# Access posture (bluehand.dev)

**ST:** `[ST:portfolio:docs:access]`  
**Default:** **private by default** — only `docs.bluehand.dev` is public.

## Public

| Host | Audience |
|------|----------|
| `docs.bluehand.dev` | Builders, integrators (`public_safe.v1`) |

## Access-gated (Cloudflare Zero Trust)

| Host | Purpose |
|------|---------|
| `bluehand.dev` (apex) | Operational sign-in hub |
| `atlas.bluehand.dev` | Atlas orientation UI |
| `state.bluehand.dev` | Machine-state explorer |
| `ops.bluehand.dev` | Operator runbooks |
| `api.bluehand.dev` | Nexus API router |
| `mcp.bluehand.dev` | MCP alias (same worker) |
| `gateway.bluehand.dev` | Future unified façade (planned) |
| `wyrm.bluehand.dev` | Edge Wyrm registry/docs |

## Auth methods (production)

- **GitHub or Google** as identity providers, with an **email allowlist** as the only Access policy rule: portfolio operators listed by address. GitHub org membership is not a rule, so belonging to the org grants nothing on its own.
- **Passkeys** — when enabled on the Access application
- **Service tokens** — machines/CI smoke only; never browser login
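
A smoke check that exercises this posture end to end, written here as an added example (it is not part of the bluehand.dev repository or its CI). It assumes that the service-token pair is supplied to CI as `CF_ACCESS_CLIENT_ID` / `CF_ACCESS_CLIENT_SECRET` (names chosen here, not taken from the page), that Cloudflare Access answers a credential-less request to a gated host with a 302 to the team's `*.cloudflareaccess.com` login page or with a 401/403, and that a request carrying a valid service token reaches the worker with a 200. `gateway.bluehand.dev` is listed as planned, so it is left out.

```shell
#!/bin/sh
# Access-posture smoke for bluehand.dev. Added example, not project code.
# Assumed (not stated on the page): service-token credentials arrive as
# CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET, and Cloudflare Access answers
# credential-less requests to a gated host with a 302 to *.cloudflareaccess.com
# or a 401/403. Anything else is reported as "unexpected" and fails the run.
set -u

# classify STATUS REDIRECT_URL -> reachable | gated | unexpected
# Pure decision logic, kept separate from curl so it can be exercised offline.
classify() {
  case "$1" in
    200) echo reachable ;;
    302|303|307)
      case "${2:-}" in
        https://*.cloudflareaccess.com/*) echo gated ;;   # Access login bounce
        *) echo unexpected ;;                              # some other redirect
      esac ;;
    401|403) echo gated ;;
    *) echo unexpected ;;
  esac
}

# probe HOST [with-token] -> classification of GET https://HOST/
probe() {
  host=$1
  if [ "${2:-no-token}" = with-token ]; then
    # Service-token headers as documented by Cloudflare Access; :? aborts if unset.
    set -- -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID:?}" \
           -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET:?}"
  else
    set --
  fi
  # No -L: the first-hop 302 is the signal. Body discarded; status and redirect target kept.
  out=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$@" "https://$host/") \
    || { echo unexpected; return 0; }
  classify "${out%% *}" "${out#* }"
}

# expect HOST MODE WANT -> 0 on match, 1 otherwise (prints a one-line verdict)
expect() {
  got=$(probe "$1" "$2")
  if [ "$got" = "$3" ]; then
    printf 'ok   %-22s %-10s %s\n' "$1" "$2" "$got"; return 0
  fi
  printf 'FAIL %-22s %-10s got=%s want=%s\n' "$1" "$2" "$got" "$3" >&2; return 1
}

# Network runs only when asked, so the file can be sourced without touching prod.
if [ "${RUN_SMOKE:-0}" = 1 ]; then
  rc=0
  expect docs.bluehand.dev no-token reachable || rc=1      # the one public host
  for h in bluehand.dev atlas.bluehand.dev state.bluehand.dev ops.bluehand.dev \
           api.bluehand.dev mcp.bluehand.dev wyrm.bluehand.dev; do
    expect "$h" no-token gated || rc=1                     # nothing leaks without a credential
  done
  expect api.bluehand.dev with-token reachable || rc=1     # service token reaches the worker
  exit $rc
fi
```

Run it from CI with `RUN_SMOKE=1` and the two token variables injected from the pipeline's secret store; no browser session and no `cfat` API token is involved. A gated host that comes back `reachable` without a token is the finding this check exists to catch: the Access application was removed or its policy widened. A token-bearing request to `api.bluehand.dev` that comes back `gated` means the service token was rotated or is not listed in that application's policy.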

## Operator notes

- The CF API token lives in the macOS keychain under the label **`cfat`**. Never commit it, and never paste it into an `export` on the command line, where it would land in shell history; read it from the keychain at the point of use.
- Access does **not** grant execution authority. It only controls who can **reach** the advisory endpoints; reaching one is not permission to act.
- See [authority chain](../architecture/authority-chain.md) for CP0 invariant.
