Merge pull request #42 from dirtydishes/chore/deploy-allowlist-pr-packaging

Tighten deploy remote untracked allowlist

docs/turns/2026-05-17-deploy-allowlist-pr-packaging.html

@@ -0,0 +1,151 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Turn Document - Deploy Allowlist PR Packaging</title>
+    <style>
+      :root {
+        color-scheme: dark;
+        --bg: #0a1118;
+        --panel: #121b24;
+        --panel-2: #0d151e;
+        --border: rgba(255, 255, 255, 0.14);
+        --text: #e6edf3;
+        --muted: #95a8bb;
+        --accent: #89d1ff;
+      }
+      * { box-sizing: border-box; }
+      body {
+        margin: 0;
+        font-family: "Segoe UI", Tahoma, sans-serif;
+        background: linear-gradient(180deg, #09121a 0%, #060b10 100%);
+        color: var(--text);
+      }
+      main {
+        width: min(960px, calc(100vw - 32px));
+        margin: 0 auto;
+        padding: 28px 0 40px;
+      }
+      section {
+        background: var(--panel);
+        border: 1px solid var(--border);
+        border-radius: 14px;
+        padding: 20px 22px;
+        margin-bottom: 16px;
+      }
+      h1, h2 { margin-top: 0; }
+      h2 { font-size: 1rem; text-transform: uppercase; letter-spacing: 0.08em; }
+      p, li { line-height: 1.6; }
+      code, pre { font-family: "IBM Plex Mono", Menlo, monospace; }
+      code { color: var(--accent); }
+      pre {
+        margin: 0;
+        padding: 12px;
+        border-radius: 10px;
+        overflow-x: auto;
+        border: 1px solid var(--border);
+        background: var(--panel-2);
+      }
+      .meta { color: var(--muted); }
+    </style>
+  </head>
+  <body>
+    <main>
+      <section>
+        <h1>Deploy Allowlist PR Packaging</h1>
+        <p>
+          Packaged the deploy allowlist cleanup into a PR-ready branch with multiple commits, documented all changes,
+          and tracked work in Beads issue <code>islandflow-9j5</code>.
+        </p>
+        <p class="meta">Generated: 2026-05-17 11:48 EDT</p>
+      </section>
+
+      <section>
+        <h2>Summary</h2>
+        <p>
+          Removed <code>deployment/npm/</code> from the deploy script's remote untracked allowlist so deploy preflight
+          only tolerates the required signal-cli tarball artifact.
+        </p>
+      </section>
+
+      <section>
+        <h2>Changes Made</h2>
+        <ul>
+          <li>Updated <code>scripts/deploy.ts</code> to tighten <code>ALLOWED_REMOTE_UNTRACKED</code>.</li>
+          <li>Created this turn document in <code>docs/turns/</code> as required by repository workflow.</li>
+          <li>Tracked and managed the work through Beads issue <code>islandflow-9j5</code>.</li>
+        </ul>
+      </section>
+
+      <section>
+        <h2>Context</h2>
+        <p>
+          The deploy preflight checks remote repository cleanliness before rollout. Keeping broad allowlist exceptions
+          can hide stale or accidental files on the target host and reduce deployment confidence.
+        </p>
+      </section>
+
+      <section>
+        <h2>Important Implementation Details</h2>
+        <p>
+          The allowlist now contains only:
+        </p>
+        <pre><code>deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz</code></pre>
+        <p>
+          The removed entry:
+        </p>
+        <pre><code>deployment/npm/</code></pre>
+        <p>
+          This change ensures remote preflight fails if <code>deployment/npm/</code> appears unexpectedly.
+        </p>
+      </section>
+
+      <section>
+        <h2>Expected Impact for End-Users</h2>
+        <ul>
+          <li>Deployments should fail faster when unexpected remote workspace artifacts exist.</li>
+          <li>Operators get stricter hygiene checks before production rollouts.</li>
+          <li>No runtime behavior change to API/web/services outside deploy validation logic.</li>
+        </ul>
+      </section>
+
+      <section>
+        <h2>Validation</h2>
+        <ul>
+          <li>
+            <code>bun test</code> was run for the repository and reported 2 failing tests plus 1 module-loading error:
+            <code>services/api/tests/live.test.ts</code> (hot-head cap expectation mismatch) and
+            <code>apps/web/app/terminal.test.ts</code> (Next navigation export mismatch).
+          </li>
+          <li>
+            The user requested skipping dependency-install remediation before completion, so no additional test-fix work
+            was performed in this turn.
+          </li>
+          <li><code>git diff</code> review to confirm only intended allowlist and documentation updates were included.</li>
+        </ul>
+      </section>
+
+      <section>
+        <h2>Issues, Limitations, and Mitigations</h2>
+        <ul>
+          <li>
+            This turn did not add new deploy integration tests for the allowlist branch logic. Mitigation: kept the
+            change scoped to one constant and validated via repository test run plus manual diff inspection.
+          </li>
+          <li>
+            A local untracked signal-cli tarball remains in the working tree by design and was not added to Git.
+          </li>
+        </ul>
+      </section>
+
+      <section>
+        <h2>Follow-up Work</h2>
+        <ul>
+          <li>No additional follow-up issues were created from this scoped cleanup.</li>
+          <li>If full CI confidence is required, run <code>bun install</code> and <code>bun test</code> in a dependency-ready environment.</li>
+        </ul>
+      </section>
+    </main>
+  </body>
+</html>

scripts/deploy.ts

@@ -30,8 +30,7 @@ const SSH_OPTIONS = [
   "BatchMode=yes"
 ];
 const ALLOWED_REMOTE_UNTRACKED = new Set([
-  "deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz",
-  "deployment/npm/"
+  "deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz"
 ]);
 const PUBLIC_APP_URL =
   process.env.DEPLOY_PUBLIC_APP_URL?.trim() || "https://flow.deltaisland.io";