feat(bot-irc): TLS-only ircd deploy kit for irc.profullstack.com #751

Closed
ralyodio wants to merge 2 commits into master from feat/irc-server-deploy

Conversation

@ralyodio

Contributor

Adds a deployment kit for hosting the Profullstack IRC endpoint at irc.profullstack.com on a DigitalOcean droplet using Ergo v2.18.0 (single-binary Go ircd).

Goal: accept only SSL/TLS IRC connections

Enforced two ways, neither of which is DNS (a hostname carries no port):

  • Firewall — open 6697/tcp, never open 6667.
  • ircd config — define a single TLS listener on 6697, no plaintext listener at all. (No STARTTLS-on-cleartext, which is TLS-strippable.)

Files (packages/bots/irc/deploy/)

  • SERVER.md — runbook: DNS, ufw, certbot, Ergo install, the ircd.yaml overlay, systemd, and verification (openssl s_client succeeds / nc 6667 refused).
  • ergo.service — hardened systemd unit; ExecReload=SIGHUP for live cert rehash.
  • certbot-deploy-hook.sh — reloads Ergo when the cert renews.

Facts verified against Ergo docs: default config is default.yaml → ircd.yaml, no initdb step, rehash-on-SIGHUP is supported.

sh1pt's existing IRC bot connects with tls: true (defaults to 6697) — no client changes needed.

🤖 Generated with Claude Code
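The runbook's smoke test (openssl s_client on 6697 succeeds, nc on 6667 is refused) probes from outside. As an added example that is not part of this PR, the script below does the complementary host-side check: it parses `ss -ltnH` output and fails if any plaintext IRC port is bound, or if 6697 is bound only on loopback and so serves no remote client. 6697 and 6667 are the ports the PR names; 6668 is assumed here to be the loopback plaintext listener in Ergo's shipped default.yaml (check your copy), and the ss output embedded below is constructed, not captured from a host.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: host-side audit that the ircd exposes only
# the TLS port. Reads `ss -ltnH` lines (State Recv-Q Send-Q Local:Port Peer:Port)
# and fails when a plaintext IRC port is bound or when 6697 is loopback-only.
# 6697/6667 are the PR's ports; 6668 is assumed to be Ergo's default loopback
# plaintext listener.

TLS_PORT=6697
PLAINTEXT_PORTS="6667 6668"

# audit_listeners < ss-output
# exit 0: only the TLS port is exposed; exit 1: plaintext bound or no public TLS.
audit_listeners() {
  local state rq sq laddr rest host port p tls_public=0 plaintext=""
  while read -r state rq sq laddr rest; do
    [ -n "$laddr" ] || continue
    port=${laddr##*:}          # "[::]:6697" -> 6697, "*:6667" -> 6667
    host=${laddr%:*}           # "[::]:6697" -> [::], "127.0.0.1:6668" -> 127.0.0.1
    for p in $PLAINTEXT_PORTS; do
      [ "$port" = "$p" ] && plaintext="$plaintext $laddr"
    done
    if [ "$port" = "$TLS_PORT" ]; then
      case "$host" in
        127.*|'[::1]') ;;        # loopback-only TLS serves no remote client
        *) tls_public=1 ;;
      esac
    fi
  done
  if [ -n "$plaintext" ]; then
    printf 'FAIL: plaintext IRC listener(s) bound:%s\n' "$plaintext" >&2
    return 1
  fi
  if [ "$tls_public" -ne 1 ]; then
    printf 'FAIL: no public listener on %s\n' "$TLS_PORT" >&2
    return 1
  fi
  printf 'OK: only %s is exposed\n' "$TLS_PORT"
}

# Constructed `ss -ltnH` output for both states (not captured from a real host).
SS_DEFAULT='LISTEN 0 4096 *:6667 *:*
LISTEN 0 4096 127.0.0.1:6668 0.0.0.0:*
LISTEN 0 4096 *:6697 *:*'
SS_TLS_ONLY='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:6697 [::]:*'

# Demo: the shipped default exposes plaintext; the TLS-only overlay does not.
printf '%s\n' "$SS_DEFAULT" | audit_listeners || true
printf '%s\n' "$SS_TLS_ONLY" | audit_listeners
# Live, on the droplet:  ss -ltnH | audit_listeners
```

Run it alongside the firewall check: `ufw allow 6697/tcp` is the only IRC rule that should appear in `ufw status numbered`. The two checks catch different mistakes: the firewall can hide a plaintext listener that is still bound, and an `ss` audit does not prove the port is reachable from outside.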

ralyodio and others added 2 commits June 12, 2026 09:29
node-pnpm-ci and node-pnpm-test hardcoded `version:` for
pnpm/action-setup@v4. When the target repo declares a `packageManager`
field (e.g. pnpm@10.0.0), action-setup@v4 fails with
ERR_PNPM_BAD_PM_VERSION on the mismatch — which broke b1dz.com CI.

Rely on `packageManager` as the single source of truth (pnpm's
recommended approach): drop the pinned `version` input from both
workflow templates and remove the now-unused `pnpmVersion` input from
schemas/manifests. Bump both packs 1.0.0 -> 1.1.0 and document the
packageManager requirement. Tests updated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Runbook + systemd unit + cert-renewal hook to host a Profullstack IRC
endpoint on a DigitalOcean droplet using Ergo (single-binary Go ircd).

SSL-only is enforced at the firewall (6697 open, 6667 never opened) and
in the ircd config (single TLS listener on 6697, no plaintext listener)
— not via DNS, which carries no port. sh1pt's irc bot connects with
tls:true (defaults to 6697).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions


vu1nz Security Review

0 finding(s) in PR #751

No security issues found.

Full AI Analysis

After thoroughly reviewing this pull request, I found NO security issues.

This is a clean refactoring that improves the security posture.

Summary of Changes

The PR removes hardcoded pnpm version parameters from GitHub Actions workflows and instead relies on the packageManager field in package.json to determine the pnpm version. This is accompanied by comprehensive documentation for IRC server deployment.

Security Analysis

No security vulnerabilities identified.

The changes actually improve security practices:

  1. Eliminates version drift issues - By reading pnpm version from package.json's packageManager field instead of hardcoded values, it prevents version conflicts that could cause build failures

  2. Follows principle of single source of truth - Package manager version is now centrally managed in package.json

  3. IRC server deployment follows security best practices:

    • TLS-only configuration (no plaintext IRC)
    • Proper firewall rules (only necessary ports open)
    • Let's Encrypt TLS certificates
    • Principle of least privilege (dedicated ergo user)
    • systemd hardening options
    • Proper file permissions and ACLs
  4. No hardcoded secrets - All sensitive data (certificates) are properly externalized

  5. Supply chain security - The IRC deployment pins specific software versions (Ergo v2.18.0)

The code changes are purely configuration-related with no executable code modifications that could introduce vulnerabilities.

Severity | File | Line | Issue | Suggestion
- | - | - | No security issues found | -

@greptile-apps

greptile-apps Bot commented Jun 14, 2026

Contributor

Greptile Summary

This PR bundles two distinct changes: a new TLS-only Ergo IRC deployment kit for irc.profullstack.com (SERVER.md, ergo.service, certbot-deploy-hook.sh) and a refactor of the node-pnpm-ci/node-pnpm-test action packs that removes the pnpmVersion input in favour of reading the pnpm version from each consumer repository's packageManager field in package.json.

  • IRC deploy kit: Enforces TLS-only connections via a single :6697 listener with no plaintext port, a hardened systemd unit, and a certbot deploy hook that sends SIGHUP without dropping connections. Design is sound.
  • pnpm action packs (1.0.0 → 1.1.0): Removes the pnpmVersion input from both node-pnpm-ci and node-pnpm-test. Because removing an input is backward-incompatible, this warrants a major version bump (2.0.0), not a minor one.
  • Binary install: SERVER.md's curl | tar pipeline fetches the Ergo release binary without verifying the published SHA-256 checksum, leaving a gap for tampered-binary delivery.

Confidence Score: 4/5

The IRC deployment files are safe to merge as-is; the action-pack version label should be corrected before consumers adopt the upgrade.

Removing pnpmVersion from both action packs without a major version bump means consumers who pass that input will silently break on upgrade. The IRC deploy kit itself is well-constructed, but the binary install step skips the published SHA-256 verification.

packages/actions/node-pnpm-ci/action.yml and packages/actions/node-pnpm-test/action.yml — the version numbers need a second look before any downstream consumer upgrades.

Security Review

  • Unverified binary download (SERVER.md, install step): the curl | tar pipeline downloads the Ergo binary over HTTPS but does not check the SHA-256 checksum published alongside each release. A compromised CDN or MITM could substitute a malicious binary that would be unpacked without detection.

Important Files Changed

  • packages/actions/node-pnpm-ci/action.yml: version bumped to 1.1.0 while removing the pnpmVersion input; this is a breaking change that should be a major version bump (2.0.0).
  • packages/actions/node-pnpm-test/action.yml: same breaking removal of pnpmVersion as in node-pnpm-ci, versioned as a minor bump instead of a major one.
  • packages/actions/src/index.test.ts: test assertions updated to verify the version string is absent and the action reference is present; negative and positive assertions cover the change correctly.
  • packages/bots/irc/deploy/SERVER.md: solid runbook; TLS-only design is correct, setfacl cert access and smoke-test steps are well documented. Missing SHA-256 verification on the binary download.
  • packages/bots/irc/deploy/certbot-deploy-hook.sh: well-formed deploy hook: set -euo pipefail, case guard on RENEWED_LINEAGE, and systemctl reload issues SIGHUP without disrupting connected clients.
  • packages/bots/irc/deploy/ergo.service: hardened systemd unit with ProtectSystem=strict, NoNewPrivileges, PrivateTmp, ReadWritePaths and ReadOnlyPaths; correct and minimal.

Sequence Diagram

sequenceDiagram
    participant certbot
    participant hook as certbot-deploy-hook.sh
    participant systemd
    participant ergo as Ergo ircd
    participant client as IRC Client

    certbot->>hook: runs deploy hook (RENEWED_LINEAGE set)
    hook->>hook: "case match */irc.profullstack.com"
    hook->>systemd: systemctl reload ergo
    systemd->>ergo: SIGHUP (ExecReload)
    ergo->>ergo: rehash config + reload TLS cert
    note over ergo,client: existing connections preserved
    client->>ergo: new TLS connection on :6697
    ergo-->>client: TLS handshake (renewed cert)


Reviews (1): Last reviewed commit: "feat(bot-irc): add TLS-only ircd deploy ..."
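The guard-and-reload behaviour the summary above attributes to certbot-deploy-hook.sh, written out as an added example (this is not the PR's file). certbot runs every deploy hook for every renewed lineage and exports RENEWED_LINEAGE, so the hook has to check that the renewed certificate is the IRC one before reloading. Assumptions: the systemd unit is called `ergo` and its ExecReload sends SIGHUP, as the PR describes; the lineage paths used in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the PR's certbot-deploy-hook.sh: reload the ircd only when
# the IRC certificate itself was renewed. certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/irc.profullstack.com) to every deploy hook for
# every renewed lineage, so a renewal of another cert on the box must not
# bounce the server. Assumptions: unit name 'ergo', ExecReload delivers SIGHUP.
set -euo pipefail

IRC_HOST=irc.profullstack.com
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload ergo"}

# should_reload LINEAGE_DIR: 0 when the renewed lineage is the IRC host's.
# Exact match on the last path component; certbot's duplicate lineages
# (irc.profullstack.com-0001) are deliberately not matched.
should_reload() {
  case "${1%/}" in
    */"$IRC_HOST") return 0 ;;
    *)             return 1 ;;
  esac
}

# reload_if_irc: the hook body.
# 0 = reload issued, 2 = skipped (other lineage), 1 = RENEWED_LINEAGE unset.
reload_if_irc() {
  local lineage=${RENEWED_LINEAGE:-}
  if [ -z "$lineage" ]; then
    echo 'RENEWED_LINEAGE is unset: not invoked by certbot' >&2
    return 1
  fi
  if should_reload "$lineage"; then
    # systemd's ExecReload sends SIGHUP; Ergo rehashes config and TLS cert
    # in place, so connected clients are not dropped.
    $RELOAD_CMD
    echo "reloaded ircd for $lineage"
    return 0
  fi
  echo "ignoring renewal of $lineage"
  return 2
}

# Act only when certbot invoked us; sourcing the file for a test runs nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  reload_if_irc
fi
```

Install it executable under /etc/letsencrypt/renewal-hooks/deploy/ and exercise it by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/irc.profullstack.com ./hook.sh` before relying on a renewal. If certbot ever creates a duplicate lineage (the `-0001` suffix), the exact match above stops the reload rather than reloading against a cert path the unit does not read; that is the safer failure.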

id: node-pnpm-ci
name: Node pnpm CI
version: 1.0.0
version: 1.1.0
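Review bot: this hunk only moves `version:` from 1.0.0 to 1.1.0, but the commit message and summary say the same change removes the `pnpmVersion` input, which is backward-incompatible for any caller still passing it; bump to 2.0.0 here and in node-pnpm-test/action.yml, otherwise consumers following the 1.x line pick up the removal as a compatible update.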


P1 Breaking removal versioned as a minor bump

Removing the pnpmVersion input is a backward-incompatible change: any consumer that currently passes pnpmVersion in their action invocation will have that input silently dropped (or error, depending on the action runner). Under semver this warrants a major version bump (2.0.0), not 1.1.0. The same applies to node-pnpm-test. Existing users who discover the upgrade path from a changelog or registry entry will assume 1.x → 1.1.0 is safe to adopt.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!


Comment on lines +52 to +55
VER=v2.18.0
curl -fsSL "https://github.com/ergochat/ergo/releases/download/${VER}/ergo-${VER}-linux-x86_64.tar.gz" \
| tar xz --strip-components=1
cp default.yaml ircd.yaml # start from the shipped default, then apply §5
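Review bot: `cp default.yaml ircd.yaml` on the last line overwrites any ircd.yaml already in place, so re-running this install step after the §5 overlay has been applied silently reverts the server to the shipped default, which is the plaintext-enabled config this kit exists to replace; use `cp -n default.yaml ircd.yaml` or guard it with `[ -e ircd.yaml ] ||`. On the `curl ... | tar xz` pipe: download to a file, check its SHA-256 against the digest published with the release, and only then extract, since the pipe unpacks whatever the server returned.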


P2 security No binary integrity check on the Ergo download

The curl | tar install pipeline fetches the release binary over HTTPS but does not verify its SHA-256 checksum against the .sha256sum file that Ergo publishes alongside each release. A compromised CDN, redirected request, or supply-chain incident could deliver a tampered binary that tar would unpack silently. Adding a sha256sum -c step after the download (using the published checksum file from the same release) would close this gap.

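The `sha256sum -c` step suggested in the comment above, as an added example (not the runbook's text or the PR's code): download to a file, compare its digest against one the operator copied from the release page, and extract only on a match. The URL pattern is the runbook's; the expected digest is supplied by the operator and never derived from the download itself, which would verify nothing. The tarball used in the offline demo is constructed in a temp directory, not a real Ergo release.

```shell
#!/usr/bin/env bash
# Added example (not the runbook's own step): verify the Ergo tarball's SHA-256
# before tar ever sees it. Assumptions: release URL pattern as in SERVER.md;
# EXPECTED_SHA256 comes from the operator (release page / checksum file).
set -u

# digest FILE: hex SHA-256, using sha256sum (coreutils) or shasum (macOS).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$1"
  else shasum -a 256 -- "$1"; fi | cut -d' ' -f1
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# 0 = digest matched, archive extracted into DESTDIR; 1 = mismatch, nothing extracted.
verify_and_extract() {
  local archive=$1 expected=$2 dest=$3 actual
  actual=$(digest "$archive")
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to extract %s\n  expected %s\n  actual   %s\n' \
      "$archive" "$expected" "$actual" >&2
    return 1
  fi
  mkdir -p -- "$dest"
  tar -xzf "$archive" -C "$dest" --strip-components=1
}

# fetch_and_install VERSION EXPECTED_SHA256 DESTDIR: the network path on the droplet.
fetch_and_install() {
  local ver=$1 expected=$2 dest=$3 tmp rc
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/ergo.tar.gz" \
    "https://github.com/ergochat/ergo/releases/download/${ver}/ergo-${ver}-linux-x86_64.tar.gz"
  verify_and_extract "$tmp/ergo.tar.gz" "$expected" "$dest"
  rc=$?
  rm -rf -- "$tmp"
  return "$rc"
}

# make_sample_archive DIR: constructed stand-in for a release tarball (offline demo).
make_sample_archive() {
  local base=$1
  mkdir -p -- "$base/src/ergo-v2.18.0"
  printf 'server:\n    name: sample\n' > "$base/src/ergo-v2.18.0/default.yaml"
  tar -czf "$base/ergo-sample.tar.gz" -C "$base/src" ergo-v2.18.0
  printf '%s\n' "$base/ergo-sample.tar.gz"
}

# Offline demo: the right digest extracts; a wrong one is refused before tar runs.
demo_dir=$(mktemp -d)
sample=$(make_sample_archive "$demo_dir")
good=$(digest "$sample")
bad=0000000000000000000000000000000000000000000000000000000000000000
verify_and_extract "$sample" "$good" "$demo_dir/ok" && ls "$demo_dir/ok"
verify_and_extract "$sample" "$bad" "$demo_dir/bad" || echo 'rejected as expected'
rm -rf -- "$demo_dir"
# On the droplet:  fetch_and_install v2.18.0 "<digest from the release page>" /opt/ergo
```

Fetching the checksum file from the same URL as the tarball only proves both came from the same server; copying the digest out of band (the release page viewed in a browser, or a value already recorded in the runbook) is what makes a swapped binary detectable.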

@ralyodio

Contributor Author

Closing as misplaced: this is a server-side IRC deploy kit, but sh1pt's IRC package is a client bot. The IRC server lives in agentbbs (co-located with the BBS, members-only, TLS-only on 6697) — see agentbbs setup.sh §9b + docs/irc.md. Superseded there.

@ralyodio ralyodio closed this Jun 14, 2026
@ralyodio ralyodio deleted the feat/irc-server-deploy branch June 14, 2026 11:21