chore: enforce PAT-only git sync workflow and ignore local credentials

DEPLOYMENT.md

@@ -96,3 +96,34 @@ Then confirm:
 - Use a dedicated Proxmox API user/token with least privileges.
 - Keep backend bound to localhost (`127.0.0.1`) and expose only frontend port.
 - Enable off-host backups for DB and app config.
+
+## 5) PAT-Only Git Update Workflow (No Password Auth)
+
+Use Personal Access Token (PAT) authentication only. Do not use account passwords for Git pull/push.
+
+### A. Create PAT (Git server)
+1. Sign in to your Git server user settings.
+2. Create a PAT with minimum required scopes (`repo:read` for pull; add write only if needed).
+3. Save it securely (password manager/secret vault).
+
+### B. Update app on server with PAT (no credential persistence)
+Run this on the server:
+
+```bash
+cd /opt/proxpanel
+chmod +x infra/deploy/git-pat-sync.sh
+export GIT_USERNAME="your_git_username"
+export GIT_PAT="your_personal_access_token"
+bash infra/deploy/git-pat-sync.sh \
+  --repo-dir /opt/proxpanel \
+  --branch main \
+  --repo-url https://git.votcloud.com/austindebest/proxpanel.git
+unset GIT_PAT
+```
+
+Then deploy:
+
+```bash
+cd /opt/proxpanel
+docker compose --env-file .env.production -f infra/deploy/docker-compose.production.yml up -d --build
+```