fix(deploy): target the box over WG mesh (10.9.0.6), add ProxyJump support

The box's services are mesh-bound and its public :22 is firewalled, so deploy-service.sh
now targets root@10.9.0.6 (the box's WG leg) with optional MRNUMBER_DEPLOY_JUMP for a
ProxyJump chain. Prospector MRNUMBER_BASE_URL corrected to http://10.9.0.6:8787 (was a
wrong VPC guess). Requires the box to be ON the mesh — see deploy header.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

README.md

@@ -105,7 +105,7 @@ container so adb is local), bound `0.0.0.0:8787`. Deploy from here:
 ```bash
 deploy/deploy-service.sh                  # scp service+client to /opt, install unit, restart
 # then on the box fill /etc/mr-number-service.env (tokens), and point Prospector at:
-#   MRNUMBER_BASE_URL=http://10.20.0.4:8787   (box VPC)
+#   MRNUMBER_BASE_URL=http://10.9.0.6:8787   (box WG mesh leg)
 ```
 **Local dev (plum):**
 ```bash

deploy/deploy-service.sh

@@ -10,10 +10,15 @@
 #   /etc/mr-number-service.env (tokens). It does NOT mint tokens.
 set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-HOST="${MRNUMBER_DEPLOY_HOST:-root@45.55.191.82}"
+# The box's services are mesh-bound (public :22 is firewalled). Reach it over WG at
+# 10.9.0.6 — REQUIRES the box to be on the mesh (it rejoins via phase-b-mesh-join.sh;
+# if `wg show` on the hub shows a stale handshake, fix that first). Override HOST/JUMP
+# for the public path or a ProxyJump chain (e.g. MRNUMBER_DEPLOY_JUMP=root@<yuzu>,root@<lime>).
+HOST="${MRNUMBER_DEPLOY_HOST:-root@10.9.0.6}"
 KEY="${MRNUMBER_DEPLOY_KEY:-$HOME/.ssh/id_ed25519_1984}"
-SSH=(ssh -i "$KEY" -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 "$HOST")
+JUMP_OPT=(); [ -n "${MRNUMBER_DEPLOY_JUMP:-}" ] && JUMP_OPT=(-J "$MRNUMBER_DEPLOY_JUMP")
-SCP=(scp -i "$KEY" -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15)
+SSH=(ssh -i "$KEY" "${JUMP_OPT[@]}" -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15 "$HOST")
+SCP=(scp -i "$KEY" "${JUMP_OPT[@]}" -o StrictHostKeyChecking=accept-new -o ConnectTimeout=15)
 DEST=/opt/mr-number-service
 
 echo "[mr-number] verifying box prerequisites…"
@@ -69,4 +74,4 @@ echo "[mr-number] (re)starting mr-number-service…"
     echo "  tokens not filled in /etc/mr-number-service.env — NOT enabling (would crashloop). Fill them, then: systemctl enable --now mr-number-service"
   fi
 '
-echo "[mr-number] done. Prospector → MRNUMBER_BASE_URL=http://10.20.0.4:8787 (box VPC) or http://45.55.191.82:8787."
+echo "[mr-number] done. Prospector → MRNUMBER_BASE_URL=http://10.9.0.6:8787 (box WG mesh leg)."

deploy/install.sh

@@ -84,7 +84,7 @@ cat <<EOS
 [mr-number] trigger service (prod) deploys to the redroid box, not plum:
   • fill tokens on the box: /etc/mr-number-service.env (MRNUMBER_SERVICE_TOKEN, PEOPLE_SERVICE_TOKEN)
   • deploy:  $ROOT/deploy/deploy-service.sh
-  • Prospector → MRNUMBER_BASE_URL=http://10.20.0.4:8787 (box VPC)
+  • Prospector → MRNUMBER_BASE_URL=http://10.9.0.6:8787 (box mesh leg)
   Local dev on plum:  cd $ROOT/service && ./run    (loads ~/.config/cocotte-secrets/*)
 EOS