chore: add nginx deployment smoke test

Add the nginx deployment artifact from PLAN.md. The example config keeps upl
behind nginx, sets client_max_body_size to 64 MiB, disables request buffering for
chunk uploads, forwards standard proxy headers, and leaves explicit placeholders
for TLS certificates and access control before public exposure.

Add just nginx-smoke as a reusable Docker-based verification. The script starts
upl with a temporary data directory, runs nginx as a reverse proxy, uploads a
17 MiB file through nginx, restarts the Rust backend mid-upload, confirms server
progress survives the restart through the proxy, uploads the remaining chunk,
completes the upload, and compares SHA-256 hashes.

Document the production nginx shape, the local Docker smoke-test caveat, and the
manual deployment retest scenario in TESTS.md.

Test Plan:
- bash -n scripts/nginx-smoke.sh
- just check
- just nginx-smoke

Refs: PLAN.md milestone 9

TESTS.md

@@ -19,6 +19,11 @@ Keep this file as the reusable verification checklist while implementing
     - `POST /api/uploads/:id/complete` assembles verified chunks.
     - `POST /api/uploads/:id/complete` rejects incomplete uploads.
     - `static/app.js` passes `node --check`.
+- `just nginx-smoke`
+  - Runs upl behind nginx in Docker.
+  - Uploads a 17 MiB file through nginx.
+  - Restarts the Rust backend mid-upload, resumes through nginx, completes, and
+    compares SHA-256 hashes.
 
 ## Manual
 
@@ -40,6 +45,9 @@ features land.
 - Attempt an invalid chunk index and confirm it is rejected.
 - Attempt a wrong-size non-final chunk and confirm it is rejected.
 - Complete an upload and compare the final file with the source file:
+- Install `deploy/nginx/upl.conf.example` on the deployment host, add the real
+  TLS certificate and access-control settings, and repeat the resume scenarios
+  through the public nginx URL.
 
 ```sh
 sha256sum source-file data/complete/uploaded-file