(all) add organizations, resources, channels, and infra migration (#34)

Add multi-tenant organization model populated from OIDC claims with
org-scoped user discovery, CalDAV principal filtering, and cross-org
isolation at the SabreDAV layer.

Add bookable resource principals (rooms, equipment) with CalDAV
auto-scheduling that handles conflict detection, auto-accept/decline,
and org-scoped booking enforcement. Fixes #14.

Replace CalendarSubscriptionToken with a unified Channel model
supporting CalDAV integration tokens and iCal feed URLs, with
encrypted token storage and role-based access control. Fixes #16.

Migrate task queue from Celery to Dramatiq with async ICS import,
progress tracking, and task status polling endpoint.

Replace nginx with Caddy for both the reverse proxy and frontend
static serving. Switch frontend package manager from yarn/pnpm to
npm and upgrade Node to 24, Next.js to 16, TypeScript to 5.9.

Harden security with fail-closed entitlements, RSVP rate limiting
and token expiry, CalDAV proxy path validation blocking internal
API routes, channel path scope enforcement, and ETag-based
conflict prevention.

Add frontend pages for resource management and integration channel
CRUD, with resource booking in the event modal.

Restructure CalDAV paths to /calendars/users/ and
/calendars/resources/ with nested principal collections in SabreDAV.
This commit is contained in:
Sylvain Zimmer
2026-03-09 09:09:34 +01:00
committed by GitHub
parent cd2b15b3b5
commit 9c18f96090
176 changed files with 26903 additions and 12108 deletions

@@ -1,13 +1,12 @@
FROM node:22-alpine AS frontend-deps
FROM node:24-alpine AS frontend-deps
WORKDIR /home/frontend/
COPY ./package.json ./package.json
COPY ./yarn.lock ./yarn.lock
COPY ./package-lock.json ./package-lock.json
COPY ./apps/calendars/package.json ./apps/calendars/package.json
RUN yarn install --frozen-lockfile
RUN npm ci
COPY .dockerignore ./.dockerignore
# COPY ./.prettierrc.js ./.prettierrc.js
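Review bot: `FROM node:24-alpine` in the frontend-deps stage is a floating tag, so the toolchain that runs `npm ci` can change between builds without any change in this repository; pin it by digest (`node:24-alpine@sha256:<digest>`, placeholder) and bump it deliberately. In the same stage, `npm ci` executes dependency install scripts during the image build; if nothing in the tree needs them, `npm ci --ignore-scripts` narrows what a compromised package can do at build time.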
@@ -26,16 +25,16 @@ WORKDIR /home/frontend/apps/calendars
FROM frontend-deps AS calendars-dev
WORKDIR /home/frontend/apps/calendars
WORKDIR /home/frontend
EXPOSE 3000
RUN yarn build-theme
RUN cd apps/calendars && npm run build-theme
# Build open-calendar package if dist doesn't exist, then start dev server
CMD ["/bin/sh", "-c", "cd /home/frontend/apps/calendars && yarn dev"]
CMD ["/bin/sh", "-c", "cd /home/frontend/apps/calendars && npm run dev"]
# Tilt will rebuild calendars target so, we dissociate calendars and calendars-builder
# Tilt will rebuild calendars target so, we dissociate calendars and calendars-builder
# to avoid rebuilding the app at every changes.
FROM calendars AS calendars-builder
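Review bot: the comment above `CMD` in the calendars-dev stage still says it builds the open-calendar package if dist doesn't exist, but the command only changes directory and runs `npm run dev`; update the comment or drop it. With `WORKDIR /home/frontend`, both the `RUN` and the `CMD` need their own `cd` into apps/calendars; unless something else in this stage needs the repository root, keeping the WORKDIR at /home/frontend/apps/calendars would allow an exec-form `CMD ["npm", "run", "dev"]` without the `/bin/sh -c` wrapper.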
@@ -44,28 +43,20 @@ WORKDIR /home/frontend/apps/calendars
ARG API_ORIGIN
ENV NEXT_PUBLIC_API_ORIGIN=${API_ORIGIN}
RUN yarn build
RUN npm run build
# ---- Front-end image ----
FROM nginxinc/nginx-unprivileged:alpine3.22 AS frontend-production
FROM caddy:2-alpine AS frontend-production
# Upgrade system packages to install security updates
USER root
RUN apk update && \
apk upgrade && \
rm -rf /var/cache/apk/*
# Un-privileged user running the application
ARG DOCKER_USER
USER ${DOCKER_USER}
COPY --from=calendars-builder \
/home/frontend/apps/calendars/out \
/usr/share/nginx/html
/srv
COPY ./apps/calendars/conf/default.conf /etc/nginx/conf.d
COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
COPY ./Caddyfile /etc/caddy/Caddyfile
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
CMD ["nginx", "-g", "daemon off;"]
CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
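Review bot: the production base moves from `nginxinc/nginx-unprivileged` to `caddy:2-alpine`, which is not an unprivileged variant, so the final stage now relies on `USER ${DOCKER_USER}` being in effect when the `CMD` runs, and the rendered hunk does not make clear which of the `USER root` / `USER ${DOCKER_USER}` lines survive. Please confirm the stage ends as a non-root user, that `DOCKER_USER` is always supplied at build time (the `ARG` declares no default here), and that this user can read /srv and /etc/caddy/Caddyfile. If the `apk upgrade` step is being dropped along with nginx, say so in the commit message, since it was the only place this image picked up package security updates.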