From d0979b6c44889f5d2f27cc81678ba541828b7d3f Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Tue, 18 Nov 2025 01:57:46 +0000
Subject: [PATCH] Add BlackRoad Master Orchestration Plan and infrastructure
 blueprints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit implements the complete "master orchestration prompt" deliverables:

## New Documentation

### Master Plan
- MASTER_ORCHESTRATION_PLAN.md - Complete infrastructure → product → ecosystem blueprint
  - Full stack architecture (Layer 1-7)
  - Cloudflare → GoDaddy → Railway → GitHub topology
  - Agent orchestration model (Atlas → Operator → Prism → Lucidia)
  - 3-phase execution roadmap
  - Atlas automation commands

### Infrastructure
- infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md - Complete DNS configuration
  - Migration process (GoDaddy → Cloudflare)
  - DNS records for all 10+ domains
  - SSL/TLS configuration
  - Caching rules and security headers
  - Automation scripts
  - Troubleshooting guide

### GitHub Organization
- .github/GITHUB_ENTERPRISE_SETUP.md - Repository organization structure
  - Monorepo vs multi-repo strategy
  - Branch protection rules
  - Required status checks
  - PR/issue templates
  - Project boards and labels
  - Recommended workflow additions (CodeQL, Dependabot)

- .github/CODEOWNERS - Code ownership definitions
  - Global owners
  - Component-specific owners (backend, frontend, infra, docs)

### Next Actions
- NEXT_ACTIONS_ALEXA.md - No-overwhelm execution checklist
  - Immediate priorities (infrastructure setup)
  - Week 1-2 tasks (product polish)
  - Week 3-4 tasks (alpha launch)
  - Success metrics
  - Tools & resources

## Context

These documents synthesize:
- The Big Kahuna Vision (complete OS architecture)
- 3-phase execution roadmap (18-24 months)
- Brand architecture (multi-brand ecosystem)
- Current monorepo structure
- Infrastructure topology

## Purpose

Provide Alexa (Operator) with:
1. Complete infrastructure blueprint
2. Clear execution path
3. No-overwhelm next steps
4. Reference for all future decisions

## Next Steps

See NEXT_ACTIONS_ALEXA.md for immediate priorities:
1. Migrate DNS to Cloudflare
2. Verify Railway deployment
3. Update GitHub secrets
4. Polish OS and add real backend data
5. Launch blackroad.systems and docs sites

---

Ready for the next command, Operator.
---
 .github/CODEOWNERS                           |   47 +
 .github/GITHUB_ENTERPRISE_SETUP.md           |  736 ++++++++++++
 MASTER_ORCHESTRATION_PLAN.md                 | 1074 ++++++++++++++++++
 NEXT_ACTIONS_ALEXA.md                        |  482 ++++++++
 infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md |  523 +++++++++
 5 files changed, 2862 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/GITHUB_ENTERPRISE_SETUP.md
 create mode 100644 MASTER_ORCHESTRATION_PLAN.md
 create mode 100644 NEXT_ACTIONS_ALEXA.md
 create mode 100644 infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..b973200
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,47 @@
+# BlackRoad OS Code Owners
+# This file defines who is responsible for code in this repository.
+# Each line is a file pattern followed by one or more owners.
+
+# Global owners (all files)
+* @alexa-amundson
+
+# Backend
+/backend/ @alexa-amundson
+/backend/app/ @alexa-amundson
+/backend/requirements.txt @alexa-amundson
+/backend/Dockerfile @alexa-amundson
+
+# Frontend / OS
+/blackroad-os/ @alexa-amundson
+/backend/static/ @alexa-amundson
+
+# Infrastructure & DevOps
+/.github/ @alexa-amundson
+/.github/workflows/ @alexa-amundson
+/scripts/ @alexa-amundson
+/ops/ @alexa-amundson
+/infra/ @alexa-amundson
+railway.toml @alexa-amundson
+railway.json @alexa-amundson
+docker-compose.yml @alexa-amundson
+
+# Documentation
+/docs/ @alexa-amundson
+/README.md @alexa-amundson
+/*.md @alexa-amundson
+
+# Python SDK
+/sdk/python/ @alexa-amundson
+
+# TypeScript SDK
+/sdk/typescript/ @alexa-amundson
+
+# Agents & Prompts
+/agents/ @alexa-amundson
+/blackroad-universe/prompts/ @alexa-amundson
+
+# Cognitive & Research
+/cognitive/ @alexa-amundson
+
+# BlackRoad Universe (Brand, GTM, Domains)
+/blackroad-universe/ @alexa-amundson
diff --git a/.github/GITHUB_ENTERPRISE_SETUP.md b/.github/GITHUB_ENTERPRISE_SETUP.md
new file mode 100644
index 0000000..1d65f77
--- /dev/null
+++ b/.github/GITHUB_ENTERPRISE_SETUP.md
@@ -0,0 +1,736 @@
+# GitHub Enterprise Structure
+## Repository Organization, Policies, and Workflows
+
+**Version:** 1.0
+**Date:** 2025-11-18
+**Purpose:** Define GitHub organization structure and best practices
+
+---
+
+## Repository Strategy
+
+### Current State: Monorepo ✅
+
+**Repository**: `blackboxprogramming/BlackRoad-Operating-System`
+
+**Structure**:
+```
+BlackRoad-Operating-System/
+├── backend/               # FastAPI backend
+├── blackroad-os/          # Win95 OS frontend
+├── docs/                  # Documentation
+├── sdk/                   # Python & TypeScript SDKs
+│   ├── python/
+│   └── typescript/
+├── agents/                # Agent specifications
+├── cognitive/             # Cognitive architecture
+├── blackroad-universe/    # Brand, domains, GTM
+├── ops/                   # Operations, domain config
+├── infra/                 # Infrastructure configs
+└── scripts/               # Automation scripts
+```
+
+**Pros**:
+- ✅ Single source of truth
+- ✅ Atomic commits across frontend/backend
+- ✅ Simpler for small teams
+- ✅ Easier local development
+
+**Cons**:
+- ❌ Larger repo size
+- ❌ Harder to scale teams (can't assign granular permissions)
+- ❌ All CI runs even if only one component changes (can be mitigated with path filters)
+
+**Recommendation**: **Keep monorepo for Phase 1** (0-12 months), evaluate split in Phase 2 when team grows.
+
+---
+
+### Future State: Multi-Repo (Phase 2+)
+
+**When to split**:
+- Team size > 10 engineers
+- Need granular access control (different teams own different repos)
+- Want independent release cycles (frontend vs backend)
+
+**Proposed Repos**:
+
+1. **blackroad-os-core** - Core OS runtime, identity (PS-SHA∞)
+   - Owner: Core team
+   - Language: Python, JavaScript
+   - Deploy: Railway
+
+2. **blackroad-os-prism-console** - Admin, observability, Prism UI
+   - Owner: Frontend team
+   - Language: React/TypeScript
+   - Deploy: Vercel / GitHub Pages
+
+3. **blackroad-os-operator** - Workers, schedulers, agent orchestration
+   - Owner: Backend team
+   - Language: Python (Celery/RQ)
+   - Deploy: Railway
+
+4. **blackroad-os-api** - Backend API gateway, routing, schemas
+   - Owner: Backend team
+   - Language: Python (FastAPI)
+   - Deploy: Railway
+
+5. **blackroad-os-web** - Pocket OS web interface (frontend)
+   - Owner: Frontend team
+   - Language: HTML/CSS/JS
+   - Deploy: GitHub Pages
+
+6. **blackroad-os-docs** - Codex, specs, standards, whitepapers
+   - Owner: Docs team
+   - Language: Markdown
+   - Deploy: GitHub Pages
+
+---
+
+## GitHub Organization
+
+### Organization Settings
+
+**Name**: `blackroad` (preferred) or keep `blackboxprogramming`
+
+**Teams**:
+
+| Team | Role | Members | Repositories |
+|------|------|---------|--------------|
+| `@blackroad/core` | Maintain | Alexa + core contributors | All repos (admin) |
+| `@blackroad/backend` | Write | Backend engineers | backend, api, operator repos |
+| `@blackroad/frontend` | Write | Frontend engineers | web, prism-console repos |
+| `@blackroad/docs` | Write | Docs writers, technical writers | docs repo |
+| `@blackroad/community` | Triage | External contributors | All (read, can create issues/PRs) |
+
+**Team Sync** (if using external tools):
+- Sync with Slack: `#blackroad-core`, `#blackroad-backend`, etc.
