title: "DevForge / DevLuxe Registry Gate Execution Walkthrough"
version: "2026-07-09.5"
status: "manual execution guide - registry gates pending"
DevForge / DevLuxe 10X Registry Gate Execution Walkthrough (source: internal value-standard label, not a measured multiplier)
Read first: This is the A-grade execution guide for claiming
devluxeon npm and PyPI. It tells you exactly what must be done manually by you, what can be automated afterward, what values to paste, what receipts prove completion, and what cleanup is mandatory after first publish.
Brutal Reality Boundary
- [ ] DevLuxe is locally prepared for the registry gate, but the workflow is not 100% complete until both public registries show
devluxeand the publish run receipts are retained. - [ ] The walkthrough artifact is generated and present in the CooperLux portal tree locally, but the public
walkthrough.cooperlux.comURL is not live until Cloudflare Pages, DNS, Access, and live verification receipts pass. - [ ] npm currently requires a first-publish token path for this package because the package settings page, where npm trusted publishing is configured, is available only after the npm package exists. (source: local DevLuxe runbook plus npm trusted publishing package-settings flow)
- [ ] PyPI can use a pending trusted publisher for the first publish, but the pending publisher does not reserve the name before the publish runs. source
- [ ]
10Xis an internal quality and value standard only; it is not a revenue, readership, download, conversion, or performance multiplier. (source: this walkthrough boundary) - [ ] No secret belongs in this artifact, screenshots, exported notes, chat, shell history, commit history, or portal files.
Known Current State - July 9, 2026
| Item | Current value | Why it matters |
|---|---|---|
| GitHub owner | katterskillsawmill |
Real repository owner from the local remote. |
| GitHub repo | devluxe |
Real repository name from the local remote. |
| GitHub remote | https://github.com/katterskillsawmill/devluxe.git |
Must match registry publisher fields. |
| npm package | devluxe |
Public namespace to claim. |
| PyPI project | devluxe |
Public namespace to claim. |
| npm version | 0.2.0 |
Current npm/package.json version. |
| PyPI version | 0.2.0 |
Current pypi/pyproject.toml version. |
| Workflow file | publish.yml |
Enter only this filename in registry forms. |
| GitHub workflow path | .github/workflows/publish.yml |
Actual workflow path in the repo. |
| npm environment | npm-publish |
GitHub environment used by publish-npm. |
| PyPI environment | pypi |
GitHub environment used by publish-pypi. |
| First-publish npm secret | NPM_TOKEN |
Environment secret name only; never record the value. |
| Local monorepo | /root/ecosystems/ecosystem-whitelabel/devluxe |
Working source location. |
| Portal walkthrough path | walkthroughs/devforge-devluxe/2026-07-09/ |
CooperLux portal section path. |
| Website access route | https://cooperluxe.com/walkthroughs |
Existing protected website route where the operator link belongs. |
| Pages guide route | https://james-cooperluxe.pages.dev/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/ |
Wrangler-deployed artifact location used by the website SSO link; 10x in the slug is the internal value-standard label. (source: this walkthrough boundary) |
| Optional redirect host | walkthroughs.cooperlux.com |
Optional future redirect to https://cooperluxe.com/walkthroughs; not required for today. |
What I Can Automate vs What You Must Do
| Track | Can be automated by Codex | Must be done manually by you |
|---|---|---|
| Registry probes | Check whether npm/PyPI already have devluxe. |
None. |
| Local package tests | Run npm tests, build checks, and Python checks when dependencies are available. | None unless local dependencies require account access. |
| GitHub workflow review | Inspect .github/workflows/publish.yml for branch, environment, permission, and publish shape. |
Approve any publish run if GitHub environment protection asks for approval. |
| GitHub environments | I can show exact environment names and expected settings. | You must create/configure environments if I do not have authenticated GitHub admin access. |
| PyPI pending publisher | I can supply exact form values. | You must log in to PyPI and add the pending publisher. |
| npm first-publish token | I can supply exact token scope and secret name. | You must log in to npm, create the token, copy it once, and put it into GitHub as NPM_TOKEN. |
