# Shared deploy libraries (ia_dev)

## `ssh.sh`

Canonical SSH/SCP helpers (`ssh_run`, `scp_copy`, `require_ssh_key`, `ssh_common_opts`) used across projects.  
**LeCoffre** : `deploy/scripts_v2/_lib/ssh.sh` sources `ia_dev/deploy/lib/ssh.sh` when the submodule path `ia_dev/deploy/lib/ssh.sh` exists from the repo root; otherwise it embeds the same implementation.

## `deploy-log.sh`

Optional `deploy_script_tee_log_if_requested <project_root> <log_subdir> [deploy_env]` — third arg `test` \| `pprod` \| `prod` sets the log filename `deploy_<env>_…` and a header line. Requires `info` from the project’s `colors.sh` (sourced before this file in `deploy.sh`). `DEPLOY_STARTED_AT` in the shell is echoed in the header when set.

## Policy

Project-specific logic (Prisma, systemd unit names, remote app layout, LeCoffre domains) stays under each repository’s `deploy/scripts_v2/`. Only transport/logging helpers live here.

## `deploy-methodology.sh`

Shared contract for all managed projects: allowed envs (`test` \| `pprod` \| `prod`), validation helpers. Sourced by **`deploy.sh`** and **`orchestrator.sh`**. Extend only with an explicit decision (new env = conf + doc migration).

**Boundary** : any step **strictly identical** for every project belongs here or in a sibling `deploy/lib/deploy-*.sh`. The project orchestrator under `repository_root` only sequences **project-specific** scripts (e.g. `_lib/deploy-phase-*.sh`).

Quality gates and longer sequences that are identical across projects should be added here or in peers — not in project repos.

## `deploy-conf-handling.sh`

Shared **conf.json** handling: `jq` requirement, `deploy.secrets_path` → `SECRETS_BASE` / `LECOFFRE_SECRETS_BASE`, exports **`IA_DEV_DEPLOY_REPO_ROOT`** and **`IA_DEV_DEPLOY_ENV`** (mandatory handoff: `ia_dev_deploy_assert_handoff_context` exits if unset or inconsistent — no fallback). Sourced by **`orchestrator.sh`**. Add new generic `deploy.*` reads here.

## Orchestration (`../orchestrator.sh`, `../deploy.sh`)

- **`deploy.sh`** : `./deploy/deploy.sh <project_id> <env> [args]` — applies methodology (env validation, banner), sets `IA_PROJECT_ID`, then **`exec orchestrator.sh`**.
- **`orchestrator.sh`** : exports secrets from conf, then **`exec`** the **project orchestrator** `repository_root` + `deploy.project_orchestrator_path` (relative path) with the same `"$@"`. **Legacy** : if `project_orchestrator_path` is missing, uses `deploy.hooks.phases` or `deploy.deploy_script_path`. **`run-project-hooks.sh`** execs `orchestrator.sh` for backward compatibility.

Project orchestrator = single script in the target repo that sequences project-specific steps (`deploy.sh` LeCoffre today, or a dedicated `orchestrate-project.sh` later).