Install: claude install-skill heymegabyte/claude-skills
# 08 — Deploy and Runtime Verification
## Mandatory deploy loop (every code change)
1. Build + typecheck
2. `wrangler deploy` (or platform equivalent)
3. Purge CDN (`wrangler cache purge` or `curl -X POST https://api.cloudflare.com/client/v4/zones/{id}/purge_cache`)
4. Fetch each changed route on PROD URL via curl + Playwright
5. Assert new content / headers / JSON-LD / status live
6. AI vision QA at 6 viewports (per `_kernel/standards.md#breakpoints`)
7. Fix-forward (max 3 redeploys) — never silently fail
8. Only then mark DONE
"Local typecheck + build pass" is NOT done. Per `rules/verification-loop.md`.
## Auth fallback chain
- `CLOUDFLARE_API_TOKEN` from `/Users/Apple/.local/bin/get-secret`
- On 401: `CLOUDFLARE_API_KEY` + `CLOUDFLARE_EMAIL`
- Both stale: prompt `! npx wrangler login`, resume deploy automatically once fresh
- NEVER silently skip deploy because creds missing — surface as blocker
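
One way to implement this chain so it fails closed, as an added example (not part of the skill's own code). `cf_probe` and `select_cf_auth` are hypothetical helper names, and the token probe assumes a user-scoped API token:

```shell
#!/usr/bin/env bash
# Added example: fail-closed credential selection before `wrangler deploy`.
# cf_probe and select_cf_auth are hypothetical helper names.

CF_API="https://api.cloudflare.com/client/v4"

# Print the HTTP status of a cheap authenticated call ($1 = token | key).
# Headers reach curl on stdin (-K -) so secrets never appear in argv.
cf_probe() {
  case "$1" in
    token)
      printf 'header = "Authorization: Bearer %s"\n' "$CLOUDFLARE_API_TOKEN" |
        curl -s -o /dev/null -w '%{http_code}' -K - "$CF_API/user/tokens/verify" ;;
    key)
      printf 'header = "X-Auth-Email: %s"\nheader = "X-Auth-Key: %s"\n' \
        "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_API_KEY" |
        curl -s -o /dev/null -w '%{http_code}' -K - "$CF_API/user" ;;
  esac
}

# Echo "token" or "key" for the first credential that authenticates.
# Any non-200 counts as rejected (assumption; the page names 401).
# Returns 2 as an explicit blocker when nothing works.
select_cf_auth() {
  local status
  if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
    status=$(cf_probe token)
    [ "$status" = "200" ] && { echo token; return 0; }
    echo "token rejected (HTTP $status), trying key + email" >&2
  fi
  if [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_EMAIL:-}" ]; then
    status=$(cf_probe key)
    [ "$status" = "200" ] && { echo key; return 0; }
    echo "key + email rejected (HTTP $status)" >&2
  fi
  echo "BLOCKER: no valid Cloudflare credentials; run: npx wrangler login" >&2
  return 2
}
```

A deploy wrapper would call `select_cf_auth` first and stop on exit status 2 instead of continuing without a deploy.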
## Workers Builds (native CI/CD)
- Configure in `wrangler.jsonc` `build` block
- Auto-deploys on push to `main` per `rules/main-only-branch.md`
- Workers Builds runs `npm install` + `npm run build` + `wrangler deploy`
- Secrets injected via dashboard or `wrangler secret put` per `rules/secret-provisioning.md`
## Secrets management
- Per `rules/secret-provisioning.md` + `rules/secret-auto-provisioning.md`
- `wrangler secret put KEY` — runtime secrets
- `wrangler secret list` — names only, never values
- Two-way mirror: every prod secret also in chezmoi (`~/.local/share/chezm