| First publish | I can give the UI path and CLI command. | You must explicitly authorize the publish and approve protected jobs. |
| Post-publish cleanup | I can patch workflow files after the package exists if requested. | You must configure npm trusted publishing in npm package settings and revoke/delete the first-publish token. |
Official Constraints Checked July 9, 2026
- [ ] npm trusted publishing uses OIDC and removes the need for long-lived npm tokens after it is configured. It requires npm CLI
11.5.1or later and Node22.14.0or higher. source - [ ] npm trusted publishing currently supports GitHub Actions only on GitHub-hosted runners, not self-hosted runners. source
- [ ] npm GitHub trusted-publisher fields are: organization/user, repository, workflow filename, optional environment, and allowed actions. Enter the workflow filename only, not
.github/workflows/publish.yml. source - [ ] npm trusted-publisher configurations created after May 20, 2026 require explicit allowed action selection; choose
npm publishfor this first OIDC flip. source - [ ] npm automatic provenance through trusted publishing requires OIDC, a public package, and a public repository; private repositories do not get provenance even when publishing public packages. source
- [ ] npm granular access tokens are created on the npm website; full tokens are only shown immediately after creation. source
- [ ] PyPI pending publishers create the project only when first used to publish; they do not reserve the name before then. source
- [ ] PyPI trusted publishing works best when the build job and publish job are separate; PyPA recommends a separate publishing job with scoped privileges. source
- [ ] GitHub environment secrets are available only to jobs that reference that environment, and jobs must pass environment protection rules before they can access those secrets. source
Claim Ledger
| Claim | Status | Receipt / boundary |
|---|---|---|
| DevLuxe local registry package sources are prepared for owner execution. | partial | npm tests passed locally on July 9, 2026; PyPI local pytest was not run because pytest was missing from the base Python environment. |
| Public npm namespace claim is complete. | false/removed | Live probe returned npm 404 on July 9, 2026; package does not exist yet. |
| Public PyPI namespace claim is complete. | false/removed | Live probe returned PyPI 404 on July 9, 2026; project does not exist yet. |
| The workflow is 100% complete. | false/removed | Completion requires npm page, PyPI page, GitHub Actions run receipt, and post-publish token cleanup. |
10X is an external measured multiplier. (source: boundary row) |
false/removed | The label is only an internal quality/value standard. |
| The secure Next.js middleware pack is dead or deleted. | false/removed | packs/seniormatic/secure-nextjs-middleware remains a reusable asset; only standalone project-building was stopped. |
Zero-Secret Rule
- [ ] Never paste the npm token into this walkthrough.
- [ ] Never paste the npm token into chat.
- [ ] Never screenshot the token.
- [ ] Never run a command that prints the token.
- [ ] Never store the token in
.env,.npmrc, notes, a draft issue, a commit, or browser autofill notes. - [ ] Copy the token once from npm and paste it directly into the GitHub
NPM_TOKENenvironment secret. - [ ] After first npm publish succeeds, revoke the token on npm and delete the GitHub environment secret.
Phase 0 - Automated Preflight We Can Run
Run these before doing account work. These do not publish anything.
cd /root/ecosystems/ecosystem-whitelabel/devluxe
git status --short
git remote -v
sed -n '1,220p' .github/workflows/publish.yml
Expected:
- [ ] Remote is
https://github.com/katterskillsawmill/devluxe.git. - [ ] Workflow file exists at
.github/workflows/publish.yml. - [ ] Workflow trigger is
workflow_dispatch, not automatic release-on-push. - [ ]
publish-npmuses environmentnpm-publish. - [ ]
publish-pypiuses environmentpypi. - [ ]
publish-pypihasid-token: write. - [ ]
publish-npmis still token-based for first publish.
Registry availability check:
curl -sS -o /dev/null -w "npm: %{http_code}\n" https://registry.npmjs.org/devluxe
curl -sS -o /dev/null -w "pypi: %{http_code}\n" https://pypi.org/pypi/devluxe/json
Expected before first publish:
npm: 404
pypi: 404
Local package checks:
cd /root/ecosystems/ecosystem-whitelabel/devluxe/npm
npm test
Expected:
- [ ]
5npm tests pass.
