
feat(H-005): add Lightsail provisioning/hardening scripts and D0 runbook #48

Merged: dashprotocol merged 1 commit into main from feat/H-005-lightsail-user-hardening on May 26, 2026

Conversation

@dashprotocol (Owner)

Summary

Implements feat/H-005 (Provision Lightsail + host hardening) with reproducible scripts and documentation for deploy gate D0.

What changed

  • Added Lightsail provisioning helper:
    • infra/create-instance.sh
    • Creates instance + static IP
    • Enforces exact public port allowlist (22/80/443 by default) via put-instance-public-ports
    • Supports optional SSH CIDR restriction (SSH_CIDR)
  • Added host hardening script:
    • infra/provision.sh
    • Applies updates, enables unattended upgrades
    • Creates havenadmin, configures SSH hardening
    • Configures UFW + fail2ban
    • Includes runtime fix for /run/sshd
    • Adds operator note to set local sudo password for havenadmin
  • Added runbook:
    • docs/runbook/H-005-lightsail-provision.md
    • UI-first + script-assisted flow
    • D0 checklist and validation commands
    • Rollback/recovery guidance
  • Added ticket implementation plan:
    • docs/tickets/feat-H-005-implementation-plan.md
  • Updated README with optional AWS CLI dependency + infra section:
    • README.md

Security notes

  • No secrets/private keys committed.
  • Runbook is sanitized and explicitly calls out secret handling.
  • Dual-layer firewall posture documented (Lightsail + UFW).

Validation

  • bash -n infra/create-instance.sh
  • bash -n infra/provision.sh
  • Manual host validation completed against D0 checks:
    • UFW only allows required ports
    • root SSH login denied
    • password auth disabled
    • unattended-upgrades active
    • fail2ban sshd jail active
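The D0 checks listed under Validation above (root SSH login denied, password auth disabled, UFW allows only the required ports, fail2ban sshd jail active, unattended-upgrades active), written as an added example that is not part of PR #48 and is not the project's own infra/provision.sh. Each check parses the captured output of the relevant command rather than calling it directly, so the logic can be exercised offline against constructed sample text; the function names, the D0_LIVE switch and the sample outputs are assumptions made here, and the 22/80/443 allowlist is taken from the PR description.

```bash
#!/usr/bin/env bash
# Added example (not from PR #48): offline-testable versions of the D0 checks.
# The check functions take command output as text; set D0_LIVE=1 on a hardened
# host to feed them live output instead of the constructed samples below.

# PASS when the effective sshd config (output of `sshd -T`) has
# PermitRootLogin=no and PasswordAuthentication=no. `sshd -T` is parsed instead
# of sshd_config so that Include'd drop-ins and compiled-in defaults are honoured.
check_sshd_config() {
  local cfg="$1" root pass
  root=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="permitrootlogin" {print tolower($2)}' | tail -n 1)
  pass=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="passwordauthentication" {print tolower($2)}' | tail -n 1)
  [ "$root" = "no" ] && [ "$pass" = "no" ]
}

# PASS when UFW is active and the set of ALLOW'd ports (v4 and v6 rules) is
# exactly the expected allowlist, e.g. "22 80 443". Any extra open port fails.
check_ufw_allowlist() {
  local status="$1" expected="$2" got want
  printf '%s\n' "$status" | grep -q '^Status: active' || return 1
  got=$(printf '%s\n' "$status" \
        | awk '/[[:space:]]ALLOW[[:space:]]/ {sub(/\/(tcp|udp)$/, "", $1); print $1}' \
        | sort -un)
  # shellcheck disable=SC2086  # word-splitting of $expected is intended
  want=$(printf '%s\n' $expected | sort -un)
  [ "$got" = "$want" ]
}

# PASS when `fail2ban-client status` lists a jail named exactly "sshd".
check_fail2ban_sshd() {
  printf '%s\n' "$1" | awk -F'Jail list:' '
    /Jail list:/ { n = split($2, a, /[[:space:],]+/); for (i = 1; i <= n; i++) if (a[i] == "sshd") found = 1 }
    END { exit found ? 0 : 1 }'
}

# --- constructed sample outputs (not captured from a real host) ---
SAMPLE_SSHD_OK=$(printf 'port 22\npermitrootlogin no\npasswordauthentication no\npubkeyauthentication yes\n')
SAMPLE_SSHD_BAD=$(printf 'port 22\npermitrootlogin prohibit-password\npasswordauthentication yes\n')
SAMPLE_UFW_OK=$(printf 'Status: active\n\nTo                         Action      From\n--                         ------      ----\n22/tcp                     ALLOW       Anywhere\n80/tcp                     ALLOW       Anywhere\n443/tcp                    ALLOW       Anywhere\n22/tcp (v6)                ALLOW       Anywhere (v6)\n80/tcp (v6)                ALLOW       Anywhere (v6)\n443/tcp (v6)               ALLOW       Anywhere (v6)\n')
SAMPLE_UFW_BAD=$(printf '%s\n8080/tcp                   ALLOW       Anywhere\n' "$SAMPLE_UFW_OK")
SAMPLE_F2B_OK=$(printf 'Status\n|- Number of jail:\t1\n`- Jail list:\tsshd\n')

# Runs one check and prints PASS/FAIL without aborting the remaining checks.
report() { local name="$1"; shift; if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fi; }

if [ "${D0_LIVE:-0}" = 1 ]; then
  # On the hardened host (run as root: sshd -T and fail2ban-client need it).
  report "sshd: root login + password auth disabled" check_sshd_config "$(sshd -T 2>/dev/null)"
  report "ufw: allowlist is exactly 22/80/443"      check_ufw_allowlist "$(ufw status)" "22 80 443"
  report "fail2ban: sshd jail configured"           check_fail2ban_sshd "$(fail2ban-client status)"
  report "unattended-upgrades active"               systemctl is-active --quiet unattended-upgrades
else
  report "sample sshd config (hardened)"            check_sshd_config "$SAMPLE_SSHD_OK"
  report "sample sshd config (not hardened)"        check_sshd_config "$SAMPLE_SSHD_BAD"
  report "sample ufw allowlist (exact)"             check_ufw_allowlist "$SAMPLE_UFW_OK" "22 80 443"
  report "sample ufw allowlist (extra port 8080)"   check_ufw_allowlist "$SAMPLE_UFW_BAD" "22 80 443"
  report "sample fail2ban status"                   check_fail2ban_sshd "$SAMPLE_F2B_OK"
fi
```

Run without arguments to exercise the parsers on the samples (the "not hardened" and "extra port" lines are expected to print FAIL), or as `sudo D0_LIVE=1 ./d0-checks.sh` on the provisioned host. The UFW check deliberately compares the full ALLOW set rather than just confirming 22/80/443 are present, so a stray rule added after provisioning is caught; if SSH_CIDR restriction is in use, the `From` column would also be worth asserting on, which this example does not do.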

@dashprotocol dashprotocol merged commit a9f3ddb into main May 26, 2026
5 checks passed
@dashprotocol dashprotocol deleted the feat/H-005-lightsail-user-hardening branch May 26, 2026 03:53
@dashprotocol dashprotocol linked an issue May 26, 2026 that may be closed by this pull request

Development

Successfully merging this pull request may close these issues.

H-005 Provision Lightsail and host hardening
