diff --git a/doc/deploy.md b/doc/deploy.md
new file mode 100644
index 0000000..5fac4b0
--- /dev/null
+++ b/doc/deploy.md
@@ -0,0 +1,96 @@
+# Tori 部署指南
+
+## 架构
+
+- **编译方式**: Rust musl 静态链接 (`aarch64-unknown-linux-musl`)
+- **部署位置**: OCI (Oracle Cloud Infrastructure), ARM64 aarch64
+- **域名**: https://tori.oci.euphon.net
+- **K8s**: k3s 单节点, traefik ingress, Let's Encrypt TLS
+- **镜像仓库**: registry.oci.euphon.net/tori
+
+## 前置条件 (OCI 机器上)
+
+```bash
+# Rust 工具链 + musl target
+rustup target add aarch64-unknown-linux-musl
+sudo apt-get install musl-tools
+
+# Docker, kubectl (k3s 自带)
+```
+
+## 编译
+
+在 OCI 上原生编译，避免交叉编译的复杂性:
+
+```bash
+ssh oci
+cd ~/src/tori
+cargo build --release --target aarch64-unknown-linux-musl
+```
+
+产出为静态链接的 ELF binary，可直接在 alpine 容器中运行。
+
+## 部署流程
+
+从本地执行:
+
+```bash
+scripts/deploy.sh
+```
+
+脚本做的事:
+1. rsync `config.yaml` 到 OCI (含 API key，不进 git)
+2. git push + OCI 上 git pull
+3. docker build (仅 COPY 预编译 binary + 前端 dist，秒级完成)
+4. docker push 到 registry.oci.euphon.net
+5. kubectl apply + rollout restart
+
+## 手动部署
+
+```bash
+# 1. 同步代码和配置
+rsync -az config.yaml oci:~/src/tori/
+ssh oci "cd ~/src/tori && git pull"
+
+# 2. 编译 (如有代码变更)
+ssh oci "cd ~/src/tori && . ~/.cargo/env && cargo build --release --target aarch64-unknown-linux-musl"
+
+# 3. 构建镜像
+ssh oci "cd ~/src/tori && docker build -t registry.oci.euphon.net/tori:latest . && docker push registry.oci.euphon.net/tori:latest"
+
+# 4. 部署
+ssh oci "kubectl apply -f ~/src/tori/deploy/ && kubectl rollout restart deployment/tori -n tori"
+```
+
+## K8s 资源
+
+- **Namespace**: tori
+- **Deployment**: tori (1 replica, imagePullSecrets: regcred)
+- **Service**: tori (ClusterIP, port 80 → 3000)
+- **Ingress**: traefik, TLS via Let's Encrypt (`le` certresolver)
+- **PVC**: tori-data (1Gi, local-path)
+
+## 配置
+
+`config.yaml` 直接 COPY 进 Docker 镜像 (不用 ConfigMap/Secret):
+
+```yaml
+llm:
+  base_url: "https://router.requesty.ai/v1"
+  api_key: "..."
+  model: "bedrock/claude-sonnet-4-6@eu-west-1"
+
+server:
+  host: "0.0.0.0"
+  port: 3000
+
+database:
+  path: "tori.db"
+```
+
+## 查看状态
+
+```bash
+ssh oci "kubectl get pods -n tori"
+ssh oci "kubectl logs -n tori deploy/tori"
+```