> For the complete documentation index, see [llms.txt](https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/.spec_system/archive/sessions/phase33-session06-scan-build-and-deploy/spec.md).

# Session Specification

**Session ID**: `phase33-session06-scan-build-and-deploy` **Phase**: 33 - Cloudflare Pages Real Product Fixtures **Status**: Not Started **Created**: 2026-06-25

***

## 1. Session Overview

This session closes Phase 33 by running the static Cloudflare Pages release gates against the frozen real product fixtures produced in Sessions 01 through 05. The work verifies that the public demo can be packaged, scanned, budgeted, smoke-tested, and uploaded without exposing local-only data or implying hosted runtime behavior.

The session is intentionally release-focused. It does not change fixture projection policy, public-demo UI copy, or route behavior unless a release gate reveals a concrete privacy, coherence, build, or smoke-test failure. Cloudflare Pages remains static-only and consumes committed fixtures from `demo-website/public/`.

The result is deployment-ready or deployed Pages output, with command evidence, route status evidence, no-bridge browser smoke evidence, and final deployment verification notes recorded in the session artifacts.

***

## 2. Objectives

1. Refresh or confirm the committed public demo snapshot and metadata through the existing snapshot exporter.
2. Build, scan, and budget the static Pages output under `demo-website/dist`.
3. Run focused unit and browser route-smoke checks proving frozen public-demo routes are reachable and do not call local bridge or mutation endpoints.
4. Produce deploy dry-run, optional execute-upload evidence, and hosted route verification notes without printing or committing Cloudflare secrets.

***

## 3. Prerequisites

### Required Sessions

* [x] `phase33-session01-capture-local-demo-runs` - captured and reviewed the local Trend Finder and Dream Review payload selected for public demo use.
* [x] `phase33-session02-freeze-public-fixtures` - generated deterministic committed Pages fixtures and metadata.
* [x] `phase33-session03-harden-trend-finder-projection` - preserved useful Trend Finder artifacts with coherent bounded references.
* [x] `phase33-session04-harden-dream-projection` - added the bounded public-safe Dream Review projection.
* [x] `phase33-session05-polish-public-demo-ui-states` - polished frozen-data, read-only, browser-local, and disabled-runtime public demo UI states.

### Required Tools Or Knowledge

* Bun 1.3.14 and project scripts in `package.json`.
* Existing snapshot, build, scan, budget, preview, and deploy helpers under `scripts/demo/` and `scripts/lib/`.
* Existing route matrix in `scripts/lib/pages-demo-routes.ts`.
* Existing Pages route smoke tests in `tests/e2e/pages-demo-routes.spec.ts` and `tests/e2e/pages-demo-mobile.spec.ts`.
* Cloudflare Pages direct-upload flow documented in `docs/deployment.md` and `demo-website/README.md`.

### Environment Requirements

* Work from the repository root.
* Use `VITE_AI_OS_PUBLIC_DEMO=1` only through the existing Pages build script.
* Local deploy execution requires `.env.local` or shell environment values for `CLOUDFLARE_ACCOUNT_ID` and `CLOUDFLARE_API_TOKEN`.
* The real Cloudflare Pages project name must be supplied as a `demo:deploy:pages --project-name` argument and must not be committed.
* Do not print Cloudflare account IDs, API tokens, token-shaped values, or private local paths in session notes.