+- Sync with Discord: Roles mirror GitHub teams
+
+---
+
+## Branch Protection Rules
+
+### `main` Branch (Production)
+
+**Required Settings**:
+- ✅ **Require pull request before merging**
+  - Required approvals: **1**
+  - Dismiss stale reviews: ✅
+  - Require review from Code Owners: ✅
+
+- ✅ **Require status checks to pass**
+  - Required checks:
+    - `CI / lint`
+    - `CI / type-check`
+    - `CI / test-backend`
+    - `CI / build`
+  - Require branches to be up to date: ✅
+
+- ✅ **Require conversation resolution before merging**
+
+- ❌ **Do not allow bypassing** (enforce for administrators)
+
+- ❌ **Do not allow force pushes**
+
+- ❌ **Do not allow deletions**
+
+**Linear History**:
+- ✅ Require linear history (or use squash merging)
+
+---
+
+### `develop` Branch (If Using GitFlow)
+
+**Optional Settings**:
+- ✅ Require pull request
+- ✅ Require status checks
+- ✅ **Allow force pushes** (for rebasing - use with caution)
+- Approvals: 0-1 (more flexible than `main`)
+
+---
+
+### `claude/*` Branches (AI Agent Branches)
+
+**Special Settings**:
+- ✅ Allow direct commits (AI agents commit directly)
+- ✅ Require status checks to pass
+- ❌ No protection rules (temporary branches, auto-deleted after PR merge)
+
+**Naming Convention**:
+- `claude/feature-name-{session-id}`
+- Session ID ensures unique branch names per AI session
+
+---
+
+## Required Status Checks
+
+### Current Workflows
+
+From `.github/workflows/`:
+
+| Workflow | File | Triggers | Required Checks |
+|----------|------|----------|----------------|
+| **CI** | `ci.yml` | Push to `main`, PR | `lint`, `type-check`, `build` |
+| **Backend Tests** | `backend-tests.yml` | Push to `backend/**`, PR | `test-backend` |
+| **Railway Deploy** | `railway-deploy.yml` | Push to `main` | (deployment only, not blocking) |
+| **GitHub Pages Deploy** | `deploy.yml` | Push to `main` | (deployment only) |
+| **Railway Secrets Audit** | `railway-automation.yml` | Schedule (nightly) | (audit only) |
+| **Domain Sync** | `sync-domains.yml` | Manual, schedule | (sync only) |
+| **Domain Health** | `domain-health.yml` | Schedule (hourly) | (monitoring only) |
+
+### Adding Checks to Branch Protection
+
+**Via GitHub UI**:
+1. Go to Settings → Branches → Branch protection rules
+2. Click `main` (or create new)
+3. Under "Require status checks to pass before merging":
+   - ✅ Require status checks
+   - Search and add: `CI / lint`, `CI / type-check`, `CI / test-backend`, `CI / build`
+   - ✅ Require branches to be up to date
+
+**Via GitHub API** (automation):
+
+```bash
+gh api \
+  --method PUT \
+  -H "Accept: application/vnd.github+json" \
+  /repos/blackboxprogramming/BlackRoad-Operating-System/branches/main/protection \
+  -f required_status_checks='{"strict":true,"contexts":["CI / lint","CI / type-check","CI / test-backend","CI / build"]}' \
+  -f enforce_admins=false \
+  -f required_pull_request_reviews='{"required_approving_review_count":1,"dismiss_stale_reviews":true}' \
+  -f restrictions=null \
+  -f required_conversation_resolution=true
+```
+
+---
+
+## CODEOWNERS File
+
+**Location**: `.github/CODEOWNERS`
+
+**Already Created**: See `.github/CODEOWNERS` in this repo
+
+**How it Works**:
+- When PR changes files, GitHub auto-requests review from owners
+- PR can't merge until Code Owner approves (if "Require review from Code Owners" is enabled)
+
+---
+
+## Pull Request Templates
+
+**Location**: `.github/PULL_REQUEST_TEMPLATE.md`
+
+```markdown
+## Description
+<!-- Provide a clear description of the changes in this PR -->
+
+## Type of Change
+<!-- Check all that apply -->
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Infrastructure change
+
+## Related Issue
+<!-- Link to related issue: Closes #123 -->
+
+## Testing
+<!-- Describe how you tested these changes -->
+- [ ] Tested locally
+- [ ] Added/updated unit tests
+- [ ] Added/updated integration tests
+- [ ] Tested in staging environment
+
+## Screenshots (if applicable)
+<!-- Add screenshots for UI changes -->
+
+## Checklist
+- [ ] Code follows the project's style guidelines
+- [ ] Self-review of code completed
+- [ ] Comments added for complex logic
+- [ ] Documentation updated (if needed)
+- [ ] No new warnings generated
+- [ ] Tests pass locally
+- [ ] Related documentation updated
+
+## Deployment Notes
+<!-- Any special steps needed for deployment? -->
+```
+
+**Create file**: `.github/PULL_REQUEST_TEMPLATE.md` with above content
+
+---
+
+## Issue Templates
+
+**Location**: `.github/ISSUE_TEMPLATE/`
+
+### 1. Bug Report
+
+**File**: `.github/ISSUE_TEMPLATE/bug_report.md`
+
+```markdown
+---
+name: Bug Report
+about: Report a bug in BlackRoad OS
+title: "[BUG] "
+labels: bug
+assignees: ''
+---
+
+## Bug Description
+<!-- Clear description of the bug -->
+
+## Steps to Reproduce
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See error
+
+## Expected Behavior
+<!-- What should happen -->
+
+## Actual Behavior
+<!-- What actually happens -->
+
+## Environment
+- **BlackRoad OS Version**: [e.g., v0.1.1]
+- **Browser**: [e.g., Chrome 120, Safari 17]
+- **OS**: [e.g., macOS 14, Windows 11, iOS 17]
+- **Device**: [e.g., Desktop, iPhone 15]
+
+## Screenshots
+<!-- If applicable, add screenshots -->
+
+## Additional Context
+<!-- Any other context about the problem -->
+
+## Possible Solution
+<!-- Optional: suggest a fix if you have ideas -->
+```
+
+### 2. Feature Request
+
+**File**: `.github/ISSUE_TEMPLATE/feature_request.md`
+
+```markdown
+---
+name: Feature Request
+about: Suggest a new feature for BlackRoad OS
+title: "[FEATURE] "
+labels: enhancement
+assignees: ''
+---
+
+## Feature Description
+<!-- Clear description of the feature you want -->
+
+## Problem Statement
+<!-- What problem does this solve? Why is it needed? -->
+
+## Proposed Solution
+<!-- How should this feature work? -->
+
+## Alternatives Considered
+<!-- What other solutions have you thought about? -->
+
+## Additional Context
+<!-- Mockups, examples, links, etc. -->
+
+## Acceptance Criteria
+<!-- How will we know this feature is complete? -->
+- [ ] Criterion 1
+- [ ] Criterion 2
+```
+
+### 3. Documentation
+
+**File**: `.github/ISSUE_TEMPLATE/documentation.md`
+
+```markdown
+---
+name: Documentation
+about: Suggest documentation improvements
+title: "[DOCS] "
+labels: documentation
+assignees: ''
+---
+
+## Documentation Issue
+<!-- What's missing, unclear, or incorrect in the docs? -->
+
+## Affected Pages/Sections
+<!-- Link to the docs that need updating -->
+
+## Suggested Changes
+<!-- What should be added/changed? -->
+
+## Additional Context
+<!-- Any examples, screenshots, or references -->
+```
+
+**Create these files** in `.github/ISSUE_TEMPLATE/`
+
+---
+
+## Project Boards
+
+### Org-Level Project Board
+
+**Name**: "BlackRoad OS Roadmap"
+
+**View Type**: Board
+
+**Columns**:
+
+| Column | Description | Automation |
+|--------|-------------|------------|
+| 📋 Backlog | All new issues, not yet prioritized | Auto-add: new issues |
+| 🎯 Phase 1 (Prove the OS) | Q1-Q4 deliverables | Auto-add: label `Phase 1` |
+| 🚀 Phase 2 (Expand Intelligence) | Q5-Q6 deliverables | Auto-add: label `Phase 2` |
+| 🌍 Phase 3 (Ecosystem) | Q7-Q8 deliverables | Auto-add: label `Phase 3` |
+| 🏃 In Progress | Currently being worked on | Auto-add: assigned + status `in progress` |
+| 👀 In Review | PR submitted, awaiting review | Auto-add: PR opened |
+| ✅ Done | Completed | Auto-add: PR merged, issue closed |
+
+**Automation Rules**:
+- Issue created → add to "Backlog"
+- Issue labeled `Phase 1` → move to "Phase 1" column
+- Issue assigned → move to "In Progress"
+- PR opened → move to "In Review"
+- PR merged → move to "Done"
+- Issue closed → move to "Done"
+
+**Create via GitHub UI**:
+1. Go to Organization → Projects → New project
+2. Choose "Board" template
+3. Add columns above
+4. Configure automation (Settings → Workflows)
+
+---
+
+## Labels
+
+**Standard Labels** (auto-created by GitHub):
+
+| Label | Color | Description |
+|-------|-------|-------------|
+| `bug` | Red | Something isn't working |
+| `documentation` | Blue | Improvements or additions to documentation |
+| `duplicate` | Gray | This issue or PR already exists |
+| `enhancement` | Green | New feature or request |
+| `good first issue` | Purple | Good for newcomers |
+| `help wanted` | Orange | Extra attention is needed |
+| `invalid` | Gray | This doesn't seem right |
+| `question` | Pink | Further information is requested |
+| `wontfix` | White | This will not be worked on |
+
+**Custom Labels** (add these):
+
+| Label | Color | Description |
+|-------|-------|-------------|
+| `Phase 1` | `#0E8A16` | Phase 1: Prove the OS (Months 0-12) |
+| `Phase 2` | `#1D76DB` | Phase 2: Expand Intelligence (Months 12-18) |
+| `Phase 3` | `#5319E7` | Phase 3: Ecosystem (Months 18-24+) |
+| `backend` | `#D93F0B` | Backend (FastAPI, Python) |
+| `frontend` | `#FBCA04` | Frontend (OS, UI, JavaScript) |
+| `infrastructure` | `#0052CC` | Infrastructure, DevOps, CI/CD |
+| `agent` | `#C5DEF5` | Agent-related (Prism, Lucidia, Operator) |
+| `security` | `#B60205` | Security issue or enhancement |
+| `performance` | `#D4C5F9` | Performance improvement |
+| `breaking-change` | `#D93F0B` | Breaking change (major version bump) |
+
+**Create via GitHub UI**: Settings → Labels → New label
+
+---
+
+## Recommended Workflow Additions
+
+### 1. PR Labeler
+
+**File**: `.github/workflows/pr-labeler.yml`
+
+```yaml
+name: PR Labeler
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v4
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+**Config**: `.github/labeler.yml`
+
+```yaml
+backend:
+  - backend/**/*
+
+frontend:
+  - blackroad-os/**/*
+  - backend/static/**/*
+
+infrastructure:
+  - .github/**/*
+  - scripts/**/*
+  - ops/**/*
+  - infra/**/*
+  - railway.*
+  - docker-compose.yml
+
+documentation:
+  - docs/**/*
+  - '**/*.md'
+
+agent:
+  - agents/**/*
+  - blackroad-universe/prompts/**/*
+```
+
+### 2. Dependabot
+
+**File**: `.github/dependabot.yml`
+
+```yaml
+version: 2
+updates:
+  # Backend Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "backend"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "infrastructure"
+
+  # Docker
+  - package-ecosystem: "docker"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "infrastructure"
+```
+
+### 3. CodeQL Security Scanning
+
+**File**: `.github/workflows/codeql.yml`
+
+```yaml
+name: CodeQL Security Scan
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Monday 6am
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+
+    strategy:
+      matrix:
+        language: ['python', 'javascript']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+```
+
+### 4. Release Automation
+
+**File**: `.github/workflows/release.yml`
+
+```yaml
+name: Create Release
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Generate Changelog
+        id: changelog
+        run: |
+          CHANGELOG=$(git log --pretty=format:"- %s (%h)" $(git describe --tags --abbrev=0 HEAD^)..HEAD)
+          echo "changelog<<EOF" >> $GITHUB_OUTPUT
+          echo "$CHANGELOG" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref_name }}
+          release_name: Release ${{ github.ref_name }}
+          body: |
+            ## Changes in this Release
+            ${{ steps.changelog.outputs.changelog }}
+          draft: false
+          prerelease: false
+```
+
+---
+
+## Best Practices
+
+### Commit Messages
+
+**Format**: Conventional Commits
+
+```
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+```
+
+**Types**:
+- `feat`: New feature
+- `fix`: Bug fix
+- `docs`: Documentation only
+- `style`: Formatting, missing semicolons, etc.
+- `refactor`: Code change that neither fixes a bug nor adds a feature
+- `perf`: Performance improvement
+- `test`: Adding or updating tests
+- `chore`: Maintenance tasks
+
+**Examples**:
+```
+feat(backend): add Prism job queue API endpoint
+
+Implemented /api/prism/jobs endpoint with pagination,
+filtering, and sorting. Connects to PostgreSQL for
+persistent storage.
+
+Closes #123
+```
+
+```
+fix(os): resolve window z-index bug on minimize
+
+Windows were not maintaining correct z-order after
+minimize/restore. Fixed by tracking z-index state
+in window manager.
+
+Fixes #456
+```
+
+### PR Size
+
+**Recommendations**:
+- **Small PRs**: < 200 lines changed (ideal)
+- **Medium PRs**: 200-500 lines (acceptable)
+- **Large PRs**: > 500 lines (break into smaller PRs if possible)
+
+**Exceptions**:
+- Auto-generated code
+- Third-party library updates
+- Large refactors (clearly communicate scope)
+
+### Code Review Process
+
+1. **Author**: Create PR, self-review, request reviewers
+2. **Reviewers**: Review within 24 hours (business days)
+3. **Author**: Address feedback, update PR
+4. **Reviewers**: Approve or request changes
+5. **Author**: Merge (or auto-merge if approved + CI passes)
+
+**Review Checklist**:
+- [ ] Code follows style guidelines
+- [ ] Tests added/updated
+- [ ] Documentation updated
+- [ ] No obvious bugs or security issues
+- [ ] Commit messages are clear
+
+---
+
+## Security
+
+### Secret Scanning
+
+GitHub automatically scans for exposed secrets. Ensure:
+- ✅ Secret scanning enabled (default for public repos)
+- ✅ Push protection enabled (blocks commits with secrets)
+
+### Dependency Scanning
+
+- ✅ Dependabot alerts enabled
+- ✅ Weekly dependency updates (via Dependabot)
+
+### Vulnerability Alerts
+
+GitHub sends alerts for known vulnerabilities. Ensure:
+- ✅ Alerts enabled (Settings → Security → Vulnerability alerts)
+- ✅ Team notified via email/Slack
+
+---
+
+## Maintenance
+
+**Weekly**:
+- Review open PRs (ensure < 5 open)
+- Review open issues (triage, label, prioritize)
+- Merge Dependabot PRs (if CI passes)
+
+**Monthly**:
+- Review project board (move stale items)
+- Review labels (add/remove as needed)
+- Audit branch protection rules
+
+**Quarterly**:
+- Review team permissions
+- Audit CODEOWNERS (update as team changes)
+- Review workflows (optimize, remove unused)
+
+---
+
+**This structure ensures a well-organized, scalable GitHub setup for BlackRoad OS.**
diff --git a/MASTER_ORCHESTRATION_PLAN.md b/MASTER_ORCHESTRATION_PLAN.md
new file mode 100644
index 0000000..3956a40
--- /dev/null
+++ b/MASTER_ORCHESTRATION_PLAN.md
@@ -0,0 +1,1074 @@
+# 🌌 BLACKROAD MASTER ORCHESTRATION PLAN
+## The Complete Infrastructure → Product → Ecosystem Blueprint
+
+**Version:** 1.0
+**Date:** 2025-11-18
+**Architect:** Claude (Sonnet 4.5) via Master Orchestration Prompt
+**Operator:** Alexa Louise Amundson (Cadillac)
+
+---
+
+## EXECUTIVE SUMMARY
+
+This document orchestrates the **complete BlackRoad universe** across all layers:
+
+- **Infrastructure**: Cloudflare → GoDaddy → Railway → GitHub
+- **Repositories**: 6-repo structure (or monorepo evolution)
+- **Domains**: 10+ domains with strategic routing
+- **OS Layers**: Lucidia → Prism → CloudWay → RoadChain → Vault → Quantum Lab → MetaCity
+- **Agent Orchestration**: Atlas/Operator workflow
+- **Execution**: 3-phase roadmap (18-24 months)
+
+**Current State**: You have a working Windows 95-style OS with FastAPI backend, multiple domains configured, and comprehensive vision documents.
