From b6a7e7b4b89a2c6c1804705ccfd9a2e8d24a38e6 Mon Sep 17 00:00:00 2001
From: kang <wankang2050@gmail.com>
Date: Wed, 27 May 2026 22:14:19 +0800
Subject: [PATCH] chore: harden production deploy scripts

---
 scripts/deploy-prod-safe.sh   | 11 +++++++++++
 scripts/verify-prod-docker.sh | 27 +++++++++++++++++++++------
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/scripts/deploy-prod-safe.sh b/scripts/deploy-prod-safe.sh
index 6207646..04bbd66 100755
--- a/scripts/deploy-prod-safe.sh
+++ b/scripts/deploy-prod-safe.sh
@@ -50,11 +50,20 @@ rsync -az --delete \
   --filter='P /api/.env.production' \
   --exclude='/.git/' \
   --exclude='/.memory/' \
+  --exclude='/.backups/' \
   --exclude='/.logs/' \
   --exclude='/.pids/' \
+  --exclude='/.playwright-mcp/' \
+  --exclude='/.DS_Store' \
+  --exclude='*.log' \
+  --exclude='__pycache__/' \
+  --exclude='*.pyc' \
   --exclude='/data/' \
+  --exclude='/data-local/' \
   --exclude='/jobs/' \
+  --exclude='/output/' \
   --exclude='/secrets/' \
+  --exclude='/api/.venv/' \
   --exclude='/api/jobs/' \
   --exclude='/api/.env' \
   --exclude='/api/.env.local' \
@@ -63,6 +72,8 @@ rsync -az --delete \
   --exclude='/web/node_modules/' \
   --exclude='/web/.next/' \
   --exclude='/web/out/' \
+  --exclude='/web/canvas-app/node_modules/' \
+  --exclude='/web/canvas-app/dist/' \
   --exclude='/node_modules/' \
   --exclude='内部分享-口播脚本.md' \
   ./ "$HOST:$APP_DIR/"
diff --git a/scripts/verify-prod-docker.sh b/scripts/verify-prod-docker.sh
index 0df93c9..f9e0795 100755
--- a/scripts/verify-prod-docker.sh
+++ b/scripts/verify-prod-docker.sh
@@ -13,12 +13,27 @@ ssh "$HOST" "cd '$APP_DIR' && \
       echo \"ERROR: local API/dev URL leaked into web static bundle\" >&2
       exit 1
     fi
-    for p in / /login/ /_next/does-not-exist.js /api/health; do
-      code=\$(curl -sS -o /tmp/skg-smoke.out -w \"%{http_code}\" \"http://127.0.0.1\$p\")
-      case \"\$p:\$code\" in
-        /:302|/login/:200|/_next/does-not-exist.js:404|/api/health:401) echo \"web:\$p \$code\" ;;
-        *) echo \"ERROR: unexpected web route status \$p \$code\" >&2; head -c 200 /tmp/skg-smoke.out >&2; exit 1 ;;
-      esac
+    check_route() {
+      p=\"\$1\"
+      expected=\"\$2\"
+      attempts=\"\${3:-30}\"
+      i=1
+      while [ \"\$i\" -le \"\$attempts\" ]; do
+        code=\$(curl -sS -o /tmp/skg-smoke.out -w \"%{http_code}\" \"http://127.0.0.1\$p\" || echo 000)
+        if [ \"\$code\" = \"\$expected\" ]; then
+          echo \"web:\$p \$code\"
+          return 0
+        fi
+        sleep 1
+        i=\$((i + 1))
+      done
+      echo \"ERROR: unexpected web route status \$p \$code\" >&2
+      head -c 200 /tmp/skg-smoke.out >&2 || true
+      exit 1
+    }
+    for route in \"/ 302\" \"/login/ 200\" \"/_next/does-not-exist.js 404\" \"/api/health 401\"; do
+      set -- \$route
+      check_route \"\$1\" \"\$2\"
     done
   ' && \
   docker exec skg-marketing-api sh -lc '