Initial SDP skeleton

Sandbox Deployment Platform — Go control plane + agents, NextJS dashboard,
nginx reverse proxy. Cross-compile via Docker; deploy via sshpass to
172.18.136.92 (micro) and 172.18.139.186 (gateway).

- control-plane: HTTP API, WS hub, SQLite (modernc.org/sqlite) for
  progress, .log files for log persistence
- agent-micro / agent-gateway: alpine:3.20 + bind-mounted repo,
  binary exec'd in container, no Dockerfile build step
- dashboard: NextJS static export + shadcn/ui components, single
  WebSocket hook
- docker-compose.yml: three services on alpine:latest with docker
  socket bind for agents
- scripts/: build.sh (golang:1.23-alpine cross-compile), deploy.sh,
  patch-nginx.sh (idempotent nginx splice), ssh wrappers

Runtime model: pass-through Bitbucket creds per deploy, never logged or
persisted on the agent. Control plane never touches git or docker
directly — agents do all the work locally.

README.md

@@ -0,0 +1,65 @@
+# Sandbox Deployment Platform (SDP)
+
+Internal deployment platform for Backend/QA. Lets a developer deploy a feature
+branch into an isolated sandbox, with the API Gateway routing selected
+services to the sandbox and the rest to OCP. See [REQUIREMENTS.md](REQUIREMENTS.md)
+for the full spec.
+
+## Layout
+
+```
+.
+├── protocol/         # shared wire types (Event, DeployRequest)
+├── control-plane/    # Go. HTTP API + WS hub + SQLite/.log persistence
+├── agent-micro/      # Go. Runs on 172.18.136.92, deploys Go microservices
+├── agent-gateway/    # Go. Runs on 172.18.139.186, deploys the API Gateway
+├── dashboard/        # NextJS static export, served by nginx
+└── nginx/            # reverse proxy + try_files for the dashboard
+```
+
+## End-to-end smoke (manual)
+
+Prereqs: Go 1.22+, Node 18+, Docker on each agent VM, alpine:3.20 loaded
+locally (`docker load -i alpine.tar`).
+
+1. Build everything:
+   ```bash
+   cd protocol && go build ./...
+   cd ../control-plane && go build -o bin/control-plane ./cmd/control-plane
+   cd ../agent-micro && go build -o bin/agent-micro ./cmd/agent-micro
+   cd ../agent-gateway && go build -o bin/agent-gateway ./cmd/agent-gateway
+   cd ../dashboard && npm install && npm run build
+   ```
+
+2. Start the control plane:
+   ```bash
+   ./control-plane/bin/control-plane -addr :8080 -data ./data
+   ```
+
+3. Start the micro agent on 172.18.136.92:
+   ```bash
+   SDP_CP_URL=ws://172.18.139.186:8080/ws/agent SDP_NODE_ID=micro \
+     ./agent-micro/bin/agent-micro
+   ```
+
+4. Start the gateway agent on 172.18.139.186:
+   ```bash
+   SDP_CP_URL=ws://172.18.139.186:8080/ws/agent SDP_NODE_ID=gateway \
+     ./agent-gateway/bin/agent-gateway
+   ```
+
+5. Point nginx at the dashboard build (`dashboard/out/`) and the control
+   plane (`:8080`). See `nginx/nginx.conf`.
+
+6. Open `http://<nginx-host>/`, sign in with any Bitbucket creds, pick
+   `account` → `feature/login-error`, click Deploy. Watch the stage
+   checkmarks and the log stream.
+
+## Notes
+
+- Credentials are passed per-operation to the agent and never persisted
+  on the agent longer than the operation.
+- The runtime model is `alpine:3.20` + bind-mounted repo + exec'd binary.
+  No Dockerfile build step on the agent.
+- Logs persist to `<data>/logs/<deploymentId>.log`. SQLite holds progress
+  snapshots and final state.