# Nexus engineering (Cloudflare v0.1)

**ST:** `[ST:portfolio:docs:nexus-engineering]`  
**Skill (canonical):** [`adv-wrangler-api-mcp` v0.1](https://github.com/WesHacixo/Atlas-CAI/blob/main/surfaces/nexus-core/skills/adv-wrangler-api-mcp/SKILL.md)

## Summary

Bluehand `.dev` is an **operational edge hub**:

- **`blue-hand.org`** publishes doctrine
- **`bluehand.dev`** operates (Access-gated)
- **Supabase** holds canonical portfolio state
- **KV/D1** at the edge hold a cache-only copy of lineage, not the source of truth

## Surface map

| Surface | Host | Package |
|---------|------|---------|
| Builder docs | `docs.bluehand.dev` | `surfaces/docs-portal` |
| API + MCP | `api.*`, `mcp.*` | `surfaces/nexus-core` |
| Gateway (planned) | `gateway.bluehand.dev` | service-binding façade — doc only v0.1 |
| Wyrm edge | `wyrm.bluehand.dev` | registry/docs — local stdio primary |
| Atlas | `atlas.bluehand.dev` | `surfaces/atlas-console` |
| State / Ops | `state.*`, `ops.*` | planned consoles |

## MCP v0.1

Governance-first vocabulary: `state.observe`, `govern.evaluate`, `lineage.append`, etc.  
See [MCP](./mcp.md) and [API](./api.md).

## Free-tier discipline (June 2026)

| Service | Use |
|---------|-----|
| Pages | Static docs — primary traffic |
| Workers | API/MCP only |
| KV | Lineage cache + small config |
| D1 | Optional lineage query cache |
| R2 | Defer until >10MB assets |
| Durable Objects | PIM-0 only (separate worker) |

## Deployment ritual

1. `bun test` in `surfaces/nexus-core`
2. `wrangler deploy`
3. Emit `lineage.append` event (deploy kind + git sha)
4. Update `state:version` in KV

## Bootstrap checklist

1. Keychain: install CF token per [Cloudflare surfaces](./cloudflare-surfaces.md) (label only — no token in docs)
2. `bun run cf:token-preflight` (`runtime/pim0-worker`)
3. `bun run --cwd surfaces/docs-portal build && bun run deploy`
4. Create KV + D1 → paste IDs in **local** `surfaces/nexus-core/wrangler.toml` (not public docs)
5. `bun run --cwd surfaces/nexus-core deploy`
6. Cloudflare Access on api/mcp/atlas/state/ops/gateway/wyrm
7. `bun run cf:access-allowlist` — verify human email allowlist

## DNS zone

Zone name: **`bluehand.dev`**. The zone ID is operator-local (`[ID:cloudflare]`): resolve it via `cf:token-preflight`; it is not published in `public_safe.v1` docs.
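
One way to enforce the "IDs stay out of public docs" rule from bootstrap step 4 and the DNS zone note is a pre-publish lint. This is an added example, not code from the Atlas-CAI repo. `scanPublicDoc`, the ID shapes it matches (32-hex zone/KV IDs, UUID D1 IDs) and the sample text are assumptions.

```typescript
// Added example (not project code): lint public docs for pasted Cloudflare resource IDs.
// Assumed ID shapes: zone and KV namespace IDs are 32 hex chars; D1 database IDs are UUIDs.
interface Finding {
  line: number;   // 1-based line number in the scanned doc
  kind: string;   // which pattern matched
  masked: string; // first 4 chars only, so the report does not re-leak the value
}

const ID_PATTERNS: { kind: string; re: RegExp }[] = [
  // \b on both sides keeps a 40-hex git sha from matching as a 32-hex ID.
  { kind: "hex32-id", re: /\b[0-9a-f]{32}\b/gi },
  { kind: "uuid", re: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi },
];

function scanPublicDoc(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    ID_PATTERNS.forEach(({ kind, re }) => {
      re.lastIndex = 0; // global regexes keep state between exec() calls
      let m: RegExpExecArray | null;
      while ((m = re.exec(lineText)) !== null) {
        findings.push({ line: i + 1, kind, masked: m[0].slice(0, 4) + "…" });
      }
    });
  });
  return findings;
}

// Constructed sample: every ID below is made up for this example.
const SAMPLE_DOC = [
  "Zone ID is operator-local (`[ID:cloudflare]`).",      // placeholder: clean
  "deploy sha 9f2c4e1ab03d57c6e88a1f0b2d4c6e8a0b1c2d3e", // 40-hex git sha: clean
  'kv_namespaces = [{ binding = "STATE", id = "0123456789abcdef0123456789abcdef" }]',
  'database_id = "1b4e28ba-2fa1-41d2-883f-0016d3cca427"',
].join("\n");

const sampleFindings = scanPublicDoc(SAMPLE_DOC);
console.log(sampleFindings); // a non-empty result should fail the docs build
```

Run it over the built docs output before the Pages deploy. Any 32-hex value matches, so unrelated hashes of that length will be flagged for review.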

## Related

- [Cloudflare surfaces](./cloudflare-surfaces.md)
- [Access](./access.md)
- [Lineage](./lineage.md)