Python package check, if pytest is available:
cd /root/ecosystems/ecosystem-whitelabel/devluxe/pypi
python3 -m pytest -q
Expected:
- [ ] Python tests pass, or dependency setup is completed before the publish run.
Phase 1 - Manual GitHub Environment Setup
Purpose: make sure the publish jobs have protected, named environments before registry publish starts.
Open:
https://github.com/katterskillsawmill/devluxe/settings/environments
Create or verify pypi
- [ ] Click New environment if
pypidoes not exist. - [ ] Enter environment name:
pypi - [ ] Click Configure environment.
- [ ] Under deployment branches/tags, restrict to
mainif that control is available on your plan. - [ ] Add required reviewers if available and if you want a human approval stop before PyPI publish.
- [ ] Do not add a PyPI API token; PyPI publish uses OIDC.
- [ ] Save.
Pass signal:
- [ ] Environment list shows
pypi. - [ ] No PyPI password, API token, or secret was added.
- [ ] The workflow job
publish-pypican reference the environment name exactly aspypi.
Create or verify npm-publish
- [ ] Click New environment if
npm-publishdoes not exist. - [ ] Enter environment name:
npm-publish - [ ] Click Configure environment.
- [ ] Under deployment branches/tags, restrict to
mainif that control is available on your plan. - [ ] Add required reviewers if available and if you want a human approval stop before npm publish.
- [ ] Leave environment secrets empty until the npm token is created in Phase 3.
- [ ] Save.
Pass signal:
- [ ] Environment list shows
npm-publish. - [ ] No token has been pasted anywhere except the future
NPM_TOKENsecret.
If GitHub says environment protections are unavailable
The repo may be private and the current GitHub plan may limit some protection rules. Create the environments anyway if possible. The environment names still matter because the workflow references `pypi` and `npm-publish`, and environment secrets are scoped to those jobs.Phase 2 - Manual PyPI Pending Publisher Setup
Purpose: let the first trusted PyPI publish create devluxe without any PyPI API token.
Open:
https://pypi.org/manage/account/publishing/
If PyPI asks you to log in:
- [ ] Log in to the owner PyPI account.
- [ ] Complete 2FA if prompted.
- [ ] Stay in account settings, not a project settings page. The project does not exist yet.
Add pending publisher:
- [ ] Click Add a new pending publisher.
- [ ] Choose GitHub.
- [ ] Fill the form exactly:
| PyPI form field | Exact value |
|---|---|
| Project name | devluxe |
| Owner | katterskillsawmill |
| Repository name | devluxe |
| Workflow name | publish.yml |
| Environment name | pypi |
- [ ] Click Add or Submit.
- [ ] Confirm the pending publisher appears in the list.
Pass signal:
- [ ] PyPI shows a pending publisher for project
devluxe. - [ ] It references owner
katterskillsawmill, repositorydevluxe, workflowpublish.yml, environmentpypi. - [ ] No PyPI API token was created.
Stop condition:
- [ ] If PyPI says project
devluxealready exists under someone else, stop. Do not continue the publish workflow. Capture the page state and reassess name strategy.
Why PyPI still shows no project page after this step
That is expected. PyPI pending publishers do not create or reserve the project until first trusted publish. The project page appears only after the workflow successfully publishes the distribution.Phase 3 - Manual npm First-Publish Token Setup
Purpose: claim the unscoped npm package once, then immediately move toward trusted publishing and token removal.
Open:
https://www.npmjs.com/settings/katterskillsawmill/tokens
If that organization token page is not available, use your npm profile menu:
- [ ] Click profile icon.
- [ ] Click Access Tokens.
- [ ] Click Generate New Token.
- [ ] Choose a granular access token.
Create token:
| npm token field | Exact guidance |
|---|---|
| Token name | devluxe-first-publish-2026-07-09 |
| Description | One-time first publish for devluxe; revoke after trusted publishing is configured. |
| Expiration | Shortest available; npm documents at least 1 day for custom expiration. |
| Packages and scopes | Read and write for all packages/scopes available to the publishing account. |
| Organizations | Only add organization access if the package will publish under organization ownership. |
| Bypass 2FA | Enable only if npm account/package settings require 2FA for publish automation and the workflow would otherwise fail. |
- [ ] Click Generate Token.
