refactor: deployment infrastructure cleanup (4 fixes)

1. Docker socket security: remove root group from Dockerfile, use
   group_add in docker-compose.yml for runtime-only socket access

2. M2M server communication: create ServerApiClient using Logto
   client_credentials grant with API resource scope. Add M2M server
   role in bootstrap. Replace hacky admin/admin login in
   AgentStatusService.

3. Async deployment: extract DeploymentExecutor as separate @Service
   so Spring's @Async proxy works (self-invocation bypasses proxy).
   Deploy now returns immediately, health check runs in background.

4. Bootstrap: M2M server role (cameleer-m2m-server) with server:admin
   scope, idempotent creation outside the M2M app creation block.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/logto-bootstrap.sh

@@ -305,6 +305,24 @@ else
       fi
     fi
   fi
+
+fi
+
+# Create M2M role for the Cameleer API resource (server:admin access) — idempotent
+EXISTING_M2M_SERVER_ROLE=$(api_get "/api/roles" | jq -r '.[] | select(.name == "cameleer-m2m-server") | .id')
+if [ -z "$EXISTING_M2M_SERVER_ROLE" ]; then
+  log "Creating M2M server access role..."
+  SERVER_M2M_ROLE_RESPONSE=$(api_post "/api/roles" "{
+    \"name\": \"cameleer-m2m-server\",
+    \"description\": \"Server API access for SaaS backend (M2M)\",
+    \"type\": \"MachineToMachine\",
+    \"scopeIds\": [\"$SCOPE_SERVER_ADMIN\"]
+  }")
+  EXISTING_M2M_SERVER_ROLE=$(echo "$SERVER_M2M_ROLE_RESPONSE" | jq -r '.id')
+fi
+if [ -n "$EXISTING_M2M_SERVER_ROLE" ] && [ "$EXISTING_M2M_SERVER_ROLE" != "null" ] && [ -n "$M2M_ID" ]; then
+  api_post "/api/roles/$EXISTING_M2M_SERVER_ROLE/applications" "{\"applicationIds\": [\"$M2M_ID\"]}" >/dev/null 2>&1
+  log "Assigned server API role to M2M app: $EXISTING_M2M_SERVER_ROLE"
 fi
 
 # ============================================================