Brixweb Console / app.brixweb.dev

websitesexample.brixweb.app

Control plane for projects, deployments, domains, env/secrets, agents, audit, rollback, and production readiness.

Blocked
Launch decision summary

Can we publish?

No. Production promote stays disabled until accepted live evidence exists.

Blocked
Pass · Project URL: websitesexample.brixweb.app
Blocked · Publish decision: Publish blocked
Owner action · Next required action: Protect app.brixweb.dev with Cloudflare Access before internal Console launch.
Owner action · Next required evidence: docs/.generated/artifact-upload-verification.local-dry-run.json
Owner action · Next owner action: cloudflare / app.brixweb.dev: Protect app.brixweb.dev with Cloudflare Access before internal Console launch.

Browser mutations remain disabled until Cloudflare Access, object-store verification, live smoke, provider proof, rollback, security readiness, and production signoff are accepted.

Read-only: Browser mutations disabled
Needs live evidence: Access, R2, smoke, rollback, signoff
No raw provider keys: Agents use scoped tasks only
Server broker only: Cloudflare, R2, Bunny, Hetzner operations
Warning · Deployment: promotion_blocked / websitesexample.brixweb.app
Owner action · Secrets and env: Rotation required
Pass · Agent exposure: 2 scoped task(s), no raw access
Warning · Provider proof: 1 live candidate(s)
Blocked · Rollback: docs/.generated/rollback-rehearsal-report.json
Project context

Websites Example is bound to sites/clients/websitesexample without direct Git or raw source access.

Route key: route:host:websitesexample.brixweb.app
Deployment: dep_repo_5ecad9542449bb30 / promotion_blocked
Primary domain: websitesexample.brixweb.app / active
Live API: Awaiting live API
API base
https://api.brixweb.dev
Identity
Access session pending
Project
Websites Example / websitesexample
Projects
1
Source
sites/clients/websitesexample
Deployments
1
Latest deployment
dep_repo_5ecad9542449bb30
Env snapshot
deployment env snapshot pending live read
Domains
3
Environments
3
Env vars
metadata registry pending live read
Routes
1
Protection
Static protection policy
Readiness
Repo scaffold with owner-action blockers
Owner actions
9 blocking owner action(s)
Media
3
Secrets
2 masked secret record(s)
Agents
1
Agent tasks
2
Audit
2
Provider evidence
0 durable provider operation event(s)
Provider gates
provider executor gates pending live read
Browser mutations
Disabled: browser_mutations_disabled_until_live_owner_evidence
Fallback
Read-only shell remains available when Access/API is unavailable; hosted launch still requires live smoke evidence.
Pass · Project route: route:host:websitesexample.brixweb.app
Pass · Env versions: changes require redeploy
Owner action · Live R2 verification: owner action required
Blocked · Production promote: blocked until proof passes

Organization

Name | Slug | Access model | Projects | Members | Status
Brixweb Local | brixweb-local | cloudflare-access-rbac-v0 | 1 | 1 | Warning

Member | Role | Provider | Project scope | Secret value access | Agent owner policy | Audit
[email protected] | owner | cloudflare-access | project_websitesexample | No raw secret access | Agents cannot be owner | Pass

Projects

Create project policy · Pass
Endpoint
POST /projects
Permission
project:write
Slug law
domain-policy / <project>.brixweb.app / route:host:<project>.brixweb.app
Fail closed errors
reserved_project_slug, invalid_project_slug, project_slug_conflict
Reserved examples
media, preview, service, api, admin, cdn, assets
Safety
Cloudflare Access identity required / Admin token not accepted for Console auth / writes audit / no secret values
Name | Organization | Slug | Default host | Route key | Client workspace | Git access | Code storage | Secret storage | Status
Websites Example | org-brixweb-local | websitesexample | websitesexample.brixweb.app | route:host:websitesexample.brixweb.app | sites/clients/websitesexample | No direct Git access | forbidden | forbidden | Warning

Source

Register client workspace · Pass

sites/clients/registry/client-workspaces.brix.json

Actor
human
Audit
source.workspace.register
Production block
Does not block production
Owner action
Repo-ready
Source access
No direct Git access / No raw source archive / credentials forbidden
Accept metadata-only upload package · Pass

/projects/project_websitesexample/source-workspace/upload-packages

Actor
agent
Audit
source.upload_package.accept
Production block
Does not block production
Owner action
Repo-ready
Source access
No direct Git access / No raw source archive / credentials forbidden
Verify artifacts in R2 · Owner action

docs/.generated/artifact-upload-verification.json

Actor
human
Audit
artifact.upload.verify
Production block
Blocks production
Owner action
Owner action required
Source access
No direct Git access / No raw source archive / credentials forbidden
Create preview deployment · Pass

/projects/project_websitesexample/source-workspace/deployments

Actor
agent
Audit
deployment.create
Production block
Does not block production
Owner action
Repo-ready
Source access
No direct Git access / No raw source archive / credentials forbidden
Publish live route · Owner action

/internal/routes/publish

Actor
human
Audit
route.publish
Production block
Blocks production
Owner action
Owner action required
Source access
No direct Git access / No raw source archive / credentials forbidden
Prove rollback target · Owner action

