Cloud Migration

Cloud Dashboard Plan

Move from local collaboration server to hosted dashboard, API, data store, file storage, and scheduled triggers so the command center is not trapped on this computer.

Cloud Handoff Form

Full collaboration form

Checking command-center API...

Cloud Account ReadyCloud Admin EmailAccess DecisionTarget Domain/SubdomainD1 Database IDR2 Bucket

Cloud Notes

Browser Cloud Connection

Connect this dashboard to the Cloudflare Worker API when it is deployed. The private token is stored only in this browser, not in repo files.

Daily agents should use npm run cloud:command-center:ingest -- --write to copy cloud-entered handoffs into local state without overwriting generated launch artifacts.

Cloud setup

No cloud API configured in this browser yet.

Cloud API URL Private API Token

Cloud Readiness

Target Cloudflare Pages for dashboard, Cloudflare Worker API, D1 structured state, R2 private uploads, cron intake markers, Cloudflare Access for browser access Ready

Account ready No Ready

Access decision Cloudflare Access + private bearer token Ready

Dashboard domain command.porterlabz.com Ready

Pages artifact Private Cloudflare Pages dashboard deploy pack implemented locally Ready

Pages check npm run cloud:command-center:pages:check Ready

Cloud bootstrap Cloud Bootstrap Waiting On API Token Ready

Cloudflare discovery Cloudflare Discovery Needs API Token Ready

Discovery matches 0 Ready

Config sync Cloud Worker Config Waiting On Handoffs Ready

Source truth cloud Run cloud:command-center:source-truth Needs input

Deploy preflight Blocked On Cloud Handoffs Ready

Blocked cloud checks 6 Ready

Cloud Bootstrap Pack

Open bootstrap

Plan-only sequence for creating Cloudflare resources, setting Wrangler secrets, applying migrations, deploying Workers/Pages, and proving first cloud sync.

Status Cloud Bootstrap Waiting On API Token Ready

Waiting resources 5 Ready

Command steps 36 Ready

Secret commands 16 Ready

Open bootstrap CSV Open bootstrap JSON

Cloudflare Discovery

Open discovery

Run this before Cloudflare config sync after any account login, resource creation, Pages deploy, or Worker deploy. It records only redacted/non-secret resource findings.

Status Cloudflare Discovery Needs API Token Ready

Worker Config Sync

npm run cloud:command-center:config:sync

This turns Cloud page answers into non-secret production Worker config, including ALLOWED_ORIGIN, D1 database_id, R2 bucket, and optional Cloudflare Access email. Tokens and secrets stay out of repo files.

Status Cloud Worker Config Waiting On Handoffs Ready

Applied 0 Ready

Waiting 2 Ready

Invalid 0 Ready

Applied

No config values changed on the last sync.

Waiting

Production D1 database_id: Create D1 and enter cloudMigration.d1DatabaseId in the dashboard.
Cloudflare Access allowed email: Enter cloudMigration.adminEmail if using Cloudflare Access.

Needs Fix

No invalid cloud config values found.

Cloud Deploy Preflight

npm run cloud:command-center:deploy:preflight

Status Blocked On Cloud Handoffs Ready

Passed 17 Ready

Blocked 6 Ready

Failed 0 Ready

Cloud Deploy Pack

Open pack

Use this pack for the exact Cloudflare resource targets, handoff fields, safe deploy commands, and first cloud sync verification.

Pack status Cloud Deploy Pack Waiting On Handoffs Ready

Actions 6 Ready

Deploy commands 8 Ready

Pages project nyra-command-center-dashboard Ready

Local Now, Cloud Next

Need	Local Now	Cloud Target
Dashboard UI	Static HTML under docs/launch_command_center	Cloudflare Pages
Form API	command-center-server.mjs	Cloudflare Worker
Structured state	command-center-state.json + CSVs	Cloudflare D1
Source of truth routing	source-of-truth-map.json + daily brief	`/api/source-of-truth` and cloud handoff scan output
Uploads	uploads folder	Cloudflare R2
Daily triggers	Codex automations	Codex automations + Worker cron/status hooks
Pages artifact	docs/launch_command_center generated files	cloud/command-center-pages/public with private-dashboard headers

Cloud Command Center Deploy Preflight

Status: Blocked On Cloud Handoffs

Checked: 2026-06-17T22:59:18.908Z

This is the deploy gate for moving the command center off the local computer. It verifies the local Worker, dashboard-to-Worker config sync, D1/R2, Pages artifact, and sync tooling, then keeps the remaining user-owned Cloudflare/domain/secret handoffs explicit.

