feat(web+infra): polished front page, app at /, tracker at /status

- apps/web: redesigned landing (Hero/Scanner/HowItWorks/Features/Footer),
  honest live-vs-coming-soon badges, same-origin /api/scan, ember theme.
- ecosystem.config.cjs: runnable — pyre-api/worker via `node --import tsx`,
  pyre-web via `next start`, fork mode, env wired. pm2 web+api verified online
  (api /health 200, scan 200, web 200).
- infra/nginx/feedthepyre.com.conf: app at / (proxy :3000), API at /api
  (proxy :4000, prefix preserved), dev tracker at /status (static).
- scripts/deploy-web.sh: sudo cutover (install vhost, nginx -t, reload,
  certbot --nginx --keep-until-expiring).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

scripts/deploy-web.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# =============================================================================
+# Cut nginx over to serve the PYRE app at / (and the dev tracker at /status).
+# =============================================================================
+# Prereqs: the app is built + running under pm2 (pyre-web:3000, pyre-api:4000),
+# and Phase 0 provisioning already obtained a TLS cert for feedthepyre.com.
+#
+# Run as root:  sudo bash scripts/deploy-web.sh
+# Idempotent + re-runnable.
+# =============================================================================
+set -euo pipefail
+
+DOMAIN="feedthepyre.com"
+WWW_DOMAIN="www.feedthepyre.com"
+REPO_DIR="/home/pyre/pyre"
+CERTBOT_EMAIL="${CERTBOT_EMAIL:-a31s15.roguewave@gmail.com}"
+VHOST_SRC="${REPO_DIR}/infra/nginx/${DOMAIN}.conf"
+VHOST_AVAIL="/etc/nginx/sites-available/${DOMAIN}"
+VHOST_ENABLED="/etc/nginx/sites-enabled/${DOMAIN}"
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Must run as root:  sudo bash ${0}" >&2
+  exit 1
+fi
+
+echo "==> Installing nginx vhost (app at / , tracker at /status , api at /api)"
+install -m 0644 "${VHOST_SRC}" "${VHOST_AVAIL}"
+ln -sfn "${VHOST_AVAIL}" "${VHOST_ENABLED}"
+
+echo "==> nginx -t"
+nginx -t
+systemctl reload nginx
+
+echo "==> Re-applying TLS (certbot mirrors the server to a 443 block; idempotent)"
+certbot --nginx -d "${DOMAIN}" -d "${WWW_DOMAIN}" \
+  --non-interactive --agree-tos -m "${CERTBOT_EMAIL}" \
+  --redirect --keep-until-expiring || {
+    echo "[WARN] certbot did not complete; HTTP is live, re-run once DNS/cert is ready." >&2
+  }
+systemctl reload nginx
+
+echo "Done."
+echo "  https://${DOMAIN}/         -> PYRE app (pm2 pyre-web:3000)"
+echo "  https://${DOMAIN}/api/scan -> API (pm2 pyre-api:4000)"
+echo "  https://${DOMAIN}/status/  -> dev status tracker (static)"