# Live Source Deployment SOP

Purpose: safely manage projects where live production is the current source of truth.

## Principle

Nick confirmed on 2026-05-25 HST / 2026-05-26 UTC that live production sites should be treated as the current source of truth. Local/iCloud/GitHub source should be derived from live first, then filtered before committing.

## What To Extract

Safe candidates:

- custom themes
- child themes
- custom plugins
- MU plugins after secret review
- static site source files
- project-specific scripts
- non-secret configuration templates

Do not extract into Git:

- WordPress uploads
- databases
- cache folders
- backup archives
- `.env` files
- `wp-config.php`
- credentials
- SSH keys
- customer form submissions
- API tokens
- SMTP credentials
- Turnstile/recaptcha secrets
- origin-specific runtime markers unless they are intentionally source-controlled

## Extraction Workflow

1. Confirm live path and hosting target.
2. List files before copying.
3. Run server-side syntax checks where applicable.
4. Run secret-pattern scans before committing.
5. Copy only bounded source folders into `src/`.
6. Document exactly what was included and excluded in `docs/live-source-sync.md`.
7. Commit locally.
8. Push to private GitHub only after confirming no secrets/backups were included.
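As an added example (not part of this SOP or of any project's own code), a POSIX shell gate for steps 4 and 8: it walks the bounded `src/` tree, flags filenames from the exclusion list (including `.bak` backups, which the KCD note below says still need review) and content that looks like credentials, and exits non-zero so the commit or push stops. The filename and content patterns, the script name and the sample tree are assumptions constructed for illustration; tune the patterns per project.

```shell
#!/bin/sh
# Added example, not part of the SOP: a pre-commit gate for the bounded src/
# folder (workflow steps 4 and 8). Exit 1 means "do not commit/push".

# Filenames that must never enter Git (from the SOP's exclusion list).
EXCLUDED_NAMES='wp-config\.php|\.env|\.DS_Store|.*\.(bak(-[0-9]+)?|sql|zip|tar\.gz)'

# Content patterns that usually mean credentials or tokens; matched case-insensitively.
SECRET_PATTERNS='smtp_pass|api_(key|token)|turnstile_secret|recaptcha_secret|DB_PASSWORD|BEGIN (RSA|OPENSSH) PRIVATE KEY'

# Scan one directory. Prints findings; returns 1 if anything was found, else 0.
scan_source_dir() {
    dir=$1
    status=0
    bad_names=$(find "$dir" -type f | grep -E "/($EXCLUDED_NAMES)$" || true)
    if [ -n "$bad_names" ]; then
        echo "EXCLUDED FILES (remove before commit):"; echo "$bad_names"; status=1
    fi
    hits=$(grep -rEil "$SECRET_PATTERNS" "$dir" || true)
    if [ -n "$hits" ]; then
        echo "POSSIBLE SECRETS (review or exclude):"; echo "$hits"; status=1
    fi
    return $status
}

# Constructed sample tree for demonstration (placeholder values, not real
# credentials): one clean child theme, one tree with the SOP's known problems.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/child-theme" "$root/dirty/mu-plugins"
    printf '<?php // child theme\nadd_action("init", "acd_init");\n' > "$root/clean/child-theme/functions.php"
    printf '<?php define("SMTP_PASS", "placeholder-not-real");\n' > "$root/dirty/mu-plugins/dukeplumb-smtp.php"
    printf '<?php define("DB_PASSWORD", "placeholder");\n' > "$root/dirty/wp-config.php"
    : > "$root/dirty/.DS_Store"
    echo "$root"
}

# Usage: sh live-source-gate.sh src/   (non-zero exit blocks the commit)
if [ $# -gt 0 ]; then
    scan_source_dir "$1" || exit 1
    echo "OK: $1 contains no excluded files or secret patterns"
fi
```

Run it as a pre-commit hook or by hand right before step 7; the `make_sample_tree` helper exists only so the gate can be exercised without touching a real project.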

## WordPress Guardrails

For WordPress sites:

- Treat the full WordPress filesystem as runtime, not source.
- Version custom code only.
- Keep full site backups in TrueNAS/Backblaze/restic.
- Keep uploads out of Git unless a specific small media asset is intentionally part of source.
- Never commit `wp-config.php`.
- Review MU plugins carefully; they often contain credentials or service tokens.

## Static Site Guardrails

For static sites:

- Extract page/source files and assets.
- Exclude server-local backups and nested duplicate site folders.
- Exclude `.DS_Store`.
- Exclude health/origin markers unless they are meant to deploy with the site.
- Normalize accidental executable file modes.

## Deployment From Source Back To Live

Do not deploy from local source back to production until a project-specific `deployment.md` defines:

- target host
- target path
- WARP SSH alias
- files/folders to sync
- exclusions
- backup/rollback path
- verification commands
- Cloudflare/DNS/cache implications

Default verification after deploy:

- public HTTPS check
- origin check when relevant
- Mission Control status check
- WordPress admin/front-end smoke test when relevant
- backup/restore posture unchanged

## Current Known Exclusions

- Aloha Challenge Coins: `acd-turnstile-forms.php` excluded pending secret-safe review.
- Duke Plumb: `dukeplumb-smtp.php` excluded because it is known to contain SMTP credentials.
- KCD: `functions.php.bak-20260214` is currently included in source but should be reviewed to decide whether it belongs in long-term history.
