chore(deploy): rewrite web.env every deploy with machine-id-derived SECRET_KEY

Drops the 'only on first creation' guard so newly added env vars reach
existing boxes (today's SESSION_COOKIE_SECURE=false rake). SECRET_KEY
is now sha256(/etc/machine-id) — stable per host, no session
invalidation across redeploys, no state persisted in /etc that the
deploy has to tiptoe around. Single-operator test deployment; the
secret being machine-id-derivable is acceptable per deploy/README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/deploy-test-server.sh

@@ -154,17 +154,18 @@ $sudo_cmd install -m 0644 -o root -g root \
     /opt/left4me/deploy/files/etc/left4me/sandbox-resolv.conf \
     /etc/left4me/sandbox-resolv.conf
 
-if [ ! -f /etc/left4me/web.env ]; then
+# Stomp the file every deploy so newly added vars reach existing boxes.
-    secret_key=$(python3 -c 'import secrets; print(secrets.token_hex(32))')
+# SECRET_KEY is derived from /etc/machine-id so it stays stable across
-    tmp_web_env="$remote_tmp/web.env"
+# redeploys (no session invalidation) without persisting state in /etc.
-    {
+secret_key=$(sha256sum < /etc/machine-id | awk '{print $1}')
-        printf 'DATABASE_URL=sqlite:////var/lib/left4me/left4me.db\n'
+tmp_web_env="$remote_tmp/web.env"
-        printf 'SECRET_KEY=%s\n' "$secret_key"
+{
-        printf 'JOB_WORKER_THREADS=4\n'
+    printf 'DATABASE_URL=sqlite:////var/lib/left4me/left4me.db\n'
-        printf 'SESSION_COOKIE_SECURE=false\n'
+    printf 'SECRET_KEY=%s\n' "$secret_key"
-    } > "$tmp_web_env"
+    printf 'JOB_WORKER_THREADS=4\n'
-    $sudo_cmd install -m 0640 -o root -g left4me "$tmp_web_env" /etc/left4me/web.env
+    printf 'SESSION_COOKIE_SECURE=false\n'
-fi
+} > "$tmp_web_env"
+$sudo_cmd install -m 0640 -o root -g left4me "$tmp_web_env" /etc/left4me/web.env
 
 if [ ! -x /opt/left4me/.venv/bin/python ]; then
     run_as_left4me python3 -m venv /opt/left4me/.venv