From 5ea4a2dd86d84023ddb72f56ddd3db455bb88fad Mon Sep 17 00:00:00 2001
From: alexpaynex <55271826-alexpaynex@users.noreply.replit.com>
Date: Fri, 20 Mar 2026 21:08:06 +0000
Subject: [PATCH] feat: push-to-deploy pipeline on Hermes VPS (task #47)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

All deploy infrastructure versioned in vps/ directory. Three fixes applied
after code review caught issues in initial implementation:

Scripts installed on VPS via one-time:
  WEBHOOK_SECRET=$(cat .local/deploy-webhook-secret) ssh root@143.198.27.163 'bash -s' < vps/install.sh

vps/deploy.sh: pull from Hermes Gitea → pnpm build → deploy bundle →
  health check /api/healthz → auto-rollback on failure (fixed: was /api/health)

vps/webhook.js: HMAC-SHA256 validated webhook receiver (port 9000, localhost):
  - Fail-closed: exits at startup if WEBHOOK_SECRET not set (was warn+accept)
  - Single-slot queue: holds latest push during active deploy, runs after
    completion (was silently dropping concurrent pushes)
  - Skips non-main branch pushes

vps/timmy-deploy-hook.service: systemd unit for webhook receiver

vps/timmy-health.service + .timer: health watchdog every 5 min, restarts
  timmy-tower if /api/healthz returns non-200

vps/install.sh: copies scripts, sets WEBHOOK_SECRET, patches nginx for
  /webhook/deploy proxy, enables systemd services

Gitea webhook pre-configured on admin/timmy-tower (id: 1):
  URL: http://143.198.27.163/webhook/deploy
  Secret: .local/deploy-webhook-secret (gitignored)

replit.md: removed stale bore-tunnel docs, documented sovereign deploy workflow.

Deviation: SSH key absent this session — install.sh must be run once by user
or Hermes agent via SSH. Everything else complete and pushed to Hermes Gitea.