feat(scaffold): Next 16 + Payload 3 scaffold with Kaniko CI and Swarm deploy

Initial app scaffold wired end-to-end: Payload 3.82 CMS integrated with Next
16.2 App Router (standalone output), PostgreSQL 17 adapter, Lexical rich text,
Tailwind 3 with Material 3 token palette ported from the stitch technical-
editorial design, self-hosted Space Grotesk + Inter via next/font, and
lucide-react icons. Admin lives at /admin, REST/GraphQL at /api/*, and
/api/health returns build SHA/REV for deploy verification.

Seven collections (Users, Media, Categories, Projects, Posts, Gear,
ContactSubmissions) and six globals (Home, About, Contact, Resume,
Navigation, SEO) model the content outlined in docs/PRD.md.

Multi-stage Dockerfile builds a non-root standalone runner; Woodpecker
pipeline lints, typechecks, builds, audits, builds with Kaniko to
git.mosaicstack.dev, scans with Trivy, and links the package. Swarm
compose mirrors the mosaic-stack-website Traefik entrypoints=web pattern
with www->apex redirect and immutable WEB_IMAGE_TAG.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.example

@@ -0,0 +1,48 @@
+# =============================================================================
+# jasonwoltje.com — environment variables
+# =============================================================================
+# Actual values live in Portainer stack env vars (prod) or .env (local dev).
+# Never commit .env — see .gitignore.
+
+# ---- Payload / Database ----
+# Local dev convenience: pnpm dev reads these directly.
+# In prod, DATABASE_URI is composed in docker-compose.swarm.yml from PAYLOAD_POSTGRES_*.
+DATABASE_URI=postgres://payload:payload@localhost:5432/payload
+PAYLOAD_POSTGRES_USER=payload
+PAYLOAD_POSTGRES_PASSWORD=replace-me-local-only
+PAYLOAD_POSTGRES_DB=payload
+PAYLOAD_SECRET=replace-with-32-plus-char-random-string
+
+# ---- Public URLs ----
+PAYLOAD_PUBLIC_SERVER_URL=http://localhost:3000
+NEXT_PUBLIC_SITE_URL=http://localhost:3000
+
+# ---- Build-time metadata (Status Terminal) ----
+# CI overrides these during docker-build; local dev falls back to "dev" / "local".
+NEXT_PUBLIC_BUILD_SHA=dev
+NEXT_PUBLIC_BUILD_REV=local
+
+# ---- Cloudflare Turnstile (contact form CAPTCHA) ----
+TURNSTILE_SITE_KEY=
+TURNSTILE_SECRET_KEY=
+
+# ---- Umami analytics (self-hosted; empty disables tracker) ----
+NEXT_PUBLIC_UMAMI_SRC=
+NEXT_PUBLIC_UMAMI_WEBSITE_ID=
+
+# ---- Contact form email (choose one path) ----
+# Option A: Resend
+RESEND_API_KEY=
+RESEND_FROM=no-reply@jasonwoltje.com
+RESEND_TO=jason@diversecanvas.com
+
+# Option B: SMTP relay
+# SMTP_HOST=
+# SMTP_PORT=587
+# SMTP_USER=
+# SMTP_PASSWORD=
+# SMTP_FROM=no-reply@jasonwoltje.com
+# SMTP_TO=jason@diversecanvas.com
+
+# ---- Mautic newsletter (not deployed yet; leave empty) ----
+MAUTIC_FORM_URL=