ci(web): auto-deploy claudemesh-web to coolify on push to main

new workflow joins the tailnet via tailscale oauth then triggers
the coolify deploy endpoint. path filter scoped to web app + every
package transpiled into it, so broker/cli/docs changes skip it.
concurrency group coalesces rapid pushes.

requires three repo secrets: COOLIFY_TOKEN, TS_OAUTH_CLIENT_ID,
TS_OAUTH_SECRET (the OAuth client needs the devices:write scope and
the tag:ci tag in tailnet ACL tagOwners).

inline coolify token removed from CLAUDE.md — it now references
the repo secret. broker deploy is unchanged: it runs through the
gitea-vps webhook.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/deploy-web.yml

@@ -0,0 +1,71 @@
+name: Deploy claudemesh-web
+
+# Triggers a Coolify deploy of the apps/web Next.js app on the OVH VPS.
+# Coolify only auto-deploys the broker (it watches the gitea-vps mirror);
+# the web app needs an explicit poke. This workflow is the poke.
+#
+# The Coolify dashboard is bound to a Tailscale-only address
+# (100.122.34.28:8000), so the runner first joins the tailnet via
+# an OAuth-issued ephemeral node, then hits Coolify's deploy API.
+#
+# Path filter: redeploy on changes to the web app, the API package
+# (bundled into the web build), or any shared package the web app
+# transpiles. Anything else (broker-only, cli-only, docs) skips it.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "apps/web/**"
+      - "packages/api/**"
+      - "packages/db/**"
+      - "packages/auth/**"
+      - "packages/ui/**"
+      - "packages/i18n/**"
+      - "packages/shared/**"
+      - "packages/email/**"
+      - "packages/billing/**"
+      - "packages/storage/**"
+      - "packages/monitoring-web/**"
+      - "pnpm-lock.yaml"
+      - ".github/workflows/deploy-web.yml"
+  workflow_dispatch:
+
+# Coalesce rapid pushes — only one deploy in flight at a time, and
+# if a newer push lands while one is queued, the older one is
+# cancelled. Avoids the "5 commits, 5 deploys" stampede.
+concurrency:
+  group: deploy-web
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Connect to Tailscale
+        uses: tailscale/github-action@v3
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:ci
+
+      - name: Trigger Coolify deploy
+        env:
+          COOLIFY_TOKEN: ${{ secrets.COOLIFY_TOKEN }}
+          APP_UUID: p68x1e3k4xmrjmblca5ybe09
+        run: |
+          if [ -z "$COOLIFY_TOKEN" ]; then
+            echo "::error::COOLIFY_TOKEN secret is not set"
+            exit 1
+          fi
+          response=$(curl -sS -w "\n%{http_code}" -X GET \
+            "http://100.122.34.28:8000/api/v1/deploy?uuid=${APP_UUID}" \
+            -H "Authorization: Bearer ${COOLIFY_TOKEN}")
+          status=$(echo "$response" | tail -n1)
+          body=$(echo "$response" | sed '$d')
+          echo "HTTP $status"
+          echo "$body"
+          if [ "$status" != "200" ]; then
+            echo "::error::Coolify returned HTTP $status"
+            exit 1
+          fi

CLAUDE.md

@@ -20,11 +20,12 @@ Peer mesh for Claude Code sessions. Broker + CLI + MCP server.
 
 ## Deploy
 
-- **Broker:** `git push gitea-vps main` triggers Coolify auto-deploy. Manual: `curl -s -X GET "http://100.122.34.28:8000/api/v1/deploy?uuid=mcn8m74tbxfxbplmyb40b2ia" -H "Authorization: Bearer 3|K2vkSJzdUA69rj22CKZc5z0YB6pkY43GLEonti3UzcnqVJj6WhrqqYTAng6DzMUi"`. Pending migrations apply automatically on startup.
+- **Broker:** `git push gitea-vps main` triggers Coolify auto-deploy via the gitea webhook. Pending migrations apply automatically on startup.
+- **Web:** Coolify on the OVH VPS (`claudemesh.com` resolves to `135.125.191.245`, NOT Vercel — the `apps/web/Dockerfile` is what Coolify builds). Auto-deploys via `.github/workflows/deploy-web.yml` on push to `main` when paths under `apps/web/**` or `packages/{api,db,auth,ui,i18n,shared,email,billing,storage,monitoring-web}/**` change. The workflow joins the tailnet via Tailscale OAuth, then hits the Coolify API.
+- **Manual deploy** (if the workflow is broken or the path filter missed something) — Coolify dashboard at `http://100.122.34.28:8000` (Tailscale only). Token in `COOLIFY_TOKEN` repo secret. App UUIDs: broker `mcn8m74tbxfxbplmyb40b2ia`, web `p68x1e3k4xmrjmblca5ybe09`.
 - **CLI:**
-  - npm: `cd apps/cli && npm publish --tag alpha --access public --no-git-checks --ignore-scripts`
+  - npm: `cd apps/cli && npm publish --access public --no-git-checks --ignore-scripts`
   - Binaries: `git tag cli-v<version> && git push github cli-v<version>` — workflow builds 5 platforms.
-- **Web:** Coolify on the OVH VPS (`claudemesh.com` resolves to `135.125.191.245`, NOT Vercel — the `apps/web/Dockerfile` is what Coolify builds). Push to `gitea-vps` does NOT auto-deploy the web app the way it does the broker. Trigger manually: `curl -s -X GET "http://100.122.34.28:8000/api/v1/deploy?uuid=p68x1e3k4xmrjmblca5ybe09" -H "Authorization: Bearer 3|K2vkSJzdUA69rj22CKZc5z0YB6pkY43GLEonti3UzcnqVJj6WhrqqYTAng6DzMUi"`
 
 ## Dev