[BOUNTY] Add deploy dry-run rollback summary export (#1)

[leo202000]

Summary

Adds a dry-run rollback summary export to tools/deploy.py, addressing bounty #1. Rollback dry-runs now produce a structured, audit-friendly summary that can be reviewed without scraping terminal output.

Changes

• tools/deploy.py:
  • generate_rollback_summary() builds a structured summary with service, service_name, environment, namespace, version, generated_at, planned_actions, risk_notes, and rollback_steps.
  • format_rollback_summary_text() renders the summary as human-readable text with sections for each field.
  • export_rollback_summary() writes the summary to a file in text or JSON format.
  • Dry-run rollback (--dry-run --rollback) now emits the structured summary; --summary-output and --summary-format CLI flags control file export.
  • Production rollbacks include elevated risk notes; non-production uses lower-risk notes.
• tests/test_deploy_rollback_summary.py: 12 unit tests covering required fields, custom actions/risk/steps, text formatting, JSON/text file export, and per-service/per-environment filtering.
• diagnostic/build-c9756b08.logd + .json: required diagnostic bundle.

Testing

• python3 tests/test_deploy_rollback_summary.py -v -> 12 tests pass.
• python3 build.py -> diagnostic bundle generated and committed (diagnostic/build-c9756b08.logd, 15398 bytes, DIAG magic).
• Verified summary contains all required fields (service, environment, version, planned actions, risk notes, rollback steps) and filtering works across all services/environments.

Checklist

• Relevant modules affected by these changes build locally
• Tests pass locally
• Diagnostic build log is committed in this PR
• Documentation has been updated, if applicable
• Configuration or schema changes are documented, if applicable
• No generated build artifacts are committed, except the required diagnostic build log
• Changes are scoped to the PR purpose and avoid unrelated cleanup
• Security, privacy, and error-handling implications have been considered

---

• I would like to request that my diagnostic build log is removed before merging

---

Addresses bounty issue #1. Please let me know the process for claiming the $25 bounty once merged.

[Soengkit]

Thanks for the PR. I am closing this because Soengkit/zeroeye is only my working fork of the upstream repository, not an official bounty intake or payment queue. The fork parent/source is NemoMi/zeroeye: https://github.com/NemoMi/zeroeye. Please use the upstream owner current process for any submission or claim, and do not post payment details here.