chore(infra): stop writing a server-side .env on deploy — inject BWS secrets into the container

[anneoneone]

Context

Follow-up to #147 / #80. Prod still materializes secrets as a file: CI
(.github/workflows/backend.yml) fetches secrets from Bitwarden, writes a production .env, SCPs
it to Lightsail (backend/scripts/deploy_lightsail.sh), and docker-compose mounts it read-only
(backend/docker-compose.prod.yml:10). A plaintext .env at rest on the host (mode 600) is an
avoidable footprint. Since the app reads from process env, the BWS secrets can be injected straight
into the container and the file dropped.

Scope (GitNexus)

Affected area(s): deploy pipeline + container env. No application code change (app reads
process env).

• .github/workflows/backend.yml — pass BWS secrets to deploy as env, not a generated .env.
• backend/scripts/deploy_lightsail.sh — remove .env upload/move/600 steps (~lines 185–324);
  pass env to the container instead.
• backend/docker-compose.prod.yml — replace the ./.env:/app/.env:ro mount (line 10) with
  environment: injection from the shell.
• backend/scripts/backup/{setup_rclone.sh,restore-r2.sh} — they source .env; switch to injected
  env / BWS.

Acceptance criteria

• No .env is written to or mounted on the Lightsail host; secrets reach the container as env
  vars.
• Backend starts and all R2 / Instagram / Telegram / SoundCloud features work in prod with no
  .env present.
• Backup scripts function without a server-side .env.
• Deploy script no longer references --env-file / TMP_REMOTE_ENV / /opt/unheard-backend/.env.

Notes

• Depends on feat(infra): source local dev secrets from Bitwarden (drop hand-edited .env) #147. Lower priority (later).
• Parent: Use Bitwarden Secret Manager #80.