ops(dev): docker-compose.dev.yml + deploy.sh-Branch-Guard

Container-Duplikation fuer v1.x-Entwicklung:
- docker-compose.dev.yml: eigener Container gwoe-antragspruefer-dev,
  Traefik-Host gwoe-dev.toppyr.de, Keycloak-Client gwoe-antragspruefer-dev,
  ohne SMTP (Mail aus Dev = gar nicht), GITEA_FEEDBACK_LABELS=feedback,dev.
- scripts/deploy.sh: Branch-Guard verhindert Prod-Deploy aus main; Prod
  geht nur aus release/1.0 (oder mit --force).

Dev-Server zieht main per Cron alle 5 Minuten und baut neu.

docker-compose.dev.yml

@@ -0,0 +1,44 @@
+# Dev-Compose fuer gwoe-dev.toppyr.de.
+# Auto-Deploy via Cron: docker compose -f docker-compose.dev.yml up -d --build
+# Datenbank, Wahlprogramme, Reports: separate Volumes (am Server: /opt/gwoe-antragspruefer-dev/{data,reports})
+# Mail: bewusst nicht aktiv (kein SMTP-Block)
+# Keycloak: eigener Public-Client gwoe-antragspruefer-dev
+services:
+  gwoe-antragspruefer-dev:
+    build: .
+    container_name: gwoe-antragspruefer-dev
+    restart: unless-stopped
+    stop_grace_period: 15m
+    environment:
+      - DASHSCOPE_API_KEY=${DASHSCOPE_API_KEY}
+      - KEYCLOAK_URL=https://sso.toppyr.de
+      - KEYCLOAK_REALM=collaboration
+      - KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID:-gwoe-antragspruefer-dev}
+      - KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}
+      - KEYCLOAK_ADMIN_USER=${KEYCLOAK_ADMIN_USER}
+      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
+      - EMBEDDING_MODEL_WRITE=${EMBEDDING_MODEL_WRITE:-text-embedding-v4}
+      - EMBEDDING_MODEL_READ=${EMBEDDING_MODEL_READ:-text-embedding-v3}
+      - BASE_URL=${BASE_URL:-https://gwoe-dev.toppyr.de}
+      - GITEA_TOKEN=${GITEA_TOKEN}
+      - GITEA_API_URL=${GITEA_API_URL:-https://repo.toppyr.de/api/v1}
+      - GITEA_REPO_OWNER=${GITEA_REPO_OWNER:-tobias}
+      - GITEA_REPO_NAME=${GITEA_REPO_NAME:-gwoe-antragspruefer}
+      - GITEA_FEEDBACK_LABELS=${GITEA_FEEDBACK_LABELS:-feedback,dev}
+      - APP_ENV=dev
+    volumes:
+      - ./data:/app/data
+      - ./reports:/app/reports
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.gwoe-dev.rule=Host(`gwoe-dev.toppyr.de`)"
+      - "traefik.http.routers.gwoe-dev.entrypoints=websecure"
+      - "traefik.http.routers.gwoe-dev.tls=true"
+      - "traefik.http.routers.gwoe-dev.tls.certresolver=letsencrypt"
+      - "traefik.http.services.gwoe-dev.loadbalancer.server.port=8000"
+    networks:
+      - collaboration_collaboration
+
+networks:
+  collaboration_collaboration:
+    external: true

scripts/deploy.sh

@@ -24,6 +24,28 @@ fi
 
 cd "$PROJECT_DIR"
 
+# Branch-Guard: Prod (gwoe.toppyr.de) ist auf release/1.0 festgelegt.
+# 1.x-Entwicklung laeuft auf gwoe-dev.toppyr.de via Cron-Auto-Deploy aus main.
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
+EXPECTED_BRANCH="release/1.0"
+if [ "${1:-}" = "--force" ]; then
+    shift
+    echo "⚠  --force aktiv: Branch-Guard übersprungen ($CURRENT_BRANCH)"
+elif [ "$CURRENT_BRANCH" != "$EXPECTED_BRANCH" ]; then
+    cat <<EOF
+✗ Prod-Deploy abgebrochen: lokal aktiv ist '$CURRENT_BRANCH', erwartet '$EXPECTED_BRANCH'.
+
+Prod (gwoe.toppyr.de) ist auf release/1.0 festgelegt. Vor einem Deploy:
+    git checkout release/1.0
+
+Fuer Dev (gwoe-dev.toppyr.de) braucht es kein deploy.sh — der Server zieht
+main per Cron alle 5 Minuten.
+
+Mit --force kann der Guard ueberbruckt werden (nur in Notfaellen).
+EOF
+    exit 1
+fi
+
 echo "=== GWÖ-Antragsprüfer Deploy ==="
 
 # 1. Uptime Kuma auf Wartung setzen