Build password-gated pre-prod deployment at lircap.pendragon.bot

[iainherd]

Goal

Deploy the pre-prod site at lircap.pendragon.bot with a password-only gate before any public navigation.

Source artefacts

• User requirement in project kickoff
• Lir_Website_PRD_v0.1-2.md §9

Acceptance criteria

• Deployment target is the app VPS for lircap.pendragon.bot; do not deploy this pre-prod app to the backoffice host.
• DNS/reverse proxy routes lircap.pendragon.bot to the static build.
• Whole site is protected before route handling, preferably at the reverse proxy edge.
• Unauthenticated request receives an auth challenge / gate.
• Authenticated request reaches the site.
• Password/secret is not committed to repo or printed in logs.
• Deployment and credential rotation steps are documented.

[iainherd]

Agent allocation

Primary profile: agent:devops-deployer
Required reviewer profiles: agent:code-security-reviewer, agent:browser-qa-reviewer, agent:orchestrator

Reason: Allocation reviewed after independent subagent analysis; profile set reflects primary ownership and required verification gates.

Orchestration rules:

• Morwenna/orchestrator retains final repo, PR, deployment, and closeout verification.
• Use fresh bounded subagents for implementation/review slices; do not ask child agents to ingest the full artefact set unless their issue explicitly requires it.
• Spec/brief/content/design compliance review happens before code-quality/security review.
• Subagent reports are evidence, not proof: parent must inspect diff/status and rerun relevant checks before closure.
• Spawn the named Hermes profile only for long-running independent work; otherwise use delegate_task with a self-contained, profile-specific prompt.

[iainherd]

Pre-prod security workflow reference

Issue #4 must follow #24 once landed:

• docs/deploy/preprod-runbook.md

Closeout requires:

• edge/reverse-proxy password gate before all routes;
• unauthenticated 401 evidence;
• authenticated page-load evidence;
• security-header evidence;
• browser QA evidence;
• confirmation that no password/hash/secrets were committed or printed;
• rollback path.

[iainherd]

Client review/change-control reference

Use #26 once landed:

• docs/workflow/client-review-loop.md

Client links/review rounds must be packaged with URL, password instructions without printing the password, change summary, known limitations, and feedback format. Accepted feedback should become GitHub issues/comments rather than ad-hoc edits.