ops: harden push.sh — snapshot + migrate-in-deploy + /health gate + auto-rollback

Removes the rsync --delete / manual-migration / no-rollback footguns from the
deploy path. Validated: clean deploy passes the health gate; a forced health
failure correctly rolls back from the .prev snapshot and recovers.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/README.md

@@ -128,3 +128,15 @@ re-initdb the cluster, use `--encoding=UTF8 --locale=C.UTF-8`.
   chown void: /var/lib/void/icons
   ```
 - **Service registry** — edit `config/services.json` to the real homelab service URLs and CT numbers. The committed seed values are best-guess placeholders and should be updated before the health band is meaningful.
+
+## Deploy safety (push.sh, hardened)
+`./deploy/push.sh` now does an atomic-ish, self-verifying deploy:
+1. **Snapshots** the current remote code (excl `node_modules`/`.env`) to `/opt/void-server.prev` for rollback.
+2. rsyncs the new code (`--delete`; preserves `node_modules` + `.env`).
+3. Runs **`npm install --omit=dev` + `npm run migrate`** as part of the deploy (no more separate manual migrate step).
+4. Restarts `void-server`.
+5. **Health-gates**: polls `/health` until it reports the expected `package.json` version + `db_ok` (≈25s).
+6. **Auto-rolls-back** on any failure: restores the `.prev` snapshot, reinstalls, restarts.
+
+Override the health endpoint with `HEALTH_URL=…` if the target IP differs.
+Caveat: forward-only migrations are not auto-reverted on rollback (they're additive by convention, so a code rollback against the new schema is safe; a destructive migration needs manual care).