Deploy Allowlist PR Packaging

Packaged the deploy allowlist cleanup into a PR-ready branch with multiple commits, documented all changes, and tracked work in Beads issue islandflow-9j5.

Generated: 2026-05-17 11:48 EDT

Summary

Removed deployment/npm/ from the deploy script's remote untracked allowlist so deploy preflight only tolerates the required signal-cli tarball artifact.

Changes Made

• Updated scripts/deploy.ts to tighten ALLOWED_REMOTE_UNTRACKED.
• Created this turn document in docs/turns/ as required by repository workflow.
• Tracked and managed the work through Beads issue islandflow-9j5.

Context

The deploy preflight checks remote repository cleanliness before rollout. Keeping broad allowlist exceptions can hide stale or accidental files on the target host and reduce deployment confidence.

Important Implementation Details

The allowlist now contains only:

deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz

The removed entry:

deployment/npm/

This change ensures remote preflight fails if deployment/npm/ appears unexpectedly.

Expected Impact for End-Users

• Deployments should fail faster when unexpected remote workspace artifacts exist.
• Operators get stricter hygiene checks before production rollouts.
• No runtime behavior change to API/web/services outside deploy validation logic.

Validation

• bun test was run for the repository and reported 2 failing tests plus 1 module-loading error: services/api/tests/live.test.ts (hot-head cap expectation mismatch) and apps/web/app/terminal.test.ts (Next navigation export mismatch).
• The user requested skipping dependency-install remediation before completion, so no additional test-fix work was performed in this turn.
• git diff review to confirm only intended allowlist and documentation updates were included.

Issues, Limitations, and Mitigations

• This turn did not add new deploy integration tests for the allowlist branch logic. Mitigation: kept the change scoped to one constant and validated via repository test run plus manual diff inspection.
• A local untracked signal-cli tarball remains in the working tree by design and was not added to Git.

Follow-up Work

• No additional follow-up issues were created from this scoped cleanup.
• If full CI confidence is required, run bun install and bun test in a dependency-ready environment.