fix(deploy): production CRM deployment improvements

- Fix deploy_crm_only.sh: non-destructive hot reload
  - Enhanced stop logic with pgrep + fuser for port release
  - Added 3-layer verification (process/control/user)
  - Check /proc/$pid/exe for (deleted) marker
  - Never delete DB

- Fix portal script contracts: crm_session → crm_subject
  - deploy_tksea_portal.sh: use $cookie_crm_subject
  - test_tksea_portal_assets.sh: assert crm_subject exists
  - nginx.example.conf: updated trusted subject header

- Add systemd service management
  - sub2api-crm.service.template
  - install_crm_systemd.sh
  - verify_crm_deployment.sh

Update docs/plans/2026-06-04-next-version-plan.md with deployment findings.

scripts/deploy/install_crm_systemd.sh

@@ -0,0 +1,135 @@
+#!/bin/bash
+# install_crm_systemd.sh - 安装 CRM systemd 服务
+# Usage: sudo ./install_crm_systemd.sh [crm_dir]
+
+set -e
+
+CRM_DIR="${1:-/home/ubuntu/crm-only-20260602_18190}"
+SERVICE_NAME="sub2api-crm"
+SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
+ENV_FILE="${CRM_DIR}/.env.crm"
+
+echo "=== Installing Sub2API CRM systemd service ==="
+echo "CRM Directory: ${CRM_DIR}"
+echo "Service File: ${SERVICE_FILE}"
+
+# 检查是否为 root
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run with sudo"
+    exit 1
+fi
+
+# 检查目录存在
+if [ ! -d "${CRM_DIR}" ]; then
+    echo "ERROR: Directory ${CRM_DIR} does not exist"
+    exit 1
+fi
+
+# 检查可执行文件存在
+if [ ! -x "${CRM_DIR}/sub2api-cn-relay-manager-server" ]; then
+    echo "ERROR: Binary not found or not executable"
+    exit 1
+fi
+
+# 停止现有 nohup 进程
+echo "Stopping existing CRM processes..."
+pkill -f 'sub2api-cn-relay-manager-server' 2>/dev/null || true
+sleep 2
+
+# 从目录名提取端口
+PORT=$(echo "${CRM_DIR}" | grep -oE '[0-9]+' | tail -1)
+if [ -z "${PORT}" ]; then
+    PORT="18190"
+fi
+echo "Detected port: ${PORT}"
+
+# 获取运行用户
+RUN_USER=$(stat -c '%U' "${CRM_DIR}")
+echo "Run user: ${RUN_USER}"
+
+# 检查环境变量文件
+if [ ! -f "${ENV_FILE}" ]; then
+    echo "ERROR: Environment file ${ENV_FILE} not found"
+    exit 1
+fi
+
+# 创建 systemd service 文件
+cat > "${SERVICE_FILE}" << EOF
+[Unit]
+Description=Sub2API CRM API Server (Port ${PORT})
+After=network.target
+
+[Service]
+Type=simple
+User=${RUN_USER}
+Group=${RUN_USER}
+WorkingDirectory=${CRM_DIR}
+EnvironmentFile=${ENV_FILE}
+Environment="PATH=/usr/local/bin:/usr/bin:/bin"
+ExecStart=${CRM_DIR}/sub2api-cn-relay-manager-server
+ExecReload=/bin/kill -HUP \$MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:${CRM_DIR}/crm.log
+StandardError=append:${CRM_DIR}/crm.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=${CRM_DIR}
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo "Service file created: ${SERVICE_FILE}"
+
+# 重新加载 systemd
+systemctl daemon-reload
+
+# 启用服务
+systemctl enable "${SERVICE_NAME}"
+echo "Service enabled"
+
+# 启动服务
+echo "Starting service..."
+systemctl start "${SERVICE_NAME}"
+sleep 3
+
+# 验证服务状态
+if systemctl is-active --quiet "${SERVICE_NAME}"; then
+    echo "✓ Service is running"
+else
+    echo "ERROR: Service failed to start"
+    systemctl status "${SERVICE_NAME}" --no-pager
+    exit 1
+fi
+
+# 验证端口监听
+if ss -tlnp | grep -q ":${PORT}"; then
+    echo "✓ Port ${PORT} is listening"
+else
+    echo "WARNING: Port ${PORT} not listening"
+fi
+
+# 健康检查
+echo "Health check..."
+for i in 1 2 3; do
+    if curl -fsS "http://127.0.0.1:${PORT}/healthz" -m 2 >/dev/null 2>&1; then
+        echo "✓ Health check passed"
+        break
+    fi
+    sleep 2
+done
+
+echo ""
+echo "=== Installation complete ==="
+echo "Commands:"
+echo "  systemctl status ${SERVICE_NAME}  - View status"
+echo "  systemctl stop ${SERVICE_NAME}    - Stop service"
+echo "  systemctl start ${SERVICE_NAME}   - Start service"
+echo "  systemctl restart ${SERVICE_NAME} - Restart service"
+echo "  journalctl -u ${SERVICE_NAME} -f  - View logs"