{"ok":true,"generatedAt":"2026-05-30T11:00:07.366Z","version":"0.3.2","environment":"production","deployment":{"source":"cloudflare_version_metadata","workerVersionId":"32e3dc37-3073-4332-a6a3-d1f83ac0d76a","workerVersionTag":"","workerVersionTimestamp":"2026-05-17T23:41:33.341995Z","environment":"production"},"noExternalPublishingPerformed":true,"purpose":"Plan Cloudflare Access perimeter rules before mutating any Cloudflare account configuration.","cloudflareApplications":[{"id":"apcp-public-demo","type":"self_hosted","hostnames":["agent-publish-control-plane.fkurka.workers.dev","agent-publish-control-plane-staging.fkurka.workers.dev"],"leavePublic":["/","/demo","/demo/*","/health","/v1/project","/v1/catalog","/v1/access-policy-plan","/v1/capabilities","/v1/destinations*","/v1/status","/v1/demo/*"]},{"id":"apcp-operator","type":"self_hosted","paths":["/operator","/operator/intake","/v1/workspaces*","/v1/events","/v1/publish-runs*","/v1/operator-submissions","/v1/manifests*"],"policies":[{"name":"APCP human operators","action":"Allow","include":["approved operator emails, email domain, IdP group, or Access group"],"require":["optional device posture, MFA method, country, or network requirements"]},{"name":"APCP CLI and MCP automation","action":"Service Auth","include":["named Cloudflare Access service tokens for local CLI, CI, and MCP callers"]}],"applicationAuthStillRequired":["OPERATOR_READ_TOKEN for private reads when configured","MANIFEST_WRITE_TOKEN for writes"]}],"routeSummary":{"publicRouteCount":22,"operatorReadRouteCount":18,"writeRouteCount":17,"legacyQueryRouteCount":1},"publicRoutes":[{"method":"GET","path":"/","access":"public","description":"Public landing page with status and destination summary."},{"method":"GET","path":"/demo","access":"public","description":"Outside-in new visitor demo for previewing artifact destinations with no external publishing."},{"method":"GET","path":"/demo/technical","access":"public","description":"Preserved technical 
demo preview with route plan JSON and public checks."},{"method":"GET","path":"/demo/walkthrough","access":"public","description":"Presenter walkthrough for the hosted demo path."},{"method":"GET","path":"/demo/readiness","access":"public","description":"Live public readiness check for the demo surfaces and catalog."},{"method":"GET","path":"/demo/changelog","access":"public","description":"Public demo release notes and safe-change history."},{"method":"GET","path":"/demo/visual-qa","access":"public","description":"Static visual QA checklist for the hosted demo pages."},{"method":"GET","path":"/demo/auth","access":"public","description":"Hosted auth readiness panel for Access activation and SaaS authorization shape."},{"method":"GET","path":"/demo/operator","access":"public_demo","description":"Seeded read-only operator demo on an Access-separable path."},{"method":"GET","path":"/health","access":"public","description":"Service, environment, storage, and manifest-count health check."},{"method":"GET","path":"/v1/project","access":"public","description":"Project identity and hosted environment metadata."},{"method":"GET","path":"/v1/catalog","access":"public","description":"Read-only route catalog and destination taxonomy."},{"method":"GET","path":"/v1/access-policy-plan","access":"public","description":"Read-only Cloudflare Access protection plan for hosted operator and API routes."},{"method":"GET","path":"/v1/capabilities","access":"public","description":"Interfaces, artifact kinds, review profiles, adapters, and workspace model."},{"method":"GET","path":"/v1/destinations","access":"public","description":"Built-in destination registry with filters for kind, mode, status, and operation."},{"method":"GET","path":"/v1/destinations/:destinationId","access":"public","description":"One destination definition with adapter operations and credential requirements."},{"method":"GET","path":"/v1/status","access":"public","description":"Public manifest and target 
summary."},{"method":"GET","path":"/v1/demo/showcase","access":"public","description":"Browser-safe hosted demo preview JSON."},{"method":"GET","path":"/v1/demo/operator-state","access":"public","description":"Sanitized seeded operator-console state for the hosted demo."},{"method":"GET","path":"/v1/demo/release-notes","access":"public","description":"Release notes and deployment metadata for the current demo build."},{"method":"GET","path":"/v1/demo/transcript","access":"public","description":"Short, technical, or agent-facing demo transcript data."},{"method":"GET","path":"/v1/demo/visual-qa","access":"public","description":"Static visual QA manifest and expected page anchors."}],"protectedRoutePatterns":[{"path":"/operator","reason":"Operator shell can reveal private API entry points even when data still requires tokens."},{"path":"/operator/intake","reason":"Protected staging intake can submit real user material and must sit behind the operator perimeter."},{"path":"/v1/workspaces*","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/events","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/publish-runs*","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/operator-submissions","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/manifests*","reason":"Private workspace, manifest, event, provider, or publish-run API surface."}],"tokenModel":{"access":"Perimeter authentication and request logging.","operatorReadToken":"Application-level private read authorization.","manifestWriteToken":"Application-level mutation intent for manifests, approvals, provider setup, media, and publish runs."},"compatibilityNotes":["Cloudflare Access application paths do not support query strings, so the public seeded demo now lives at /demo/operator.","The legacy /operator?demo=1 route remains for 
local compatibility but should not be used as the public demo path once /operator is Access-protected.","Service Auth policies should be used for CLI, MCP, and CI automation so Access still logs requests.","Do not use a Bypass policy for private APIs; it skips Access enforcement and logging."],"setupChecklist":["Choose the operator identity selector: explicit emails, an IdP group, an email domain, or an Access group.","Create or select service tokens for CLI, MCP, and CI automation.","Create a self-hosted Access application for /operator and private API path patterns.","Attach Allow and Service Auth policies, leaving public demo and status routes outside the protected path set.","Set CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET only in local profiles or CI secrets, never in source.","Run npm run access:activation, npm run auth:check, and npm run demo:smoke against staging before protecting production.","Enable AUTH_TRUST_ACCESS_HEADERS=true only after the private route set is protected by Cloudflare Access; on a route that Access does not cover, request headers claiming an Access identity were not set by Access and must not be trusted."],"externalMutationRequired":true,"stopBoundary":"Creating Access applications, policies, service tokens, or secrets must be approved and run against the Cloudflare account."}