From 00afd38a57def50cf69576d95ed33424910f4285 Mon Sep 17 00:00:00 2001 From: defiQUG Date: Thu, 26 Mar 2026 18:56:57 -0700 Subject: [PATCH] feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT - Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local - New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL - AGENTS.md pointer to ensure script Made-with: Cursor --- AGENTS.md | 30 +++++ .../sankofa-portal-ensure-nextauth-on-ct.sh | 46 ++++++++ .../deployment/sync-sankofa-portal-7801.sh | 110 ++++++++++++++++++ 3 files changed, 186 insertions(+) create mode 100644 AGENTS.md create mode 100755 scripts/deployment/sankofa-portal-ensure-nextauth-on-ct.sh create mode 100755 scripts/deployment/sync-sankofa-portal-7801.sh diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..b0e9fa1 --- /dev/null +++ b/AGENTS.md 
@@ -0,0 +1,30 @@
+# Proxmox workspace — agent instructions
+
+Single canonical copy for Cursor/Codex. (If your editor also loads `.cursor/rules`, treat those as overlays.)
+
+## Scope
+
+Orchestration for Proxmox VE, Chain 138 (`smom-dbis-138/`), explorers, NPMplus, and deployment runbooks.
+
+## Quick pointers
+
+| Need | Location |
+|------|-----------|
+| Doc index | `docs/MASTER_INDEX.md` |
+| cXAUC/cXAUT unit | 1 full token = 1 troy oz Au — `docs/11-references/EXPLORER_TOKEN_LIST_CROSSCHECK.md` (section 5.1) |
+| PMM mesh 6s tick | `smom-dbis-138/scripts/reserve/pmm-mesh-6s-automation.sh` — `docs/integration/ORACLE_AND_KEEPER_CHAIN138.md` (PMM mesh automation) |
+| VMID / IP / FQDN | `docs/04-configuration/ALL_VMIDS_ENDPOINTS.md` |
+| Ops template + JSON | `docs/03-deployment/PROXMOX_VE_OPERATIONAL_DEPLOYMENT_TEMPLATE.md`, `config/proxmox-operational-template.json` |
+| Live vs template (read-only SSH) | `bash scripts/verify/audit-proxmox-operational-template.sh` |
+| Config validation | `bash scripts/validation/validate-config-files.sh` |
+| Sankofa portal → CT 7801 (build + restart) | `./scripts/deployment/sync-sankofa-portal-7801.sh` (`--dry-run` first); sets `NEXTAUTH_URL` on CT via `sankofa-portal-ensure-nextauth-on-ct.sh` |
+| Completable (no LAN) | `./scripts/run-completable-tasks-from-anywhere.sh` |
+| Operator (LAN + secrets) | `./scripts/run-all-operator-tasks-from-lan.sh` (use `--skip-backup` if `NPM_PASSWORD` unset) |
+
+## Rules of engagement
+
+- Review scripts before running; prefer `--dry-run` where supported.
+- Do not run the full operator flow when everything is healthy unless the user explicitly wants broad fixes (NPM/nginx/RPC churn).
+- Chain 138 deploy RPC: `http://192.168.11.211:8545` (Core). Read-only / non-deploy checks may use public RPC per project rules.
+
+Full detail: see embedded workspace rules and `docs/00-meta/OPERATOR_READY_CHECKLIST.md`.
diff --git a/scripts/deployment/sankofa-portal-ensure-nextauth-on-ct.sh b/scripts/deployment/sankofa-portal-ensure-nextauth-on-ct.sh new file mode 100755 index 0000000..25d098c --- /dev/null +++ b/scripts/deployment/sankofa-portal-ensure-nextauth-on-ct.sh @@ -0,0 +1,46 @@ +#!/usr/bin/env bash +# Ensure CT 7801 (or VMID) has NEXTAUTH_URL (public NPM host) and NEXTAUTH_SECRET. +# Does not print secret values. Safe to run after every portal sync. +# +# Env: PROXMOX_HOST, SANKOFA_PORTAL_VMID, SANKOFA_PORTAL_CT_DIR, SANKOFA_PORTAL_NEXTAUTH_URL +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" +# shellcheck source=/dev/null +source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true + +PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}" +VMID="${SANKOFA_PORTAL_VMID:-7801}" +CT_APP_DIR="${SANKOFA_PORTAL_CT_DIR:-/opt/sankofa-portal}" +SERVICE_NAME="${SANKOFA_PORTAL_SERVICE:-sankofa-portal}" +NEXTAUTH_PUBLIC_URL="${SANKOFA_PORTAL_NEXTAUTH_URL:-https://sankofa.nexus}" +SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new" + +ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s" <> "\$ENV_LOCAL" +fi +if ! grep -q '^NEXTAUTH_SECRET=' "\$ENV_LOCAL" 2>/dev/null; then + printf '%s\n' "NEXTAUTH_SECRET=\$(openssl rand -hex 32)" >> "\$ENV_LOCAL" +fi + +# .env on CT often ships with LAN NEXTAUTH_URL; Next merges both — align to public URL. +if [[ -f .env ]] && grep -q '^NEXTAUTH_URL=' .env 2>/dev/null; then + sed -i "s|^NEXTAUTH_URL=.*|NEXTAUTH_URL=${NEXTAUTH_PUBLIC_URL}|" .env +fi +EOF + +ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl restart ${SERVICE_NAME}" +ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl is-active ${SERVICE_NAME}" + +echo "NextAuth env ensured on CT ${VMID} (NEXTAUTH_URL=${NEXTAUTH_PUBLIC_URL}; secret added only if missing). Service restarted." 
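Review bot: The `NEXTAUTH_SECRET` line appends `\$(openssl rand -hex 32)` straight into the file, so if `openssl` is missing or fails inside the CT the script writes an empty `NEXTAUTH_SECRET=` (a failed command substitution inside a `printf` argument does not fail the `printf`), and every later run then sees the key as present and never repairs it. Capture the value first and refuse an empty result, e.g. `secret=\$(openssl rand -hex 32) || exit 1`, `[[ -n "\$secret" ]] || { echo "ERROR: could not generate NEXTAUTH_SECRET" >&2; exit 1; }`, `printf '%s\n' "NEXTAUTH_SECRET=\$secret" >> "\$ENV_LOCAL"`. The same append creates `.env.local` with the container's default umask and nothing restricts its mode afterwards, so the generated secret stays readable by any local account in the CT; a `chmod o-rwx "\$ENV_LOCAL"` after the write (confirm the service account can still read it) would close that. The opening of the heredoc and the `cd`/`ENV_LOCAL` setup are garbled in this view, so I could not confirm whether the remote script runs under `set -e`; the empty-secret behaviour holds either way.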
diff --git a/scripts/deployment/sync-sankofa-portal-7801.sh b/scripts/deployment/sync-sankofa-portal-7801.sh
new file mode 100755
index 0000000..ac779ea
--- /dev/null
+++ b/scripts/deployment/sync-sankofa-portal-7801.sh
@@ -0,0 +1,110 @@ +#!/usr/bin/env bash +# Sync Sankofa Next.js portal source to LXC 7801, install deps, production build, restart systemd. +# Prerequisites: SSH root@PROXMOX_HOST; portal tree at SANKOFA_PORTAL_SRC (default: sibling ../Sankofa/portal). +# +# Usage: +# ./scripts/deployment/sync-sankofa-portal-7801.sh [--dry-run] +# Env: +# PROXMOX_HOST (default 192.168.11.11), SANKOFA_PORTAL_VMID (7801), SANKOFA_PORTAL_SRC, IP_SANKOFA_PORTAL (for post-check only) +# SANKOFA_PORTAL_NEXTAUTH_URL (default https://sankofa.nexus) — applied on CT after build +# +# See: docs/03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md (Phoenix CT 7801) + +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" +# shellcheck source=/dev/null +source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true + +PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}" +VMID="${SANKOFA_PORTAL_VMID:-7801}" +CT_APP_DIR="${SANKOFA_PORTAL_CT_DIR:-/opt/sankofa-portal}" +SERVICE_NAME="${SANKOFA_PORTAL_SERVICE:-sankofa-portal}" +SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new" + +DEFAULT_SRC="${PROJECT_ROOT}/../Sankofa/portal" +if [[ -d "$DEFAULT_SRC" ]]; then + SANKOFA_PORTAL_SRC="${SANKOFA_PORTAL_SRC:-$DEFAULT_SRC}" +else + SANKOFA_PORTAL_SRC="${SANKOFA_PORTAL_SRC:-}" +fi + +DRY_RUN=false +[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true + +echo "=== Sync Sankofa portal → CT ${VMID} (${CT_APP_DIR}) ===" +echo "Proxmox: ${PROXMOX_HOST}" +echo "Source: ${SANKOFA_PORTAL_SRC:-}" +echo "" + +if [[ -z "$SANKOFA_PORTAL_SRC" || ! -d "$SANKOFA_PORTAL_SRC" ]]; then + echo "ERROR: Set SANKOFA_PORTAL_SRC to the portal directory (clone of Sankofa/portal)." + echo "Example: SANKOFA_PORTAL_SRC=/path/to/Sankofa/portal $0" + exit 1 +fi + +if ! 
command -v tar >/dev/null; then + echo "ERROR: tar required" + exit 1 +fi + +TMP_TGZ="${TMPDIR:-/tmp}/sankofa-portal-sync-$$.tgz" +REMOTE_TGZ="/tmp/sankofa-portal-sync-$$.tgz" +CT_TGZ="/tmp/sankofa-portal-sync.tgz" + +cleanup() { rm -f "$TMP_TGZ"; } +trap cleanup EXIT + +if $DRY_RUN; then + echo "[DRY-RUN] tar (exclude node_modules,.next,.git) → $TMP_TGZ" + echo "[DRY-RUN] scp → root@${PROXMOX_HOST}:${REMOTE_TGZ}" + echo "[DRY-RUN] ssh pct push ${VMID} … && pct exec ${VMID} systemctl stop ${SERVICE_NAME}" + echo "[DRY-RUN] pct exec: tar xf into ${CT_APP_DIR}; pnpm install; pnpm build; systemctl start ${SERVICE_NAME}" + exit 0 +fi + +echo "📦 Archiving portal (excluding node_modules, .next, .git, .env / .env.local)…" +tar czf "$TMP_TGZ" \ + --exclude=node_modules \ + --exclude=.next \ + --exclude=.git \ + --exclude=.env.local \ + --exclude=.env \ + -C "$SANKOFA_PORTAL_SRC" . + +echo "📤 Copy to Proxmox host…" +scp $SSH_OPTS "$TMP_TGZ" "root@${PROXMOX_HOST}:${REMOTE_TGZ}" + +echo "📥 Push into CT ${VMID} and build…" +ssh $SSH_OPTS "root@${PROXMOX_HOST}" bash -s </dev/null || { echo "ERROR: pnpm missing in CT"; exit 1; } + pnpm install + pnpm build +' +pct exec ${VMID} -- systemctl start ${SERVICE_NAME} +pct exec ${VMID} -- systemctl is-active ${SERVICE_NAME} +REMOTE_EOF + +echo "" +echo "🔐 Ensuring NextAuth URL/secret on CT (see sankofa-portal-ensure-nextauth-on-ct.sh)…" +SANKOFA_PORTAL_NEXTAUTH_URL="${SANKOFA_PORTAL_NEXTAUTH_URL:-https://sankofa.nexus}" +export SANKOFA_PORTAL_VMID SANKOFA_PORTAL_CT_DIR SANKOFA_PORTAL_SERVICE SANKOFA_PORTAL_NEXTAUTH_URL PROXMOX_HOST +bash "${SCRIPT_DIR}/sankofa-portal-ensure-nextauth-on-ct.sh" + +echo "" +echo "✅ Done. Verify:" +echo " curl -sS http://${IP_SANKOFA_PORTAL:-192.168.11.51}:3000/ | head -c 120" +echo " curl -sSI https://sankofa.nexus/api/auth/signin | head -n 15" +echo " https://sankofa.nexus/ (via NPM)" +echo "" +echo "Override public auth URL: SANKOFA_PORTAL_NEXTAUTH_URL=https://portal.sankofa.nexus $0"
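Review bot: The archive step excludes only `.env` and `.env.local`, but Next.js also loads `.env.production`, `.env.development` and their `.local` variants, so a secret-bearing `.env.production` in the portal tree would still be shipped to the CT; replacing the two excludes with `--exclude='.env' --exclude='.env.*'` covers the whole family (it also drops `.env.example`, which is harmless for a deploy), and the dry-run line that still says "exclude node_modules,.next,.git" should list the env files as well. The remote `pnpm install` runs without `--frozen-lockfile`, so the build on the CT may resolve dependency versions that differ from the reviewed `pnpm-lock.yaml`; `pnpm install --frozen-lockfile` makes the production install fail rather than drift. `REMOTE_TGZ` and `CT_TGZ` are fixed-pattern paths under `/tmp` on the host and in the container, while the `cleanup` trap removes only the local `$TMP_TGZ`; the remote heredoc is garbled in this view, so I could not confirm whether they are deleted after `pct push`/`tar xf`, and an `rm -f` for both on the remote side would avoid leaving a copy of the source tree behind. `$SSH_OPTS` is also expanded unquoted on the `scp`/`ssh` lines; an array `ssh_opts=(-o BatchMode=yes …)` passed as `"${ssh_opts[@]}"` is the ShellCheck-clean form.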