Command Center
⚠️

HIGH — Regression auto-fixed

10 workers had their .workers.dev subdomain re-enabled (with previews) at some point after Linq's 4/18 lockdown. This is the exact exposure pattern the original audit closed. The likely cause is deploys via Wrangler/CF Pages that recreate the subdomain unless workers_dev = false is in the wrangler.toml — a deploy-time toggle, not a one-shot API fix.

Action taken tonight: Aria disabled the subdomain on all 10 workers via the same protocol Linq used (POST .../workers/scripts/<name>/subdomain { enabled: false, previews_enabled: false }). Verified post-fix.

Re-fixed tonight

  • • bookpatina
  • • bookpatina-studio
  • • delaware-lanes-launch
  • • delaware-lanes-studio
  • • madebyaspire
  • • madebyaspire-astro
  • • madebyaspire-launch
  • • modern-maid-launch
  • • modern-maid-studio
  • • petalswingsastro

To prevent re-regression: every wrangler.toml in the agency repos should set workers_dev = false. Otherwise CF re-enables it on each deploy. Filed as a follow-up — needs a sweep of all agency repos.

📊 Baseline comparison (5/17 vs 4/16)

Metric 4/16 Baseline 5/17 Now Delta
CF zones 8 8 unchanged
Pages projects 10 10 same count, churn underneath — 6 renamed/removed, 6 added
Workers 9 26 +17 (190% growth)
Access apps 7 ? token scope insufficient — needs ORG token re-auth
D1 / KV / R2 1 / 5 / 0 ? token scope insufficient — same as above
.workers.dev exposed 0 (Linq fixed 4/18) 0 (Aria re-fixed 5/17) ⚠️ REGRESSED from 0 → 10 between fixes — auto-fixed tonight

🟡 MEDIUM — .pages.dev URLs to investigate

10 Pages projects total. 2 are properly Access-protected (aria-command-center, aspire-playbook). 6 are intentionally public client/brand sites. 2 are flagged below — could not auto-fix without Access app scope on the token.

aspire-digital-prod.pages.dev

No custom domain attached. Unclear what this serves — could be stale, could be production by another name. Investigate + Access-protect if non-public.

aspire-docs.pages.dev

Custom domain docs.madebyaspire.com is intentionally public, but the .pages.dev URL also exposes preview deployments. If preview branches host draft content, lock with Access (same pattern as aria-command-center).

Intentionally-public .pages.dev (no action needed)
  • aria-public.pages.dev (madebyotten.com — personal brand)
  • tees-flooring-git.pages.dev (client production)
  • b-clean-carpet-git.pages.dev (client production)
  • photosbyb4-git.pages.dev (client production)
  • prospect-briefs.pages.dev (yoursite.madebyaspire.com — client-facing briefs)
  • aspire-templates.pages.dev (templates.madebyaspire.com — public templates)

🔑 LOW — Token scope gaps blocked deeper audit

The current tokens in ~/.aria-secrets can audit Workers, Pages, and Zones — but not Access apps, KV, D1, or R2. The 4/16 audit used a temporary Global API Key (rotated after use). To do a full deep sweep here, either re-issue a Global key temporarily or extend the deploy/org tokens.

CLOUDFLARE_API_TOKEN (deploy)

Missing: Access read, KV read, D1 read, R2 read

CLOUDFLARE_ORG_TOKEN

Missing: Account · Access Apps Read — currently returns "Authentication error"; either expired or never had this scope

🏗️ Exposure protection model

Each surface has its own protection layer:

Custom domains

Internal sites (cc, playbook, hq) → CF Access policy (Topher + Jaime allow-list). Production client sites → public.

.pages.dev URLs

Each .pages.dev for an internal site needs its own Access app (the custom-domain Access app does NOT auto-cover the .pages.dev hostname).

.workers.dev URLs

workers_dev = false in every wrangler.toml. CF re-enables this on deploy unless explicitly set. Auto-disable via API is a band-aid, not a fix.

📋 Follow-ups for Topher

1. Wrangler.toml sweep across all agency repos — add workers_dev = false to prevent re-regression. Without this, every deploy can re-open the subdomain. Big enough that this should be its own CLI Linear issue + ~30 min of agency sweep work.

2. Investigate aspire-digital-prod.pages.dev — no custom domain attached, unclear purpose. Either delete if stale, or wire a custom domain + Access app if active.

3. Decide on docs.madebyaspire.com .pages.dev exposure — current pattern leaves preview deployments public. If docs use draft branches, lock with Access app.

4. Re-issue Global API Key temporarily if you want a deep audit of Access apps, KV, D1, R2. Rotate after.

5. OR extend the deploy/org tokens with read scopes for Access + Storage so future audits don't need a Global key.