fix(deploy): production CRM deployment improvements

- Fix deploy_crm_only.sh: non-destructive hot reload
  - Enhanced stop logic with pgrep + fuser for port release
  - Added 3-layer verification (process/control/user)
  - Check /proc/$pid/exe for (deleted) marker
  - Never delete DB

- Fix portal script contracts: crm_session → crm_subject
  - deploy_tksea_portal.sh: use $cookie_crm_subject
  - test_tksea_portal_assets.sh: assert crm_subject exists
  - nginx.example.conf: updated trusted subject header

- Add systemd service management
  - sub2api-crm.service.template
  - install_crm_systemd.sh
  - verify_crm_deployment.sh

Update docs/plans/2026-06-04-next-version-plan.md with deployment findings.

scripts/deploy/sub2api-crm.service.template

@@ -0,0 +1,28 @@
+[Unit]
+Description=Sub2API CRM API Server (Port 18190)
+After=network.target
+
+[Service]
+Type=simple
+User=ubuntu
+Group=ubuntu
+WorkingDirectory=/home/ubuntu/crm-only-20260602_18190
+EnvironmentFile=/home/ubuntu/crm-only-20260602_18190/.env.crm
+Environment="PATH=/usr/local/bin:/usr/bin:/bin"
+ExecStart=/home/ubuntu/crm-only-20260602_18190/sub2api-cn-relay-manager-server
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/home/ubuntu/crm-only-20260602_18190/crm.log
+StandardError=append:/home/ubuntu/crm-only-20260602_18190/crm.log
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/home/ubuntu/crm-only-20260602_18190
+
+[Install]
+WantedBy=multi-user.target