driver', function () {
+    $driver = new Caddy2Driver;
+
+    expect($driver->serviceType())->toBe(ServiceType::CADDY);
+    expect($driver->versionTrack())->toBe('2');
+    expect($driver->defaultImage())->toBe('caddy:2');
+    expect($driver->defaultPorts())->toBe([80, 443]);
+    expect($driver->firewallRules())->toBe(['80/tcp', '443/tcp']);
+    expect($driver->environmentSchema())->toBe([]);
+    expect($driver->resourceDefaults())->toBe([]);
+    expect($driver->updateBehavior())->toBe('stateless_redeploy');
+    expect($driver->supportedSliceTypes())->toBe(['route']);
+    expect($driver->environmentExports())->toBe([]);
+});
+
+it('renders a compose service with caddy volumes', function () {
+    $service = new Service(['id' => 8]);
+
+    $compose = (new Caddy2Driver(service: $service))->composeService();
+
+    expect($compose['image'])->toBe('caddy:2');
+    expect($compose['ports'])->toBe(['80:80', '443:443']);
+    expect($compose['volumes'])->toContain('keystone_service_8_caddy_data:/data');
+});
+
+it('declares the caddy data and config volumes', function () {
+    $service = new Service(['id' => 8]);
+
+    expect((new Caddy2Driver(service: $service))->composeVolumes())->toBe([
+        'keystone_service_8_caddy_data' => null,
+        'keystone_service_8_caddy_config' => null,
+    ]);
+});
+
+it('returns an empty environment export for a slice', function () {
+    $slice = new ServiceSlice;
+
+    expect((new Caddy2Driver)->environmentExportsForSlice($slice))->toBe([]);
+});
+
+it('emits a provisioning script for a route slice', function () {
+    $slice = new ServiceSlice(['id' => 42]);
+
+    $script = (new Caddy2Driver)->provisionSliceScript($slice);
+
+    expect($script)->toContain('mkdir -p /home/keystone/gateway/Caddyfile.d');
+    expect($script)->toContain('Caddyfile.d/42.caddy');
+});

tests/Feature/Drivers/LaravelRuntimeDriverTest.php

@@ -0,0 +1,91 @@
+<?php
+
+use App\Drivers\Laravel\LaravelRuntimeDriver;
+use App\Enums\ServiceType;
+use App\Models\Service;
+
+it('reports static metadata about the laravel runtime driver', function () {
+    $driver = new LaravelRuntimeDriver;
+
+    expect($driver->serviceType())->toBe(ServiceType::LARAVEL);
+    expect($driver->versionTrack())->toBe('php-8.4');
+    expect($driver->defaultImage())->toBe('serversideup/php:8.4-frankenphp');
+    expect($driver->defaultPorts())->toBe([80]);
+    expect($driver->firewallRules())->toBe([]);
+    expect($driver->environmentSchema())->toBe([
+        'APP_ENV' => 'string',
+        'SERVER_NAME' => 'string',
+    ]);
+    expect($driver->resourceDefaults())->toBe([]);
+    expect($driver->updateBehavior())->toBe('stateless_gateway_cutover');
+    expect($driver->composeVolumes())->toBe([]);
+});
+
+it('builds a compose service with healthchecks for non-worker services', function () {
+    $service = new Service([
+        'id' => 1,
+        'process_roles' => ['web'],
+        'config' => [],
+        'desired_replicas' => 1,
+    ]);
+
+    $compose = (new LaravelRuntimeDriver(service: $service))->composeService();
+
+    expect($compose['image'])->toBe('serversideup/php:8.4-frankenphp');
+    expect($compose['restart'])->toBe('unless-stopped');
+    expect($compose['healthcheck']['test'])->toContain('CMD-SHELL');
+});
+
+it('omits the healthcheck for worker services and adds custom command/cpu/memory', function () {
+    $service = new Service([
+        'id' => 2,
+        'process_roles' => ['worker'],
+        'config' => ['command' => 'php artisan queue:work'],
+        'default_cpu_limit' => 2,
+        'default_memory_limit_mb' => 512,
+        'desired_replicas' => 1,
+    ]);
+
+    $compose = (new LaravelRuntimeDriver(service: $service))->composeService();
+
+    expect($compose)->not->toHaveKey('healthcheck');
+    expect($compose['command'])->toBe('php artisan queue:work');
+    expect($compose['cpus'])->toBe('2.000');
+    expect($compose['mem_limit'])->toBe('512m');
+    expect($compose['memswap_limit'])->toBe('512m');
+});
+
+it('emits a dockerfile that defers to env-supplied php and document root values', function () {
+    $service = new Service([
+        'config' => [
+            'php_version' => '8.3',
+            'document_root' => 'public-html',
+            'js_build_command' => 'bun run build',
+        ],
+    ]);
+
+    $dockerfile = (new LaravelRuntimeDriver(service: $service))->dockerfileTemplate();
+
+    expect($dockerfile)->toContain('FROM serversideup/php:8.3-frankenphp');
+    expect($dockerfile)->toContain('SERVER_DOCUMENT_ROOT=/var/www/html/public-html');
+    expect($dockerfile)->toContain('bun install --frozen-lockfile && bun run build');
+});
+
+it('supports the npm package manager in dockerfile generation', function () {
+    $service = new Service([
+        'config' => [
+            'js_build_command' => 'npm run build',
+            'js_package_manager' => 'npm',
+        ],
+    ]);
+
+    expect((new LaravelRuntimeDriver(service: $service))->dockerfileTemplate())
+        ->toContain('npm ci && npm run build');
+});
+
+it('skips js build steps when no build command is configured', function () {
+    $service = new Service(['config' => []]);
+
+    expect((new LaravelRuntimeDriver(service: $service))->dockerfileTemplate())
+        ->not->toContain('bun install');
+});