/deployments/dep_repo_5ecad9542449bb30/rollback

Actor
human
Audit
deployment.rollback
Production block
Blocks production
Owner action
Owner action required
Source access
No direct Git access / No raw source archive / credentials forbidden
Client workspace | Intake | Allowed sources | Git access | Source archive | Code storage | Secret storage | Credential storage | Deployment | Artifact root | Package schema | Status
sites/clients/websitesexample | manual_upload | site_product, artifact_bundle, migration_package, local_json_pack, agent_build_output | No direct Git access | No raw source archive | forbidden | forbidden | forbidden | dep_repo_5ecad9542449bb30 | deployments/dep_repo_5ecad9542449bb30/ | sites/clients/schemas/client-upload-package.schema.json | Warning

Upload packages

Package | Source kind | Digest | Artifact inventory | Proof refs | Media manifest | Submitted by | Deployment | Status | Git access | Raw source | Credentials | Production promote
uploadpkg_websitesexample_001 | artifact_bundle | sha256:client-upload-package-websitesexample-001 | dist/releases/latest/artifact-inventory.brix.json | packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json, docs/.generated/artifact-upload-verification.local-dry-run.json | packages/site-products/editorial-commerce/media/home.media-delivery.brix.json | agent | dep_repo_5ecad9542449bb30 | accepted | No direct Git access | No raw source | No raw credentials | Blocked until live evidence
uploadpkg_websitesexample_live_owner_actions | migration_package | sha256:owner-actions-required-before-live-publish | docs/.generated/artifact-upload-verification.json | docs/.generated/prod-live-smoke-proof.request.json, docs/.generated/media-delivery-live-smoke.request.json, docs/.generated/security-readiness-report.request.json | docs/.generated/media-delivery-live-smoke.request.json | human | blocked_until_live_evidence | owner_action_required | No direct Git access | No raw source | No raw credentials | Blocked until live evidence

Deployments

ID | Env | State | Host | Artifact | Proof | Smoke
dep_repo_5ecad9542449bb30 | preview | promotion_blocked | websitesexample.brixweb.app | sha256:2d70bd5d440edc7e872938817ea6b72574b040a6aad7d93bbd6576549c5f4f0e | Warning | Owner action

Deployment logs

Deployment | Action | Actor | Created | Request ID | Payload
dep_repo_5ecad9542449bb30 | deployment.created | human:platform-owner | 2026-06-30T00:00:00.000Z | req-console-deployment-created | control-plane-redacted
dep_repo_5ecad9542449bb30 | route.publish.requested | human:platform-owner | 2026-06-30T00:00:00.000Z | req-console-route-publish | control-plane-redacted

Deployment proofs

Deployment | Proof | Status | Blocks production | Request artifact accepted | Raw payload | Ref
dep_repo_5ecad9542449bb30 | Release manifest | Pass | no | No, request artifact is not evidence | No raw artifact payload | dist/releases/latest/release-manifest.brix.json
dep_repo_5ecad9542449bb30 | Artifact inventory | Pass | no | No, request artifact is not evidence | No raw artifact payload | dist/releases/latest/artifact-inventory.brix.json
dep_repo_5ecad9542449bb30 | Live smoke proof | Owner action | yes | No, request artifact is not evidence | No raw artifact payload | docs/.generated/prod-live-smoke-proof.request.json
dep_repo_5ecad9542449bb30 | Rollback proof | Owner action | yes | No, request artifact is not evidence | No raw artifact payload | docs/.generated/rollback-rehearsal-report.json

Domains

Hostname | Type | Verification | Certificate | Route | DNS host | DNS value | Value kind | DNS purpose | Secret value | Provider credential | Primary | Action | Confirmation
websitesexample.brixweb.app | brix_subdomain | Pass | Owner action | Pass | not required | not required | not_required | default_subdomain | Not a secret value | No provider credential | yes | active | n/a
preview.brixweb.app | brix_subdomain | Blocked | Blocked | Blocked | reserved host | reserved host | not_required | reserved_host | Not a secret value | No provider credential | no | reserved | n/a
client.example.com | custom_domain | Owner action | Owner action | Owner action | _brixweb-challenge.client.example.com | brixweb-verify-domain-client-example | verification_token | ownership_verification | Not a secret value | No provider credential | no | verify_required | custom-domain:verify

Protection

Environment | Default mode | Alias protection | Audience | New deployments | Password hash | Token value | Secret value | Agent production promote | Status
preview | team_only | password | client | yes | No password hash visible | No token value visible | No raw secret access | Agent production promote blocked | Pass
staging | token_protected | token | agent_scoped | yes | No password hash visible | No token value visible | No raw secret access | Agent production promote blocked | Warning
production | owner_approval_required | owner_approval | owner | yes | No password hash visible | No token value visible | No raw secret access | Agent production promote blocked | Blocked

Project actions

Create project · Pass

POST /projects

No confirmation required · Audit project.create
Submit source package · Warning

POST /projects/project_websitesexample/source-workspace/upload-packages

No confirmation required · Audit source.upload_package.accept
Deploy preview · Warning

POST /projects/project_websitesexample/source-workspace/deployments

No confirmation required · Audit deployment.create
Add domain · Warning

POST /projects/project_websitesexample/domains

No confirmation required · Audit domain.create
Delete domain · Warning

DELETE /domains/domain_client_example_com

Confirmation required · Audit domain.delete
Edit secret metadata · Warning

PATCH /projects/project_websitesexample/secrets/secret-production-api-key

No confirmation required · Audit secret.update
Protect preview alias · Pass

POST /projects/project_websitesexample/deployments/dep_repo_5ecad9542449bb30/protected-aliases