- [ ] Copy the token once.
- [ ] Do not paste it anywhere except GitHub environment secret
NPM_TOKEN.
Add token to GitHub environment:
Open:
https://github.com/katterskillsawmill/devluxe/settings/environments
- [ ] Open environment
npm-publish. - [ ] Under Environment secrets, click Add secret.
- [ ] Secret name:
NPM_TOKEN - [ ] Secret value: paste the npm token once.
- [ ] Click Add secret.
Pass signal:
- [ ] GitHub environment
npm-publishshows a secret namedNPM_TOKEN. - [ ] You cannot see the token value anymore.
- [ ] The token was not pasted anywhere else.
Stop condition:
- [ ] If npm does not let you create a token that can publish a new unscoped package, stop and do not run the workflow. The package claim path must be changed before publish.
Phase 4 - Manual Workflow Dispatch
Purpose: run the single manual-dispatch release workflow after both account gates are ready.
Open:
https://github.com/katterskillsawmill/devluxe/actions/workflows/publish.yml
Run from GitHub UI:
- [ ] Click Run workflow.
- [ ] Branch:
main - [ ] Input
target:both - [ ] Click Run workflow.
Alternative terminal command, only if your GitHub CLI is authenticated to the correct account:
gh workflow run publish.yml -R katterskillsawmill/devluxe -f target=both
gh run watch -R katterskillsawmill/devluxe
While the workflow runs:
- [ ] Confirm
build-npmstarts first and runs tests plusnpm publish --dry-run. - [ ] Confirm
build-npmuploadsdevluxe-npm-package. - [ ] Confirm
publish-npmwaits on thenpm-publishenvironment if approval is configured. - [ ] Approve
publish-npmonly afterbuild-npmsucceeded. - [ ] Confirm
build-pypibuilds distributions, runstwine check, and runs tests. - [ ] Confirm
publish-pypiwaits on thepypienvironment if approval is configured. - [ ] Approve
publish-pypionly afterbuild-pypisucceeded.
Stop conditions:
- [ ] If either build job fails, do not approve publish jobs.
- [ ] If
publish-npmfails before publishing, do not retry until the token, 2FA, and package-name state are understood. - [ ] If
publish-pypifails with a trusted publisher mismatch, check every PyPI field exactly: owner, repository, workflow filename, and environment. - [ ] If either registry already has the package under another owner, stop and reassess. Do not keep retrying.
Phase 5 - Completion Receipts
After the workflow reports success, capture all receipts before calling the workflow complete.
Open and save URLs:
| Receipt | URL |
|---|---|
| GitHub publish workflow | https://github.com/katterskillsawmill/devluxe/actions/workflows/publish.yml |
| npm package | https://www.npmjs.com/package/devluxe |
| npm version | https://www.npmjs.com/package/devluxe/v/0.2.0 |
| PyPI project | https://pypi.org/project/devluxe/ |
| PyPI version | https://pypi.org/project/devluxe/0.2.0/ |
| npm registry JSON | https://registry.npmjs.org/devluxe |
| PyPI registry JSON | https://pypi.org/pypi/devluxe/json |
Run verification commands:
curl -sS -o /dev/null -w "npm: %{http_code}\n" https://registry.npmjs.org/devluxe
curl -sS -o /dev/null -w "pypi: %{http_code}\n" https://pypi.org/pypi/devluxe/json
npm view devluxe version
npx devluxe@0.2.0 --help
python3 -m pip install --upgrade devluxe==0.2.0
devluxe check --help
Expected after successful first publish:
- [ ] npm endpoint returns
200. - [ ] PyPI endpoint returns
200. - [ ]
npm view devluxe versionreturns0.2.0. - [ ]
npx devluxe@0.2.0 --helpprints CLI help. - [ ]
python3 -m pip install --upgrade devluxe==0.2.0installs the package. - [ ]
devluxe check --helpprints CLI help.
Receipt note template:
devluxefirst registry claim completed on<date/time UTC>. GitHub run:<run-url>. npm package:https://www.npmjs.com/package/devluxe/v/0.2.0. PyPI package:https://pypi.org/project/devluxe/0.2.0/. Token cleanup status:<pending/done>. npm trusted publishing flip status:<pending/done>.