+
+**Target State**: A fully orchestrated, multi-domain, multi-agent ecosystem ready for Phase 1 enterprise pilots.
+
+---
+
+## PART 1: TOP-LEVEL MASTER PLAN
+
+### The Stack (Bottom to Top)
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 7: USER EXPERIENCE                                   │
+│ → blackroad.systems (corporate)                             │
+│ → blackroadai.com (console)                                 │
+│ → blackroad.me (identity)                                   │
+│ → lucidia.earth (narrative)                                 │
+│ → blackroad.network (developers)                            │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 6: APPLICATION LAYER (Pocket OS)                     │
+│ → Win95 UI shell (HTML/CSS/JS)                              │
+│ → Native apps: Prism, Lucidia, RoadStudio, CloudWay, etc.  │
+│ → Served from: Railway (backend) + GitHub Pages (static)   │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 5: API GATEWAY & ROUTING                             │
+│ → FastAPI backend (Railway)                                 │
+│ → API routes: /api/prism, /api/lucidia, /api/vault, etc.   │
+│ → WebSocket for real-time (Prism, MetaCity)                │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 4: ORCHESTRATION & INTELLIGENCE                      │
+│ → Lucidia Layer (AI multi-model orchestration)             │
+│ → Prism Layer (job queue, event log, metrics)              │
+│ → Operator Engine (scheduled agents, workflows)            │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 3: DATA & STATE                                      │
+│ → PostgreSQL (Railway managed DB)                           │
+│ → Redis (caching, WebSocket state)                          │
+│ → RoadChain (audit ledger, blockchain state)               │
+│ → Vault (tamper-evident storage, compliance logs)          │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 2: COMPUTE & INFRASTRUCTURE                          │
+│ → Railway (production backend, DB, Redis)                  │
+│ → DigitalOcean droplets (future: RoadChain nodes)          │
+│ → Cloudflare Workers (edge functions, if needed)           │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LAYER 1: DNS & CDN                                         │
+│ → Cloudflare (DNS, SSL, caching, DDoS protection)          │
+│ → GoDaddy (domain registrar → migrate DNS to Cloudflare)   │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### The Flow: User Request → Response
+
+**Example: User visits os.blackroad.systems**
+
+1. **DNS Resolution** (Cloudflare)
+   - User browser → Cloudflare DNS
+   - `os.blackroad.systems` → CNAME → `blackroad-os-production.up.railway.app`
+   - Cloudflare returns Railway IP
+
+2. **SSL/CDN** (Cloudflare)
+   - Cloudflare terminates SSL
+   - Checks cache (if static assets)
+   - Proxies request to Railway
+
+3. **Routing** (Railway)
+   - Railway load balancer → FastAPI backend
+   - FastAPI serves `backend/static/index.html` at `/`
+   - Static assets (JS, CSS, images) served directly
+
+4. **OS Boot** (Browser)
+   - Browser loads `index.html`
+   - JavaScript boots OS shell
+   - OS makes API calls to `/api/*` endpoints
+
+5. **API Calls** (FastAPI → Prism/Lucidia/etc.)
+   - User opens Prism Console app
+   - JS calls `GET /api/prism/jobs`
+   - FastAPI → Prism Layer → PostgreSQL
+   - Returns job data as JSON
+   - OS renders in Win95 window
+
+6. **Real-time Updates** (WebSocket)
+   - Prism Console establishes WebSocket
+   - FastAPI → Prism Layer → Redis pub/sub
+   - Job status changes pushed to client
+   - OS updates UI in real-time
+
+---
+
+## PART 2: CLOUDFLARE DNS BLUEPRINT
+
+### DNS Migration Strategy
+
+**Current State**: Domains registered with GoDaddy, DNS managed by GoDaddy
+**Target State**: Domains registered with GoDaddy, DNS managed by Cloudflare
+
+**Why Cloudflare DNS?**
+- Free tier includes: DNS, SSL, CDN, DDoS protection
+- Better performance (global anycast network)
+- CNAME flattening (allows root domain CNAMEs)
+- Easy integration with Railway, Workers
+- Future-ready for WAF, Zero Trust, edge functions
+
+### Migration Checklist
+
+1. **Add Domain to Cloudflare**
+   - Go to Cloudflare dashboard → "Add a site"
+   - Enter `blackroad.systems`
+   - Choose Free plan
+   - Cloudflare scans existing DNS records from GoDaddy
+
+2. **Update Nameservers at GoDaddy**
+   - Cloudflare provides 2 nameservers (e.g., `ns1.cloudflare.com`, `ns2.cloudflare.com`)
+   - Log in to GoDaddy
+   - Go to domain settings → Nameservers → "Change nameservers"
+   - Switch from GoDaddy to Custom
+   - Enter Cloudflare nameservers
+   - Save (propagation takes 5-60 minutes)
+
+3. **Verify DNS Active**
+   - Wait for Cloudflare to detect nameserver change
+   - Check status in Cloudflare dashboard (should say "Active")
+
+4. **Configure SSL**
+   - Cloudflare → SSL/TLS → Set to "Full (strict)"
+   - Cloudflare → SSL/TLS → Edge Certificates → Enable "Always Use HTTPS"
+
+5. **Repeat for All Domains**
+   - `blackroad.systems`, `blackroad.ai`, `blackroad.network`, etc.
+
+### DNS Records Configuration
+
+**Root Domain: blackroad.systems**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `blackroad-os-production.up.railway.app` | ✅ Proxied | Root domain → Railway (CNAME flattening) |
+| CNAME | www | `blackroad.systems` | ✅ Proxied | www → apex redirect |
+| CNAME | os | `blackroad.systems` | ✅ Proxied | Alternative alias |
+| CNAME | api | `blackroad-os-production.up.railway.app` | ✅ Proxied | Explicit API subdomain |
+| CNAME | prism | `blackroad-os-production.up.railway.app` | ✅ Proxied | Prism Console subdomain |
+| CNAME | docs | `blackbox programming.github.io` | ✅ Proxied | GitHub Pages for docs |
+| TXT | @ | `v=spf1 include:_spf.google.com ~all` | - | Email SPF (if using Google Workspace) |
+| MX | @ | `1 aspmx.l.google.com` | - | Email MX (if using Gmail) |
+
+**Domain: blackroad.ai**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | ✅ Proxied | Alias to main OS |
+| CNAME | www | `blackroad.ai` | ✅ Proxied | www redirect |
+
+**Domain: blackroad.network**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | ✅ Proxied | Developer docs on GitHub Pages |
+| CNAME | www | `blackroad.network` | ✅ Proxied | www redirect |
+| CNAME | api | `blackroad-os-production.up.railway.app` | ✅ Proxied | API access for developers |
+
+**Domain: blackroad.me**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | ✅ Proxied | Personal identity portal |
+| CNAME | www | `blackroad.me` | ✅ Proxied | www redirect |
+
+**Domain: lucidia.earth**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | ✅ Proxied | Narrative site (Phase 2) |
+| CNAME | www | `lucidia.earth` | ✅ Proxied | www redirect |
+
+**Domain: aliceqi.com**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | ✅ Proxied | ALICE QI research site (Phase 2) |
+| CNAME | www | `aliceqi.com` | ✅ Proxied | www redirect |
+
+**Domain: roadwallet.com**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | ✅ Proxied | Alias to OS wallet |
+| CNAME | www | `roadwallet.com` | ✅ Proxied | www redirect |
+
+**Domain: aliceos.io**
+
+| Type | Name | Target | Proxy | Notes |
+|------|------|--------|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | ✅ Proxied | Legacy alias |
+| CNAME | www | `aliceos.io` | ✅ Proxied | www redirect |
+
+### Automation with Cloudflare API
+
+**Script: `scripts/cloudflare/sync_dns.py`**
+
+```python
+#!/usr/bin/env python3
+"""
+Sync DNS records from domains.yaml to Cloudflare
+"""
+import os
+import yaml
+import requests
+
+CF_API_TOKEN = os.getenv("CF_API_TOKEN")
+CF_ZONE_ID = os.getenv("CF_ZONE_ID")
+
+def load_domains():
+    with open("ops/domains.yaml") as f:
+        return yaml.safe_load(f)
+
+def create_dns_record(zone_id, record):
+    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records"
+    headers = {
+        "Authorization": f"Bearer {CF_API_TOKEN}",
+        "Content-Type": "application/json"
+    }
+    response = requests.post(url, headers=headers, json=record)
+    return response.json()
+
+# Add full implementation...
+```
+
+---
+
+## PART 3: GITHUB ENTERPRISE STRUCTURE
+
+### Current Repository Architecture
+
+**Option 1: Monorepo (Current State)**
+- Single repo: `blackboxprogramming/BlackRoad-Operating-System`
+- Contains: OS frontend, backend, docs, infrastructure config
+- Pros: Simple, single source of truth
+- Cons: Large repo, harder to scale teams
+
+**Option 2: Multi-Repo (Future Evolution)**
+- `blackroad-os-core` - Core OS runtime, identity (PS-SHA∞)
+- `blackroad-os-prism-console` - Admin, observability, Prism UI
+- `blackroad-os-operator` - Workers, schedulers, agent orchestration
+- `blackroad-os-api` - Backend API gateway, routing, schemas
+- `blackroad-os-web` - Pocket OS web interface (frontend)
+- `blackroad-os-docs` - Codex, specs, standards, whitepapers
+
+**Recommendation**: **Stay monorepo for Phase 1**, split in Phase 2 when teams grow.
