feat(platform): harden access scoping and delivery baseline

tooling/deploy/deploy-compose.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DEPLOY_ENV="${1:-unknown}"
+COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.cicd.yml}"
+APP_ENV_FILE="${APP_ENV_FILE:-.env.production}"
+DEPLOY_ENV_FILE="${DEPLOY_ENV_FILE:-deploy.env}"
+READY_URL="${READY_URL:-http://127.0.0.1:${APP_HOST_PORT:-3000}/api/ready}"
+READY_ATTEMPTS="${READY_ATTEMPTS:-60}"
+READY_SLEEP_SECONDS="${READY_SLEEP_SECONDS:-5}"
+
+if [ -f "${APP_ENV_FILE}" ]; then
+  set -a
+  # Load application secrets so docker compose interpolation sees them.
+  . "${APP_ENV_FILE}"
+  set +a
+fi
+
+if [ -f "${DEPLOY_ENV_FILE}" ]; then
+  set -a
+  . "${DEPLOY_ENV_FILE}"
+  set +a
+fi
+
+: "${APP_IMAGE:?APP_IMAGE must be set}"
+: "${MIGRATOR_IMAGE:?MIGRATOR_IMAGE must be set}"
+: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
+
+echo "Deploy environment: ${DEPLOY_ENV}"
+echo "Compose file: ${COMPOSE_FILE}"
+echo "App env file: ${APP_ENV_FILE}"
+echo "App image: ${APP_IMAGE}"
+echo "Migrator image: ${MIGRATOR_IMAGE}"
+
+if [ -n "${GHCR_USERNAME:-}" ] && [ -n "${GHCR_TOKEN:-}" ]; then
+  printf '%s\n' "${GHCR_TOKEN}" | docker login ghcr.io -u "${GHCR_USERNAME}" --password-stdin
+fi
+
+docker compose -f "${COMPOSE_FILE}" pull app migrator
+docker compose -f "${COMPOSE_FILE}" up -d postgres redis
+docker compose -f "${COMPOSE_FILE}" run --rm migrator
+docker compose -f "${COMPOSE_FILE}" up -d app
+
+for attempt in $(seq 1 "${READY_ATTEMPTS}"); do
+  if curl -fsS "${READY_URL}" >/dev/null 2>&1; then
+    echo "Application ready after attempt ${attempt}"
+    docker compose -f "${COMPOSE_FILE}" ps
+    exit 0
+  fi
+
+  sleep "${READY_SLEEP_SECONDS}"
+done
+
+echo "Deployment failed readiness check: ${READY_URL}" >&2
+docker compose -f "${COMPOSE_FILE}" ps >&2
+docker compose -f "${COMPOSE_FILE}" logs --tail 200 app >&2
+exit 1