diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2fccd66
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,15 @@
+node_modules/
+dist/
+.build/
+.env
+.env.*
+!.env.example
+.DS_Store
+*.log
+*.tsbuildinfo
+
+# PKI private keys — only ca.crt is committed
+deploy/pki/*.key
+deploy/pki/*.csr
+deploy/pki/*.srl
+deploy/pki/quinn-*.crt
diff --git a/qr-device-login/client/tsconfig.json b/qr-device-login/client/tsconfig.json
new file mode 100644
index 0000000..f583227
--- /dev/null
+++ b/qr-device-login/client/tsconfig.json
@@ -0,0 +1,9 @@
+{
+  "extends": "../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "types": ["node"]
+  },
+  "include": ["src/**/*"]
+}
diff --git a/qr-device-login/deploy/pki/.gitignore b/qr-device-login/deploy/pki/.gitignore
new file mode 100644
index 0000000..2d5eef5
--- /dev/null
+++ b/qr-device-login/deploy/pki/.gitignore
@@ -0,0 +1,5 @@
+*.key
+*.csr
+*.srl
+!ca.crt
+quinn-*.crt
diff --git a/qr-device-login/deploy/qr-device-login.env.example b/qr-device-login/deploy/qr-device-login.env.example
new file mode 100644
index 0000000..ffedee0
--- /dev/null
+++ b/qr-device-login/deploy/qr-device-login.env.example
@@ -0,0 +1,19 @@
+# Environment file for qr-device-login systemd unit.
+#
+# Deploy as /etc/qr-device-login/qr-device-login.env (chmod 640, owner root:qr-device-login).
+
+# Loopback port the service listens on. Nginx fronts everything.
+PORT=8787
+
+# Public base URL, used in the scan URL encoded into each QR code.
+PUBLIC_BASE_URL=https://qr-auth.lilith.live
+
+# Absolute path to the consumer registry YAML.
+CONSUMERS_PATH=/etc/qr-device-login/consumers.yaml
+
+# In-memory store tuning.
+MAX_PENDING_TOKENS=200
+TOKEN_TTL_MS=300000
+
+# Only nginx on loopback is trusted to set X-Client-CN.
+TRUSTED_PROXY_IPS=127.0.0.1,::1
diff --git a/qr-device-login/react/tsconfig.json b/qr-device-login/react/tsconfig.json
new file mode 100644
index 0000000..315ccb9
--- /dev/null
+++ b/qr-device-login/react/tsconfig.json
@@ -0,0 +1,11 @@
+{
+  "extends": "../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "lib": ["ES2022", "DOM", "DOM.Iterable"],
+    "jsx": "react-jsx",
+    "moduleResolution": "bundler"
+  },
+  "include": ["src/**/*"]
+}
diff --git a/qr-device-login/server/tsconfig.json b/qr-device-login/server/tsconfig.json
new file mode 100644
index 0000000..27047b5
--- /dev/null
+++ b/qr-device-login/server/tsconfig.json
@@ -0,0 +1,10 @@
+{
+  "extends": "../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": ".",
+    "lib": ["ES2022"],
+    "types": ["node"]
+  },
+  "include": ["src/**/*", "test/**/*"]
+}
diff --git a/qr-device-login/shared/tsconfig.json b/qr-device-login/shared/tsconfig.json
new file mode 100644
index 0000000..03ce790
--- /dev/null
+++ b/qr-device-login/shared/tsconfig.json
@@ -0,0 +1,8 @@
+{
+  "extends": "../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*"]
+}