feat: sourcemap upload to GlitchTip in deploy.sh

WS-7 PR-3 commit 3, RFC §3.5.

- deploy.sh: export VITE_SENTRY_RELEASE=crewli-app@<short-sha> before
  the Vite build so the release identifier is inlined into the bundle
  via import.meta.env.
- New step 4a after the build: when SENTRY_AUTH_TOKEN and
  VITE_SENTRY_DSN_FRONTEND are present, upload sourcemaps via
  `npx @sentry/cli@latest sourcemaps upload` to project crewli-app
  with --url-prefix=~/assets/ matching Vite's default asset path.
  Soft-fails with a warning so deploy can still succeed if GlitchTip
  is unreachable.
- Always run `find apps/app/dist -name '*.map' -delete` after upload
  (or after skipped upload). No public-mapped sources reach nginx —
  RFC §3.5 invariant.
- .gitignore: defensive `apps/app/dist/**/*.map` exclusion (dist/ is
  already broadly ignored; this is belt-and-suspenders against
  accidental commits of build output).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -64,3 +64,8 @@ docs/.vitepress/cache
 # GlitchTip
 docker/glitchtip/.env
 backups/
+
+# WS-7 RFC §3.5: Vite sourcemaps are uploaded to GlitchTip and stripped
+# from dist/ before deploy. Defensive exclusion in case dist/ is ever
+# committed by mistake (it's already covered by `dist/` above).
+apps/app/dist/**/*.map