.gitea/workflows/deploy-node1-runtime.yml

@@ -100,8 +100,11 @@ jobs:
             "${SSH_USER}@${SSH_HOST}" \
             "set -euo pipefail; \
              cd /opt/microdao-daarion; \
+             origin_url=\$(git remote get-url origin 2>/dev/null || true); \
              if [ -n \"\$(git status --porcelain)\" ]; then \
                echo 'WARN: dirty git tree on NODA1; skip checkout/pull and continue with gate'; \
+             elif ! printf '%s' \"\$origin_url\" | grep -Eq 'daarion-admin/microdao-daarion(\\.git)?$'; then \
+               echo \"WARN: origin remote (\$origin_url) is not deploy-safe; skip checkout/pull and continue with gate\"; \
              else \
                git fetch origin; \
                git checkout '${DEPLOY_REF:-main}'; \

docs/ops/deploy_gate.md

@@ -32,6 +32,7 @@ Required repo secrets:
 - `redeploy_runtime=false` only syncs git on NODA1 and runs gate checks.
 - `redeploy_runtime=true` recreates `gateway` and `experience-learner` containers.
 - If NODA1 git tree is dirty, workflow skips checkout/pull and still enforces `phase6_gate` (safe mode for live nodes).
+- If NODA1 `origin` remote is not the expected deploy-safe repo, workflow skips checkout/pull and still enforces `phase6_gate` (prevents accidental downgrade from a stale remote).
 - Workflow uses SSH key validation and `IdentitiesOnly=yes` to avoid host key collisions.
 
 ## Expected PASS