fix(docs): correct deploy topology — static assets live on caddy CT, not steel141
Wrong-path correction: previous DECISIONS.md and handoff said toolbar.js deploys to /opt/sethmux/ 'on this host'. Caddy's 'root * /opt/sethmux' resolves against Caddy's filesystem, which is on the caddy CT (192.168.0.185), not steel141. Deployed copy on steel141 was harmless but unused; the served file came from caddy CT. Symptom: 'mux.sethpc.xyz looks the same' after a successful steel141 'cp'. Resolution: scp static/toolbar.js caddy:/opt/sethmux/. DECISIONS.md now documents the two-host split (Caddy serves static assets from its own disk; ttyd on steel141 serves --index).
@@ -116,8 +116,8 @@ ttyd serves only `--index /opt/sethmux/index.html` and the websocket — **toolb
|
|||||||
|
|
||||||
## Important Context
|
## Important Context
|
||||||
|
|
||||||
- **Deployments are MANUAL.** Editing `static/toolbar.js` does not ship until `sudo cp static/toolbar.js /opt/sethmux/toolbar.js`. The Mar 26 → Mar 28 drift this session uncovered (3 toolbar fixes committed but never deployed) suggests this footgun has been hit before.
|
- **Deployments are MANUAL and split across TWO hosts.** Static assets Caddy serves directly (`toolbar.js`, `manifest.json`, `icon-*.png`) live in `/opt/sethmux/` on **caddy CT** (192.168.0.185). Index and notify-server live in `/opt/sethmux/` on **steel141**. Same path, different filesystems. **First deploy this session went to the wrong host** (steel141 only) — symptom was "looks the same" because Caddy was still serving the old file from its own /opt/sethmux/. Correct deploy: `scp static/toolbar.js caddy:/opt/sethmux/`. The Mar 26 → Mar 28 drift this session uncovered (3 toolbar fixes committed but never deployed) suggests this footgun has been hit before — same root cause.
|
||||||
- **toolbar.js is served by Caddy from `/opt/sethmux/`, not by ttyd.** The systemd unit's `--index /opt/sethmux/index.html` only sets ttyd's index page; everything else under `/opt/sethmux/` is `file_server`'d by Caddy. Consequence: no daemon restart on toolbar changes.
|
- **toolbar.js is served by Caddy from caddy-CT's `/opt/sethmux/`, not by ttyd.** The systemd unit's `--index /opt/sethmux/index.html` (on steel141) only sets ttyd's index page; static assets are `file_server`'d by Caddy, on Caddy's own filesystem. No daemon restart on toolbar changes.
|
||||||
- **The pre-commit hook (`detect-secrets-hook`, configured at `~/.config/git/hooks/pre-commit`) flags SRI hashes as base64 high-entropy strings.** When adding new HTML with `integrity="sha384-..."` script tags, regenerate baseline with `detect-secrets scan --all-files --exclude-files '\.git/|\.secrets\.baseline$' > .secrets.baseline` before committing. NEVER use `--no-verify` — global rule.
|
- **The pre-commit hook (`detect-secrets-hook`, configured at `~/.config/git/hooks/pre-commit`) flags SRI hashes as base64 high-entropy strings.** When adding new HTML with `integrity="sha384-..."` script tags, regenerate baseline with `detect-secrets scan --all-files --exclude-files '\.git/|\.secrets\.baseline$' > .secrets.baseline` before committing. NEVER use `--no-verify` — global rule.
|
||||||
- **The compose bar and the helper-textarea hardening are complementary, not redundant.** Compose bar = autocorrect-friendly typing surface. Helper-textarea hardening = prevents Gboard from corrupting per-keystroke chord/arrow taps. Both stay.
|
- **The compose bar and the helper-textarea hardening are complementary, not redundant.** Compose bar = autocorrect-friendly typing surface. Helper-textarea hardening = prevents Gboard from corrupting per-keystroke chord/arrow taps. Both stay.
|
||||||
- **Authentik blocks unauthenticated curl** to mux.sethpc.xyz. To verify deploys via HTTP, you'd need an auth token; otherwise, file-hash on disk is the verification path.
|
- **Authentik blocks unauthenticated curl** to mux.sethpc.xyz. To verify deploys via HTTP, you'd need an auth token; otherwise, file-hash on disk is the verification path.
|
||||||
|
|||||||
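Review bot: The unchanged Authentik bullet at the end of this hunk still says "file-hash on disk is the verification path" without naming a host, and after this change that is the ambiguity that produced the "looks the same" symptom. Suggest stating that for Caddy-served assets the hash has to be read on caddy CT, for example by comparing `sha256sum static/toolbar.js` locally with `ssh caddy sha256sum /opt/sethmux/toolbar.js`, and that a hash taken on steel141 only proves anything for `index.html` and the notify-server. The "Correct deploy" command in the rewritten first bullet also names only `toolbar.js` while the same bullet lists `manifest.json` and `icon-*.png` as living on caddy CT; either list all three or point to the deploy commands in DECISIONS.md.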
+13
-1
@@ -12,7 +12,19 @@ Format: `YYYY-MM-DD: <decision> — <why>`
|
|||||||
|
|
||||||
- **Visual system: Google Workspace dark vocabulary, sethmux orange accent.** Tokens: bar `#202124`, button surface `#303134`, hairline `#3c4043`, primary text `#e8eaed`, accent `#D35400` (replaces Google blue), Roboto 12/500 + Roboto Mono 12/400 for chord keys. **Why:** the previous palette (`#111`/`#222`/2px orange top border) read as a generic terminal toolbar; the Workspace vocabulary makes the bar feel like a deliberate productivity surface while keeping `#D35400` as sethmux brand identity.
|
- **Visual system: Google Workspace dark vocabulary, sethmux orange accent.** Tokens: bar `#202124`, button surface `#303134`, hairline `#3c4043`, primary text `#e8eaed`, accent `#D35400` (replaces Google blue), Roboto 12/500 + Roboto Mono 12/400 for chord keys. **Why:** the previous palette (`#111`/`#222`/2px orange top border) read as a generic terminal toolbar; the Workspace vocabulary makes the bar feel like a deliberate productivity surface while keeping `#D35400` as sethmux brand identity.
|
||||||
|
|
||||||
- **Manual deploy: `cp static/* /opt/sethmux/`.** No rsync, no auto-reload. **Why:** static assets only, served directly by Caddy from `/opt/sethmux/`. No daemon restart needed — ttyd doesn't serve `toolbar.js` (only `--index /opt/sethmux/index.html`); the rest is Caddy's `file_server` handler. Keep deploy explicit so we never ship in-progress edits.
|
- **Manual deploy is split across TWO hosts.** Static assets that Caddy serves directly (`toolbar.js`, `manifest.json`, `icon-*.png`) live in `/opt/sethmux/` on the **caddy CT** (192.168.0.185, `ssh caddy`). The ttyd index (`index.html`) and notify-server (`notify-server.py`) live in `/opt/sethmux/` on **steel141** (192.168.0.141), where the systemd units run. Both hosts happen to use `/opt/sethmux/` — easy to confuse. **Why:** Caddy's `handle /toolbar.js { root * /opt/sethmux; file_server }` resolves the root against **Caddy's own filesystem**, not the upstream's. Caddy is on the caddy CT, so that's where the file must live. Catch-all `handle { reverse_proxy 192.168.0.141:7683 }` proxies the index page request to ttyd on steel141, which serves `--index /opt/sethmux/index.html` from its own disk.
|
||||||
|
|
||||||
|
**Deploy commands:**
|
||||||
|
```bash
|
||||||
|
# Static assets served by Caddy → caddy CT
|
||||||
|
scp static/toolbar.js static/manifest.json static/icon-*.png caddy:/opt/sethmux/
|
||||||
|
|
||||||
|
# ttyd index + notify-server → steel141 (this host)
|
||||||
|
sudo cp static/index.html /opt/sethmux/
|
||||||
|
sudo cp notify-server.py /opt/sethmux/
|
||||||
|
```
|
||||||
|
|
||||||
|
No daemon restart needed for static-asset changes. Restart `sethmux.service` (steel141) only when changing ttyd args or `index.html`.
|
||||||
|
|
||||||
## Deferred / Rejected
|
## Deferred / Rejected
|
||||||
|
|
||||||
|
|||||||
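Review bot: In the deploy commands block, the steel141 copies use `sudo cp` while the `scp ... caddy:/opt/sethmux/` line writes to the same path on caddy CT with no privilege step, so the doc should say which account the `caddy` SSH alias logs in as and who owns `/opt/sethmux/` there; a web root writable by a general-purpose login is worth recording as a deliberate choice rather than leaving implicit. Separately, the closing line says to restart `sethmux.service` only for ttyd args or `index.html`, but the block also deploys `notify-server.py` and the paragraph above refers to systemd units in the plural; add which unit needs a restart after a notify-server change. The removed line's rationale ("Keep deploy explicit so we never ship in-progress edits") is no longer stated anywhere in this entry and could be kept as one sentence.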