===============================================================
  DEBIAN VPS — Setup paso a paso
===============================================================

REQUISITOS MÍNIMOS DEL VPS
-------------------------
  CPU: 2 cores
  RAM: 4 GB (mínimo, recomendado 8 GB para AI tasks)
  Disco: 30 GB (10 para sistema, 5 para Android SDK,
                10 para histórico de APKs)
  OS: Debian 12 (bookworm)
  Red: IP pública con dominio (si vas a usar webhooks)


PASO 1 — USUARIO Y DIRECTORIOS
------------------------------
  sudo adduser --system --group --home /home/oasis oasis
  sudo mkdir -p /opt/oasis_mobile /opt/scripts /opt/secrets \
                /opt/oasis-base /opt/oasis-webhook \
                /var/oasis-auto/reports /var/oasis-auto/apks \
                /var/www/0asis.net/testing-app
  sudo chown -R oasis:oasis /opt/oasis_mobile /opt/scripts \
                            /var/oasis-auto /var/www/0asis.net


PASO 2 — DEPENDENCIAS BASE
--------------------------
  sudo apt update
  sudo apt install -y \
    git curl wget jq bc \
    python3 python3-pip python3-flask python3-gunicorn \
    openjdk-17-jdk-headless \
    zip unzip cron \
    build-essential


PASO 3 — CADDY (REVERSE PROXY)
------------------------------
  sudo apt install -y debian-keyring debian-archive-keyring \
                      apt-transport-https
  curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | \
    sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
  curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | \
    sudo tee /etc/apt/sources.list.d/caddy-stable.list
  sudo apt update
  sudo apt install -y caddy
  sudo systemctl enable caddy


PASO 4 — ANDROID SDK BUILD-TOOLS
--------------------------------
  cd /tmp
  wget https://dl.google.com/android/repository/commandlinetools-linux-11076708_latest.zip
  sudo mkdir -p /opt/android-sdk/cmdline-tools
  sudo unzip -q commandlinetools-linux-*.zip -d /opt/android-sdk/cmdline-tools
  sudo mv /opt/android-sdk/cmdline-tools/cmdline-tools \
          /opt/android-sdk/cmdline-tools/latest

  sudo yes | /opt/android-sdk/cmdline-tools/latest/bin/sdkmanager --licenses
  sudo /opt/android-sdk/cmdline-tools/latest/bin/sdkmanager \
    "build-tools;35.0.1"

  # Verificar
  /opt/android-sdk/build-tools/35.0.1/apksigner version


PASO 5 — CLAUDE CODE CLI
------------------------
  # Como usuario oasis (no root):
  sudo -u oasis -i
  curl -fsSL https://claude.ai/install.sh | bash

  # Loguearse o usar API key (recomendado para automatización):
  export ANTHROPIC_API_KEY="sk-ant-xxxxx"

  # Test
  claude -p "say hello" --allowed-tools "" \
    --output-format text

  exit  # vuelve a root


PASO 6 — REPO LOCAL
-------------------
  sudo -u oasis git clone <URL del repo oasis_mobile> /opt/oasis_mobile
  cd /opt/oasis_mobile
  sudo -u oasis git remote add upstream https://github.com/epsylon/oasis.git
  sudo -u oasis git fetch upstream

  # Verificar
  sudo -u oasis git log --oneline upstream/main | head -5


PASO 7 — KEYSTORE
-----------------
  # COPIAR el keystore desde tu máquina:
  scp ~/oasis-release-key.jks \
    oasis@your-vps:/opt/secrets/oasis-release-key.jks

  # Permisos restrictivos
  sudo chmod 600 /opt/secrets/oasis-release-key.jks
  sudo chown oasis:oasis /opt/secrets/oasis-release-key.jks

  # Copia también el APK base
  scp ~/oasis-v0.6.8.apk \
    oasis@your-vps:/opt/oasis-base/oasis-v0.6.8.apk


PASO 8 — SCRIPTS Y PROMPTS
--------------------------
  # Copia los scripts de AUTOMATIZACION/09_SCRIPTS.md a:
  /opt/scripts/oasis-scout.sh
  /opt/scripts/oasis-merger.sh
  /opt/scripts/oasis-builder.sh
  /opt/scripts/notify-telegram.sh

  # Copia los prompts de AUTOMATIZACION/08_PROMPTS_para_agentes.md a:
  /opt/scripts/prompts/scout.md
  /opt/scripts/prompts/merger.md
  /opt/scripts/prompts/builder.md

