deploy script: build, chown state to muede, lock SYSTEM.md as root 644

scripts/deploy.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Build, deploy, and fix permissions on the damocles-lab state tree.
+# Run from the damocles-daemon repo root (or anywhere - resolves paths absolutely).
+
+set -euo pipefail
+
+REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TARGET=/persist/damocles-lab
+STATE="$TARGET/state"
+
+echo "==> building"
+cd "$REPO"
+nix develop --command cargo build --bin damocles-daemon --bin damocles-mcp 2>&1 | tail -3
+
+echo "==> deploying binaries to $TARGET"
+for bin in damocles-daemon damocles-mcp; do
+    cp "$REPO/target/debug/$bin" "$TARGET/$bin.new"
+    chown muede:users "$TARGET/$bin.new"
+    mv "$TARGET/$bin.new" "$TARGET/$bin"
+done
+ls -la "$TARGET/damocles-daemon" "$TARGET/damocles-mcp"
+
+echo "==> fixing state tree ownership (muede:users)"
+# Anything touched by full-Damocles from the (root-running) damocles container
+# ends up root-owned and unwritable by the daemon. Bulk-fix every time we deploy.
+chown -R muede:users "$STATE"
+
+# SYSTEM.md is the harness contract. Daemon must read it but not write it -
+# it ships as part of the system prompt on each shard spawn. Restore root:root 644.
+if [ -f "$STATE/identity/SYSTEM.md" ]; then
+    chown root:root "$STATE/identity/SYSTEM.md"
+    chmod 644 "$STATE/identity/SYSTEM.md"
+fi
+echo "    state tree fixed"
+
+echo "==> done. restart daemon to pick up new binary:"
+echo "    ~/lab.sh \"cd /workspace && RUST_LOG=info ./damocles-daemon\""