security: scrub PII — remove real name and IP from committed files

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/deploy.yml

@@ -20,6 +20,10 @@ env:
 #   Track 1 (Node): node-test → build-node → deploy-node ──┐
 #   Track 2 (Go):   go-test   → build-go   → deploy-go   ──┼──→ publish
 #                                                           └─ (both wait)
+#
+# Proto validation flow:
+#   1. go-test job: verify .proto files compile (syntax check)
+#   2. deploy-node job: capture fresh fixtures from prod, validate protos match actual API responses
 
 jobs:
   # ───────────────────────────────────────────────────────────────
@@ -56,6 +60,20 @@ jobs:
           echo "--- Go Ingestor Coverage ---"
           go tool cover -func=ingestor-coverage.out | tail -1
 
+      - name: Verify proto syntax (all .proto files compile)
+        run: |
+          set -e
+          echo "Installing protoc..."
+          sudo apt-get update -qq
+          sudo apt-get install -y protobuf-compiler
+          
+          echo "Checking proto syntax..."
+          for proto in proto/*.proto; do
+            echo "  ✓ $(basename "$proto")"
+            protoc --proto_path=proto --syntax_check "$proto"
+          done
+          echo "✅ All .proto files are syntactically valid"
+
       - name: Generate Go coverage badges
         if: always()
         run: |
@@ -369,7 +387,7 @@ jobs:
           curl -f http://localhost:81/api/nodes || exit 1
           echo "Node staging smoke tests passed ✅"
 
-      - name: Validate API contract (proto vs Node fixtures)
+      - name: 🔍 Validate API contract (protos vs prod fixtures)
         run: |
           set -e
           echo "Refreshing Node fixtures from staging container..."
@@ -585,7 +603,7 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "To promote to production:" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
-          echo "ssh deploy@<VM_HOST>" >> $GITHUB_STEP_SUMMARY
+          echo "ssh deploy@\$VM_HOST" >> $GITHUB_STEP_SUMMARY
           echo "cd /opt/meshcore-deploy" >> $GITHUB_STEP_SUMMARY
           echo "./manage.sh promote" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

.squad/decisions.md

@@ -9,9 +9,9 @@
 - **Resource Group:** MESHCORE-WEST-RG
 - **Region:** westus2
 - **Size:** Standard_D2as_v5 (Linux)
-- **Public IP:** <VM_HOST>
+- **Public IP:** (see VM_HOST env var)
 - **SSH User:** deploy
-- **SSH Command:** `ssh deploy@<VM_HOST>`
+- **SSH Command:** `ssh deploy@$VM_HOST`
 - **Azure CLI:** v2.84.0 (upgraded from 2.11.1 this session — stale .pyc files cleared)
 - **CI Runner:** self-hosted on this same VM ("meshcore-vm")
 - **App path:** TBD (Hudson investigating via SSH)