HIGH — Regression auto-fixed
10 workers had their .workers.dev subdomain re-enabled (with previews) at some point after Linq's 4/18 lockdown. This is the exact exposure pattern the original audit closed. The likely cause is deploys via Wrangler/CF Pages that recreate the subdomain unless workers_dev = false is in the wrangler.toml — a deploy-time toggle, not a one-shot API fix.
Action taken tonight: Aria disabled the subdomain on all 10 workers via the same protocol Linq used (POST .../workers/scripts/<name>/subdomain { enabled: false, previews_enabled: false }). Verified post-fix.
Re-fixed tonight
- • bookpatina
- • bookpatina-studio
- • delaware-lanes-launch
- • delaware-lanes-studio
- • madebyaspire
- • madebyaspire-astro
- • madebyaspire-launch
- • modern-maid-launch
- • modern-maid-studio
- • petalswingsastro
To prevent re-regression: every wrangler.toml in the agency repos should set workers_dev = false. Otherwise CF re-enables it on each deploy. Filed as a follow-up — needs a sweep of all agency repos.
📊 Baseline comparison (5/17 vs 4/16)
| Metric | 4/16 Baseline | 5/17 Now | Delta |
|---|---|---|---|
| CF zones | 8 | 8 | unchanged |
| Pages projects | 10 | 10 | same count, churn underneath — 6 renamed/removed, 6 added |
| Workers | 9 | 26 | +17 (190% growth) |
| Access apps | 7 | ? | token scope insufficient — needs ORG token re-auth |
| D1 / KV / R2 | 1 / 5 / 0 | ? | token scope insufficient — same as above |
| .workers.dev exposed | 0 (Linq fixed 4/18) | 0 (Aria re-fixed 5/17) | ⚠️ REGRESSED from 0 → 10 between fixes — auto-fixed tonight |
🟡 MEDIUM — .pages.dev URLs to investigate
10 Pages projects total. 2 are properly Access-protected (aria-command-center, aspire-playbook). 6 are intentionally public client/brand sites. 2 are flagged below — could not auto-fix without Access app scope on the token.
aspire-digital-prod.pages.dev
No custom domain attached. Unclear what this serves — could be stale, could be production by another name. Investigate + Access-protect if non-public.
aspire-docs.pages.dev
Custom domain docs.madebyaspire.com is intentionally public, but the .pages.dev URL also exposes preview deployments. If preview branches host draft content, lock with Access (same pattern as aria-command-center).
Intentionally-public .pages.dev (no action needed)
- aria-public.pages.dev (madebyotten.com — personal brand)
- tees-flooring-git.pages.dev (client production)
- b-clean-carpet-git.pages.dev (client production)
- photosbyb4-git.pages.dev (client production)
- prospect-briefs.pages.dev (yoursite.madebyaspire.com — client-facing briefs)
- aspire-templates.pages.dev (templates.madebyaspire.com — public templates)
🔑 LOW — Token scope gaps blocked deeper audit
The current tokens in ~/.aria-secrets can audit Workers, Pages, and Zones — but not Access apps, KV, D1, or R2. The 4/16 audit used a temporary Global API Key (rotated after use). To do a full deep sweep here, either re-issue a Global key temporarily or extend the deploy/org tokens.
CLOUDFLARE_API_TOKEN (deploy)
Missing: Access read, KV read, D1 read, R2 read
CLOUDFLARE_ORG_TOKEN
Missing: Account · Access Apps Read — currently returns "Authentication error"; either expired or never had this scope
🏗️ Exposure protection model
Each surface has its own protection layer:
Custom domains
Internal sites (cc, playbook, hq) → CF Access policy (Topher + Jaime allow-list). Production client sites → public.
.pages.dev URLs
Each .pages.dev for an internal site needs its own Access app (the custom-domain Access app does NOT auto-cover the .pages.dev hostname).
.workers.dev URLs
workers_dev = false in every wrangler.toml. CF re-enables this on deploy unless explicitly set. Auto-disable via API is a band-aid, not a fix.
📋 Follow-ups for Topher
1. Wrangler.toml sweep across all agency repos — add workers_dev = false to prevent re-regression. Without this, every deploy can re-open the subdomain. Big enough that this should be its own CLI Linear issue + ~30 min of agency sweep work.
2. Investigate aspire-digital-prod.pages.dev — no custom domain attached, unclear purpose. Either delete if stale, or wire a custom domain + Access app if active.
3. Decide on docs.madebyaspire.com .pages.dev exposure — current pattern leaves preview deployments public. If docs use draft branches, lock with Access app.
4. Re-issue Global API Key temporarily if you want a deep audit of Access apps, KV, D1, R2. Rotate after.
5. OR extend the deploy/org tokens with read scopes for Access + Storage so future audits don't need a Global key.