feat(deploy): Sankofa portal sync excludes secrets; ensure NextAuth on CT

- Tar excludes .env/.env.local; post-sync sets NEXTAUTH_URL on .env and .env.local
- New sankofa-portal-ensure-nextauth-on-ct.sh; optional SANKOFA_PORTAL_NEXTAUTH_URL
- AGENTS.md pointer to ensure script

Made-with: Cursor

scripts/deployment/sankofa-portal-ensure-nextauth-on-ct.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Ensure CT 7801 (or VMID) has NEXTAUTH_URL (public NPM host) and NEXTAUTH_SECRET.
+# Does not print secret values. Safe to run after every portal sync.
+#
+# Env: PROXMOX_HOST, SANKOFA_PORTAL_VMID, SANKOFA_PORTAL_CT_DIR, SANKOFA_PORTAL_NEXTAUTH_URL
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=/dev/null
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+
+PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
+VMID="${SANKOFA_PORTAL_VMID:-7801}"
+CT_APP_DIR="${SANKOFA_PORTAL_CT_DIR:-/opt/sankofa-portal}"
+SERVICE_NAME="${SANKOFA_PORTAL_SERVICE:-sankofa-portal}"
+NEXTAUTH_PUBLIC_URL="${SANKOFA_PORTAL_NEXTAUTH_URL:-https://sankofa.nexus}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- bash -s" <<EOF
+set -euo pipefail
+mkdir -p "${CT_APP_DIR}"
+cd "${CT_APP_DIR}"
+
+# .env.local (preferred for secrets / overrides)
+ENV_LOCAL=".env.local"
+touch "\$ENV_LOCAL"
+if grep -q '^NEXTAUTH_URL=' "\$ENV_LOCAL" 2>/dev/null; then
+  sed -i "s|^NEXTAUTH_URL=.*|NEXTAUTH_URL=${NEXTAUTH_PUBLIC_URL}|" "\$ENV_LOCAL"
+else
+  printf '%s\n' "NEXTAUTH_URL=${NEXTAUTH_PUBLIC_URL}" >> "\$ENV_LOCAL"
+fi
+if ! grep -q '^NEXTAUTH_SECRET=' "\$ENV_LOCAL" 2>/dev/null; then
+  printf '%s\n' "NEXTAUTH_SECRET=\$(openssl rand -hex 32)" >> "\$ENV_LOCAL"
+fi
+
+# .env on CT often ships with LAN NEXTAUTH_URL; Next merges both — align to public URL.
+if [[ -f .env ]] && grep -q '^NEXTAUTH_URL=' .env 2>/dev/null; then
+  sed -i "s|^NEXTAUTH_URL=.*|NEXTAUTH_URL=${NEXTAUTH_PUBLIC_URL}|" .env
+fi
+EOF
+
+ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl restart ${SERVICE_NAME}"
+ssh $SSH_OPTS "root@${PROXMOX_HOST}" "pct exec ${VMID} -- systemctl is-active ${SERVICE_NAME}"
+
+echo "NextAuth env ensured on CT ${VMID} (NEXTAUTH_URL=${NEXTAUTH_PUBLIC_URL}; secret added only if missing). Service restarted."

