
POST-DEPLOY PROBE

post-deploy-probe.sh

Post-deploy health probe that asserts sensitive paths are NOT publicly served. Probes a denylist (.env, .git/config, methodology docs, SSH keys) against the live deploy URL and exits non-zero on any 200.

Stark

WHAT THIS PATTERN TEACHES

How to verify the deploy surface AFTER upload, not just the artifact before it. Fixed denylist of leak-prone paths, an extensible env-var denylist, curl status probing with a 10s timeout, LEAK vs ok per-path output, a JSON summary line, and fail-the-deploy exit semantics — a single 200 means rollback.

WHEN TO USE THIS

Every deploy, after the artifact is live. Wired into .claude/commands/deploy.md Step 4.5 as the runtime counterpart to deploy-preflight (which scans before upload). Catches the credential-leak and methodology-exposure classes that survive a clean artifact but get served by a misconfigured CDN root or routing rule.

AT A GLANCE

# DEPLOY_URL=https://example.com bash docs/patterns/post-deploy-probe.sh
# Probes a denylist against the LIVE deploy. Exits non-zero on any 200.
# LEAK  200  -> https://example.com/.env    ← rollback and fix the surface
# ok    404  -> https://example.com/.git/config

FRAMEWORK IMPLEMENTATIONS

bash
set -euo pipefail
: "${DEPLOY_URL:?DEPLOY_URL is required (e.g. https://example.com)}"
DEPLOY_URL="${DEPLOY_URL%/}"   # strip trailing slash for clean composition

# Fixed denylist — mirrors Step 4.5 in .claude/commands/deploy.md.
DENYLIST=(
  "/.env" "/.env.production" "/.env.local"
  "/.git/config" "/.git/HEAD"
  "/.claude/agents/silver-surfer-herald.md"
  "/docs/methods/FORGE_KEEPER.md"
  "/HOLOCRON.md" "/CHANGELOG.md" "/VERSION.md"
  "/package.json" "/tsconfig.json"
  "/id_rsa" "/.ssh/id_rsa"
)
# Optional extensible denylist (newline-separated).
if [[ -n "${DEPLOY_PROBE_EXTRA:-}" ]]; then
  while IFS= read -r extra; do
    [[ -n "$extra" ]] && DENYLIST+=("$extra")
  done <<< "$DEPLOY_PROBE_EXTRA"
fi

# Probe loop (reconstructed from the description above; the page's copy stops at the denylist).
# Only a served 200 counts as a leak; curl errors (timeout, DNS) surface as 000 and are printed as-is.
leaks=0
for path in "${DENYLIST[@]}"; do
  url="${DEPLOY_URL}${path}"
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || status="000"
  if [[ "$status" == "200" ]]; then
    echo "LEAK  ${status}  -> ${url}"
    leaks=$((leaks + 1))
  else
    echo "ok    ${status}  -> ${url}"
  fi
done
printf '{"probed":%d,"leaks":%d,"deploy_url":"%s"}\n' "${#DENYLIST[@]}" "$leaks" "$DEPLOY_URL"
# Fail-the-deploy semantics: a single 200 means rollback.
[[ "$leaks" -eq 0 ]]
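The same probe logic in a function-factored form, added here as an example and not the project's post-deploy-probe.sh: the status fetcher is swappable, so the LEAK/ok classification, the DEPLOY_PROBE_EXTRA merge, the per-path and JSON output and the fail-the-deploy exit code can be exercised offline against a constructed stub that wrongly serves .env. FIXED_DENYLIST (a subset of the page's list), stub_status and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's post-deploy-probe.sh: the probe logic
# factored into functions with a swappable status fetcher, so it can be
# exercised offline. FIXED_DENYLIST is a constructed subset of the page's list.

FIXED_DENYLIST='/.env
/.git/config
/id_rsa'

# build_denylist: fixed paths plus optional newline-separated extras, blanks dropped.
build_denylist() {
  printf '%s\n%s\n' "$FIXED_DENYLIST" "${DEPLOY_PROBE_EXTRA:-}" | sed '/^$/d'
}

# http_status URL: 3-digit code from the live site; 000 on timeout, DNS or connect error.
http_status() {
  _s=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null) || _s=000
  printf '%s\n' "${_s:-000}"
}

# classify STATUS: only a served 200 is a leak; 403, 404 and 000 all count as ok.
classify() {
  if [ "$1" = "200" ]; then echo LEAK; else echo ok; fi
}

# run_probe BASE_URL [STATUS_FN]: one line per path, then a JSON summary line;
# returns non-zero when any path leaked (fail-the-deploy semantics).
run_probe() {
  base="${1%/}"; fn="${2:-http_status}"; probed=0; leaks=0
  for path in $(build_denylist); do
    url="$base$path"
    status=$("$fn" "$url")
    verdict=$(classify "$status")
    printf '%-5s %s  -> %s\n' "$verdict" "$status" "$url"
    probed=$((probed + 1))
    if [ "$verdict" = LEAK ]; then leaks=$((leaks + 1)); fi
  done
  printf '{"probed":%d,"leaks":%d,"base":"%s"}\n' "$probed" "$leaks" "$base"
  [ "$leaks" -eq 0 ]
}

# Constructed stub standing in for curl: a CDN root that wrongly serves .env.
stub_status() {
  case "$1" in */.env) echo 200 ;; *) echo 404 ;; esac
}

# Live: run_probe "$DEPLOY_URL"   Offline: run_probe https://example.com stub_status
```

Against the stub the run prints one LEAK line for /.env, ok lines for the rest, the JSON summary with leaks:1, and returns 1, which is the signal the deploy command should treat as rollback.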