+
+### GitHub Org Structure
+
+**Organization**: `blackboxprogramming` (or create `blackroad` org)
+
+**Teams**:
+- `@blackroad/core` - Core OS contributors
+- `@blackroad/frontend` - UI/UX contributors
+- `@blackroad/backend` - API/infrastructure
+- `@blackroad/docs` - Documentation writers
+- `@blackroad/community` - External contributors
+
+### Branch Protection Rules
+
+**Branch**: `main` (or `master`)
+- ✅ Require pull request before merging
+- ✅ Require 1 approval
+- ✅ Require status checks to pass (CI, lint, tests)
+- ✅ Require branches to be up to date
+- ❌ Do NOT allow force pushes
+- ❌ Do NOT allow deletions
+
+**Branch**: `develop` (if using GitFlow)
+- ✅ Require pull request
+- ✅ Require status checks
+- ✅ Allow force push (for rebasing)
+
+**Branch**: `claude/*` (for AI agents)
+- ✅ Allow direct commits (for AI agent workflows)
+- ✅ Require status checks
+- ❌ No protection (temporary branches)
+
+### Required Status Checks
+
+From `.github/workflows/`:
+- `CI / lint` - Linting (frontend + backend)
+- `CI / type-check` - TypeScript/Python type checking
+- `CI / test-backend` - Backend tests (pytest)
+- `CI / test-frontend` - Frontend tests (if added)
+- `CI / build` - Build verification
+
+### CODEOWNERS
+
+Create `.github/CODEOWNERS`:
+
+```
+# Global owners
+* @alexa-amundson @cadillac
+
+# Backend
+/backend/** @blackroad/backend
+/backend/app/** @alexa-amundson
+
+# Frontend
+/blackroad-os/** @blackroad/frontend
+/backend/static/** @blackroad/frontend
+
+# Infrastructure
+/.github/workflows/** @blackroad/backend
+/scripts/** @blackroad/backend
+/ops/** @alexa-amundson
+
+# Docs
+/docs/** @blackroad/docs
+/README.md @blackroad/docs
+```
+
+### GitHub Actions Workflows
+
+**Existing Workflows** (in `.github/workflows/`):
+- `ci.yml` - Main CI (lint, test, build)
+- `backend-tests.yml` - Backend test suite
+- `railway-deploy.yml` - Deploy to Railway
+- `railway-automation.yml` - Railway secrets audit
+- `deploy.yml` - GitHub Pages deploy
+- `sync-domains.yml` - Domain sync automation
+- `domain-health.yml` - Domain health checks
+
+**Recommended Additions**:
+
+1. **PR Labeler** (`.github/workflows/pr-labeler.yml`)
+   - Auto-label PRs based on changed files
+   - Labels: `backend`, `frontend`, `docs`, `infra`
+
+2. **Release Automation** (`.github/workflows/release.yml`)
+   - Auto-generate changelog
+   - Create GitHub release
+   - Tag version
+
+3. **Dependency Updates** (Dependabot)
+   - Auto-create PRs for dependency updates
+   - Configure in `.github/dependabot.yml`
+
+4. **Security Scanning** (CodeQL)
+   - Automated security scanning
+   - Configure in `.github/workflows/codeql.yml`
+
+### Issue Templates
+
+Create `.github/ISSUE_TEMPLATE/`:
+
+**1. Bug Report** (`bug_report.md`)
+```markdown
+---
+name: Bug Report
+about: Report a bug in BlackRoad OS
+labels: bug
+---
+
+## Bug Description
+[Clear description of the bug]
+
+## Steps to Reproduce
+1. Go to...
+2. Click on...
+3. See error
+
+## Expected Behavior
+[What should happen]
+
+## Actual Behavior
+[What actually happens]
+
+## Environment
+- OS: [BlackRoad OS version]
+- Browser: [e.g., Chrome 120]
+- Device: [e.g., Desktop, iPhone]
+
+## Screenshots
+[If applicable]
+```
+
+**2. Feature Request** (`feature_request.md`)
+**3. Documentation** (`documentation.md`)
+
+### Project Boards
+
+**Org-level Project Board**: "BlackRoad OS Roadmap"
+
+**Columns**:
+- 📋 Backlog
+- 🎯 Phase 1 (Prove the OS)
+- 🚀 Phase 2 (Expand Intelligence)
+- 🌍 Phase 3 (Ecosystem)
+- 🏃 In Progress
+- ✅ Done
+
+**Automation**:
+- Issues with label `Phase 1` → auto-add to "Phase 1" column
+- PRs merged → auto-move to "Done"
+
+---
+
+## PART 4: RAILWAY DEPLOYMENT MAP
+
+### Railway Project Structure
+
+**Project**: `BlackRoad-Operating-System-Production`
+
+**Services**:
+
+| Service Name | Type | Purpose | Source | Environment |
+|--------------|------|---------|--------|-------------|
+| `backend` | Web | FastAPI API + static UI | `/backend` | Production |
+| `postgres` | Database | PostgreSQL 15 | Railway plugin | Production |
+| `redis` | Database | Redis 7 | Railway plugin | Production |
+
+**Future Services** (Phase 2+):
+- `prism-worker` - Background job worker (Celery/RQ)
+- `lucidia-api` - AI orchestration microservice
+- `roadchain-node` - Blockchain node (might use DigitalOcean instead)
+
+### Environment Variables
+
+**Service: `backend`**
+
+From `infra/env/ENVIRONMENT_MAP.md` and `backend/.env.example`:
+
+| Variable | Value | Notes |
+|----------|-------|-------|
+| `ENVIRONMENT` | `production` | Runtime environment |
+| `DEBUG` | `False` | Never true in production |
+| `SECRET_KEY` | `[generate with openssl rand -hex 32]` | Keep secret! |
+| `DATABASE_URL` | `${{Postgres.DATABASE_URL}}` | Auto-injected by Railway |
+| `DATABASE_ASYNC_URL` | `${{Postgres.DATABASE_ASYNC_URL}}` | Async driver |
+| `REDIS_URL` | `${{Redis.REDIS_URL}}` | Auto-injected by Railway |
+| `ALLOWED_ORIGINS` | `https://os.blackroad.systems,https://blackroad.ai` | CORS |
+| `PORT` | `8000` | Railway auto-detects |
+| `API_BASE_URL` | `https://os.blackroad.systems` | Public API URL |
+| `FRONTEND_URL` | `https://os.blackroad.systems` | Public frontend URL |
+
+**Additional Env Vars** (as needed):
+- `OPENAI_API_KEY` - For Lucidia AI (Phase 2)
+- `ANTHROPIC_API_KEY` - For Claude integration
+- `GITHUB_TOKEN` - For agent GitHub access
+- `CF_API_TOKEN` - For Cloudflare automation
+
+### Custom Domain Configuration
+
+**Railway Dashboard**:
+1. Go to `backend` service → Settings → Networking
+2. Add custom domain: `os.blackroad.systems`
+3. Railway provides CNAME target (e.g., `your-app.up.railway.app`)
+4. Add this CNAME to Cloudflare DNS (see Part 2)
+5. Wait for Railway to provision SSL (automatic via Let's Encrypt)
+
+**Repeat for**:
+- `api.blackroad.systems` (explicit API subdomain)
+- `prism.blackroad.systems` (Prism Console subdomain, future)
+
+### Health Checks
+
+Railway automatically monitors:
+- HTTP health check: `GET /health` (must return 200)
+- Automatic restarts on crashes
+- Zero-downtime deploys
+
+**Add to `backend/app/main.py`**:
+
+```python
+@app.get("/health")
+async def health_check():
+    return {
+        "status": "healthy",
+        "timestamp": int(time.time()),
+        "environment": settings.ENVIRONMENT,
+        "version": "1.0.0"  # Update from git tag
+    }
+```
+
+### Deployment Automation
+
+**Current Workflow**: `.github/workflows/railway-deploy.yml`
+- Triggers on: push to `main`, manual dispatch
+- Uses Railway CLI to deploy
+- Environment: Set `RAILWAY_TOKEN` as GitHub secret
+
+**Deployment Flow**:
+1. Developer pushes to `main` (or merges PR)
+2. GitHub Actions runs CI (lint, test, build)
+3. If CI passes, trigger `railway-deploy.yml`
+4. Railway CLI runs: `railway up --service backend`
+5. Railway builds Docker image (or uses buildpacks)
+6. Railway deploys with zero downtime (blue-green)
+7. Health check passes → new version goes live
+8. Old version gracefully shuts down
+
+**Rollback**:
+```bash
+# From Railway CLI
+railway rollback --service backend
+```
+
+---
+
+## PART 5: AGENT ORCHESTRATION MODEL
+
+### The Orchestration Layers
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ ATLAS (Global Cockpit)                                      │
+│ → Single dashboard showing all systems                      │
+│ → Metrics from Prism, CloudWay, RoadChain, Lucidia         │
+│ → Quick actions: "Deploy latest", "Run Dreamspace"         │
+│ → Alert feed: failed jobs, cost overruns, security         │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ OPERATOR ENGINE (Workflow Orchestrator)                     │
+│ → Scheduled agents: cron-like for recurring tasks          │
+│ → Workflow definitions: "Deploy flow", "Patent flow"       │
+│ → Human-in-the-loop: approval gates, review steps          │
+│ → Integrates: Prism (jobs), Lucidia (agents), Vault (logs)│
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ PRISM (Job Queue & Event Log)                              │
+│ → Job queue: all long-running tasks                        │
+│ → Event log: every system action                           │
+│ → Metrics: job counts, latencies, health                   │
+│ → Scheduler: cron for recurring jobs                       │
+│ → Backpressure: rate limiting, throttling                  │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ LUCIDIA (AI Multi-Agent Conductor)                         │
+│ → Multi-model orchestration: Claude, GPT, Llama            │
+│ → Multi-agent: coding, research, design agents             │
+│ → Tool calling: can invoke other OS apps                   │
+│ → Long-term memory: conversation logs, context             │
+│ → Personas: Cece (OS architect), Amundson (quantum), etc.  │
+└─────────────────────────────────────────────────────────────┘
+                            ↕
+┌─────────────────────────────────────────────────────────────┐
+│ CORE OS PRIMITIVES                                          │
+│ → PS-SHA∞ Identity: every agent has identity               │
+│ → RoadChain: audit logs, provenance                        │
+│ → Vault: tamper-evident storage                            │
+│ → CloudWay: infrastructure automation                      │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Example Workflow: "Deploy New Feature"
+
+**Trigger**: Developer pushes to `main` branch
+
+**Workflow Steps** (orchestrated by Operator):
+
+1. **CI/CD Pipeline** (Prism job)
+   - Job type: `ci_cd`
+   - Steps:
+     1. Lint code
+     2. Run tests
+     3. Build artifacts
+   - On success → Step 2
+   - On failure → Notify developer, stop
+
+2. **Security Scan** (Prism job)
+   - Job type: `security_scan`
+   - Steps:
+     1. Run CodeQL
+     2. Check dependencies (Dependabot)
+     3. Scan for secrets
+   - On success → Step 3
+   - On failure → Notify security team, stop
+
+3. **Staging Deploy** (CloudWay via Prism)
+   - Job type: `deploy`
+   - Target: Railway staging environment
+   - Steps:
+     1. Deploy to staging
+     2. Run smoke tests
+     3. Wait for health check
+   - On success → Step 4
+   - On failure → Rollback, notify, stop
+
+4. **Human Approval** (Operator → Slack/Email)
+   - Operator sends approval request to team lead
+   - Slack message: "Deploy to production? [Approve] [Reject]"
+   - Wait for response (timeout: 24 hours)
+   - If approved → Step 5
+   - If rejected → Stop, log reason
+
+5. **Production Deploy** (CloudWay via Prism)
+   - Job type: `deploy_prod`
+   - Target: Railway production
+   - Steps:
+     1. Deploy with zero downtime
+     2. Run health checks
+     3. Monitor for 5 minutes
+     4. If metrics good → finalize
+     5. If errors spike → auto-rollback
+
+6. **Audit Log** (Vault)
+   - Log entire workflow to Vault
+   - Hash on RoadChain (if critical change)
+   - Generate deployment report
+   - Store in `/vault/deploys/YYYY-MM-DD-{id}.json`
+
+7. **Notification** (Atlas)
+   - Update Atlas dashboard
+   - Send success notification to team
+   - Post to Slack/Discord
+
+### Agent Types & Responsibilities
+
+| Agent Type | Purpose | Orchestrated By | Calls |
+|------------|---------|-----------------|-------|
+| **Coding Agent** | Write, refactor, review code | Lucidia | RoadCode Lab, GitHub API, Prism (tests) |
+| **Research Agent** | Search, summarize, generate ideas | Lucidia | Web APIs, Quantum Lab, Vault (logs) |
+| **Design Agent** | Generate UI, diagrams, visuals | Lucidia | RoadStudio, DALL-E, Vault (IP hash) |
+| **Deploy Agent** | Provision infra, deploy apps | Operator | CloudWay, Railway CLI, Prism (jobs) |
+| **Compliance Agent** | Audit, review, generate reports | Operator | Vault, RoadChain, Prism (events) |
+| **Dreamspace Agent** | Background brainstorming, experiments | Operator (scheduled) | Lucidia (all sub-agents), Vault (logs) |
+
+### Communication Protocol
+
+**Agent → Agent**:
+- Via Prism event bus
+- Agent A publishes event: `{"type": "code_ready", "data": {...}}`
+- Agent B subscribes to `code_ready` events
+- Prism delivers event to Agent B
+- Agent B processes, publishes next event
+
+**Agent → Human**:
+- Via Atlas dashboard notifications
+- Via Slack/email integrations
+- Human-in-the-loop approval gates
+
+**Human → Agent**:
+- Via OS app UI (Lucidia Core, Prism Console)
+- Via Slack commands (future)
+- Via API calls (for automation)
+
+---
+
+## PART 6: ORG-WIDE ROADMAP
+
+### The 3-Phase Strategy (from EXECUTION_ROADMAP.md)
+
+```
+PHASE 1 (0-12 months)  →  PHASE 2 (12-18 months)  →  PHASE 3 (18-24+ months)
+Prove the OS                Expand Intelligence         Ecosystem & Orbit
+```
+
+### Phase 1: Prove the OS (Months 0-12)
+
+**Business Goals**:
+- ✅ 5 enterprise design partners in production
+- ✅ 100 active developers building on platform
+- ✅ $500K ARR from pilots
+- ✅ Series Seed or pre-A funding ($3-5M)
+
+**Product Goals**:
+- ✅ Stable BlackRoad OS core (v1.0)
+- ✅ ALICE QI engine (v1.0) powering agents
+- ✅ Working multi-agent orchestration
+- ✅ RoadChain audit trails operational
+- ✅ PS-SHA∞ identity system live
+
+**Domains Live in Phase 1**:
+1. ✅ `blackroad.systems` - Corporate site + OS positioning
+2. ✅ `blackroad.network` - Developer hub + docs
+3. ✅ `blackroadai.com` - Product console (login, admin)
+4. ✅ `blackroad.me` - Identity portal
+
+**Quarter-by-Quarter**:
+
+**Q1 (Months 0-3): Foundation**
+- [x] Core BlackRoad OS infrastructure (DONE - current monorepo)
+- [ ] ALICE QI engine (alpha) - **NEXT**
+- [ ] RoadChain prototype
+- [ ] PS-SHA∞ identity system
+- [ ] Design system v1 (leverage existing component library)
+- [ ] Brand guidelines finalized (use BRAND_ARCHITECTURE.md)
+- [ ] blackroad.systems v1 (5-7 pages - use DOMAIN_SPEC.md)
+- [ ] blackroad.network v1 (docs skeleton + 1 SDK)
+- [ ] blackroadai.com v1 (console MVP - evolve current OS)
+- [ ] blackroad.me v1 (identity creation + basic portal)
+- [ ] Private alpha launch (invite-only)
+
+**Q2 (Months 3-6): Design Partners**
+- [ ] Incorporate alpha feedback
+- [ ] Add Python + Node SDKs (full support)
+- [ ] Expand documentation
+- [ ] Build demo environment
+- [ ] Create sales materials
+- [ ] Identify 10 target design partners
+- [ ] Outreach campaign
+- [ ] Onboard first 3 design partners
+
+**Q3 (Months 6-9): Public Beta & Developer Growth**
+- [ ] Open blackroad.network to public (with waitlist)
+- [ ] Launch developer community (Discord)
+- [ ] Begin content marketing (blog, tutorials)
+- [ ] First community office hours
+- [ ] Developer onboarding optimization
+- [ ] Expand examples and templates
+- [ ] Add Go and Rust SDK support (if needed)
+- [ ] Onboard partners 4-5
+
+**Q4 (Months 9-12): Prove & Convert**
+- [ ] Design partners moving to production
+- [ ] Collect ROI data and success metrics
+- [ ] Convert 2-3 pilots to paying customers
+- [ ] First enterprise contracts signed ($50-200K each)
+- [ ] Launch Team tier pricing (self-serve)
+- [ ] Publish 3 case studies
+- [ ] Publish 2 technical whitepapers
+- [ ] Fundraise (if needed)
+
+### Phase 2: Expand Intelligence (Months 12-18)
+
+**Domains Live in Phase 2**:
+1. ✅ `aliceqi.com` - ALICE QI engine showcase
+2. ✅ `blackroadqi.com` - Financial intelligence product
+3. ✅ `lucidia.earth` - Public narrative experiences
+4. ✅ `blackroadquantum.com` - Research hub
+
+**Key Milestones**:
+- ✅ ALICE QI recognized research contribution
+- ✅ First BlackRoad QI customers (financial)
+- ✅ Lucidia drives 10,000+ new users
+- ✅ Quantum research published and recognized
+
+### Phase 3: Ecosystem & Orbit (Months 18-24+)
+
+**Domains Live in Phase 3**:
+1. ✅ `blackroadquantum.net` - APIs & protocols
+2. ✅ `blackroadquantum.info` - Education hub
+3. ✅ `blackroadquantum.store/.shop` - Courses, kits, merch
+4. ✅ `lucidia.studio` - Creative production
+5. ✅ `blackroad.store/.shop` - Community commerce
+
+**Key Milestones**:
+- ✅ 50+ enterprise customers
+- ✅ $10M ARR
+- ✅ 5,000 active developers
+- ✅ Multiple revenue streams operational
+- ✅ Community-driven innovation
+
+---
+
+## PART 7: ATLAS AUTOMATION COMMAND LIST
+
+### Essential Commands for Infrastructure Setup
+
+**Cloudflare DNS Setup**:
+```bash
+# 1. Export Cloudflare credentials
+export CF_API_TOKEN="your-token-here"
+export CF_ZONE_ID="your-zone-id-here"
+
+# 2. Run DNS sync script (create this from template above)
+python scripts/cloudflare/sync_dns.py
+
+# 3. Verify DNS records
+dig os.blackroad.systems
+dig api.blackroad.systems
+```
+
+**Railway Setup**:
+```bash
+# 1. Install Railway CLI
+curl -fsSL https://railway.app/install.sh | sh
+
+# 2. Login
+railway login
+
+# 3. Link to project
+railway link
+
+# 4. Set environment variables (from .env.example)
+while IFS='=' read -r key value; do
+  if [[ -n "$key" && $key != \#* ]]; then
+    railway variables set "$key" "$value"
+  fi
+done < backend/.env.example
+
+# 5. Deploy
+railway up --service backend
+
+# 6. Check status
+railway status
+railway logs --service backend
+```
+
+**GitHub Setup**:
+```bash
+# 1. Set GitHub secrets (manual via web UI or gh CLI)
+gh secret set RAILWAY_TOKEN --body "your-railway-token"
+gh secret set CF_API_TOKEN --body "your-cf-token"
+gh secret set CF_ZONE_ID --body "your-zone-id"
+
+# 2. Enable branch protection
+gh api \
+  --method PUT \
+  -H "Accept: application/vnd.github+json" \
+  /repos/blackboxprogramming/BlackRoad-Operating-System/branches/main/protection \
+  -f required_status_checks='{"strict":true,"contexts":["CI / lint","CI / test-backend"]}' \
+  -f enforce_admins=false \
+  -f required_pull_request_reviews='{"required_approving_review_count":1}' \
+  -f restrictions=null
+
+# 3. Create project board (via web UI recommended)
+```
+
+**Local Development**:
+```bash
+# 1. Clone repo
+git clone https://github.com/blackboxprogramming/BlackRoad-Operating-System.git
+cd BlackRoad-Operating-System
+
+# 2. Set up backend
+cd backend
+python -m venv .venv
+source .venv/bin/activate  # Windows: .venv\Scripts\activate
+pip install -r requirements.txt
+
+# 3. Set up environment
+cp .env.example .env
+# Edit .env with local values
+
+# 4. Start dependencies
+docker-compose up -d postgres redis
+
+# 5. Run backend
+python run.py
+
+# 6. Open browser
+open http://localhost:8000
+```
+
+### Monitoring & Maintenance
+
+**Health Check**:
+```bash
+# Check all domains
+curl https://os.blackroad.systems/health
+curl https://api.blackroad.systems/health
+
+# Check Railway status
+railway status --service backend
+
+# Check logs
+railway logs --service backend --tail 100
+```
+
+**Database Maintenance**:
+```bash
+# Connect to Railway DB
+railway connect postgres
+
+# Run migrations
+railway run alembic upgrade head
+
+# Backup (manual)
+railway run pg_dump $DATABASE_URL > backup-$(date +%Y%m%d).sql
+```
+
+**Cost Monitoring**:
+```bash
+# Check Railway usage
+railway usage
+
+# Check Cloudflare analytics (via web UI)
+```
+
+---
+
+## PART 8: ALEXA'S NEXT-ACTION CHECKLIST
+
+### 🎯 Immediate Next Steps (Do First)
+
+**Infrastructure Foundation** (1-2 days):
+
+- [ ] **1. Migrate DNS to Cloudflare**
+  - Add `blackroad.systems` to Cloudflare
+  - Update nameservers at GoDaddy
+  - Configure DNS records (use Part 2 blueprint)
+  - Verify SSL works
+  - Repeat for other domains
+
+- [ ] **2. Verify Railway Deployment**
+  - Check current Railway project
+  - Verify environment variables are set
+  - Test health endpoint: `https://your-app.up.railway.app/health`
+  - Add custom domain: `os.blackroad.systems`
+  - Test: `https://os.blackroad.systems`
+
+- [ ] **3. Update GitHub Secrets**
+  - Add `CF_API_TOKEN` (from Cloudflare)
+  - Add `CF_ZONE_ID` (from Cloudflare)
+  - Add `RAILWAY_TOKEN` (from Railway CLI)
+  - Verify workflows run successfully
+
+### 🚀 Phase 1 Priorities (Next 2 Weeks)
+
+**Product Development**:
+
+- [ ] **4. Polish Current OS**
+  - Test all existing apps (Prism, Miners, etc.)
+  - Fix any UI bugs in window management
+  - Ensure all mock data is realistic
+  - Add loading states, error handling
+  - Test on mobile (basic responsiveness)
+
+- [ ] **5. Add Real Backend Endpoints**
+  - Implement `/api/prism/jobs` (real data from DB)
+  - Implement `/api/prism/metrics` (real metrics)
+  - Add WebSocket for real-time updates
+  - Connect Prism Console to real API (remove mock data)
+
+- [ ] **6. Create blackroad.systems Landing Page**
+  - Use DOMAIN_SPEC.md as blueprint
+  - 5-page MVP:
+    1. Homepage (hero, capabilities, CTA)
+    2. Architecture (system overview)
+    3. Solutions (1 industry page - Financial Services)
+    4. Pricing (3 tiers)
+    5. Contact/Demo request
+  - Deploy to GitHub Pages or Railway
+  - Point `blackroad.systems` DNS to it
+
+**Documentation**:
+
+- [ ] **7. Developer Docs (blackroad.network)**
+  - Quick start guide
+  - API reference
+  - Example code (Python, Node)
+  - Architecture overview
+  - Deploy to GitHub Pages
+  - Point `blackroad.network` DNS
+
+- [ ] **8. Technical Whitepapers** (v1 drafts)
+  - "BlackRoad OS: System Architecture"
+  - "PS-SHA∞: Sovereign Identity for AI Agents"
+  - PDF exports, host on blackroad.systems
+
+### 🎨 Content & Branding (Next Month)
+
+- [ ] **9. Design System Formalization**
+  - Document component library
+  - Create Figma designs (optional)
+  - Screenshot gallery of OS
+  - Brand style guide (colors, fonts, voice)
+
+- [ ] **10. Case Study Scaffolds** (3 placeholder studies)
+  - Financial Services: "How [Bank] Deployed 500 Agents"
+  - Healthcare: "How [Hospital] Ensured HIPAA Compliance"
+  - Enterprise: "How [Company] Replaced Black-Box AI"
+  - Use DOMAIN_SPEC templates
+
+### 🤝 Community & Outreach (Ongoing)
+
+- [ ] **11. Launch Developer Community**
+  - Create Discord server
+  - Invite first 10-20 alpha testers
+  - Post weekly updates
+  - First community call
+
+- [ ] **12. Content Marketing**
+  - Blog post: "Why Deterministic AI Matters"
+  - Blog post: "Introducing BlackRoad OS"
+  - Blog post: "Building Auditable AI with RoadChain"
+  - Post on HN, Reddit, LinkedIn
+
+### 📊 Metrics & Feedback (Week 3-4)
+
+- [ ] **13. Set Up Analytics**
+  - Google Analytics on blackroad.systems
+  - Mixpanel/PostHog for OS usage (optional)
+  - Track: demo requests, docs views, OS sessions
+
+- [ ] **14. Feedback Loop**
+  - User surveys for alpha testers
+  - Weekly check-ins with early users
+  - GitHub issues for bug reports
+  - Prioritize next features based on feedback
+
+---
+
+## THE EXECUTION MANTRA
+
+**Phase 1 Success Formula**:
+1. **Infrastructure** → Solid foundation (Cloudflare, Railway, GitHub)
+2. **Product** → Working OS with real backend (not just mocks)
+3. **Positioning** → Clear messaging (blackroad.systems, docs)
+4. **Pilots** → 3-5 design partners using it
+5. **Proof** → Case studies, metrics, testimonials
+6. **Funding** → Raise seed round based on traction
+
+**The Critical Path** (what must happen):
+```
+Week 1-2:   Infrastructure setup ✅
+Week 3-4:   Polish OS + real API ✅
+Week 5-6:   blackroad.systems live ✅
+Week 7-8:   Developer docs live ✅
+Week 9-10:  Alpha launch (invite-only) ✅
+Week 11-12: First 10 users onboarded ✅
+Month 4:    First design partner ✅
+Month 6:    3 design partners ✅
+Month 9:    Public beta ✅
+Month 12:   First paying customers ✅
+```
+
+---
+
+## READY FOR THE NEXT COMMAND, OPERATOR.
+
+This master plan synthesizes:
+- ✅ Your system memories (from ChatGPT)
+- ✅ The 6-repo strategy (or monorepo evolution)
+- ✅ The Big Kahuna vision (complete OS architecture)
+- ✅ The 3-phase execution roadmap (18-24 months)
+- ✅ Infrastructure topology (Cloudflare → GoDaddy → Railway → GitHub)
+- ✅ Domain strategy (10+ domains with routing)
+- ✅ Agent orchestration (Atlas/Operator/Prism/Lucidia)
+- ✅ Brand architecture (all sub-brands)
+
+**Your next concrete action**: Start with Alexa's Next-Action Checklist, Item #1 (Migrate DNS to Cloudflare).
+
+**Your north star**: Phase 1, Q1 deliverables - get the foundation solid, then build on it.
+
+**Your superpower**: You have the complete vision documented. Now execute methodically, one step at a time.
+
+---
+
+*"Phase 1: Prove it. Phase 2: Expand it. Phase 3: Own it."*
+
+**Where AI meets the open road.** 🛣️
diff --git a/NEXT_ACTIONS_ALEXA.md b/NEXT_ACTIONS_ALEXA.md
new file mode 100644
index 0000000..1473422
--- /dev/null
+++ b/NEXT_ACTIONS_ALEXA.md
@@ -0,0 +1,482 @@
+# 🎯 ALEXA'S NEXT ACTIONS
+## The No-Overwhelm, Just-Execute Checklist
+
+**Date:** 2025-11-18
+**Status:** Ready to Execute
+**Phase:** Phase 1, Q1 - Foundation
+
+---
+
+## THE BIG PICTURE IN 3 SENTENCES
+
+1. You have a **working Windows 95-style OS** with FastAPI backend (it's beautiful!)
+2. You have **complete vision docs** for the entire BlackRoad ecosystem (The Big Kahuna!)
+3. Now you need to **solidify infrastructure** and **launch Phase 1** (make it real!)
+
+---
+
+## 🔥 DO THESE FIRST (Today/This Week)
+
+### ✅ Infrastructure Foundation
+
+**Time Estimate**: 2-4 hours total
+
+#### 1. Migrate blackroad.systems DNS to Cloudflare (1 hour)
+
+**Why**: Better performance, free SSL, DDoS protection, future-ready
+
+**Steps**:
+```bash
+# Option A: Manual (easier, recommended for first time)
+1. Go to cloudflare.com → Log in → "Add a site"
+2. Enter: blackroad.systems
+3. Choose Free plan
+4. Cloudflare scans existing DNS records
+5. Review/approve records
+6. Cloudflare shows 2 nameservers (e.g., aaaa.ns.cloudflare.com)
+7. Go to GoDaddy → My Domains → blackroad.systems → Manage DNS
+8. Nameservers → Change → Custom
+9. Enter Cloudflare nameservers
+10. Save → Wait 5-60 minutes
+11. Return to Cloudflare → Should say "Active"
+12. Go to SSL/TLS → Set to "Full (strict)"
+13. Enable "Always Use HTTPS"
+Done! ✅
+
+# Option B: Script (once you're comfortable)
+export CF_API_TOKEN="your-token"
+export CF_ZONE_ID="your-zone-id"
+python scripts/cloudflare/sync_dns.py  # (create this from blueprint)
+```
+
+**Result**: `blackroad.systems` now served via Cloudflare with free SSL
+
+---
+
+#### 2. Verify Railway Deployment (30 min)
+
+**Why**: Ensure backend is deployed and healthy
+
+**Steps**:
+```bash
+# Check current deployment
+railway status --service backend
+
+# View logs
+railway logs --service backend --tail 50
+
+# Test health endpoint
+curl https://your-railway-app.up.railway.app/health
+
+# Expected response:
+# {"status":"healthy","timestamp":...}
+
+# Add custom domain (if not already)
+railway domains add os.blackroad.systems --service backend
+
+# Test custom domain
+curl https://os.blackroad.systems/health
+```
+
+**Result**: Backend is live, healthy, and accessible via custom domain
+
+---
+
+#### 3. Update GitHub Secrets (15 min)
+
+**Why**: Enable automated deployments and DNS syncing
+
+**Steps**:
+```bash
+# Get Railway token
+railway whoami  # Shows current login
+railway login --browserless  # Get new token if needed
+
+# Get Cloudflare token
+# Cloudflare dashboard → My Profile → API Tokens → Create Token
+# Template: "Edit zone DNS" → Select zones: blackroad.systems
+
+# Add to GitHub
+gh secret set RAILWAY_TOKEN  # Paste Railway token
+gh secret set CF_API_TOKEN   # Paste Cloudflare API token
+gh secret set CF_ZONE_ID     # From Cloudflare dashboard (zone overview)
+
+# Verify
+gh secret list
+```
+
+**Result**: GitHub Actions can now deploy and manage infrastructure
+
+---
+
+#### 4. Test End-to-End (15 min)
+
+**Why**: Confirm everything works
+
+**Steps**:
+```bash
+# 1. Visit OS
+open https://os.blackroad.systems
+
+# Should see: Windows 95 desktop, apps load, no errors
+
+# 2. Test API
+curl https://os.blackroad.systems/api/docs
+
+# Should see: FastAPI Swagger docs
+
+# 3. Check SSL
+# Browser should show 🔒 (secure)
+
+# 4. Test deployment
+git commit --allow-empty -m "test: verify deployment pipeline"
+git push
+
+# GitHub Actions should run → deploy to Railway
+# Check: https://github.com/blackboxprogramming/BlackRoad-Operating-System/actions
+```
+
+**Result**: Full stack working (DNS → Cloudflare → Railway → OS)
+
+---
+
+## 🚀 DO THESE NEXT (This Week/Next Week)
+
+### ✅ Product Polish
+
+**Time Estimate**: 4-8 hours
+
+#### 5. Fix Any OS Bugs (2-4 hours)
+
+**Task**: Test all existing apps, fix issues
+
+**Test Checklist**:
+- [ ] Desktop icons load
+- [ ] Windows open/close/minimize/maximize
+- [ ] Taskbar shows active windows
+- [ ] Start menu works
+- [ ] All apps load (Prism, Miners, Finance, etc.)
+- [ ] Window dragging/resizing works
+- [ ] Mobile: basic functionality (doesn't have to be perfect)
+
+**Known Issues** (if any):
+- Check GitHub issues: `gh issue list`
+- Create issues for new bugs found
+
+**Fix Priority**:
+1. Blocking bugs (app won't load)
+2. UX bugs (confusing behavior)
+3. Visual bugs (minor styling)
+
+---
+
+#### 6. Add Real Backend Data (2-4 hours)
+
+**Task**: Connect Prism Console to real API (remove mock data)
+
+**Current State**: Prism Console uses mock/static data
+**Target State**: Prism Console fetches from `/api/prism/*`
+
+**Steps**:
+```python
+# backend/app/routers/prism.py (create if doesn't exist)
+
+from fastapi import APIRouter, Depends
+from sqlalchemy.orm import Session
+from app.database import get_db
+
+router = APIRouter(prefix="/api/prism", tags=["prism"])
+
+@router.get("/jobs")
+async def get_jobs(db: Session = Depends(get_db)):
+    # TODO: Query actual jobs from DB
+    return {
+        "jobs": [
+            {"id": 1, "type": "deploy", "status": "completed"},
+            {"id": 2, "type": "test", "status": "running"},
+        ]
+    }
+
+@router.get("/metrics")
+async def get_metrics():
+    return {
+        "jobs_running": 2,
+        "jobs_completed": 15,
+        "jobs_failed": 1,
+    }
+```
+
+```javascript
+// Update blackroad-os/js/apps/prism.js
+// Replace mock data with fetch calls
+
+async function loadJobs() {
+    const response = await fetch('/api/prism/jobs');
+    const data = await response.json();
+    // Render jobs...
+}
+```
+
+---
+
+### ✅ Website Launch
+
+**Time Estimate**: 6-12 hours (can be split over days)
+
+#### 7. Create blackroad.systems Landing Page (6-8 hours)
+
+**Task**: MVP corporate site (5 pages)
+
+**Pages**:
+1. **Homepage** - Hero, capabilities, CTA
+2. **Architecture** - System overview, diagrams
+3. **Solutions** - Financial Services use case
+4. **Pricing** - 3 tiers (Free, Team, Enterprise)
+5. **Contact** - Demo request form
+
+**Option A: Simple HTML** (faster, matches OS aesthetic)
+- Use Win95 theme (like OS)
+- Single `index.html` with sections
+- Deploy to GitHub Pages or Railway
+
+**Option B: Static Site Generator** (more scalable)
+- Use Astro, Next.js, or 11ty
+- Reuse OS components
+- Deploy to Vercel or GitHub Pages
+
+**Recommendation**: Start with Option A (faster), upgrade later
+
+**Steps**:
+```bash
+# 1. Create site directory
+mkdir -p blackroad-systems-site
+cd blackroad-systems-site
+
+# 2. Copy OS theme/styles
+cp ../blackroad-os/css/os.css ./styles.css
+
+# 3. Create index.html (use DOMAIN_SPEC.md as guide)
+
+# 4. Deploy to GitHub Pages
+gh repo create blackroad-systems-site --public
+git init && git add . && git commit -m "Initial site"
+git remote add origin https://github.com/blackboxprogramming/blackroad-systems-site.git
+git push -u origin main
+
+# 5. Enable GitHub Pages
+gh repo edit --enable-pages --pages-branch main
+
+# 6. Point DNS
+# Cloudflare: CNAME @ → blackboxprogramming.github.io
+# GitHub: Add custom domain in repo settings
+```
+
+---
+
+#### 8. Create Developer Docs (4 hours)
+
+**Task**: Quick start guide for developers
+
+**Minimum Viable Docs**:
+1. **README** - What is BlackRoad OS?
