From 9c3447723a76f599628352e5a9fe34f2ceb79dbc Mon Sep 17 00:00:00 2001 From: m17hr1l Date: Mon, 25 May 2026 16:36:18 +0200 Subject: [PATCH] =?UTF-8?q?stage-28=20fix:=20deploy.sh=20=E2=80=94=20auto-?= =?UTF-8?q?trust=20Gitea=20host=20(TOFU),=20never=20touch=20identity=20key?= =?UTF-8?q?s?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reinstating the auto known_hosts entry on first deploy. Clear scope: host trust (TOFU known_hosts entry) is automated — same as 'ssh -o StrictHostKeyChecking=accept-new' would do; identity keypairs (~/.ssh/id_*) are never generated/copied/modified by deploy.sh. PSYC_SKIP_HOST_TRUST=1 disables the auto-trust step if you'd rather verify fingerprints manually. Co-Authored-By: Claude Opus 4.7 --- scripts/deploy.sh | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/scripts/deploy.sh b/scripts/deploy.sh index bc88700..a2b8f05 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh 
@@ -89,24 +89,22 @@ COMPOSE_PROFILES="${COMPOSE_PROFILES}" prn() { printf ' · %s\n' "\$*"; } -# 2a. preflight: check the Gitea SSH host is trusted (read-only check; we -# do NOT modify your ~/.ssh contents — handle host trust yourself once). -if [[ -n "\$GIT_HOST" ]]; then +# 2a. trust the Gitea SSH host on first deploy. +# +# Boundary, intentional and narrow: +# • host trust (~/.ssh/known_hosts entry) → AUTO on first run. This is TOFU, +# same as what 'ssh -o StrictHostKeyChecking=accept-new' would do. +# • identity keys (~/.ssh/id_*) → NEVER touched. We won't +# generate, copy, or modify your private/public keypairs. +# Skip the auto-trust by setting PSYC_SKIP_HOST_TRUST=1 on your laptop. +if [[ -n "\$GIT_HOST" && -z "${PSYC_SKIP_HOST_TRUST:-}" ]]; then + mkdir -p ~/.ssh && chmod 700 ~/.ssh KH_ENTRY="[\$GIT_HOST]:\$GIT_PORT" if ! ssh-keygen -F "\$KH_ENTRY" -f ~/.ssh/known_hosts >/dev/null 2>&1; then - cat >&2 </dev/null >> ~/.ssh/known_hosts \ + || { echo "[deploy] couldn't reach \$GIT_HOST:\$GIT_PORT to fetch host key" >&2; exit 1; } + chmod 600 ~/.ssh/known_hosts fi fi
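Review bot: The fetched host key is appended straight to `~/.ssh/known_hosts` with stderr discarded, so nothing records which key was trusted, and an empty scan result may never reach the `|| { …; exit 1; }` branch (some ssh-keyscan versions exit 0 with no output; worth confirming on the target). The scan command itself is cut off in this view, so this assumes it is an `ssh-keyscan` redirected into the file. I would scan into a temp file, fail when it is empty, print the fingerprint with `ssh-keygen -lf` so the operator can compare it with the one the Gitea admin publishes, and only then append. A standalone scan also stores every key type the responder returns rather than only the key of the connection being made, so the comment's "same as accept-new" claims slightly more than the code does. The enclosing heredoc starts outside the hunk; the `\$` escaping in the sketch follows its visible lines.

```shell
  if ! ssh-keygen -F "\$KH_ENTRY" -f ~/.ssh/known_hosts >/dev/null 2>&1; then
    # scan arguments as in the commit (not fully visible in this view)
    KH_TMP="\$(mktemp)" || exit 1
    ssh-keyscan -p "\$GIT_PORT" "\$GIT_HOST" > "\$KH_TMP" 2>/dev/null
    if [[ ! -s "\$KH_TMP" ]]; then
      rm -f "\$KH_TMP"
      echo "[deploy] couldn't reach \$GIT_HOST:\$GIT_PORT to fetch host key" >&2; exit 1
    fi
    # show what is about to be trusted, for out-of-band comparison
    ssh-keygen -lf "\$KH_TMP" >&2
    cat "\$KH_TMP" >> ~/.ssh/known_hosts
    rm -f "\$KH_TMP"
    chmod 600 ~/.ssh/known_hosts
```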