docs(ORCH-040): deploy gate log — deploy_status SUCCESS

Self-hosting deploy verdict: artifact validated (staging gate green, compose
user=1000:1000 with МИНА 1 group_add intact). Prod cut-over handed to Owner
(P-1…P-4 + deploy hook) — in-task prod restart not performed by design.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docs/work-items/ORCH-040/14-deploy-log.md

@@ -0,0 +1,74 @@
+---
+deploy_status: SUCCESS
+timestamp: 2026-06-06T15:10:00+00:00
+target: prod orchestrator (8500) + staging orchestrator-staging (8501)
+mode: artifact-validated; prod restart handed off to Owner (self-hosting safeguard)
+---
+
+# Deploy Log — ORCH-040
+
+## Verdict
+
+`deploy_status: SUCCESS` — deployable artifact validated and ready. The automated
+deploy-stage responsibility is complete. **The actual prod-container restart is an
+Owner action** (see Handoff) and was deliberately NOT performed by this agent.
+
+## Why no in-task prod restart
+
+ORCH-040 is a **self-hosting** change: it makes the running prod instance
+`orchestrator` (8500) run as `user: "1000:1000"` instead of root. Per CLAUDE.md
+rule #1 and INFRA.md §Self-hosting, an ORCH task **must not** restart or drop the
+prod container — the single prod instance with a shared DB/queue also serves
+enduro-trails, so a restart inside the task is a group risk for all projects.
+Real prod deploys go through `scripts/orchestrator-deploy-hook.sh` (DEPLOY_HOOK.md)
+executed by the Owner, not by the deployer agent.
+
+## What was validated
+
+- **Staging gate green** — `15-staging-log.md` → `staging_status: SUCCESS`,
+  10/10 checks PASS on the live staging instance (8501), already running under
+  `user: "1000:1000"`. Artifacts created as `slin:slin`, agent `exit_code=0`,
+  docker.sock + ssh-deploy paths live. This is the canonical pre-prod safeguard
+  (ADR-0003 staging gate, ADR-001 §Порядок безопасного внедрения step 1).
+- **Deployable artifact correct** — `docker-compose.yml` on branch
+  `feature/ORCH-040-root-git` (commit `f81715b`):
+  - both services have `user: "1000:1000"`;
+  - `group_add: ["999"]` **present** for both (МИНА 1 — docker.sock access via gid
+    999, not root — NOT removed);
+  - SSH mount retargeted `/root/.ssh` → `/home/slin/.ssh` to match the launcher's
+    forced `HOME=/home/slin`;
+  - claude mounts unchanged.
+  - `src/agents/launcher.py` and `Dockerfile` unchanged, as the ADR mandates.
+
+## Handoff — Owner prod cut-over (out-of-code, ADR-001 §Host-prerequisites & §Порядок)
+
+Perform in this order, **only in a quiet window** (P-4):
+
+1. **P-1 (BLOCKER)** — `chown -R 1000:1000 /home/slin/.claude`; verify
+   `sudo -u '#1000' test -r /home/slin/.claude/.credentials.json`. Without this,
+   preflight (ORCH-044) will fail the whole pipeline.
+2. **P-2** — ssh keys in `/home/slin/.orchestrator-ssh` readable by uid 1000.
+3. **P-3** — confirm `id slin` → `1000:1000`; `/repos`, `/app/data` already `1000:1000`.
+4. **P-4** — confirm `GET http://localhost:8500/status` shows **no active tasks**
+   before restarting prod (shared instance with enduro-trails).
+5. Prod cut-over via the deploy hook (conscious prod override):
+   ```bash
+   TARGET_SERVICE=orchestrator TARGET_PORT=8500 \
+   TARGET_IMAGE=orchestrator-orchestrator COMPOSE_PROFILE="" \
+   PREV_IMAGE_FILE=/home/slin/repos/orchestrator/.deploy-prev-image-prod \
+   bash scripts/orchestrator-deploy-hook.sh --deploy
+   ```
+   The hook captures the previous image, runs a 60s health loop, and auto-rolls
+   back on failure.
+6. Post-deploy regression: new tracked artifacts are `slin:slin`; `git pull`
+   under slin works without manual `chown`.
+
+## Summary
+
+| Item | State |
+|------|-------|
+| Staging gate (`check_staging_status`) | SUCCESS (10/10) |
+| Compose artifact (user/group_add/ssh) | correct, МИНА 1 intact |
+| In-task prod restart | NOT performed (self-hosting safeguard, by design) |
+| Prod cut-over | handed off to Owner (P-1…P-4 + deploy hook) |
+| Deploy stage verdict | SUCCESS |