feat(automation): lock staging to SSH tunnel + dev banner + desktop shortcut

- staging-up.sh binds the dev server to 127.0.0.1 (tunnel-only, no public access)
  and sets NEXT_PUBLIC_ENV_LABEL so the 'INTERNAL DEV / STAGING - NOT PRODUCTION'
  banner shows.
- staging-tunnel.cmd: Windows launcher that opens the SSH tunnel + browser
  (wired to a desktop shortcut).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

automation/README.md

@@ -93,10 +93,14 @@ before a release tag deploys them to prod.
   (`pelagia_test`), safe dev mode (console email, local storage, SSO disabled).
 - Refresh to newer master + restart: re-run `~/issue-watcher/staging-up.sh`.
 - Stop: `pm2 delete ppms-staging`.
-- Access: bound to all interfaces, so reachable at `http://<pms1-ip>:3200`. This is
-  **plain HTTP with prod-mirror data behind login** — for a private setup, restrict
-  to localhost (`pnpm dev -p 3200 -H 127.0.0.1` in `run-staging.sh`) and reach it via
-  `ssh -L 3200:localhost:3200 …` instead.
+- **Access is SSH-tunnel only** — the dev server binds to `127.0.0.1:3200`, so it is
+  not reachable from the public internet. Open a tunnel and browse `http://localhost:3200`:
+  `ssh -L 3200:localhost:3200 shad0w@<pms1>`. On Windows, the desktop shortcut
+  **"Pelagia Staging (tunnel)"** (`automation/staging-tunnel.cmd`) opens the tunnel and
+  the browser in one click.
+- A fixed banner **"INTERNAL DEV / STAGING - NOT PRODUCTION"** is shown (driven by
+  `NEXT_PUBLIC_ENV_LABEL` in the staging `.env`; the `EnvBanner` component renders nothing
+  when the var is unset, so production is unaffected).
 - Log in with a password user (SSO is off here), e.g. `admin@pelagiamarine.com`.
 
 ## Issue label lifecycle

automation/staging-tunnel.cmd

@@ -0,0 +1,15 @@
+@echo off
+title Pelagia Staging Tunnel (localhost:3200)
+echo ============================================================
+echo   Pelagia Portal - STAGING  (internal dev only)
+echo   Tunneling pms1 port 3200 to http://localhost:3200
+echo   Keep this window OPEN while testing. Close it to disconnect.
+echo ============================================================
+echo.
+echo Connecting... your browser will open in a few seconds.
+REM Open the browser shortly after the tunnel comes up.
+start "" cmd /c "ping -n 6 127.0.0.1 >nul & explorer http://localhost:3200"
+ssh -i "%USERPROFILE%\.ssh\peliagia_portal_ubuntu22_ed25519" -o StrictHostKeyChecking=accept-new -N -L 3200:localhost:3200 shad0w@87.76.191.133
+echo.
+echo Tunnel closed. You can close this window.
+pause

automation/staging-up.sh

@@ -42,17 +42,20 @@ AZURE_AD_CLIENT_SECRET="dev-placeholder"
 AZURE_AD_TENANT_ID="dev-placeholder"
 DATABASE_URL="$TEST_URL"
 GST_SERVICE_URL="http://localhost:3003"
+NEXT_PUBLIC_ENV_LABEL="INTERNAL DEV / STAGING - NOT PRODUCTION"
 PORT=$PORT
 EOF
     chmod 600 "$DIR/App/.env"
 fi
 
 # pm2-run wrapper so the dev server always gets nvm on PATH and the right port.
+# Bind to 127.0.0.1 only -- staging is reachable solely via SSH tunnel
+# (ssh -L 3200:localhost:3200 ...), never directly from the public internet.
 cat > "$DIR/App/run-staging.sh" <<EOF
 #!/usr/bin/env bash
 export NVM_DIR="\$HOME/.nvm"; . "\$NVM_DIR/nvm.sh"
 cd "$DIR/App"
-exec pnpm dev -p $PORT
+exec pnpm dev -p $PORT -H 127.0.0.1
 EOF
 chmod +x "$DIR/App/run-staging.sh"