No confirmation required · Audit alias.create
Promote production · Blocked

POST /deployments/dep_repo_5ecad9542449bb30/promote

Confirmation required · Audit deployment.promote
Rollback · Owner action

POST /deployments/dep_repo_5ecad9542449bb30/rollback

Confirmation required · Audit deployment.rollback

Governed route action plan

Action | Status | Env | Route key | Endpoint | Phrase | Required evidence | Blockers | Owner action | Browser mutation | Proof gate | Audit
Publish preview route | Warning | preview | route:preview:websitesexample | POST /projects/project_websitesexample/deployments/dep_repo_5ecad9542449bb30/protected-aliases | none | dist/releases/latest/release-manifest.brix.json, dist/releases/latest/artifact-inventory.brix.json, packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json | hosted Console mutations disabled until Access evidence exists | no | Read-only browser; server/API gated | yes | alias.create
Promote production route | Blocked | production | route:host:websitesexample.brixweb.app | POST /internal/routes/publish | PUBLISH_ROUTE | docs/.generated/artifact-upload-verification.json, docs/.generated/media-delivery-live-smoke.json, docs/.generated/prod-live-smoke-report.json, docs/.generated/prod-live-smoke-proof.json, docs/.generated/security-readiness-report.json, docs/.generated/production-v0.1-signoff.json | R2 object-store verification missing, media delivery live smoke missing, live smoke missing, security readiness missing, production signoff missing | yes | Read-only browser; server/API gated | yes | route.publish
Rollback route pointer | Owner action | production | route:host:websitesexample.brixweb.app | POST /deployments/dep_repo_5ecad9542449bb30/rollback | ROLLBACK | dist/releases/latest/proofs/rollback-ready.proof.json, dist/releases/latest/proofs/rollback-dry-run.proof.json, owner-approved previous production deployment id, owner-approved previous deployment env snapshot digest | previous production deployment id missing, previous deployment env snapshot digest missing, rollback proof not accepted as live evidence | yes | Read-only browser; server/API gated | yes | deployment.rollback
Link proof, smoke, media, and rollback evidence | Owner action | production | route:host:websitesexample.brixweb.app | POST /deployments/dep_repo_5ecad9542449bb30/proofs | none | packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json, docs/.generated/prod-live-smoke-proof.json, docs/.generated/media-delivery-live-smoke.json, dist/releases/latest/proofs/rollback-ready.proof.json, dist/releases/latest/proofs/rollback-dry-run.proof.json | live smoke proof missing, media live smoke missing, rollback live proof missing | yes | Read-only browser; server/API gated | yes | proof.link

Provider operation plans

Operation | Provider | Executor | Status | Live candidate | Credential ID | Credential refs | Required env names | Resolver | Worker | Owner actions | Blockers | Provider credentials | Credential value | Ciphertext ref | Browser
provider.cloudflare.r2.uploadArtifact | cloudflare-r2 | hosted | missing-config | no | provider-credential-cloudflare-r2-production | provider-credential-cloudflare-r2-production | CLOUDFLARE_ACCOUNT_ID, BRIXWEB_R2_ENDPOINT, BRIXWEB_R2_ARTIFACT_BUCKET, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-r2-provider-credential-ref, capture-live-upload-evidence | provider_credential_resolver_missing, live_artifact_upload_evidence_missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only
provider.cloudflare.kv.putRoute | cloudflare | hosted | missing-config | no | provider-credential-cloudflare-production | provider-credential-cloudflare-production | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_APP, KV_ROUTE_CACHE_NAMESPACE_ID, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-cloudflare-provider-credential-ref, capture-route-publish-evidence | provider_credential_resolver_missing, live_route_publish_evidence_missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only
provider.bunny.pullzone.purge | bunny | hosted | missing-config | no | provider-credential-bunny-production | provider-credential-bunny-production | BUNNY_PULL_ZONE_ID, BRIXWEB_MEDIA_CDN_HOST, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-bunny-provider-credential-ref, capture-media-cdn-evidence | provider_credential_resolver_missing, live_media_cdn_evidence_missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only
provider.hetzner.firewall.verify | hetzner | hosted | live-candidate | yes | provider-credential-hetzner-readonly | provider-credential-hetzner-readonly | BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | required | required | configure-provider-credential-resolver, attach-hetzner-readonly-provider-credential-ref, capture-hetzner-firewall-proof | provider_credential_resolver_missing, provider-broker-hetzner-firewall-proof-missing | No raw provider credentials | No credential value | No ciphertext ref | Server broker only

