feat(infra): Phase 0 provisioning + dev status dashboard

- scripts/phase0-provision.sh: idempotent root setup (nginx, PostgreSQL,
  Redis, certbot/TLS, UFW). Opens 22/2222/80/443 before enabling UFW so SSH
  and Gitea git-SSH can't be locked out. Redis/Postgres stay localhost-only.
- infra/nginx/feedthepyre.com.conf: vhost serving the status page; commented
  web(:3000)/api(:4000) reverse-proxy blocks ready for app deploy.
- infra/status/: data-driven dev status dashboard (status.json + gen-status.mjs
  + prebuilt index.html), served at feedthepyre.com.
- ecosystem.config.cjs (PM2), infra/systemd/pm2-pyre.service, infra/logrotate/pyre,
  scripts/backup.sh — process mgmt + ops (inert until apps are built).

Built by 4 parallel agents, reviewed by 2 audit agents; audit fixes applied
(logs dir creation, port-citation accuracy, status truthfulness). pm2 installed
user-level. Privileged steps gated on `sudo bash scripts/phase0-provision.sh`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ecosystem.config.cjs

@@ -0,0 +1,74 @@
+// PYRE / Prometheus Protocol — PM2 ecosystem (process manager) config
+//
+// ⚠️  INERT / NOT YET RUNNABLE: the apps are NOT implemented yet. This file
+//     defines how the three PYRE processes WILL run once apps/web, apps/api,
+//     and apps/worker are built/deployed. Starting it now will fail because
+//     the apps (and their builds) do not exist yet.
+//
+// Process names match docs/PYRE_MVP_DESIGN.md §12: pyre-web, pyre-api, pyre-worker.
+//
+// Once apps exist, start with:
+//   pm2 start ecosystem.config.cjs
+//   pm2 save            # persist process list so `pm2 resurrect` works on boot
+//
+// PM2 is installed at user level: ~/.local/share/pnpm/bin/pm2
+// Logs go to /home/pyre/pyre/logs/ (rotated by infra/logrotate/pyre).
+//
+// Note on memory: the 8GB VPS is shared with postgres, redis, nginx, etc.,
+// so each process is capped at 400M via max_memory_restart.
+
+module.exports = {
+  apps: [
+    {
+      // Next.js frontend (production) — port 3000 per .env.example (WEB_PORT).
+      name: "pyre-web",
+      cwd: "apps/web",
+      script: "pnpm",
+      args: "start", // runs `next start` (requires a prior `pnpm build`)
+      instances: 1,
+      autorestart: true,
+      max_memory_restart: "400M",
+      env: {
+        NODE_ENV: "production",
+        PORT: 3000,
+      },
+      out_file: "/home/pyre/pyre/logs/pyre-web-out.log",
+      error_file: "/home/pyre/pyre/logs/pyre-web-err.log",
+    },
+    {
+      // Fastify HTTP API — port 4000 per .env.example (API_PORT).
+      // Runs the compiled server. Until a build exists you can temporarily
+      // swap to a dev runner: script: "pnpm", args: "dev"
+      name: "pyre-api",
+      cwd: "apps/api",
+      script: "node",
+      args: "dist/index.js",
+      instances: 1,
+      autorestart: true,
+      max_memory_restart: "400M",
+      env: {
+        NODE_ENV: "production",
+        PORT: 4000,
+      },
+      out_file: "/home/pyre/pyre/logs/pyre-api-out.log",
+      error_file: "/home/pyre/pyre/logs/pyre-api-err.log",
+    },
+    {
+      // BullMQ background worker (no HTTP port).
+      // Runs the compiled worker. Until a build exists you can temporarily
+      // swap to a dev runner: script: "pnpm", args: "dev"
+      name: "pyre-worker",
+      cwd: "apps/worker",
+      script: "node",
+      args: "dist/index.js",
+      instances: 1,
+      autorestart: true,
+      max_memory_restart: "400M",
+      env: {
+        NODE_ENV: "production",
+      },
+      out_file: "/home/pyre/pyre/logs/pyre-worker-out.log",
+      error_file: "/home/pyre/pyre/logs/pyre-worker-err.log",
+    },
+  ],
+};