Cloud Migration
Cloud Deploy Pack
The start-to-finish handoff for moving the command center from local files to Cloudflare Pages, Workers, D1, R2, private access, and first cloud sync.
Cloud Pack Controls
Open cloud deploy CSVRun npm run cloud:command-center:deploy:preflight and then npm run cloud:command-center:deploy:pack after saving Cloudflare account, domain, Access, D1, R2, Worker URL, or token setup progress.
Safe Command Sequence
| Phase | Owner | Command | Purpose | No-Go Rule |
|---|---|---|---|---|
| 0. Local Pack Validation | Codex | npm run cloud:command-center:check && npm run test:cloud-command-center-sync && npm run cloud:command-center:pages:check |
Verify Worker routes, local sync tooling, and the static Pages dashboard artifact before touching cloud. | Do not deploy while local Worker, sync, or Pages checks fail. |
| 3. D1 And R2 Resources | User + Codex | npx wrangler d1 create nyra_command_center |
Create the D1 database that stores command-center state, upload metadata, and agent run markers. | Copy only the resulting database_id into the dashboard/config; never copy account tokens into repo files. |
| 3. D1 And R2 Resources | User + Codex | npx wrangler r2 bucket create nyra-command-center-uploads |
Create private upload storage for handoff files and future cloud intake evidence. | Do not make the upload bucket public. |
| 4. Worker Configuration | User + Codex | npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker --env production |
Set the private bearer token used by the command-center Worker API. | The token must go through Wrangler secrets only, not wrangler.jsonc, dashboard state, Markdown, CSV, screenshots, or chat. |
| 4. Worker Configuration | Codex | npm run cloud:command-center:config:sync && npm run cloud:command-center:deploy:preflight |
Apply non-secret Cloud page handoffs to the production Worker config and re-check deploy readiness. | This step must not write NYRA_COMMAND_TOKEN, Stripe secrets, or Cloudflare API tokens to repo files. |
| 5. First Cloud Sync | Codex | npm run cloud:command-center:deploy |
Deploy the nyra-command-center-api Worker after D1/R2, ALLOWED_ORIGIN, and NYRA_COMMAND_TOKEN are configured. | Do not deploy with placeholder production D1 database_id or placeholder ALLOWED_ORIGIN. |
| 5. First Cloud Sync | Codex | npm run cloud:command-center:pages:deploy |
Deploy the private dashboard Pages project nyra-command-center-dashboard. | Protect the dashboard with Cloudflare Access or equivalent private access before storing real business records. |
| 5. First Cloud Sync | Codex | npm run cloud:command-center:health && npm run cloud:command-center:push && npm run cloud:command-center:scan && npm run cloud:command-center:ingest && npm run cloud:command-center:roundtrip |
Push current command-center state to cloud, run cloud intake scan, safely ingest cloud handoffs, and verify roundtrip sync. | Use only temporary shell env vars for NYRA_COMMAND_CENTER_API_URL and NYRA_COMMAND_CENTER_TOKEN. |
Cloud Handoff Actions
| Phase | Priority | Owner | Status | Action | What To Do | Page | Field | Verify |
|---|---|---|---|---|---|---|---|---|
| 1. Account And Access | P0 | User | blocked | Cloudflare account confirmed | Confirm the Cloudflare account that will host NyrA command center Pages, Worker, D1, and R2. | pages/cloud.html | cloudMigration.accountReady | npm run cloud:command-center:deploy:preflight |
| 1. Account And Access | P0 | User | blocked | Cloud admin email entered | Enter the Cloudflare admin email that owns Access policy and deployment permissions. | pages/cloud.html | cloudMigration.adminEmail | npm run cloud:command-center:deploy:preflight |
| 3. D1 And R2 Resources | P0 | User | blocked | D1 database ID entered | Create the Cloudflare D1 database for command-center state, then save its database_id in the dashboard. | pages/cloud.html | cloudMigration.d1DatabaseId | npm run cloud:command-center:deploy:preflight |
| 4. Worker Configuration | P0 | User | blocked | Wrangler D1 database ID resolved | Replace the production D1 database_id placeholder in cloud/command-center-worker/wrangler.jsonc after the D1 id is known. | pages/cloud.html | cloudMigration.d1DatabaseId | npm run cloud:command-center:deploy:preflight |
| 5. First Cloud Sync | P0 | User | blocked | Cloud API URL available for sync | After Worker deployment, set NYRA_COMMAND_CENTER_API_URL in a temporary shell and the browser Cloud Connection URL field. | pages/cloud.html | cloudSync.apiUrl | npm run cloud:command-center:deploy:preflight |
| 5. First Cloud Sync | P0 | User | blocked | Cloud API token available for sync | Set NYRA_COMMAND_CENTER_TOKEN in a temporary shell using the same private value as NYRA_COMMAND_TOKEN after the Worker secret is created. | pages/cloud.html | browser localStorage only: nyraCommandCenterApiConfig.token | npm run cloud:command-center:deploy:preflight |
Agent Run Log
Each manual intake or scheduled cloud marker becomes a visible build handoff. Use this to confirm the dashboard was read and routed.