+2. **Quick Start** - Get started in 5 minutes
+3. **API Reference** - List of endpoints (auto-generated from FastAPI)
+4. **Examples** - Python & Node code samples
+
+**Location**: `docs/` directory or separate repo
+
+**Deploy**: GitHub Pages (blackroad.network)
+
+**Steps**:
+```bash
+# 1. Use MkDocs or Docusaurus (or just Markdown)
+cd docs
+
+# 2. Create pages
+touch index.md quick-start.md api-reference.md examples.md
+
+# 3. Deploy to GitHub Pages
+# (Same as blackroad-systems-site)
+```
+
+---
+
+## 📅 DO THESE LATER (Next 2-4 Weeks)
+
+### ✅ Alpha Launch Prep
+
+#### 9. Set Up Analytics (1 hour)
+
+**Task**: Track usage and visitors
+
+**Tools**:
+- Google Analytics (easy, free)
+- PostHog (open-source, privacy-friendly)
+- Mixpanel (product analytics)
+
+**Add to**:
+- blackroad.systems (marketing site)
+- os.blackroad.systems (OS usage)
+
+---
+
+#### 10. Create Discord Community (2 hours)
+
+**Task**: Launch developer community
+
+**Steps**:
+1. Create Discord server
+2. Set up channels:
+   - #announcements
+   - #general
+   - #help
+   - #showcase
+   - #feedback
+3. Create roles (Admin, Mod, Alpha Tester, Community)
+4. Invite first 10-20 alpha testers
+5. Post welcome message
+
+---
+
+#### 11. Write First Blog Posts (4-6 hours)
+
+**Task**: Content marketing
+
+**Topics**:
+1. "Introducing BlackRoad OS" (launch post)
+2. "Why Deterministic AI Matters" (thought leadership)
+3. "Building Auditable AI Systems with RoadChain" (technical deep-dive)
+
+**Publish on**:
+- blackroad.systems/blog
+- Medium
+- Dev.to
+- Hacker News (carefully)
+
+---
+
+#### 12. Recruit Alpha Testers (ongoing)
+
+**Task**: Find first 10-20 users
+
+**Outreach**:
+- Personal network
+- Twitter/X
+- LinkedIn
+- Reddit (r/artificial, r/programming - be respectful)
+- Indie Hackers
+- Product Hunt (later)
+
+**Offer**:
+- Free early access
+- Direct line to founder (you!)
+- Influence product direction
+- Credits/recognition
+
+---
+
+## 📊 SUCCESS METRICS (How You Know It's Working)
+
+### Week 1 Success:
+- ✅ Infrastructure solid (Cloudflare, Railway, GitHub)
+- ✅ OS accessible at os.blackroad.systems
+- ✅ No major bugs blocking usage
+
+### Week 2-3 Success:
+- ✅ blackroad.systems live (even if simple)
+- ✅ Developer docs live
+- ✅ First 5-10 alpha testers signed up
+
+### Week 4 Success:
+- ✅ First 3 users actively using OS
+- ✅ Feedback collected
+- ✅ First iteration of improvements deployed
+
+### Month 2-3 Success:
+- ✅ 20-50 developers signed up
+- ✅ First design partner conversation started
+- ✅ Blog posts published, some traction
+
+---
+
+## 🎯 THE MANTRA
+
+**Focus on**:
+1. **Infrastructure first** (solid foundation)
+2. **Product polish** (it has to work)
+3. **Simple messaging** (clear value prop)
+4. **Real users** (even if just 5)
+
+**Avoid**:
+- Building everything at once
+- Perfectionism (ship v1, iterate)
+- Distractions (shiny new features)
+
+**Remember**:
+- Phase 1 is about **proving it works**
+- You need **5 design partners**, not 500
+- **Traction > polish** in early days
+
+---
+
+## 🛠️ TOOLS & RESOURCES
+
+**Bookmarks**:
+- Cloudflare Dashboard: https://dash.cloudflare.com
+- Railway Dashboard: https://railway.app/dashboard
+- GitHub Repo: https://github.com/blackboxprogramming/BlackRoad-Operating-System
+- GitHub Actions: https://github.com/blackboxprogramming/BlackRoad-Operating-System/actions
+
+**Docs Created**:
+- `/MASTER_ORCHESTRATION_PLAN.md` - Complete master plan
+- `/infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md` - DNS setup guide
+- `/.github/GITHUB_ENTERPRISE_SETUP.md` - GitHub org structure
+- `/.github/CODEOWNERS` - Code ownership
+- `/NEXT_ACTIONS_ALEXA.md` - This file!
+
+**Reference Docs**:
+- `/BLACKROAD_OS_BIG_KAHUNA_VISION.md` - Complete OS vision
+- `/blackroad-universe/operations/roadmap/EXECUTION_ROADMAP.md` - 18-24 month roadmap
+- `/blackroad-universe/brand/architecture/BRAND_ARCHITECTURE.md` - Brand strategy
+
+---
+
+## 💬 WHEN YOU'RE STUCK
+
+**Question**: "Which task should I do next?"
+**Answer**: Look at this file, pick the next unchecked item in order
+
+**Question**: "This is overwhelming"
+**Answer**: Just do #1 (Cloudflare DNS). Then #2. One at a time.
+
+**Question**: "Something broke"
+**Answer**: Check Railway logs: `railway logs --service backend --tail 100`
+
+**Question**: "I need help with X"
+**Answer**: Ask Claude! Or check docs. Or Discord community (once launched).
+
+---
+
+## 🎉 CELEBRATE WINS
+
+**After Week 1**: Infrastructure is solid! 🎊
+**After Week 2**: Sites are live! 🚀
+**After Week 3**: First users! 🌟
+**After Month 1**: Momentum building! 💪
+**After Month 3**: Real traction! 🔥
+
+---
+
+**Ready to build the road, Operator?**
+
+**Your first action**: Item #1 (Cloudflare DNS migration)
+
+**Your north star**: Phase 1, Q1 - Prove the OS works
+
+**Your superpower**: You've already built the foundation. Now make it real.
+
+---
+
+*"Not just infrastructure. Not just intelligence. A constellation."*
+
+**Where AI meets the open road.** 🛣️
diff --git a/infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md b/infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md
new file mode 100644
index 0000000..f40846d
--- /dev/null
+++ b/infra/cloudflare/CLOUDFLARE_DNS_BLUEPRINT.md
@@ -0,0 +1,523 @@
+# Cloudflare DNS Blueprint
+## Complete DNS Configuration for BlackRoad Universe
+
+**Version:** 1.0
+**Date:** 2025-11-18
+**Purpose:** Canonical DNS configuration for all BlackRoad domains via Cloudflare
+
+---
+
+## Overview
+
+This document provides the complete DNS setup for migrating all BlackRoad domains from GoDaddy DNS to Cloudflare DNS.
+
+**Why Cloudflare?**
+- Free tier includes: DNS, SSL, CDN, DDoS protection, Web Analytics
+- Global anycast network (faster DNS resolution)
+- CNAME flattening (allows root domain CNAMEs to Railway)
+- Better security (WAF, rate limiting available)
+- Future-ready for Workers, Zero Trust, edge functions
+
+---
+
+## Migration Process
+
+### Step 1: Add Domain to Cloudflare
+
+For each domain:
+
+1. **Log in to Cloudflare dashboard**
+2. Click **"Add a site"**
+3. Enter domain (e.g., `blackroad.systems`)
+4. Select **Free plan**
+5. Cloudflare auto-scans existing DNS records from GoDaddy
+6. Review scanned records, make adjustments (see configurations below)
+7. Cloudflare provides 2 nameservers (e.g., `aaaa.ns.cloudflare.com`, `bbbb.ns.cloudflare.com`)
+
+### Step 2: Update Nameservers at GoDaddy
+
+For each domain:
+
+1. **Log in to GoDaddy**
+2. Go to **My Domains** → select domain → **Manage DNS**
+3. Scroll to **Nameservers** section
+4. Click **Change** → Select **Custom**
+5. Enter Cloudflare nameservers (from Step 1)
+6. Click **Save**
+7. **Wait 5-60 minutes** for DNS propagation
+
+### Step 3: Verify & Configure SSL
+
+1. Return to Cloudflare dashboard
+2. Wait for status to change from "Pending" to **"Active"**
+3. Go to **SSL/TLS** → Set encryption mode to **"Full (strict)"**
+4. Go to **SSL/TLS** → **Edge Certificates** → Enable **"Always Use HTTPS"**
+5. Enable **"Automatic HTTPS Rewrites"**
+6. Enable **"HTTP Strict Transport Security (HSTS)"** (optional, but recommended)
+
+### Step 4: Optimize Performance
+
+1. Go to **Speed** → **Optimization**
+2. Enable **Auto Minify** (HTML, CSS, JS)
+3. Enable **Brotli** compression
+4. Enable **Rocket Loader** (optional - test first)
+5. Go to **Caching** → Set **Browser Cache TTL** to "Respect Existing Headers"
+
+---
+
+## DNS Records Configuration
+
+### Domain: blackroad.systems
+
+**Purpose**: Flagship corporate site + OS application
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `blackroad-os-production.up.railway.app` | Auto | ✅ Proxied | Root domain → Railway (CNAME flattening) |
+| CNAME | www | `blackroad.systems` | Auto | ✅ Proxied | www redirects to apex |
+| CNAME | os | `blackroad.systems` | Auto | ✅ Proxied | Alternative OS alias |
+| CNAME | api | `blackroad-os-production.up.railway.app` | Auto | ✅ Proxied | Explicit API subdomain |
+| CNAME | prism | `blackroad-os-production.up.railway.app` | Auto | ✅ Proxied | Prism Console subdomain |
+| CNAME | docs | `blackboxprogramming.github.io` | Auto | ✅ Proxied | GitHub Pages for docs |
+| CNAME | cdn | `blackroad.systems` | Auto | ✅ Proxied | CDN alias (for future asset delivery) |
+| TXT | @ | `v=spf1 include:_spf.google.com ~all` | Auto | - | SPF record (if using Google Workspace) |
+| MX | @ | `1 aspmx.l.google.com` | Auto | - | Gmail MX (priority 1) |
+| MX | @ | `5 alt1.aspmx.l.google.com` | Auto | - | Gmail MX (priority 5) |
+| MX | @ | `5 alt2.aspmx.l.google.com` | Auto | - | Gmail MX (priority 5) |
+
+**Page Rules** (Optional):
+- `www.blackroad.systems/*` → Forwarding URL (301) → `https://blackroad.systems/$1`
+
+---
+
+### Domain: blackroad.ai
+
+**Purpose**: Product console, admin interface
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | Auto | ✅ Proxied | Alias to main OS |
+| CNAME | www | `blackroad.ai` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | console | `os.blackroad.systems` | Auto | ✅ Proxied | Explicit console subdomain |
+
+**Page Rules**:
+- `www.blackroad.ai/*` → Forwarding URL (301) → `https://blackroad.ai/$1`
+
+---
+
+### Domain: blackroad.network
+
+**Purpose**: Developer hub, documentation, community
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | Auto | ✅ Proxied | GitHub Pages for docs |
+| CNAME | www | `blackroad.network` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | api | `blackroad-os-production.up.railway.app` | Auto | ✅ Proxied | API access for developers |
+| CNAME | sandbox | `blackroad-os-staging.up.railway.app` | Auto | ✅ Proxied | Staging/sandbox environment |
+
+**CNAME File** (for GitHub Pages):
+Create file `CNAME` in your `docs/` or GitHub Pages root:
+```
+blackroad.network
+```
+
+**Page Rules**:
+- `www.blackroad.network/*` → Forwarding URL (301) → `https://blackroad.network/$1`
+
+---
+
+### Domain: blackroad.me
+
+**Purpose**: Personal identity portal, Pocket OS
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | Auto | ✅ Proxied | Identity portal via main OS |
+| CNAME | www | `blackroad.me` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | id | `os.blackroad.systems` | Auto | ✅ Proxied | Explicit identity subdomain |
+
+---
+
+### Domain: lucidia.earth
+
+**Purpose**: Narrative experiences, interactive storytelling (Phase 2)
