Initial SDP skeleton

Sandbox Deployment Platform — Go control plane + agents, NextJS dashboard,
nginx reverse proxy. Cross-compile via Docker; deploy via sshpass to
172.18.136.92 (micro) and 172.18.139.186 (gateway).

- control-plane: HTTP API, WS hub, SQLite (modernc.org/sqlite) for
  progress, .log files for log persistence
- agent-micro / agent-gateway: alpine:3.20 + bind-mounted repo,
  binary exec'd in container, no Dockerfile build step
- dashboard: NextJS static export + shadcn/ui components, single
  WebSocket hook
- docker-compose.yml: three services on alpine:latest with docker
  socket bind for agents
- scripts/: build.sh (golang:1.23-alpine cross-compile), deploy.sh,
  patch-nginx.sh (idempotent nginx splice), ssh wrappers

Runtime model: pass-through Bitbucket creds per deploy, never logged or
persisted on the agent. Control plane never touches git or docker
directly — agents do all the work locally.

nginx/nginx.conf

@@ -0,0 +1,51 @@
+# SDP nginx — serves the static NextJS export and proxies API + WS
+# to the Go control plane.
+#
+# try_files: any unknown path falls back to /index.html so client-side
+# routing works. /api and /ws are matched first and proxied upstream.
+
+upstream control_plane {
+    server 127.0.0.1:8080;
+    keepalive 16;
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    # Long-lived WS connections need a generous read timeout.
+    proxy_read_timeout 3600s;
+    proxy_send_timeout 3600s;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    # --- API: control plane ---
+    location /api/ {
+        proxy_pass http://control_plane;
+    }
+
+    # --- WebSocket: agent + dashboard subscriptions ---
+    location /ws/ {
+        proxy_pass http://control_plane;
+    }
+
+    # --- Static dashboard ---
+    root /var/www/sdp/dashboard/out;
+    index index.html;
+
+    # ponytail: try_files does all the work. _next chunks, images, etc. are
+    # served as files; unknown paths fall back to /index.html for SPA routing.
+    location / {
+        try_files $uri $uri/ $uri.html /index.html;
+    }
+
+    # Cache static assets aggressively; never cache index.html.
+    location /_next/static/ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}