No intake runs loaded yet.
Cloud Deploy Pack JSON
{
"schemaVersion": 1,
"generatedAt": "2026-06-17T22:59:19.215Z",
"status": "CLOUD_DEPLOY_PACK_WAITING_ON_HANDOFFS",
"label": "Cloud Deploy Pack Waiting On Handoffs",
"preflight": {
"status": "BLOCKED_ON_CLOUD_HANDOFFS",
"label": "Blocked On Cloud Handoffs",
"checkedAt": "2026-06-17T22:59:18.908Z",
"passCount": 17,
"blockedCount": 6,
"failCount": 0
},
"resourceTargets": {
"pagesProjectName": "nyra-command-center-dashboard",
"workerName": "nyra-command-center-api",
"d1DatabaseName": "nyra_command_center",
"d1DatabaseId": "replace-with-cloudflare-d1-database-id",
"r2BucketName": "nyra-command-center-uploads",
"dashboardDomain": "command.porterlabz.com",
"accessRequirement": "Protect the dashboard with Cloudflare Access or equivalent private access before entering real business records."
},
"counts": {
"totalActions": 6,
"blockedActions": 6,
"failedActions": 0,
"userActions": 6,
"codexActions": 0,
"deployCommands": 8
},
"actions": [
{
"id": "handoff-account",
"phase": "1. Account And Access",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloudflare account confirmed",
"detail": "Confirm the Cloudflare account that will host the dashboard and API.",
"action": "Confirm the Cloudflare account that will host NyrA command center Pages, Worker, D1, and R2.",
"evidenceNeeded": "Save cloudMigration.accountReady=Yes and add account/admin notes or a screenshot/receipt to cloud-handoff if useful.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.accountReady",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "handoff-admin-email",
"phase": "1. Account And Access",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloud admin email entered",
"detail": "Enter the admin email to use for Cloudflare Access or ownership records.",
"action": "Enter the Cloudflare admin email that owns Access policy and deployment permissions.",
"evidenceNeeded": "Save cloudMigration.adminEmail; do not enter passwords, recovery codes, API tokens, or inbox credentials.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.adminEmail",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "handoff-d1-id",
"phase": "3. D1 And R2 Resources",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "D1 database ID entered",
"detail": "Create the D1 database and paste its database_id into the dashboard.",
"action": "Create the Cloudflare D1 database for command-center state, then save its database_id in the dashboard.",
"evidenceNeeded": "Save cloudMigration.d1DatabaseId. Use a screenshot or copied database metadata without account tokens if evidence is needed.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.d1DatabaseId",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "wrangler-d1-id",
"phase": "4. Worker Configuration",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Wrangler D1 database ID resolved",
"detail": "Replace production database_id placeholder in cloud/command-center-worker/wrangler.jsonc.",
"action": "Replace the production D1 database_id placeholder in cloud/command-center-worker/wrangler.jsonc after the D1 id is known.",
"evidenceNeeded": "The repo config should show a concrete D1 database_id, not replace-with-cloudflare-d1-database-id.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.d1DatabaseId",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "env-api-url",
"phase": "5. First Cloud Sync",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloud API URL available for sync",
"detail": "After deploy, set NYRA_COMMAND_CENTER_API_URL in a temporary shell before cloud sync.",
"action": "After Worker deployment, set NYRA_COMMAND_CENTER_API_URL in a temporary shell and the browser Cloud Connection URL field.",
"evidenceNeeded": "Temporary shell value or browser Cloud Connection config only. The API URL can be saved; private tokens cannot.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudSync.apiUrl",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "env-api-token",
"phase": "5. First Cloud Sync",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloud API token available for sync",
"detail": "After deploy, set NYRA_COMMAND_CENTER_TOKEN in a temporary shell only; never write it to repo files.",
"action": "Set NYRA_COMMAND_CENTER_TOKEN in a temporary shell using the same private value as NYRA_COMMAND_TOKEN after the Worker secret is created.",