Summary

Passed: 17
Blocked on handoff: 6
Failed: 0

Checks

Status	Owner	Check	Detail
pass	Codex	Worker validation script exists	cloud:command-center:check is wired.
pass	Codex	Pages validation script exists	cloud:command-center:pages:check is wired.
pass	Codex	Dashboard-to-Worker config sync exists	cloud:command-center:config:sync is wired.
pass	Codex	Worker deploy script exists	cloud:command-center:deploy is wired.
pass	Codex	Worker service name	Worker service is nyra-command-center-api.
pass	Codex	Worker entrypoint	Worker main points at src/index.mjs.
pass	Codex	Worker runtime compatibility	nodejs_compat is enabled.
pass	Codex	Daily cloud intake trigger	Worker cron trigger is configured.
pass	Codex	Production open API disabled	ALLOW_DEV_OPEN_API is false in production.
pass	Codex	Production D1 binding	Production DB binding points at a named D1 database and migrations folder.
pass	Codex	Production R2 binding	Production UPLOADS R2 binding is present.
pass	Codex	D1 schema	D1 migration includes command state, upload metadata, and agent run tables.
pass	Codex	Pages artifact exists	Cloudflare Pages public artifact exists.
pass	Codex	Pages artifact excludes binaries	No installer, blockmap, unpacked app, DLL, PAK, BIN, or builder debug file is in the Pages artifact.
blocked	User	Cloudflare account confirmed	Confirm the Cloudflare account that will host the dashboard and API.
blocked	User	Cloud admin email entered	Enter the admin email to use for Cloudflare Access or ownership records.
pass	User	Private access model chosen	Private access model is selected.
pass	User	Dashboard domain entered	Dashboard domain/subdomain is saved.
blocked	User	D1 database ID entered	Create the D1 database and paste its database_id into the dashboard.
blocked	User	Wrangler D1 database ID resolved	Replace production database_id placeholder in cloud/command-center-worker/wrangler.jsonc.
pass	User	Worker allowed origin resolved	Production ALLOWED_ORIGIN is concrete.
blocked	User	Cloud API URL available for sync	After deploy, set NYRA_COMMAND_CENTER_API_URL in a temporary shell before cloud sync.
blocked	User	Cloud API token available for sync	After deploy, set NYRA_COMMAND_CENTER_TOKEN in a temporary shell only; never write it to repo files.

Next Commands

npm run cloud:command-center:check
npm run test:cloud-command-center-sync
npm run cloud:command-center:pages:check
npm run cloud:command-center:config:sync
npm run cloud:command-center:deploy:preflight
npm run cloud:command-center:deploy
npm run cloud:command-center:push
npm run cloud:command-center:scan
npm run cloud:command-center:roundtrip

Secret Rule

Do not paste Cloudflare tokens, bearer tokens, Stripe secrets, certificate passwords, recovery codes, or private keys into dashboard fields or repo files. Use Wrangler secrets, Cloudflare dashboard secrets, or a temporary shell environment.

Cloud Command Center Plan

Target: move the collaboration dashboard off this computer while keeping the local repo as a rebuildable source of truth.

Recommended Stack

Cloudflare Pages: host the dashboard UI.
Cloudflare Workers: API for decisions, team updates, triggers, and upload metadata.
Cloudflare D1: structured command-center state, todos, costs, team status, decisions, and update history.
Cloudflare R2: uploaded files such as LLC documents, screenshots, brand files, policy drafts, and release artifacts.
Cloudflare Cron Triggers: scheduled checks that create/update work items for Codex/agents.
Stripe webhooks: payment/license events into the backend.

Why This Shape

The command center needs a web UI, form data, file uploads, and scheduled triggers. A Pages + Workers + D1 + R2 stack keeps the dashboard lightweight and avoids running a traditional server.

Migration Steps

Keep local dashboard working with npm run command-center:server.
Use the repo scaffold in cloud/command-center-worker.
Create Cloudflare account/project.
Buy/connect domain.
Create D1 database for command-center state.
Create R2 bucket for uploads.
Apply the D1 migration.
Configure Cloudflare Access or the private API token secret.
Deploy Worker API.
Deploy Pages dashboard.
Connect scheduled triggers.
Connect Stripe webhook endpoint.
Seed cloud state with npm run cloud:command-center:push.
Verify browser dashboard sync with Browser Cloud Connection > Test Cloud API > Pull State From Cloud > Scan Handoffs.