Dangerous action policy

Action | Endpoint | Phrase | Permission | Scope | Identity | Confirmation | Audit | Agent default | Server | Client | Rollback or revocation
deployment:promote | /deployments/dep_repo_5ecad9542449bb30/promote | PROMOTE | deployment:write | deployment | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /deployments/dep_repo_5ecad9542449bb30/rollback
deployment:rollback | /deployments/dep_repo_5ecad9542449bb30/rollback | ROLLBACK | deployment:write | deployment | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | route pointer can be promoted back to the replaced deployment after live smoke
custom-domain:verify | /domains/domain_client_example_com/verify | VERIFY_DOMAIN | domain:write | domain | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | remove or suspend the custom domain mapping
domain:delete | /domains/domain_client_example_com | DELETE_DOMAIN | domain:write | domain | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | re-add the domain and reverify ownership before routing traffic again
secret:create | /projects/project_websitesexample/secrets | CREATE_SECRET | secret:write | secret | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /projects/project_websitesexample/secrets/<secretId>
secret:rotate | /projects/project_websitesexample/secrets/secret-production-api-key/rotate | ROTATE_SECRET | secret:write | secret | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | create a new deployment with the previous captured env version
secret:delete | /projects/project_websitesexample/secrets/secret-production-api-key | DELETE_SECRET | secret:write | secret | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | recreate secret and redeploy dependent environments
agent-token:create | /agents/agent-preview-deploy/tokens | CREATE_AGENT_TOKEN | agent:write | agent | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /agents/agent-preview-deploy/revoke
agent:revoke | /agents/agent-preview-deploy/revoke | REVOKE_AGENT | agent:write | agent | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | create a new scoped agent after human review
route:publish | /internal/routes/publish | PUBLISH_ROUTE | deployment:write | route | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | /deployments/dep_repo_5ecad9542449bb30/rollback
artifact:publish | /internal/routes/publish | PUBLISH_ARTIFACT | artifact:write | artifact | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | unpublish route or rollback to previous verified deployment
media:rights-approve | /media/media:dep_repo_5ecad9542449bb30:home-hero/rights | APPROVE_MEDIA_RIGHTS | media:write | media | identity required | confirmation required | writes audit | Agent blocked by default | server validated | client preflight | revoke media rights and remove public derivatives

Proofs and readiness

Evidence | Kind | Status | Env | Blocks production | Owner action | Request artifact accepted | Ref
Editorial Commerce proof bundle | proof_bundle | Warning | repo | yes | no | No, request artifact is not evidence | packages/site-products/editorial-commerce/proof/editorial-commerce.proof-bundle.brix.json
Immutable artifact inventory | artifact_inventory | Pass | repo | no | no | No, request artifact is not evidence | dist/releases/latest/artifact-inventory.brix.json
R2 artifact upload verification | artifact_verification | Warning | local_dry_run | yes | yes | No, request artifact is not evidence | docs/.generated/artifact-upload-verification.local-dry-run.json
Live subdomain smoke report | smoke_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/prod-live-smoke-report.request.json
Live smoke proof | smoke_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/prod-live-smoke-proof.request.json
Media delivery live smoke | smoke_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/media-delivery-live-smoke.request.json
Rollback rehearsal report | rollback_report | Warning | repo | yes | yes | No, request artifact is not evidence | docs/.generated/rollback-rehearsal-report.json
Security readiness | security_report | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/security-readiness-report.request.json
Production v0.1 signoff | signoff | Owner action | live | yes | yes | No, request artifact is not evidence | docs/.generated/production-v0.1-signoff.request.json

Media

Collection | Assets | Rights | Delivery | CDN host | Origin visible | Private objects visible
Home page media | 3 | Warning | Owner action | media.brixweb.app | no | no

Upload intake | Collection | Type | MIME | Bytes | Rights intent | Status | Direct provider upload | Private original visible | Public derivative required
media_intake_home_hero_001 | media_collection_websitesexample_home | image | image/avif | 184320 | customer_provided | accepted | no | no | yes
media_intake_home_intro_001 | media_collection_websitesexample_home | video | video/mp4 | 8240000 | licensed | blocked | no | no | yes

Asset | Usage | Type | Rights | Rights ref | Alt text | Caption | Quality | Variants | Production blockers | Private original visible | Delivery URL | Source policy
media_home_hero_001 | hero | image | owner_action_required | rights:home-hero-001 | Pass | Warning | Pass | avif_1600w, webp_1200w, jpeg_1200w | missing-rights | no | https://media.brixweb.app/websitesexample/home/hero.avif | original_private_derivatives_public
media_home_gallery_001 | product-gallery | image | approved | rights:gallery-owner-approved | Pass | Pass | Pass | avif_1200w, webp_1200w, jpeg_1200w | none | no | https://media.brixweb.app/websitesexample/home/gallery-01.webp | original_private_derivatives_public
media_home_intro_video_001 | intro-video | video | approved | rights:intro-video-license | Warning | Blocked | Warning | mp4_1080p, webm_1080p, video_poster_avif | missing-caption, missing-video-poster-smoke | no | https://media.brixweb.app/websitesexample/home/intro.mp4 | original_private_derivatives_public

Secrets and env versions

Environment | Protection | Active version | Deploy impact | Rollback behavior | Status
preview | team_only | env-preview-v1 | new_deployment_required | deployment_uses_captured_env | Pass
staging | token_protected | env-staging-v1 | new_deployment_required | deployment_uses_captured_env | Warning
production | owner_approval_required | env-production-v2 | new_deployment_required | deployment_uses_captured_env | Blocked

Credential launch packet

Operator-first path for adding Access facts, provider credentials, project secrets, and non-secret env metadata. Values stay server-side; browser and agents receive only masked metadata, ids, commands, and evidence refs.

1. Bootstrap trust · Owner action

Configure Cloudflare Access, database, and Secret Broker master key outside git.

