feat: AI판정/OCR/알림톡/소셜로그인/푸시/CODEF 전체 구현 + CI SSH 전환

Backend (server/src):
- services/anthropic.ts — Claude API 래퍼 (키 없으면 룰베이스 fallback)
- services/ocr.ts — Naver Clova + Google Vision 듀얼 연동 + 영수증 필드 파서
- services/solapi.ts — 카카오 알림톡 HMAC 서명 + 드라이런
- services/expoPush.ts — Expo Push API 전송
- services/codef.ts — 보험 통합조회 mock + 실연동 포인트
- routes/ai.ts, ocr.ts, devices.ts, social.ts (naver/apple), alimtalk.ts, codef.ts
- Prisma: PushDevice 모델 + binaryTargets linux-musl-openssl-3.0.x
- Dockerfile: apk add openssl (Prisma schema engine 정상화)
- api-secrets에 9개 외부 API 키 슬롯 추가 (optional)

Frontend:
- api/endpoints.ts: aiApi, ocrApi, deviceApi, socialApi, codefApi
- services/kakao.ts — Kakao JS SDK 동적 로드 + Auth.login
- services/push.ts — expo-notifications 권한/토큰 등록 + 서버 전송
- LoginScreen — 카카오/네이버/애플 버튼 (웹은 토큰 입력 fallback)
- AIJudgeScreen — 실제 /ai/claim-judge 호출, source(llm/rules) 표시
- ClaimScreen — 영수증 촬영 시 자동 OCR → 병원/날짜/제목 자동 기입
- useAuthStore hydrate 시 푸시 토큰 등록

Infra:
- eas.json (development/preview/production 빌드 프로필)
- API_KEYS.md — 9개 외부 서비스 발급/등록 가이드
- scripts/deploy-remote.sh 개선 (sudo 정확히, traefik cp 버그 수정, API fail 시 로그 출력)
- deploy/k8s/api.yaml — 외부 API 키 환경변수 매핑 (optional=true)

CI/CD:
- .gitea/workflows/deploy.yml → SSH 기반으로 전환
  (appleboy/ssh-action으로 서버 접속 → deploy-remote.sh 실행)
- 필요 Secrets: SSH_HOST, SSH_USER, SSH_PASSWORD

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/deploy-remote.sh

@@ -1,13 +1,18 @@
 #!/usr/bin/env bash
 set -e
 export KUBECONFIG=/home/chpark/.kube/config
-SUDO="echo qlalfqjsgh11 | sudo -S"
+SUDO_PASS="${SUDO_PASS:-qlalfqjsgh11}"
+
+sudo_run() {
+  echo "$SUDO_PASS" | sudo -S bash -c "$1"
+}
 
 cd /home/chpark
-if [ -d insurance ]; then
+if [ -d insurance/.git ]; then
   echo "[*] Updating insurance repo"
-  cd insurance && git pull origin master
+  cd insurance && git fetch origin && git reset --hard origin/master
 else
+  rm -rf /home/chpark/insurance 2>/dev/null || true
   echo "[*] Cloning insurance repo"
   git clone https://git.junggomoa.com/chpark/insurance.git
   cd insurance
@@ -29,8 +34,17 @@ docker push localhost:5000/insurance/api:latest
 echo "[*] Applying Kubernetes manifests"
 kubectl apply -f deploy/k8s/namespace.yaml
 
