# Admin Subdomain Migration + Auth Gate Analysis (2026-05-05)

**Brady-decision doc.** Filed S83-H198 in response to: "let's move over our ecosystem to admin.roseinthegrove.com and secure as practical. Is that a good move for the web subdomain?"

**Direct answer:** Yes, the move is good — but **the security win comes from adding an auth gate (Cloudflare Access), not from the URL change itself**. Subdomain is clean architecture; auth is the lock on the door.

---

## Current state (May 2026)

- **URL:** `https://roseinthegrove.com/admin/brady/`
- **Auth:** None — anyone with the URL can access
- **Pages project:** `roseinthegrove` (Cloudflare Pages)
- **Build:** Python builder `build_rig_admin_brady.py` outputs to `/tmp/rig-build/admin/brady/`
- **Auto-rebuild:** LaunchAgent `com.grove.admin-brady-rebuild` every 30 min
- **Documents bundled:** 79 admin docs copied into `/admin/brady/docs/`

The dashboard is publicly indexable — anyone who finds the URL can read all 79 docs (most are operational SOPs, not secrets, but some include CDFI contact info, financial state, capital plans).

---

## What "more secure" actually means

### The 80% security win: auth gate (Cloudflare Access)

**Cloudflare Access (Zero Trust)** is the practical answer. Free tier covers up to 50 users.

**How it works:**
1. Cloudflare gates traffic at the edge BEFORE it reaches origin
2. Visitor hits `/admin/brady/` → redirected to login screen
3. Visitor enters email → receives one-time PIN OR Google SSO OR magic link
4. If email is on allowlist (Brady + invited collaborators) → granted access for session duration
5. If not on allowlist → denied

**No code changes needed.** No `shared/auth_gate.py` to write. No login form to build. No session management to maintain. Cloudflare handles it.

**Setup time:** ~30-60 minutes one-time.

**Practical setup steps (next session if Brady approves):**
1. Cloudflare dashboard → Zero Trust → Access → Applications → Add application
2. Application type: Self-hosted
3. Application domain: `roseinthegrove.com/admin/*`
4. Identity provider: One-time PIN (default; no setup) OR Google OAuth
5. Access policy: email allowlist
   - Include: brady@roseinthegrove.com (and any other allowed addresses)
6. Session duration: 24 hours (or shorter)
7. Save and test

**This alone is the security win.** The URL change is cosmetic.
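
One way to script step 7 ("Save and test"), as an added example that is not part of the original analysis: it requests the admin URLs with no session and confirms the answer is the Access login redirect rather than page content. The `<team>.cloudflareaccess.com` login host suffix and all function names are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# URLs taken from this page; pass others on the command line.
DEFAULT_TARGETS = [
    "https://roseinthegrove.com/admin/brady/",
    "https://roseinthegrove.com/admin/brady/docs/",
]
# Assumption: the Access login screen is served from <team>.cloudflareaccess.com.
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"


def classify(status, location):
    """Classify one unauthenticated response to a URL that should be gated."""
    host = (urlsplit(location or "").hostname or "").lower()
    if status in (301, 302, 303, 307, 308):
        # Suffix match on the parsed host, so look-alike domains do not pass.
        return "gated" if host.endswith(ACCESS_LOGIN_SUFFIX) else "redirect"
    if status in (401, 403):
        return "denied"   # blocked, but not by the login redirect: check by hand
    if 200 <= status < 300:
        return "exposed"  # content served with no login
    return "unknown"


class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as HTTPError instead of following it


def probe(url, timeout=10):
    """Request url with no cookies and no redirect following."""
    opener = urllib.request.build_opener(NoFollow)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def audit(urls, fetch=probe):
    """Return {url: verdict}; only 'gated' confirms the Access login is in front."""
    return {url: classify(*fetch(url)) for url in urls}


if __name__ == "__main__":
    results = audit(sys.argv[1:] or DEFAULT_TARGETS)
    for url, verdict in results.items():
        print(f"{verdict:8} {url}")
    sys.exit(0 if set(results.values()) == {"gated"} else 1)
```

Pass extra URLs as arguments to cover every hostname that serves the same build, such as the Pages project's `*.pages.dev` address, because an Access application scoped to `roseinthegrove.com/admin/*` applies only to that hostname and path.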

### The 20% architecture win: subdomain move

Moving to `admin.roseinthegrove.com` adds:

- ✅ Cleaner URL (no `/admin/brady/` path)
- ✅ Visual separation from public site
- ✅ Independent SSL + caching policies
- ✅ Easier to apply different security policies at subdomain level
- ✅ Subdomain can have a no-index header without affecting main site
- ✅ Slightly harder to stumble onto via robots.txt or accidental link

It does NOT add:

- ❌ Inherent security improvement
- ❌ Protection from URL leakage
- ❌ Resistance to brute force or credential stuffing

---

## Migration scope (what actually changes)

If Brady approves the full subdomain migration:

### DNS + Cloudflare Pages

- Add CNAME record `admin.roseinthegrove.com` → existing `roseinthegrove` Pages project (or new dedicated `roseinthegrove-admin` project for cleaner separation)
- Configure Cloudflare Pages custom domain
- SSL auto-provisions via Cloudflare

### Build pipeline

- `build_rig_admin_brady.py` either:
  - Option A: continues writing to current location, subdomain just maps to same content
  - Option B: writes to new project root for true subdomain isolation
- LaunchAgent `com.grove.admin-brady-rebuild` updates wrangler target if Option B

### Redirect old URL

- Add 301 redirect: `roseinthegrove.com/admin/brady/*` → `admin.roseinthegrove.com/*`
- Cloudflare Pages `_redirects` file or Worker

### Update references

- Any hardcoded URLs in n8n workflows pointing at `/admin/brady/` need update
- Any builder docs pointing at old URL need update
- Brady's bookmarks (transitional pain — provide updated link list)
- LinkedIn profile, email signatures, etc. (if any reference admin URL)

### Auth setup

- Cloudflare Access policy on new `admin.roseinthegrove.com/*` (or both old + new during transition)

**Estimated total time:** ~2-3 hours one-session migration if Brady has CF Pages + DNS access ready.

---

## Recommended phased approach

### Phase 1 (THIS SESSION — done): analysis filed

This doc gives Brady the framework. No execution.

### Phase 2 (NEXT SESSION — 30-60 min): auth gate ONLY

**Most important step.** Add Cloudflare Access to `roseinthegrove.com/admin/*` with email allowlist. Keep current URL.

This alone:
- Shuts down public access
- 79 sensitive docs become Brady-only
- No code changes required
- No URL break for Brady

This is the **80% security win in 30 minutes**.

### Phase 3 (LATER — 2-3 hour session, if Brady wants clean architecture)

Full subdomain migration:
- Add `admin.roseinthegrove.com` CNAME
- 301 redirect from old path
- Update LaunchAgent + builder + workflow URLs
- Verify auth still works on new subdomain

Phase 3 is **optional**. If Phase 2 is in place, Brady is secure. Subdomain is cosmetic preference.

---

## Decision tree for Brady

**Pick one:**

### Path A — Security only (recommended for speed)
- Phase 2 next session: add Cloudflare Access auth gate
- Keep current URL
- Total time: 30-60 min
- Result: ✅ Secure

### Path B — Security + clean architecture (recommended for long-term)
- Phase 2 next session: add Cloudflare Access
- Phase 3 a session later: full subdomain migration
- Total time: ~3 hours over 2 sessions
- Result: ✅ Secure + ✅ Clean URL

### Path C — Migration first, security later (NOT recommended)
- Skip auth gate, just move to subdomain
- Result: cleaner URL but **still publicly accessible**
- Inverts the priorities: does the cosmetic 20% first and leaves the 80% security gap open

**Recommendation:** Path A or B. **Do not do Path C.**

---

## Risks of NOT acting

If dashboard stays unauthenticated:

- 79 docs accessible to anyone with the URL — including capital plans (toolkit, acquisition playbook) just filed in H197/H198
- Search engines may index the path eventually
- Anyone who finds the URL via referer logs, browser history sharing, etc. has full access
- A single accidental URL share (Slack screenshot, email forward) compromises everything

These are not theoretical — they're the default behavior of any public URL.

---

## Things to know before Phase 2

**Prerequisites for Cloudflare Access setup:**

1. Brady has Cloudflare account access for `roseinthegrove.com` zone — confirmed (the zone exists in Brady's CF account)
2. `roseinthegrove.com` is on Cloudflare proxy (orange cloud) — confirmed (Pages requires this)
3. Brady has email address(es) to allowlist — `brady@roseinthegrove.com` minimum
4. Decision: 24-hour session vs. 7-day session vs. 30-day session — recommend 7 days as middle ground

**Compatibility considerations:**

- LaunchAgent rebuild works fine — it deploys via Pages API, not via the public URL
- Brady's mobile + desktop access works via authenticated browser (one-time login per session per device)
- Curl / scripts that access the dashboard programmatically would break — but no current scripts do this

**Cost:** $0. Cloudflare Access free tier covers ≤50 users; Brady will use ≤5 (himself + select collaborators).

---

## What this doc does NOT cover

- Specific Cloudflare API commands to set up Access (deferred to next session execution)
- Migration of any other Brady surfaces (Brady has 8+ live sites — only the admin dashboard is in scope here)
- Identity provider integration beyond email OTP (Google SSO, GitHub, etc. are equivalent — pick whichever Brady prefers)

---

## Sources (verified May 2026)

- [Cloudflare Access overview](https://www.cloudflare.com/sase/products/access/)
- [Cloudflare Zero Trust pricing](https://www.cloudflare.com/plans/zero-trust-services/)
- [Cloudflare One platform](https://developers.cloudflare.com/cloudflare-one/)

---

## Brady's go/no-go answer

**Question:** "Is admin.roseinthegrove.com a good move for the web subdomain?"

**Answer:** Yes, eventually — but the **bigger and more urgent move is adding the auth gate**. Recommendation:

1. **THIS SESSION (H198):** filed this analysis ✅
2. **NEXT SESSION:** Cloudflare Access on existing `/admin/brady/*` path (~30-60 min, $0) — 80% of the value
3. **LATER SESSION (optional):** subdomain migration if Brady wants the architectural cleanup

Do not let perfect be the enemy of good. Phase 2 alone is enough.

---

_Filed S83-H198 (2026-05-05). Awaits Brady go/no-go on Phase 2 (auth gate) and Phase 3 (subdomain). Cross-references H197 capital strategy + H198 ag/eco financing docs (which are the surfaces being protected)._
