Cloudflare Deploy And Access
Purpose
This document is the operator reference for Cloudflare deployment targets, custom domains, Access boundaries, API docs exposure, and early AI/MCP safety rules. It records intended topology and review rules only. It does not create Cloudflare resources, Access policies, DNS records, Worker routes, Pages projects, API tokens, OAuth credentials, account IDs, zone IDs, or secrets.
Domain Plan
| Host | Deployable | Runtime | Access posture |
|---|---|---|---|
| prox-os.com | apps/os-shell | Cloudflare Pages | Public OS entry. |
| docs.prox-os.com | apps/docs | Cloudflare Pages target | Public developer docs, with deployment caveats below. |
| ui.prox-os.com | apps/ui-workshop Storybook | Cloudflare Pages | Protected by Cloudflare Access in early development. |
| api.prox-os.com | apps/api-worker | Cloudflare Workers | Public health endpoints; docs/internal endpoints protected by Access. |
| esmadrider.me | apps/esmadrider-me | Cloudflare Pages | Public founder site and iframe app origin. |
Subdomains are infrastructure entrypoints, not long-term app identity. OS apps still use manifest-driven IDs and route groups inside the shell.
Deployment Scripts
Run deploy commands only after reviewing the target Cloudflare account, Pages project, Worker, custom domain, and Access policy in the Cloudflare dashboard.
| Command | Target | Notes |
|---|---|---|
| pnpm deploy | All configured deployables | Sequential root entry: OS shell, docs, UI workshop, API worker, and esmadrider.me. |
| pnpm deploy:os | apps/os-shell/dist -> Pages project prox-os | Existing public OS shell deploy path. |
| pnpm deploy:docs | apps/docs -> Pages project prox-os-docs | Runs docs:sync, Next static export (out/), then wrangler pages deploy out. |
| pnpm deploy:ui | apps/ui-workshop/storybook-static -> prox-os-ui-workshop | Runs Storybook build and deploys the static Storybook output. |
| pnpm deploy:api | apps/api-worker Worker | Uses wrangler deploy --minify. |
| pnpm deploy:esmadrider-me | apps/esmadrider-me/dist -> Pages project esmadrider-me | Existing founder site deploy path. |
Docs deployment (static export)
apps/docs uses Next.js output: 'export' and deploys the out/ directory to
Cloudflare Pages (prox-os-docs, target host docs.prox-os.com). Search,
llms.txt, Open Graph images, and markdown export routes are pre-rendered at
build time (Fumadocs static Orama for /api/search). The proxy.ts markdown
negotiation helper runs in local dev only; on the static site use
/llms.mdx/docs/.../content.md URLs directly.
If the docs site later needs SSR or dynamic server routes beyond static export, migrate to OpenNext on Cloudflare Workers instead of expanding the Pages artifact hack.
API Worker Routes
Local development:
http://localhost:8787/docs
http://localhost:8787/openapi.json
http://localhost:8787/health

Production target:
https://api.prox-os.com/docs
https://api.prox-os.com/openapi.json
https://api.prox-os.com/health

The Worker config includes a reviewable custom-domain route placeholder:
api.prox-os.com -> apps/api-worker Worker

Wrangler custom domains are host-level routes: the host serves all paths under
api.prox-os.com, including /health, /openapi.json, and /docs.
Do not add docs.api.prox-os.com for the current phase.
Public And Protected Boundaries
Recommended public early surfaces:
prox-os.com
prox-os.com/*
docs.prox-os.com
docs.prox-os.com/*
api.prox-os.com/health
api.prox-os.com/robots.txt

Recommended Cloudflare Access-protected early surfaces:
ui.prox-os.com/*
api.prox-os.com/docs
api.prox-os.com/openapi.json
api.prox-os.com/scalar
api.prox-os.com/internal/*

/docs and /openapi.json can be deployed, but they should not be exposed
bare to the public in early development. API docs are not automatically
dangerous, but they reveal endpoint structure, product direction, permission
models, and unstable data shapes. Restrict them to a personal email or a small
team allowlist with Cloudflare Access until the public API contract is stable.
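
An added example, not part of the project's own tooling: a checker that compares anonymous HTTP observations against the public and protected lists above and flags drift. The observations, the Access team name, and the `/graphql` path are constructed placeholders, and the challenge detection rests on the assumption stated in the code.

```javascript
// Added example, not project code. Route lists are copied from this page.
const PUBLIC = ["prox-os.com/*", "docs.prox-os.com/*",
  "api.prox-os.com/health", "api.prox-os.com/robots.txt"];
const PROTECTED = ["ui.prox-os.com/*", "api.prox-os.com/docs", "api.prox-os.com/scalar",
  "api.prox-os.com/openapi.json", "api.prox-os.com/internal/*"];
// Protected entries also cover sub-paths (fail closed); public ones do not.
function matches(pattern, host, path, coverSubPaths) {
  const cut = pattern.indexOf("/");
  if (pattern.slice(0, cut) !== host.toLowerCase()) return false;
  let base = pattern.slice(cut);
  const wild = base.endsWith("/*");
  if (wild) base = base.slice(0, -2);
  const clean = path.replace(/\/+$/, ""); // "/docs/" -> "/docs", "/" -> ""
  if (clean === base) return true;
  return (wild || coverSubPaths) && clean.startsWith(base + "/");
}

function expectedPosture(url) {
  const { hostname, pathname } = new URL(url);
  if (PROTECTED.some((p) => matches(p, hostname, pathname, true))) return "protected";
  if (PUBLIC.some((p) => matches(p, hostname, pathname, false))) return "public";
  return "unlisted"; // the host-level route still serves it; classify it
}

// Assumption: Access answers an anonymous request with a redirect to a
// *.cloudflareaccess.com login host, or with 401/403.
function isAccessChallenge(obs) {
  if (obs.status === 401 || obs.status === 403) return true;
  if (obs.status < 300 || obs.status > 399 || !obs.location) return false;
  try { return new URL(obs.location).hostname.endsWith(".cloudflareaccess.com"); }
  catch { return false; }
}
function auditAnonymous(obs) {
  const posture = expectedPosture(obs.url);
  if (posture === "unlisted") return "UNLISTED";
  const challenged = isAccessChallenge(obs);
  if (posture === "protected") return challenged ? "ok" : "EXPOSED";
  return challenged ? "BLOCKED" : "ok";
}
// Constructed observations; team name and /graphql are placeholders.
const SAMPLE = [
  { url: "https://api.prox-os.com/health", status: 200 },
  { url: "https://api.prox-os.com/docs", status: 302,
    location: "https://team-example.cloudflareaccess.com/cdn-cgi/access/login/api.prox-os.com" },
  { url: "https://api.prox-os.com/openapi.json", status: 200 },
  { url: "https://api.prox-os.com/graphql", status: 200 },
];
console.log(SAMPLE.map((o) => `${auditAnonymous(o)} ${o.url}`).join("\n"));
```

Feed it status codes and `Location` headers collected without following redirects; `UNLISTED` results matter because the custom domain serves every path on the host.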
No docs.api.prox-os.com
The current API documentation surface is:
api.prox-os.com/docs

Protected OpenAPI schema:
api.prox-os.com/openapi.json

Do not create docs.api.prox-os.com unless API documentation becomes a
standalone developer portal with its own release cadence, authentication,
billing, or external developer experience.
Future API Docs Split
Internal API docs:
- api.prox-os.com/docs
- api.prox-os.com/openapi.json
- Full schema
- Internal endpoints
- Debug endpoints
- Admin endpoints
- Protected by Cloudflare Access
External API docs:
- docs.prox-os.com/api
- Or a future standalone developer portal
- Stable public API only
- Internal, admin, and debug endpoints hidden
- Designed for community developers and third-party app developers
AI And MCP Safety
Early AI integrations are read-only by default.
- Do not grant AI write permissions in early development.
- Do not let AI directly mutate DNS, WAF rules, Access policies, Worker routes, Pages projects, secrets, or production environment variables.
- AI may generate proposals, diffs, configuration notes, and review checklists. Humans must review and apply them.
- Real Cloudflare API tokens, OAuth credentials, .env.local, .dev.vars, account IDs, zone IDs, and secrets must not be committed.
- Prefer official MCP servers or trusted providers. Do not use unknown third-party MCP proxies for Cloudflare, GitHub, database, or observability access.
Future Product Surface
These capabilities should eventually move into the Prox OS System Monitor and AI Console apps:
- Cloudflare Analytics
- Cloudflare Security Events
- Workers logs
- API health
- App product events
- MCP catalog
- AI-generated monitoring insights
- Human-approved Cloudflare rule suggestions
Manual Cloudflare Follow-up
Before production use, a human operator should:
- Create or verify Pages projects prox-os, prox-os-docs, prox-os-ui-workshop, and esmadrider-me.
- Create or verify the Worker prox-os-api-worker.
- Attach custom domains prox-os.com, docs.prox-os.com, ui.prox-os.com, and api.prox-os.com.
- Add Cloudflare Access policies for UI Workshop and API docs/internal routes.
- Keep all API tokens, OAuth credentials, account IDs, zone IDs, and secrets outside the repository.
- Verify API docs exposure from a signed-in Access session and from a public anonymous browser session.