Scaffold Now In Repo

Worker API: cloud/command-center-worker/src/index.mjs
Wrangler config: cloud/command-center-worker/wrangler.jsonc
D1 migration: cloud/command-center-worker/migrations/0001_command_center.sql
Deployment checklist: cloud/command-center-worker/DEPLOYMENT_CHECKLIST.md
Test harness: cloud/command-center-worker/test-worker.mjs
Pages deploy pack: cloud/command-center-pages
Pages artifact builder: scripts/prepare-command-center-pages.mjs
Browser sync controls: docs/launch_command_center/assets/command-center.js
CLI sync tool: scripts/command-center-cloud-sync.mjs
Deploy preflight: scripts/cloud-command-center-deploy-preflight.mjs

Validation:

npm run cloud:command-center:check
npm run test:cloud-command-center-sync
npm run cloud:command-center:pages:check
npm run cloud:command-center:deploy:preflight

The scaffold is intentionally not deployed yet. Cloud deployment requires the account, domain/subdomain, Access/admin email choice, D1 database ID, R2 bucket, and secret values.

Deployment Hardening Now In Place

wrangler.jsonc declares nodejs_compat, observability, and explicit D1/R2 bindings inside the production environment.
The Worker keeps secrets out of config and expects NYRA_COMMAND_TOKEN through wrangler secret put.
Bearer-token auth uses a SHA-256 constant-time comparison path instead of direct string equality.
API writes require Content-Type: application/json.
General JSON requests are capped at 256 KB.
Upload payloads are capped at 10 MB decoded file size.
/api/health reports the active API limits so deploy checks can verify the expected build is running.
/api/source-of-truth lets the dashboard and daily agents verify route coverage before treating cloud state as current.
The Pages deploy pack writes no-index/no-store headers and excludes local uploads, the local API server, and raw state JSON from the static artifact.

Data Classes

Safe for dashboard:

Business name choices.
Product name.
Subscription price.
Support email.
Domain.
Status and notes.

Use caution:

LLC filing documents.
Tax forms.
Bank/payout references.
Identity verification screenshots.

Never store:

Passwords.
Full EIN/SSN.
Raw Stripe secret keys.
Bank account numbers.
Recovery codes.

Current Local Equivalent

Dashboard UI: docs/launch_command_center/index.html
Local API: docs/launch_command_center/command-center-server.mjs
State JSON: docs/launch_command_center/command-center-state.json
Upload folder: docs/launch_command_center/uploads
Team data: team_status.csv, team_updates.csv

Current Cloud Equivalent

Worker API: cloud/command-center-worker/src/index.mjs
Pages dashboard artifact: cloud/command-center-pages/public
D1 schema: cloud/command-center-worker/migrations/0001_command_center.sql
R2 object keys: upload slot plus timestamped safe filename.
Scheduled intake marker: 15 8 * * * UTC.
Auth: Cloudflare Access email or NYRA_COMMAND_TOKEN.
Browser connection: API URL and token saved only in browser localStorage.
CLI sync: NYRA_COMMAND_CENTER_API_URL plus shell-only NYRA_COMMAND_CENTER_TOKEN.
Deploy preflight output: docs/launch_command_center/CLOUD_DEPLOY_PREFLIGHT.md and docs/launch_command_center/cloud-deploy-preflight.json.

Pages deployment commands:

npm run cloud:command-center:pages:prepare
npx wrangler pages project create nyra-command-center-dashboard --production-branch main
npx wrangler pages deploy public --project-name nyra-command-center-dashboard --cwd cloud/command-center-pages

NyrA Command Center Pages Dashboard

This folder packages the launch command center as a Cloudflare Pages dashboard artifact.

The dashboard must be treated as a private operator console. Protect it with Cloudflare Access or equivalent private access before entering real business records, legal documents, Stripe screenshots, or support evidence.

Build The Pages Artifact

npm run cloud:command-center:pages:prepare
npm run cloud:command-center:pages:check

The prepare script copies the static dashboard into cloud/command-center-pages/public and writes:

_headers with no-index, no-store, and browser safety headers.
_redirects for the dashboard root.
publish-manifest.json showing copied files and intentionally excluded local/sensitive files.

The artifact intentionally excludes local uploads, uploads_manifest.csv, command-center-state.json, and command-center-server.mjs. Live state should come from the Worker API and D1 after npm run cloud:command-center:push.

Create And Deploy Pages

Cloudflare's Wrangler Pages flow uses pages project create to create the project and pages deploy <directory> to upload a static folder.

npx wrangler pages project create nyra-command-center-dashboard --production-branch main
npm run cloud:command-center:pages:prepare
npx wrangler pages deploy public --project-name nyra-command-center-dashboard --cwd cloud/command-center-pages

After deployment:

Put the Pages URL behind Cloudflare Access.
Set the Worker ALLOWED_ORIGIN to the exact Pages dashboard origin.
Deploy the Worker API.
In the dashboard, open Browser Cloud Connection, enter the Worker API URL and private token, then run Test Cloud API, Pull State From Cloud, and Scan Handoffs.

