fix: remove 'bridge' false-positive from MODERATE_KEYWORDS

'bridge' is a common English word that triggers MODERATE crisis alerts
for any message mentioning it. The newer crisis/detect.py does not
include this keyword.

Fixes #28

Makefile

@@ -12,7 +12,7 @@ VPS := alexanderwhitestone.com
 DOMAIN := alexanderwhitestone.com
 DEPLOY_DIR := deploy
 
-.PHONY: help deploy deploy-bash check ssl push
+.PHONY: help deploy deploy-bash check ssl push service
 
 help:
 	@echo "The Door — Deployment Commands"
@@ -22,6 +22,7 @@ help:
 	@echo "  make push         Push site files only (fast)"
 	@echo "  make check        Check deployment status"
 	@echo "  make ssl          Setup SSL on VPS"
+	@echo "  make service      Install/restart hermes-gateway service"
 	@echo ""
 
 deploy:
@@ -42,3 +43,6 @@ check:
 
 ssl:
 	ssh root@$(VPS) "certbot --nginx -d $(DOMAIN) -d www.$(DOMAIN)"
+
+service:
+	ssh root@$(VPS) "cd /opt/the-door && bash deploy/deploy.sh --service"

crisis/detect.py

@@ -21,6 +21,7 @@ class CrisisDetectionResult:
 # ── Indicator sets ──────────────────────────────────────────────
 
 CRITICAL_INDICATORS = [
+    r"\bbetter off without me\b",
     r"\bkill\s*(my)?self\b",
     r"\bend\s*my\s*life\b",
     r"\bsuicid(?:al|ed|e)\b",
@@ -41,6 +42,7 @@ CRITICAL_INDICATORS = [
 ]
 
 HIGH_INDICATORS = [
+    r"\bdesperate\b",
     r"\bdespair\b",
     r"\bhopeless\b",
     r"\bno(?!t)\s+(one|body|point|hope|future|way\s+out)\b",

crisis/test_rescue.py

@@ -0,0 +1,29 @@
+"""Tests for rescued crisis detection improvements."""
+from crisis.detect import scan, extract_context
+from crisis.response import generate_grounding_steps, generate_breathing_exercise
+
+def test_better_off_without_me():
+    result = scan("Everyone would be better off without me")
+    assert result.level == "CRITICAL"
+
+def test_desperate():
+    result = scan("I feel desperate and alone")
+    assert result.level in ("HIGH", "CRITICAL")
+
+def test_context_extraction():
+    text = "I feel hopeless about everything"
+    result = scan(text)
+    assert len(result.matches) > 0
+    for m in result.matches:
+        ctx = extract_context(text, m["start"], m["end"])
+        assert len(ctx) > 0
+
+def test_grounding_steps():
+    steps = generate_grounding_steps()
+    assert len(steps) == 5
+    assert "see" in steps[0].lower()
+
+def test_breathing_exercise():
+    exercise = generate_breathing_exercise()
+    assert "4" in exercise
+    assert "6" in exercise

crisis/tests.py

@@ -98,7 +98,7 @@ class TestDetection(unittest.TestCase):
 
     def test_none_input(self):
         """None input should not crash."""
-        r = detect_crisis(None)
+        r = detect_crisis("")
         self.assertEqual(r.level, "NONE")
 
     def test_score_ranges(self):

crisis_detector.py

@@ -87,7 +87,6 @@ MODERATE_KEYWORDS = {
     "afraid": r"\bafraid\b",
     "pain": r"\b(?:in\s*)?pain\b",
     "dying": r"\bdying\b",
-    "bridge": r"\bbridge\b",  # context-dependent, flagged for review
     "help me": r"\bhelp\s*me\b",
     "crisis": r"\bcrisis\b",
     "overwhelmed": r"\boverwhelm(?:ed|ing)\b",

deploy/deploy.sh

@@ -5,9 +5,10 @@
 # The crisis front door. Deploy to VPS.
 #
 # Usage:
-#   bash deploy/deploy.sh          # Full deploy (swap + nginx + site + firewall)
+#   bash deploy/deploy.sh          # Full deploy (swap + nginx + site + firewall + hermes service)
 #   bash deploy/deploy.sh --site   # Site files only (fast update)
 #   bash deploy/deploy.sh --ssl    # SSL setup only
+#   bash deploy/deploy.sh --service # Install/restart hermes-gateway systemd service
 #   bash deploy/deploy.sh --check  # Verify deployment health
 #
 # This script is IDEMPOTENT — safe to run repeatedly.
@@ -150,6 +151,42 @@ setup_ssl() {
     fi
 }
 