+SECRETS_FILE=/home/chpark/.insurance-secrets
+if [ -f "$SECRETS_FILE" ]; then
+  set -a; source "$SECRETS_FILE"; set +a
+fi
 POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-$(openssl rand -hex 24)}"
 JWT_SECRET="${JWT_SECRET:-$(openssl rand -hex 32)}"
+cat > "$SECRETS_FILE" <<EOF
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+JWT_SECRET=$JWT_SECRET
+EOF
+chmod 600 "$SECRETS_FILE"
 
 kubectl -n insurance create secret generic postgres-credentials \
   --from-literal=username=insurance \
@@ -40,6 +54,16 @@ kubectl -n insurance create secret generic postgres-credentials \
 kubectl -n insurance create secret generic api-secrets \
   --from-literal=jwtSecret="$JWT_SECRET" \
   --from-literal=databaseUrl="postgresql://insurance:${POSTGRES_PASSWORD}@postgres:5432/insurance?schema=public" \
+  --from-literal=anthropicApiKey="${ANTHROPIC_API_KEY:-}" \
+  --from-literal=clovaOcrUrl="${CLOVA_OCR_URL:-}" \
+  --from-literal=clovaOcrSecret="${CLOVA_OCR_SECRET:-}" \
+  --from-literal=gcpVisionApiKey="${GCP_VISION_API_KEY:-}" \
+  --from-literal=solapiApiKey="${SOLAPI_API_KEY:-}" \
+  --from-literal=solapiApiSecret="${SOLAPI_API_SECRET:-}" \
+  --from-literal=solapiPfId="${SOLAPI_PFID:-}" \
+  --from-literal=solapiSenderKey="${SOLAPI_SENDER_KEY:-}" \
+  --from-literal=codefClientId="${CODEF_CLIENT_ID:-}" \
+  --from-literal=codefClientSecret="${CODEF_CLIENT_SECRET:-}" \
   --dry-run=client -o yaml | kubectl apply -f -
 
 kubectl apply -f deploy/k8s/postgres.yaml
@@ -47,7 +71,11 @@ kubectl -n insurance rollout status statefulset/postgres --timeout=180s
 
 kubectl apply -f deploy/k8s/api.yaml
 kubectl -n insurance rollout restart deployment/insurance-api || true
-kubectl -n insurance rollout status deployment/insurance-api --timeout=240s
+if ! kubectl -n insurance rollout status deployment/insurance-api --timeout=300s; then
+  echo "[!] API rollout failed, printing logs"
+  kubectl -n insurance logs -l app.kubernetes.io/name=insurance-api --tail=80 || true
+  kubectl -n insurance describe pod -l app.kubernetes.io/name=insurance-api | tail -30 || true
+fi
 
 kubectl apply -f deploy/k8s/deployment.yaml
 kubectl apply -f deploy/k8s/service.yaml
@@ -55,19 +83,16 @@ kubectl -n insurance rollout restart deployment/insurance-web || true
 kubectl -n insurance rollout status deployment/insurance-web --timeout=180s
 
 echo "[*] Installing Traefik dynamic routing"
-eval "$SUDO cp deploy/traefik-dynamic.yml /opt/docker/traefik/dynamic/insurance.yml"
-eval "$SUDO chmod 644 /opt/docker/traefik/dynamic/insurance.yml"
-
-echo "[*] Saving secrets for reuse"
-cat > /home/chpark/.insurance-secrets <<EOF
-POSTGRES_PASSWORD=$POSTGRES_PASSWORD
-JWT_SECRET=$JWT_SECRET
-EOF
-chmod 600 /home/chpark/.insurance-secrets
+sudo_run "cp /home/chpark/insurance/deploy/traefik-dynamic.yml /opt/docker/traefik/dynamic/insurance.yml && chmod 644 /opt/docker/traefik/dynamic/insurance.yml && ls -la /opt/docker/traefik/dynamic/insurance.yml"
 
 echo ""
 echo "===== DEPLOY STATUS ====="
 kubectl -n insurance get pods,svc
 echo ""
+echo "--- NodePort health check ---"
+sleep 5
+curl -fsS http://127.0.0.1:30200/health 2>&1 | head -3 || echo "[!] web 30200 not ready"
+curl -fsS http://127.0.0.1:30201/health 2>&1 | head -3 || echo "[!] api 30201 not ready"
+echo ""
 echo "🚀 Web: https://insurance.junggomoa.com"
 echo "🔌 API: https://api.insurance.junggomoa.com"