websitesexample.brixweb.app
Control plane for projects, deployments, domains, env/secrets, agents, audit, rollback, and production readiness.
Can we publish?
No. Production promote stays disabled until accepted live evidence exists.
Browser mutations remain disabled until Cloudflare Access, object-store verification, live smoke, provider proof, rollback, security readiness, and production signoff are accepted.
Websites Example is bound to sites/clients/websitesexample without direct Git or raw source access.
- API base: https://api.brixweb.dev
- Identity: Access session pending
- Project: Websites Example / websitesexample
- Projects: 1
- Source: sites/clients/websitesexample
- Deployments: 1
- Latest deployment: dep_repo_5ecad9542449bb30
- Env snapshot: deployment env snapshot pending live read
- Domains: 3
- Environments: 3
- Env vars: metadata registry pending live read
- Routes: 1
- Protection: Static protection policy
- Readiness: Repo scaffold with owner-action blockers
- Owner actions: 9 blocking owner action(s)
- Media: 3
- Secrets: 2 masked secret record(s)
- Agents: 1
- Agent tasks: 2
- Audit: 2
- Provider evidence: 0 durable provider operation event(s)
- Provider gates: provider executor gates pending live read
- Browser mutations: Disabled: browser_mutations_disabled_until_live_owner_evidence
- Fallback: Read-only shell remains available when Access/API is unavailable; hosted launch still requires live smoke evidence.
Organization
| Name | Slug | Access model | Projects | Members | Status |
|---|---|---|---|---|---|
| Brixweb Local | brixweb-local | cloudflare-access-rbac-v0 | 1 | 1 | Warning |
| Member | Role | Provider | Project scope | Secret value access | Agent owner policy | Audit |
|---|---|---|---|---|---|---|
| [email protected] | owner | cloudflare-access | project_websitesexample | No raw secret access | Agents cannot be owner | Pass |
Projects
- Endpoint: POST /projects
- Permission: project:write
- Slug law: domain-policy / <project>.brixweb.app / route:host:<project>.brixweb.app
- Fail closed errors: reserved_project_slug, invalid_project_slug, project_slug_conflict
- Reserved examples: media, preview, service, api, admin, cdn, assets
- Safety: Cloudflare Access identity required / Admin token not accepted for Console auth / writes audit / no secret values
| Name | Organization | Slug | Default host | Route key | Client workspace | Git access | Code storage | Secret storage | Status |
|---|---|---|---|---|---|---|---|---|---|
| Websites Example | org-brixweb-local | websitesexample | websitesexample.brixweb.app | route:host:websitesexample.brixweb.app | sites/clients/websitesexample | No direct Git access | forbidden | forbidden | Warning |
Source
sites/clients/registry/client-workspaces.brix.json
- Actor: human
- Audit: source.workspace.register
- Production block: Does not block production
- Owner action: Repo-ready
- Source access: No direct Git access / No raw source archive / credentials forbidden
/projects/project_websitesexample/source-workspace/upload-packages
- Actor: agent
- Audit: source.upload_package.accept
- Production block: Does not block production
- Owner action: Repo-ready
- Source access: No direct Git access / No raw source archive / credentials forbidden
docs/.generated/artifact-upload-verification.json
- Actor: human
- Audit: artifact.upload.verify
- Production block: Blocks production
- Owner action: Owner action required
- Source access: No direct Git access / No raw source archive / credentials forbidden
/projects/project_websitesexample/source-workspace/deployments
- Actor: agent
- Audit: deployment.create
- Production block: Does not block production
- Owner action: Repo-ready
- Source access: No direct Git access / No raw source archive / credentials forbidden
/internal/routes/publish
- Actor: human
- Audit: route.publish
- Production block: Blocks production
- Owner action: Owner action required
- Source access: No direct Git access / No raw source archive / credentials forbidden
/deployments/dep_repo_5ecad9542449bb30/rollback
- Actor: human
- Audit: deployment.rollback
- Production block: Blocks production
- Owner action: Owner action required
- Source access: No direct Git access / No raw source archive / credentials forbidden
| Client workspace | Intake | Allowed sources | Git access | Source archive | Code storage | Secret storage | Credential storage | Deployment | Artifact root | Package schema | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| sites/clients/websitesexample | manual_upload | site_product, artifact_bundle, migration_package, local_json_pack, agent_build_output | No direct Git access | No raw source archive | forbidden | forbidden | forbidden | dep_repo_5ecad9542449bb30 | deployments/dep_repo_5ecad9542449bb30/ | sites/clients/schemas/client-upload-package.schema.json | Warning |
Upload packages
| Package | Source kind | Digest | Artifact inventory | Proof refs | Media manifest | Submitted by | Deployment | Status | Git access | Raw source | Credentials | Production promote |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| uploadpkg_websitesexample_001 | artifact_bundle | sha256:client-upload-package-websitesexample-001 | dist/releases/latest/artifact-inventory.brix.json | packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json, docs/.generated/artifact-upload-verification.local-dry-run.json | packages/site-products/editorial-commerce/media/home.media-delivery.brix.json | agent | dep_repo_5ecad9542449bb30 | accepted | No direct Git access | No raw source | No raw credentials | Blocked until live evidence |
| uploadpkg_websitesexample_live_owner_actions | migration_package | sha256:owner-actions-required-before-live-publish | docs/.generated/artifact-upload-verification.json | docs/.generated/prod-live-smoke-proof.request.json, docs/.generated/media-delivery-live-smoke.request.json, docs/.generated/security-readiness-report.request.json | docs/.generated/media-delivery-live-smoke.request.json | human | blocked_until_live_evidence | owner_action_required | No direct Git access | No raw source | No raw credentials | Blocked until live evidence |
Deployments
| ID | Env | State | Host | Artifact | Proof | Smoke |
|---|---|---|---|---|---|---|
| dep_repo_5ecad9542449bb30 | preview | promotion_blocked | websitesexample.brixweb.app | sha256:2d70bd5d440edc7e872938817ea6b72574b040a6aad7d93bbd6576549c5f4f0e | Warning | Owner action |
Deployment logs
| Deployment | Action | Actor | Created | Request ID | Payload |
|---|---|---|---|---|---|
| dep_repo_5ecad9542449bb30 | deployment.created | human:platform-owner | 2026-06-30T00:00:00.000Z | req-console-deployment-created | control-plane-redacted |
| dep_repo_5ecad9542449bb30 | route.publish.requested | human:platform-owner | 2026-06-30T00:00:00.000Z | req-console-route-publish | control-plane-redacted |
Deployment proofs
| Deployment | Proof | Status | Blocks production | Request artifact accepted | Raw payload | Ref |
|---|---|---|---|---|---|---|
| dep_repo_5ecad9542449bb30 | Release manifest | Pass | no | No, request artifact is not evidence | No raw artifact payload | dist/releases/latest/release-manifest.brix.json |
| dep_repo_5ecad9542449bb30 | Artifact inventory | Pass | no | No, request artifact is not evidence | No raw artifact payload | dist/releases/latest/artifact-inventory.brix.json |
| dep_repo_5ecad9542449bb30 | Live smoke proof | Owner action | yes | No, request artifact is not evidence | No raw artifact payload | docs/.generated/prod-live-smoke-proof.request.json |
| dep_repo_5ecad9542449bb30 | Rollback proof | Owner action | yes | No, request artifact is not evidence | No raw artifact payload | docs/.generated/rollback-rehearsal-report.json |
Domains
| Hostname | Type | Verification | Certificate | Route | DNS host | DNS value | Value kind | DNS purpose | Secret value | Provider credential | Primary | Action | Confirmation |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| websitesexample.brixweb.app | brix_subdomain | Pass | Owner action | Pass | not required | not required | not_required | default_subdomain | Not a secret value | No provider credential | yes | active | n/a |
| preview.brixweb.app | brix_subdomain | Blocked | Blocked | Blocked | reserved host | reserved host | not_required | reserved_host | Not a secret value | No provider credential | no | reserved | n/a |
| client.example.com | custom_domain | Owner action | Owner action | Owner action | _brixweb-challenge.client.example.com | brixweb-verify-domain-client-example | verification_token | ownership_verification | Not a secret value | No provider credential | no | verify_required | custom-domain:verify |
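The custom-domain row above encodes the ownership check: the owner publishes the verification token at `_brixweb-challenge.<hostname>` as TXT, and the row stays at `verify_required` until the control plane reads it back. The following is an added example, not Brixweb's code, of how that decision is made. The challenge label, token and the reserved-host rule for `*.brixweb.app` come from the page; the hostname grammar is an assumption, and the TXT answers are a constructed in-memory table shaped like `dns.promises.resolveTxt` (one array of string chunks per record) so the check runs offline.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example (not Brixweb's code): deciding a custom_domain row's
// Verification and Action columns from the TXT challenge above. The challenge
// label, token and reserved-host rule are the page's; the TXT lookup is a
// constructed in-memory table shaped like dns.promises.resolveTxt (one
// string[] of chunks per record), and the hostname grammar is an assumption.

const CHALLENGE_LABEL = "_brixweb-challenge";
const PLATFORM_ZONE = "brixweb.app";
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

type TxtLookup = (name: string) => string[][] | undefined;

type VerifyOutcome =
  | { verification: "Pass"; hostname: string; dnsHost: string }
  | { verification: "Blocked"; reason: "invalid_hostname" | "reserved_host" }
  | { verification: "Owner action"; action: "verify_required"; reason: "no_txt_records" | "token_mismatch"; dnsHost: string; dnsValue: string };

function isValidHostname(host: string): boolean {
  if (host.length === 0 || host.length > 253) return false;
  const labels = host.split(".");
  return labels.length >= 2 && labels.every((l) => LABEL_RE.test(l));
}

// The token is a verification_token, not a secret (the page says so), so the
// constant-time compare is hygiene rather than a requirement.
function tokenEquals(found: string, expected: string): boolean {
  const a = Buffer.from(found, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

function verifyCustomDomain(hostnameInput: string, expectedToken: string, lookupTxt: TxtLookup): VerifyOutcome {
  const hostname = hostnameInput.trim().toLowerCase();
  if (!isValidHostname(hostname)) return { verification: "Blocked", reason: "invalid_hostname" };
  // Anything under the platform zone is a brix_subdomain, never a custom
  // domain: publishing TXT must not let anyone "verify" preview.brixweb.app.
  if (hostname === PLATFORM_ZONE || hostname.endsWith(`.${PLATFORM_ZONE}`)) {
    return { verification: "Blocked", reason: "reserved_host" };
  }
  const dnsHost = `${CHALLENGE_LABEL}.${hostname}`;
  const records = lookupTxt(dnsHost) ?? [];
  if (records.length === 0) {
    return { verification: "Owner action", action: "verify_required", reason: "no_txt_records", dnsHost, dnsValue: expectedToken };
  }
  // A long TXT answer arrives as chunks; join them before comparing. Other
  // TXT records at the same name (SPF, old tokens) are simply non-matches.
  const matched = records.some((chunks) => tokenEquals(chunks.join(""), expectedToken));
  if (!matched) {
    return { verification: "Owner action", action: "verify_required", reason: "token_mismatch", dnsHost, dnsValue: expectedToken };
  }
  return { verification: "Pass", hostname, dnsHost };
}

// Constructed TXT answers (not real DNS data) so the check runs offline.
const CONSTRUCTED_TXT: Record<string, string[][]> = {
  "_brixweb-challenge.client.example.com": [["brixweb-verify-domain-client-example"]],
  "_brixweb-challenge.split.example.net": [["brixweb-verify-", "domain-split"]],
  "_brixweb-challenge.stale.example.org": [["v=spf1 -all"], ["brixweb-verify-domain-old-token"]],
};
const lookupConstructed: TxtLookup = (name) => CONSTRUCTED_TXT[name];
```

Two points a practitioner should keep: the reserved-host check runs before any DNS lookup, so the platform's own zone can never be claimed as a custom domain no matter what TXT is published, and a stale or mismatched token leaves the row at `verify_required` rather than failing hard, which is what the `Owner action` status in the table means.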
Protection
| Environment | Default mode | Alias protection | Audience | New deployments | Password hash | Token value | Secret value | Agent production promote | Status |
|---|---|---|---|---|---|---|---|---|---|
| preview | team_only | password | client | yes | No password hash visible | No token value visible | No raw secret access | Agent production promote blocked | Pass |
| staging | token_protected | token | agent_scoped | yes | No password hash visible | No token value visible | No raw secret access | Agent production promote blocked | Warning |
| production | owner_approval_required | owner_approval | owner | yes | No password hash visible | No token value visible | No raw secret access | Agent production promote blocked | Blocked |
Project actions
POST /projects
POST /projects/project_websitesexample/source-workspace/upload-packages
POST /projects/project_websitesexample/source-workspace/deployments
POST /projects/project_websitesexample/domains
DELETE /domains/domain_client_example_com
PATCH /projects/project_websitesexample/secrets/secret-production-api-key
POST /projects/project_websitesexample/deployments/dep_repo_5ecad9542449bb30/protected-aliases
POST /deployments/dep_repo_5ecad9542449bb30/promote
POST /deployments/dep_repo_5ecad9542449bb30/rollback
Governed route action plan
| Action | Status | Env | Route key | Endpoint | Phrase | Required evidence | Blockers | Owner action | Browser mutation | Proof gate | Audit |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Publish preview route | Warning | preview | route:preview:websitesexample | POST /projects/project_websitesexample/deployments/dep_repo_5ecad9542449bb30/protected-aliases | none | dist/releases/latest/release-manifest.brix.json, dist/releases/latest/artifact-inventory.brix.json, packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json | hosted Console mutations disabled until Access evidence exists | no | Read-only browser; server/API gated | yes | alias.create |
| Promote production route | Blocked | production | route:host:websitesexample.brixweb.app | POST /internal/routes/publish | PUBLISH_ROUTE | docs/.generated/artifact-upload-verification.json, docs/.generated/media-delivery-live-smoke.json, docs/.generated/prod-live-smoke-report.json, docs/.generated/prod-live-smoke-proof.json, docs/.generated/security-readiness-report.json, docs/.generated/production-v0.1-signoff.json | R2 object-store verification missing, media delivery live smoke missing, live smoke missing, security readiness missing, production signoff missing | yes | Read-only browser; server/API gated | yes | route.publish |
| Rollback route pointer | Owner action | production | route:host:websitesexample.brixweb.app | POST /deployments/dep_repo_5ecad9542449bb30/rollback | ROLLBACK | dist/releases/latest/proofs/rollback-ready.proof.json, dist/releases/latest/proofs/rollback-dry-run.proof.json, owner-approved previous production deployment id, owner-approved previous deployment env snapshot digest | previous production deployment id missing, previous deployment env snapshot digest missing, rollback proof not accepted as live evidence | yes | Read-only browser; server/API gated | yes | deployment.rollback |
| Link proof, smoke, media, and rollback evidence | Owner action | production | route:host:websitesexample.brixweb.app | POST /deployments/dep_repo_5ecad9542449bb30/proofs | none | packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json, docs/.generated/prod-live-smoke-proof.json, docs/.generated/media-delivery-live-smoke.json, dist/releases/latest/proofs/rollback-ready.proof.json, dist/releases/latest/proofs/rollback-dry-run.proof.json | live smoke proof missing, media live smoke missing, rollback live proof missing | yes | Read-only browser; server/API gated | yes | proof.link |
Provider operation plans
| Operation | Provider | Executor | Status | Live candidate | Credential ID | Credential refs | Required env names | Resolver | Worker | Owner actions | Blockers | Provider credentials | Credential value | Ciphertext ref | Browser |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| provider.cloudflare.r2.uploadArtifact | cloudflare-r2 | hosted | missing-config | no | provider-credential-cloudflare-r2-production | provider-credential-cloudflare-r2-production | CLOUDFLARE_ACCOUNT_ID, BRIXWEB_R2_ENDPOINT, BRIXWEB_R2_ARTIFACT_BUCKET, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-r2-provider-credential-ref, capture-live-upload-evidence | provider_credential_resolver_missing, live_artifact_upload_evidence_missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only |
| provider.cloudflare.kv.putRoute | cloudflare | hosted | missing-config | no | provider-credential-cloudflare-production | provider-credential-cloudflare-production | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_APP, KV_ROUTE_CACHE_NAMESPACE_ID, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-cloudflare-provider-credential-ref, capture-route-publish-evidence | provider_credential_resolver_missing, live_route_publish_evidence_missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only |
| provider.bunny.pullzone.purge | bunny | hosted | missing-config | no | provider-credential-bunny-production | provider-credential-bunny-production | BUNNY_PULL_ZONE_ID, BRIXWEB_MEDIA_CDN_HOST, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-bunny-provider-credential-ref, capture-media-cdn-evidence | provider_credential_resolver_missing, live_media_cdn_evidence_missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only |
| provider.hetzner.firewall.verify | hetzner | hosted | live-candidate | yes | provider-credential-hetzner-readonly | provider-credential-hetzner-readonly | BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-hetzner-readonly-provider-credential-ref, capture-hetzner-firewall-proof | provider_credential_resolver_missing, provider-broker-hetzner-firewall-proof-missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only |
Dangerous action policy
| Action | Endpoint | Phrase | Permission | Scope | Identity | Confirmation | Audit | Agent default | Server | Client | Rollback or revocation |
|---|---|---|---|---|---|---|---|---|---|---|---|
| deployment:promote | /deployments/dep_repo_5ecad9542449bb30/promote | PROMOTE | deployment:write | deployment | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /deployments/dep_repo_5ecad9542449bb30/rollback |
| deployment:rollback | /deployments/dep_repo_5ecad9542449bb30/rollback | ROLLBACK | deployment:write | deployment | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | route pointer can be promoted back to the replaced deployment after live smoke |
| custom-domain:verify | /domains/domain_client_example_com/verify | VERIFY_DOMAIN | domain:write | domain | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | remove or suspend the custom domain mapping |
| domain:delete | /domains/domain_client_example_com | DELETE_DOMAIN | domain:write | domain | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | re-add the domain and reverify ownership before routing traffic again |
| secret:create | /projects/project_websitesexample/secrets | CREATE_SECRET | secret:write | secret | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /projects/project_websitesexample/secrets/<secretId> |
| secret:rotate | /projects/project_websitesexample/secrets/secret-production-api-key/rotate | ROTATE_SECRET | secret:write | secret | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | create a new deployment with the previous captured env version |
| secret:delete | /projects/project_websitesexample/secrets/secret-production-api-key | DELETE_SECRET | secret:write | secret | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | recreate secret and redeploy dependent environments |
| agent-token:create | /agents/agent-preview-deploy/tokens | CREATE_AGENT_TOKEN | agent:write | agent | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /agents/agent-preview-deploy/revoke |
| agent:revoke | /agents/agent-preview-deploy/revoke | REVOKE_AGENT | agent:write | agent | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | create a new scoped agent after human review |
| route:publish | /internal/routes/publish | PUBLISH_ROUTE | deployment:write | route | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /deployments/dep_repo_5ecad9542449bb30/rollback |
| artifact:publish | /internal/routes/publish | PUBLISH_ARTIFACT | artifact:write | artifact | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | unpublish route or rollback to previous verified deployment |
| media:rights-approve | /media/media:dep_repo_5ecad9542449bb30:home-hero/rights | APPROVE_MEDIA_RIGHTS | media:write | media | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | revoke media rights and remove public derivatives |
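The action plan, proof table and policy table above all apply the same server-side gate: identity from Cloudflare Access, an exact confirmation phrase, the named permission, agents blocked by default, an audit write on every attempt, and required evidence that must be accepted live, where a `.request.json` or local dry run is explicitly not evidence. The following is an added example, not Brixweb's code, showing that gate applied to the production promote. The phrase, permission, evidence refs and blocker wording follow the page; the actor model, the evidence ledger, the audit record shape and the constructed ledger are assumptions.

```typescript
// Added example (not Brixweb's code): one server-side gate that applies the
// dangerous-action policy and the "request artifact is not evidence" rule to
// the production promote. Phrase, permission, evidence refs and blocker names
// follow the page; the actor model, evidence ledger and audit shape are
// assumptions.

interface Actor {
  id: string;
  kind: "human" | "agent";
  identityVerified: boolean;            // Cloudflare Access session; an admin token never sets this
  permissions: ReadonlySet<string>;
}

interface DangerousAction {
  name: string;
  phrase: string;          // must be echoed exactly; no case folding
  permission: string;
  agentAllowed: boolean;   // "Agent blocked by default": false unless a human enabled it
}

interface EvidenceRecord { ref: string; env: "live" | "repo" | "local_dry_run"; accepted: boolean }

interface AuditEvent { action: string; actor: string; decision: "allow" | "deny"; blockers: string[] }

const PROMOTE_PRODUCTION: DangerousAction = {
  name: "route:publish", phrase: "PUBLISH_ROUTE", permission: "deployment:write", agentAllowed: false,
};

// Evidence refs required by the "Promote production route" row above.
const PRODUCTION_EVIDENCE: readonly string[] = [
  "docs/.generated/artifact-upload-verification.json",
  "docs/.generated/media-delivery-live-smoke.json",
  "docs/.generated/prod-live-smoke-report.json",
  "docs/.generated/prod-live-smoke-proof.json",
  "docs/.generated/security-readiness-report.json",
  "docs/.generated/production-v0.1-signoff.json",
];

// A request artifact or local dry run says what should happen; it is not
// proof that it happened, so it can never satisfy a required ref.
function isRequestOrDryRun(ref: string): boolean {
  return ref.endsWith(".request.json") || ref.includes(".local-dry-run.");
}

// The ledger maps each required ref to whatever was linked for it (proof.link);
// linking the .request.json stand-in is the mistake this catches.
function evidenceBlockers(required: readonly string[], ledger: Map<string, EvidenceRecord>): string[] {
  const blockers: string[] = [];
  for (const ref of required) {
    const rec = ledger.get(ref);
    if (!rec) blockers.push(`evidence_missing:${ref}`);
    else if (isRequestOrDryRun(rec.ref) || rec.env !== "live") blockers.push(`request_artifact_not_evidence:${ref}`);
    else if (!rec.accepted) blockers.push(`evidence_not_accepted:${ref}`);
  }
  return blockers;
}

function gateDangerousAction(
  actor: Actor, action: DangerousAction, confirmation: string,
  required: readonly string[], ledger: Map<string, EvidenceRecord>, audit: AuditEvent[],
): { decision: "allow" | "deny"; blockers: string[] } {
  // Collect every blocker rather than stopping at the first, so one audit row
  // shows the owner the whole list instead of one problem per attempt.
  const blockers: string[] = [];
  if (!actor.identityVerified) blockers.push("identity_required");
  if (actor.kind === "agent" && !action.agentAllowed) blockers.push("agent_blocked_by_default");
  if (!actor.permissions.has(action.permission)) blockers.push(`permission_missing:${action.permission}`);
  if (confirmation !== action.phrase) blockers.push("confirmation_phrase_mismatch");
  blockers.push(...evidenceBlockers(required, ledger));
  const decision = blockers.length === 0 ? "allow" : "deny";
  // Every attempt writes audit, denials included: ids and blockers only, no payloads.
  audit.push({ action: action.name, actor: `${actor.kind}:${actor.id}`, decision, blockers: [...blockers] });
  return { decision, blockers };
}

// Constructed ledger: all six refs accepted live, except that the smoke proof
// slot was linked to its .request.json stand-in.
function constructedLedger(): Map<string, EvidenceRecord> {
  const ledger = new Map<string, EvidenceRecord>();
  for (const ref of PRODUCTION_EVIDENCE) ledger.set(ref, { ref, env: "live", accepted: true });
  const proof = "docs/.generated/prod-live-smoke-proof.json";
  ledger.set(proof, { ref: proof.replace(".json", ".request.json"), env: "live", accepted: true });
  return ledger;
}
```

The client preflight in the policy table can run the same checks to give early feedback, but only the server's result counts; a browser or agent that skips the preflight still hits every blocker here, and the denial is audited exactly like an allow.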
Proofs and readiness
| Evidence | Kind | Status | Env | Blocks production | Owner action | Request artifact accepted | Ref |
|---|---|---|---|---|---|---|---|
| Editorial Commerce proof bundle | proof_bundle | Warning | repo | yes | no | No, request artifact is not evidence | packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json |
| Immutable artifact inventory | artifact_inventory | Pass | repo | no | no | No, request artifact is not evidence | dist/releases/latest/artifact-inventory.brix.json |
| R2 artifact upload verification | artifact_verification | Warning | local_dry_run | yes | yes | No, request artifact is not evidence | docs/.generated/artifact-upload-verification.local-dry-run.json |
| Live subdomain smoke report | smoke_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/prod-live-smoke-report.request.json |
| Live smoke proof | smoke_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/prod-live-smoke-proof.request.json |
| Media delivery live smoke | smoke_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/media-delivery-live-smoke.request.json |
| Rollback rehearsal report | rollback_report | Warning | repo | yes | yes | No, request artifact is not evidence | docs/.generated/rollback-rehearsal-report.json |
| Security readiness | security_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/security-readiness-report.request.json |
| Production v0.1 signoff | signoff | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/production-v0.1-signoff.request.json |
Media
| Collection | Assets | Rights | Delivery | CDN host | Origin visible | Private objects visible |
|---|---|---|---|---|---|---|
| Home page media | 3 | Warning | Owner action | media.brixweb.app | no | no |
| Upload intake | Collection | Type | MIME | Bytes | Rights intent | Status | Direct provider upload | Private original visible | Public derivative required |
|---|---|---|---|---|---|---|---|---|---|
| media_intake_home_hero_001 | media_collection_websitesexample_home | image | image/avif | 184320 | customer_provided | accepted | no | no | yes |
| media_intake_home_intro_001 | media_collection_websitesexample_home | video | video/mp4 | 8240000 | licensed | blocked | no | no | yes |
| Asset | Usage | Type | Rights | Rights ref | Alt text | Caption | Quality | Variants | Production blockers | Private original visible | Delivery URL | Source policy |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| media_home_hero_001 | hero | image | owner_action_required | rights:home-hero-001 | Pass | Warning | Pass | avif_1600w, webp_1200w, jpeg_1200w | missing-rights | no | https://media.brixweb.app/websitesexample/home/hero.avif | original_private_derivatives_public |
| media_home_gallery_001 | product-gallery | image | approved | rights:gallery-owner-approved | Pass | Pass | Pass | avif_1200w, webp_1200w, jpeg_1200w | none | no | https://media.brixweb.app/websitesexample/home/gallery-01.webp | original_private_derivatives_public |
| media_home_intro_video_001 | intro-video | video | approved | rights:intro-video-license | Warning | Blocked | Warning | mp4_1080p, webm_1080p, video_poster_avif | missing-caption, missing-video-poster-smoke | no | https://media.brixweb.app/websitesexample/home/intro.mp4 | original_private_derivatives_public |
Secrets and env versions
| Environment | Protection | Active version | Deploy impact | Rollback behavior | Status |
|---|---|---|---|---|---|
| preview | team_only | env-preview-v1 | new_deployment_required | deployment_uses_captured_env | Pass |
| staging | token_protected | env-staging-v1 | new_deployment_required | deployment_uses_captured_env | Warning |
| production | owner_approval_required | env-production-v2 | new_deployment_required | deployment_uses_captured_env | Blocked |
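The table above states two properties: any secret or env change produces a new environment version and needs a new deployment (`new_deployment_required`), and a deployment keeps the env version it was created with, so a rollback runs on the captured snapshot, not on whatever is active now (`deployment_uses_captured_env`). The following is an added example, not Brixweb's code, of a write-only Secret Broker and a versioned Environment Registry that give exactly those semantics. Version ids follow the page (`env-production-v1`, `-v2`); the master-key encryption is stood in for by an opaque ciphertext ref, and all class and method names are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example (not Brixweb's code): a write-only Secret Broker plus a
// versioned Environment Registry, showing why a secret change means
// new_deployment_required and why rollback uses the captured env snapshot.
// Version ids follow the page (env-production-v1, -v2); encryption is stood in
// for by an opaque ciphertext ref, and every class here is an assumption.

type EnvName = "preview" | "staging" | "production";
type Vars = Record<string, string>;

interface SecretMeta { id: string; env: EnvName; name: string; ciphertextRef: string; version: number }

class SecretBroker {
  private readonly vault = new Map<string, string>(); // server-side only
  private readonly meta = new Map<string, SecretMeta>();

  // Write-only for Console and agents: only masked metadata comes back, and
  // there is deliberately no read-by-id method on this class.
  put(env: EnvName, name: string, value: string): SecretMeta {
    const id = `secret-${env}-${name}`;
    const ciphertextRef = `ct_${randomBytes(8).toString("hex")}`;
    this.vault.set(ciphertextRef, value);
    const m: SecretMeta = { id, env, name, ciphertextRef, version: (this.meta.get(id)?.version ?? 0) + 1 };
    this.meta.set(id, m);
    return m;
  }
  // Only the deployment runtime dereferences a ciphertext ref, at boot.
  resolveForRuntime(ciphertextRef: string): string | undefined { return this.vault.get(ciphertextRef); }
}

interface EnvVersion { id: string; vars: Vars; secretRefs: Vars; digest: string }

// The digest covers names and ciphertext refs only, never secret values, so it
// can appear in audit rows and rollback approvals without leaking anything.
function snapshotDigest(vars: Vars, secretRefs: Vars): string {
  const canon = (o: Vars) => JSON.stringify(Object.keys(o).sort().map((k) => [k, o[k]]));
  return "sha256:" + createHash("sha256").update(canon(vars) + "\n" + canon(secretRefs)).digest("hex");
}

class EnvRegistry {
  private readonly versions = new Map<EnvName, EnvVersion[]>();
  active(env: EnvName): EnvVersion | undefined { const l = this.versions.get(env); return l?.[l.length - 1]; }
  version(env: EnvName, id: string): EnvVersion | undefined { return this.versions.get(env)?.find((v) => v.id === id); }
  // Every write appends an immutable version; running deployments keep theirs.
  private append(env: EnvName, vars: Vars, secretRefs: Vars): EnvVersion {
    const list = this.versions.get(env) ?? [];
    const v: EnvVersion = { id: `env-${env}-v${list.length + 1}`, vars, secretRefs, digest: snapshotDigest(vars, secretRefs) };
    list.push(v);
    this.versions.set(env, list);
    return v;
  }
  setVar(env: EnvName, key: string, value: string): EnvVersion {
    const a = this.active(env);
    return this.append(env, { ...(a?.vars ?? {}), [key]: value }, { ...(a?.secretRefs ?? {}) });
  }
  bindSecret(env: EnvName, key: string, secret: SecretMeta): EnvVersion {
    const a = this.active(env);
    return this.append(env, { ...(a?.vars ?? {}) }, { ...(a?.secretRefs ?? {}), [key]: secret.ciphertextRef });
  }
}

interface Deployment { id: string; env: EnvName; envVersion: string; envSnapshotDigest: string }

class DeploymentService {
  private seq = 0;
  readonly deployments = new Map<string, Deployment>();
  private readonly registry: EnvRegistry;
  constructor(registry: EnvRegistry) { this.registry = registry; }

  private record(env: EnvName, v: EnvVersion): Deployment {
    const d: Deployment = { id: `dep_${String(++this.seq).padStart(4, "0")}`, env, envVersion: v.id, envSnapshotDigest: v.digest };
    this.deployments.set(d.id, d);
    return d;
  }
  // A new deployment captures the active version; later writes never reach it.
  create(env: EnvName): Deployment {
    const a = this.registry.active(env);
    if (!a) throw new Error("env_version_missing");
    return this.record(env, a);
  }
  // Rollback takes the two owner-approved inputs named on the page: the
  // previous deployment id and its env snapshot digest. The stored version must
  // still hash to that digest, and the new pointer uses the captured env, not
  // the current one.
  rollback(env: EnvName, previousDeploymentId: string, approvedDigest: string): Deployment {
    const prev = this.deployments.get(previousDeploymentId);
    if (!prev || prev.env !== env) throw new Error("previous_production_deployment_id_missing");
    const v = this.registry.version(env, prev.envVersion);
    if (!v || prev.envSnapshotDigest !== approvedDigest || snapshotDigest(v.vars, v.secretRefs) !== approvedDigest) {
      throw new Error("previous_deployment_env_snapshot_digest_mismatch");
    }
    return this.record(env, v);
  }
}
```

The digest is recomputed from the stored version at rollback time rather than trusted from the record, so a registry row edited after the fact fails the gate; and because the digest never includes a secret value, the `Secret value access: No raw secret access` rule in the organization table holds even for the owner approving the rollback.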
Credential launch packet
Operator-first path for adding Access facts, provider credentials, project secrets, and non-secret env metadata. Values stay server-side; browser and agents receive only masked metadata, ids, commands, and evidence refs.
Configure Cloudflare Access, database, and Secret Broker master key outside git.
- Provider platform docs guardrail (Pass; access_evidence / security_admin)
  - Endpoint or env names: docs/runbooks/provider-platform-docs-verification-runbook.md
  - Cleanup: n/a
  - Evidence: repo-side guardrail only; never live evidence
  - No browser storage / No agent raw access
- Secret Broker master key (Owner action; server_env / owner)
  - Endpoint or env names: server secret store: BRIXWEB_SECRETS_MASTER_KEY + BRIXWEB_SECRETS_MASTER_KEY_ID
  - Cleanup: n/a
  - Evidence: docs/.generated/security-readiness-report.json
  - No browser storage / No agent raw access
- Cloud API Postgres connection (Owner action; server_env / owner)
  - Endpoint or env names: server secret store: DATABASE_URL or BRIXWEB_DATABASE_URL
  - Cleanup: n/a
  - Evidence: docs/.generated/control-plane-smoke-report.md + docs/.generated/security-readiness-report.json
  - No browser storage / No agent raw access
- Cloudflare Access service token for live smoke (Owner action; server_env / owner)
  - Endpoint or env names: local secret env: CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET
  - Cleanup: n/a
  - Evidence: docs/.generated/console-live-smoke-report.json
  - No browser storage / No agent raw access
- Cloudflare Access configuration (Owner action; access_evidence / owner)
  - Endpoint or env names: server env: BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN + BRIXWEB_CONSOLE_ACCESS_AUD + BRIXWEB_CORS_ALLOWLIST
  - Cleanup: n/a
  - Evidence: docs/.generated/cloudflare-access-console-policy-evidence.json
  - No browser storage / No agent raw access
Prepare encrypted provider credential requests locally, preflight them, then post server-side after Access.
- Cloudflare provider credential (Owner action; provider_broker / security_admin)
  - Local prepare command: npm.cmd run provider-credential:intake:prepare -- --provider cloudflare --value-env CLOUDFLARE_API_TOKEN --out .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json
  - Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json
  - Evidence: docs/.generated/provider-broker-cloudflare-evidence.json
  - No browser storage / No agent raw access
- R2 artifact credential (Owner action; provider_broker / security_admin)
  - Local prepare command: npm.cmd run provider-credential:intake:prepare -- --provider r2 --value-env R2_SECRET_ACCESS_KEY --out .brixweb-private/provider-credential-intake/r2-artifact-verification.json
  - Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/r2-artifact-verification.json
  - Evidence: docs/.generated/artifact-upload-verification.json
  - No browser storage / No agent raw access
- Bunny CDN provider credential (Owner action; provider_broker / security_admin)
  - Local prepare command: npm.cmd run provider-credential:intake:prepare -- --provider bunny --value-env BUNNY_API_KEY --out .brixweb-private/provider-credential-intake/bunny-media-cdn.json
  - Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/bunny-media-cdn.json
  - Evidence: docs/.generated/media-delivery-live-smoke.json
  - No browser storage / No agent raw access
- Hetzner control-plane credential (Owner action; provider_broker / security_admin)
  - Local prepare command: npm.cmd run provider-credential:intake:prepare -- --provider hetzner --value-env HETZNER_API_TOKEN --out .brixweb-private/provider-credential-intake/hetzner-readonly.json
  - Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/hetzner-readonly.json
  - Evidence: docs/.generated/hetzner-control-plane-health.json
  - No browser storage / No agent raw access
Use Secret Broker for write-only project values; Console keeps values masked and requires a new deployment snapshot.
- Project integration secret (Warning; secret_broker / admin)
  - Endpoint: /projects/<projectId>/secrets
  - Cleanup: n/a
  - Evidence: docs/.generated/deployment-env-snapshot-proof.json
  - No browser storage / No agent raw access
Use Environment Registry for non-secret hostnames, ids, and flags that become versioned deployment metadata.
- Plain Environment Registry value (Warning; environment_registry / admin)
  - Endpoint: /projects/<projectId>/env-vars
  - Cleanup: n/a
  - Evidence: dist/releases/latest/deployment-env-snapshot.json
  - No browser storage / No agent raw access
Credential intake details
Server-side intake only. Secret Broker, Provider Broker, and Environment Registry own values and refs; Console shows where to enter access material without browser storage or agent raw access.
| Intake ID | Item | Category | Target | Input surface | Endpoint or env names | Local prepare command | Local preflight command | Server-side POST | Clear local env | Delete private file | Private output | Stdout policy | Role | Value handling | Browser storage | Agent access | Audit | Deploy impact | Evidence | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| intake-provider-docs-verification | Provider platform docs guardrail | access_config | access_evidence | local_operator_only | docs/runbooks/provider-platform-docs-verification-runbook.md | n/a | n/a | docs/runbooks/provider-platform-docs-verification-runbook.md | n/a | n/a | n/a | n/a | security_admin | plain_non_secret | No browser secret storage | No agent raw access | audit required | No redeploy | repo-side guardrail only; never live evidence | Pass |
| secret-broker-master-key | Secret Broker master key | system_secret | server_env | local_operator_only | server secret store: BRIXWEB_SECRETS_MASTER_KEY + BRIXWEB_SECRETS_MASTER_KEY_ID | n/a | n/a | server secret store: BRIXWEB_SECRETS_MASTER_KEY + BRIXWEB_SECRETS_MASTER_KEY_ID | n/a | n/a | n/a | n/a | owner | write_only_masked | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/security-readiness-report.json | Owner action |
| control-plane-database-connection | Cloud API Postgres connection | system_secret | server_env | local_operator_only | server secret store: DATABASE_URL or BRIXWEB_DATABASE_URL | n/a | n/a | server secret store: DATABASE_URL or BRIXWEB_DATABASE_URL | n/a | n/a | n/a | n/a | owner | write_only_masked | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/control-plane-smoke-report.md + docs/.generated/security-readiness-report.json | Owner action |
| access-service-token-live-smoke | Cloudflare Access service token for live smoke | system_secret | server_env | local_operator_only | local secret env: CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET | n/a | n/a | local secret env: CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET | n/a | n/a | n/a | n/a | owner | env_name_only | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/console-live-smoke-report.json | Owner action |
| provider-cloudflare | Cloudflare provider credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider cloudflare --value-env CLOUDFLARE_API_TOKEN --out .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\CLOUDFLARE_API_TOKEN | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/provider-broker-cloudflare-evidence.json | Owner action |
| provider-r2-artifact-verification | R2 artifact credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider r2 --value-env R2_SECRET_ACCESS_KEY --out .brixweb-private/provider-credential-intake/r2-artifact-verification.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/r2-artifact-verification.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\R2_SECRET_ACCESS_KEY | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/r2-artifact-verification.json | .brixweb-private/provider-credential-intake/r2-artifact-verification.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/artifact-upload-verification.json | Owner action |
| provider-bunny-media | Bunny CDN provider credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider bunny --value-env BUNNY_API_KEY --out .brixweb-private/provider-credential-intake/bunny-media-cdn.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/bunny-media-cdn.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\BUNNY_API_KEY | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/bunny-media-cdn.json | .brixweb-private/provider-credential-intake/bunny-media-cdn.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/media-delivery-live-smoke.json | Owner action |
| provider-hetzner-readonly | Hetzner control-plane credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider hetzner --value-env HETZNER_API_TOKEN --out .brixweb-private/provider-credential-intake/hetzner-readonly.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/hetzner-readonly.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\HETZNER_API_TOKEN | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/hetzner-readonly.json | .brixweb-private/provider-credential-intake/hetzner-readonly.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/hetzner-control-plane-health.json | Owner action |
| project-secrets | Project integration secret | project_secret | secret_broker | console_server_action_after_access | /projects/<projectId>/secrets | n/a | n/a | /projects/<projectId>/secrets | n/a | n/a | n/a | n/a | admin | write_only_masked | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/deployment-env-snapshot-proof.json | Warning |
| plain-env-registry | Plain Environment Registry value | plain_env | environment_registry | console_server_action_after_access | /projects/<projectId>/env-vars | n/a | n/a | /projects/<projectId>/env-vars | n/a | n/a | n/a | n/a | admin | plain_non_secret | No browser secret storage | No agent raw access | audit required | Requires redeploy | dist/releases/latest/deployment-env-snapshot.json | Warning |
| access-cloudflare-console-api | Cloudflare Access configuration | access_config | access_evidence | local_operator_only | server env: BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN + BRIXWEB_CONSOLE_ACCESS_AUD + BRIXWEB_CORS_ALLOWLIST | n/a | n/a | server env: BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN + BRIXWEB_CONSOLE_ACCESS_AUD + BRIXWEB_CORS_ALLOWLIST | n/a | n/a | n/a | n/a | owner | env_name_only | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/cloudflare-access-console-policy-evidence.json | Owner action |
Environment registry
| Key | Env | Type | Scope | Version | Value | Value readable | Ciphertext ref | Value digest | Deploy impact | Secret version | Last used | Updated |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BRIXWEB_MEDIA_CDN_HOST | all | plain | project | v1 | media.brixweb.app | yes | No ciphertext ref | No value digest | Requires redeploy | n/a | 2026-06-30T00:00:00.000Z | 2026-06-30T00:00:00.000Z |
| SHOPIFY_STOREFRONT_TOKEN | production | secret_ref | environment | v2 | ******** | No raw env value | No ciphertext ref | No value digest | Requires redeploy | redacted-secret-version-ref | not_yet_used_by_live_deployment | 2026-06-30T00:00:00.000Z |
| Key | Env | Version | Type | Value | Value readable | Runtime | Rotation | Policy | Action |
|---|---|---|---|---|---|---|---|---|---|
| BRIXWEB_R2_ARTIFACT_BUCKET | production | v1 | plain_env | ******** | no | build_time | current | requires_redeploy | Rotate secret |
| SHOPIFY_STOREFRONT_TOKEN | production | v2 | secret_env | ******** | no | server_only | rotation_required | requires_redeploy | Rotate secret |
Secret version history
| Key | Env | Version | State | Value | Value readable | Ciphertext ref | Change policy | Rollback behavior | Created by | Created |
|---|---|---|---|---|---|---|---|---|---|---|
| BRIXWEB_R2_ARTIFACT_BUCKET | production | v1 | Current | ******** | No raw secret value | No ciphertext ref | requires_redeploy | deployment_uses_captured_env | human:platform-owner | 2026-06-30T00:00:00.000Z |
| SHOPIFY_STOREFRONT_TOKEN | production | v1 | Previous | ******** | No raw secret value | No ciphertext ref | requires_redeploy | deployment_uses_captured_env | human:platform-owner | 2026-06-29T00:00:00.000Z |
| SHOPIFY_STOREFRONT_TOKEN | production | v2 | Current | ******** | No raw secret value | No ciphertext ref | requires_redeploy | deployment_uses_captured_env | human:platform-owner | 2026-06-30T00:00:00.000Z |
Agents
Allowed: project:read, deployment:create, deployment:preview, proof:write
Denied: production:promote, secret:read-value, domain:delete, organization:admin
| Task | Agent | Env | Purpose | Status | Requested operations | Allowed operations | Blocked operations | Approval | Session binding | Session expiry | Completion proof | Checks | Revoke path | Provider credentials | Secret value | Production promote | Audit |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| task-preview-deploy | preview-deploy-agent | preview | Create verified preview deployment artifacts for websitesexample without touching production. | approved | deployment:create, deployment:preview, proof:write | deployment:create, deployment:preview, proof:write | production:promote, secret:read-value, domain:delete, provider-credential:read-value | allowed | task_bound_short_lived | 2026-07-01T00:00:00.000Z | docs/.generated/agent-task-preview-deploy.json | npm run check:source:platform, npm run smoke:console-browser | POST /agents/:id/revoke | No raw provider credentials | No raw secret access | Agent production promote blocked | Pass |
| task-production-promote | preview-deploy-agent | production | Demonstrate that production promotion is not available to preview agents without human approval. | blocked | production:promote | none | production:promote, secret:read-value, provider-credential:read-value | human_approval_required | blocked_until_human_approval | blocked_until_human_approval | pending | agent-token-negative-access-tests | POST /agents/:id/revoke | No raw provider credentials | No raw secret access | Agent production promote blocked | Blocked |
Settings
- Default domain
- websitesexample.brixweb.app
- Source mode
- client_workspace_metadata_only / sites/clients/websitesexample
- Production source
- manual artifact bundle from verified client workspace package / not_git_connected
- Git integration
- future_feature_not_v0_blocker
- Build
- npm run production:build -> dist/sites/editorial-commerce
- Framework
- brix_site_product / deployments/<deploymentId>/
- Deploy impact
- settings and env changes require a new deployment
- Protection
- team_only_preview_owner_approval_production / blocked_until_verified_live_evidence
- Mutation status
- read_only_until_settings_persistence
- Safety
- No direct Git access / No raw source / No secret values / No raw credentials / No browser provider API access
- Audit
- Cloudflare Access identity required / Admin token not accepted for Console auth / project.settings.update
Audit
| Action | Actor | Resource | Result |
|---|---|---|---|
| route.publish.requested | human:platform-owner | websitesexample.brixweb.app | owner_action_required |
| agent.production_promote.attempt | agent:preview-deploy-agent | dep_repo_5ecad9542449bb30 | blocked |
Production readiness
| Gate | Status | Required | Owner action | Blocks production | Request artifact accepted | Evidence ref |
|---|---|---|---|---|---|---|
| Release artifacts | Pass | yes | no | no | No, request artifact is not evidence | dist/releases/latest/release-manifest.brix.json |
| R2 artifact upload verification | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/artifact-upload-verification.local-dry-run.json |
| Project route registry | Pass | yes | no | no | No, request artifact is not evidence | route:host:websitesexample.brixweb.app |
| media.brixweb.app live delivery smoke | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/media-delivery-live-smoke.json |
| Live project subdomain smoke | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/prod-live-smoke-report.request.json |
| Rollback rehearsal with previous live deployment | Blocked | yes | yes | yes | No, request artifact is not evidence | docs/.generated/rollback-rehearsal-report.json |
| Security readiness | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/security-readiness-report.request.json |
| Production v0.1 signoff | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/production-v0.1-signoff.request.json |
Release blocker ledger
| Check | Categories | Blockers | Owner action | Required evidence | Source command |
|---|---|---|---|---|---|
| site-product-capsules | intentional-alpha | intentional-alpha-graduation-checklist-incomplete | yes | accepted evidence for alpha graduation requirement: workspace-publication-policy, accepted evidence for alpha graduation requirement: live-evidence, accepted evidence for alpha graduation requirement: rollback-previous-deployment | node tools/check-site-product-capsules.mjs --release |
| proof-requirements | owner-action-closure-required | workspace-publication-policy, live-evidence, rollback-previous-deployment | yes | workspace publication policy accepted evidence, live smoke/security/signoff accepted evidence, real previous deployment rollback evidence | node tools/check-proof-requirements.mjs --release |
| workspace-locks | workspace-publication-policy, artifact-upload-verification-owner-action | workspace-publication-policy-release-blocker, artifact-upload-verification-owner-action | yes | public release workspace policy, R2 object-store artifact upload verification | node tools/check-workspace-locks.mjs --release |
| rollback-readiness-action | rollback-readiness-owner-action | rollback-readiness-owner-action | yes | owner-approved previous production deployment id, rollback dry-run and post-rollback smoke evidence | node tools/check-rollback-readiness-action.mjs --release |
| artifact-upload-verification | artifact-upload-verification-owner-action | artifact-upload-verification-owner-action | yes | docs/.generated/artifact-upload-verification.json | node tools/check-artifact-upload-verification.mjs --release |
Owner-action closure map
| Requirement | Status | Blocks release | Trace | Evidence count | Evidence refs | Request artifact accepted |
|---|---|---|---|---|---|---|
| browser-proofs | complete | yes | not-blocked-in-current-ledger | 6 | editorial-commerce.proof-bundle.brix.json, browser-a11y-home.proof-attestation.brix.json, browser-visual-home.proof-attestation.brix.json, browser-performance-home.proof-attestation.brix.json | No, request artifact is not evidence |
| media-replacement | complete | yes | not-blocked-in-current-ledger | 3 | editorial-commerce.media-pack.brix.json, home.media-delivery.brix.json, home.media-quality-report.brix.json | No, request artifact is not evidence |
| media-rights | complete | yes | not-blocked-in-current-ledger | 3 | editorial-commerce.demo-media-rights.brix.json, editorial-commerce.media-replacement-plan.brix.json, home.media-quality-report.brix.json | No, request artifact is not evidence |
| workspace-publication-policy | owner-action-required | yes | open-release-blocker | 2 | workspace publication policy targets public release, workspace lock binds current immutable artifact digest | No, request artifact is not evidence |
| live-evidence | owner-action-required | yes | open-release-blocker | 4 | media-delivery-live-smoke.json, prod-live-smoke-report.json, prod-live-smoke-proof.json, security-readiness-report.json, production-v0.1-signoff.json | No, request artifact is not evidence |
| rollback-previous-deployment | owner-action-required | yes | open-release-blocker | 1 | real previous production deployment id and rollback evidence | No, request artifact is not evidence |
Launch owner-action matrix
| Provider | Surface | Status | Blocks production | Required credential refs | Required env names | Required evidence | Request artifact accepted | Secret values | Raw credentials | Browser provider API | Owner action |
|---|---|---|---|---|---|---|---|---|---|---|---|
| cloudflare | app.brixweb.dev | Owner action | yes | none | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_DEV | docs/.generated/cloudflare-access-console-policy-evidence.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Protect app.brixweb.dev with Cloudflare Access before internal Console launch. |
| cloudflare | api.brixweb.dev | Owner action | yes | none | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_DEV, BRIXWEB_CONSOLE_ALLOWED_EMAILS, BRIXWEB_CONSOLE_DEFAULT_ROLE, BRIXWEB_CONSOLE_REQUIRE_ACCESS_JWT, BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN, BRIXWEB_CONSOLE_ACCESS_AUD, BRIXWEB_CORS_ALLOWLIST | docs/.generated/cloudflare-access-api-policy-evidence.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Protect api.brixweb.dev with Access/auth plus server-side Console RBAC, signed Access JWT verification, and blocked direct origin access. |
| cloudflare | *.brixweb.app | Owner action | yes | provider-credential-cloudflare-production | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_APP, KV_ROUTE_CACHE_NAMESPACE_ID, KV_REGISTRY_NAMESPACE_ID | docs/.generated/edge-worker-smoke-report.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Deploy brixweb-edge with Worker Routes for *.brixweb.app and reserved exact host behavior. |
| cloudflare-r2 | brix-artifacts-public | Owner action | yes | provider-credential-cloudflare-r2-production | BRIXWEB_R2_ENDPOINT, BRIXWEB_R2_REGION, BRIXWEB_R2_ARTIFACT_BUCKET, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | docs/.generated/artifact-upload-verification.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Upload immutable deployment artifacts to R2 and verify every object with HEAD plus digest sampling. |
| bunny | media.brixweb.app | Owner action | yes | provider-credential-bunny-production | BRIXWEB_MEDIA_CDN_HOST, BUNNY_PULL_ZONE_ID | docs/.generated/media-delivery-live-smoke.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Verify media.brixweb.app serves public derivatives and never leaks media-origin or private R2 URLs. |
| hetzner | api.brixweb.dev | Owner action | yes | provider-credential-hetzner-readonly | BRIXWEB_DATABASE_URL, BRIXWEB_ADMIN_TOKEN | docs/.generated/control-plane-smoke-report.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Prove the Hetzner control plane and Postgres-backed Cloud API are healthy behind Access/auth. |
| cloudflare | websitesexample.brixweb.app | Owner action | yes | none | none | docs/.generated/media-delivery-live-smoke.json, docs/.generated/prod-live-smoke-report.json, docs/.generated/prod-live-smoke-proof.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Run live smoke for websitesexample.brixweb.app, reserved hosts, media URLs, noindex, and deployment headers. |
| brixweb-control-plane | route:host:websitesexample.brixweb.app | Owner action | yes | none | none | dist/releases/latest/proofs/rollback-ready.proof.json, dist/releases/latest/proofs/rollback-dry-run.proof.json, docs/.generated/rollback-rehearsal-report.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Prove route pointer rollback from a live deployment to a previous live deployment without rebuild, including previous deployment env snapshot digest binding. |
| brixweb-release | production-v0.1 | Owner action | yes | none | none | docs/.generated/production-v0.1-signoff.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Save final signoff after Worker, R2, Bunny, API, live smoke, security, media, and rollback pass. |
Owner actions
- Configure Cloudflare Access for app.brixweb.dev and api.brixweb.dev.
- Deploy brixweb-edge Worker on *.brixweb.app routes.
- Upload and verify artifacts in R2 before route publish.
- Verify Bunny media CDN on media.brixweb.app.
- Confirm Hetzner control-plane health and Postgres migrations.
- Collect live smoke, rollback rehearsal, security readiness, and signoff evidence.