  1. Provider platform docs guardrail · Pass · access_evidence / security_admin · docs/runbooks/provider-platform-docs-verification-runbook.md · Cleanup: n/a · Evidence: repo-side guardrail only; never live evidence · No browser storage / No agent raw access
  2. Secret Broker master key · Owner action · server_env / owner · server secret store: BRIXWEB_SECRETS_MASTER_KEY + BRIXWEB_SECRETS_MASTER_KEY_ID · Cleanup: n/a · Evidence: docs/.generated/security-readiness-report.json · No browser storage / No agent raw access
  3. Cloud API Postgres connection · Owner action · server_env / owner · server secret store: DATABASE_URL or BRIXWEB_DATABASE_URL · Cleanup: n/a · Evidence: docs/.generated/control-plane-smoke-report.md + docs/.generated/security-readiness-report.json · No browser storage / No agent raw access
  4. Cloudflare Access service token for live smoke · Owner action · server_env / owner · local secret env: CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET · Cleanup: n/a · Evidence: docs/.generated/console-live-smoke-report.json · No browser storage / No agent raw access
  5. Cloudflare Access configuration · Owner action · access_evidence / owner · server env: BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN + BRIXWEB_CONSOLE_ACCESS_AUD + BRIXWEB_CORS_ALLOWLIST · Cleanup: n/a · Evidence: docs/.generated/cloudflare-access-console-policy-evidence.json · No browser storage / No agent raw access
2. Broker provider access · Owner action

Prepare encrypted provider credential requests locally, preflight them, then post server-side after Access.

  1. Cloudflare provider credential · Owner action · provider_broker / security_admin · npm.cmd run provider-credential:intake:prepare -- --provider cloudflare --value-env CLOUDFLARE_API_TOKEN --out .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json · Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json · Evidence: docs/.generated/provider-broker-cloudflare-evidence.json · No browser storage / No agent raw access
  2. R2 artifact credential · Owner action · provider_broker / security_admin · npm.cmd run provider-credential:intake:prepare -- --provider r2 --value-env R2_SECRET_ACCESS_KEY --out .brixweb-private/provider-credential-intake/r2-artifact-verification.json · Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/r2-artifact-verification.json · Evidence: docs/.generated/artifact-upload-verification.json · No browser storage / No agent raw access
  3. Bunny CDN provider credential · Owner action · provider_broker / security_admin · npm.cmd run provider-credential:intake:prepare -- --provider bunny --value-env BUNNY_API_KEY --out .brixweb-private/provider-credential-intake/bunny-media-cdn.json · Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/bunny-media-cdn.json · Evidence: docs/.generated/media-delivery-live-smoke.json · No browser storage / No agent raw access
  4. Hetzner control-plane credential · Owner action · provider_broker / security_admin · npm.cmd run provider-credential:intake:prepare -- --provider hetzner --value-env HETZNER_API_TOKEN --out .brixweb-private/provider-credential-intake/hetzner-readonly.json · Cleanup: Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/hetzner-readonly.json · Evidence: docs/.generated/hetzner-control-plane-health.json · No browser storage / No agent raw access
3. Add project secrets · Warning

Use Secret Broker for write-only project values; Console keeps values masked and requires a new deployment snapshot.

  1. Project integration secret · Warning · secret_broker / admin · /projects/<projectId>/secrets · Cleanup: n/a · Evidence: docs/.generated/deployment-env-snapshot-proof.json · No browser storage / No agent raw access
4. Add public env metadata · Warning

Use Environment Registry for non-secret hostnames, ids, and flags that become versioned deployment metadata.

  1. Plain Environment Registry value · Warning · environment_registry / admin · /projects/<projectId>/env-vars · Cleanup: n/a · Evidence: dist/releases/latest/deployment-env-snapshot.json · No browser storage / No agent raw access

Credential intake details

Server-side intake only. Secret Broker, Provider Broker, and Environment Registry own values and refs; Console shows where to enter access material without browser storage or agent raw access.

