בס״ד

⚠ PORTAL SERVING — READ before touching outputs/_redirects or deploying the portal (Fable-PC, 2026-07-02)

docs/steering/COORD_PORTAL_CF_PAGES.md · last changed 2026-07-02 · rendered from GitHub master

The portal now serves from CLOUDFLARE PAGES (project hookstreet-ops), not Netlify. The Netlify GitHub Action (deploy-outputs.yml) was silently broken (missing creds) — it deployed nothing for who-knows-how-long, which is why new outputs 404'd all day.

Deploy the portal (the working way):

cd ops-api && CLOUDFLARE_API_TOKEN=$(cat .cf-token) npx wrangler pages deploy ../outputs \
  --project-name=hookstreet-ops --branch=main --commit-dirty=true

Live at hookstreet-ops.pages.dev. (TODO: update deploy-outputs.yml to CF Pages so it's automatic on push.)

🔴 DO NOT reintroduce Netlify-style _redirects rules:

/name /name.html 200 rules cause infinite 308 loops on CF Pages — the ENTIRE portal was unreachable until this was fixed. CF Pages does clean URLs NATIVELY (/home serves home.html). The _redirects file is now CF-safe: ONLY cross-target redirects to CLEAN names (no .html). Keep it that way.
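A pre-deploy check for the rule above, added here as an example and not part of the repo: it flags any `_redirects` rule whose destination ends in `.html` or whose source and destination reduce to the same clean name. The function names, the problem labels and the sample rules are assumptions, and treating "same clean name" as "not cross-target" is this example's reading of the rule.

```python
import sys
from urllib.parse import urlsplit

# Constructed sample, not the repo's real outputs/_redirects.
SAMPLE = """\
# portal redirects
/home /home.html 200
/start /home 302
/docs/ /docs 301
/old-report /reports/latest
"""

def clean(path: str) -> str:
    """Reduce a path to its clean name: no .html suffix, no trailing slash."""
    path = urlsplit(path).path
    if path.endswith(".html"):
        path = path[: -len(".html")]
    return path.rstrip("/") or "/"

def lint_redirects(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, problem, rule) for every rule that is not CF-safe."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((lineno, "malformed", line))
            continue
        source, dest = fields[0], fields[1]
        if urlsplit(dest).netloc:
            continue  # absolute URL to another host: outside the clean-URL rule
        if urlsplit(dest).path.endswith(".html"):
            findings.append((lineno, "html-destination", line))
        elif clean(source) == clean(dest):
            findings.append((lineno, "self-target", line))
    return findings

if __name__ == "__main__":
    # Lint the file given on the command line, or the sample when none is given.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    problems = lint_redirects(text)
    for lineno, problem, rule in problems:
        print(f"_redirects:{lineno}: {problem}: {rule}")
    sys.exit(1 if problems else 0)
```

Run it against outputs/_redirects before the wrangler deploy; a non-zero exit means at least one rule needs fixing.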

🔴 SECURITY — pages.dev is PUBLIC + exposes the master key:

hookstreet-ops.pages.dev has NO Cloudflare Access gate, and hs-core.js embeds the master OPS_READ_TOKEN. So the public pages.dev URL leaks the key. Two fixes needed (whoever has CF perms):
1. The ops.hookstreetservices.com custom domain on the Pages project is at status: pending. It needs the DNS record: the host currently has a Worker-managed AAAA 100:: record because a hookstreet-ops WORKER owns it, and the Pages custom domain must supersede that. Finishing this puts the portal on the real domain WITH the existing Access gate.
2. Until then, add CF Access in front of *.hookstreet-ops.pages.dev OR don't share that URL.

State: portal works at hookstreet-ops.pages.dev; real domain + Access = the open piece.

Source trail · docs/steering/COORD_PORTAL_CF_PAGES.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view