Delivery record

ShivWorks Network access runbook.

This is the handoff artifact for the PM to forward to the technical owner or developer. Access can be granted now to any named ShivWorks recipient who needs to take ownership of the backend, secrets, CLI workflow, or database operations.

Business outcome

The handoff is now an ownership system.

The page lets a non-technical owner forward the right artifact while keeping production access and private data behind named approval lanes.

Before Backend ownership could scatter across chat, accounts, secrets, and data.

The handoff needed to be safe for a PM to forward and precise enough for a developer to inherit.

Now Repo, secrets, database, app admin, and acceptance checks have named lanes.

The runbook separates GitHub, Infisical, Cloudflare, and app admin access so each grant can be approved and verified.

Risk reduced No broad credential or CREATE SOMETHING internal access is required.

Secret values stay in Infisical and Cloudflare, production data stays out of the public page, and grants remain attributable.

Next decision Name the recipient and choose scoped access or full account transfer.

The remaining work is explicit: identities, access grants, production ownership, and app admin role setup.

Handoff packet

What to send and where ownership moves.

This is written so a non-technical PM can forward the page, while the technical recipient can take ownership without guessing where the repo, secrets, database, and acceptance checks live.

Runbook URL

PM and ShivWorks lead

DeliverThis delivery page is the shareable source of truth for the backend handoff. The PM does not need to run the commands.

HowSend the page URL to the developer or technical owner who will take over the repo, secrets, and database workflow.

Developer identity

PM and backend developer

DeliverThe receiving developer needs a name, email, GitHub username, and Infisical account identity before access can be granted.

HowCollect those identities in one thread, then grant access through GitHub, Infisical, Cloudflare, and app admin as needed for that recipient.

Repository access

Backend developer

DeliverContributor access to createsomethingtoday/shivworks-network, which is the standalone application repository.

HowInvite the developer through the CREATE SOMETHING GitHub organization with the minimum role needed for active work.

Secret access

Backend developer

DeliverInfisical access for development secrets and the names of any production secrets that exist. Secret values are not sent in chat.

HowGrant dev environment access in Infisical first. Add production access only for the named person taking production responsibility.

Database path

Technical owner

DeliverCLI ownership of the ShivWorks data path through Cloudflare D1 and the repo scripts when the developer needs to inspect, query, migrate, or update data.

HowGrant Cloudflare D1 access to the named technical owner. They use Wrangler plus the repo commands for direct database work.

CREATE SOMETHING boundary

PM and technical owner

DeliverNo access to the CREATE SOMETHING monorepo, agency site, or internal operating stack is required for the ShivWorks handoff.

HowGrant only ShivWorks-specific surfaces. For zero long-term crossover, transfer the repo, Cloudflare project, Infisical project, and vendor accounts into ShivWorks-owned accounts.

Acceptance check

Developer and PM

DeliverConfirmation that the developer can clone the repo, inject dev secrets, run the app, and run the validation commands.

HowThe developer sends back pass/fail evidence. The PM can mark the handoff accepted once the technical recipient confirms setup.

Shareable references

What the developer can open.

These references are safe to share. Secret values, production member data, and Cloudflare write permissions stay in GitHub, Infisical, Cloudflare, and the app admin workflow.

Main GitHub repository ShivWorks Network repoCloudflare Pages app Production member networkCloudflare Pages generated domain Pages fallback URL
Secret delivery path; values not published here Infisical secret vault
shivworks-network-db via Wrangler Cloudflare D1 database
Database / Automation / Judgment

Map every handoff item to the operating layer.

Database

Cloudflare D1

Live

Production member, entitlement, session, course, event, media, and progress data lives in the Cloudflare D1 database named shivworks-network-db. With Cloudflare access, the named developer can own read, write, migration, and repair work through Wrangler and the repo CLI.

Automation

CLI and runtime access

Ready to provision

Developers use the standalone GitHub repo, Infisical-injected environment variables, Wrangler login for Cloudflare operations, and repo scripts for checks, tests, migrations, and guarded D1 queries.