Intake ID | Item | Category | Target | Input surface | Endpoint or env names | Local prepare command | Local preflight command | Server-side POST | Clear local env | Delete private file | Private output | Stdout policy | Role | Value handling | Browser storage | Agent access | Audit | Deploy impact | Evidence | Status
intake-provider-docs-verification | Provider platform docs guardrail | access_config | access_evidence | local_operator_only | docs/runbooks/provider-platform-docs-verification-runbook.md | n/a | n/a | docs/runbooks/provider-platform-docs-verification-runbook.md | n/a | n/a | n/a | n/a | security_admin | plain_non_secret | No browser secret storage | No agent raw access | audit required | No redeploy | repo-side guardrail only; never live evidence | Pass
secret-broker-master-key | Secret Broker master key | system_secret | server_env | local_operator_only | server secret store: BRIXWEB_SECRETS_MASTER_KEY + BRIXWEB_SECRETS_MASTER_KEY_ID | n/a | n/a | server secret store: BRIXWEB_SECRETS_MASTER_KEY + BRIXWEB_SECRETS_MASTER_KEY_ID | n/a | n/a | n/a | n/a | owner | write_only_masked | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/security-readiness-report.json | Owner action
control-plane-database-connection | Cloud API Postgres connection | system_secret | server_env | local_operator_only | server secret store: DATABASE_URL or BRIXWEB_DATABASE_URL | n/a | n/a | server secret store: DATABASE_URL or BRIXWEB_DATABASE_URL | n/a | n/a | n/a | n/a | owner | write_only_masked | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/control-plane-smoke-report.md + docs/.generated/security-readiness-report.json | Owner action
access-service-token-live-smoke | Cloudflare Access service token for live smoke | system_secret | server_env | local_operator_only | local secret env: CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET | n/a | n/a | local secret env: CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET | n/a | n/a | n/a | n/a | owner | env_name_only | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/console-live-smoke-report.json | Owner action
provider-cloudflare | Cloudflare provider credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider cloudflare --value-env CLOUDFLARE_API_TOKEN --out .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\CLOUDFLARE_API_TOKEN | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | .brixweb-private/provider-credential-intake/cloudflare-deploy-token.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/provider-broker-cloudflare-evidence.json | Owner action
provider-r2-artifact-verification | R2 artifact credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider r2 --value-env R2_SECRET_ACCESS_KEY --out .brixweb-private/provider-credential-intake/r2-artifact-verification.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/r2-artifact-verification.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\R2_SECRET_ACCESS_KEY | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/r2-artifact-verification.json | .brixweb-private/provider-credential-intake/r2-artifact-verification.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/artifact-upload-verification.json | Owner action
provider-bunny-media | Bunny CDN provider credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider bunny --value-env BUNNY_API_KEY --out .brixweb-private/provider-credential-intake/bunny-media-cdn.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/bunny-media-cdn.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\BUNNY_API_KEY | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/bunny-media-cdn.json | .brixweb-private/provider-credential-intake/bunny-media-cdn.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/media-delivery-live-smoke.json | Owner action
provider-hetzner-readonly | Hetzner control-plane credential | provider_credential | provider_broker | console_server_action_after_access | /organizations/<organizationId>/provider-credentials | npm.cmd run provider-credential:intake:prepare -- --provider hetzner --value-env HETZNER_API_TOKEN --out .brixweb-private/provider-credential-intake/hetzner-readonly.json | npm.cmd run provider-credential:intake:preflight -- --input .brixweb-private/provider-credential-intake/hetzner-readonly.json | server-side-console-api-after-access / POST /organizations/<organizationId>/provider-credentials | Remove-Item Env:\HETZNER_API_TOKEN | Remove-Item -LiteralPath .brixweb-private/provider-credential-intake/hetzner-readonly.json | .brixweb-private/provider-credential-intake/hetzner-readonly.json | No encrypted material stdout | security_admin | write_only_masked | No browser secret storage | No agent raw access | audit required | No redeploy | docs/.generated/hetzner-control-plane-health.json | Owner action
project-secrets | Project integration secret | project_secret | secret_broker | console_server_action_after_access | /projects/<projectId>/secrets | n/a | n/a | /projects/<projectId>/secrets | n/a | n/a | n/a | n/a | admin | write_only_masked | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/deployment-env-snapshot-proof.json | Warning
plain-env-registry | Plain Environment Registry value | plain_env | environment_registry | console_server_action_after_access | /projects/<projectId>/env-vars | n/a | n/a | /projects/<projectId>/env-vars | n/a | n/a | n/a | n/a | admin | plain_non_secret | No browser secret storage | No agent raw access | audit required | Requires redeploy | dist/releases/latest/deployment-env-snapshot.json | Warning
access-cloudflare-console-api | Cloudflare Access configuration | access_config | access_evidence | local_operator_only | server env: BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN + BRIXWEB_CONSOLE_ACCESS_AUD + BRIXWEB_CORS_ALLOWLIST | n/a | n/a | server env: BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN + BRIXWEB_CONSOLE_ACCESS_AUD + BRIXWEB_CORS_ALLOWLIST | n/a | n/a | n/a | n/a | owner | env_name_only | No browser secret storage | No agent raw access | audit required | Requires redeploy | docs/.generated/cloudflare-access-console-policy-evidence.json | Owner action

Environment registry

Key | Env | Type | Scope | Version | Value | Value readable | Ciphertext ref | Value digest | Deploy impact | Secret version | Last used | Updated
BRIXWEB_MEDIA_CDN_HOST | all | plain | project | v1 | media.brixweb.app | yes | No ciphertext ref | No value digest | Requires redeploy | n/a | 2026-06-30T00:00:00.000Z | 2026-06-30T00:00:00.000Z
SHOPIFY_STOREFRONT_TOKEN | production | secret_ref | environment | v2 | ******** | No raw env value | No ciphertext ref | No value digest | Requires redeploy | redacted-secret-version-ref | not_yet_used_by_live_deployment | 2026-06-30T00:00:00.000Z

Key | Env | Version | Type | Value | Value readable | Runtime | Rotation | Policy | Action
BRIXWEB_R2_ARTIFACT_BUCKET | production | v1 | plain_env | ******** | no | build_time | current | requires_redeploy | Rotate secret
SHOPIFY_STOREFRONT_TOKEN | production | v2 | secret_env | ******** | no | server_only | rotation_required | requires_redeploy | Rotate secret

Secret version history

Key | Env | Version | State | Value | Value readable | Ciphertext ref | Change policy | Rollback behavior | Created by | Created
BRIXWEB_R2_ARTIFACT_BUCKET | production | v1 | Current | ******** | No raw secret value | No ciphertext ref | requires_redeploy | deployment_uses_captured_env | human:platform-owner | 2026-06-30T00:00:00.000Z
SHOPIFY_STOREFRONT_TOKEN | production | v1 | Previous | ******** | No raw secret value | No ciphertext ref | requires_redeploy | deployment_uses_captured_env | human:platform-owner | 2026-06-29T00:00:00.000Z
SHOPIFY_STOREFRONT_TOKEN | production | v2 | Current | ******** | No raw secret value | No ciphertext ref | requires_redeploy | deployment_uses_captured_env | human:platform-owner | 2026-06-30T00:00:00.000Z

