fix: resolve staging deployment issues with Traefik, Loki, and Alloy (refs #105)

- Exclude blue-green.yml from staging Traefik by mounting dynamic-staging/
  directory (only grafana.yml + middleware.yml) instead of dynamic/ which
  contains production-only blue-green routing config
- Disable Loki healthcheck: distroless image has no /bin/sh so CMD-SHELL
  healthchecks cannot execute; Alloy and Grafana verify Loki connectivity
- Fix Alloy healthcheck: replace wget (not in image) with bash /dev/tcp
- Add Grafana staging domain override (logs.staging.motovaultpro.com)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

config/traefik/dynamic-staging/grafana.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    grafana-ipwhitelist:
+      ipAllowList:
+        sourceRange:
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+          - "192.168.0.0/16"

config/traefik/dynamic-staging/middleware.yml

@@ -0,0 +1,173 @@
+http:
+  middlewares:
+    # Security headers middleware
+    secure-headers:
+      headers:
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - PUT
+          - POST
+          - DELETE
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+
+    # CORS middleware for API endpoints
+    cors:
+      headers:
+        accessControlAllowCredentials: true
+        accessControlAllowHeaders:
+          - "Authorization"
+          - "Content-Type"
+          - "X-Requested-With"
+          - "X-Tenant-ID"
+          - "X-Request-Id"
+        accessControlAllowMethods:
+          - "GET"
+          - "POST"
+          - "PUT"
+          - "DELETE"
+          - "OPTIONS"
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        accessControlMaxAge: 100
+
+    # API authentication middleware
+    api-auth:
+      forwardAuth:
+        address: "http://admin-backend:3001/auth/verify"
+        authResponseHeaders:
+          - "X-Auth-User"
+          - "X-Auth-Roles"
+          - "X-Tenant-ID"
+        authRequestHeaders:
+          - "Authorization"
+          - "X-Tenant-ID"
+        trustForwardHeader: true
+
+    # Platform API authentication middleware
+    platform-auth:
+      forwardAuth:
+        address: "http://admin-backend:3001/auth/verify-platform"
+        authResponseHeaders:
+          - "X-Service-Name"
+          - "X-Auth-Scope"
+        authRequestHeaders:
+          - "X-API-Key"
+          - "Authorization"
+        trustForwardHeader: true
+
+    # Rate limiting middleware
+    rate-limit:
+      rateLimit:
+        burst: 100
+        average: 50
+        period: 1m
+
+    # Request/response size limits
+    size-limit:
+      buffering:
+        maxRequestBodyBytes: 26214400  # 25MB
+        maxResponseBodyBytes: 26214400  # 25MB
+
+    # IP whitelist for development (optional)
+    local-ips:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "10.0.0.0/8"
+          - "172.16.0.0/12"
+          - "192.168.0.0/16"
+
+    # Advanced security headers for production
+    security-headers-strict:
+      headers:
+        accessControlAllowCredentials: false
+        accessControlAllowMethods:
+          - GET
+          - POST
+          - OPTIONS
+        accessControlAllowOriginList:
+          - "https://admin.motovaultpro.com"
+          - "https://motovaultpro.com"
+        browserXssFilter: true
+        contentTypeNosniff: true
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+        customResponseHeaders:
+          X-Frame-Options: DENY
+          X-Content-Type-Options: nosniff
+          Referrer-Policy: strict-origin-when-cross-origin
+          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
+        forceSTSHeader: true
+        frameDeny: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+
+    # Circuit breaker for reliability
+    circuit-breaker:
+      circuitBreaker:
+        expression: "NetworkErrorRatio() > 0.3 || ResponseCodeRatio(500, 600, 0, 600) > 0.3"
+        checkPeriod: 30s
+        fallbackDuration: 10s
+        recoveryDuration: 30s
+
+    # Request retry for resilience
+    retry-policy:
+      retry:
+        attempts: 3
+        initialInterval: 100ms
+
+    # Compress responses for performance
+    compression:
+      compress: {}
+
+    # Health check middleware chain
+    health-check-chain:
+      chain:
+        middlewares:
+          - compression
+          - secure-headers
+
+    # API middleware chain
+    api-chain:
+      chain:
+        middlewares:
+          - compression
+          - security-headers-strict
+          - cors
+          - rate-limit
+          - api-auth
+          - retry-policy
+
+    # Platform API middleware chain
+    platform-chain:
+      chain:
+        middlewares:
+          - compression
+          - security-headers-strict
+          - rate-limit
+          - platform-auth
+          - circuit-breaker
+          - retry-policy
+
+    # Public frontend middleware chain
+    frontend-chain:
+      chain:
+        middlewares:
+          - compression
+          - secure-headers