Phase 0 — NestJS + Zod foundation harness (F1–F8) (#1050)

Co-hosted NestJS app behind the existing Express server via a strangler-fig dispatcher, sharing the same better-sqlite3 connection and JWT httpOnly cookie. Additive and dormant: default routing stays on Express, Nest only serves its own /api/_nest diagnostics until a module opts in.

F1 @trek/shared Zod contract package; F2 Nest bootstrap co-hosted (fall-through, single Dockerfile/port); F3 shared better-sqlite3 provider; F4 JWT cookie auth guard (+ @CurrentUser, admin guard); F5 Zod validation pipe + error-envelope parity; F6 Nest test + coverage gates; F7 per-prefix strangler toggle (env, default Express); F8 CI build/typecheck/test/coverage.

Remaining F4/F6/F8 checklist items (trip-access + permission levels + MFA policy, e2e harness/seed + 80% gate, Nest↔Express parity test, Playwright PR-comment workflow) are tracked on the first consuming module cards (L1/A1/C1).

server/scripts/dev.mjs

@@ -0,0 +1,22 @@
+import { execSync, spawn } from 'node:child_process';
+
+// Dev runtime for the co-hosted NestJS + legacy Express server.
+// NestJS DI needs decorator metadata, which the old tsx/esbuild runtime does not
+// emit — so dev runs the tsc build with watchers (same toolchain as prod `dist`).
+// Initial build first so `node --watch dist/index.js` has something to start.
+console.log('[dev] initial build...');
+execSync('node scripts/build.mjs', { stdio: 'inherit' });
+
+const watchers = [
+  ['npx', ['tsc', '-w', '-p', 'tsconfig.build.json', '--preserveWatchOutput']],
+  ['npx', ['tsc-alias', '-w', '-p', 'tsconfig.build.json']],
+  ['node', ['--watch', 'dist/index.js']],
+];
+
+const children = watchers.map(([cmd, args]) =>
+  spawn(cmd, args, { stdio: 'inherit', shell: true }),
+);
+
+const stop = () => { children.forEach((c) => { try { c.kill(); } catch {} }); process.exit(0); };
+process.on('SIGINT', stop);
+process.on('SIGTERM', stop);