***

## 4. Scope

### In Scope (MVP)

* Run `bun run demo:snapshot --dry-run --json` before any final fixture write.
* Run `bun run demo:snapshot` only after dry-run output is reviewed.
* Review `demo-website/snapshot-manifest.json`, `demo-website/public/demo/snapshot-metadata.json`, committed fixture files, and final `demo-website/dist` output for safe public content.
* Run `bun run demo:build:pages`, `bun run demo:scan:pages`, and `bun run demo:budget:pages`.
* Run focused tests for Pages snapshot, build, deploy helper, privacy scan, route matrix, public demo metadata, endpoint selection, Trend Finder public demo states, Engine Replay, Dream transforms, and Dream public-demo controls.
* Run desktop and mobile Pages route smoke against static Pages output and confirm no `/__*` bridge or mutation requests are made.
* Spot-check `/`, `/extensions/trend-finder/trends`, `/extensions/trend-finder/engine`, `/extensions/trend-finder/hidden-gems`, `/extensions/trend-finder/sources`, `/extensions/trend-finder/watchlist`, and `/extensions/trend-finder/brief`.
* Run `bun run demo:deploy:pages` with the real operator-supplied project name and `--branch main`, then record the reviewed dry-run command without secret values.
* Run `bun run demo:deploy:pages` with the same real project name, `--branch main`, and `--execute` when Cloudflare env vars are available locally.
* Record final Pages URL, deployment branch, source commit, route HTTP status results, and no-bridge smoke results when deploy execution succeeds.

### Out Of Scope (Deferred)

* Changing Trend Finder or Dream projection policy - Reason: Sessions 03 and 04 already hardened projection; this session changes it only for failed privacy, coherence, or release-gate evidence.
* Changing public-demo copy or route behavior for polish - Reason: Session 05 owns UI state honesty; this session repairs only concrete gate failures.
* Adding Cloudflare Pages Functions, `_worker.js`, analytics, hosted storage, hosted collectors, schedulers, source writes, uploads, account auth, local bridge reads, admin mutations, or hosted Dream runtime - Reason: Phase 33 keeps the public demo static-only.
* Committing Cloudflare credentials, account IDs, tokens, or project secrets - Reason: deployment configuration remains operator-local.
* Replacing the existing Worker deployment path - Reason: the Pages public demo remains a separate static target.

***

## 5. Technical Approach

### Architecture

Use the existing release lane as documented: `demo:snapshot` authors committed fixtures locally; `demo:build:pages` emits the static client in public-demo mode and assembles `demo-website/dist`; `demo:scan:pages` scans committed and generated public output; `demo:budget:pages` measures generated Pages assets; and `demo:deploy:pages` prints or executes a Wrangler Pages direct-upload command.

The release evidence belongs in session artifacts, not in product UI. Command results, fixture deltas, privacy scan counts, budget totals, route status results, deploy dry-run output, and hosted smoke results should be summarized without copying raw fixture bodies, private data, local paths, or secrets.

### Design Patterns

* Static-only Pages boundary: Cloudflare Pages consumes committed fixtures and generated static output only.
* Script-owned release gates: use existing Bun scripts instead of one-off shell deployment logic.
* Dry-run before execute: require deploy dry-run command review before upload.
* No-bridge smoke: browser checks treat any `/__*` request as a release failure.
* Evidence-first closeout: record exact commands, statuses, and route results in session notes.

***

## 6. Deliverables

### Files To Create

| File                                                                                    | Purpose                                                                                                                            | Est. Lines |
| --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `.spec_system/specs/phase33-session06-scan-build-and-deploy/implementation-notes.md`    | Command evidence, fixture deltas, scan/budget/build results, and release-gate notes.                                               | \~160      |
| `.spec_system/specs/phase33-session06-scan-build-and-deploy/deployment-verification.md` | Static preview, deploy dry-run, optional execute-upload, hosted route status, final Pages URL, branch, and source commit evidence. | \~120      |

