From 287c4b5372d9d0d4825aa38be05fc6b540f65766 Mon Sep 17 00:00:00 2001 From: AdrianoDev Date: Wed, 29 Apr 2026 21:25:38 +0200 Subject: [PATCH] chore: rimuovi deploy.sh e cache registry buildx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - scripts/deploy.sh eliminato (sostituito da deploy-noclone.sh) - build-push.sh: rimossa cache-from/cache-to registry (cache buildx locale del laptop sufficiente, niente più image buildcache:* sul registry Gitea) - doc cleanup riferimenti orfani Co-Authored-By: Claude Opus 4.7 (1M context) --- DEPLOYMENT.md | 5 +- scripts/build-push.sh | 3 - scripts/deploy-noclone.sh | 7 +- scripts/deploy.sh | 171 -------------------------------------- 4 files changed, 7 insertions(+), 179 deletions(-) delete mode 100755 scripts/deploy.sh diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md index 625fee9..cbc9437 100644 --- a/DEPLOYMENT.md +++ b/DEPLOYMENT.md @@ -45,8 +45,9 @@ export GITEA_USER=adriano Lo script: - Fa `docker login git.tielogic.xyz`. -- Builda con `docker buildx build --push` (cache via registry stesso, - `buildcache:` per ognuna → build successivi 5-10× più veloci). +- Builda con `docker buildx build --push` (cache buildx locale del + laptop, niente cache registry: build successivi rapidi senza pesare + sul registry). - Tagga `:latest` + `:sha-`. - Per le mcp-* passa `BASE_IMAGE`/`BASE_TAG` come build-arg in modo da ereditare dall'image `base` appena pushata. diff --git a/scripts/build-push.sh b/scripts/build-push.sh index 0f0f0b3..ff0771b 100755 --- a/scripts/build-push.sh +++ b/scripts/build-push.sh 
@@ -56,15 +56,12 @@ build_one() { local tag_latest="$IMAGE_PREFIX/$name:latest" local tag_sha="$IMAGE_PREFIX/$name:sha-$SHA" - local cache_ref="$IMAGE_PREFIX/buildcache:$name" echo "=== [$name] build & push ===" local args=(buildx build --push -f "$file" -t "$tag_latest" -t "$tag_sha" - --cache-from "type=registry,ref=$cache_ref" - --cache-to "type=registry,ref=$cache_ref,mode=max" ) if [[ "$name" == mcp-* ]]; then args+=(--build-arg "BASE_IMAGE=$IMAGE_PREFIX/base" diff --git a/scripts/deploy-noclone.sh b/scripts/deploy-noclone.sh index 2082c2b..e7d6759 100755 --- a/scripts/deploy-noclone.sh +++ b/scripts/deploy-noclone.sh @@ -1,9 +1,10 @@ #!/usr/bin/env bash -# Cerbero_mcp — deploy script (no-clone) per VPS produzione. +# Cerbero_mcp — deploy script per VPS produzione. # -# Variante di deploy.sh che NON clona il repo; scarica solo i file +# Sul VPS NON viene clonato il repo: lo script scarica solo i file # strettamente necessari al runtime (compose, Caddyfile, public assets) -# via raw HTTP da Gitea. Image pre-built dal registry come deploy.sh. +# via raw HTTP da Gitea. Le image vengono pullate pre-built dal registry +# Gitea (buildate dal laptop dev con scripts/build-push.sh). # # Pre-requisiti sul VPS (NON gestiti da questo script): # 1. Docker Engine ≥ 24 + plugin docker compose installati. diff --git a/scripts/deploy.sh b/scripts/deploy.sh deleted file mode 100755 index eb16e35..0000000 --- a/scripts/deploy.sh +++ /dev/null 
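Review bot: The rewritten header of scripts/deploy-noclone.sh says the runtime files (compose, Caddyfile, public assets) are fetched "via raw HTTP da Gitea" and the images are pulled pre-built from the registry, but it does not say which git ref or image tag the production VPS ends up running. The script body is outside this hunk, so it cannot be seen here whether the download is pinned to a commit or checked against a checksum; if it follows a branch head and `:latest`, whatever was pushed last to either is what gets deployed. build-push.sh already publishes a `sha-$SHA` tag next to `:latest`, so the header could record the choice with a line such as `# Files are fetched from ref <REF> and images pulled at tag <TAG>; use the sha-<SHA> tag for a reproducible deploy.` It would also help to state whether "raw HTTP" means HTTPS, since the compose file and Caddyfile decide what runs and what is exposed on the host.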
@@ -1,171 +0,0 @@ -#!/usr/bin/env bash -# Cerbero_mcp — deploy script per VPS produzione. -# -# Pre-requisiti sul VPS (NON gestiti da questo script): -# 1. Docker Engine ≥ 24 + plugin docker compose installati. -# 2. DNS A record `cerbero-mcp.tielogic.xyz` → IP del VPS. -# 3. Porte 80 e 443 aperte sul firewall (per ACME + traffico HTTPS). -# 4. PAT Gitea con scope `read:package`, salvato in env `$GITEA_PAT`. -# 5. Username Gitea in env `$GITEA_USER` (default: adriano). -# 6. Secret JSON exchange + token bearer disponibili in $SECRETS_SRC -# (default: ~/cerbero-secrets/), che lo script copierà in -# $DEPLOY_DIR/secrets/ con permessi 600. -# -# Idempotente: rieseguibile per aggiornamenti. - -set -euo pipefail - -DEPLOY_DIR="${DEPLOY_DIR:-/opt/cerbero-mcp}" -SECRETS_SRC="${SECRETS_SRC:-$HOME/cerbero-secrets}" -GITEA_USER="${GITEA_USER:-adriano}" -GITEA_REPO_URL="${GITEA_REPO_URL:-ssh://git@git.tielogic.xyz:222/Adriano/Cerbero-mcp.git}" -REGISTRY="${REGISTRY:-git.tielogic.xyz}" -DOMAIN="${DOMAIN:-cerbero-mcp.tielogic.xyz}" -AUDIT_LOG_DIR="${AUDIT_LOG_DIR:-/var/log/cerbero-mcp}" - -echo "=== Cerbero_mcp deploy → $DEPLOY_DIR (domain $DOMAIN) ===" - -# ────────────────────────────────────────────────────────────── -# 1. Verifica pre-requisiti -# ────────────────────────────────────────────────────────────── -command -v docker >/dev/null || { echo "FATAL: docker non installato"; exit 1; } -docker compose version >/dev/null || { echo "FATAL: docker compose plugin assente"; exit 1; } - -if [ -z "${GITEA_PAT:-}" ]; then - echo "FATAL: env GITEA_PAT non settata. Export del PAT con scope read:package prima." - exit 1 -fi - -if [ ! -d "$SECRETS_SRC" ]; then - echo "FATAL: secrets src dir $SECRETS_SRC non esiste." 
- echo " Atteso contenere: deribit.json bybit.json hyperliquid.json alpaca.json" - echo " macro.json sentiment.json core.token observer.token" - exit 1 -fi - -# Check DNS resolution (warning only, non blocca) -ip_resolved=$(getent hosts "$DOMAIN" | awk '{print $1}' | head -1 || true) -if [ -z "$ip_resolved" ]; then - echo "WARN: $DOMAIN non risolve via DNS — TLS Let's Encrypt fallirà finché DNS non propaga." -else - echo "DNS $DOMAIN → $ip_resolved" -fi - -# ────────────────────────────────────────────────────────────── -# 2. Login al container registry -# ────────────────────────────────────────────────────────────── -echo "=== docker login $REGISTRY ===" -echo "$GITEA_PAT" | docker login "$REGISTRY" -u "$GITEA_USER" --password-stdin - -# ────────────────────────────────────────────────────────────── -# 3. Setup dir + clone/pull repo -# ────────────────────────────────────────────────────────────── -sudo mkdir -p "$DEPLOY_DIR" -sudo chown "$USER:$USER" "$DEPLOY_DIR" - -if [ -d "$DEPLOY_DIR/.git" ]; then - echo "=== Aggiornamento repo $DEPLOY_DIR ===" - git -C "$DEPLOY_DIR" pull --ff-only -else - echo "=== Clone repo $GITEA_REPO_URL → $DEPLOY_DIR ===" - git clone "$GITEA_REPO_URL" "$DEPLOY_DIR" -fi - -cd "$DEPLOY_DIR" - -# ────────────────────────────────────────────────────────────── -# 4. Copia secrets con permessi 600 -# ────────────────────────────────────────────────────────────── -mkdir -p secrets -echo "=== Copia secrets da $SECRETS_SRC ===" -for f in deribit.json bybit.json hyperliquid.json alpaca.json macro.json sentiment.json core.token observer.token; do - if [ -f "$SECRETS_SRC/$f" ]; then - cp "$SECRETS_SRC/$f" "secrets/$f" - chmod 600 "secrets/$f" - echo " ok: secrets/$f" - else - echo " WARN: $SECRETS_SRC/$f assente — il servizio relativo fallirà al boot." - fi -done - -# ────────────────────────────────────────────────────────────── -# 5. Crea/aggiorna .env (preserva esistente) -# ────────────────────────────────────────────────────────────── -if [ ! 
-f .env ]; then - echo "=== Creazione .env iniziale (testnet di default) ===" - cat > .env <" -echo " Audit: tail -f $AUDIT_LOG_DIR/*.audit.jsonl" -echo " Restart: docker compose ${COMPOSE_FILES[*]} --env-file .env restart " -echo " Stop: docker compose ${COMPOSE_FILES[*]} --env-file .env down"