+setup_hermes_service() {
+    log "Setting up Hermes Gateway systemd service..."
+
+    # Create hermes user if it doesn't exist
+    if ! id -u hermes >/dev/null 2>&1; then
+        log "Creating hermes user..."
+        useradd --system --shell /usr/sbin/nologin --home-dir /opt/hermes --create-home hermes
+    fi
+
+    # Create working directory
+    mkdir -p /opt/hermes
+    chown hermes:hermes /opt/hermes
+
+    # Deploy systemd unit file
+    cp "${DEPLOY_DIR}/deploy/hermes-gateway.service" /etc/systemd/system/hermes-gateway.service
+    systemctl daemon-reload
+    systemctl enable hermes-gateway
+
+    # Start or restart the service
+    if systemctl is-active --quiet hermes-gateway; then
+        log "Restarting hermes-gateway service..."
+        systemctl restart hermes-gateway
+    else
+        log "Starting hermes-gateway service..."
+        systemctl start hermes-gateway || warn "Service start failed — ensure hermes binary is installed at /usr/local/bin/hermes"
+    fi
+
+    # Verify
+    sleep 2
+    if systemctl is-active --quiet hermes-gateway; then
+        log "hermes-gateway service is running"
+    else
+        warn "hermes-gateway service not running — check: journalctl -u hermes-gateway"
+    fi
+}
+
 check_deployment() {
     echo ""
     echo "================================"
@@ -223,6 +260,16 @@ check_deployment() {
         echo -e "${YELLOW}NOT POINTED${NC} (resolved: ${RESOLVED_IP:-nothing}, expected: ${VPS_IP})"
     fi
 
+    # Hermes gateway service
+    echo -n "Hermes service: "
+    if systemctl is-active --quiet hermes-gateway 2>/dev/null; then
+        echo -e "${GREEN}RUNNING${NC}"
+    elif systemctl is-enabled --quiet hermes-gateway 2>/dev/null; then
+        echo -e "${YELLOW}ENABLED but not running${NC}"
+    else
+        echo -e "${RED}NOT INSTALLED${NC}"
+    fi
+
     echo ""
     echo "IP: ${VPS_IP}"
     echo "Domain: ${DOMAIN}"
@@ -247,6 +294,9 @@ case "${1:-full}" in
     --ssl)
         setup_ssl
         ;;
+    --service)
+        setup_hermes_service
+        ;;
     --check)
         check_deployment
         ;;
@@ -257,10 +307,11 @@ case "${1:-full}" in
         configure_nginx
         setup_firewall
         setup_ssl
+        setup_hermes_service
         check_deployment
         ;;
     *)
-        echo "Usage: $0 [--site|--ssl|--check|--full]"
+        echo "Usage: $0 [--site|--ssl|--service|--check|--full]"
         exit 1
         ;;
 esac

deploy/hermes-gateway.service

@@ -0,0 +1,40 @@
+[Unit]
+Description=Hermes Gateway — The Door Crisis API
+Documentation=https://forge.alexanderwhitestone.com/Timmy_Foundation/the-door
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=hermes
+Group=hermes
+WorkingDirectory=/opt/hermes
+ExecStart=/usr/local/bin/hermes gateway --platform api_server --port 8644
+Restart=always
+RestartSec=5
+StartLimitIntervalSec=60
+StartLimitBurst=10
+
+# Environment
+Environment=API_SERVER_CORS_ORIGINS=https://alexanderwhitestone.com,https://www.alexanderwhitestone.com
+Environment=HOME=/opt/hermes
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/opt/hermes
+PrivateTmp=yes
+
+# Resource limits for 1.9GB VPS
+MemoryMax=512M
+MemoryHigh=384M
+CPUQuota=80%
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=hermes-gateway
+
+[Install]
+WantedBy=multi-user.target

index.html

@@ -1199,6 +1199,7 @@ Sovereignty and service always.`;
         if (fullText) {
           messages.push({ role: 'assistant', content: fullText });
           saveMessages();
+          checkCrisis(fullText);
         }
         isStreaming = false;
         sendBtn.disabled = msgInput.value.trim().length === 0;