app #0: cube.famzheng.me 入口门户 + 平台脚手架

monorepo 第一刀：
- workspace + crates/cube-core（base router / healthz / ServeDir SPA fallback / JSON tracing / SIGTERM shutdown）
- apps/cube：axum 主程序 + Vite + Vue 3 + TS 门户（暗色调 + 渐变 logo + app 卡片网格）
- Dockerfile：scratch + musl 静态二进制，镜像 2.6MB
- k8s/：cube-cube ns + Deployment + Service + Ingress（cube.famzheng.me，traefik LE 自动签）
- registry：新增 registry.famzheng.me ingress 反代到 gitea 内置 container registry，
  自动化身份用 mochi（registry.famzheng.me/mochi/cube）
- CI：.gitea/workflows/deploy-cube.yml，host shell runner（gnoc），
  build → push → kubectl rollout 五步流水
- README：把宪法段改成 monorepo 模式 + monorepo 目录结构
- 新增宪法条款：前端视图状态走 URL（path + query）保证可 bookmark

.gitea/workflows/deploy-cube.yml

@@ -0,0 +1,52 @@
+name: deploy cube
+# app #0：cube.famzheng.me 入口门户。host shell runner（gnoc 用户）。
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'apps/cube/**'
+      - 'crates/cube-core/**'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '.gitea/workflows/deploy-cube.yml'
+  workflow_dispatch:
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest:host  # host shell executor，PATH 需要手动加 ~/.cargo/bin
+    env:
+      APP: cube
+      IMAGE: registry.famzheng.me/mochi/cube
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Resolve image tag
+        id: tag
+        run: |
+          echo "sha=$(git rev-parse --short=12 HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Build rust (musl static)
+        run: |
+          export PATH="$HOME/.cargo/bin:$PATH"
+          cargo build --release --target x86_64-unknown-linux-musl -p "$APP"
+
+      - name: Build frontend
+        run: |
+          cd "apps/$APP/frontend"
+          npm ci
+          npm run build
+
+      - name: Build & push image
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          echo "$REGISTRY_TOKEN" | docker login registry.famzheng.me -u mochi --password-stdin
+          docker build -f "apps/$APP/Dockerfile" -t "$IMAGE:${{ steps.tag.outputs.sha }}" .
+          docker push "$IMAGE:${{ steps.tag.outputs.sha }}"
+
+      - name: Roll out to k3s
+        # runner 是 gnoc 用户 host shell 模式，直接用 ~/.kube/config（已配好），无需 secret
+        run: |
+          kubectl -n "cube-$APP" set image "deploy/$APP" "$APP=$IMAGE:${{ steps.tag.outputs.sha }}"
+          kubectl -n "cube-$APP" rollout status "deploy/$APP" --timeout=120s