chore: scaffold PYRE MVP monorepo (structure + docs)

pnpm + TypeScript workspace per design doc §13:
- apps/{web,api,worker} skeletons (Next.js 16, Fastify 5, BullMQ)
- packages/{core,solana,prometheus,db,config} (core has real types/DTOs;
  solana/prometheus are stubs)
- programs/pyre-core placeholder (future Anchor, v1.0)
- docs/: PYRE_MVP_DESIGN (canonical), ARCHITECTURE, SECURITY, TOKEN_CLASSIFICATION
- CLAUDE.md, README, .env.example (no private-key var by design)

Skeleton + docs only — no Solana/business logic yet. All workspaces typecheck clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

apps/api/src/index.ts

@@ -0,0 +1,57 @@
+// PYRE backend API — SKELETON ONLY.
+//
+// Minimal Fastify bootstrap. Only `/health` is wired up. The §14 endpoints
+// below are intentionally NOT implemented — no scan/classify/build logic here.
+//
+// Trust rules (§16): never request private keys, never sign custodially,
+// always build an unsigned tx the client decodes + previews before signing,
+// validate wallet pubkeys, validate token-account ownership, never trust
+// client-submitted classifications (recompute server-side), log all tx-build
+// requests, rate-limit scan endpoints, protect admin endpoints.
+
+import Fastify from "fastify";
+
+const app = Fastify({ logger: true });
+
+app.get("/health", async () => {
+  return { status: "ok", service: "@pyre/api" };
+});
+
+// TODO (§14): implement the following routes as real, validated handlers.
+//   POST /api/scan
+//     in:  { wallet }
+//     out: { scanId, wallet, summary, accounts[] }
+//
+//   POST /api/build/close-empty
+//     in:  { wallet, accountAddresses[] }
+//     out: { transactionBase64, preview: { accountsToClose,
+//            estimatedRentReturnedLamports, rentDestination } }
+//
+//   POST /api/build/burn
+//     in:  { wallet, items[] }
+//     out: { transactionBase64, preview: { tokensToBurn, accountsPotentiallyClosable } }
+//
+//   POST /api/receipt
+//     in:  { wallet, txSignature, scanId }
+//     out: { receiptId, txSignature, rentReturnedLamports, closedAccounts,
+//            burnedTokens, skippedTokens }
+//
+//   POST /api/prometheus/generate   (enqueue BullMQ job for @pyre/worker)
+//     in:  { receiptId, chaos, operatorSeed? }
+//     out: { generationId, spawnName, ticker, lore, imagePrompt, metadata, riskFlags }
+//
+//   Admin endpoints — review/approve/reject Spawn generations (protected).
+
+const port = Number(process.env.PORT ?? 3001);
+const host = process.env.HOST ?? "0.0.0.0";
+
+// TODO: load + validate config via @pyre/config instead of reading process.env here.
+app
+  .listen({ port, host })
+  .then((address) => {
+    app.log.info(`@pyre/api listening on ${address}`);
+  })
+  .catch((err) => {
+    app.log.error(err);
+    process.exit(1);
+  });