tractatus/scripts/deploy-full-project-SAFE.sh
TheFlow 971690bb64 feat(cache): enforce mandatory cache version updates for JS changes
- Enhanced update-cache-version.js to update service worker and version.json
- Added inst_075 governance instruction (HIGH persistence)
- Integrated cache check into deployment script (Step 1/5)
- Created CACHE_MANAGEMENT_ENFORCEMENT.md documentation
- Bumped version to 0.1.1
- Updated all HTML cache parameters

BREAKING: Deployment now blocks if JS changed without cache update
2025-10-24 09:43:20 +13:00


#!/bin/bash
##
## SAFE Full Project Deployment Script
## Uses .rsyncignore to exclude sensitive files
##
## WARNING: Only use this for initial deployment or major updates
## For regular deployments, use deploy-frontend.sh instead
##
# Stop at the first command that exits non-zero. Note that without
# `pipefail` only the LAST stage of a pipeline is checked.
set -e

# --- Deployment source, target and credentials ------------------------------
# Local tree that is synced to the server.
PROJECT_ROOT='/home/theflow/projects/tractatus'
# SSH identity file handed to `ssh -i` for the rsync transport.
DEPLOY_KEY='/home/theflow/.ssh/tractatus_deploy'
REMOTE_HOST='vps-93a693da.vps.ovh.net'
REMOTE_USER='ubuntu'
REMOTE_PATH='/var/www/tractatus'

# --- ANSI colour escapes (kept as literal backslash sequences; they are
# --- only turned into control characters by `echo -e` further down) --------
NC='\033[0m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
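echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${YELLOW} TRACTATUS FULL PROJECT DEPLOYMENT (SAFE MODE)${NC}"
echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo -e "${GREEN}[1/5] CACHE VERSION UPDATE (MANDATORY)${NC}"
echo ""

# Step 1 gate: if any public/js/*.js file changed, the cache version must be
# bumped before anything is deployed.
#
# Work from the project root for the whole script. Previously `git diff` ran
# in whatever directory the operator happened to be in; outside the repo it
# failed, the error was discarded, and the "mandatory" check reported
# "no JavaScript files changed" (fail-open).
cd "$PROJECT_ROOT" || {
  echo -e "${RED}✗ ERROR: cannot cd to $PROJECT_ROOT${NC}"
  exit 1
}

# Keep git's exit status separate from grep's: a git failure must block the
# deployment, whereas "grep found nothing" is the normal no-change case.
# NOTE(review): this compares the working tree with HEAD~1 (the previous
# commit), not with the revision that was last deployed. JavaScript changes
# made two or more commits ago are not detected here.
if ! DIFF_NAMES=$(git diff --name-only HEAD~1); then
  echo -e "${RED}✗ ERROR: 'git diff' failed in $PROJECT_ROOT${NC}"
  echo "Cannot tell whether JavaScript files changed; refusing to skip the mandatory cache check."
  exit 1
fi
CHANGED_JS=$(printf '%s\n' "$DIFF_NAMES" | grep "public/js/.*\.js$" || true)

if [ -n "$CHANGED_JS" ]; then
  echo -e "${YELLOW}⚠ JavaScript files changed since last commit:${NC}"
  echo "$CHANGED_JS" | sed 's/^/ - /'
  echo ""
  echo -e "${YELLOW}Running cache version update (MANDATORY)...${NC}"
  # Run cache version update (already in $PROJECT_ROOT; `set -e` aborts the
  # deployment if the updater exits non-zero).
  node scripts/update-cache-version.js
  echo ""
  echo -e "${GREEN}✓ Cache version updated${NC}"
  echo ""
  echo -e "${YELLOW}⚠ IMPORTANT: Uncommitted changes detected!${NC}"
  echo "Cache version files have been updated. You should:"
  echo " 1. Review changes: git diff"
  echo " 2. Commit: git add -A && git commit -m 'chore: bump cache version'"
  echo " 3. Re-run deployment"
  echo ""
  # Anything other than the literal word "yes" cancels; -r keeps backslashes
  # in the answer from being interpreted.
  read -r -p "Continue deployment with uncommitted cache changes? (yes/NO): " continue_uncommitted
  if [ "$continue_uncommitted" != "yes" ]; then
    echo "Deployment cancelled. Commit cache version changes first."
    exit 1
  fi
else
  echo -e "${GREEN}✓ No JavaScript files changed - cache version update not required${NC}"
fi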
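echo ""
echo -e "${GREEN}[2/5] PRE-DEPLOYMENT CHECKS${NC}"
echo ""

# The rsync exclude list is what keeps sensitive files out of the upload, so
# its absence is a hard stop.
if [ ! -f "$PROJECT_ROOT/.rsyncignore" ]; then
  echo -e "${RED}✗ ERROR: .rsyncignore not found!${NC}"
  echo "This file is required to prevent sensitive data deployment."
  echo "Expected location: $PROJECT_ROOT/.rsyncignore"
  exit 1
fi

# A file that exists but holds only blank lines and comments excludes
# nothing, so rsync would upload the whole tree. Require at least one line
# that is neither blank nor a '#'/';' comment.
if ! grep -q -v -e '^[#;]' -e '^[[:space:]]*$' "$PROJECT_ROOT/.rsyncignore"; then
  echo -e "${RED}✗ ERROR: .rsyncignore contains no exclude patterns!${NC}"
  echo "An empty exclude list would deploy every file under $PROJECT_ROOT."
  exit 1
fi
echo -e "${GREEN}✓ .rsyncignore found${NC}"

# Check if local server is running (for testing verification).
# This only proves that something is listening on port 9000 (or that lsof is
# unavailable); it is an advisory prompt, not a test run.
if ! lsof -i :9000 >/dev/null 2>&1; then
  echo -e "${RED}✗ WARNING: Local server not running on port 9000${NC}"
  echo "It's recommended to test changes locally before deployment."
  read -r -p "Continue anyway? (yes/NO): " continue_no_server
  if [ "$continue_no_server" != "yes" ]; then
    echo "Deployment cancelled. Start local server with: npm start"
    exit 1
  fi
else
  echo -e "${GREEN}✓ Local server running on port 9000${NC}"
fi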
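# Check for version parameter updates in HTML files.
# Advisory only: nothing in this section blocks the deployment.
echo ""
echo "Checking version parameters in HTML files..."

# Search by absolute path so the result does not depend on the caller's
# working directory, and recurse with grep itself: `public/**/*.html` only
# descends more than one level when `shopt -s globstar` is set, which this
# script never does.
HTML_ROOT="$PROJECT_ROOT/public"
VERSION_FILES=$(grep -rl --include='*.html' -- '\.js?v=' "$HTML_ROOT" 2>/dev/null || true)

if [ -z "$VERSION_FILES" ]; then
  echo -e "${YELLOW}⚠ No version parameters found in HTML files${NC}"
  echo "Consider adding version parameters for cache busting (e.g., script.js?v=timestamp)"
else
  echo -e "${GREEN}✓ Version parameters found in HTML files${NC}"
  # -h drops the "file:" prefix grep adds when it searches several files.
  # With the prefix the values were not integers, the `-lt` test below
  # errored out, and the staleness warning could never be shown.
  VERSION_VALUES=$(grep -rhoP --include='*.html' 'v=\K\d+' "$HTML_ROOT" 2>/dev/null | sort -n)
  OLDEST_VERSION=$(printf '%s\n' "$VERSION_VALUES" | head -1)
  NEWEST_VERSION=$(printf '%s\n' "$VERSION_VALUES" | tail -1)
  CURRENT_TIME=$(date +%s)
  # NOTE(review): the comparison assumes v= values are Unix timestamps in
  # seconds. If update-cache-version.js writes semantic versions instead,
  # `\d+` captures only the leading digits and this warning always fires.
  # Confirm against the updater.
  if [[ "$NEWEST_VERSION" =~ ^[0-9]+$ ]] && [ "$NEWEST_VERSION" -lt "$((CURRENT_TIME - 3600))" ]; then
    echo -e "${YELLOW}⚠ Newest version parameter is >1 hour old${NC}"
    echo " Newest: $NEWEST_VERSION"
    echo " Current time: $CURRENT_TIME"
    echo " Consider updating version parameters for new deployments"
  fi
fi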
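# Show excluded patterns
echo ""
echo -e "${GREEN}[3/5] SECURITY CHECK${NC}"
echo "Excluded patterns from .rsyncignore:"
# Drop comments and blank lines BEFORE truncating. The old order (head -20,
# then filter) showed few or no patterns whenever the file opened with a
# long comment header, which made this "security check" look empty.
# This is a display aid only: it lists what is configured and does not
# verify that any particular sensitive file is covered.
grep -v -e '^#' -e '^$' "$PROJECT_ROOT/.rsyncignore" | head -20 | sed 's/^/ - /'
echo " ... (see .rsyncignore for full list)"
echo ""

# Confirm deployment
echo -e "${GREEN}[4/5] DEPLOYMENT CONFIRMATION${NC}"
echo -e "${YELLOW}WARNING: This will sync the ENTIRE project directory${NC}"
echo "Source: $PROJECT_ROOT"
echo "Destination: $REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"
echo ""
# Only the exact answer "yes" proceeds; -r stops backslash interpretation.
read -r -p "Continue? (yes/NO): " confirm
if [ "$confirm" != "yes" ]; then
  echo "Deployment cancelled."
  exit 0
fi
echo ""
echo -e "${GREEN}Starting deployment...${NC}"
echo ""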
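# One option list shared by the dry run and the real run, so the preview
# the operator approves cannot drift from what is actually executed.
#
# --delete removes remote files that no longer exist locally. Paths matched
# by --exclude-from are skipped in BOTH directions: they are not uploaded,
# and copies already on the server from an earlier deployment are neither
# deleted nor listed. The exclude list therefore does not clean up a
# sensitive file that reached the server before it was excluded.
RSYNC_OPTS=(
  -avz --delete
  -e "ssh -i $DEPLOY_KEY"
  --exclude-from="$PROJECT_ROOT/.rsyncignore"
)
RSYNC_SRC="$PROJECT_ROOT/"
RSYNC_DEST="${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_PATH}/"

# Dry run first
echo -e "${YELLOW}Dry-run preview...${NC}"
# Capture the output instead of piping rsync straight into `tail`: in a
# pipeline without pipefail only tail's status is checked, so a failed dry
# run (bad key, unreachable host) went unnoticed and the operator was asked
# to approve an empty preview.
if ! DRY_RUN_OUTPUT=$(rsync -n "${RSYNC_OPTS[@]}" "$RSYNC_SRC" "$RSYNC_DEST"); then
  echo -e "${RED}✗ ERROR: rsync dry-run failed${NC}"
  exit 1
fi
printf '%s\n' "$DRY_RUN_OUTPUT" | tail -20
echo ""

# The last 20 lines are mostly rsync's summary, so list pending deletions
# explicitly. They are the irreversible part of a --delete sync.
DELETE_COUNT=$(printf '%s\n' "$DRY_RUN_OUTPUT" | grep -c '^deleting ' || true)
echo "Remote paths that --delete would remove: $DELETE_COUNT"
if [ "$DELETE_COUNT" -gt 0 ]; then
  printf '%s\n' "$DRY_RUN_OUTPUT" | grep '^deleting ' | sed 's/^/ - /'
fi
echo ""

read -r -p "Dry-run complete. Proceed with actual deployment? (yes/NO): " confirm2
if [ "$confirm2" != "yes" ]; then
  echo "Deployment cancelled after dry-run."
  exit 0
fi

# Actual deployment (`set -e` aborts before the success banner if rsync
# exits non-zero).
echo ""
echo -e "${GREEN}[5/5] DEPLOYING TO PRODUCTION${NC}"
rsync "${RSYNC_OPTS[@]}" "$RSYNC_SRC" "$RSYNC_DEST"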
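# Success banner followed by copy-and-paste follow-up commands.
echo ""
echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${GREEN} DEPLOYMENT COMPLETE${NC}"
echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"

# Unquoted here-doc: the variables expand, everything else is printed
# literally.
# Fix: the verification hint used to print `echo NOT FOUND (good)` unquoted
# inside the remote command. The bare parentheses are a shell syntax error
# on the remote side, so the suggested check produced an error instead of a
# result. It also hard-coded the remote directory, which now comes from
# $REMOTE_PATH.
# The hint checks one file (CLAUDE.md) only. Finding it absent does not
# show that every path listed in .rsyncignore is absent from the server.
cat <<EOF

Next steps:
1. Verify sensitive files NOT deployed:
 ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'ls -la $REMOTE_PATH/CLAUDE.md 2>/dev/null || echo "NOT FOUND (good)"'

2. Restart server if needed:
 ssh -i $DEPLOY_KEY $REMOTE_USER@$REMOTE_HOST 'sudo systemctl restart tractatus'

3. Test site: https://agenticgovernance.digital

EOF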