docs: fix rsync deployment issue and create deployment script

Problem: rsync with trailing slashes copied directory contents to wrong location
Solution: Created automated deployment script with correct patterns

Changes:
- Created scripts/deploy-security-middleware.sh (automated deployment)
- Created docs/DEPLOYMENT_RSYNC_PATTERNS.md (rsync best practices)
- Cleaned up incorrectly placed files on production
- Documented trailing slash behavior and correct patterns

This prevents future deployment issues and provides reliable automation.

docs/DEPLOYMENT_RSYNC_PATTERNS.md

@@ -0,0 +1,123 @@
+# Rsync Deployment Patterns for Tractatus
+
+## Issue Discovered: 2025-10-14
+
+During Phase 0 security deployment, files were deployed to incorrect locations due to rsync trailing slash behavior.
+
+### Problem: Trailing Slash Behavior
+
+**Incorrect command** (deployed contents to wrong location):
+```bash
+rsync -avz src/middleware/ src/routes/ user@host:/var/www/tractatus/
+```
+
+**What happened:**
+- `src/middleware/` with trailing slash = "copy contents of middleware/"
+- Files ended up in `/var/www/tractatus/` root instead of `/var/www/tractatus/src/middleware/`
+- All middleware and route files were dumped into root directory
+
+### Correct Patterns
+
+#### Pattern 1: Deploy directory contents to matching destination structure
+```bash
+# Deploy middleware files to remote middleware directory
+rsync -avz src/middleware/ user@host:/var/www/tractatus/src/middleware/
+
+# Deploy routes files to remote routes directory
+rsync -avz src/routes/ user@host:/var/www/tractatus/src/routes/
+```
+
+**Key:** Trailing slash on both source AND destination = copy contents into destination directory
+
+#### Pattern 2: Deploy entire directory tree
+```bash
+# Deploy entire src/ directory preserving structure
+rsync -avz src/ user@host:/var/www/tractatus/src/
+```
+
+**Key:** Trailing slash on source, matching destination = preserve structure
+
+#### Pattern 3: Deploy specific files
+```bash
+# Deploy individual files
+rsync -avz src/server.js src/utils/security-logger.js \
+  user@host:/var/www/tractatus/src/
+```
+
+**Key:** No trailing slash on files
+
+### Rsync Trailing Slash Rules
+
+| Source | Destination | Result |
+|--------|-------------|---------|
+| `dir/` | `/dest/` | Copies **contents** of dir into /dest/ |
+| `dir` | `/dest/` | Creates `/dest/dir/` with contents |
+| `dir/` | `/dest/dir/` | Copies contents into existing /dest/dir/ |
+| `file.js` | `/dest/` | Copies file.js into /dest/ |
+
+### Recommended Approach
+
+Use the automated deployment script:
+```bash
+./scripts/deploy-security-middleware.sh
+```
+
+This script uses correct patterns and handles:
+- ✅ Directory structure preservation
+- ✅ File permissions (D755 for dirs, F644 for files)
+- ✅ Service restart
+- ✅ Status verification
+
+### Manual Deployment (if needed)
+
+```bash
+# 1. Deploy middleware
+rsync -avz --chmod=D755,F644 -e "ssh -i ~/.ssh/tractatus_deploy" \
+  src/middleware/ \
+  ubuntu@vps-93a693da.vps.ovh.net:/var/www/tractatus/src/middleware/
+
+# 2. Deploy routes
+rsync -avz --chmod=D755,F644 -e "ssh -i ~/.ssh/tractatus_deploy" \
+  src/routes/ \
+  ubuntu@vps-93a693da.vps.ovh.net:/var/www/tractatus/src/routes/
+
+# 3. Deploy server and utils
+rsync -avz --chmod=D755,F644 -e "ssh -i ~/.ssh/tractatus_deploy" \
+  src/server.js src/utils/security-logger.js \
+  ubuntu@vps-93a693da.vps.ovh.net:/var/www/tractatus/src/
+
+# 4. Restart service
+ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net \
+  "sudo systemctl restart tractatus"
+```
+
+### Cleanup After Incorrect Deployment
+
+If files end up in the wrong location:
+
+```bash
+# SSH to server
+ssh -i ~/.ssh/tractatus_deploy ubuntu@vps-93a693da.vps.ovh.net
+
+# Remove incorrectly placed files from root
+cd /var/www/tractatus
+rm -f *.routes.js *.middleware.js index.js
+
+# Verify correct locations
+ls src/middleware/*.js
+ls src/routes/*.js
+
+# Re-deploy using correct pattern
+```
+
+### Prevention
+
+1. **Always** use the deployment script when possible
+2. **Test** rsync commands with `--dry-run` first
+3. **Verify** destination paths include full directory structure
+4. **Remember** trailing slash = "contents", no slash = "directory itself"
+
+---
+
+**Last Updated:** 2025-10-14
+**Issue Resolved:** Files cleaned up and correct deployment script created

scripts/deploy-security-middleware.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+###############################################################################
+# Tractatus Security Middleware Deployment Script
+# Deploys security middleware and routes to production with correct structure
+###############################################################################
+
+set -e  # Exit on error
+
+# Configuration
+REMOTE_USER="ubuntu"
+REMOTE_HOST="vps-93a693da.vps.ovh.net"
+SSH_KEY="$HOME/.ssh/tractatus_deploy"
+REMOTE_PATH="/var/www/tractatus"
+LOCAL_PATH="/home/theflow/projects/tractatus"
+
+echo "========================================="
+echo "Tractatus Security Deployment"
+echo "========================================="
+echo ""
+
+# Verify we're in the correct directory
+if [ ! -f "package.json" ] || [ ! -d "src/middleware" ]; then
+    echo "❌ Error: Must run from tractatus project root"
+    exit 1
+fi
+
+echo "📋 Deploying files to production..."
+echo ""
+
+# Deploy security middleware
+echo "1. Deploying security middleware..."
+rsync -avz --chmod=D755,F644 -e "ssh -i $SSH_KEY" \
+  src/middleware/ \
+  ${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/src/middleware/
+
+# Deploy routes
+echo "2. Deploying routes..."
+rsync -avz --chmod=D755,F644 -e "ssh -i $SSH_KEY" \
+  src/routes/ \
+  ${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/src/routes/
+
+# Deploy server.js and utils
+echo "3. Deploying server.js and utilities..."
+rsync -avz --chmod=D755,F644 -e "ssh -i $SSH_KEY" \
+  src/server.js \
+  src/utils/security-logger.js \
+  ${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/src/
+
+# Verify deployment
+echo ""
+echo "✅ Files deployed successfully"
+echo ""
+
+# Restart service
+echo "🔄 Restarting Tractatus service..."
+ssh -i $SSH_KEY ${REMOTE_USER}@${REMOTE_HOST} "sudo systemctl restart tractatus"
+
+sleep 3
+
+# Check status
+echo ""
+echo "📊 Service status:"
+ssh -i $SSH_KEY ${REMOTE_USER}@${REMOTE_HOST} "sudo systemctl status tractatus --no-pager -l | head -15"
+
+echo ""
+echo "========================================="
+echo "✨ Deployment complete!"
+echo "========================================="