portal: serve /files/ (logo) from stable host path, fix recurring 403

nginx served /files/ via alias straight into /var/lib/docker/volumes/... but
/var/lib/docker is root 0700 (no traverse for www-data) and docker resets that
perm on restart -> recurring 403 on /files/pw-logo.png (broken portal logo).

Sync the site's public /files/ into /opt/erpnext-assets/assets/files (already
www-data-owned, nginx-traversable, never touched by docker) during asset
extraction, and verify the logo is present. nginx /files/ alias must point here
(separate nginx change applied on server).

extract-erpnext-assets.sh

@@ -55,6 +55,18 @@ $DOCKER exec "$CONTAINER" cat \
     /home/frappe/frappe-bench/sites/assets/assets.json \
   | sudo tee "${DEST}/assets.json" >/dev/null
 
+# Site-uploaded public /files/ (e.g. the portal logo pw-logo.png). nginx cannot
+# traverse the raw docker volume (/var/lib/docker is root 0700 and docker resets
+# it on restart -> recurring 403s), so we serve /files/ from this stable
+# www-data-owned host path instead. Re-synced here on every deploy.
+SITE="${ERPNEXT_SITE:-performancewest.net}"
+FILES_SRC="/home/frappe/frappe-bench/sites/${SITE}/public/files"
+echo "--- Syncing site /files/ (logo, uploads) ---"
+sudo rm -rf "${DEST}/files"
+sudo mkdir -p "${DEST}/files"
+$DOCKER exec "$CONTAINER" sh -c "[ -d '${FILES_SRC}' ] && tar cf - -C '${FILES_SRC}' . || true" \
+  | sudo tar xf - -C "${DEST}/files" 2>/dev/null || true
+
 sudo chown -R www-data:www-data /opt/erpnext-assets
 sudo nginx -s reload 2>/dev/null || true
 
@@ -68,3 +80,8 @@ if [ -n "$LOGIN_HASH" ] && [ ! -f "${DEST}/frappe/dist/css/${LOGIN_HASH}" ]; the
 fi
 
 echo "=== Done. Assets at ${DEST} (login bundle: ${LOGIN_HASH:-unknown}) ==="
+
+# Verify the portal logo made it across (served at /files/pw-logo.png).
+if [ ! -f "${DEST}/files/pw-logo.png" ]; then
+  echo "WARN: ${DEST}/files/pw-logo.png missing — portal logo may be broken." >&2
+fi