Migrate to Stack A: PHP-fpm + nginx + supervisord, drop flat HTML + Python API

- Remove old flat HTML pages (index, about, blog, contact, reviews, services/*, locations/*)
- Remove Python/Flask API container (api/)
- Remove old root nginx.conf and components/
- Add infra/: full nginx.conf (http block at /etc/nginx/nginx.conf), php-fpm-pool.conf (TCP listen), supervisord.conf, entrypoint.sh (auto-generates ALTCHA_HMAC_KEY)
- Add src/: PHP router, page/service/location/blog templates, contact handler, altcha handler, promo endpoint, SQLite data files
- Rewrite Dockerfile: single container, tini PID 1, healthcheck, all env vars declared
- Update docker-compose.yml: port 8096, env_file, healthcheck
- Update .dockerignore: exclude .env.*, include robots.txt/sitemap.xml/404.html/500.html
- Update assets: tokens.css, promo-popup.css/js, altcha.min.js, refactored form.js/main.js

Verified: all 17 routes 200, protection audit PASS, Resend confirmed working

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

infra/entrypoint.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+if [ -z "$ALTCHA_HMAC_KEY" ]; then
+    export ALTCHA_HMAC_KEY="$(openssl rand -hex 32)"
+    echo "Generated ALTCHA_HMAC_KEY" >&2
+fi
+exec "$@"

infra/nginx.conf

@@ -0,0 +1,131 @@
+user www-data;
+worker_processes auto;
+error_log /dev/stderr warn;
+pid /run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+    access_log /dev/stdout main;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    gzip on;
+    gzip_types text/html text/css application/javascript image/svg+xml;
+    gzip_min_length 1024;
+
+    limit_req_zone $binary_remote_addr zone=contact_limit:10m rate=5r/m;
+
+    server {
+        listen 80 default_server;
+        server_name _;
+        root /var/www/html;
+        index index.php;
+
+        server_tokens off;
+        client_max_body_size 16k;
+
+        location = /robots.txt  { access_log off; try_files $uri =404; }
+        location = /sitemap.xml { access_log off; try_files $uri =404; }
+        location = /404.html    { internal; }
+        location = /500.html    { internal; }
+
+        location ~ /\. {
+            deny all;
+            return 404;
+        }
+
+        location ~* \.(env|conf|yml|yaml|py|pyc|sh|sql|log|bak|swp|sqlite)$ {
+            deny all;
+            return 404;
+        }
+
+        location ~* \.(css|js|webp|jpg|jpeg|png|svg|ico|woff2?|mp4|webm)$ {
+            expires 30d;
+            add_header Cache-Control "public, immutable";
+            access_log off;
+            try_files $uri =404;
+        }
+
+        location = /promo/ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME /var/www/html/src/api/promo.php;
+            fastcgi_param QUERY_STRING    "";
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        location = /altcha-challenge/ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME /var/www/html/src/api/altcha-challenge.php;
+            fastcgi_param QUERY_STRING    "";
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        location = /contact/ {
+            limit_req zone=contact_limit burst=3 nodelay;
+            limit_req_status 429;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME /var/www/html/src/api/router.php;
+            fastcgi_param QUERY_STRING    type=page&slug=contact;
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        set $router /var/www/html/src/api/router.php;
+
+        location = / {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $router;
+            fastcgi_param QUERY_STRING    type=page&slug=home;
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        location ~ ^/(about|reviews|blog|services|locations)/$ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $router;
+            fastcgi_param QUERY_STRING    type=page&slug=$1;
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        location ~ ^/services/([a-z0-9-]+)/$ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $router;
+            fastcgi_param QUERY_STRING    type=service&slug=$1;
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        location ~ ^/locations/([a-z0-9-]+)/$ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $router;
+            fastcgi_param QUERY_STRING    type=location&slug=$1;
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        location ~ ^/blog/([a-z0-9-]+)/$ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $router;
+            fastcgi_param QUERY_STRING    type=blog&slug=$1;
+            fastcgi_pass  127.0.0.1:9000;
+        }
+
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+        error_page 404 /404.html;
+        error_page 500 502 503 504 /500.html;
+    }
+}

infra/php-fpm-pool.conf

@@ -0,0 +1,14 @@
+[www]
+user = www-data
+group = www-data
+listen = 127.0.0.1:9000
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+clear_env = no
+
+access.log = /dev/null

infra/supervisord.conf

@@ -0,0 +1,25 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+pidfile=/var/run/supervisord.pid
+
+[program:php-fpm]
+command=/usr/local/sbin/php-fpm --nodaemonize
+autostart=true
+autorestart=true
+priority=10
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:nginx]
+command=/usr/sbin/nginx -g "daemon off;"
+autostart=true
+autorestart=true
+priority=20
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0