RECTOR-LABS
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 15 additions & 8 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 15 additions & 8 deletions
diff --git a/‎.github/workflows/claude.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/claude.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 45 additions & 91 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 45 additions & 91 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 58 additions & 21 deletions b/‎CLAUDE.md‎
Lines changed: 58 additions & 21 deletions
@@ -11,15 +11,22 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
 
       - name: Scan for common Rails security vulnerabilities using static analysis
-        run: bin/brakeman --no-pager
+        run: |
+          EXIT_CODE=0
+          bin/brakeman --no-pager || EXIT_CODE=$?
+          if [ "$EXIT_CODE" -eq 5 ]; then
+            echo "::warning::Brakeman is not the latest version"
+            exit 0
+          fi
+          exit $EXIT_CODE
       
       - name: Scan for known security vulnerabilities in gems used
         run: bin/bundler-audit
@@ -29,7 +36,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
@@ -45,15 +52,15 @@ jobs:
       RUBOCOP_CACHE_ROOT: tmp/rubocop
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
 
       - name: Prepare RuboCop cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         env:
           DEPENDENCIES_HASH: ${{ hashFiles('.ruby-version', '**/.rubocop.yml', '**/.rubocop_todo.yml', 'Gemfile.lock') }}
         with:
@@ -89,7 +96,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install --no-install-recommends -y libpq-dev
 
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
@@ -128,7 +135,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install --no-install-recommends -y libpq-dev
 
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
@@ -144,7 +151,7 @@ jobs:
         run: bin/rails db:test:prepare test:system
 
       - name: Keep screenshots from failed system tests
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         if: failure()
         with:
           name: screenshots
 
@@ -26,7 +26,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 1
 
 
@@ -4,115 +4,69 @@ on:
   push:
     branches:
       - main
-  workflow_dispatch: # Allow manual trigger
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
 
 jobs:
   deploy:
-    name: Deploy to VPS
+    name: Build and Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
         with:
-          ruby-version: '3.3'
-          bundler-cache: true
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install SSH key
-        uses: shimataro/ssh-key-action@v2
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
         with:
-          key: ${{ secrets.VPS_SSH_KEY }}
-          known_hosts: unnecessary
-          if_key_exists: replace
+          images: ${{ env.REGISTRY }}/${{ github.repository }}
+          tags: |
+            type=raw,value=latest
+            type=sha
 
-      - name: Add VPS to known hosts
-        run: ssh-keyscan -H ${{ secrets.VPS_HOST }} >> ~/.ssh/known_hosts
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       - name: Deploy to VPS
-        env:
-          VPS_HOST: ${{ secrets.VPS_HOST }}
-          VPS_USER: ${{ secrets.VPS_USER }}
-        run: |
-          ssh $VPS_USER@$VPS_HOST << 'ENDSSH'
-            set -e
-
-            echo "🚀 Starting deployment..."
-
-            cd /home/core/apps/core
-
-            # Initialize rbenv (add shims to PATH for bundle/rails commands)
-            export PATH="/home/core/.rbenv/shims:/home/core/.rbenv/bin:$PATH"
-            eval "$(/home/core/.rbenv/bin/rbenv init - bash)"
-
-            # Pull latest changes
-            echo "📥 Pulling latest code from main..."
-            git fetch origin
-            git reset --hard origin/main
-
-            # Generate REVISION file with commit SHA, branch, and commit count
-            echo "📝 Generating REVISION file..."
-            COMMIT_SHA=$(git rev-parse HEAD)
-            BRANCH=$(git rev-parse --abbrev-ref HEAD)
-            COMMIT_COUNT=$(git rev-list --count HEAD)
-            echo "${COMMIT_SHA}|${BRANCH}|${COMMIT_COUNT}" > REVISION
-            echo "✅ REVISION: ${BRANCH}@${COMMIT_SHA:0:7} (${COMMIT_COUNT} commits)"
-
-            # Install dependencies
-            echo "📦 Installing dependencies..."
-            bundle install --deployment --without development test
-
-            # Load environment variables
-            export $(cat .env | grep -v '^#' | xargs)
-
-            # Precompile assets
-            echo "🎨 Precompiling assets..."
-            RAILS_ENV=production bundle exec rails assets:precompile
-
-            # Run database migrations
-            echo "🗄️  Running database migrations..."
-            RAILS_ENV=production bundle exec rails db:migrate
-
-            # Restart services (zero-downtime)
-            echo "🔄 Restarting Puma (zero-downtime)..."
-            sudo systemctl reload core-puma
-
-            echo "🔄 Restarting Solid Queue..."
-            sudo systemctl restart core-solidqueue
-
-            # Verify deployment
-            echo "✅ Deployment complete!"
-            echo "📊 App status:"
-            sudo systemctl status core-puma --no-pager -l
-
-          ENDSSH
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_USER }}
+          key: ${{ secrets.VPS_SSH_KEY }}
+          script: |
+            cd ${{ secrets.VPS_APP_PATH }}
+            docker compose pull
+            docker compose up -d
+            docker image prune -f
 