Phase 6 - Mandatory npm Token Cleanup
Purpose: remove the temporary first-publish credential path.
Do this immediately after npm publish succeeds.
Delete GitHub environment secret
Open:
https://github.com/katterskillsawmill/devluxe/settings/environments
- [ ] Open
npm-publish. - [ ] Under environment secrets, find
NPM_TOKEN. - [ ] Delete
NPM_TOKEN. - [ ] Confirm it is gone.
Revoke npm token
Open npm access tokens:
https://www.npmjs.com/settings/katterskillsawmill/tokens
- [ ] Find
devluxe-first-publish-2026-07-09. - [ ] Revoke or delete it.
- [ ] Confirm it is gone from active tokens.
Pass signal:
- [ ] GitHub no longer has
NPM_TOKENin environmentnpm-publish. - [ ] npm no longer has the first-publish token.
- [ ] The receipt note says token cleanup is
done.
Phase 7 - Post-Publish npm Trusted Publishing Flip
Purpose: make the next npm publish use OIDC instead of a long-lived token.
Open:
https://www.npmjs.com/package/devluxe
- [ ] Go to package settings.
- [ ] Find Trusted Publisher or Trusted publishing.
- [ ] Choose GitHub Actions.
- [ ] Fill exactly:
| npm trusted publisher field | Exact value |
|---|---|
| Organization or user | katterskillsawmill |
| Repository | devluxe |
| Workflow filename | publish.yml |
| Environment name | npm-publish |
| Allowed actions | npm publish |
- [ ] Save.
- [ ] Confirm npm shows the trusted publisher configuration.
Then update .github/workflows/publish.yml before the next npm release:
publish-npm:
needs: build-npm
if: ${{ (inputs.target == 'both' || inputs.target == 'npm') && github.ref == 'refs/heads/main' }}
runs-on: ubuntu-latest
environment: npm-publish
permissions:
contents: read
id-token: write
steps:
- uses: actions/setup-node@v4
with:
node-version: 22.14.0
registry-url: https://registry.npmjs.org
- uses: actions/download-artifact@v4
with:
name: devluxe-npm-package
path: npm-package
- run: npm install -g npm@latest
- run: npm --version
- run: npm publish npm-package/*.tgz
Important:
- [ ] Remove the
env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}block. - [ ] Add
id-token: writeonly to the npm publish job. - [ ] Keep
contents: read. - [ ] Keep
runs-on: ubuntu-latest. - [ ] Do not use self-hosted runners for npm OIDC.
- [ ] If the repository stays private, npm provenance will not be generated even when OIDC trusted publishing works. source
Maximum-security option after OIDC works:
- [ ] In npm package settings, consider publishing access settings that require 2FA and disallow token publish access while keeping trusted publishing active. source
Phase 8 - PyPI Post-Publish Verification
Purpose: prove the PyPI pending publisher converted to a normal trusted publisher.
Open:
https://pypi.org/manage/project/devluxe/settings/publishing/
- [ ] Confirm project
devluxeexists. - [ ] Confirm a trusted publisher is now attached to the project.
- [ ] Confirm values match:
| PyPI publisher field | Expected |
|---|---|
| Owner | katterskillsawmill |
| Repository | devluxe |
| Workflow | publish.yml |
| Environment | pypi |
- [ ] Confirm no PyPI API token was created for this release.
Phase 9 - 100% Completion Checklist
The workflow is complete only when every line below is true.
- [ ] npm package page exists:
https://www.npmjs.com/package/devluxe - [ ] npm version page exists:
https://www.npmjs.com/package/devluxe/v/0.2.0 - [ ] PyPI project page exists:
https://pypi.org/project/devluxe/ - [ ] PyPI version page exists:
https://pypi.org/project/devluxe/0.2.0/ - [ ] GitHub Actions publish run succeeded and the run URL is recorded.
- [ ] npm
NPM_TOKENenvironment secret has been deleted from GitHub. - [ ] npm first-publish token has been revoked on npmjs.com.
