[Epic] Murmur deploy + transport validation

[viktor-shcherb]

Hetzner ARM64 deploy, Cloudflare Tunnel, GH Actions pipeline, transport spike.

Reference: DESIGN.md §6 (Deployment), §5.2 (Delivery split — Murmur column, deploy rows).

Order matters: D5 (transport validation) runs FIRST against a temporary tunnel + localhost, before D1-D4 are wired up. If D5 fails, the rest of D1-D4 sinks days unnecessarily.

Children (in order):

• D5: Streamable HTTP transport validation spike #22 — D5: Streamable HTTP transport validation spike (Day-1)
• D1: Dockerfile (linux/arm64) + docker-compose.yml #18 — D1: Dockerfile + docker-compose.yml
• D2: deploy.sh + GH Actions workflow #19 — D2: deploy.sh + GH Actions workflow
• D3: Hetzner box bootstrap runbook #20 — D3: Hetzner box bootstrap runbook
• D4: Cloudflare Tunnel + DNS for murmur.colophon-group.org #21 — D4: Cloudflare Tunnel + DNS

Notes: ARM64 + better-sqlite3 native rebuilds in Docker is a known gotcha. The MCP TS SDK's Streamable HTTP transport has had reconnection regressions; D5 is to validate end-to-end with a real Claude Code session before relying on it.

Epic verification

• D5 spike doc committed; transport choice confirmed
• https://murmur.colophon-group.org/health returns 200 from a non-VPN external network
• A git push to main triggers the GH Actions workflow that deploys without manual intervention
• A real Claude Code session can list 3 MCP tools and complete a stub round-trip via the public URL
• All 5 child issues closed

Definition of done

• All children closed
• Bootstrap doc reproduced by a second engineer (or you, with a paper trail)
• Spike doc names the working SDK + cloudflared versions