Add three-tier deployment infrastructure

Platform pivot from Raspberry Pi to three-tier model:
- Tier 1: Bootable Debian Live USB for field reporters
- Tier 2: Docker/K8s org server for newsrooms
- Tier 3: Docker/K8s federation relay for VPS

Tier 1 — Live USB (deploy/live-usb/):
- build.sh: live-build based image builder for amd64
- Package list: Python + system deps + minimal GUI (openbox + Firefox)
- Install hook: creates venv, pip installs soosef[web,cli,attest,...]
- Hardening hook: disable swap/coredumps, UFW, auto-login to web UI
- systemd service with security hardening (NoNewPrivileges, ProtectSystem)
- Auto-opens Firefox kiosk to http://127.0.0.1:5000 on boot

Tier 2+3 — Docker (deploy/docker/):
- Multi-stage Dockerfile with two targets:
  - server: full web UI + stego + attestation + federation (Tier 2)
  - relay: lightweight FastAPI attestation API only (Tier 3)
- docker-compose.yml with both services and persistent volumes
- .dockerignore for clean builds

Kubernetes (deploy/kubernetes/):
- namespace.yaml, server-deployment.yaml, relay-deployment.yaml
- PVCs, services, health checks, resource limits
- Single-writer strategy (Recreate, not RollingUpdate) for SQLite safety
- README with architecture diagram and deployment instructions

Config presets (deploy/config-presets/):
- low-threat.json: press freedom country (no killswitch, 30min sessions)
- medium-threat.json: restricted press (48h deadman, USB monitoring)
- high-threat.json: conflict zone (12h deadman, tamper monitoring, 5min sessions)
- critical-threat.json: targeted surveillance (127.0.0.1 only, 6h deadman, 3min sessions)

Deployment guide rewritten for three-tier model with RPi as legacy appendix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/live-usb/config/hooks/live/0100-install-soosef.hook.chroot

@@ -0,0 +1,26 @@
+#!/bin/bash
+# Install SooSeF and all dependencies into the live image.
+# This runs inside the chroot during image build.
+set -euo pipefail
+
+echo "=== Installing SooSeF ==="
+
+# Create soosef user
+useradd -m -s /bin/bash -G sudo soosef
+echo "soosef:soosef" | chpasswd
+
+# Create virtual environment
+python3 -m venv /opt/soosef-env
+source /opt/soosef-env/bin/activate
+
+# Install soosef with all extras (pre-built wheels from PyPI)
+pip install --no-cache-dir "soosef[web,cli,attest,stego-dct,stego-audio,fieldkit]"
+
+# Verify installation
+python3 -c "import soosef; print(f'SooSeF {soosef.__version__} installed')"
+python3 -c "from soosef.stegasoo import encode; print('stegasoo OK')"
+python3 -c "from soosef.verisoo import Attestation; print('verisoo OK')"
+
+deactivate
+
+echo "=== SooSeF installation complete ==="

deploy/live-usb/config/hooks/live/0200-harden.hook.chroot

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Security hardening for the live image.
+set -euo pipefail
+
+echo "=== Applying security hardening ==="
+
+# Disable core dumps (Python doesn't zero memory — core dumps leak keys)
+echo "* hard core 0" >> /etc/security/limits.conf
+echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-soosef.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/99-soosef.conf
+
+# Disable swap (keys persist in swap pages)
+systemctl mask swap.target || true
+echo "vm.swappiness = 0" >> /etc/sysctl.d/99-soosef.conf
+
+# Enable UFW with deny-all + allow web UI
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 5000/tcp comment "SooSeF Web UI"
+ufw allow 22/tcp comment "SSH"
+ufw --force enable || true
+
+# Disable unnecessary services
+systemctl disable bluetooth.service 2>/dev/null || true
+systemctl disable avahi-daemon.service 2>/dev/null || true
+systemctl disable cups.service 2>/dev/null || true
+
+# Enable SooSeF service
+systemctl enable soosef.service
+
+# Auto-login to openbox (so the browser opens without login prompt)
+mkdir -p /etc/lightdm/lightdm.conf.d
+cat > /etc/lightdm/lightdm.conf.d/50-autologin.conf << 'EOF'
+[Seat:*]
+autologin-user=soosef
+autologin-user-timeout=0
+EOF
+
+echo "=== Hardening complete ==="