From 599ab722b550ab3d126c8d5f824a1f1a14dfeb58 Mon Sep 17 00:00:00 2001 From: James Date: Wed, 25 Mar 2026 02:19:59 -0400 Subject: [PATCH] Add Makefile for dev/prod deployment, update CLAUDE.md Co-Authored-By: Claude Opus 4.6 (1M context) --- clavitor.com/CLAUDE.md | 32 +++++++++++++++++++++-- clavitor.com/Makefile | 58 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 clavitor.com/Makefile diff --git a/clavitor.com/CLAUDE.md b/clavitor.com/CLAUDE.md index 96bd6bb..04eca2b 100644 --- a/clavitor.com/CLAUDE.md +++ b/clavitor.com/CLAUDE.md @@ -6,6 +6,33 @@ - SQLite DB: `clavitor.db` (pops, telemetry, uptime, incidents, accounts, vaults, sessions) - Dev mode: auto-detected when `templates/` dir exists on disk — reloads templates per request, but CSS/SVGs require rebuild (`go:embed`) - Port 8099 +- License: Elastic License 2.0 (NOT MIT) + +## Deployment + +### Dev (localhost — Florida) +``` +make dev # build + restart locally +make deploy-dev # same thing +``` + +### Prod (Zürich — zurich.inou.com) +``` +make deploy-prod # cross-compile amd64, scp to Zürich, restart systemd +``` + +Prod runs at `/opt/clavitor-web/` as systemd service `clavitor-web`. +Caddy reverse proxies `clavitor.ai`, `clavitor.com`, `dev.clavitor.ai` → `localhost:8099`. + +### First-time setup (already done) +``` +make setup-prod # creates /opt/clavitor-web, systemd service, uploads binary+db +``` +Then manually update `/etc/caddy/Caddyfile` to reverse_proxy. + +### SSH +- Prod: `ssh root@zurich.inou.com` +- Tailscale: `zurich` (100.70.148.118) — SSH may be blocked via Tailscale ## Build & Run ``` 
@@ -22,12 +49,14 @@ CSS and SVG changes require rebuild (embedded at compile time). Template changes - Square shapes for permanent UI elements. Circles only for transient animations (pulses, "You" dot) - Fonts: Figtree (body), JetBrains Mono (code/monospace) - No inline styles, no CSS in templates. Everything in clavitor.css. +- Always capitalize "Clavitor" in prose. Lowercase in code/paths/commands. ## Encryption Terminology - **Vault Encryption** — whole vault at rest -- **Credential Encryption** — per-field, server-side (AI agents can read via MCP) +- **Credential Encryption** — per-field, server-side (AI agents can read via CLI) - **Identity Encryption** — per-field, client-side via WebAuthn PRF (Touch ID only, server cannot decrypt) - Never use "sealed fields", "agent fields", "L1", "L2", "L3" +- Agents use CLI, NOT MCP (MCP exposes plaintext; CLI is scoped) ## POPs (Points of Presence) - Stored in `pops` table in clavitor.db — the single source of truth @@ -55,5 +84,4 @@ CSS and SVG changes require rebuild (embedded at compile time). Template changes - LightNode: Santiago, Bogotá, Manila, Dhaka - ishosting: Istanbul, Almaty - HostAfrica: Lagos, Nairobi -- Voyager NZ → switched to AWS for Auckland - Rackmill: Perth diff --git a/clavitor.com/Makefile b/clavitor.com/Makefile new file mode 100644 index 0000000..de7dfd2 --- /dev/null +++ b/clavitor.com/Makefile 
@@ -0,0 +1,58 @@
+BINARY = clavitor-web
+PROD_HOST = root@zurich.inou.com
+PROD_DIR = /opt/clavitor-web
+PROD_PORT = 8099
+
+.PHONY: build dev deploy-dev deploy-prod setup-prod
+
+# Build for local (dev)
+build:
+ CGO_ENABLED=1 go build -o $(BINARY) .
+
+# Run locally (dev mode — templates reload from disk)
+dev: build
+ pkill -f $(BINARY) 2>/dev/null || true
+ sleep 0.5
+ ./$(BINARY) &
+ @echo "→ http://localhost:$(PROD_PORT)"
+
+# Deploy to dev (localhost — just rebuild and restart)
+deploy-dev: build
+ pkill -f $(BINARY) 2>/dev/null || true
+ sleep 0.5
+ ./$(BINARY) &
+ @echo "✓ dev deployed → http://localhost:$(PROD_PORT)"
+
+# Build for prod (linux/amd64 for Zürich)
+build-prod:
+ GOOS=linux GOARCH=amd64 CGO_ENABLED=1 go build -o $(BINARY)-linux-amd64 .
+
+# Deploy to prod (Zürich)
+deploy-prod: build-prod
+ scp $(BINARY)-linux-amd64 clavitor.db $(PROD_HOST):$(PROD_DIR)/
+ ssh $(PROD_HOST) "cd $(PROD_DIR) && mv $(BINARY)-linux-amd64 $(BINARY) && systemctl restart clavitor-web"
+ @echo "✓ prod deployed → https://clavitor.ai"
+
+# First-time prod setup: create dir, systemd service, update Caddy
+setup-prod:
+ ssh $(PROD_HOST) "mkdir -p $(PROD_DIR)"
+ scp $(BINARY)-linux-amd64 clavitor.db $(PROD_HOST):$(PROD_DIR)/
+ ssh $(PROD_HOST) "mv $(PROD_DIR)/$(BINARY)-linux-amd64 $(PROD_DIR)/$(BINARY)"
+ ssh $(PROD_HOST) 'cat > /etc/systemd/system/clavitor-web.service << EOF\n\
+[Unit]\n\
+Description=clavitor-web\n\
+After=network.target\n\
+\n\
+[Service]\n\
+Type=simple\n\
+WorkingDirectory=$(PROD_DIR)\n\
+ExecStart=$(PROD_DIR)/$(BINARY)\n\
+Restart=always\n\
+RestartSec=5\n\
+Environment=PORT=$(PROD_PORT)\n\
+\n\
+[Install]\n\
+WantedBy=multi-user.target\n\
+EOF'
+ ssh $(PROD_HOST) "systemctl daemon-reload && systemctl enable --now clavitor-web"
+ @echo "✓ prod setup complete — now update Caddyfile to reverse_proxy localhost:$(PROD_PORT)"
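Review bot: `deploy-prod` uploads the local `clavitor.db` over the production database on every deploy, because its `scp` line lists the file next to the binary; the CLAUDE.md text in this same patch says that database holds accounts, vaults and sessions, so each release would replace live production state with whatever is on the developer machine, and the copy lands while the old process is still running since the restart only happens in the following `ssh` line. Routine deploys should ship the binary alone, `scp $(BINARY)-linux-amd64 $(PROD_HOST):$(PROD_DIR)/`, leaving the database upload to `setup-prod`, ideally behind a check that refuses to overwrite an existing file. Separately, the unit written by `setup-prod` has no `User=` line, so the web service runs as root; a dedicated account together with `NoNewPrivileges=true` and `ProtectSystem=strict` plus `ReadWritePaths=$(PROD_DIR)` would limit what a compromise of the web process can reach. The `\n\` line endings inside the single-quoted heredoc also look like they reach the remote shell literally rather than as newlines, so it is worth confirming that the unit file which lands on the host matches what the recipe shows.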