refactor: move deployment files from web/ to repo root

Moves Dockerfile, docker-compose.yml, docker-compose.prod.yml, deploy.sh,
litestream.yml, and router/ from web/ to the monorepo root so copier update
can manage them from the template.

Dockerfile updated for monorepo layout:
- CSS build stage: COPY web/src/ ./web/src/ (Tailwind input path updated)
- Python build stage: copies root uv.lock + web/pyproject.toml separately,
  runs `uv sync --package beanflows` (not full workspace sync)
- Runtime CSS copy path updated to web/src/beanflows/static/css/output.css

deploy.sh: fixed sops path ($APP_DIR/.env.prod.sops, was $APP_DIR/../)

supervisor.py:
- web_code_changed(): Dockerfile path is now root-level (was web/Dockerfile)
- tick(): deploy script is now ./deploy.sh (was ./web/deploy.sh)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.prod.yml

@@ -0,0 +1,132 @@
+services:
+  # ── Always-on infrastructure ──────────────────────────────
+
+  router:
+    image: nginx:alpine
+    restart: unless-stopped
+    ports:
+      - "5000:80"
+    volumes:
+      - ./router/default.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      - net
+    healthcheck:
+      test: ["CMD", "nginx", "-t"]
+      interval: 30s
+      timeout: 5s
+
+  litestream:
+    image: litestream/litestream:latest
+    restart: unless-stopped
+    command: replicate -config /etc/litestream.yml
+    volumes:
+      - app-data:/app/data
+      - ./litestream.yml:/etc/litestream.yml:ro
+
+  # ── Blue slot ─────────────────────────────────────────────
+
+  blue-app:
+    profiles: ["blue"]
+    build:
+      context: .
+    restart: unless-stopped
+    env_file: ./.env
+    environment:
+      - DATABASE_PATH=/app/data/app.db
+      - SERVING_DUCKDB_PATH=/data/materia/analytics.duckdb
+    volumes:
+      - app-data:/app/data
+      - /data/materia/analytics.duckdb:/data/materia/analytics.duckdb:ro
+    networks:
+      - net
+    healthcheck:
+      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
+  blue-worker:
+    profiles: ["blue"]
+    build:
+      context: .
+    restart: unless-stopped
+    command: python -m beanflows.worker
+    env_file: ./.env
+    environment:
+      - DATABASE_PATH=/app/data/app.db
+    volumes:
+      - app-data:/app/data
+    networks:
+      - net
+
+  blue-scheduler:
+    profiles: ["blue"]
+    build:
+      context: .
+    restart: unless-stopped
+    command: python -m beanflows.worker scheduler
+    env_file: ./.env
+    environment:
+      - DATABASE_PATH=/app/data/app.db
+    volumes:
+      - app-data:/app/data
+    networks:
+      - net
+
+  # ── Green slot ────────────────────────────────────────────
+
+  green-app:
+    profiles: ["green"]
+    build:
+      context: .
+    restart: unless-stopped
+    env_file: ./.env
+    environment:
+      - DATABASE_PATH=/app/data/app.db
+      - SERVING_DUCKDB_PATH=/data/materia/analytics.duckdb
+    volumes:
+      - app-data:/app/data
+      - /data/materia/analytics.duckdb:/data/materia/analytics.duckdb:ro
+    networks:
+      - net
+    healthcheck:
+      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
+  green-worker:
+    profiles: ["green"]
+    build:
+      context: .
+    restart: unless-stopped
+    command: python -m beanflows.worker
+    env_file: ./.env
+    environment:
+      - DATABASE_PATH=/app/data/app.db
+    volumes:
+      - app-data:/app/data
+    networks:
+      - net
+
+  green-scheduler:
+    profiles: ["green"]
+    build:
+      context: .
+    restart: unless-stopped
+    command: python -m beanflows.worker scheduler
+    env_file: ./.env
+    environment:
+      - DATABASE_PATH=/app/data/app.db
+    volumes:
+      - app-data:/app/data
+    networks:
+      - net
+
+volumes:
+  app-data:
+
+networks:
+  net: