Surface Map — Living Inventory

Complete audit of every deployed surface in surfaces/ucca-surfaces/. This is the authoritative reference for what exists, where it lives, and whether it's functional or stub.

Last audited: 10 March 2026

---

Deployment Overview

Surface	Framework	Domain(s)	Worker Name	Status	Bindings
Ops Console	Next.js / OpenNext	ops.ucca.online	ucca-ops	Active	D1 (ops_db, rtopacks_db), R2 (TERRAFORM_STATE), KV (BACKUP_HEARTBEAT)
RTOpacks Site	Next.js / OpenNext	rtopacks.com.au	rtopacks-site	Active	D1 (rtopacks_db, ops_db), KV (LEADS), R2 (RTOPACKS_OUTPUT)
Marketing	Next.js / OpenNext	ucca.online	ucca-site	Active	None
Corporate	Next.js / OpenNext	ucca.com.au	ucca-corporate	Active	None
API	Bare Worker	api.ucca.online	ucca-api	Active	None
Time	Bare Worker	time.ucca.online	ucca-time	Active	None
Traffic Snapshot	Bare Worker (cron)	—	—	Active	D1 (ops_db)
Reg Intel	Bare Worker (cron)	—	—	Staged	KV (not yet created)

---

ops.ucca.online

Repo path: apps/ops-v2/ Framework: Next.js on OpenNext/Cloudflare Auth: Cloudflare Access (cf-access-authenticated-user-email header) + JWT session cookies

API Routes (43 total)

Authentication (5 routes)

Path	Methods	Status	Description
/api/auth/magic/send	POST	Functional	Generate magic link token, store hash in ops_db, log URL (email TODO)
/api/auth/magic/verify	GET	Functional	Verify magic token, issue JWT session cookie
/api/auth/magic/logout	POST	Functional	Clear session cookie
/api/auth/magic/me	GET	Functional	Return authenticated customer from JWT
/api/auth/me	GET	Functional	Return user from Cloudflare Access header

Communications / Twilio (4 routes)

Path	Methods	Status	Description
/api/comms/account	GET	Functional	Twilio balance, usage, daily counts
/api/comms/messages	GET, POST	Functional	Message log + send SMS (From: +13023003336)
/api/comms/calls	GET	Functional	Call log, Studio Flow status
/api/comms/numbers	GET	Functional	Incoming phone numbers and capabilities

Operations Monitoring (5 routes)

Path	Methods	Status	Description
/api/ops/traffic	GET	Functional	Cloudflare analytics — today/week/month/year (GraphQL) or all-time (D1)
/api/ops/health-check	GET	Functional	HEAD-ping 6 UCCA surfaces, report status and latency
/api/ops/platform-status	GET	Functional	Proxy Cloudflare Statuspage, filter to 6 components
/api/ops/ai-status	GET	Functional	AI provider status: Anthropic, OpenAI, Google, Azure, AWS
/api/ops/incident-status	GET	Functional	incident.io summary — ongoing, in-progress, scheduled

Incident Management (2 routes)

Path	Methods	Status	Description
/api/ops/incident-io	GET, POST	Functional	Check connection, list components; create incident
/api/ops/incident-io/update	POST	Functional	Post update to existing incident

Infrastructure (5 routes)

Path	Methods	Status	Description
/api/ops/infra-state	GET	Functional (static)	Return build-time Terraform snapshot JSON
/api/infrastructure/terraform	GET	Functional	Read terraform.tfstate from R2, summarize by type
/api/infrastructure/dns/security-summary	GET	Functional	DNSSEC, CAA, DMARC, SPF, DKIM per zone
/api/infrastructure/dns/[zoneId]/records	GET	Functional	DNS records for a zone
/api/infrastructure/backups	GET	Functional	Latest backup status from KV

Backup Trigger (1 route)

Path	Methods	Status	Description
/api/infrastructure/backups/trigger	POST	Stub	TODO: wire to backup system. Returns "triggered" only.

Compliance (1 route)

Path	Methods	Status	Description
/api/compliance/reg-intel	GET	Functional (Phase 1)	Returns static seed data. Phase 2: live from reg-intel worker KV.

Stripe Payments (2 routes)

Path	Methods	Status	Description
/api/stripe/webhook	POST	Functional	Handles checkout.session.completed, invoice.paid/failed, subscription.deleted. Creates rtopacks_orders on payment. Signature verified.
/api/stripe/checkout	POST	Functional	Creates Stripe Checkout Session with unit_code in metadata. Supports payment + subscription modes.

World Routes — RTOpacks (10 routes)

Path	Methods	Status	Description
/api/worlds/rtopacks/health	GET	Functional	World health summary
/api/worlds/rtopacks/units	GET	Functional	Paginated unit list with search
/api/worlds/rtopacks/units/[code]	GET	Functional	Single unit detail
/api/worlds/rtopacks/qualifications	GET	Functional	Paginated qualification list
/api/worlds/rtopacks/qualifications/[code]	GET	Functional	Single qualification detail
/api/worlds/rtopacks/rtos	GET	Functional	RTO list with filters (state, status, type, enriched)
/api/worlds/rtopacks/rtos/metrics	GET	Functional	RTO dashboard metrics
/api/worlds/rtopacks/rtos/facets	GET	Functional	Faceted search filter values + counts
/api/worlds/rtopacks/nrt	GET	Functional	Unified search across units, quals, skill sets
/api/worlds/rtopacks/enrich	POST	Functional	Enriches single RTO. Requires ENRICH_SECRET.

Legacy Redirects (7 routes)

All permanent 308 redirects from /api/ops/* to /api/worlds/rtopacks/*:

/api/ops/units, /api/ops/units/[code], /api/ops/rtos, /api/ops/rtos/metrics, /api/ops/qualifications, /api/ops/qualifications/[code], /api/ops/enrich

Pages (38 total)

Functional Pages (16)

Path	Description
/w/catalog	Command Centre — draggable grid of business units. Mode-aware (LIVE/GUIDED/COMPLIANCE).
/w/catalog/health	Health dashboard — platform status, surface pings, traffic sparklines
/w/catalog/health/incident-status	AI provider status (Anthropic, OpenAI, Google, Azure, AWS)
/w/catalog/comms	Twilio overview — balance, usage, daily counts
/w/catalog/comms/messages	Message log browser + send interface
/w/catalog/comms/voice	Call log, Studio Flow status
/w/catalog/comms/settings	Twilio webhook config, phone numbers
/w/catalog/dns	DNS security dashboard — DNSSEC, CAA, DMARC, SPF, DKIM per zone
/w/catalog/terraform	Terraform state explorer — resource groups, counts, last modified
/w/catalog/backups	Backup management — trigger, status, heartbeat history
/w/catalog/catalogue	UCCO Store — product/qualification catalogue
/w/catalog/compliance	SOC 2 dashboard — TSC criteria, evidence, NIST mappings, OSCAL
/w/catalog/compliance/certifications	Certification register — expiry tracking, audit log
/w/catalog/settings	Global settings — theme, operating mode, integrations
/w/[workspace]/ops/inventory	RTO inventory — NRT/RTO tabs, faceted search, detail panel
/w/[workspace]/ops/catalogue	Qualification/unit catalogue — browse training.gov.au data

Stub/Placeholder Pages (14)

Path	Placeholder Text
/w/catalog/compliance/corporate	Coming soon — UCCA Corporate compliance world
/w/catalog/compliance/rtopacks	Coming soon — RTOpacks compliance world
/w/catalog/compliance/flight-school	Coming soon — Flight School compliance world
/w/catalog/compliance/biopack	Coming soon — BioPack compliance world
/w/catalog/compliance/audit-log	Coming soon — compliance audit log
/w/catalog/finance	Coming soon — finance tracking
/w/catalog/sales	Coming soon — sales pipeline
/w/catalog/marketing	Coming soon — marketing campaigns
/w/catalog/identity	Coming soon — identity & security controls
/w/catalog/access-control	Coming soon — access control policies
/w/[workspace]/ops/customers	Coming soon — customer management
/w/[workspace]/ops/gauges	Coming soon — business gauges
/w/[workspace]/ops/validation	Coming soon — validation dashboard
/w/[workspace]/ops/provenance	Audit trail (minimal implementation)

Partial/Transitional Pages (8)

Path	Description
/	Redirects to /w/catalog
/w	Redirects to /w/catalog
/w/[workspace]	RTOpacks: dashboard cards. Other worlds: "Coming Soon".
/w/[workspace]/ops	Workspace ops overview — links to sub-pages
/w/[workspace]/ops/drift-monitor	Drift alerts (minimal)
/w/[workspace]/courses	Coming soon — course/delivery management
/w/[workspace]/pipeline	Coming soon — generation pipeline
/w/[workspace]/reference/catalog	Coming soon — reference materials

Components (19 operator + 26 UI primitives)

Operator components: app-sidebar, page-header, chronometer, account-switcher, mode-selector, scope-strip, dashboard-cards, health-dashboard, ai-status-dashboard, dns-dashboard, infra-state-card, compliance-border, incident-declare-dialog, comms-overview, comms-messages, comms-voice, comms-settings, stub-card, draggable-card-grid

UI primitives (shadcn/ui + Radix): alert, badge, breadcrumb, button, card, checkbox, collapsible, command, context-help, dialog, dropdown-menu, input, label, scroll-area, select, separator, sheet, sidebar, skeleton, sonner, switch, table, tabs, textarea, tooltip

Middleware

Injects UCCA provenance headers on all responses: X-UCCA-Version, X-UCCA-Schema, X-UCCA-Integrity, X-UCCA-Gate, X-UCCA-Audit, X-UCCA-Corpus

Key Library Files

File	Purpose
lib/auth/jwt.ts	Sign/verify JWTs for session cookies
lib/auth/resolve-auth.ts	Resolve user from Cloudflare Access header
lib/auth/schema.sql	Phase 1 schema: users, accounts, memberships, sessions
lib/auth/schema-phase2.sql	Phase 2 schema: magic_tokens, customers, products, purchases, downloads
lib/auth/schema-phase3-orders.sql	Phase 3 schema: rtopacks_orders
lib/dns-zones.ts	Zone registry (IDs, domains)
lib/twilio.ts	Twilio Basic Auth helper
lib/operating-mode.tsx	React context: LIVE/GUIDED/COMPLIANCE
lib/oscal.ts	OSCAL/NIST compliance posture data
lib/workspaces/nav-config.ts	Navigation structure definition
lib/workspaces/workspace-registry.ts	Workspace definitions: rtopacks (live), us-general/door (scaffold)

---

rtopacks.com.au

Repo path: worlds/au-vet/rtopacks/site/ Framework: Next.js 16.1.6 on OpenNext/Cloudflare Auth: Magic link (passwordless) via ops-db Engine invisibility: Zero UCCA fingerprinting. X-Powered-By: RTOpack/1.0.0.

API Routes (12 total)

Authentication (3 routes)

Path	Methods	Status	Description
/api/auth/send	POST	Functional	Send magic link email via Gmail SMTP. 15-min expiry.
/api/auth/verify	GET	Functional	Verify token, set session cookie, redirect to /account/orders/
/api/auth/logout	POST	Functional	Clear session cookie, redirect to home

Orders (2 routes)

Path	Methods	Status	Description
/api/orders	GET	Functional	List customer's orders from ops_db. Enriches with unit titles from rtopacks_db. Auth-gated.
/api/orders/download	GET	Functional	Serve PDF from R2. Validates ownership, logs download for audit. Auth-gated.

Search (2 routes)

Path	Methods	Status	Description
/api/search	GET	Functional	Multi-mode: RTO code, qualification code, keyword. Queries rtopacks_db.
/api/search-enrich	POST	Functional	Auto-enrichment on first RTO search. Rate-limited (10/min). Fetches TGA + ABN APIs.

Other (5 routes)

Path	Methods	Status	Description
/api/nrt	GET	Functional	Instant search overlay — FTS5 + LIKE + synonym expansion across units/quals/skill sets/RTOs
/api/lead	POST	Functional	Early access signup. Dual storage: KV + Gmail notification. Honeypot + rate limit.
/api/enrich	POST	Functional	Ops console backchannel — receives TGA JSON, stores to rtopacks_db. Requires ENRICH_SECRET.
/api/tga-proxy	GET	Functional	Authenticated proxy to training.gov.au organisation API

Pages (8 total)

Path	Status	Description
/	Functional	Cinematic hero — 13-video carousel, typewriter search, mobile responsive
/search	Functional	RTO/qualification/keyword results. Live auto-enrichment on mount.
/login	Functional	Passwordless magic link form. Error states for expired/invalid tokens.
/account/orders	Functional	Auth-gated order table. Status badges (queued/processing/complete/failed). Download button.
/about	Functional	Static — company details, ABN, location
/contact	Functional	Static — two email addresses
/signal	Stub	Editorial magazine layout. Hardcoded articles, subscribe form not wired.
/sitemap.xml	Stub	Only homepage listed, no dynamic entries

Components

Component	Lines	Description
SearchOverlay.js	328	Global instant search — slides up on 2+ chars, debounced NRT fetch, synonym expansion, grouped results, 20s auto-dismiss

Auth Flow

1. User enters email at /login
2. POST /api/auth/send → generates token, stores hash in ops_db, sends Gmail
3. User clicks link → GET /api/auth/verify?token=xxx
4. Verifies token, marks used, sets rtopacks_session cookie (httpOnly, Secure, 30-day)
5. Redirects to /account/orders/

Session: base64-encoded JSON payload (customer ID, email, issued-at). Not JWT — sufficient for v1.

---

ucca.online (Marketing)

Repo path: apps/marketing/ Framework: Next.js on OpenNext/Cloudflare Worker name: ucca-site

Public marketing website. Localized routes via [locale] dynamic params.

Path	Status	Description
/	Functional	Landing page
/careers	Functional	Job listings
/privacy	Functional	Privacy policy
/security	Functional	Security overview
/security/acknowledgments	Functional	Security acknowledgments
/security/policy	Functional	Security policy
/terms	Functional	Terms of service
/api/contact	Functional	Contact form handler
/api/status	Functional	Status endpoint
/api/build-info	Functional	Build metadata

No data bindings. Zero external origins in CSP.

---

ucca.com.au (Corporate)

Repo path: apps/corporate/ Framework: Next.js on OpenNext/Cloudflare Worker name: ucca-corporate

Corporate/company information site. Identical route structure to marketing. No data bindings.

---

api.ucca.online

Repo path: apps/api/ Framework: Bare Cloudflare Worker (~100 lines) Worker name: ucca-api

Path	Description
GET /	JSON status: { status: "operational", service: "UCCA API" }
GET /.well-known/security.txt	RFC 9116 security policy
GET /robots.txt	Disallows all crawlers

No data bindings. UCCA provenance headers (internal surface).

---

time.ucca.online

Repo path: apps/time/ Framework: Bare Cloudflare Worker (~1,090 lines) Worker name: ucca-time

Split-flap UTC clock + Solari-style departure board showing engine event status. Interactive Susuwatari (soot sprites) canvas animation. All HTML/CSS/JS inline — zero external dependencies. No data bindings.

---

Standalone Workers

traffic-snapshot

Repo path: workers/traffic-snapshot/ Schedule: 0 2 * * * (2 AM UTC daily) Bindings: D1 ops-db as DB

Captures yesterday's per-zone traffic stats from Cloudflare GraphQL Analytics API. Writes to traffic_daily table in ops-db. Queries 3 zones: ucca.online, ucca.com.au, rtopacks.com.au.

reg-intel (staged)

Repo path: workers/reg-intel/ Schedule: 0 3 * * * (3 AM UTC daily) Bindings: KV REG_INTEL (namespace not yet created — placeholder ID)

Regulatory intelligence feed aggregator. Phase 1: seed data only. Phase 2 planned: NIST NVD, AICPA, ISO feeds. Phase 3: world-specific feeds (training.gov.au, CASA, etc.). Not yet operational.

---

Surfaces Not Yet Built

These domains are registered and DNS-managed but have no deployed surface code in ucca-surfaces:

• docs.ucca.online — MkDocs site, lives in docs/ucca-docs/ (separate repo)
• knowledge.ucca.online — Cloudflare Pages project (separate)
• app.ucca.online — planned application surface (no code exists)

---

Version History

Version	Date	Change	Author
1.0	2026-03-10	Initial audit — complete inventory of all surfaces	Claude Code