docs(deploy): replace mewsfeed-config with generic joining-service-config example

deploy/DEPLOYMENT.md

@@ -141,16 +141,30 @@ existing seed.
 
 ## Deploy the Joining Service
 
+Copy and fill in `deploy/joining-service-config.example.json` for your hApp:
+
 ```bash
-source deploy/.env.acme-staging
-hdeploy deploy-joining-service --deployment acme-staging \
-  --tofu-dir deploy/tofu \
-  --joining-service-dir ../joining-service
+cp deploy/joining-service-config.example.json deploy/acme-mewsfeed-joining-config.json
+$EDITOR deploy/acme-mewsfeed-joining-config.json
 ```
 
-This deploys the joining service Worker via wrangler and writes
-`linker_registrations` to the sessions KV namespace. Safe to re-run after
-infrastructure changes that affect linker URLs.
+The config needs at minimum: `happ.id`, `happ.name`, `happ.happ_bundle_url`, and
+`auth_methods`. See `joining-service-config.example.json` for membrane proof and
+invite code variants.
+
+`network_seed` and `linker_registrations` are injected automatically — do not set
+them in the config file.
+
+```bash
+source deploy/.env.acme-mewsfeed-staging
+hdeploy deploy-joining-service -d acme-mewsfeed-staging \
+  --joining-service-dir ../joining-service \
+  --joining-config deploy/acme-mewsfeed-joining-config.json
+```
+
+This deploys the joining service Worker via wrangler and writes `joining_config`
+(including the network seed from deployment KV and linker URLs from tofu outputs)
+to the sessions KV namespace. Safe to re-run after infrastructure changes.
 
 ---
 
@@ -220,10 +234,10 @@ harvester_image = "ghcr.io/holo-host/edgenode-harvester:v1.2.3"
 ### Joining service update
 
 ```bash
-source deploy/.env.acme-staging
-hdeploy deploy-joining-service --deployment acme-staging \
-  --tofu-dir deploy/tofu \
-  --joining-service-dir ../joining-service
+source deploy/.env.acme-mewsfeed-staging
+hdeploy deploy-joining-service -d acme-mewsfeed-staging \
+  --joining-service-dir ../joining-service \
+  --joining-config deploy/acme-mewsfeed-joining-config.json
 ```
 
 ### Staging → production
@@ -239,9 +253,9 @@ hdeploy provision --deployment acme-prod \
   --tofu-dir deploy/tofu \
   --log-collector-src docker/log-collector
 hdeploy init-deployment --deployment acme-prod --tofu-dir deploy/tofu
-hdeploy deploy-joining-service --deployment acme-prod \
-  --tofu-dir deploy/tofu \
-  --joining-service-dir ../joining-service
+hdeploy deploy-joining-service -d acme-mewsfeed-prod \
+  --joining-service-dir ../joining-service \
+  --joining-config deploy/acme-mewsfeed-joining-config.json
 hdeploy bootstrap-harvester --deployment acme-prod \
   --tofu-dir deploy/tofu \
   --bootstrap-image ghcr.io/holo-host/bootstrap:latest

deploy/joining-service-config.example.json

@@ -0,0 +1,40 @@
+{
+  "_comment": "Joining service config passed to: hdeploy deploy-joining-service -d <deployment> --joining-config <this-file>. Copy, rename, and fill in values for your hApp. network_seed and linker_registrations are injected automatically by hdeploy — do not set them here.",
+
+  "happ": {
+    "id": "mewsfeed",
+    "name": "Mewsfeed",
+    "happ_bundle_url": "https://github.com/GeekGene/mewsfeed/releases/download/v0.14.0/mewsfeed.webhapp"
+  },
+
+  "auth_methods": ["open"],
+
+  "_auth_method_variants": {
+    "_comment": "Replace auth_methods above with one of these for non-open deployments.",
+    "invite_code_only":               ["invite_code"],
+    "membrane_proof_only":            ["membrane_proof"],
+    "invite_code_or_membrane_proof":  [{ "any_of": ["invite_code", "membrane_proof"] }]
+  },
+
+  "_membrane_proof": {
+    "_comment": "Required when auth_methods includes 'membrane_proof'. The signing key is generated once via: cd ../joining-service && npm run gen-signing-key. Its derived public key must be baked into the DNA properties as the progenitor before the hApp bundle is compiled — see ../joining-service/DEPLOYMENT.md.",
+    "enabled": true,
+    "signing_key_path": "/path/to/signing-key.hex"
+  },
+
+  "_dna_hashes": {
+    "_comment": "Required when membrane_proof.enabled is true. Base64-encoded DNA hashes the signing key is authorised to sign membrane proofs for.",
+    "example": ["uhCkk..."]
+  },
+
+  "_invite_codes": {
+    "_comment": "Invite codes are NOT stored here. They are stored in deployment KV via the INVITE_CODES env var and read by the joining service Worker at runtime."
+  },
+
+  "_network": {
+    "_comment": "Optional. Exposes bootstrap and relay URLs in /v1/info. Off by default — enabling increases DDoS surface area for the listed services.",
+    "bootstrap_url": "",
+    "relay_url": "",
+    "reveal_in_info": false
+  }
+}