Do not store the private Worker token in this folder, dashboard state, markdown files, or screenshots.

NyrA Command Center Cloud API

This is the cloud scaffold for moving the launch command center off the local computer.

It mirrors the local server in docs/launch_command_center/command-center-server.mjs, but targets Cloudflare Workers with:

D1 for structured command-center state.
R2 for uploaded files.
Cron Triggers for daily intake markers.
Cloudflare Access or a bearer token for private API access.
Constant-time bearer token comparison, JSON content-type checks, and request/upload size limits.

This does not deploy anything by itself. Deployment requires the Cloudflare account, domain/project decision, D1 database ID, R2 bucket, and secrets.

Local Validation

npm run cloud:command-center:check
npm run test:cloud-command-center-sync
npm run cloud:command-center:deploy:preflight

Cloudflare Setup Handoff

Log in to the intended Cloudflare account.
Create the D1 database:

npx wrangler d1 create nyra_command_center --cwd cloud/command-center-worker

Copy the returned database_id into every database_id placeholder in wrangler.jsonc, including the production environment block.
Create the R2 bucket:

npx wrangler r2 bucket create nyra-command-center-uploads

Apply the D1 migration:

npx wrangler d1 migrations apply nyra_command_center --cwd cloud/command-center-worker

Set a private API token secret for agent/server use:

npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker

Prefer Cloudflare Access for the browser dashboard and set ALLOWED_EMAIL to the approved owner/admin email.
Prepare the Pages dashboard artifact:

npm run cloud:command-center:pages:prepare
npm run cloud:command-center:pages:check

Create/deploy the Pages dashboard from cloud/command-center-pages, then protect it with Cloudflare Access.
Set the production ALLOWED_ORIGIN value in wrangler.jsonc to the exact Pages dashboard origin after Pages/domain is configured.
Deploy only after auth and origin settings are correct:

npm run cloud:command-center:deploy:preflight
npm run cloud:command-center:deploy

After deployment, seed and verify the cloud command-center state from this workstation:

$env:NYRA_COMMAND_CENTER_API_URL = "https://your-worker-url"
$env:NYRA_COMMAND_CENTER_TOKEN = "paste-private-token-for-this-shell-only"
npm run cloud:command-center:health
npm run cloud:command-center:push
npm run cloud:command-center:source-truth
npm run cloud:command-center:scan
npm run cloud:command-center:roundtrip
Remove-Item Env:\NYRA_COMMAND_CENTER_TOKEN

Open the Pages dashboard, use Browser Cloud Connection, paste the Worker API URL and private token, then run Test Cloud API, Pull State From Cloud, and Scan Handoffs. The browser stores that token only in localStorage; do not paste it into repo files.

API Shape

GET /api/health: public health check.
GET /api/state: read command-center state.
POST /api/state: deep-merge saved dashboard fields.
GET /api/source-of-truth: classify synced Source Of Truth Map routes against cloud state, uploads, and secret-presence signals.
GET /api/uploads: list upload metadata.
POST /api/upload: upload base64 file payload into R2 and D1 metadata.
GET /api/uploads/:id: download a private upload.
POST /api/intake/scan: summarize synced handoff readiness, update cloud intake status, and record a cloud scan run.
POST /api/intake/run: record a manual intake marker.
GET /api/intake/runs: list intake markers.

All endpoints except /api/health require Cloudflare Access, bearer token auth, or local dev opt-in.

JSON endpoints require Content-Type: application/json. General JSON requests are capped at 256 KB. Upload JSON bodies are capped for a 10 MB decoded file payload. The bearer token must be stored with wrangler secret put NYRA_COMMAND_TOKEN; do not place it in wrangler.jsonc, dashboard state, source files, or docs.

Sync Scripts

npm run cloud:command-center:health: verify the deployed Worker health route.
npm run cloud:command-center:push: push docs/launch_command_center/command-center-state.json into cloud state.
npm run cloud:command-center:pull: print cloud state. Add -- --write only when the cloud copy is the trusted source and should overwrite local state.
npm run cloud:command-center:source-truth: print the cloud-classified Source Of Truth Map. Add -- --write only when the cloud route state is the trusted source for this workstation.
npm run cloud:command-center:scan: trigger the cloud handoff scan against the latest synced state. Add -- --write only when the cloud state should be pulled back into the local state file.
npm run cloud:command-center:roundtrip: read health/state and record a manual intake run marker.