Agents

preview-deploy-agent / agent.deployer.preview

Allowed: project:read, deployment:create, deployment:preview, proof:write

Denied: production:promote, secret:read-value, domain:delete, organization:admin

Expires 2026-07-07T00:00:00.000Z
Task | Agent | Env | Purpose | Status | Requested operations | Allowed operations | Blocked operations | Approval | Session binding | Session expiry | Completion proof | Checks | Revoke path | Provider credentials | Secret value | Production promote | Audit
task-preview-deploy | preview-deploy-agent | preview | Create verified preview deployment artifacts for websitesexample without touching production. | approved | deployment:create, deployment:preview, proof:write | deployment:create, deployment:preview, proof:write | production:promote, secret:read-value, domain:delete, provider-credential:read-value | allowed | task_bound_short_lived | 2026-07-01T00:00:00.000Z | docs/.generated/agent-task-preview-deploy.json | npm run check:source:platform, npm run smoke:console-browser | POST /agents/:id/revoke | No raw provider credentials | No raw secret access | Agent production promote blocked | Pass
task-production-promote | preview-deploy-agent | production | Demonstrate that production promotion is not available to preview agents without human approval. | blocked | production:promote | none | production:promote, secret:read-value, provider-credential:read-value | human_approval_required | blocked_until_human_approval | blocked_until_human_approval | pending | agent-token-negative-access-tests | POST /agents/:id/revoke | No raw provider credentials | No raw secret access | Agent production promote blocked | Blocked

Settings

Websites Example settings (Warning)
Default domain
websitesexample.brixweb.app
Source mode
client_workspace_metadata_only / sites/clients/websitesexample
Production source
manual artifact bundle from verified client workspace package / not_git_connected
Git integration
future_feature_not_v0_blocker
Build
npm run production:build -> dist/sites/editorial-commerce
Framework
brix_site_product / deployments/<deploymentId>/
Deploy impact
settings and env changes require a new deployment
Protection
team_only_preview_owner_approval_production / blocked_until_verified_live_evidence
Mutation status
read_only_until_settings_persistence
Safety
No direct Git access / No raw source / No secret values / No raw credentials / No browser provider API access
Audit
Cloudflare Access identity required / Admin token not accepted for Console auth / project.settings.update

Audit

Action | Actor | Resource | Result
route.publish.requested | human:platform-owner | websitesexample.brixweb.app | owner_action_required
agent.production_promote.attempt | agent:preview-deploy-agent | dep_repo_5ecad9542449bb30 | blocked

Production readiness

Gate | Status | Required | Owner action | Blocks production | Request artifact accepted | Evidence ref
Release artifacts | Pass | yes | no | no | No, request artifact is not evidence | dist/releases/latest/release-manifest.brix.json
R2 artifact upload verification | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/artifact-upload-verification.local-dry-run.json
Project route registry | Pass | yes | no | no | No, request artifact is not evidence | route:host:websitesexample.brixweb.app
media.brixweb.app live delivery smoke | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/media-delivery-live-smoke.json
Live project subdomain smoke | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/prod-live-smoke-report.request.json
Rollback rehearsal with previous live deployment | Blocked | yes | yes | yes | No, request artifact is not evidence | docs/.generated/rollback-rehearsal-report.json
Security readiness | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/security-readiness-report.request.json
Production v0.1 signoff | Owner action | yes | yes | yes | No, request artifact is not evidence | docs/.generated/production-v0.1-signoff.request.json

Release blocker ledger

Check | Categories | Blockers | Owner action | Required evidence | Source command
site-product-capsules | intentional-alpha | intentional-alpha-graduation-checklist-incomplete | yes | accepted evidence for alpha graduation requirement: workspace-publication-policy, accepted evidence for alpha graduation requirement: live-evidence, accepted evidence for alpha graduation requirement: rollback-previous-deployment | node tools/check-site-product-capsules.mjs --release
proof-requirements | owner-action-closure-required | workspace-publication-policy, live-evidence, rollback-previous-deployment | yes | workspace publication policy accepted evidence, live smoke/security/signoff accepted evidence, real previous deployment rollback evidence | node tools/check-proof-requirements.mjs --release
workspace-locks | workspace-publication-policy, artifact-upload-verification-owner-action | workspace-publication-policy-release-blocker, artifact-upload-verification-owner-action | yes | public release workspace policy, R2 object-store artifact upload verification | node tools/check-workspace-locks.mjs --release
rollback-readiness-action | rollback-readiness-owner-action | rollback-readiness-owner-action | yes | owner-approved previous production deployment id, rollback dry-run and post-rollback smoke evidence | node tools/check-rollback-readiness-action.mjs --release
artifact-upload-verification | artifact-upload-verification-owner-action | artifact-upload-verification-owner-action | yes | docs/.generated/artifact-upload-verification.json | node tools/check-artifact-upload-verification.mjs --release

