feat(web+infra): polished front page, app at /, tracker at /status

- apps/web: redesigned landing (Hero/Scanner/HowItWorks/Features/Footer),
  honest live-vs-coming-soon badges, same-origin /api/scan, ember theme.
- ecosystem.config.cjs: runnable — pyre-api/worker via `node --import tsx`,
  pyre-web via `next start`, fork mode, env wired. pm2 web+api verified online
  (api /health 200, scan 200, web 200).
- infra/nginx/feedthepyre.com.conf: app at / (proxy :3000), API at /api
  (proxy :4000, prefix preserved), dev tracker at /status (static).
- scripts/deploy-web.sh: sudo cutover (install vhost, nginx -t, reload,
  certbot --nginx --keep-until-expiring).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

infra/nginx/feedthepyre.com.conf

@@ -1,109 +1,63 @@
-# ============================================================================
-# PYRE / Prometheus Protocol — nginx virtual host for feedthepyre.com
-# ----------------------------------------------------------------------------
-# Install path:   /etc/nginx/sites-available/feedthepyre.com
-#                 (the provision script symlinks this into sites-enabled/)
+# =============================================================================
+# nginx vhost — feedthepyre.com
+# =============================================================================
+# Serves the PYRE app at /, the API at /api, and the dev status tracker at
+# /status. Installed to /etc/nginx/sites-available/feedthepyre.com by
+# scripts/deploy-web.sh; certbot --nginx mirrors this server to a 443 block and
+# adds the HTTP->HTTPS redirect.
 #
-# TLS:            Managed by certbot. Run `certbot --nginx` AFTER this config is
-#                 installed — it will inject the listen 443 ssl server block,
-#                 the ssl_certificate / ssl_certificate_key lines, and the
-#                 HTTP->HTTPS redirect automatically. Do NOT hand-edit those in.
-#
-# App ports (see docs/PYRE_MVP_DESIGN.md §11 and .env.example):
-#                 web (Next.js)  -> 127.0.0.1:3000   (WEB_PORT)
-#                 api (Fastify)  -> 127.0.0.1:4000   (API_PORT)
-#
-# Current behaviour: serves the static status dashboard from
-#                 /var/www/feedthepyre/status. The reverse-proxy blocks below
-#                 are commented out until the apps are deployed.
-# ============================================================================
+# Upstreams (pm2): web = 127.0.0.1:3000 (Next.js), api = 127.0.0.1:4000 (Fastify)
+# =============================================================================
 
 server {
     listen 80;
     listen [::]:80;
     server_name feedthepyre.com www.feedthepyre.com;
 
-    # --- Static status site (current site root) -----------------------------
-    root /var/www/feedthepyre/status;
-    index index.html;
-
-    # --- Logging ------------------------------------------------------------
     access_log /var/log/nginx/feedthepyre.access.log;
     error_log  /var/log/nginx/feedthepyre.error.log;
 
-    # --- ACME HTTP-01 challenge --------------------------------------------
-    # Explicit so certbot's HTTP-01 validation works even before its --nginx
-    # tweaks are applied. ^~ ensures this wins over the regex/proxy locations.
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css application/json application/javascript
+               application/xml image/svg+xml;
+
+    client_max_body_size 1m;
+
+    # Let's Encrypt HTTP-01 (kept so cert renewals work).
     location ^~ /.well-known/acme-challenge/ {
         root /var/www/feedthepyre/status;
         allow all;
     }
 
-    # --- Basic hardening ----------------------------------------------------
-    # gzip for text-ish content types.
-    gzip on;
-    gzip_comp_level 5;
-    gzip_min_length 256;
-    gzip_proxied any;
-    gzip_vary on;
-    gzip_types
-        text/plain
-        text/css
-        text/xml
-        text/javascript
-        application/javascript
-        application/json
-        application/xml
-        application/rss+xml
-        image/svg+xml;
-
-    # NOTE: `server_tokens off;` is intentionally NOT set here — it belongs in
-    # the http{} block of /etc/nginx/nginx.conf so it applies globally. Set it
-    # there once rather than duplicating it per-vhost.
-
-    # --- Site root ----------------------------------------------------------
-    # Serve the static status dashboard for now.
-    #
-    # LATER: when apps/web (Next.js) is deployed, switch this location from the
-    # static status page to a reverse proxy. Replace the try_files body with:
-    #
-    #     proxy_pass http://127.0.0.1:3000;
-    #     proxy_http_version 1.1;
-    #     proxy_set_header Host              $host;
-    #     proxy_set_header X-Real-IP         $remote_addr;
-    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-    #     proxy_set_header Upgrade           $http_upgrade;
-    #     proxy_set_header Connection        $connection_upgrade;
-    #
-    location / {
-        try_files $uri $uri/ /index.html;
+    # --- Dev status tracker (static) -> /status -----------------------------
+    location = /status { return 301 /status/; }
+    location /status/ {
+        alias /var/www/feedthepyre/status/;
+        index index.html;
+        try_files $uri $uri/ /status/index.html;
     }
 
-    # ------------------------------------------------------------------------
-    # REVERSE-PROXY BLOCKS — enable when apps are running
-    # ------------------------------------------------------------------------
-    # Uncomment the /api/ block below once apps/api (Fastify, port 4000) is up.
-    # The trailing slash on proxy_pass strips the /api/ prefix so the backend
-    # sees /scan, /receipt, etc.
-    #
-    # location /api/ {
-    #     proxy_pass http://127.0.0.1:4000/;
-    #     proxy_http_version 1.1;
-    #     proxy_set_header Host              $host;
-    #     proxy_set_header X-Real-IP         $remote_addr;
-    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-    #     proxy_set_header X-Forwarded-Proto $scheme;
-    #     proxy_set_header Upgrade           $http_upgrade;
-    #     proxy_set_header Connection        $connection_upgrade;
-    # }
-    #
-    # The websocket Upgrade/Connection headers above rely on a $connection_upgrade
-    # map. Add this once in the http{} block of /etc/nginx/nginx.conf:
-    #
-    #     map $http_upgrade $connection_upgrade {
-    #         default upgrade;
-    #         ''      close;
-    #     }
-    # ------------------------------------------------------------------------
+    # --- API (Fastify) ------------------------------------------------------
+    # No trailing slash on proxy_pass: the /api/ prefix is preserved, so the
+    # backend receives /api/scan (its actual route).
+    location /api/ {
+        proxy_pass http://127.0.0.1:4000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 60s;
+    }
+
+    # --- Web app (Next.js) --------------------------------------------------
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
 }