"evidenceNeeded": "Use only temporary shell or browser localStorage. Never paste the bearer token into dashboard state, CSV, Markdown, screenshots, repo files, or chat.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "browser localStorage only: nyraCommandCenterApiConfig.token",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
}
],
"phases": [
{
"phase": "1. Account And Access",
"actions": [
{
"id": "handoff-account",
"phase": "1. Account And Access",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloudflare account confirmed",
"detail": "Confirm the Cloudflare account that will host the dashboard and API.",
"action": "Confirm the Cloudflare account that will host NyrA command center Pages, Worker, D1, and R2.",
"evidenceNeeded": "Save cloudMigration.accountReady=Yes and add account/admin notes or a screenshot/receipt to cloud-handoff if useful.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.accountReady",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "handoff-admin-email",
"phase": "1. Account And Access",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloud admin email entered",
"detail": "Enter the admin email to use for Cloudflare Access or ownership records.",
"action": "Enter the Cloudflare admin email that owns Access policy and deployment permissions.",
"evidenceNeeded": "Save cloudMigration.adminEmail; do not enter passwords, recovery codes, API tokens, or inbox credentials.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.adminEmail",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
}
]
},
{
"phase": "3. D1 And R2 Resources",
"actions": [
{
"id": "handoff-d1-id",
"phase": "3. D1 And R2 Resources",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "D1 database ID entered",
"detail": "Create the D1 database and paste its database_id into the dashboard.",
"action": "Create the Cloudflare D1 database for command-center state, then save its database_id in the dashboard.",
"evidenceNeeded": "Save cloudMigration.d1DatabaseId. Use a screenshot or copied database metadata without account tokens if evidence is needed.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.d1DatabaseId",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
}
]
},
{
"phase": "4. Worker Configuration",
"actions": [
{
"id": "wrangler-d1-id",
"phase": "4. Worker Configuration",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Wrangler D1 database ID resolved",
"detail": "Replace production database_id placeholder in cloud/command-center-worker/wrangler.jsonc.",
"action": "Replace the production D1 database_id placeholder in cloud/command-center-worker/wrangler.jsonc after the D1 id is known.",
"evidenceNeeded": "The repo config should show a concrete D1 database_id, not replace-with-cloudflare-d1-database-id.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudMigration.d1DatabaseId",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
}
]
},
{
"phase": "5. First Cloud Sync",
"actions": [
{
"id": "env-api-url",
"phase": "5. First Cloud Sync",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloud API URL available for sync",
"detail": "After deploy, set NYRA_COMMAND_CENTER_API_URL in a temporary shell before cloud sync.",
"action": "After Worker deployment, set NYRA_COMMAND_CENTER_API_URL in a temporary shell and the browser Cloud Connection URL field.",
"evidenceNeeded": "Temporary shell value or browser Cloud Connection config only. The API URL can be saved; private tokens cannot.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "cloudSync.apiUrl",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
},
{
"id": "env-api-token",
"phase": "5. First Cloud Sync",
"priority": "P0",
"owner": "User",
"status": "blocked",
"label": "Cloud API token available for sync",
"detail": "After deploy, set NYRA_COMMAND_CENTER_TOKEN in a temporary shell only; never write it to repo files.",
"action": "Set NYRA_COMMAND_CENTER_TOKEN in a temporary shell using the same private value as NYRA_COMMAND_TOKEN after the Worker secret is created.",
"evidenceNeeded": "Use only temporary shell or browser localStorage. Never paste the bearer token into dashboard state, CSV, Markdown, screenshots, repo files, or chat.",
"dashboardPage": "pages/cloud.html",
"dashboardField": "browser localStorage only: nyraCommandCenterApiConfig.token",
"uploadSlot": "cloud-handoff",
"verificationCommand": "npm run cloud:command-center:deploy:preflight",
"noGoRule": "Do not treat cloud as source of truth until this action is proven by dashboard state, config, command output, or cloud health check."
