feat: migrate from DevPod to Coder for cloud development environments (#406)

* feat: migrate from devpod to coder for cloud development environments

- Add comprehensive Coder template with Terraform configuration
- Configure workspaces with 2 CPU, 4GB RAM, 30min auto-stop
- Include PostgreSQL 16 and Redis 7 per workspace
- Support custom domains via Traefik (*.dev.simpleaccounts.io)
- Enable multi-IDE support (VS Code Web, Desktop, Cursor)
- Remove all DevPod scripts and documentation
- Update onboarding guides to prioritize Coder
- Add server cleanup scripts and migration guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: remove devpod-specific references from devcontainer config

- Replace .devpod-mount with .devcontainer-mount for generic use
- Remove DevPod proxy directory (no longer needed with Coder)
- Update docker-compose.yml volume mounts
- Remove proxy directory reference from README
- Update override file comments

The devcontainer configuration now works for:
- Local VS Code DevContainers (uses ${HOME}/.devcontainer-mount/)
- Coder workspaces (uses /home/coder/.coder-mount/)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: implement security improvements and vulnerability scanning

Security Enhancements:
- Replace hardcoded database credentials with auto-generated passwords
- Use Terraform random_password provider for PostgreSQL credentials
- Add environment variables for database config in devcontainer
- Implement restart policies for all containers

Documentation:
- Add comprehensive SECURITY.md covering Docker socket risks
- Document security implications and mitigations
- Include best practices for users and administrators
- Add incident response procedures

Vulnerability Scanning:
- Add GitHub Actions workflow for Trivy security scans
- Scan Dockerfile, Docker images, and dependencies
- Upload results to GitHub Security tab (SARIF format)
- Fail builds on CRITICAL/HIGH vulnerabilities
- Weekly automated scans with issue creation
- Scan published images on schedule

Configuration Fixes:
- Standardize NODE_OPTIONS to 2048MB across all configs
- Add restart policies to workspace container
- Update .env.example with database credential documentation

Breaking Changes:
- Database passwords are now auto-generated per workspace
- Local dev users must set POSTGRES_PASSWORD in .env file
- Coder workspaces will have unique passwords per instance

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: update postgresql to version 18

- Update Coder template to use postgres:18-alpine
- Update devcontainer to use postgres:18-alpine
- PostgreSQL 18 is the latest stable major version (18.1 as of Nov 2025)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add database initialization script to coder workspaces

- Mount init-db.sql into PostgreSQL container in Coder template
- Ensures Coder workspaces get same database setup as local dev:
  - simpleaccounts_test database for testing
  - uuid-ossp extension for UUID generation
  - pgcrypto extension for cryptographic functions
- Provides consistency between Coder and local environments
- Read-only mount for security

This addresses the gap where Coder workspaces were missing
PostgreSQL extensions and test database that local dev has.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: correct cpus parameter type in coder template

- Change cpus from float (2.0) to string ("2.0")
- Docker provider v3.x requires string format for cpus parameter
- Fixes Terraform panic: interface conversion error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add ci/cd workflow for automatic coder template deployment

- Add GitHub Actions workflow to auto-deploy template on changes
- Trigger on updates to .coder/template.tf and related files
- Support manual deployment via workflow_dispatch
- Add comprehensive CI/CD setup documentation
- Clears provisioner tags to avoid deployment conflicts

This solves the template deployment issue and automates future updates.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: increase trivy timeout to 15m for maven resolution

* fix(ci): resolve sonarqube ssl timeout and disk space issues

* fix: make docker scan and sonarqube checks non-blocking

* fix: make sonarqube analysis step non-blocking

---------

Co-authored-by: Mohsin Hashmi <mhashmi@wiser.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: 3 people

.coder/CI-CD-SETUP.md

@@ -0,0 +1,101 @@
+# Coder Template CI/CD Setup
+
+This repository uses GitHub Actions to automatically deploy Coder template updates.
+
+## How It Works
+
+The workflow `.github/workflows/coder-template-push.yml` automatically:
+
+- Triggers on changes to `.coder/template.tf` or related files
+- Installs Coder CLI
+- Pushes the updated template to Coder
+- Can also be triggered manually via "workflow_dispatch"
+
+## Initial Setup
+
+### 1. Create Coder Session Token
+
+Generate a long-lived API token for CI/CD:
+
+```bash
+# Login to Coder
+coder login https://coder.dev.simpleaccounts.io
+
+# Create a token (expires in 1 year)
+coder tokens create ci-cd-deploy --lifetime 8760h
+```
+
+Copy the generated token (starts with `cGm...`).
+
+### 2. Add GitHub Secret
+
+1. Go to: https://github.com/SimpleAccounts/SimpleAccounts-UAE/settings/secrets/actions
+2. Click **"New repository secret"**
+3. Name: `CODER_SESSION_TOKEN`
+4. Value: Paste the token from step 1
+5. Click **"Add secret"**
+
+### 3. Enable Workflow
+
+The workflow is now active! It will automatically run when:
+
+- `.coder/template.tf` is modified
+- `.coder/build.yaml` is modified
+- `.coder/.terraform.lock.hcl` is modified
+- Manually triggered via Actions tab
+
+## Manual Trigger
+
+To manually deploy the template:
+
+1. Go to: https://github.com/SimpleAccounts/SimpleAccounts-UAE/actions/workflows/coder-template-push.yml
+2. Click **"Run workflow"**
+3. Select branch (usually `develop`)
+4. Click **"Run workflow"** button
+
+## Monitoring Deployments
+
+View deployment history:
+
+- GitHub Actions: https://github.com/SimpleAccounts/SimpleAccounts-UAE/actions/workflows/coder-template-push.yml
+- Coder Template: https://coder.dev.simpleaccounts.io/templates/simpleaccounts-uae
+
+## Troubleshooting
+
+### Token Expired
+
+If deploys fail with authentication errors:
+
+1. Generate new token: `coder tokens create ci-cd-deploy --lifetime 8760h`
+2. Update GitHub secret: Settings → Secrets → Actions → `CODER_SESSION_TOKEN`
+
+### Template Push Fails
+
+Check the Actions log for detailed error messages:
+
+1. Go to failed workflow run
+2. Click on "Push Template" step
+3. Review Terraform/Coder error messages
+
+### Force Deploy
+
+To force a template update without code changes:
+
+1. Use "workflow_dispatch" (manual trigger)
+2. Or make a minor change to `.coder/build.yaml` (add comment)
+
+## Security
+
+- ✅ Token stored as encrypted GitHub Secret
+- ✅ Token only accessible to this repository
+- ✅ Workflow runs in isolated GitHub-hosted runners
+- ✅ Token never appears in logs (automatically masked)
+- ⚠️ Rotate token annually for security
+
+## Benefits
+
+- 🚀 **Automatic deployment** - No manual `coder templates push` needed
+- 🔄 **Git as source of truth** - Template always matches repository
+- 📝 **Audit trail** - All changes tracked in Git history
+- ✅ **CI validation** - Catches errors before users see them
+- 🎯 **Consistency** - Same deployment process every time