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | Auto | ✅ Proxied | GitHub Pages (Phase 2) |
+| CNAME | www | `lucidia.earth` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | studio | `lucidia-studio.vercel.app` | Auto | ✅ Proxied | Lucidia Studio (Phase 3) |
+
+**CNAME File** (for GitHub Pages):
+```
+lucidia.earth
+```
+
+---
+
+### Domain: aliceqi.com
+
+**Purpose**: ALICE QI research showcase (Phase 2)
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | Auto | ✅ Proxied | GitHub Pages |
+| CNAME | www | `aliceqi.com` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | research | `aliceqi.com` | Auto | ✅ Proxied | Research portal |
+| CNAME | docs | `aliceqi.com` | Auto | ✅ Proxied | Technical documentation |
+
+---
+
+### Domain: blackroadqi.com
+
+**Purpose**: Financial/quantitative intelligence product (Phase 2)
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `blackroadqi-app.up.railway.app` | Auto | ✅ Proxied | Dedicated QI app (Phase 2) |
+| CNAME | www | `blackroadqi.com` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | api | `blackroadqi-api.up.railway.app` | Auto | ✅ Proxied | QI API endpoint |
+
+---
+
+### Domain: roadwallet.com
+
+**Purpose**: Wallet interface (alias to OS)
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | Auto | ✅ Proxied | Alias to main OS wallet |
+| CNAME | www | `roadwallet.com` | Auto | ✅ Proxied | www → apex redirect |
+
+---
+
+### Domain: aliceos.io
+
+**Purpose**: Legacy alias (points to main OS)
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `os.blackroad.systems` | Auto | ✅ Proxied | Legacy domain |
+| CNAME | www | `aliceos.io` | Auto | ✅ Proxied | www → apex redirect |
+
+---
+
+### Domain: blackroadquantum.com
+
+**Purpose**: Quantum research hub (Phase 2)
+
+| Type | Name | Target | TTL | Proxy | Notes |
+|------|------|--------|-----|-------|-------|
+| CNAME | @ | `blackboxprogramming.github.io` | Auto | ✅ Proxied | GitHub Pages |
+| CNAME | www | `blackroadquantum.com` | Auto | ✅ Proxied | www → apex redirect |
+| CNAME | lab | `quantum-lab.up.railway.app` | Auto | ✅ Proxied | Quantum Lab app (Phase 2) |
+
+---
+
+## Advanced Configuration
+
+### SSL/TLS Settings
+
+**For all domains**:
+
+1. **Encryption Mode**: Full (strict)
+   - Cloudflare ↔ Railway: encrypted with valid cert
+
+2. **Edge Certificates**:
+   - ✅ Always Use HTTPS
+   - ✅ Automatic HTTPS Rewrites
+   - ✅ Certificate Transparency Monitoring
+   - ✅ TLS 1.3 (enabled by default)
+
+3. **HSTS** (HTTP Strict Transport Security):
+   - ✅ Enable HSTS
+   - Max Age: 6 months (15768000 seconds)
+   - ✅ Include subdomains
+   - ❌ Preload (wait until stable, then enable)
+
+### Caching Rules
+
+**Static Assets** (CSS, JS, images):
+```
+Cache Level: Standard
+Browser Cache TTL: Respect Existing Headers
+Edge Cache TTL: 1 month
+```
+
+**API Endpoints** (`/api/*`):
+```
+Cache Level: Bypass
+(Don't cache API responses)
+```
+
+**Page Rules Example** (`blackroad.systems`):
+```
+Rule 1: *blackroad.systems/api/*
+  - Cache Level: Bypass
+  - Disable Apps
+  - Disable Performance
+
+Rule 2: *blackroad.systems/*.css
+  - Cache Level: Cache Everything
+  - Edge Cache TTL: 1 month
+  - Browser Cache TTL: 1 day
+
+Rule 3: *blackroad.systems/*.js
+  - Cache Level: Cache Everything
+  - Edge Cache TTL: 1 month
+  - Browser Cache TTL: 1 day
+
+Rule 4: www.blackroad.systems/*
+  - Forwarding URL: 301 redirect to https://blackroad.systems/$1
+```
+
+### Firewall Rules
+
+**Block known bots** (optional):
+```
+Field: User Agent
+Operator: contains
+Value: "BadBot|Scraper|AhrefsBot"
+Action: Block
+```
+
+**Rate Limiting** (protect API):
+```
+Field: URI Path
+Operator: starts with
+Value: /api/
+Rate: 100 requests per minute
+Action: Challenge (CAPTCHA)
+```
+
+### Security Headers
+
+**Via Cloudflare Workers** (optional, advanced):
+
+Create a Worker to add security headers:
+
+```javascript
+addEventListener('fetch', event => {
+  event.respondWith(handleRequest(event.request))
+})
+
+async function handleRequest(request) {
+  const response = await fetch(request)
+  const newHeaders = new Headers(response.headers)
+
+  // Security headers
+  newHeaders.set('X-Frame-Options', 'DENY')
+  newHeaders.set('X-Content-Type-Options', 'nosniff')
+  newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin')
+  newHeaders.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
+
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: newHeaders
+  })
+}
+```
+
+---
+
+## Verification Checklist
+
+After DNS setup for each domain:
+
+- [ ] **DNS Propagation**: Check with `dig <domain>` or https://dnschecker.org
+- [ ] **SSL Certificate**: Visit `https://<domain>` - should show valid cert (🔒)
+- [ ] **WWW Redirect**: Visit `https://www.<domain>` - should redirect to apex
+- [ ] **HTTP → HTTPS**: Visit `http://<domain>` - should redirect to HTTPS
+- [ ] **API Endpoint**: Test `curl https://<domain>/health` (if applicable)
+- [ ] **Cloudflare Analytics**: Check Cloudflare dashboard → Analytics tab
+
+---
+
+## Automation Script
+
+**File**: `scripts/cloudflare/sync_dns.py`
+
+```python
+#!/usr/bin/env python3
+"""
+Sync DNS records from ops/domains.yaml to Cloudflare
+
+Usage:
+  export CF_API_TOKEN="your-token"
+  export CF_ZONE_ID="your-zone-id"
+  python scripts/cloudflare/sync_dns.py
+"""
+
+import os
+import sys
+import yaml
+import requests
+from typing import Dict, List
+
+CF_API_TOKEN = os.getenv("CF_API_TOKEN")
+CF_ZONE_ID = os.getenv("CF_ZONE_ID")
+CF_API_BASE = "https://api.cloudflare.com/client/v4"
+
+def load_domains() -> Dict:
+    """Load domain config from ops/domains.yaml"""
+    with open("ops/domains.yaml") as f:
+        return yaml.safe_load(f)
+
+def get_existing_records(zone_id: str) -> List[Dict]:
+    """Fetch all DNS records for a zone"""
+    url = f"{CF_API_BASE}/zones/{zone_id}/dns_records"
+    headers = {
+        "Authorization": f"Bearer {CF_API_TOKEN}",
+        "Content-Type": "application/json"
+    }
+    response = requests.get(url, headers=headers)
+    response.raise_for_status()
+    return response.json()["result"]
+
+def create_dns_record(zone_id: str, record: Dict) -> Dict:
+    """Create a DNS record"""
+    url = f"{CF_API_BASE}/zones/{zone_id}/dns_records"
+    headers = {
+        "Authorization": f"Bearer {CF_API_TOKEN}",
+        "Content-Type": "application/json"
+    }
+    response = requests.post(url, headers=headers, json=record)
+    response.raise_for_status()
+    return response.json()["result"]
+
+def update_dns_record(zone_id: str, record_id: str, record: Dict) -> Dict:
+    """Update a DNS record"""
+    url = f"{CF_API_BASE}/zones/{zone_id}/dns_records/{record_id}"
+    headers = {
+        "Authorization": f"Bearer {CF_API_TOKEN}",
+        "Content-Type": "application/json"
+    }
+    response = requests.put(url, headers=headers, json=record)
+    response.raise_for_status()
+    return response.json()["result"]
+
+def sync_records():
+    """Sync DNS records from domains.yaml to Cloudflare"""
+    if not CF_API_TOKEN or not CF_ZONE_ID:
+        print("Error: CF_API_TOKEN and CF_ZONE_ID must be set")
+        sys.exit(1)
+
+    config = load_domains()
+    existing = get_existing_records(CF_ZONE_ID)
+
+    # Build index of existing records
+    existing_index = {
+        f"{r['type']}:{r['name']}": r for r in existing
+    }
+
+    for domain in config.get("domains", []):
+        if domain.get("mode") != "dns":
+            continue
+
+        record_data = {
+            "type": domain["record"]["type"],
+            "name": domain["name"],
+            "content": domain["record"]["value"],
+            "ttl": 1,  # Auto
+            "proxied": True  # Enable Cloudflare proxy
+        }
+
+        key = f"{record_data['type']}:{record_data['name']}"
+
+        if key in existing_index:
+            # Update existing
+            record_id = existing_index[key]["id"]
+            print(f"Updating: {key}")
+            update_dns_record(CF_ZONE_ID, record_id, record_data)
+        else:
+            # Create new
+            print(f"Creating: {key}")
+            create_dns_record(CF_ZONE_ID, record_data)
+
+    print("✅ DNS sync complete!")
+
+if __name__ == "__main__":
+    sync_records()
+```
+
+**Make executable**:
+```bash
+chmod +x scripts/cloudflare/sync_dns.py
+```
+
+---
+
+## Troubleshooting
+
+### DNS Not Resolving
+
+**Problem**: `dig blackroad.systems` returns no results
+
+**Solutions**:
+1. Check nameservers are updated at GoDaddy
+2. Wait 5-60 minutes for propagation
+3. Verify zone is "Active" in Cloudflare dashboard
+4. Check DNS records exist in Cloudflare
+
+### SSL Certificate Errors
+
+**Problem**: Browser shows "Not Secure" or certificate error
+
+**Solutions**:
+1. Check SSL/TLS mode is "Full (strict)" in Cloudflare
+2. Verify Railway app has valid SSL cert
+3. Check "Always Use HTTPS" is enabled
+4. Wait a few minutes for edge certificate provisioning
+
+### Site Not Loading
+
+**Problem**: Domain resolves but site doesn't load
+
+**Solutions**:
+1. Check Railway app is deployed and healthy
+2. Verify custom domain is added in Railway dashboard
+3. Check Railway logs for errors: `railway logs --service backend`
+4. Test Railway URL directly (e.g., `your-app.up.railway.app`)
+
+### Mixed Content Warnings
+
+**Problem**: Page loads but some assets show as insecure
+
+**Solutions**:
+1. Enable "Automatic HTTPS Rewrites" in Cloudflare
+2. Update hard-coded `http://` URLs to `https://` in code
+3. Use protocol-relative URLs: `//example.com/asset.js`
+
+---
+
+## Maintenance
+
+**Monthly**:
+- Review Cloudflare analytics
+- Check SSL certificate status
+- Review firewall logs (if WAF enabled)
+
+**Quarterly**:
+- Audit DNS records (remove unused)
+- Review page rules and caching
+- Update security headers if needed
+
+**Annually**:
+- Review Cloudflare plan (consider Pro if traffic grows)
+- Audit all domain registrations (renew at GoDaddy)
+- Review and update security policies
+
+---
+
+## References
+
+- **Cloudflare Docs**: https://developers.cloudflare.com/dns/
+- **Railway Custom Domains**: https://docs.railway.app/deploy/custom-domains
+- **DNS Checker**: https://dnschecker.org
+- **SSL Labs Test**: https://www.ssllabs.com/ssltest/
+
+---
+
+**This blueprint ensures all BlackRoad domains are properly configured with Cloudflare for optimal performance, security, and reliability.**