Deployment should preserve the same capability boundaries proven locally. Separate a public-data capture worker from the network-denied paper worker. The capture worker permits HTTPS GET only to approved hosts; the paper worker reads sealed artifacts and SQLite, generates reports, and exposes no public control endpoint.
Create an unprivileged operating-system user, a fixed application directory, read-only code, writable var/ directories, restrictive file permissions, and a service definition with restart limits. Pin dependencies with hashes, scan them, and deploy a reviewed build artifact rather than editing code on the server.
Configuration comes from a protected runtime file or secret store. The paper service rejects trading credential names. Optional LLM and SMTP keys belong only to the component that needs them and never to fixture tests. Logs use structured redaction and rotate under a size/retention budget.
Health checks cover last successful capture, last sealed run, database integrity, disk space, scheduler heartbeat, report age, safety-manifest result, and backup status. A process being alive is not enough. Failed freshness puts the dashboard into degraded state.
Use a firewall default deny. The capture worker needs outbound DNS/HTTPS to allowlisted hosts; the report can be served as static files by a minimal web server. No SSH password login, database port, debug console, or administration route should be public. Keep operator access separate and patched.
Deployment is reversible: back up database/artifacts, upload new version, run migrations and smoke tests, switch the service, monitor, and retain the prior artifact for rollback. Rollback never rewrites audit events.
Create a deployment evidence packet containing artifact hash, dependency scan, safety-manifest result, migration output, service user/permission checks, firewall test, network-denial proof for the paper worker, health response, backup hash, and rollback rehearsal. Redact host addresses and credentials where unnecessary, but keep timestamps and command outcomes. A successful process start without this evidence is not a verified launch.
🇵🇰 Pakistan Angle
Choose hosting after measuring current local latency, cost, storage, and payment practicality; do not hardcode a provider claim. Design for internet interruption at the learner end with static reports. Server geography does not establish legal permission for market activity.
Hands-On Exercise
Deploy to a local VM or VPS with fake fixtures. Prove the paper worker cannot reach the internet, the service runs unprivileged, logs redact secrets, health turns degraded after stale data, and backup restore works. Capture commands and evidence without secret values.
Completion Rubric
- Capture and paper workers have least-privilege network/filesystem access.
- Build, dependencies, migrations, and rollback are reproducible.
- Health measures data and audit integrity, not process life alone.
- No public debug/admin or transaction surface exists.
- Deployment evidence contains no credentials.
Sources
- NIST Secure Software Development Framework
- OWASP deployment configuration testing guide
- Python venv documentation
Key takeaway: Safe deployment carries paper-only capability limits, provenance, health, and recovery controls into operations.