fix(deploy): target com.uvlava.ct.services + DO managed-PG CA cert

SERVER_HOST default → 138.197.120.105 (old lime IP released). Ship DO CA cert
+ NODE_EXTRA_CA_CERTS in the unit (managed PG = self-signed chain → node
SELF_SIGNED_CERT_IN_CHAIN). Box must be a DB trusted-source.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/deploy-server.sh

@@ -25,7 +25,9 @@ set -euo pipefail
 #   ./deploy-server.sh --skip-build    # ship the current dist/ as-is
 #   SERVER_HOST=10.9.0.5 ./deploy-server.sh   # over the wg mesh
 
-SERVER_HOST="${SERVER_HOST:-209.38.51.98}"   # lime reserved IP; 10.9.0.5 = mesh
+SERVER_HOST="${SERVER_HOST:-138.197.120.105}"   # com.uvlava.ct.services; 10.9.0.5 = mesh
+# NOTE: the box must be a TRUSTED SOURCE on the lilith-store-pg managed cluster
+# (DO console / databases firewall) or migrations + the app's DB connect time out.
 REMOTE_DIR="/opt/prospector"
 SERVICE_NAME="prospector"
 PORT="3210"
@@ -95,6 +97,14 @@ MRNUMBER_SERVICE_TOKEN=\$(gen 24)
 EOF
 chmod 600 $REMOTE_DIR/.env"
 
+say "Ensuring DO managed-PG CA cert on the droplet (NODE_EXTRA_CA_CERTS)"
+$SSH "$R" "test -f $REMOTE_DIR/do-ca.crt" 2>/dev/null || {
+  _CID=ef22022e-de47-4a4d-8303-0166dbf891d6
+  curl -s -H "Authorization: Bearer $(cat "$HOME/.vault/do-pat-ct.token")" "https://api.digitalocean.com/v2/databases/$_CID/ca" \
+    | python3 -c 'import sys,json,base64;sys.stdout.write(base64.b64decode(json.load(sys.stdin)["ca"]["certificate"]).decode())' > /tmp/_do-ca.crt
+  rsync -az -e "$RSH" /tmp/_do-ca.crt "$R:$REMOTE_DIR/do-ca.crt" && rm -f /tmp/_do-ca.crt
+}
+
 say "Installing systemd unit $SERVICE_NAME (reads its own .env; no EnvironmentFile)"
 $SSH "$R" "cat > /etc/systemd/system/$SERVICE_NAME.service <<EOF
 [Unit]
@@ -105,6 +115,7 @@ Wants=network-online.target
 [Service]
 Type=simple
 WorkingDirectory=$REMOTE_DIR
+Environment=NODE_EXTRA_CA_CERTS=$REMOTE_DIR/do-ca.crt
 ExecStart=/usr/bin/node $REMOTE_DIR/dist/main.js
 Restart=always
 RestartSec=5