diff --git a/.woodpecker/build.yml b/.woodpecker/build.yml
index 3ebda9b..87fc7cd 100644
--- a/.woodpecker/build.yml
+++ b/.woodpecker/build.yml
@@ -1,23 +1,21 @@
-# UNT (NOVA) Pipeline
+# UNT (NOVA) — Build Workflow
 #
-# Two stages:
-# build-* → runs on dev-side agent (label: location=local) to avoid server OOM
-# pushes to the registry over WireGuard (10.8.0.1:5000 — plain HTTP,
-# trusted because of the WG perimeter)
-# deploy → runs on server-side agent (label: location=server)
-# pulls via the public HTTPS path (same registry, different edge)
-# and runs docker compose on the host daemon
+# Runs on the dev-side agent (label: location=local) to avoid server OOM.
+# Pushes images to the registry over WireGuard (10.8.0.1:5000, plain HTTP,
+# trusted because of the WG perimeter).
 #
-# Trigger: manual only. See ppl/def/ci-cd/local-agent-rollout.md.
+# Triggered together with deploy.yml; deploy depends on this one.
+# See ppl/def/ci-cd/local-agent-rollout.md for the full flow.
 
 when:
 - event: manual
 
+labels:
+ location: local
+
 steps:
 - name: build-api
 image: plugins/docker
- labels:
- location: local
 settings:
 repo: 10.8.0.1:5000/unt/api
 registry: 10.8.0.1:5000
@@ -30,8 +28,6 @@ steps:
 
 - name: build-ui
 image: plugins/docker
- labels:
- location: local
 settings:
 repo: 10.8.0.1:5000/unt/ui
 registry: 10.8.0.1:5000
@@ -41,21 +37,3 @@ steps:
 - ${CI_COMMIT_SHA:0:7}
 dockerfile: ctrl/Dockerfile.ui
 context: .
- - name: deploy
- image: docker:24-cli
- labels:
- location: server
- depends_on:
- - build-api
- - build-ui
- commands:
- - cd /edge
- - docker compose pull
- - docker compose up -d --remove-orphans
- - docker image prune -f
- - docker compose ps
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- # read-only so the deploy step structurally cannot stomp on .env
- - /home/mariano/unt/ctrl/edge:/edge:ro
diff --git a/.woodpecker/deploy.yml b/.woodpecker/deploy.yml
new file mode 100644
index 0000000..896639b
--- /dev/null
+++ b/.woodpecker/deploy.yml
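Review bot: The new header comment says deploy.yml depends on this workflow but does not say what ties the two together; as far as I can tell Woodpecker resolves `depends_on` by workflow file name, so the `- build` in deploy.yml is the bare name of this file and renaming it silently breaks the ordering without an error in either file. I would add after the `# See ppl/def/ci-cd/local-agent-rollout.md ...` line: `# deploy.yml names this workflow by file name ("build") in its depends_on; rename both together.` The header also documents the 10.8.0.1:5000 registry as plain HTTP trusted by the WireGuard perimeter, but the push settings for that registry continue past the end of the hunk, so whether the plugin is configured to treat it as insecure cannot be checked here. The build-api step's settings block runs past the last line of the hunk.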
@@ -0,0 +1,30 @@ +# UNT (NOVA) — Deploy Workflow +# +# Runs on the server-side agent (label: location=server). +# Depends on build.yml completing — pulls the just-pushed images via the +# public HTTPS path and runs docker compose on the host daemon. +# +# The edge compose dir is mounted read-only so we structurally cannot stomp +# the server's .env (see ppl/def/ci-cd/auth-tiers.md context). + +when: + - event: manual + +labels: + location: server + +depends_on: + - build + +steps: + - name: deploy + image: docker:24-cli + commands: + - cd /edge + - docker compose pull + - docker compose up -d --remove-orphans + - docker image prune -f + - docker compose ps + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /home/mariano/unt/ctrl/edge:/edge:ro
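Review bot: The deploy step mounts the host's `/var/run/docker.sock`, so whatever runs inside `docker:24-cli` has root-equivalent control of the server daemon, yet that tool image is referenced by a floating tag; pinning it by digest, `image: docker:24-cli@sha256:<DIGEST-PLACEHOLDER>`, limits what a registry-side tag move can put in front of the socket. The header claims `docker compose pull` fetches "the just-pushed images", but the compose file under /edge is not on the page; if it references a floating tag rather than the `${CI_COMMIT_SHA:0:7}` tag the build workflow pushes, two manual runs for different commits can deploy an image other than the one `build` just produced, and the header should state which tag compose resolves. The old inline `# read-only so the deploy step structurally cannot stomp on .env` next to the `/edge:ro` volume was dropped in favour of the header paragraph; keeping a one-line pointer at the volume entry would help a reader who lands on the `volumes:` block first.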