fix(security-posture): ship nginx route drop-in + postinst nginx reload (ref #617)

The browser API 404'd because nginx routes /api/ generically to the aggregator,
which does not serve security-posture (it runs its own uvicorn socket). Ship
/etc/nginx/secubox-routes.d/security-posture.conf routing /api/v1/security-posture/
to /run/secubox/security-posture.sock, and reload nginx in postinst.

packages/secubox-security-posture/debian/postinst

@@ -0,0 +1,19 @@
+#!/bin/sh
+# SPDX-License-Identifier: LicenseRef-CMSD-1.0
+set -e
+
+# Writable cache dir for the posture snapshot (service runs as secubox).
+if getent passwd secubox >/dev/null 2>&1; then
+    install -d -o secubox -g secubox -m 0750 /var/lib/secubox/security-posture 2>/dev/null || true
+fi
+
+#DEBHELPER#
+
+# Reload nginx so the /api/v1/security-posture/ route drop-in takes effect.
+if command -v nginx >/dev/null 2>&1; then
+    if nginx -t >/dev/null 2>&1; then
+        nginx -s reload >/dev/null 2>&1 || true
+    fi
+fi
+
+exit 0

packages/secubox-security-posture/debian/rules

@@ -27,3 +27,7 @@ override_dh_auto_install:
 	# Sidebar menu entry (self-contained — folds PR #616)
 	install -d $(DESTDIR)/usr/share/secubox/menu.d
 	[ -d menu.d ] && cp -r menu.d/. $(DESTDIR)/usr/share/secubox/menu.d/ || true
+
+	# nginx route drop-in (own socket — not aggregator-served)
+	install -d $(DESTDIR)/etc/nginx/secubox-routes.d
+	cp nginx/security-posture.conf $(DESTDIR)/etc/nginx/secubox-routes.d/

packages/secubox-security-posture/nginx/security-posture.conf

@@ -0,0 +1,9 @@
+# Installed by secubox-security-posture into /etc/nginx/secubox-routes.d/
+# Unlike most modules (served in-process by secubox-aggregator), security-posture
+# runs its own uvicorn service on /run/secubox/security-posture.sock, so route the
+# public API straight to that socket (the trailing :/ strips the location prefix).
+location /api/v1/security-posture/ {
+    proxy_pass http://unix:/run/secubox/security-posture.sock:/;
+    include /etc/nginx/snippets/secubox-proxy.conf;
+    proxy_intercept_errors on;
+}

packages/secubox-security-posture/www/security-posture/index.html

@@ -19,8 +19,9 @@
     <link rel="stylesheet" href="/shared/sidebar.css">
     <link rel="stylesheet" href="posture.css">
 </head>
-<body>
+<body class="module-wall">
-    <div class="main">
+    <nav class="sidebar" id="sidebar"></nav>
+    <main class="main">
         <header class="page">
             <h1>🎚️ Security Posture <span class="ver" id="ver">v2.0.0</span></h1>
             <div class="actions">
@@ -32,7 +33,7 @@
         <div id="error" class="banner err" hidden></div>
         <div id="loading" class="banner info">Computing posture…</div>
 
-        <main id="content" hidden>
+        <div id="content" hidden>
             <!-- Hero: DEFCON gauge + overall score -->
             <section class="hero">
                 <div class="gauge-wrap">
@@ -88,10 +89,10 @@
                     <table class="audit-table" id="tpnTable"></table>
                 </details>
             </section>
-        </main>
+        </div>
-    </div>
+    </main>
 
-    <script src="/shared/sidebar.js" defer></script>
+    <script src="/shared/sidebar.js"></script>
     <script src="posture.js" defer></script>
 </body>
 </html>