feat(hosting): add maintenance mode middleware + sm down/up (closes #160)

[antosubash]

Summary

Closes #160.

Sentinel-file maintenance mode (Laravel's php artisan down equivalent):

• MaintenanceModeMiddleware short-circuits requests with HTTP 503 when active, sets Retry-After, exempts /health/live + /health/ready, returns JSON 503 for Inertia/JSON requests (component: "System/Maintenance") and the static maintenance.html for browsers.
• ?sm_bypass=<secret> exchanges the secret (constant-time compared) for an HttpOnly, SameSite=Lax, Secure (https or non-dev) cookie, then 302s back to the original URL with the secret stripped.
• FileMaintenanceModeStore is sentinel-backed (App_Data/maintenance.json) with a FileSystemWatcher so the running app picks up CLI writes without restart — GetState() is a hot-path field read, no disk I/O per request.
• CLI: sm down --secret X --message "..." --retry 60 [--until <ISO8601>] (auto-generates a secret if --secret is omitted and prints the bypass URL), sm down --status, sm up.

Pipeline placement

UseAuthentication → UseAuthorization → MaintenanceModeMiddleware → UseRateLimiting → …

After auth so the bypass cookie is set under a known identity; before rate limiting / module middleware so we don't spend budget on requests we're going to 503.

Acceptance criteria from #160

• Middleware short-circuits at the right place
• Health-check endpoints (/health/live, /health/ready) exempted
• Inertia request returns JSON 503
• Bypass cookie scoped, HttpOnly, Secure, SameSite=Lax
• CLI commands tested
• Multi-tenant aware — deferred to a follow-up (called out in the issue as optional)
• Docs page — deferred to a follow-up

The React System/Maintenance Inertia page is also deferred — the static HTML fallback is sufficient for browser requests today, and Inertia clients receive the JSON payload so an SPA can render the page in a follow-up without a server change.

Test plan

• dotnet test tests/SimpleModule.Core.Tests --filter MaintenanceModeMiddlewareTests → 9/9 pass (passthrough, 503 + Retry-After, both health paths exempt, Inertia JSON 503, bypass query → cookie + redirect, wrong secret still 503s, valid cookie passes, expired Until passes)
• dotnet run --project tests/SimpleModule.Cli.Tests -- -class SimpleModule.Cli.Tests.MaintenanceSentinelTests → 5/5 pass (hash determinism, hash uniqueness, JSON round-trip, absent + corrupt file handling)
• dotnet test tests/SimpleModule.Core.Tests → 206/206 pass
• dotnet build SimpleModule.slnx → clean, 0 warnings
• dotnet csharpier check on touched files → clean
• Manual smoke: dotnet run --project template/SimpleModule.Host + sm down --secret hello from another shell → verify 503 with Retry-After, then ?sm_bypass=hello lets the session through

---

Generated by Claude Code

[cloudflare-workers-and-pages]

Deploying simplemodule-website with    Cloudflare Pages

Latest commit:	22789ec
Status:	✅  Deploy successful!
Preview URL:	https://26ba8437.simplemodule-website.pages.dev
Branch Preview URL:	https://claude-fix-missing-issues-0q.simplemodule-website.pages.dev

View logs