  # Permisos
  sudo chmod +x /opt/scripts/*.sh
  sudo chown -R oasis:oasis /opt/scripts


PASO 9 — TELEGRAM BOT (opcional)
-------------------------------
  # En Telegram: hablar con @BotFather, crear bot, copiar token.
  # Añadir el bot a un canal/grupo donde recibir notificaciones.
  # Obtener chat_id con:
  curl "https://api.telegram.org/bot$TOKEN/getUpdates"

  # Guardar en /opt/secrets/telegram.env:
  TELEGRAM_BOT_TOKEN=123456789:AAxxxx
  TELEGRAM_CHAT_ID=-1001234567890

  sudo chmod 600 /opt/secrets/telegram.env


PASO 10 — CRON
--------------
  sudo cp /opt/scripts/oasis-auto.cron /etc/cron.d/oasis-auto

  # Verificar
  systemctl restart cron
  cat /etc/cron.d/oasis-auto


PASO 11 — WEBHOOK (opcional, para opción D)
-------------------------------------------
  cd /opt/oasis-webhook
  # Copia app.py de 09_SCRIPTS.md

  # Generar secret
  python3 -c "import secrets; print(secrets.token_hex(32))" \
    | sudo tee /opt/secrets/webhook-secret

  # Service
  sudo cp oasis-webhook.service /etc/systemd/system/
  sudo systemctl daemon-reload
  sudo systemctl enable --now oasis-webhook

  # Verificar
  curl http://127.0.0.1:5000/api/health


PASO 12 — DNS Y HTTPS
---------------------
  # En tu DNS provider:
  A   0asis.net   -> IP-DEL-VPS

  # Caddyfile:
  sudo cp Caddyfile /etc/caddy/Caddyfile
  sudo systemctl reload caddy

  # Caddy obtiene certificado Let's Encrypt automáticamente.
  # Verificar:
  curl -I https://0asis.net


PASO 13 — WEBHOOK EN GITHUB
---------------------------
  # En el fork de oasis_mobile en GitHub:
  Settings → Webhooks → Add webhook
    URL: https://0asis.net/api/oasis-release
    Secret: el de /opt/secrets/webhook-secret
    Events: only "Releases"


PASO 14 — TEST INICIAL
----------------------
  # Como oasis user:
  sudo -u oasis -i

  # Forzar scout manualmente
  /opt/scripts/oasis-scout.sh

  # Verificar reporte
  ls /var/oasis-auto/reports/

  # Si OK, esperar al lunes o forzar pipeline completo
  /opt/scripts/oasis-merger.sh && /opt/scripts/oasis-builder.sh


CHECKLIST FINAL
---------------
  [ ] User oasis creado
  [ ] /opt/oasis_mobile con remote upstream
  [ ] /opt/secrets con keystore y permisos 600
  [ ] /opt/oasis-base con oasis-v0.6.8.apk
  [ ] Android SDK build-tools instalado
  [ ] Claude Code instalado con API key
  [ ] Scripts en /opt/scripts/ con permisos
  [ ] Cron /etc/cron.d/oasis-auto configurado
  [ ] Telegram bot (opcional)
  [ ] Caddy + HTTPS para 0asis.net
  [ ] Webhook receiver en systemd (opcional)
  [ ] Webhook en GitHub configurado (opcional)
  [ ] Test inicial OK


MONITORING
----------
  # Logs cron
  tail -f /var/log/syslog | grep CRON

  # Logs de cada agente
  tail -f /var/oasis-auto/reports/*.log

  # Logs Caddy
  journalctl -u caddy -f

  # Logs webhook
  journalctl -u oasis-webhook -f

  # Espacio en disco
  df -h /var/www /opt /var/oasis-auto


PROBLEMAS COMUNES
-----------------

  "claude command not found":
    El PATH del cron no incluye ~/.local/bin
    → en cron usa /home/oasis/.local/bin/claude full path

  "git push falla":
    El user oasis necesita SSH key configurada
    → ssh-keygen -t ed25519 y añadir a tu Gitea/GitHub

  "apksigner: java not found":
    sudo apt install openjdk-17-jdk-headless
    Verifica: java --version

  "permission denied en keystore":
    sudo chown oasis:oasis /opt/secrets/oasis-release-key.jks
    sudo chmod 600 ...