### Files To Modify

| File                                               | Changes                                                                                                                | Est. Lines |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ---------- |
| `demo-website/public/demo/live-data.snapshot.json` | Refresh or confirm the final committed public snapshot from the exporter.                                              | generated  |
| `demo-website/public/demo/snapshot-metadata.json`  | Refresh or confirm public snapshot metadata, provenance, and route coverage.                                           | generated  |
| `demo-website/public/demo/graphs/index.json`       | Refresh or confirm committed public graph registry fixture.                                                            | generated  |
| `demo-website/public/demo/graphs/ai-os.json`       | Refresh or confirm committed public AI OS graph fixture.                                                               | generated  |
| `demo-website/snapshot-manifest.json`              | Refresh or confirm source commit, captured timestamp, redaction counts, field policy, scan status, and route coverage. | generated  |
| `demo-website/dist/index.html`                     | Regenerate final static Pages output through `demo:build:pages`.                                                       | generated  |
| `demo-website/dist/_headers`                       | Regenerate final Pages headers output from committed public source files.                                              | generated  |
| `demo-website/dist/_redirects`                     | Regenerate final Pages redirects output from committed public source files.                                            | generated  |
| `demo-website/dist/demo/live-data.snapshot.json`   | Regenerate final static Pages copy of the committed public snapshot.                                                   | generated  |
| `demo-website/dist/demo/snapshot-metadata.json`    | Regenerate final static Pages copy of the committed metadata.                                                          | generated  |
| `demo-website/dist/demo/graphs/index.json`         | Regenerate final static Pages copy of graph registry fixture.                                                          | generated  |

***

## 7. Success Criteria

### Functional Requirements

* [ ] `bun run demo:snapshot --dry-run --json` passes before any final fixture write.
* [ ] Final public fixtures and manifest contain the expected Trend Finder, Dream Review, route coverage, source commit, redaction, and scan metadata without private data.
* [ ] `bun run demo:build:pages` produces `demo-website/dist/index.html`, `_headers`, `_redirects`, `demo/live-data.snapshot.json`, `demo/snapshot-metadata.json`, and `demo/graphs/index.json`.
* [ ] Pages output contains no top-level `404.html`, `_worker.js`, Pages Functions, hosted collector, local bridge, upload, account-auth, admin mutation, source mutation, scheduler, or Dream runtime entrypoint.
* [ ] `bun run demo:scan:pages` and `bun run demo:budget:pages` pass.
* [ ] Static preview and route smoke confirm the core route set returns HTTP success and makes no `/__*` requests.
* [ ] Deploy dry-run prints the expected `wrangler pages deploy demo-website/dist` command without secret values.
* [ ] When execute upload runs, hosted verification records the final Pages URL, branch, source commit, and HTTP status results for the required routes.

### Testing Requirements

* [ ] Focused snapshot, build, deploy, privacy scan, route matrix, public-demo, endpoint-selection, Trend Finder, Engine Replay, Dream transform, and Dream public-demo control tests pass.
* [ ] Desktop and mobile Pages route smoke pass against static Pages output.
* [ ] Manual route spot-check results are recorded for the core route set.

### Non-Functional Requirements

* [ ] Public demo remains static-only and credential-free.
* [ ] No committed fixture or generated dist file exposes credentials, local paths, private identifiers, raw prompts, provider bodies, private logs, or misleading live-runtime claims.
* [ ] Pages total client bundle remains within the configured Pages budget.

### Quality Gates

* [ ] All files ASCII-encoded.
* [ ] Unix LF line endings.
* [ ] Code follows project conventions.
* [ ] Release notes and session notes contain command outcomes, not secrets or raw private payload bodies.

***

## 8. Implementation Notes

### Working Assumptions

* Session 06 is the next executable session: the analyzer reports Phase 33 in progress, Sessions 01 through 05 complete, no active current session, and `phase33-session06-scan-build-and-deploy` as the only unfinished current phase candidate. Planning can proceed because all prerequisites have validation evidence.
* Deploy execution is environment-dependent but planning can proceed: the docs and deploy helper require an operator-supplied Pages project name plus local Cloudflare env vars, while dry-run, build, scan, budget, and static preview verification are repo-local.
* `demo-website/dist` is generated release output: it may be regenerated during implementation and should be reviewed as build evidence, while source-of-truth fixtures remain under `demo-website/public/`.