- [ ] npm trusted publisher is configured for
katterskillsawmill/devluxe,publish.yml, environmentnpm-publish, allowed actionnpm publish. - [ ] Workflow has been patched for npm OIDC before the next npm publish.
- [ ] PyPI publisher is attached to the real
devluxeproject after first publish. - [ ] Verification commands return
200and version0.2.0. - [ ] Receipt note is added to the project runbook.
- [ ] No publish secret appears in any repo file, artifact, note, screenshot, browser download, or exported walkthrough notes.
Fast Path - The Minimum Manual Click Sequence
Use this when you are ready and want the shortest path.
- [ ] GitHub: create/verify environment
pypi. - [ ] GitHub: create/verify environment
npm-publish. - [ ] PyPI: add pending publisher with project
devluxe, ownerkatterskillsawmill, repodevluxe, workflowpublish.yml, environmentpypi. - [ ] npm: create one short-lived granular read/write token for first publish.
- [ ] GitHub: paste token only into environment secret
npm-publish->NPM_TOKEN. - [ ] GitHub Actions: run
publish.ymlon branchmainwithtarget=both. - [ ] Approve protected publish jobs only after build jobs pass.
- [ ] Verify npm and PyPI package pages exist.
- [ ] Delete GitHub
NPM_TOKEN. - [ ] Revoke npm token.
- [ ] Configure npm trusted publisher for future OIDC publishes.
- [ ] Record receipts.
Troubleshooting
npm publish fails with authentication or OTP error
Check whether the token was added as a GitHub environment secret under `npm-publish`, not as a repository secret. Confirm the workflow job uses `environment: npm-publish`. If npm account settings require 2FA for automation, recreate the token with the npm website's 2FA bypass option if policy allows it, then replace the GitHub secret. Do not print the token while debugging.npm publish succeeds but npm trusted publishing is not visible
Open the package settings page for `devluxe`. The package must exist before that settings page exists. If the option is still missing, confirm you are logged into the npm owner account that owns the package.PyPI publish fails with trusted publisher mismatch
Compare the PyPI pending publisher fields character by character: owner `katterskillsawmill`, repository `devluxe`, workflow `publish.yml`, environment `pypi`. Do not use `.github/workflows/publish.yml` in the workflow-name field.The registry name is taken before you publish
Stop. Do not retry with the same public claim language. Decide whether to dispute, rename, scope, or publish under a different package name. Update the walkthrough and package metadata before any new publish attempt.The Python local tests cannot run because pytest is missing
Do not treat local Python test verification as complete until the dependency environment is fixed or the GitHub workflow build job has run and passed `pytest -q`. The publish workflow installs `pytest` in the PyPI build job before running tests.GitHub required reviewers are unavailable for the private repo
Use the environments anyway if available, and keep manual dispatch as the release brake. If required reviewers are unavailable on the current plan, the hard gate becomes your explicit manual run of `workflow_dispatch` plus immediate token deletion after success.Portal Placement
Current status:
- [ ] Local artifact is generated and copied into the CooperLux portal walkthrough section.
- [ ] The public operator entry point is the existing website route:
https://cooperluxe.com/walkthroughs. - [ ] After Wrangler deploy, the artifact guide lives under the existing
james-cooperluxePages portal and is linked from the admin operator surface oncooperluxe.com/walkthroughs. - [ ]
walkthrough.cooperlux.comandwalkthroughs.cooperlux.comare not required for today's access path. If either is created later, it should redirect tohttps://cooperluxe.com/walkthroughsor attach to the same protected portal policy.
