[NX-203 Issue] Add production proxy profile with validation and documentation

Introduced a secure, repeatable production proxy profile for reverse proxy and HTTPS deployment, including NGINX configuration, environment variables, and CORS guidance. Added CI workflow for static validation of proxy guardrails and detailed documentation to ensure best practices in deployment.

ops/scripts/validate_proxy_profile.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "[proxy-profile] validating reverse-proxy and mixed-content guardrails"
+
+require_pattern() {
+  local file="$1"
+  local pattern="$2"
+  local message="$3"
+  if ! grep -Eq "$pattern" "$file"; then
+    echo "[proxy-profile] FAIL: $message ($file)"
+    exit 1
+  fi
+}
+
+# Frontend should default to relative API base in container builds.
+require_pattern "frontend/Dockerfile" "ARG VITE_API_URL=/api/v1" \
+  "VITE_API_URL default must be relative (/api/v1)"
+
+# Frontend runtime proxy should forward /api with forward headers.
+require_pattern "frontend/nginx.conf" "location /api/" \
+  "frontend nginx must proxy /api/"
+require_pattern "frontend/nginx.conf" "proxy_set_header X-Forwarded-Proto" \
+  "frontend nginx must set X-Forwarded-Proto"
+require_pattern "frontend/nginx.conf" "proxy_set_header X-Forwarded-For" \
+  "frontend nginx must set X-Forwarded-For"
+require_pattern "frontend/nginx.conf" "proxy_set_header Host" \
+  "frontend nginx must forward Host"
+
+# Mixed-content guard in frontend API client.
+require_pattern "frontend/src/api.js" "window\\.location\\.protocol === \"https:\".*parsed\\.protocol === \"http:\"" \
+  "frontend api client must contain HTTPS mixed-content protection"
+
+# Production profile must not use wildcard CORS.
+require_pattern "ops/profiles/prod/.env.production.example" "^CORS_ORIGINS=https://[^*]+$" \
+  "production profile must use explicit HTTPS CORS origins"
+
+echo "[proxy-profile] PASS"