Wire maintenance page into deploy script as a dynamic toggle

Replaces the earlier auto-fallback-on-upstream-error approach with an
explicit flag-file toggle controlled by the deploy script. The flag
is touched before stopping the app and removed on successful finish
(or via trap if the deploy aborts), so a failed deploy doesn't strand
the site in maintenance.

- nginx/goodwalk.co.nz.svelte.conf.example: error_page 503 routes to
  /maintenance.html (internal); /m/ serves static maintenance assets;
  the / and /api/submit blocks return 503 when /etc/nginx/conf.d/
  maintenance.flag exists.
- nginx/maintenance.html: brand-styled "Be right back" page — full
  Goodwalk green background, white card with yellow accent, real
  Goodwalk logo, contact details fallback, auto-reload after 60s.
- nginx/logo.png: maintenance-time logo (served from /m/logo.png).
- nginx/nginx.conf: reverted the earlier auto-fallback edits; this
  file is not deployed (the prod conf is goodwalk.co.nz.svelte.conf
  .example).
- scripts/deploy-remote.sh: copies maintenance.html + logo into the
  nginx container, reloads nginx so the new conf is live, touches
  the flag, then runs the rebuild, then clears the flag. Adds a
  trap-based clear_maintenance_flag fallback. Also adds a defensive
  env-file merger that appends new keys from deploy.env.template
  without clobbering live values, with a timestamped .env backup.

Plus a small a11y polish unrelated to maintenance:
- ServicesSection: "Learn more" links now include screen-reader-only
  "about <Service>" context.
- base.css: adds .visually-hidden utility class.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

scripts/deploy-remote.sh

@@ -114,8 +114,19 @@ else
 fi
 
 STAGING_DIR="$(mktemp -d "${TMPDIR:-/tmp}/goodwalk-deploy.XXXXXX")"
+MAINTENANCE_ACTIVE=0
+
+clear_maintenance_flag() {
+  if (( MAINTENANCE_ACTIVE )) && (( nginx_args_present )); then
+    echo "[deploy-remote] Clearing maintenance flag"
+    "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" \
+      exec -T nginx rm -f /etc/nginx/conf.d/maintenance.flag || true
+    MAINTENANCE_ACTIVE=0
+  fi
+}
 
 cleanup() {
+  clear_maintenance_flag
   rm -rf "$STAGING_DIR"
 }
 
@@ -182,6 +193,70 @@ if [[ ! -f "$DEPLOY_PATH/.env" ]]; then
   fi
 fi
 
+merge_env_file() {
+  local template="$1"
+  local live="$2"
+
+  [[ -f "$template" ]] || { echo "[deploy-remote] No env template at $template, skipping merge"; return 0; }
+  [[ -f "$live" ]] || { echo "[deploy-remote] No live .env at $live, skipping merge"; return 0; }
+
+  local added diffs backup
+  added="$(mktemp)"
+  diffs="$(mktemp)"
+  backup="${live}.bak.$(date -u +%Y%m%dT%H%M%SZ)"
+
+  awk -v live="$live" -v added_log="$added" -v diff_log="$diffs" '
+    function trim(s) { sub(/^[ \t]+/,"",s); sub(/[ \t]+$/,"",s); return s }
+    BEGIN {
+      while ((getline line < live) > 0) {
+        if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
+        eq = index(line, "=")
+        if (eq == 0) continue
+        k = trim(substr(line, 1, eq-1))
+        v = substr(line, eq+1)
+        live_keys[k] = v
+        live_seen[k] = 1
+      }
+      close(live)
+    }
+    /^[ \t]*#/ || /^[ \t]*$/ { next }
+    {
+      eq = index($0, "=")
+      if (eq == 0) next
+      k = trim(substr($0, 1, eq-1))
+      v = substr($0, eq+1)
+      if (!(k in live_seen)) {
+        print k "=" v >> added_log
+      } else if (live_keys[k] != v) {
+        print k "  (template=" v "  |  live=" live_keys[k] ")" >> diff_log
+      }
+    }
+  ' "$template"
+
+  if [[ -s "$added" ]]; then
+    cp "$live" "$backup"
+    echo "[deploy-remote] Adding env keys present in template but missing from $live:"
+    sed 's/^/    + /' "$added"
+    {
+      printf '\n# Appended by deploy-remote.sh on %s from deploy.env.template\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      cat "$added"
+    } >> "$live"
+    echo "[deploy-remote] Backup of previous .env written to $backup"
+  else
+    echo "[deploy-remote] .env is up to date with template (no missing keys)"
+  fi
+
+  if [[ -s "$diffs" ]]; then
+    echo "[deploy-remote] NOTE: these keys exist in both files but values differ. Live values are PRESERVED:"
+    sed 's/^/    ! /' "$diffs"
+    echo "[deploy-remote] If a live value is stale (e.g. an old OWNER_EMAIL), edit $live and re-deploy."
+  fi
+
+  rm -f "$added" "$diffs"
+}
+
+merge_env_file "$DEPLOY_PATH/deploy.env.template" "$DEPLOY_PATH/.env"
+
 cd "$DEPLOY_PATH"
 
 echo "[deploy-remote] Validating compose configuration"
@@ -194,6 +269,39 @@ if [[ -n "$SERVICE_NAME" ]]; then
   fi
 fi
 