Sensitive Data Rule

Do not store passwords, full EIN/SSN, bank account numbers, recovery codes, raw API keys, or live Stripe secrets in the command center. Uploads can contain business records only after the private cloud access path is configured.

Command Center Cloud Deployment Checklist

Use this checklist when Porter is ready to move the dashboard off the local machine.

Decisions Needed

Cloudflare account owner email.
Dashboard domain or subdomain.
Whether Cloudflare Access will gate the dashboard.
Admin email allowed through Access.
Whether uploads can include LLC/EIN/legal files.
Stripe webhook hostname after deployment.

Local-Only Work Already Ready

Worker API scaffold.
D1 schema migration.
R2 upload path.
Scheduled daily intake marker.
Auth guard with Cloudflare Access email or constant-time bearer token comparison.
JSON content-type checks and request/upload size caps.
Browser dashboard cloud connection controls.
CLI health, push, pull, scan, and roundtrip sync scripts.
Cloud /api/intake/scan parity endpoint for browser and automation-triggered handoff scans.
Pages dashboard deploy pack with private-dashboard headers and excluded local upload/state files.
Local test harness.

User Handoffs

Confirm Cloudflare account to use.
Confirm domain/subdomain.
Confirm admin email for Cloudflare Access.
Approve creation of D1 database and R2 bucket.
Replace every placeholder D1 database ID and dashboard origin in wrangler.jsonc.
Approve deployment after reviewing auth settings.

Deploy Commands

npm run cloud:command-center:check
npm run test:cloud-command-center-sync
npm run cloud:command-center:pages:check
npm run cloud:command-center:config:sync
npm run cloud:command-center:deploy:preflight
npx wrangler d1 create nyra_command_center --cwd cloud/command-center-worker
npx wrangler r2 bucket create nyra-command-center-uploads
npx wrangler d1 migrations apply nyra_command_center --cwd cloud/command-center-worker
npx wrangler secret put NYRA_COMMAND_TOKEN --cwd cloud/command-center-worker
npx wrangler pages project create nyra-command-center-dashboard --production-branch main
npm run cloud:command-center:pages:prepare
npx wrangler pages deploy public --project-name nyra-command-center-dashboard --cwd cloud/command-center-pages
npm run cloud:command-center:deploy

Before npm run cloud:command-center:deploy, save the Cloud page handoffs and run npm run cloud:command-center:config:sync. Confirm wrangler.jsonc has no placeholder database_id, no placeholder ALLOWED_ORIGIN, ALLOW_DEV_OPEN_API remains false in production, and the production environment contains the D1 and R2 bindings. The config sync writes only non-secret values; use Wrangler secrets for NYRA_COMMAND_TOKEN.

The deploy preflight writes docs/launch_command_center/CLOUD_DEPLOY_PREFLIGHT.md and docs/launch_command_center/cloud-deploy-preflight.json. A blocked result is expected until the Cloudflare account, dashboard domain, Access/token model, D1 database ID, Worker origin, deployed API URL, and temporary sync token are available.

First Cloud Sync

$env:NYRA_COMMAND_CENTER_API_URL = "https://your-worker-url"
$env:NYRA_COMMAND_CENTER_TOKEN = "paste-private-token-for-this-shell-only"
npm run cloud:command-center:health
npm run cloud:command-center:push
npm run cloud:command-center:scan
npm run cloud:command-center:roundtrip
Remove-Item Env:\NYRA_COMMAND_CENTER_TOKEN

Then open the dashboard, enter the Worker API URL and token in Browser Cloud Connection, test the API, and pull the cloud state. Do not commit the token or paste it into command-center state files.

Post-Deploy Verification

GET /api/health returns ok: true.
GET /api/state returns 401 without auth.
GET /api/state returns saved state with approved auth.
POST /api/state saves a harmless test field.
POST /api/state without application/json returns 415.
Oversized JSON/upload requests return 413.
POST /api/upload stores a small test file in R2 and metadata in D1.
POST /api/intake/scan records a cloud handoff scan and returns readiness counts from the synced command-center state.
Cron trigger records an intake marker.
Browser Cloud Connection can test the Worker API and pull cloud state.
CLI roundtrip records an intake marker without writing secrets to disk.
Dashboard origin is the only allowed browser origin.
No secrets appear in static dashboard files.
Pages artifact does not contain local uploads, uploads_manifest.csv, command-center-state.json, or the local command-center server.