# Cloudflare surfaces (operator)

**ST:** `[ST:portfolio:docs:cloudflare-surfaces]`  
**Export:** `public_safe.v1` — no Cloudflare account/zone IDs on this site.  
**Detail runbook (private repo):** `docs/operations/surfaces-cloudflare-tool-routing-v0.md`

## Hostname plan (hybrid)

| Host | Project | Access |
|------|---------|--------|
| `www.blue-hand.org` | `bluehand-landing` (Pages) | Public |
| `docs.bluehand.dev` | `bluehand-dev-docs` (Pages) | Public |
| `bluehand.dev` apex | ops hub (planned) | Access |
| `atlas.bluehand.dev` | `atlas-console` | Access |
| `state.bluehand.dev` | `state-console` (planned) | Access |
| `pim0.blue-hand.org` | `atlas-pim0-worker` | mTLS + Access |

## Token hygiene

Store leased Cloudflare API tokens in **macOS keychain** — never shell `export`, never commit, never paste into chat:

```bash
# One-time keychain install (operator machine only).
# Leave -w bare: `security` prompts for the value, so the token never
# appears in argv, shell history, or `ps` output.
security add-generic-password -a "cfat" -s "cfat" -w
# Confirm the token resolves and reaches the zone (prints no secrets).
cd runtime/pim0-worker && bun run cf:token-preflight
```

Scripts resolve tokens in-process; values are not logged.
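The in-process pattern, as an added example; this is not the project's `cf:token-preflight` script. It assumes the keychain item installed above (`-a cfat -s cfat`), that Cloudflare API tokens are 40 characters of `[A-Za-z0-9_-]`, and that `GET /client/v4/user/tokens/verify` reports the token's status. The token lives only in local variables; what reaches a log is a redacted label and a verdict.

```javascript
// Added example of the token-handling pattern (not the project's own
// cf:token-preflight script). Assumptions: the keychain item is the one
// installed above (-a cfat -s cfat); Cloudflare API tokens are 40 characters
// of [A-Za-z0-9_-]; GET /client/v4/user/tokens/verify reports the token's
// status. The token is held in local variables only and is never logged.
const TOKEN_SHAPE = /^[A-Za-z0-9_-]{40}$/;
const VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify";

// Resolve the token in-process from the macOS keychain. No `export`, no env
// var: the value exists only as this function's return value.
async function readKeychainToken() {
  const { execFileSync } = await import("node:child_process");
  return execFileSync(
    "security",
    ["find-generic-password", "-a", "cfat", "-s", "cfat", "-w"],
    { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] },
  ).trim();
}

// Redact for logs: a 4-char prefix plus length is enough to tell tokens apart.
function redact(token) {
  if (typeof token !== "string" || token.length < 8) return "<redacted>";
  return `${token.slice(0, 4)}...(${token.length} chars)`;
}

// Cheap local check before spending a network call (assumed 40-char shape).
function checkTokenShape(token) {
  return TOKEN_SHAPE.test(token);
}

// Ask Cloudflare whether the token is active. Only the verdict and a redacted
// label leave this function.
async function verifyToken(token, fetchImpl = fetch) {
  const res = await fetchImpl(VERIFY_URL, {
    headers: { Authorization: `Bearer ${token}` },
  });
  const body = await res.json();
  const status = body.result?.status ?? "unknown";
  return {
    ok: res.ok && body.success === true && status === "active",
    status,
    token: redact(token),
  };
}

// Reader and fetch are injectable so the flow can be exercised without a
// keychain or network; defaults are the real keychain and global fetch.
async function preflight({ readToken = readKeychainToken, fetchImpl = fetch } = {}) {
  const token = await readToken();
  if (!checkTokenShape(token)) {
    return { ok: false, status: "shape-mismatch", token: redact(token) };
  }
  return verifyToken(token, fetchImpl);
}

// Manual run: `node cf-token-preflight.js --run` prints the verdict, never the token.
if (typeof process !== "undefined" && process.argv.includes("--run")) {
  preflight().then((r) => {
    console.log(JSON.stringify(r));
    process.exit(r.ok ? 0 : 1);
  });
}
```

The shape check runs first so a pasted-in-the-wrong-field value (a zone ID, a global API key) is rejected before it is ever sent in an `Authorization` header; the verdict object is the only thing a CI log should ever see.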

## Common operator commands

```bash
cd runtime/pim0-worker
bun run cf:token-preflight
bun run cf:bluehand-dev:bind-pages          # dry-run
bun run pim0:transport-gate
bun run cf:workers-dev:status
bun run cf:access-allowlist                 # human Access email allowlist oracle
```

## Zone and account IDs (operators only)

**Not published here.** Per disclosure lane and `public_safe.v1`, Cloudflare account and zone identifiers belong in **operator-local** surfaces only (`wrangler.toml`, keychain preflight, private runbooks).

Operators with repo access:

1. Run `bun run cf:token-preflight` — confirms token + zone reachability without printing secrets.
2. Read zone name from each surface `SURFACE.md` / `wrangler.toml` (`zone_name = "bluehand.dev"`).
3. Never copy raw IDs into issues, public docs, or AI prompts.
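A leak check for step 3, as an added example (not the project's own tooling). It assumes Cloudflare account and zone IDs are 32 lowercase hex characters, and it exempts `wrangler.toml` and `.dev.vars` because those are the operator-local surfaces named above. The pattern also matches any other 32-hex value (an MD5 digest, say); for a pre-commit gate on public docs that bias is the right one.

```javascript
// Added example of a leak check for the rule above; it is not the project's
// own tooling. Assumption: Cloudflare account and zone IDs are 32 lowercase
// hex characters. Any other 32-hex value (e.g. an MD5 digest) also trips it,
// which is the intended bias for a gate on public docs.
const BARE_ID = /\b[0-9a-f]{32}\b/g;
// Key names that carry IDs in wrangler.toml and CI env files; a hit on the
// key is reported even when the value is masked so a reviewer looks at it.
const ID_KEY = /\b(account_id|zone_id|CLOUDFLARE_ACCOUNT_ID|CLOUDFLARE_ZONE_ID)\b\s*[:=]/;

// Scan text and return findings as {line, kind, sample}. The sample is
// truncated so the report itself cannot leak a full ID.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const id of line.match(BARE_ID) || []) {
      findings.push({ line: i + 1, kind: "bare-id", sample: `${id.slice(0, 6)}...` });
    }
    const key = line.match(ID_KEY);
    if (key) findings.push({ line: i + 1, kind: "id-key", sample: key[1] });
  });
  return findings;
}

// Operator-local files may hold IDs (they are never exported); everything
// else passed to the scanner is treated as public.
const EXEMPT = [/(^|\/)wrangler\.toml$/, /(^|\/)\.dev\.vars$/];

function isExempt(path) {
  return EXEMPT.some((re) => re.test(path));
}

// CLI: `node scan-cf-ids.js docs/*.md` exits 1 when any non-exempt file leaks.
async function main(paths) {
  const fs = await import("node:fs");
  let leaks = 0;
  for (const path of paths) {
    if (isExempt(path)) continue;
    for (const f of scanText(fs.readFileSync(path, "utf8"))) {
      leaks += 1;
      console.error(`${path}:${f.line}: ${f.kind} (${f.sample})`);
    }
  }
  return leaks;
}

if (typeof process !== "undefined" && process.argv.length > 2) {
  main(process.argv.slice(2)).then((n) => process.exit(n ? 1 : 0));
}
```

The `\b` anchors mean a 40-hex git commit SHA does not match, so the gate stays quiet on changelogs; the key-name pattern catches `zone_id = "<masked>"` lines, which are the ones most likely to be un-masked by a later edit.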

## SSL

Pages and proxied zones use Cloudflare edge certificates (issued and renewed automatically).  
Do not point the apex at legacy VPS origins: with the zone in Full or Full (strict) mode the edge opens a TLS handshake to the origin on 443, and an origin that cannot complete it yields a **525** (SSL handshake failed) to visitors.

## Crawl posture

| Surface | Indexing |
|---------|----------|
| `docs.bluehand.dev` | Public builder docs (this site) |
| All other `*.bluehand.dev` app hosts | **noindex** + `robots.txt` Disallow on worker responses |
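The worker side of that posture, as an added example; it is not the project's worker code. It assumes the worker fronts an upstream (the Access-gated app or a Pages project) and that `docs.bluehand.dev` is the only host allowed to be indexed. `robots.txt` only asks well-behaved crawlers not to fetch; the `X-Robots-Tag` header tells them not to index whatever they did fetch, so both are applied.

```javascript
// Added example of the crawl posture for non-docs app hosts (not the
// project's worker). Assumptions: the worker proxies an upstream, and
// docs.bluehand.dev is the only indexable host.
const ROBOTS_DISALLOW_ALL = "User-agent: *\nDisallow: /\n";
const INDEXABLE_HOSTS = new Set(["docs.bluehand.dev"]);

function isIndexable(hostname) {
  return INDEXABLE_HOSTS.has(hostname);
}

// Serve robots.txt from the worker itself so the Disallow holds even if the
// upstream ships a more permissive copy.
function robotsResponse() {
  return new Response(ROBOTS_DISALLOW_ALL, {
    headers: {
      "content-type": "text/plain; charset=utf-8",
      "x-robots-tag": "noindex, nofollow",
      "cache-control": "public, max-age=3600",
    },
  });
}

// Re-wrap the upstream response (its headers are immutable) and add the tag.
function withNoindex(response) {
  const out = new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: response.headers,
  });
  out.headers.set("x-robots-tag", "noindex, nofollow");
  return out;
}

// `upstream` is whatever produces the app response (fetch to origin, Pages).
async function handle(request, upstream) {
  const url = new URL(request.url);
  if (isIndexable(url.hostname)) return upstream(request);
  if (url.pathname === "/robots.txt") return robotsResponse();
  return withNoindex(await upstream(request));
}

// Service-worker-syntax entry point; a no-op outside a Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) =>
    event.respondWith(handle(event.request, (req) => fetch(req))));
}
```

Keep the host allowlist explicit rather than matching on a suffix: a new `*.bluehand.dev` app host then defaults to noindex until someone deliberately adds it.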

## Further reading

- [Surface architecture (Atlas-CAI)](https://github.com/WesHacixo/Atlas-CAI/blob/main/docs/operations/bluehand-dev-surface-architecture-v0.md)
- [Live security snapshot (operators)](https://github.com/WesHacixo/Atlas-CAI/blob/main/docs/operations/bluehand-dev-live-security-snapshot-v0.md)
- [Portfolio export profile (BHOK)](https://github.com/WesHacixo/bluehand-orchestration-kernel/blob/main/docs/operations/portfolio-export-profile-v0.md)
