fix(bootstrap): grant monitoring.editor + enable monitoring API

v1.3.0 added google_monitoring_uptime_check_config + alert policies to the
module, but bootstrap-gcp.sh was not updated. Fresh customers (and the
first apply after upgrading existing customers) hit 403 on
monitoring.uptimeCheckConfigs.create.

Fix: enable monitoring.googleapis.com + grant roles/monitoring.editor to
the deploy SA. Idempotent (safe to re-run on existing projects).

scripts/bootstrap-gcp.sh

@@ -26,6 +26,7 @@ gcloud services enable \
     secretmanager.googleapis.com \
     cloudresourcemanager.googleapis.com \
     storage.googleapis.com \
+    monitoring.googleapis.com \
     --project="${PROJECT_ID}"
 
 echo "=== Create deploy service account (if not exists) ==="
@@ -46,7 +47,8 @@ for role in \
     iam.serviceAccountAdmin \
     secretmanager.admin \
     storage.admin \
-    resourcemanager.projectIamAdmin; do
+    resourcemanager.projectIamAdmin \
+    monitoring.editor; do
     gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
         --member="serviceAccount:${SA_EMAIL}" \
         --role="roles/${role}" \