simuport deploy gateway

Deploy
POST https://deploy.simuport.com/hooks/
Sign the request body with HMAC-SHA256 using the shared secret and send the signature in the X-Hub-Signature-256 header; body includes: {"ref":"refs/heads/main","after":""}
Response: {"app","sha","status_url","logs_url"} for this deploy.

Status
GET https://deploy.simuport.com/hooks/deploy-status?app=&sha= -> {"state": queued|running|success|failure, ...}

Logs
GET https://deploy.simuport.com/hooks/deploy-logs?app=&sha= -> raw deploy log

Key
Shared HMAC secret looks like: 1574****d510   sha256: b0c33af4
Eyeball the masked key, or verify by hash (reveals nothing): printf %s "$DEPLOY_WEBHOOK_SECRET" | sha256sum

Status and logs need no auth — the git sha is the access (the repo is private). The sha appears in proxy access logs; treat anyone with those as able to read.

Projects:
- safedrop-project-web
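The signing step under Deploy and the hash check under Key, as an added Python example (not the gateway's own code). It assumes the header value uses the GitHub-style `sha256=<hex>` form, that the masked key shows the first and last four characters, and that the short sha256 is the first eight hex digits; the secret and commit sha are constructed.

```python
import hashlib
import hmac
import json

HEADER = "X-Hub-Signature-256"

def sign_body(secret: bytes, body: bytes) -> str:
    """Header value for the deploy POST ('sha256=' prefix is an assumption)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_body(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver-side check: recompute over the raw bytes, compare in constant time."""
    expected = sign_body(secret, body).encode()
    return hmac.compare_digest(expected, (header_value or "").encode())

def mask(secret: str) -> str:
    """Masked form as shown under Key (assumed: first 4, ****, last 4)."""
    return secret[:4] + "****" + secret[-4:]

def fingerprint(secret: str) -> str:
    """Short hash as shown under Key (assumed: first 8 hex digits).
    Same input bytes as: printf %s "$DEPLOY_WEBHOOK_SECRET" | sha256sum"""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]

def build_request(secret: str, ref: str, after: str):
    """Serialize once, sign those exact bytes, and send those exact bytes."""
    body = json.dumps({"ref": ref, "after": after}, separators=(",", ":")).encode()
    headers = {"Content-Type": "application/json",
               HEADER: sign_body(secret.encode(), body)}
    return body, headers

if __name__ == "__main__":
    secret = "constructed-demo-secret-0000"   # constructed, not a real key
    commit = "0" * 40                         # constructed placeholder sha
    body, headers = build_request(secret, "refs/heads/main", commit)
    print("key check:", mask(secret), "sha256:", fingerprint(secret))
    print(HEADER + ":", headers[HEADER])
    print("verifies:", verify_body(secret.encode(), body, headers[HEADER]))
    # Re-serializing the JSON changes the bytes, so the signature no longer matches.
    reserialized = json.dumps(json.loads(body)).encode()
    print("re-serialized verifies:",
          verify_body(secret.encode(), reserialized, headers[HEADER]))
```

The signature covers the exact bytes on the wire, so sign after serializing and send that same buffer rather than letting an HTTP client re-encode the JSON.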