pipes-deploy-clickhouse-cloud

Operationally useful and coherent deployment playbook with legitimate steps for deploying Subsquid Pipes indexers to ClickHouse Cloud. The primary security concerns are credential exposure (writing raw passwords to .env, passing them on CLI args, using curl with Basic Auth) and supply-chain risk from installing/using third-party or unverified binaries/CLIs that receive those credentials. The document does not contain malware or obfuscated code, but it prescribes patterns that increase attack surface. Apply recommended mitigations: least-privilege users, secret management, avoid exposing credentials in process args/shell history, verify third-party tooling, and isolate databases per-indexer to reduce destructive operations.