fix(deploy): production CRM deployment improvements

- Fix deploy_crm_only.sh: non-destructive hot reload
  - Enhanced stop logic with pgrep + fuser for port release
  - Added 3-layer verification (process/control/user)
  - Check /proc/$pid/exe for (deleted) marker
  - Never delete DB

- Fix portal script contracts: crm_session → crm_subject
  - deploy_tksea_portal.sh: use $cookie_crm_subject
  - test_tksea_portal_assets.sh: assert crm_subject exists
  - nginx.example.conf: updated trusted subject header

- Add systemd service management
  - sub2api-crm.service.template
  - install_crm_systemd.sh
  - verify_crm_deployment.sh

Update docs/plans/2026-06-04-next-version-plan.md with deployment findings.

deploy/tksea-portal/nginx.sub.tksea.top.conf.example

@@ -8,15 +8,11 @@
 # - /kimi/ 与 /kimi-v1/ 继续保留，兼容旧的 Kimi 专用客户端配置
 #
 # 安全注意事项：
-# - portal-subject 从 cookie 提取，由后端 /api/portal/session/login 设置 httpOnly cookie
+# - X-CRM-Authenticated-Subject 传的是 crm_session（签名 token），CRM 会验签并解出真实 subject
+# - crm_subject 仅供前端展示，不能作为 trusted subject 来源
 # - CRM 验证 X-CRM-Trusted-Proxy header 确保请求来自受信 nginx
 # - 两者必须同时配置才能启用 user-key self-service
 
-# 从 httpOnly cookie 提取 portal subject
-map $http_cookie $portal_subject {
-    default "";
-    ~*crm_session=([^;]+) $1;
-}
 
 location = /portal {
     return 302 /portal/;
@@ -47,7 +43,8 @@ location /portal-proxy/ {
 }
 
 location /portal-admin-api/ {
-    # 必须由受信登录/鉴权层把用户 subject 放进 $portal_subject，不能信任浏览器自带 header。
+    # 必须由受信登录/鉴权层把用户签名放进 $cookie_crm_subject，不能信任浏览器自带 header。
+    # 这是 CRM 配置 TRUSTED_SUBJECT_COOKIE=crm_subject 对应的 cookie 名。
     # 同时 CRM 需配置：
     #   SUB2API_CRM_TRUSTED_SUBJECT_HEADER=X-CRM-Authenticated-Subject
     #   SUB2API_CRM_TRUSTED_PROXY_SECRET_HEADER=X-CRM-Trusted-Proxy
@@ -57,8 +54,8 @@ location /portal-admin-api/ {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
-    # 关键：从验证过的 cookie 提取并注入 subject
-    proxy_set_header X-CRM-Authenticated-Subject $portal_subject;
+    # 关键：注入 portal_auth.go 设置的签名 crm_subject cookie；CRM 会验签并解出 subject
+    proxy_set_header X-CRM-Authenticated-Subject $cookie_crm_subject;
     # 受信代理密钥（必须与 CRM 配置一致）
     proxy_set_header X-CRM-Trusted-Proxy "REPLACE_WITH_64_CHAR_HEX_SECRET";
     proxy_http_version 1.1;