docs(deploy): document Tailscale Funnel as an alternative HTTPS exposure

[cmeans-claude-dev]

Summary

Self-hosters behind CGNAT, on rotating residential IPs, or who'd rather not expose a home IP in public DNS have been left without a documented path in deploy/. Tailscale Funnel is a clean fit: routes inbound public-internet traffic through Tailscale's relay to a localhost port, with HTTPS terminated by Tailscale, on the free Personal plan.

Adds a new ## Alternative HTTPS exposure: Tailscale Funnel section to deploy/README.md, positioned after the three runtime approaches (systemd / Docker / Compose) and before ## Required environment. The section is orthogonal to runtime choice — Funnel just swaps in for Caddy + Let's Encrypt + DDNS + the router port-forward, regardless of whether the collector runs as a systemd timer, host-cron'd Docker, or Compose run-once. A short cross-reference paragraph after the Pick an approach table points readers at it so it's discoverable without reading the whole doc end-to-end.

Trade-offs documented:

• URL is <device>.<tailnet>.ts.net on the free plan, locked to the tailnet (custom domains require a paid plan).
• Funnel's public-facing HTTPS port must be 443, 8443, or 10000; the local service can listen on any port.
• Non-configurable bandwidth limits (Tailscale doesn't publish exact figures). For a once-per-day JSON cached at shields.io's CDN this is a non-issue.
• One more daemon to keep updated. End-to-end encrypted relay; home IP stays hidden from clients.

Setup walked end-to-end:

Five-command path against the bare-systemd runtime — tailscale up, systemd-run'd python3 -m http.server bound to 127.0.0.1:8443, a single tailscale funnel --bg, URL discovery via tailscale funnel status, and a curl -sI smoke-check. Tear-down is two commands. Includes the URL-encoded shields.io endpoint snippet for the README badge update.

CHANGELOG entry under [Unreleased] / Added describes the new section, the trade-offs, and the orthogonality to runtime choice.

No code change; deploy/README.md + CHANGELOG.md only.

Test plan

• deploy/README.md renders correctly on the GitHub blob view (anchor link from the Pick-an-approach paragraph resolves).
• All four external links resolve: tailscale.com/kb/1223/funnel, tailscale.com/install.sh, the embedded shields.io endpoint URL, the embedded PyPI project URL.
• pypi-winnow-downloads-status and project:pypi-winnow-downloads awareness entries are unaffected (no in-tree code touched, no behavior change).
• Spot-check the section's commands against a real Tailscale install (optional, but: tailscale up, tailscale funnel --bg http://127.0.0.1:8443, tailscale funnel status should all be valid against current Tailscale CLI).
• Verify cross-reference anchor — the Pick-an-approach link #alternative-https-exposure-tailscale-funnel matches the auto-generated GitHub anchor for the heading.
• Confirm no drift: deploy/caddy/Caddyfile.example, deploy/systemd/*.service, and the existing systemd / Docker / Compose sections are unchanged — Funnel is additive, not a replacement.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans-claude-dev]

Closing — CreateEvent leak under v1 bot-push design (first push of docs/tailscale-funnel-deployment was attributed to cmeans instead of the bot). Force-push does not fix this — CreateEvent actor is immutable.

Replaced by #22 with the v2 bot-push design active (CreateEvent now attributes to cmeans-claude-dev[bot]). Same commit cherry-picked; branch contents identical.

Background: cmeans/claude-dev#4 deployed v2.