+if (( nginx_args_present )); then
+  [[ -f "$DEPLOY_PATH/$NGINX_SOURCE" ]] || fail "Nginx config missing from deployment payload: $DEPLOY_PATH/$NGINX_SOURCE"
+  [[ -f "$NGINX_COMPOSE_FILE" ]] || fail "Nginx compose file was not found on the server: $NGINX_COMPOSE_FILE"
+
+  MAINTENANCE_HTML_SRC="$DEPLOY_PATH/nginx/maintenance.html"
+  MAINTENANCE_LOGO_SRC="$DEPLOY_PATH/nginx/logo.png"
+  [[ -f "$MAINTENANCE_HTML_SRC" ]] || fail "Maintenance page missing from deployment payload: $MAINTENANCE_HTML_SRC"
+  [[ -f "$MAINTENANCE_LOGO_SRC" ]] || fail "Maintenance logo missing from deployment payload: $MAINTENANCE_LOGO_SRC"
+
+  echo "[deploy-remote] Updating shared nginx config (pre-rebuild) so maintenance routing is active"
+  mkdir -p "$(dirname "$NGINX_TARGET")"
+  cp "$DEPLOY_PATH/$NGINX_SOURCE" "$NGINX_TARGET"
+
+  echo "[deploy-remote] Installing maintenance page assets into nginx container"
+  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" \
+    exec -T nginx mkdir -p /var/www/html/m
+  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" \
+    cp "$MAINTENANCE_HTML_SRC" nginx:/var/www/html/maintenance.html
+  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" \
+    cp "$MAINTENANCE_LOGO_SRC" nginx:/var/www/html/m/logo.png
+
+  echo "[deploy-remote] Validating nginx configuration"
+  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" exec -T nginx nginx -t
+
+  echo "[deploy-remote] Reloading shared nginx so the new config (incl. maintenance routing) is live"
+  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" exec -T nginx nginx -s reload
+
+  echo "[deploy-remote] Engaging maintenance page (touch maintenance.flag)"
+  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" \
+    exec -T nginx touch /etc/nginx/conf.d/maintenance.flag
+  MAINTENANCE_ACTIVE=1
+fi
+
 if [[ -n "$SERVICE_NAME" ]]; then
   echo "[deploy-remote] Stopping only the Goodwalk service: $SERVICE_NAME"
   "${COMPOSE_CMD[@]}" -p "$PROJECT_NAME" -f "$COMPOSE_FILE" stop "$SERVICE_NAME" || true
@@ -216,19 +324,6 @@ if [[ -z "$SERVICE_NAME" || "$SERVICE_NAME" == "app" || "$SERVICE_NAME" == "db"
   "${COMPOSE_CMD[@]}" -p "$PROJECT_NAME" -f "$COMPOSE_FILE" exec -T app node scripts/sync-homepage-content.mjs
 fi
 
-if (( nginx_args_present )); then
-  [[ -f "$DEPLOY_PATH/$NGINX_SOURCE" ]] || fail "Nginx config missing from deployment payload: $DEPLOY_PATH/$NGINX_SOURCE"
-  [[ -f "$NGINX_COMPOSE_FILE" ]] || fail "Nginx compose file was not found on the server: $NGINX_COMPOSE_FILE"
-
-  echo "[deploy-remote] Updating shared nginx config to avoid stale container IPs"
-  mkdir -p "$(dirname "$NGINX_TARGET")"
-  cp "$DEPLOY_PATH/$NGINX_SOURCE" "$NGINX_TARGET"
-
-  echo "[deploy-remote] Validating nginx configuration"
-  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" exec -T nginx nginx -t
-
-  echo "[deploy-remote] Reloading shared nginx"
-  "${COMPOSE_CMD[@]}" -p "$NGINX_PROJECT_NAME" -f "$NGINX_COMPOSE_FILE" exec -T nginx nginx -s reload
-fi
+clear_maintenance_flag
 
 echo "[deploy-remote] Remote deployment finished"