Deny access to .git, deploy/, and deploy-pull.sh

Prevents leaking repo history, the docker-compose / nginx config, and
the auto-pull script via the publicly served root.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/nginx.conf

@@ -7,6 +7,12 @@ server {
 
     charset utf-8;
 
+    # Deny access to repo metadata, deploy scripts/configs, and dotfiles
+    location ~ /\.git { deny all; return 404; }
+    location ~ /\.    { deny all; return 404; }
+    location ^~ /deploy/   { deny all; return 404; }
+    location = /deploy-pull.sh { deny all; return 404; }
+
     location = / {
         try_files /facere.html =404;
     }