}
]
}
],
"deployCommands": [
{
"id": "validate-local-cloud-stack",
"phase": "0. Local Pack Validation",
"owner": "Codex",
"command": "npm run cloud:command-center:check && npm run test:cloud-command-center-sync && npm run cloud:command-center:pages:check",
"purpose": "Verify Worker routes, local sync tooling, and the static Pages dashboard artifact before touching cloud.",
"noGoRule": "Do not deploy while local Worker, sync, or Pages checks fail."
},
{
"id": "create-d1",
"phase": "3. D1 And R2 Resources",
"owner": "User + Codex",
"command": "npx wrangler d1 create nyra_command_center",
"purpose": "Create the D1 database that stores command-center state, upload metadata, and agent run markers.",
"noGoRule": "Copy only the resulting database_id into the dashboard/config; never copy account tokens into repo files."
},
{
"id": "create-r2",
"phase": "3. D1 And R2 Resources",
"owner": "User + Codex",
"command": "npx wrangler r2 bucket create nyra-command-center-uploads",
"purpose": "Create private upload storage for handoff files and future cloud intake evidence.",
"noGoRule": "Do not make the upload bucket public."
},
{
"id": "set-command-token",
"phase": "4. Worker Configuration",
"owner": "User + Codex",
"command": "npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker --env production",
"purpose": "Set the private bearer token used by the command-center Worker API.",
"noGoRule": "The token must go through Wrangler secrets only, not wrangler.jsonc, dashboard state, Markdown, CSV, screenshots, or chat."
},
{
"id": "sync-worker-config",
"phase": "4. Worker Configuration",
"owner": "Codex",
"command": "npm run cloud:command-center:config:sync && npm run cloud:command-center:deploy:preflight",
"purpose": "Apply non-secret Cloud page handoffs to the production Worker config and re-check deploy readiness.",
"noGoRule": "This step must not write NYRA_COMMAND_TOKEN, Stripe secrets, or Cloudflare API tokens to repo files."
},
{
"id": "deploy-worker",
"phase": "5. First Cloud Sync",
"owner": "Codex",
"command": "npm run cloud:command-center:deploy",
"purpose": "Deploy the nyra-command-center-api Worker after D1/R2, ALLOWED_ORIGIN, and NYRA_COMMAND_TOKEN are configured.",
"noGoRule": "Do not deploy with placeholder production D1 database_id or placeholder ALLOWED_ORIGIN."
},
{
"id": "deploy-pages",
"phase": "5. First Cloud Sync",
"owner": "Codex",
"command": "npm run cloud:command-center:pages:deploy",
"purpose": "Deploy the private dashboard Pages project nyra-command-center-dashboard.",
"noGoRule": "Protect the dashboard with Cloudflare Access or equivalent private access before storing real business records."
},
{
"id": "first-cloud-sync",
"phase": "5. First Cloud Sync",
"owner": "Codex",
"command": "npm run cloud:command-center:health && npm run cloud:command-center:push && npm run cloud:command-center:scan && npm run cloud:command-center:ingest && npm run cloud:command-center:roundtrip",
"purpose": "Push current command-center state to cloud, run cloud intake scan, safely ingest cloud handoffs, and verify roundtrip sync.",
"noGoRule": "Use only temporary shell env vars for NYRA_COMMAND_CENTER_API_URL and NYRA_COMMAND_CENTER_TOKEN."
}
],
"outputs": {
"json": "docs/launch_command_center/cloud-deploy-pack.json",
"csv": "docs/launch_command_center/cloud-deploy-pack.csv",
"report": "docs/launch_command_center/CLOUD_DEPLOY_PACK.md",
"dashboard": "docs/launch_command_center/pages/cloud-deploy-pack.html"
}
}