       - name: Verify deployment
-        env:
-          VPS_HOST: ${{ secrets.VPS_HOST }}
-          VPS_USER: ${{ secrets.VPS_USER }}
         run: |
-          # Wait for app to be ready
-          sleep 5
-
-          # Check if site is responding
+          sleep 10
           if curl -f -s -o /dev/null https://rectorspace.com/up; then
-            echo "✅ Production site is healthy!"
+            echo "Production site is healthy!"
           else
-            echo "❌ Production site health check failed!"
+            echo "Production site health check failed!"
             exit 1
           fi
-
-      - name: Notify deployment success
-        if: success()
-        run: |
-          echo "✅ Deployment successful!"
-          echo "🌐 Visit: https://rectorspace.com"
-
-      - name: Notify deployment failure
-        if: failure()
-        run: |
-          echo "❌ Deployment failed!"
-          echo "Check logs: https://github.com/${{ github.repository }}/actions"
@@ -12,16 +12,30 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ---
 
-## RECTOR's Achievements (2024-2025)
+## RECTOR's Achievements (YAML-Driven)
 
-**Total Earnings:** ~$10,800 USDC + Gen3 Monke NFT
+**Source of Truth:** `config/achievements.yml`
 
-| # | Project | Type | Place | Prize | Event |
-|---|---------|------|-------|-------|-------|
-| 1 | **Web3 Deal Discovery** | Hackathon | 🥇 1st | $5,000 + NFT | MonkeDAO Cypherpunk (Superteam Earn, Dec 2025) |
-| 2 | **SIP Protocol** | Hackathon | 🏆 Winner | $4,000 | Zypherpunk NEAR Track |
-| 3 | **OpenBudget.ID** | Hackathon | 🥈 2nd | $1,500 | Garuda Spark (Superteam Indonesia, Oct 2025) |
-| 4 | **Saros SDK Docs** | Bounty | 🥇 1st | $300 | Saros SDK Guide Challenge (Dec 2024) |
+Achievements are managed via a YAML file. Homepage, meta tags, and totals auto-calculate.
+
+**To add a new achievement:**
+1. Edit `config/achievements.yml`
+2. Add entry at the top (newest first)
+3. Deploy - everything auto-updates
+
+**Auto-calculated fields:**
+- `Achievement.total_earnings` → sum of all prize amounts
+- `Achievement.win_count` → total count
+- `Achievement.year_range` → "2024-2026" from dates
+- `Achievement.winner_projects` → hash for project badges
+
+**Architecture:**
+```
+config/achievements.yml          # Single source of truth
+app/models/achievement.rb        # PORO - loads YAML, queries, calculates
+app/helpers/achievements_helper.rb  # Formatting helpers
+app/views/pages/_achievement_card.html.erb  # Reusable card partial
+```
 
 **Project Details:**
 
@@ -45,6 +59,12 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
    - Interactive API Explorer, 15+ tutorials, production examples
    - Live: https://saros-docs.rectorspace.com
 
