deploy scripts: per-region TF_DATA_DIR isolation + demo-seed prompt

[iammukeshm]

Two deploy-script changes.

1. Isolate Terraform data dir per env/region (TF_DATA_DIR)

Problem

app_stack/ keeps Terraform working data in a single shared .terraform/, and each env/region is selected per-run via terraform init -reconfigure -backend-config=envs/<env>/<region>/backend.hcl. That makes concurrent runs against different backends unsafe: whichever runs init -reconfigure last repoints the shared backend pointer for both.

Observed: an ap-south-1 deploy and a us-east-1 destroy overlapped. The deploy's apply + migrator succeeded, but in the gap before its frontend step the destroy's init repointed the backend to us-east-1. The deploy's closing terraform output dashboard_site/admin_site/api_url then read the wrong state → "Output not found" → the SPA publish was silently skipped (infra was fine; only the file publish was missed).

Fix

deploy.sh, deploy.ps1, destroy.ps1 set TF_DATA_DIR to an absolute app_stack/.terraform/<env>-<region> before any terraform call. Each env/region gets its own data dir (backend pointer, providers, modules), so two runs against different backends physically cannot share — and clobber — the same pointer. .terraform/ is already gitignored.

Verification

Ran end-to-end against the live dev/ap-south-1 stack: init into a fresh .terraform/dev-ap-south-1/, apply → No changes, both SPAs built/synced (dashboard 95 objects, admin 65) + CloudFront invalidated — the previously-skipped publish now completes.

2. Prompt to seed demo tenants when not specified

deploy.sh/deploy.ps1 now ask Seed demo tenants (acme/globex)? before the apply. Skipped when already chosen (--seed-demo/-SeedDemo), not migrating (--skip-migrate), or unattended (--auto-approve / no TTY), so CI never blocks.

bash -n + PowerShell parser checks pass on all scripts.

🤖 Generated with Claude Code