Owner-action closure map

Requirement | Status | Blocks release | Trace | Evidence count | Evidence refs | Request artifact accepted
browser-proofs | complete | yes | not-blocked-in-current-ledger | 6 | editorial-commerce.proof-bundle.brix.json, browser-a11y-home.proof-attestation.brix.json, browser-visual-home.proof-attestation.brix.json, browser-performance-home.proof-attestation.brix.json | No, request artifact is not evidence
media-replacement | complete | yes | not-blocked-in-current-ledger | 3 | editorial-commerce.media-pack.brix.json, home.media-delivery.brix.json, home.media-quality-report.brix.json | No, request artifact is not evidence
media-rights | complete | yes | not-blocked-in-current-ledger | 3 | editorial-commerce.demo-media-rights.brix.json, editorial-commerce.media-replacement-plan.brix.json, home.media-quality-report.brix.json | No, request artifact is not evidence
workspace-publication-policy | owner-action-required | yes | open-release-blocker | 2 | workspace publication policy targets public release, workspace lock binds current immutable artifact digest | No, request artifact is not evidence
live-evidence | owner-action-required | yes | open-release-blocker | 4 | media-delivery-live-smoke.json, prod-live-smoke-report.json, prod-live-smoke-proof.json, security-readiness-report.json, production-v0.1-signoff.json | No, request artifact is not evidence
rollback-previous-deployment | owner-action-required | yes | open-release-blocker | 1 | real previous production deployment id and rollback evidence | No, request artifact is not evidence

Launch owner-action matrix

Provider | Surface | Status | Blocks production | Required credential refs | Required env names | Required evidence | Request artifact accepted | Secret values | Raw credentials | Browser provider API | Owner action
cloudflare | app.brixweb.dev | Owner action | yes | none | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_DEV | docs/.generated/cloudflare-access-console-policy-evidence.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Protect app.brixweb.dev with Cloudflare Access before internal Console launch.
cloudflare | api.brixweb.dev | Owner action | yes | none | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_DEV, BRIXWEB_CONSOLE_ALLOWED_EMAILS, BRIXWEB_CONSOLE_DEFAULT_ROLE, BRIXWEB_CONSOLE_REQUIRE_ACCESS_JWT, BRIXWEB_CONSOLE_ACCESS_TEAM_DOMAIN, BRIXWEB_CONSOLE_ACCESS_AUD, BRIXWEB_CORS_ALLOWLIST | docs/.generated/cloudflare-access-api-policy-evidence.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Protect api.brixweb.dev with Access/auth plus server-side Console RBAC, signed Access JWT verification, and blocked direct origin access.
cloudflare | *.brixweb.app | Owner action | yes | provider-credential-cloudflare-production | CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ZONE_ID_APP, KV_ROUTE_CACHE_NAMESPACE_ID, KV_REGISTRY_NAMESPACE_ID | docs/.generated/edge-worker-smoke-report.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Deploy brixweb-edge with Worker Routes for *.brixweb.app and reserved exact host behavior.
cloudflare-r2 | brix-artifacts-public | Owner action | yes | provider-credential-cloudflare-r2-production | BRIXWEB_R2_ENDPOINT, BRIXWEB_R2_REGION, BRIXWEB_R2_ARTIFACT_BUCKET, BRIXWEB_PROVIDER_CREDENTIAL_RESOLVER | docs/.generated/artifact-upload-verification.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Upload immutable deployment artifacts to R2 and verify every object with HEAD plus digest sampling.
bunny | media.brixweb.app | Owner action | yes | provider-credential-bunny-production | BRIXWEB_MEDIA_CDN_HOST, BUNNY_PULL_ZONE_ID | docs/.generated/media-delivery-live-smoke.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Verify media.brixweb.app serves public derivatives and never leaks media-origin or private R2 URLs.
hetzner | api.brixweb.dev | Owner action | yes | provider-credential-hetzner-readonly | BRIXWEB_DATABASE_URL, BRIXWEB_ADMIN_TOKEN | docs/.generated/control-plane-smoke-report.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Prove the Hetzner control plane and Postgres-backed Cloud API are healthy behind Access/auth.
cloudflare | websitesexample.brixweb.app | Owner action | yes | none | none | docs/.generated/media-delivery-live-smoke.json, docs/.generated/prod-live-smoke-report.json, docs/.generated/prod-live-smoke-proof.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Run live smoke for websitesexample.brixweb.app, reserved hosts, media URLs, noindex, and deployment headers.
brixweb-control-plane | route:host:websitesexample.brixweb.app | Owner action | yes | none | none | dist/releases/latest/proofs/rollback-ready.proof.json, dist/releases/latest/proofs/rollback-dry-run.proof.json, docs/.generated/rollback-rehearsal-report.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Prove route pointer rollback from a live deployment to a previous live deployment without rebuild, including previous deployment env snapshot digest binding.
brixweb-release | production-v0.1 | Owner action | yes | none | none | docs/.generated/production-v0.1-signoff.json | No, request artifact is not evidence | No secret values | No raw credentials | No browser provider API access | Save final signoff after Worker, R2, Bunny, API, live smoke, security, media, and rollback pass.

Owner Actions

  1. Configure Cloudflare Access for app.brixweb.dev and api.brixweb.dev.
  2. Deploy brixweb-edge Worker on *.brixweb.app routes.
  3. Upload and verify artifacts in R2 before route publish.
  4. Verify Bunny media CDN on media.brixweb.app.
  5. Confirm Hetzner control-plane health and Postgres migrations.
  6. Collect live smoke, rollback rehearsal, security readiness, and signoff evidence.