+5. **pNode Pulse** (`RECTOR-LABS/pnode-pulse`)
+   - Real-time analytics for Xandeum's decentralized pNode storage network
+   - TimescaleDB time-series, health scoring, 200+ nodes tracked
+   - Stack: Next.js 14 + TypeScript + tRPC + TimescaleDB + Redis
+   - Live: https://pulse.rectorspace.com
+
 ---
 
 ## The 7-Section Architecture
@@ -79,6 +99,7 @@ core/
 │   │   ├── pages_controller.rb       # Homepage (✅ implemented)
 │   │   └── works_controller.rb       # Work section (✅ implemented)
 │   ├── models/
+│   │   ├── achievement.rb            # PORO for YAML achievements (✅ implemented)
 │   │   ├── github_repo.rb            # GitHub repository cache (✅ implemented)
 │   │   └── work.rb                   # Work/project stories (✅ implemented)
 │   ├── views/
@@ -88,13 +109,15 @@ core/
 │   │       ├── index.html.erb        # Work listing (✅ implemented)
 │   │       └── show.html.erb         # Story page with custom CSS (✅ implemented)
 │   ├── helpers/
+│   │   ├── achievements_helper.rb    # Achievement summary formatting (✅ implemented)
 │   │   └── works_helper.rb           # Markdown rendering (✅ implemented)
 │   ├── jobs/
 │   │   └── sync_github_repos_job.rb  # Hourly GitHub sync (✅ implemented)
 │   └── services/
 │       ├── github_api_service.rb     # GitHub API client (✅ implemented)
 │       └── tech_stack_parser.rb      # Language parser (✅ implemented)
 ├── config/
+│   ├── achievements.yml              # Single source of truth for achievements (✅ implemented)
 │   ├── routes.rb                     # Routes for /, /work (✅ configured)
 │   └── recurring.yml                 # Solid Queue job schedule
 ├── db/
@@ -192,22 +215,36 @@ bin/rails server
 
 ---
 
-## Deployment Strategy
+## Deployment
 
-**VPS Deployment:**
-- Single Rails app deployment (Nginx + Puma/Passenger)
-- 1 user account per deployment environment (staging/production)
-- PostgreSQL database
-- Let's Encrypt SSL for rectorspace.com
-- GitHub Actions CI/CD
-- SSH via `~/.ssh/config`
+**Architecture:** Docker on shared VPS (reclabs3, 151.245.137.75)
 
-**Environment Variables:**
-- Ghost CMS API credentials
-- Database connection strings
-- External API keys (GitHub API, Quran API)
+```
+GitHub push → Actions build → GHCR image → SSH → docker compose pull → up -d → image prune -f
+```
+
+**Containers** (docker-compose.yml):
+| Service | Image | Port |
+|---------|-------|------|
+| postgres | postgres:16 | 127.0.0.1:5435:5432 |
+| web | ghcr.io/rector-labs/core:latest | 8000:80 |
+| solidqueue | ghcr.io/rector-labs/core:latest | — |
+
+- Puma runs behind Thruster (port 80 inside container)
+- nginx reverse proxies `rectorspace.com` → `127.0.0.1:8000`
+- `db:prepare` runs automatically on container start (entrypoint)
+- Solid Queue runs as a separate container (`bundle exec rake solid_queue:start`)
+
+**VPS User:** `core` (SSH alias: `core`)
+
+**GitHub Secrets:** `VPS_HOST`, `VPS_USER`, `VPS_SSH_KEY`, `VPS_APP_PATH`
+
+**Environment Variables** (VPS `~/core/.env`):
+- `SECRET_KEY_BASE` — Rails secret
+- `CORE_DATABASE_PASSWORD` — PostgreSQL password
+- `GITHUB_TOKEN` — GitHub API access for repo sync
 
-**Security:** Never commit `.env`, use Rails credentials (encrypted)
+**Security:** Never commit `.env`. DB port bound to localhost only.
 
 ---