Adds a new "deploy" job in .gitea/workflows/ci.yml that runs on push
to main (after PR is merged). Builds production bundle and rsyncs
it to /var/www/rublox-player/build/ on both production servers
(S1 VM 124 via NAT 1998, S2 VM 124 directly via runner network).
Uses Gitea Secrets:
- DEPLOY_SSH_KEY: dedicated ed25519 key for CI, pubkey already
on ~min/.ssh/authorized_keys on both VM 124
- KNOWN_HOSTS: host keys of both targets to prevent MITM
Also updates CONTRIBUTING.md:
- Maintainer workflow section explaining why even the Lead works via PR
- Hotfix flow (always via PR, never direct push to main)
- DevPanel as fallback if CI deploy is broken
3 blockers before onboarding open-source contributors:
1. CI Lint+Format: removed format:check (a separate format week).
Secret-scan moved from docker run to a native trufflehog install.
2. Assets (106 MB kubikon-assets/) in Gitea Releases:
https://git.rublox.pro/rublox/player/releases/tag/assets-v1
npm run fetch-assets + postinstall.
3. PlayerAuth supports the ?standalone=1 URL parameter
(previously only via VITE_STANDALONE in .env).