Cloudflare
project: hinata-infrastructure
type: provider-doc
status: live
owner: jimmy-neutron
created: 2026-05-24

The public-edge layer of Hinata. Two Pages projects, one Worker, one D1, one tunnel (currently dormant), one ACL-style application gate that lives in code (no longer in Zero Trust).
Single source of truth for everything Cloudflare-side. If a fact about CF lives anywhere else and contradicts this file, this file wins — update the other place.
Account
| Field | Value |
| --- | --- |
| Account ID | dc4b3e895e741f4b5e46ece136383512 |
| Pages owner email | michael_nnamah@outlook.com (CF account) |
| Tailnet email | michael.asolo1@gmail.com (separate identity) |
| Tier | Free (Pages + Workers + D1 free tiers) |
The split between the CF account email and the Tailscale / Google identities is intentional but worth noting — credential recovery requires access to the outlook.com inbox.
Domain
| Domain | Status | Pages binding | Notes |
| --- | --- | --- | --- |
| michael-engineer.dev | LIVE — public | Pages project `michael-engineer` | Recruiter / portfolio surface. MUST stay 200 always (website-audit invariant #1) |
| studio.michael-engineer.dev | LIVE — gated | Pages project `hinata-studio` | Personal Studio. Gated by `_middleware.js` (onigiri / device-cookie). Invariant #2 |
DNS records: managed in Cloudflare's DNS for michael-engineer.dev. Apex and subdomain both proxied (orange-cloud).
Pages projects
hinata-studio
| Field | Value |
| --- | --- |
| Project name | hinata-studio |
| Custom domain | studio.michael-engineer.dev |
| Default subdomain | hinata-studio.pages.dev |
| Source | Direct upload via `wrangler pages deploy` (no Git connection) |
| Build output | `dist/` (vite) |
| Deploy script | `/Users/nnamdi/Sandpit/hinata/applications/deploy-to-prod.command` |
| Branch | prod |
| Functions | YES — `applications/hinata-studio/functions/_middleware.js` |
| Last prod deploy | 2dce69f (2026-06-03) — gate rotated; STUDIO path fixed; hinata_dv cookie |
The functions/_middleware.js Pages Function runs ahead of every request and is the canonical gate for the studio. It checks for:
* `hinata_session` cookie (2h TTL, set after submitting password `onigiri`)
* `hinata_dv` cookie (1y TTL, set via `/__enroll?k=u1w8ZHwcMfimDDKgvQmTOQ`)
If neither cookie is valid the function returns an HTML password form (HTTP 200, password-form body) instead of serving the Studio app.
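As an added example (not the project's own `functions/_middleware.js`, whose source is not on this page), a Pages Function with the gate behaviour described above. It assumes the password, the session and device cookie values, and the enrolment key arrive as env bindings named `GATE_PASSWORD`, `SESSION_TOKEN`, `DEVICE_TOKEN` and `ENROLL_KEY`, and that each cookie holds an opaque token compared against its binding in constant time:

```javascript
// Added example, not the project's own _middleware.js. Secrets are assumed
// to arrive as Pages env bindings (GATE_PASSWORD, SESSION_TOKEN, DEVICE_TOKEN,
// ENROLL_KEY) rather than being hard-coded in the function source.
const SESSION_TTL = 2 * 60 * 60;        // hinata_session: 2h
const DEVICE_TTL = 365 * 24 * 60 * 60;  // hinata_dv: 1y
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Constant-time compare that also hides the length, so the gate leaks no timing.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Pure decision step. `password` is the submitted form field (POST only),
// `enrollKey` is the `?k=` query value on /__enroll.
function decide({ pathname, method, cookieHeader, password, enrollKey }, env) {
  const c = parseCookies(cookieHeader);
  if (safeEqual(c.hinata_session, env.SESSION_TOKEN) ||
      safeEqual(c.hinata_dv, env.DEVICE_TOKEN)) return { kind: "pass" };
  if (pathname === "/__enroll" && safeEqual(enrollKey, env.ENROLL_KEY))
    return { kind: "set", cookie: ["hinata_dv", env.DEVICE_TOKEN, DEVICE_TTL] };
  if (method === "POST" && safeEqual(password, env.GATE_PASSWORD))
    return { kind: "set", cookie: ["hinata_session", env.SESSION_TOKEN, SESSION_TTL] };
  return { kind: "form" }; // invariant #2: HTTP 200 + password form, never the app shell
}

const setCookie = ([n, v, age]) =>
  `${n}=${v}; Max-Age=${age}; Path=/; Secure; HttpOnly; SameSite=Lax`;

// Pages Function entry point (declared as `export async function onRequest` when deployed).
async function onRequest({ request, env, next }) {
  const url = new URL(request.url);
  const password = request.method === "POST" ? (await request.formData()).get("password") : null;
  const d = decide({ pathname: url.pathname, method: request.method, password,
    cookieHeader: request.headers.get("Cookie"), enrollKey: url.searchParams.get("k") }, env);
  if (d.kind === "pass") return next();
  if (d.kind === "set") return new Response(null, { status: 302, headers: { Location: "/", "Set-Cookie": setCookie(d.cookie) } });
  return new Response("<form method=post><input name=password type=password></form>", { status: 200, headers: { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store" } });
}
```

The `Cache-Control: no-store` on the form response matters because the gate and the app share the same URL; without it an edge or browser cache could serve the form body to an enrolled device, or worse the app shell to an anonymous one.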
michael-engineer
| Field | Value |
| --- | --- |
| Project name | michael-engineer |
| Custom domain | michael-engineer.dev |
| Default subdomain | michael-engineer.pages.dev |
| Source | Direct upload via `wrangler pages deploy` |
| Build output | `dist/` |
| Deploy script | `/Users/nnamdi/Sandpit/hinata/applications/deploy-portfolio.command` |
| Branch | prod |
| Functions | none — pure static site |
| Last prod deploy | 5909c0a (2026-05-20) |
This project is intentionally isolated from hinata-studio. Neither deploy script may reference both — this isolation is a website-audit invariant.
Workers
hinata-studio-api
| Field | Value |
| --- | --- |
| Worker name | hinata-studio-api |
| Endpoint | https://hinata-studio-api.michael-nnamah.workers.dev |
| Source | `applications/hinata-studio/api/worker/index.ts` |
| Wrangler config | `applications/hinata-studio/api/wrangler.toml` |
| Compatibility date | 2026-05-16 |
| Deploy | invoked from `deploy-to-prod.command` step 3 (after Pages deploy) |
| D1 binding | `DB` → database `hinata-studio` |
| Env vars | `ENVIRONMENT = "production"` |
| Dev port | 8787 |
Role: serves API endpoints that need server-side compute (D1 queries, server-only secrets). The jimmy-vps collector handles the persistent data layer; this Worker is the edge layer for things that should not round-trip to the VPS.
Boundary rule: anything that needs cross-device persistence + structured Postgres goes to jimmy-vps (/musicmastery/*, future /bulma/* etc.). Anything that needs sub-50ms edge compute or D1-shaped key/value lookups stays in this Worker.
D1
| Field | Value |
| --- | --- |
| Database name | hinata-studio |
| Database ID | 73a6699e-e518-4b65-a541-f183fc090c86 |
| Bound to | Worker `hinata-studio-api` as `DB` |
| Schema | TBD — declared in worker source as needed |
D1 is not the durable system of record. Postgres on jimmy-vps is. D1 is appropriate only for data that is acceptable to lose or trivial to rebuild from Postgres.
Cloudflare Zero Trust (deprecated for studio)
| Item | Status |
| --- | --- |
| ZT team membership | Active (account-tied) |
| Application gating studio.michael-engineer.dev | REMOVED 2026-05-24 — replaced by app-layer `_middleware.js` |
| Application gating any other Hinata hostname | None |
| ZT residue / leftover org michaelnnamah | Closed (#200013) |
| Live policy that touches michael-engineer.dev | None — recruiter is public |
ZT is left intact at the account level so it can be re-enabled in future (e.g. for a different subdomain) without re-onboarding. The current architecture deliberately does NOT use it because the in-app middleware gives:
* Custom UI (password form styled like the Studio)
* Granular cookie control (`hinata_session` 2h vs `hinata_dv` 1y)
* An enrolment URL pattern (`/__enroll?k=...`) that ZT didn't easily support
* No per-request CF Access lookup overhead
If ZT is re-introduced for any Hinata hostname, update context.md Deployment Invariants AND website-audit SKILL.md Primacy Zone in the same PR.
Cloudflare Tunnel
| Field | Value |
| --- | --- |
| Tunnel ID | 770561fa-c72c-4b06-95af-a6132fff9116 |
| Credentials file | `/Users/nnamdi/.cloudflared/770561fa-c72c-4b06-95af-a6132fff9116.json` |
| Config | `/Users/nnamdi/.cloudflared/config.yml` |
| Ingress | `service: http_status:404` (catch-all) — tunnel does NOT bind any Hinata hostname today |
| Status | Dormant — exists, no active routes |
The tunnel survives from earlier experimentation. It is currently safe (no hostname binding, no exposure of local services). Website-audit invariant #4 requires the ingress to stay catch-all.
If you ever bind a hostname to the tunnel (hostname: foo.michael-engineer.dev), website-audit will flag it and the deployment invariants need to be re-evaluated.
Wrangler / CLI
| Surface | Command |
| --- | --- |
| Pages deploy (studio) | `npx wrangler pages deploy dist --project-name hinata-studio --branch prod` |
| Pages deploy (portfolio) | `npx wrangler pages deploy dist --project-name michael-engineer --branch prod` |
| Worker deploy | `npx wrangler deploy` (run from `applications/hinata-studio/api/`) |
| List Pages projects | `npx wrangler pages project list` |
| List Pages deployments | `npx wrangler pages deployment list --project-name [name]` |
| Tail Worker logs | `npx wrangler tail hinata-studio-api` |
| D1 query | `npx wrangler d1 execute hinata-studio --command "SELECT 1"` |
Wrangler is invoked via npx — no global install. Auth via wrangler login (browser flow once; token in ~/.config/.wrangler/).
Known gaps + risks
| Gap | Severity | Path forward |
| --- | --- | --- |
| No Git-backed Pages deploy | Medium | Direct uploads make rollback manual (deploy a previous artifact). Acceptable for solo-dev; reconsider if a collaborator joins. |
| Account email is outlook.com, separate from Google identity | Low | Documented above; ensure outlook.com recovery is preserved. |
| Tunnel is dormant but credentials exist | Low | Either delete the tunnel + credentials, or document a planned use. Current state: kept dormant by design. |
| D1 schema is undocumented | Low | Document in this file once it stabilises. |
| ZT account residue | None — closed | #200013 closed; nothing to do. |
Deployment invariants (mirror)
These are the canonical statements of what must be true on the Cloudflare side. Authoritative copy lives in context.md §Deployment Invariants.
1. `michael-engineer.dev` returns HTTP 200 publicly.
2. `studio.michael-engineer.dev` returns HTTP 200 with a password-form HTML body for unauthenticated requests; never the Studio app shell.
3. `deploy-to-prod.command` writes ONLY to Pages project `hinata-studio`. `deploy-portfolio.command` writes ONLY to Pages project `michael-engineer`. Neither references the other.
4. Cloudflare Tunnel ingress stays catch-all 404.
5. The gate is `_middleware.js` (code), not a CF Access policy.
Run /website-audit after any change to Pages, Workers, D1, the tunnel, or _middleware.js.
Open loops
* `#840020` — GCP rename (does NOT affect CF; CF custom domains still point to Pages projects, not VMs)
* `#831042` — VPS sleep mode stack (no CF dependency)
* `#840022` — CLOSED (MusicMastery e2e — Studio talks to jimmy-vps directly, not via CF Worker)
* `#840021` — CLOSED (post-ZT invariants locked here)
Decision log
* **2026-05-24:** Cloudflare project documented as a single source of truth for the first time.
* **2026-05-24:** ZT removed for `studio.michael-engineer.dev`; replaced by `_middleware.js` cookie gate.
* **2026-05-20:** Recruiter site `michael-engineer.dev` published via `deploy-portfolio.command`.
* **2026-05-16:** Worker `hinata-studio-api` first deployed; D1 `hinata-studio` created.