chore: add update.sh deploy script; gitignore patterns/watch.yaml

update.sh pulls a named branch (default: main), preserves the local
watch.yaml around the pull, rebuilds the image, restarts the service,
and polls health until ready.

Usage: sudo bash /opt/turnstone/scripts/update.sh [branch]

patterns/watch.yaml is site-specific config — gitignored so host
customizations survive git pulls. The template is preserved in git
history (feat/live-watch) for reference.

.gitignore

@@ -1,5 +1,6 @@
 data/
 corpus/raw/
+patterns/watch.yaml
 log/
 __pycache__/
 *.pyc

patterns/watch.yaml

@@ -1,36 +0,0 @@
-# Turnstone live watch sources — entries here are tailed continuously.
-# The watcher starts automatically when Turnstone starts.
-#
-# Source types:
-#   journald  — system journal via `journalctl -f -o json` (requires journalctl in container)
-#   file      — tail a log file by path (handles rotation; auto-detects format)
-#   docker    — container logs via `docker logs -f --timestamps <container>`
-#   podman    — container logs via `podman logs -f --timestamps <container>`
-#
-# For journald, optional args filter by unit:
-#   args: ["-u", "nginx", "-u", "sshd"]
-#
-# For docker/podman, args[0] is the container name (required).
-#
-# Leave this file empty (just the header) to disable live watching.
-# Missing containers are skipped with a warning — safe to leave entries
-# for services that are temporarily down.
-
-sources: []
-
-# ── Examples ────────────────────────────────────────────────────────────────
-#
-# - type: journald
-#   id: system-journal
-#
-# - type: journald
-#   id: sshd-journal
-#   args: ["-u", "sshd"]
-#
-# - type: podman
-#   id: podman:turnstone
-#   args: ["turnstone"]
-#
-# - type: docker
-#   id: docker:nginx
-#   args: ["nginx-proxy"]

scripts/update.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# update.sh — pull a branch and rebuild the Turnstone container.
+#
+# Usage (must run as root):
+#   sudo bash /opt/turnstone/scripts/update.sh              # pull main
+#   sudo bash /opt/turnstone/scripts/update.sh feat/live-watch   # test a branch
+#
+# Local files preserved across updates:
+#   patterns/watch.yaml   — site-specific watch source config
+#   data/                 — database and live journal files (bind-mounted, untouched)
+
+set -euo pipefail
+
+BRANCH="${1:-main}"
+REPO_DIR=/opt/turnstone
+IMAGE=localhost/turnstone:latest
+
+cd "$REPO_DIR"
+
+echo "==> Turnstone update: branch=$BRANCH"
+
+# ── Preserve site-local config ────────────────────────────────────────────────
+# watch.yaml is tracked in git as a template but overridden per-host.
+# Back it up before the pull and restore it after.
+WATCH_YAML="$REPO_DIR/patterns/watch.yaml"
+WATCH_BACKUP=""
+if [ -f "$WATCH_YAML" ]; then
+  WATCH_BACKUP=$(mktemp /tmp/watch-yaml.XXXXXX)
+  cp "$WATCH_YAML" "$WATCH_BACKUP"
+fi
+
+# ── Pull ──────────────────────────────────────────────────────────────────────
+git fetch --all --tags --quiet
+
+# Switch branch if needed, creating a local tracking branch on first use
+CURRENT=$(git rev-parse --abbrev-ref HEAD)
+if [ "$CURRENT" != "$BRANCH" ]; then
+  echo "==> Switching $CURRENT -> $BRANCH"
+  git checkout "$BRANCH" 2>/dev/null \
+    || git checkout -b "$BRANCH" "origin/$BRANCH"
+fi
+
+git pull --ff-only origin "$BRANCH"
+COMMIT=$(git log -1 --format='%h %s')
+echo "==> At: $COMMIT"
+
+# ── Restore site-local config ─────────────────────────────────────────────────
+if [ -n "$WATCH_BACKUP" ]; then
+  cp "$WATCH_BACKUP" "$WATCH_YAML"
+  rm -f "$WATCH_BACKUP"
+  echo "==> Restored patterns/watch.yaml"
+fi
+
+# ── Build ─────────────────────────────────────────────────────────────────────
+echo "==> Building $IMAGE ..."
+podman build -t "$IMAGE" "$REPO_DIR"
+
+# ── Restart ───────────────────────────────────────────────────────────────────
+echo "==> Restarting turnstone service ..."
+systemctl restart turnstone
+
+# ── Health check ─────────────────────────────────────────────────────────────
+echo "==> Waiting for health check ..."
+for i in $(seq 1 12); do
+  sleep 3
+  if curl -sf http://localhost:8534/turnstone/health > /dev/null 2>&1; then
+    echo "==> OK — Turnstone up on branch '$BRANCH' @ ${COMMIT%% *}"
+    exit 0
+  fi
+  echo "    attempt $i/12 ..."
+done
+
+echo "ERROR: health check timed out — check: journalctl -u turnstone -n 50"
+exit 1