fix(deploy): pnpm install workspace deps before running safe-db-push

Two follow-up fixes after the first migration-step deploy revealed
gaps:

1. \`pnpm dlx drizzle-kit\` doesn't work — the drizzle.config.ts file
   itself does \`import { defineConfig } from 'drizzle-kit'\`, and
   Node's resolver only finds that import via local node_modules,
   not pnpm's dlx cache. Reverted to plain \`pnpm exec drizzle-kit\`
   and require the workspace to be installed.

2. CD now runs \`pnpm install --filter ./services/<svc>... --frozen-
   lockfile --ignore-scripts\` once at the start of the migration
   step for every Drizzle service in the deploy. Path-based filter
   (not name-based) because our service package names follow no
   uniform convention (\`@mana/auth\` vs \`@mana/credits-service\` vs
   \`@mana/events\`). pnpm's lockfile cache makes second-and-later
   runs near-instant.

3. Dropped the \`--silent\` flag from \`pnpm exec drizzle-kit --version\`
   — it isn't a recognised pnpm-exec flag and causes a 254 exit code,
   making the script's "is drizzle-kit available?" probe always fail.

Smoke-tested locally — script now runs cleanly against mana-auth's
schema, reports "no changes detected", cleans up the probe SQL file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/mac-mini/safe-db-push.sh

@@ -57,16 +57,17 @@ fi
 
 cd "$SVC_DIR"
 
-# Pick how we'll invoke drizzle-kit. The Mac Mini runner doesn't run
-# `pnpm install` for the workspace (everything builds inside Docker),
-# so the per-service node_modules/.bin/drizzle-kit binary is missing.
-# `pnpm dlx` fetches drizzle-kit on demand, caches it in the global
-# pnpm store, and is then fast on every subsequent call. drizzle-kit
-# reads its config from cwd so it still finds drizzle.config.ts here.
-if pnpm exec --silent drizzle-kit --version >/dev/null 2>&1; then
-	DRIZZLE="pnpm exec drizzle-kit"
-else
-	DRIZZLE="pnpm dlx drizzle-kit"
+# Drizzle-kit must be available as a workspace-local module — its
+# binary AND the import that drizzle.config.ts performs both go
+# through Node's local-dir resolver. The CD pipeline runs `pnpm
+# install --filter ./services/<svc>...` before invoking this script
+# so every Drizzle service has node_modules/.bin/drizzle-kit + the
+# importable package linked. `pnpm dlx` doesn't work here because
+# its global cache isn't on Node's resolution path for the config
+# file's `import { defineConfig } from 'drizzle-kit'`.
+if ! pnpm exec drizzle-kit --version >/dev/null 2>&1; then
+	echo "[safe-db-push] $SVC: drizzle-kit not installed in workspace — run \`pnpm install --filter ./services/$SVC...\` first"
+	exit 0
 fi
 
 # Snapshot the existing migration set before we generate. Anything new
@@ -75,7 +76,7 @@ PRE_GEN_FILES=$(find drizzle -maxdepth 2 -name '*.sql' 2>/dev/null | sort || tru
 
 # Generate-only — does not touch the database.
 echo "[safe-db-push] $SVC: generating diff…"
-GEN_OUT=$($DRIZZLE generate --name "__ci_safety_check_$$" 2>&1 || true)
+GEN_OUT=$(pnpm exec drizzle-kit generate --name "__ci_safety_check_$$" 2>&1 || true)
 echo "$GEN_OUT" | tail -20
 
 POST_GEN_FILES=$(find drizzle -maxdepth 2 -name '*.sql' 2>/dev/null | sort || true)
@@ -132,5 +133,5 @@ fi
 
 # Additive only — safe to apply.
 echo "[safe-db-push] $SVC: ✓ additive only, applying…"
-$DRIZZLE push --force
+pnpm exec drizzle-kit push --force
 echo "[safe-db-push] $SVC: ✓ schema is now in sync"