
Add S3 Terraform scaffolding and D2 runbook#51

Merged
dashprotocol merged 1 commit into main from feat/H-008-S3-design-IaC-scaffolding on May 28, 2026

Conversation

@dashprotocol
Owner

Summary

Implements H-008 as design + IaC scaffolding for secure S3 storage, with provisioning explicitly deferred until D2 (upload flow gate).

What Changed

Terraform resources/policies include:

  • S3 bucket: havenhold-{env}-{account-id}
  • BlockPublicAccess on all 4 flags
  • BucketOwnerEnforced ACL model
  • SSE-KMS (aws:kms with AWS-managed aws/s3) + bucket_key_enabled
  • HTTPS-only bucket policy (aws:SecureTransport=false deny)
  • IAM user havenhold-api with prefix-scoped object access to:
    • uploads/*
    • exports/*
    • temp/*

Env scaffolding

Runbook

  • Added s3-iam.md covering:
    • D0 scaffolding verification
    • D2 apply + validation commands
    • positive/negative IAM tests
    • access key rotation
    • rollback/teardown paths
    • local backend -> S3 backend state migration sequence

Verification

D0 verification completed:

  • terraform plan result: 7 to add, 0 to change, 0 to destroy
  • Security settings present in plan output:
    • all public-access-block flags true
    • BucketOwnerEnforced
    • sse_algorithm = "aws:kms" + bucket_key_enabled = true
    • force_destroy = false

Scope Boundary

This PR is D0 scaffolding only:

  • terraform apply is intentionally deferred to D2
  • no live AWS resources are created in D0
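As an added check (not code from this PR or the repository), the following Python script reads `terraform show -json` plan output and confirms each D0 security setting the description lists: all four public-access-block flags, BucketOwnerEnforced, SSE-KMS with bucket keys, force_destroy off, and the HTTPS-only Deny statement. The embedded plan is a constructed sample trimmed to the S3 resources; the attribute names follow the AWS provider's schema and are assumptions, not taken from the PR.

```python
import json

# Constructed sample of `terraform show -json plan.out` output (S3 resources only; IAM omitted).
SAMPLE_PLAN = {"resource_changes": [
    {"type": "aws_s3_bucket", "change": {"actions": ["create"], "after": {"force_destroy": False}}},
    {"type": "aws_s3_bucket_public_access_block", "change": {"actions": ["create"], "after": {
        "block_public_acls": True, "block_public_policy": True,
        "ignore_public_acls": True, "restrict_public_buckets": True}}},
    {"type": "aws_s3_bucket_ownership_controls", "change": {"actions": ["create"], "after": {
        "rule": [{"object_ownership": "BucketOwnerEnforced"}]}}},
    {"type": "aws_s3_bucket_server_side_encryption_configuration", "change": {"actions": ["create"],
        "after": {"rule": [{"bucket_key_enabled": True,
                            "apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}},
    {"type": "aws_s3_bucket_policy", "change": {"actions": ["create"], "after": {"policy": json.dumps(
        {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
                        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}}},
]}

PUBLIC_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")
REQUIRED = ("aws_s3_bucket_public_access_block", "aws_s3_bucket_ownership_controls",
            "aws_s3_bucket_server_side_encryption_configuration", "aws_s3_bucket_policy")

def _after(plan, rtype):
    # Planned post-apply attributes of every resource of the given type.
    return [rc["change"]["after"] for rc in plan["resource_changes"] if rc["type"] == rtype]

def check_plan(plan):
    """Return a list of findings; an empty list means every required control is present."""
    findings = [f"missing resource: {t}" for t in REQUIRED if not _after(plan, t)]
    findings += ["bucket: force_destroy must be false" for b in _after(plan, "aws_s3_bucket")
                 if b.get("force_destroy") is not False]
    for p in _after(plan, "aws_s3_bucket_public_access_block"):
        findings += [f"public access block: {f} is not true" for f in PUBLIC_FLAGS if p.get(f) is not True]
    own = [r.get("object_ownership") for o in _after(plan, "aws_s3_bucket_ownership_controls") for r in o["rule"]]
    findings += [f"ownership controls: {v}" for v in own if v != "BucketOwnerEnforced"]
    for s in _after(plan, "aws_s3_bucket_server_side_encryption_configuration"):
        for r in s["rule"]:
            algs = [d.get("sse_algorithm") for d in r["apply_server_side_encryption_by_default"]]
            if algs != ["aws:kms"] or r.get("bucket_key_enabled") is not True:
                findings.append(f"encryption: sse={algs} bucket_key_enabled={r.get('bucket_key_enabled')}")
    # The HTTPS-only control is a Deny statement conditioned on aws:SecureTransport being false;
    # the policy attribute is a JSON string in plan output, so it is parsed here.
    tls_deny = any(
        st.get("Effect") == "Deny"
        and st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") in ("false", False)
        for pol in _after(plan, "aws_s3_bucket_policy") for st in json.loads(pol["policy"])["Statement"])
    if not tls_deny:
        findings.append("bucket policy: no Deny on aws:SecureTransport=false")
    return findings
```

Run it against `terraform show -json plan.out` before the D2 apply; a non-empty list is a gate failure.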

@dashprotocol dashprotocol linked an issue May 28, 2026 that may be closed by this pull request
@dashprotocol dashprotocol merged commit 0dfcda4 into main May 28, 2026
5 checks passed
@dashprotocol dashprotocol deleted the feat/H-008-S3-design-IaC-scaffolding branch May 28, 2026 07:11


Development

Successfully merging this pull request may close these issues.

H-008 S3 private bucket IAM and KMS

1 participant