scripts/deployment/sync-sankofa-portal-7801.sh

@@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+# Sync Sankofa Next.js portal source to LXC 7801, install deps, production build, restart systemd.
+# Prerequisites: SSH root@PROXMOX_HOST; portal tree at SANKOFA_PORTAL_SRC (default: sibling ../Sankofa/portal).
+#
+# Usage:
+#   ./scripts/deployment/sync-sankofa-portal-7801.sh [--dry-run]
+# Env:
+#   PROXMOX_HOST (default 192.168.11.11), SANKOFA_PORTAL_VMID (7801), SANKOFA_PORTAL_SRC, IP_SANKOFA_PORTAL (for post-check only)
+#   SANKOFA_PORTAL_NEXTAUTH_URL (default https://sankofa.nexus) — applied on CT after build
+#
+# See: docs/03-deployment/PUBLIC_SECTOR_LIVE_DEPLOYMENT_CHECKLIST.md (Phoenix CT 7801)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+# shellcheck source=/dev/null
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+
+PROXMOX_HOST="${PROXMOX_HOST:-${PROXMOX_HOST_R630_01:-192.168.11.11}}"
+VMID="${SANKOFA_PORTAL_VMID:-7801}"
+CT_APP_DIR="${SANKOFA_PORTAL_CT_DIR:-/opt/sankofa-portal}"
+SERVICE_NAME="${SANKOFA_PORTAL_SERVICE:-sankofa-portal}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+DEFAULT_SRC="${PROJECT_ROOT}/../Sankofa/portal"
+if [[ -d "$DEFAULT_SRC" ]]; then
+  SANKOFA_PORTAL_SRC="${SANKOFA_PORTAL_SRC:-$DEFAULT_SRC}"
+else
+  SANKOFA_PORTAL_SRC="${SANKOFA_PORTAL_SRC:-}"
+fi
+
+DRY_RUN=false
+[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true
+
+echo "=== Sync Sankofa portal → CT ${VMID} (${CT_APP_DIR}) ==="
+echo "Proxmox: ${PROXMOX_HOST}"
+echo "Source:  ${SANKOFA_PORTAL_SRC:-<unset>}"
+echo ""
+
+if [[ -z "$SANKOFA_PORTAL_SRC" || ! -d "$SANKOFA_PORTAL_SRC" ]]; then
+  echo "ERROR: Set SANKOFA_PORTAL_SRC to the portal directory (clone of Sankofa/portal)."
+  echo "Example: SANKOFA_PORTAL_SRC=/path/to/Sankofa/portal $0"
+  exit 1
+fi
+
+if ! command -v tar >/dev/null; then
+  echo "ERROR: tar required"
+  exit 1
+fi
+
+TMP_TGZ="${TMPDIR:-/tmp}/sankofa-portal-sync-$$.tgz"
+REMOTE_TGZ="/tmp/sankofa-portal-sync-$$.tgz"
+CT_TGZ="/tmp/sankofa-portal-sync.tgz"
+
+cleanup() { rm -f "$TMP_TGZ"; }
+trap cleanup EXIT
+
+if $DRY_RUN; then
+  echo "[DRY-RUN] tar (exclude node_modules,.next,.git) → $TMP_TGZ"
+  echo "[DRY-RUN] scp → root@${PROXMOX_HOST}:${REMOTE_TGZ}"
+  echo "[DRY-RUN] ssh pct push ${VMID} … && pct exec ${VMID} systemctl stop ${SERVICE_NAME}"
+  echo "[DRY-RUN] pct exec: tar xf into ${CT_APP_DIR}; pnpm install; pnpm build; systemctl start ${SERVICE_NAME}"
+  exit 0
+fi
+
+echo "📦 Archiving portal (excluding node_modules, .next, .git, .env / .env.local)…"
+tar czf "$TMP_TGZ" \
+  --exclude=node_modules \
+  --exclude=.next \
+  --exclude=.git \
+  --exclude=.env.local \
+  --exclude=.env \
+  -C "$SANKOFA_PORTAL_SRC" .
+
+echo "📤 Copy to Proxmox host…"
+scp $SSH_OPTS "$TMP_TGZ" "root@${PROXMOX_HOST}:${REMOTE_TGZ}"
+
+echo "📥 Push into CT ${VMID} and build…"
+ssh $SSH_OPTS "root@${PROXMOX_HOST}" bash -s <<REMOTE_EOF
+set -euo pipefail
+pct push ${VMID} ${REMOTE_TGZ} ${CT_TGZ}
+rm -f ${REMOTE_TGZ}
+pct exec ${VMID} -- systemctl stop ${SERVICE_NAME} || true
+pct exec ${VMID} -- bash -lc 'set -euo pipefail
+  mkdir -p ${CT_APP_DIR}
+  cd ${CT_APP_DIR}
+  tar xzf ${CT_TGZ}
+  rm -f ${CT_TGZ}
+  command -v pnpm >/dev/null || { echo "ERROR: pnpm missing in CT"; exit 1; }
+  pnpm install
+  pnpm build
+'
+pct exec ${VMID} -- systemctl start ${SERVICE_NAME}
+pct exec ${VMID} -- systemctl is-active ${SERVICE_NAME}
+REMOTE_EOF
+
+echo ""
+echo "🔐 Ensuring NextAuth URL/secret on CT (see sankofa-portal-ensure-nextauth-on-ct.sh)…"
+SANKOFA_PORTAL_NEXTAUTH_URL="${SANKOFA_PORTAL_NEXTAUTH_URL:-https://sankofa.nexus}"
+export SANKOFA_PORTAL_VMID SANKOFA_PORTAL_CT_DIR SANKOFA_PORTAL_SERVICE SANKOFA_PORTAL_NEXTAUTH_URL PROXMOX_HOST
+bash "${SCRIPT_DIR}/sankofa-portal-ensure-nextauth-on-ct.sh"
+
+echo ""
+echo "✅ Done. Verify:"
+echo "   curl -sS http://${IP_SANKOFA_PORTAL:-192.168.11.51}:3000/ | head -c 120"
+echo "   curl -sSI https://sankofa.nexus/api/auth/signin | head -n 15"
+echo "   https://sankofa.nexus/ (via NPM)"
+echo ""
+echo "Override public auth URL: SANKOFA_PORTAL_NEXTAUTH_URL=https://portal.sankofa.nexus $0"