docs: update runbook — sshpass for EC2 SSH, no key decryption needed

Replace openssl pkey decryption with direct sshpass passphrase handling.
Use original key file directly. Added VPN note.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/developer-operations-runbook.md

@@ -36,38 +36,35 @@ Docker Compose stack (EC2 — 13.234.31.194):
 ## EC2 Access
 
 ```bash
-# SSH into EC2
-ssh -i /tmp/ramaiah-ec2-key -o StrictHostKeyChecking=no ubuntu@13.234.31.194
+# SSH into EC2 (key passphrase handled by sshpass)
+SSHPASS='SasiSuman@2007' sshpass -P "Enter passphrase" -e \
+  ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no ubuntu@13.234.31.194
 ```
 
 | Detail | Value |
 |---|---|
 | Host | `13.234.31.194` |
 | User | `ubuntu` |
-| SSH key | `/tmp/ramaiah-ec2-key` (decrypted from `~/Downloads/fortytwoai_hostinger`) |
+| SSH key | `~/Downloads/fortytwoai_hostinger` (passphrase-protected) |
+| Passphrase | `SasiSuman@2007` |
 | Docker compose dir | `/opt/fortytwo` |
 | Frontend static files | `/opt/fortytwo/helix-engage-frontend` |
 | Caddyfile | `/opt/fortytwo/Caddyfile` |
 
-### SSH Key Setup
+### SSH Helper
 
-The key at `~/Downloads/fortytwoai_hostinger` is passphrase-protected (`SasiSuman@2007`).
-Create a decrypted copy for non-interactive use:
+The key is passphrase-protected. Use `sshpass` to supply the passphrase non-interactively.
+No need to decrypt or copy the key — use the original file directly.
 
 ```bash
-# One-time setup
-openssl pkey -in ~/Downloads/fortytwoai_hostinger -out /tmp/ramaiah-ec2-key
-chmod 600 /tmp/ramaiah-ec2-key
+# SSH shorthand
+EC2_SSH="SSHPASS='SasiSuman@2007' sshpass -P 'Enter passphrase' -e ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no ubuntu@13.234.31.194"
 
 # Verify
-ssh -i /tmp/ramaiah-ec2-key ubuntu@13.234.31.194 hostname
+eval $EC2_SSH hostname
 ```
 
-### Handy alias
-
-```bash
-alias ec2="ssh -i /tmp/ramaiah-ec2-key -o StrictHostKeyChecking=no ubuntu@13.234.31.194"
-```
+> **Note:** VPN may block port 22 to AWS. Disconnect VPN before SSH.
 
 ---
 
@@ -155,29 +152,34 @@ REDIS_URL=redis://localhost:6379
 ### Frontend
 
 ```bash
+# Helper — reuse in all commands below
+EC2="SSHPASS='SasiSuman@2007' sshpass -P 'Enter passphrase' -e ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no ubuntu@13.234.31.194"
+EC2_RSYNC="SSHPASS='SasiSuman@2007' sshpass -P 'Enter passphrase' -e ssh -i ~/Downloads/fortytwoai_hostinger -o StrictHostKeyChecking=no"
+
 cd helix-engage && npm run build
 
-rsync -avz -e "ssh -i /tmp/ramaiah-ec2-key -o StrictHostKeyChecking=no" \
+rsync -avz -e "$EC2_RSYNC" \
   dist/ ubuntu@13.234.31.194:/opt/fortytwo/helix-engage-frontend/
 
-ssh -i /tmp/ramaiah-ec2-key ubuntu@13.234.31.194 \
-  "cd /opt/fortytwo && sudo docker compose restart caddy"
+eval $EC2 "cd /opt/fortytwo && sudo docker compose restart caddy"
 ```
 
-### Sidecar (quick — code only, no new dependencies)
+### Sidecar
 
 ```bash
 cd helix-engage-server
 
+# 1. Login to ECR
 aws ecr get-login-password --region ap-south-1 | \
   docker login --username AWS --password-stdin 043728036361.dkr.ecr.ap-south-1.amazonaws.com
 
+# 2. Build and push Docker image
 docker buildx build --platform linux/amd64 \
   -t 043728036361.dkr.ecr.ap-south-1.amazonaws.com/fortytwo-eap/helix-engage-sidecar:alpha \
   --push .
 
-ssh -i /tmp/ramaiah-ec2-key ubuntu@13.234.31.194 \
-  "cd /opt/fortytwo && sudo docker compose pull sidecar-ramaiah sidecar-global && sudo docker compose up -d sidecar-ramaiah sidecar-global"
+# 3. Pull and restart on EC2
+eval $EC2 "cd /opt/fortytwo && sudo docker compose pull sidecar-ramaiah sidecar-global && sudo docker compose up -d sidecar-ramaiah sidecar-global"
 ```
 
 ### How to decide