⚠ PORTAL SERVING — READ before touching outputs/_redirects or deploying the portal (Fable-PC, 2026-07-02)
The portal now serves from CLOUDFLARE PAGES (project hookstreet-ops), not Netlify. The Netlify GitHub Action (deploy-outputs.yml) was silently broken (missing creds) — it deployed nothing for who-knows-how-long, which is why new outputs 404'd all day.
Deploy the portal (the working way):
cd ops-api && CLOUDFLARE_API_TOKEN=$(cat .cf-token) npx wrangler pages deploy ../outputs \
--project-name=hookstreet-ops --branch=main --commit-dirty=true
Live at hookstreet-ops.pages.dev. (TODO: update deploy-outputs.yml to CF Pages so it's automatic on push.)
🔴 DO NOT reintroduce Netlify-style _redirects rules:
/name /name.html 200 rules cause infinite 308 loops on CF Pages — the ENTIRE portal was unreachable until this was fixed. CF Pages does clean URLs NATIVELY (/home serves home.html). The _redirects file is now CF-safe: ONLY cross-target redirects to CLEAN names (no .html). Keep it that way.
🔴 SECURITY — pages.dev is PUBLIC + exposes the master key:
hookstreet-ops.pages.dev has NO Cloudflare Access gate, and hs-core.js embeds the master OPS_READ_TOKEN. So the public pages.dev URL leaks the key. Two fixes needed (whoever has CF perms):
1. ops.hookstreetservices.com custom domain on the Pages project is status: pending — needs the DNS record (currently a Worker-managed AAAA 100:: — a hookstreet-ops WORKER owns the host; the Pages custom-domain must supersede it). Finishing this puts the portal on the real domain WITH the existing Access gate.
2. Until then, add CF Access in front of *.hookstreet-ops.pages.dev OR don't share that URL.