doesitarm/docs/plans
ThatGuySam 6d858d2a19 ci(cloudflare): stop leaking deploy config and stage TS migration
The Cloudflare worker deploy workflow was printing secret-derived config into CI logs and doing unnecessary root installs. Tighten the workflow to use read-only permissions, secure file writes, and per-worker dependency installs, then add a staged TypeScript migration plan so the repo-wide conversion has explicit CI-safe ordering.

Constraint: Must keep the current Cloudflare deploy path working while removing secret exposure from logs
Rejected: Leave the workflow as-is and document the risk | known secret leakage in CI is an immediate operational defect
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep worker deploy inputs secret-only and validate repo-wide TypeScript work in bounded slices, not one bulk migration
Tested: ruby YAML parse of .github/workflows/deploy-cloudflare-workers.yml; git diff --check; npm ci --prefix doesitarm-default --ignore-scripts --no-audit --no-fund; npm ci --prefix workers/analytics --ignore-scripts --no-audit --no-fund
Not-tested: Full GitHub Actions execution after commit
2026-04-04 17:06:58 -05:00
app-discovery-d1-automation.md docs(plan): add discovery and deploy follow-up research 2026-04-04 15:38:39 -05:00
app-test-typescript-refactor.md test(playwright): lock browser coverage before scanner refactors 2026-04-04 14:55:13 -05:00
cloudflare-dual-deploy-shadow.md docs(plan): add discovery and deploy follow-up research 2026-04-04 15:38:39 -05:00
public-discoverability-and-dataset-plan.md docs(plan): de-risk discoverability work with an ease-first rollout 2026-04-04 16:57:25 -05:00
repo-typescript-migration.md ci(cloudflare): stop leaking deploy config and stage TS migration 2026-04-04 17:06:58 -05:00