### Conflict Resolutions

* The Session 06 stub repeats several build, scan, budget, snapshot, and hosted route success criteria. This plan treats the duplicates as one release-gate bundle and records each command once with clear evidence.
* The stub asks to run the snapshot exporter after Sessions 02 through 04 already froze and hardened fixtures. This plan uses dry-run first, then a final exporter run to refresh or confirm the committed public snapshot, while deferring projection-policy changes unless gate evidence requires repair.

### Key Considerations

* Keep Cloudflare Pages separate from the Worker deployment path.
* Keep Cloudflare project name and credentials out of committed files and logs.
* Treat no-bridge desktop/mobile smoke as a privacy gate, not a cosmetic check.
* Record route HTTP status evidence for both static preview and hosted deploy when upload execution succeeds.

### Potential Challenges

* Missing deploy project name or Cloudflare env vars: record deploy-ready dry-run evidence and the unmet environment requirement without committing external configuration.
* Snapshot timestamp or source-commit deltas: review and record generated file changes before deploy rather than assuming regenerated fixtures are identical.
* Pages budget pressure from prior AI Rogue assets: use the configured `demo:budget:pages` gate and record totals.
* Hosted route propagation delay: retry route status checks with bounded waits and record observed status results.

### Relevant Considerations

* \[P31/P32] **Pages demo CI guard deferred**: This session must run build, scan, Pages budget, desktop/mobile route smoke, and public-demo gameplay smoke locally because they are not yet routine CI gates.
* \[P31/P32] **Public-demo release gates stay bundled**: Build, privacy scan, route smoke, bundle budget, private-scan review, dependency posture, and release evidence should be captured together.
* \[P31/P32] **Pages demo stays static-only**: Do not add `/__*` bridge calls, hosted writes, collectors, analytics, Functions, or advanced Workers.
* \[P31] **Route smoke is a privacy gate**: Desktop and mobile route checks must fail on local bridge requests.
* \[P24] **Browser-safe export and triage boundaries**: Static Brief and browser-visible output must avoid local triage notes, private paths, and raw evidence.

***

## 9. Testing Strategy

### Unit Tests

* Run focused script tests for snapshot projection, privacy scanning, Pages build assembly, Pages deploy command validation, and route matrix coverage.
* Run focused app tests for public-demo copy, `use-live-data` public endpoint selection, Dream public-demo controls, Dream home projection, Trend Finder public-demo route states, and Engine Replay.

### Integration Tests

* Run `bun run demo:build:pages`, `bun run demo:scan:pages`, and `bun run demo:budget:pages`.
* Serve `demo-website/dist` with Wrangler Pages dev and run desktop/mobile Pages route smoke against that static preview.

### Runtime Verification

* Spot-check `/`, Trend Finder Trends, Engine Replay, Hidden Gems, Sources, Watchlist, and Brief on static preview.
* If deployment executes, spot-check the same hosted route set and record status codes, final URL, branch, and source commit.

### Edge Cases

* Missing Cloudflare project name or credentials.
* Privacy scan issue in committed fixtures or generated dist.
* Generated Pages output missing required fixture files.
* Generated Pages output containing a top-level `404.html` or hosted runtime entrypoint.
* Public route requesting any `/__*` local bridge or mutation path.
* Budget failure after static asset assembly.

***

## 10. Dependencies

### Other Sessions

* Depends on: `phase33-session01-capture-local-demo-runs`, `phase33-session02-freeze-public-fixtures`, `phase33-session03-harden-trend-finder-projection`, `phase33-session04-harden-dream-projection`, `phase33-session05-polish-public-demo-ui-states`
* Depended by: Phase 33 audit and phase transition workflow

***

## Next Steps

Run the `implement` workflow step to execute the release gates, record evidence, and prepare the session for code review, validation, and Phase 33 closeout.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/.spec_system/archive/sessions/phase33-session06-scan-build-and-deploy/spec.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