Local filesystem review path:
deliverables/cooperlux-walkthrough-portal-2026-07-07/site/walkthroughs/devforge-devluxe/2026-07-09/devforge-devluxe-10x-claim-walkthrough-2026-07-09.html
Local HTTP review URL when the portal static server is running on port 8792:
http://127.0.0.1:8792/walkthroughs/devforge-devluxe/2026-07-09/devforge-devluxe-10x-claim-walkthrough-2026-07-09.html
Restart the local portal server if needed:
cd /root/ecosystems/ecosystem-publishing/deliverables/cooperlux-walkthrough-portal-2026-07-07/site
python3 -m http.server 8792 --bind 0.0.0.0
Website access path after the Wrangler deploy is complete:
https://cooperluxe.com/walkthroughs
Direct Pages guide URL after Wrangler deploy:
https://james-cooperluxe.pages.dev/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/
Required public-access receipts before the website path is treated as complete:
- [ ]
james-cooperluxePages deployment contains/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/;10xin the slug is the internal value-standard label. (source: this walkthrough boundary) - [ ]
cooperluxe.com/walkthroughsadmin operator surface links to that guide through/api/portal-sso. - [ ] The signed-in owner/admin can open
https://cooperluxe.com/walkthroughs, click the DevLuxe card, and land on this artifact. - [ ] Direct Pages access is either protected by the portal SSO/session middleware or accepted as an operator-only unlisted artifact URL.
- [ ] Final receipts include Wrangler deployment output, guide URL HTTP response, and website walkthrough card visibility.
Public Portal Online Gate - Why Localhost Failed
Current verified blocker:
- [ ]
http://127.0.0.1:8792/...is machine-local. It is expected to fail from a different browser/device. - [ ]
https://walkthrough.cooperlux.com/...did not resolve from this environment on July 9, 2026. - [ ] The local artifact server returns
200 OKfor the same walkthrough path on port8792. - [ ] The fastest public path is not localhost and not
walkthrough.cooperlux.com; it is Wrangler deployment into the existingjames-cooperluxePages portal, then a website operator link athttps://cooperluxe.com/walkthroughs.
Official Cloudflare references for the public portal gate:
- Cloudflare Pages Direct Upload
- Cloudflare Pages custom domains
- Cloudflare Access self-hosted public applications
Wrangler deployment path:
- [ ] Confirm the DevLuxe files exist under:
/root/ecosystems/ecosystem-cooperluxe/james-portal/public/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/
- [ ] Confirm
cooperluxe-portal/src/lib/walkthroughs.tsincludes the admin link to:
https://james-cooperluxe.pages.dev/guides/devforge-devluxe-10x-claim-walkthrough-2026-07-09/
- [ ] Deploy the Pages guide with Wrangler:
cd /root/ecosystems/ecosystem-cooperluxe/james-portal
npx --yes wrangler pages deploy public --project-name james-cooperluxe --branch main --commit-message "Add DevLuxe registry gate walkthrough"
- [ ] If the website deployment does not automatically pick up
cooperluxe-portalsource changes, deploy the website through its normal production lane. - [ ] Open:
https://cooperluxe.com/walkthroughs
- [ ] Sign in as the owner/admin.
- [ ] Click DevForge / DevLuxe Registry Gate Execution.
- [ ] Confirm the guide opens and the checklists/copy buttons work.
- [ ] Save the Wrangler deployment URL and website verification timestamp.
Optional redirect host path:
- [ ] If
walkthroughs.cooperlux.commust exist later, deploy the existing Worker redirect scaffold at:
/root/dcoop-workflows/cooperlux-wrangler-subdomain-audit-2026-07-08/cooperlux-walkthroughs-redirect
- [ ] This requires a Worker-scoped Cloudflare token. The Pages/DNS token used for Pages inventory was previously not enough for Worker custom-domain deploy.
Automation path if Codex is finishing the deployment:
- [ ] Make
CLOUDFLARE_API_TOKENavailable to Wrangler in the shell environment. - [ ] Do not paste the token into chat.
- [ ] Codex runs the
james-cooperluxePages deploy, verifies the direct guide URL, and reports whether the website deployment also needs to be pushed.
Artifact Maintenance Checklist
- [ ] Source Markdown exists in
walkthroughs/. - [ ] Publishing engine generated Markdown, HTML, DOCX, PDF, manifest JSON, and SHA256 sums.
- [ ] Generated HTML passed the tutorial verifier.
- [ ] Portal walkthrough index links to the generated HTML, PDF, DOCX, Markdown, manifest, and SHA sums.
- [ ] Portal artifact index records local review path and intended public URL without claiming the public URL is already live.
- [ ] Site-level and portal-level SHA receipts verify.
- [ ] No npm/PyPI publish action was attempted during artifact generation.