fix(ci): resolve 3 Gitea Actions pipeline failures
Some checks failed
CI / validate (push) Failing after 19s
CI / deploy (push) Has been skipped
CI / ruff (push) Successful in 8s
CI / pytest (push) Successful in 34m16s
CI / dependency-scanning (push) Successful in 28s
CI / docs (push) Has been skipped

- Remove upload-artifact step (unsupported on Gitea GHES)
- Replace architecture+audit jobs with unified validate job running validate_all.py
- Update docs: DEPLOY_HOST must be 172.17.0.1 (Docker bridge), not 127.0.0.1
- Add ufw rule for Docker bridge network SSH access

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 21:39:50 +01:00
parent 3c2b559282
commit 488d5a6f0e
3 changed files with 27 additions and 45 deletions


@@ -192,7 +192,7 @@ The workflow file lives in `.gitea/workflows/ci.yml` (already created in this re
| `services:` (top-level on job) | `services:` nested under each job with `options:` |
| `allow_failure: true` | `continue-on-error: true` |
| `rules: - if:` | `on:` triggers + `if:` conditionals per job |
| `artifacts: paths:` | `actions/upload-artifact@v4` |
| `artifacts: paths:` | `actions/upload-artifact@v4` (not supported on Gitea GHES) |
| `cache: paths:` | `actions/cache@v4` |
| `coverage: '/regex/'` | Use coverage action or parse in step |
| CI/CD Variables (UI) | Repository **Settings > Secrets** |
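Review bot: The replacement row for `artifacts: paths:` now says the upload-artifact action is "not supported on Gitea GHES", but GHES is the GitHub Enterprise Server product name and the table is a GitLab-to-Gitea mapping, so the qualifier should name the Gitea runner instead (e.g. "not supported on this Gitea Actions runner"). Since the commit message says the upload-artifact step was removed rather than replaced, the row should also say what a reader should do instead (keep outputs in the job log, or commit/publish them another way), otherwise the mapping table points at an action the workflow no longer uses.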
@@ -206,10 +206,13 @@ Configure these in your Gitea repository under **Settings > Actions > Secrets**:
| Secret | Description | Used by |
|--------|-------------|---------|
| `DEPLOY_SSH_KEY` | Ed25519 private key for deployment | Deploy job |
| `DEPLOY_HOST` | Production server IP (e.g. `127.0.0.1`) | Deploy job |
| `DEPLOY_HOST` | Docker bridge gateway IP: `172.17.0.1` (see note below) | Deploy job |
| `DEPLOY_USER` | SSH user on production server (e.g. `samir`) | Deploy job |
| `DEPLOY_PATH` | App directory on server (e.g. `/home/samir/apps/orion`) | Deploy job |
!!! important "DEPLOY_HOST must be `172.17.0.1`, not `127.0.0.1`"
The Gitea Actions runner executes CI jobs inside Docker containers. From inside the container, `127.0.0.1` refers to the container itself, not the host machine. Use `172.17.0.1` (the Docker bridge gateway) so the SSH action can reach the host's SSH daemon. When Gitea and Orion are split onto separate servers, update this to the Orion server's real IP.
---
## 8. Pipeline Overview
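Review bot: The new admonition explains why `DEPLOY_HOST` must be `172.17.0.1`, but it should also state how the host key of that address is verified, because the SSH action is now connecting to the host's sshd from inside a container by bridge IP and a `known_hosts` entry keyed by the server's hostname will not match; the doc should tell the reader to record the host key fingerprint for `172.17.0.1` (and to update it when the IP changes, as the last sentence anticipates). Since `DEPLOY_SSH_KEY` is a private key that a CI job can read, the `DEPLOY_USER` row is also the right place to recommend that the matching `authorized_keys` entry be restricted with `from=172.17.0.0/16` and a `command=` wrapper so a leaked key can only run the deploy from the bridge network.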
@@ -220,14 +223,13 @@ The CI pipeline (`.gitea/workflows/ci.yml`) runs:
push/PR to master
├── ruff (lint)
├── pytest (tests + PostgreSQL service)
├── architecture (architecture validation)
├── validate (all 4 validators: architecture, security, performance, audit)
├── dependency-scanning (pip-audit, non-blocking)
├── audit (custom audit, non-blocking)
── docs (mkdocs build, master-only, after lint+test pass)
└── deploy (SSH deploy, master-only, after lint+test+arch pass)
├── docs (mkdocs build, master-only, after lint+test+validate pass)
── deploy (SSH deploy, master-only, after lint+test+validate pass)
```
All jobs run in parallel except `docs` and `deploy`, which wait for `ruff`, `pytest`, and `architecture` to pass. The `deploy` job only runs on push (not PRs).
All jobs run in parallel except `docs` and `deploy`, which wait for `ruff`, `pytest`, and `validate` to pass. The `deploy` job only runs on push (not PRs).
---
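Review bot: Folding `audit (custom audit, non-blocking)` into `validate` silently changes it from an advisory check into a hard gate: `docs` and `deploy` now wait for `validate`, and `validate` includes the audit validator, so an audit finding now blocks deployment where it previously did not. The overview should say so explicitly (and, if the old non-blocking behaviour is still wanted, `validate_all.py` needs a way to report audit findings without a non-zero exit). Separately, the `docs` and `deploy` lines in the tree have lost their `└──`/`├──` connectors in the rendered diff, so check that the fenced block in the file still renders correctly.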
@@ -239,7 +241,7 @@ The CI pipeline includes an automated deploy job that runs on every successful p
deploy:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
needs: [ruff, pytest, architecture]
needs: [ruff, pytest, validate]
steps:
- name: Deploy to production
uses: appleboy/ssh-action@v1
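Review bot: The `needs:` change is consistent with the new job list, but while this block is being edited, `uses: appleboy/ssh-action@v1` should be pinned to a full commit SHA rather than a floating major tag: this third-party action receives `DEPLOY_SSH_KEY`, the credential that can log into the production host, so a compromised or retagged `v1` would hand that key to whoever controls the tag. Pinning the SHA (with the version in a trailing comment) keeps the deploy step's code fixed until it is deliberately updated.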
@@ -270,6 +272,8 @@ See [Hetzner Server Setup — Step 16](hetzner-server-setup.md#step-16-continuou
```bash
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
# Allow CI containers (Docker bridge) to SSH to the host for deployment
sudo ufw allow from 172.17.0.0/16 to any port 22
sudo ufw enable
```
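Review bot: `sudo ufw allow from 172.17.0.0/16 to any port 22` opens SSH to the entire default Docker bridge, i.e. to every container on the host (the PostgreSQL service container, anything else started by the runner or by other Compose projects), not just the CI job. The narrower fix is to run the runner's jobs on a dedicated Docker network and allow only that subnet, or at minimum to add `proto tcp` and pair the rule with an sshd `Match Address 172.17.0.0/16` block that restricts that source to the deploy user and key-only authentication, so the bridge rule cannot become a route for an arbitrary container to brute-force or reuse credentials against the host.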