Add maintenance mode (sm down / sm up + bypass token)

[antosubash]

Background

There is currently no way to put the running app into a maintenance state during deployments or DB migrations without manually rerouting traffic at the load balancer. Laravel ships php artisan down --secret=... which drops a sentinel file the framework reads on every request to short-circuit responses except for holders of the bypass cookie.

Motivation

• Safer deploys / migrations
• Lets ops show a branded 503 page
• Bypass token lets the deploying engineer keep verifying the release

Design sketch

• Sentinel: a row in the Settings table (System.MaintenanceMode.Active, System.MaintenanceMode.Until, System.MaintenanceMode.SecretHash, System.MaintenanceMode.Message, System.MaintenanceMode.RetryAfterSeconds)
• Middleware MaintenanceModeMiddleware registered very early in the pipeline (before auth):
  • If active and request lacks the sm_bypass=<token> cookie, return 503 + Retry-After header
  • Sets a HTML response from a Razor view OR Inertia render of a System/Maintenance page
• CLI:
  • sm down --secret <s> --message "..." --retry 60 → flips setting + returns the bypass URL
  • sm up → clears setting
  • sm down --status → prints current state
• Bypass: visiting ?sm_bypass=<secret> writes the cookie, then redirects to /

Acceptance criteria

• Middleware short-circuits at the right place (after IP allowlist, before auth)
• Health-check endpoints (/health/live, /health/ready) exempted
• Inertia request returns JSON 503 (so SPA shows the maintenance page without full reload)
• CLI commands tested
• Bypass cookie scoped, HttpOnly, Secure, SameSite=Lax
• Multi-tenant aware (per-tenant maintenance optional, follow-up issue if scoped out)
• Docs page

References

• Laravel: https://laravel.com/docs/configuration#maintenance-mode