Judgment

Access boundary

Ready for named recipient

Access can be granted now to whichever developer or technical owner ShivWorks names. GitHub, Infisical, Cloudflare, and app admin access are still separate grants so ownership stays clear.

Developer Runbook

Start with access, then local proof.

The normal path is GitHub access plus Infisical dev access. Cloudflare D1 access can be granted now to the named technical owner who needs direct production database operations.

Local setup

Clone the standalone repo and start the app with dev secrets injected by Infisical.

git clone https://github.com/createsomethingtoday/shivworks-network.git
cd shivworks-network
pnpm install
infisical login
infisical init
infisical run --env=dev --path=/ -- pnpm dev
Validation

Run the package checks with the same dev secret context.

infisical run --env=dev --path=/ -- pnpm check
infisical run --env=dev --path=/ -- pnpm test
D1 read check

Use after Cloudflare access is granted to confirm the named recipient can reach the production D1 database.

wrangler login

CLOUDFLARE_ACCOUNT_ID=9645bd52e640b8a4f40a3a55ff1dd75a \
pnpm db:shell "SELECT name FROM sqlite_master WHERE type='table';"
D1 ownership path

Use the repo migration and database scripts for intentional data ownership work. Production writes should be named and logged.

pnpm migrate:list
pnpm migrate

CLOUDFLARE_ACCOUNT_ID=9645bd52e640b8a4f40a3a55ff1dd75a \
pnpm db:shell "SELECT COUNT(*) FROM members;"
Access Lanes

Grant only the needed lane.

GitHub, Infisical, Cloudflare, and app-admin access solve different problems. Avoid using one broad credential as a shortcut for all four.

GitHub

OwnerCREATE SOMETHING GitHub org

ScopeContributor access to createsomethingtoday/shivworks-network

ActionInvite the developer with the minimum role needed for active backend work.

Infisical

OwnerCREATE SOMETHING / ShivWorks secret vault

Scopedev path for normal development; prod only by exception

ActionShare secret names and environment access through Infisical, never in chat or repo files.

Cloudflare

OwnerCreate Something Cloudflare account

ScopePages, D1, Stream, and direct database CLI operations when backend production work requires it

ActionGrant named-user access for the handoff recipient so D1 data work is attributable. Use scoped API tokens only for non-interactive automation.

App Admin

OwnerShivWorks product admin

ScopeAdmin role inside the members table

ActionAfter the person signs in through Clerk, set their member role to admin in D1 when they need product admin access.

Private Boundary

Known but not published.

Credential values stay in Infisical and Cloudflare secrets. The delivery page publishes secret names and ownership boundaries only.

Production D1 contains member, entitlement, session, admin, VIP, media, and progress data. The named technical owner can be granted CLI ownership for data work as needed.

Clerk, Stripe, Resend, Circle, and Cloudflare Stream credentials are runtime secrets, not GitHub artifacts or frontend handoff notes.

The ShivWorks developer does not need CREATE SOMETHING monorepo, agency-site, or internal operating-stack access.

If ShivWorks wants no CREATE SOMETHING account dependency long term, move the repo, Cloudflare project, Infisical project, and vendor accounts into ShivWorks-owned accounts.

Replit/front-end management is outside this developer runbook. The PM owns that workflow.

Next Review

Decisions still open.

Collect the recipient name, email, GitHub username, Infisical identity, and Cloudflare account email if Cloudflare access is needed.

Invite the named recipient to createsomethingtoday/shivworks-network.

Grant Infisical dev access for the ShivWorks project/path and confirm they can run the app locally.

Grant Cloudflare access to the named production owner if they will own D1 data, Pages, or Stream operations.

Choose scoped CREATE SOMETHING-managed access for now or transfer the ShivWorks surfaces into ShivWorks-owned accounts for full separation.

When app admin access is needed, have the user sign in and then set their D1 member role to admin.