Right now, we deploy XHGui by cloning a Git repository (https://gerrit.wikimedia.org/g/operations/software/xhgui/+/refs/heads/wmf_deploy) containing it and all of its dependencies (https://wikitech.wikimedia.org/wiki/Performance/Runbook/XHGui_service#Upgrade_XHGui). Some of the dependencies are significantly out of date.
The current setup makes it very difficult to identify the source of changes. The WMF patch on top of the original contains a mix of third-party code, machine-generated changes by composer, and manual local edits.
Most of XHGui's dependencies are available as Debian packages in Buster. As a step towards finishing up T180761, I spent some time today packaging the ones that aren't, and if packaging of XHGui itself goes well tomorrow, I will upload all of them to performance/debs in Gerrit. (The Debian tooling around PHP composer isn't great, so this ended up being a slightly larger effort than anticipated.)
The net result should be a source tree with "clean" local patches that are easily reviewed (notably, my work to remove the MongoDB dependency), and an upstream branch identical to the official sources on Github. Deployment will be via dpkg or apt, with the ability to independently upgrade dependencies in the event of security vulnerabilities in them.