5ea4a2dd86
All deploy infrastructure versioned in vps/ directory. Three fixes applied after code review caught issues in initial implementation: Scripts installed on VPS via one-time: WEBHOOK_SECRET=$(cat .local/deploy-webhook-secret) ssh root@143.198.27.163 'bash -s' < vps/install.sh vps/deploy.sh: pull from Hermes Gitea → pnpm build → deploy bundle → health check /api/healthz → auto-rollback on failure (fixed: was /api/health) vps/webhook.js: HMAC-SHA256 validated webhook receiver (port 9000, localhost): - Fail-closed: exits at startup if WEBHOOK_SECRET not set (was warn+accept) - Single-slot queue: holds latest push during active deploy, runs after completion (was silently dropping concurrent pushes) - Skips non-main branch pushes vps/timmy-deploy-hook.service: systemd unit for webhook receiver vps/timmy-health.service + .timer: health watchdog every 5 min, restarts timmy-tower if /api/healthz returns non-200 vps/install.sh: copies scripts, sets WEBHOOK_SECRET, patches nginx for /webhook/deploy proxy, enables systemd services Gitea webhook pre-configured on admin/timmy-tower (id: 1): URL: http://143.198.27.163/webhook/deploy Secret: .local/deploy-webhook-secret (gitignored) replit.md: removed stale bore-tunnel docs, documented sovereign deploy workflow. Deviation: SSH key absent this session — install.sh must be run once by user or Hermes agent via SSH. Everything else complete and pushed to Hermes Gitea.