From 2840fd7371144bc033c8da0a25876cf156e4943b Mon Sep 17 00:00:00 2001
From: defiQUG
Date: Mon, 11 May 2026 16:11:57 -0700
Subject: [PATCH] ci(gitea): skip Phoenix deploy on doc/report-only pushes; ignore ephemeral artifacts

Add paths-ignore on deploy-to-phoenix so pushes that only touch docs/, reports/, editor paths, AGENTS.md, or root screenshot/tarballs do not run validate+deploy. Manual workflow_dispatch still runs the full pipeline. Extend .gitignore for Playwright MCP, root verification screenshots/bundles, and common reports/status pipeline churn (locks, jsonl, ei-matrix/cw-multitoken blobs).
Co-authored-by: Cursor
---
 .gitea/workflow-sources/deploy-to-phoenix.yml | 24 ++++++++++++++++---
 .gitea/workflow-sources/validate-on-pr.yml | 6 +++--
 .gitea/workflows/deploy-to-phoenix.yml | 24 ++++++++++++++++---
 .gitea/workflows/validate-on-pr.yml | 6 +++--
 .gitignore | 19 +++++++++++++++
 5 files changed, 69 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflow-sources/deploy-to-phoenix.yml b/.gitea/workflow-sources/deploy-to-phoenix.yml
index 87c08469..59e136b9 100644
--- a/.gitea/workflow-sources/deploy-to-phoenix.yml
+++ b/.gitea/workflow-sources/deploy-to-phoenix.yml
@@ -1,10 +1,28 @@ # Canonical deploy workflow. Keep source and checked-in workflow copies byte-identical. # Validation checks both file sync and main/master parity. +# +# Push runs validate + Phoenix only when at least one changed path is outside paths-ignore. +# Doc/report/editor-only pushes skip CI deploy churn; use workflow_dispatch for a manual run. name: Deploy to Phoenix on: push: branches: [main, master] + paths-ignore: + # Narrative / audit text — does not change Phoenix-running code on the host + - 'docs/**' + - 'reports/**' + # Editor & local agent tooling + - '.cursor/**' + - '.cursorindexingignore' + - '.playwright-mcp/**' + # Repo guidance only (submodules + scripts drive deploy semantics) + - 'AGENTS.md' + # Typical local verification screenshots/bundles at repo root (regenerate at will) + - '/explorer-*.png' + - '/explorer-*.jpg' + - '/eip155-*.svg' + - '/*.tar.gz' workflow_dispatch: jobs: @@ -59,7 +77,7 @@ jobs: BRANCH="$(git rev-parse --abbrev-ref HEAD)" set +e curl -sSf --retry 3 --retry-connrefused --retry-delay 10 --retry-max-time 180 \ - --connect-timeout 10 --max-time 120 \ + --connect-timeout 10 --max-time 3600 \ -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \ -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \ -H "Content-Type: application/json" \ @@ -92,7 +110,7 @@ jobs: SHA="$(git rev-parse HEAD)" BRANCH="$(git rev-parse --abbrev-ref HEAD)" curl -sSf \ - --connect-timeout 10 --max-time 900 \ + --connect-timeout 10 --max-time 3600 \ -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \ -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \ -H "Content-Type: application/json" \ 
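Review bot: The four root-anchored entries at the end of the new paths-ignore list (`/explorer-*.png`, `/explorer-*.jpg`, `/eip155-*.svg`, `/*.tar.gz`) carry a leading slash, which is .gitignore anchoring rather than workflow path-filter syntax; changed-file paths are repository-relative with no leading `/`, so unless Gitea's filter explicitly treats the slash as a root anchor these four never match and a push touching only such files still runs validate+deploy (fail-open, but not what the new header comment promises). In this filter syntax `*` does not cross `/`, so `- 'explorer-*.png'`, `- 'explorer-*.jpg'`, `- 'eip155-*.svg'` and `- '*.tar.gz'` already match only at the repository root and are the portable form. The header comment should also say what happens when the changed-file set cannot be computed (first push of a branch, force-push past the old tip); the safe direction is to run the deploy, and that is worth confirming against the Gitea version in use. The identical hunk in .gitea/workflows/deploy-to-phoenix.yml needs the same change, given the byte-identical requirement stated in the file header.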
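Review bot: Raising `--max-time` to 3600 in the hunk at old line 59 leaves `--retry-max-time 180` on the same curl invocation, so the retry window is now shorter than a single attempt: an attempt that runs past 180 s and then fails is never retried, and `--retry 3` only covers failures that happen within the first 180 s (connection refusal, a quick 5xx, an early timeout). If that is the intent — let the endpoint hold the connection for the whole deploy and never re-POST a trigger the host may already be acting on — say so on a shell comment line above the curl, e.g. `# retry window (180 s) only covers early connect/5xx failures; a deploy that has started is never re-POSTed`, because as written the two timeouts read as an oversight. If retries after a long failed attempt are wanted instead, `--retry-max-time` must exceed `--max-time`, keeping in mind that re-sending a deploy POST is not idempotent. The hunk at old line 117 has the same shape (`--retry-max-time 300` against the new `--max-time 900`, with `--retry-all-errors` widening what is retried inside the window), both hunks are repeated in .gitea/workflows/deploy-to-phoenix.yml, and the enclosing run: steps start and end outside these hunks.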
@@ -117,7 +135,7 @@ jobs:
 SHA="$(git rev-parse HEAD)"
 BRANCH="$(git rev-parse --abbrev-ref HEAD)"
 curl -sSf --retry 5 --retry-all-errors --retry-connrefused --retry-delay 10 --retry-max-time 300 \
- --connect-timeout 10 --max-time 120 \
+ --connect-timeout 10 --max-time 900 \
 -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
 -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
 -H "Content-Type: application/json" \
diff --git a/.gitea/workflow-sources/validate-on-pr.yml b/.gitea/workflow-sources/validate-on-pr.yml
index f39ce184..861ab9ab 100644
--- a/.gitea/workflow-sources/validate-on-pr.yml
+++ b/.gitea/workflow-sources/validate-on-pr.yml
@@ -1,7 +1,7 @@
 # Canonical PR validation workflow. Keep source and checked-in workflow copies byte-identical.
 # Validation checks both file sync and main/master parity.
-# PR-only: push validation already runs in deploy-to-phoenix.yml; this gives PRs the same
-# no-LAN checks without the deploy job (and without deploy secrets).
+# PR-only: merges to main/master run deploy-to-phoenix only when push touches deploy-relevant
+# paths (see paths-ignore there); this workflow always validates PRs without Phoenix deploy.
 name: Validate (PR)
 on:
 pull_request:
@@ -27,6 +27,8 @@ jobs:
 pnpm install --frozen-lockfile
 # Optional: set org/repo variable URA_STRICT_CLOSURE=1 to fail PRs while pilot placeholders
 # remain in manifest (see scripts/ura/validate-manifest-closure.mjs). Not enabled by default.
+ # Optional: set org/repo vars ETHEREUM_MAINNET_RPC + RPC_URL_138 and EI_MATRIX_ONCHAIN_AUDIT_CI=1 to run
+ # scripts/lib/ei_matrix_onchain_readiness_audit.py via run-all-validation (see OPERATOR_READY_CHECKLIST §5e).
 - name: run-all-validation (no LAN, no genesis)
 env:
 URA_STRICT_CLOSURE: ${{ vars.URA_STRICT_CLOSURE }}
diff --git a/.gitea/workflows/deploy-to-phoenix.yml b/.gitea/workflows/deploy-to-phoenix.yml
index 87c08469..59e136b9 100644
--- a/.gitea/workflows/deploy-to-phoenix.yml
+++ b/.gitea/workflows/deploy-to-phoenix.yml
@@ -1,10 +1,28 @@ # Canonical deploy workflow. Keep source and checked-in workflow copies byte-identical. # Validation checks both file sync and main/master parity. +# +# Push runs validate + Phoenix only when at least one changed path is outside paths-ignore. +# Doc/report/editor-only pushes skip CI deploy churn; use workflow_dispatch for a manual run. name: Deploy to Phoenix on: push: branches: [main, master] + paths-ignore: + # Narrative / audit text — does not change Phoenix-running code on the host + - 'docs/**' + - 'reports/**' + # Editor & local agent tooling + - '.cursor/**' + - '.cursorindexingignore' + - '.playwright-mcp/**' + # Repo guidance only (submodules + scripts drive deploy semantics) + - 'AGENTS.md' + # Typical local verification screenshots/bundles at repo root (regenerate at will) + - '/explorer-*.png' + - '/explorer-*.jpg' + - '/eip155-*.svg' + - '/*.tar.gz' workflow_dispatch: jobs: @@ -59,7 +77,7 @@ jobs: BRANCH="$(git rev-parse --abbrev-ref HEAD)" set +e curl -sSf --retry 3 --retry-connrefused --retry-delay 10 --retry-max-time 180 \ - --connect-timeout 10 --max-time 120 \ + --connect-timeout 10 --max-time 3600 \ -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \ -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \ -H "Content-Type: application/json" \ @@ -92,7 +110,7 @@ jobs: SHA="$(git rev-parse HEAD)" BRANCH="$(git rev-parse --abbrev-ref HEAD)" curl -sSf \ - --connect-timeout 10 --max-time 900 \ + --connect-timeout 10 --max-time 3600 \ -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \ -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \ -H "Content-Type: application/json" \ 
@@ -117,7 +135,7 @@ jobs:
 SHA="$(git rev-parse HEAD)"
 BRANCH="$(git rev-parse --abbrev-ref HEAD)"
 curl -sSf --retry 5 --retry-all-errors --retry-connrefused --retry-delay 10 --retry-max-time 300 \
- --connect-timeout 10 --max-time 120 \
+ --connect-timeout 10 --max-time 900 \
 -X POST "${{ secrets.PHOENIX_DEPLOY_URL }}" \
 -H "Authorization: Bearer ${{ secrets.PHOENIX_DEPLOY_TOKEN }}" \
 -H "Content-Type: application/json" \
diff --git a/.gitea/workflows/validate-on-pr.yml b/.gitea/workflows/validate-on-pr.yml
index f39ce184..861ab9ab 100644
--- a/.gitea/workflows/validate-on-pr.yml
+++ b/.gitea/workflows/validate-on-pr.yml
@@ -1,7 +1,7 @@
 # Canonical PR validation workflow. Keep source and checked-in workflow copies byte-identical.
 # Validation checks both file sync and main/master parity.
-# PR-only: push validation already runs in deploy-to-phoenix.yml; this gives PRs the same
-# no-LAN checks without the deploy job (and without deploy secrets).
+# PR-only: merges to main/master run deploy-to-phoenix only when push touches deploy-relevant
+# paths (see paths-ignore there); this workflow always validates PRs without Phoenix deploy.
 name: Validate (PR)
 on:
 pull_request:
@@ -27,6 +27,8 @@ jobs:
 pnpm install --frozen-lockfile
 # Optional: set org/repo variable URA_STRICT_CLOSURE=1 to fail PRs while pilot placeholders
 # remain in manifest (see scripts/ura/validate-manifest-closure.mjs). Not enabled by default.
+ # Optional: set org/repo vars ETHEREUM_MAINNET_RPC + RPC_URL_138 and EI_MATRIX_ONCHAIN_AUDIT_CI=1 to run
+ # scripts/lib/ei_matrix_onchain_readiness_audit.py via run-all-validation (see OPERATOR_READY_CHECKLIST §5e).
 - name: run-all-validation (no LAN, no genesis)
 env:
 URA_STRICT_CLOSURE: ${{ vars.URA_STRICT_CLOSURE }}
diff --git a/.gitignore b/.gitignore
index 82d094ef..86fb4acc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -162,3 +162,22 @@ vendor/ # Operator-local secrets (SSH keys, tokens — never commit) .secrets/ + +# --- Ephemeral local outputs (avoid accidental commits that re-trigger Phoenix via push) --- +# Playwright MCP session data (Cursor) +.playwright-mcp/ + +# Root-level verification screenshots / bundles (use reports/status with git add -f if retaining) +/explorer-*.png +/explorer-*.jpg +/eip155-*.svg +/*.tar.gz + +# Operator pipeline chunks, locks, and screenshot dumps under reports/status (force-add to retain) +reports/status/**/*.lock +reports/status/**/*.idx +reports/status/**/*.hex +reports/status/**/*.jsonl +reports/status/ei-matrix-* +reports/status/cw-multitoken-l2-remediation-*.jsonl +reports/status/screenshots/