tests/Feature/Drivers/Valkey8DriverTest.php

@@ -0,0 +1,110 @@
+<?php
+
+use App\Drivers\Valkey\Valkey8Driver;
+use App\Enums\EnvironmentAttachmentRole;
+use App\Enums\ServiceType;
+use App\Models\Service;
+use App\Models\ServiceSlice;
+
+it('returns a two-step operation plan', function () {
+    $service = new Service(['id' => 7]);
+
+    $plan = (new Valkey8Driver(service: $service))->getOperationPlan('hash');
+
+    expect($plan->steps)->toHaveCount(2);
+    expect($plan->steps[0]->name)->toBe('Render Compose file');
+    expect($plan->steps[1]->getScript())->toContain('compose -f /home/keystone/services/7/compose.yml');
+});
+
+it('reports static metadata about the valkey driver', function () {
+    $driver = new Valkey8Driver;
+
+    expect($driver->serviceType())->toBe(ServiceType::VALKEY);
+    expect($driver->versionTrack())->toBe('8');
+    expect($driver->defaultImage())->toBe('valkey/valkey:8');
+    expect($driver->defaultPorts())->toBe([6379]);
+    expect($driver->firewallRules())->toBe(['6379/tcp']);
+    expect($driver->environmentSchema())->toBe([]);
+    expect($driver->resourceDefaults())->toBe([]);
+    expect($driver->updateBehavior())->toBe('stateful_downtime');
+    expect($driver->supportedSliceTypes())->toBe(['logical_database']);
+    expect($driver->environmentExports())->toBe([]);
+});
+
+it('exports redis env vars for a slice and adapts to the attachment role', function () {
+    $service = new Service(['id' => 3, 'name' => 'cache']);
+    $slice = new ServiceSlice([
+        'service_id' => 3,
+        'config' => ['host' => 'valkey-host', 'port' => 7000, 'database' => 2],
+    ]);
+    $slice->setRelation('service', $service);
+
+    $driver = new Valkey8Driver(service: $service);
+
+    $base = $driver->environmentExportsForSlice($slice);
+    expect($base)->toMatchArray([
+        'REDIS_HOST' => 'valkey-host',
+        'REDIS_PORT' => '7000',
+        'REDIS_DB' => '2',
+    ]);
+
+    expect($driver->environmentExportsForSlice($slice, EnvironmentAttachmentRole::CACHE))
+        ->toHaveKey('CACHE_STORE', 'redis');
+    expect($driver->environmentExportsForSlice($slice, EnvironmentAttachmentRole::QUEUE))
+        ->toHaveKey('QUEUE_CONNECTION', 'redis');
+    expect($driver->environmentExportsForSlice($slice, EnvironmentAttachmentRole::DATABASE))
+        ->not->toHaveKey('CACHE_STORE');
+});
+
+it('uses defaults when slice config is missing', function () {
+    $service = new Service(['id' => 3]);
+    $slice = new ServiceSlice(['service_id' => 3, 'config' => []]);
+
+    $driver = new Valkey8Driver(service: $service);
+
+    expect($driver->environmentExportsForSlice($slice))->toBe([
+        'REDIS_HOST' => 'keystone-service-3',
+        'REDIS_PORT' => '6379',
+        'REDIS_DB' => '0',
+    ]);
+});
+
+it('builds a slice provision script using the service slug', function () {
+    $service = new Service(['id' => 9, 'name' => 'My Cache']);
+    $slice = new ServiceSlice(['service_id' => 9, 'config' => ['database' => 4]]);
+    $slice->setRelation('service', $service);
+
+    $driver = new Valkey8Driver(service: $service);
+
+    $script = $driver->provisionSliceScript($slice);
+
+    expect($script)->toContain('docker compose -f /home/keystone/services/9/compose.yml exec -T my_cache valkey-cli');
+    expect($script)->toContain("-n '4' PING");
+});
+
+it('renders a compose service without persistence by default', function () {
+    $service = new Service(['id' => 1, 'config' => []]);
+
+    $compose = (new Valkey8Driver(service: $service))->composeService();
+
+    expect($compose['image'])->toBe('valkey/valkey:8');
+    expect($compose)->not->toHaveKey('volumes');
+    expect($compose)->not->toHaveKey('command');
+});
+
+it('renders a compose service with persistence enabled', function () {
+    $service = new Service(['id' => 1, 'config' => ['persistence' => true]]);
+
+    $driver = new Valkey8Driver(service: $service);
+
+    $compose = $driver->composeService();
+    expect($compose['volumes'])->toBe(['keystone_service_1_valkey_data:/data']);
+    expect($compose['command'])->toBe(['valkey-server', '--appendonly', 'yes']);
+    expect($driver->composeVolumes())->toBe(['keystone_service_1_valkey_data' => null]);
+});
+
+it('returns no compose volumes without persistence', function () {
+    $service = new Service(['id' => 1, 'config' => []]);
+
+    expect((new Valkey8Driver(service: $service))->composeVolumes())->toBe([]);
+});