Harden prod deploy: versioned secrets, healthchecks, migration lock, dry-run

Swarm stack
- Resource limits on all services, stop_grace_period 60s on api/worker/admin
- Dozzle bound to manager loopback only (ssh -L required for access)
- Worker health server on :6060, admin /api/health endpoint
- Redis 200M LRU cap, B2/S3 env vars wired through to api service

Deploy script
- DRY_RUN=1 prints plan + exits
- Auto-rollback on failed healthcheck, docker logout at end
- Versioned-secret pruning keeps last SECRET_KEEP_VERSIONS (default 3)
- PUSH_LATEST_TAG default flipped to false
- B2 all-or-none validation before deploy

Code
- cmd/api takes pg_advisory_lock on a dedicated connection before
  AutoMigrate, serialising boot-time migrations across replicas
- cmd/worker exposes an HTTP /health endpoint with graceful shutdown

Docs
- deploy/DEPLOYING.md: step-by-step walkthrough for a real deploy
- deploy/shit_deploy_cant_do.md: manual prerequisites + recurring ops
- deploy/README.md updated with storage toggle, worker-replica caveat,
  multi-arch recipe, connection-pool tuning, renumbered sections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,54 @@
+# Git
+.git
+.gitignore
+.gitattributes
+.github
+.gitea
+
+# Deploy inputs (never bake into images)
+deploy/*.env
+deploy/secrets/*.txt
+deploy/secrets/*.p8
+deploy/scripts/
+
+# Local env files
+.env
+.env.*
+!.env.example
+
+# Node (admin)
+admin/node_modules
+admin/.next
+admin/out
+admin/.turbo
+admin/.vercel
+admin/npm-debug.log*
+
+# Go build artifacts
+bin/
+dist/
+tmp/
+*.test
+*.out
+coverage.out
+coverage.html
+
+# Tooling / editor
+.vscode
+.idea
+*.swp
+*.swo
+.DS_Store
+
+# Logs
+*.log
+logs/
+
+# Tests / docs (not needed at runtime)
+docs/
+*.md
+!README.md
+
+# CI/compose locals (not needed for swarm image build)
+docker-compose*.yml
+Makefile