ci: add Cloudflare Pages deploy as canonical host

- new deploy-cloudflare.yml: full Bun + Rust/wasm build with typecheck/lint
  gates, SPA _redirects fallback, deploys project torena-sim
- point suggestion-bot CORS ALLOWED_ORIGIN at torena-sim.pages.dev
- document Cloudflare as canonical host + required CF secrets

Author: jalbarrang

.github/workflows/deploy-cloudflare.yml

@@ -0,0 +1,77 @@
+name: Deploy to Cloudflare Pages
+
+on:
+  # Run after Versioning so semantic-release has created the release tag before
+  # changelog:generate reads git history for the in-app changelog.
+  workflow_run:
+    workflows: [Versioning]
+    types: [completed]
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: cloudflare-pages
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    name: Deploy to Cloudflare Pages
+    runs-on: ubuntu-latest
+    env:
+      VITE_PUBLIC_POSTHOG_KEY: ${{ secrets.VITE_PUBLIC_POSTHOG_KEY }}
+      VITE_PUBLIC_POSTHOG_HOST: ${{ vars.VITE_PUBLIC_POSTHOG_HOST }}
+      # Cloudflare Pages serves at the domain root, so no base path.
+      VITE_BASE_PATH: /
+      VITE_SITE_URL: https://torena-sim.pages.dev
+      VITE_SUGGESTION_WORKER_URL: ${{ vars.VITE_SUGGESTION_WORKER_URL }}
+      VITE_TURNSTILE_SITE_KEY: ${{ vars.VITE_TURNSTILE_SITE_KEY }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Setup Rust toolchain (wasm32)
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-unknown-unknown
+
+      - name: Cache Rust build
+        uses: swatinem/rust-cache@v2
+        with:
+          workspaces: packages
+
+      - name: Install wasm-pack
+        uses: jetli/wasm-pack-action@v0.4.0
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Generate changelog for build
+        run: bun run changelog:generate
+
+      - name: Run type check
+        run: bun run typecheck
+
+      - name: Run linter
+        run: bun run lint
+
+      - name: Build app
+        run: bun run build
+
+      - name: Add SPA fallback for client-side routing
+        run: printf '/*    /index.html    200\n' > dist/_redirects
+
+      - name: Deploy to Cloudflare Pages
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: pages deploy dist --project-name=torena-sim --branch=main

.github/workflows/deploy-netlify.yml

@@ -0,0 +1,55 @@
+name: Deploy to Netlify
+
+on:
+  # Run after Versioning so semantic-release has created the release tag before
+  # changelog:generate reads git history for the in-app changelog.
+  workflow_run:
+    workflows: [Versioning]
+    types: [completed]
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: netlify
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    name: Deploy to Netlify
+    runs-on: ubuntu-latest
+    env:
+      VITE_PUBLIC_POSTHOG_KEY: ${{ secrets.VITE_PUBLIC_POSTHOG_KEY }}
+      VITE_PUBLIC_POSTHOG_HOST: ${{ vars.VITE_PUBLIC_POSTHOG_HOST }}
+      VITE_SITE_URL: https://sundays-shadow.netlify.app
+      VITE_SUGGESTION_WORKER_URL: ${{ vars.VITE_SUGGESTION_WORKER_URL }}
+      VITE_TURNSTILE_SITE_KEY: ${{ vars.VITE_TURNSTILE_SITE_KEY }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Generate changelog for build
+        run: bun run changelog:generate
+
+      - name: Build app
+        run: bun run build
+
+      - name: Copy netlify.toml to dist
+        run: cp netlify.toml dist/
+
+      - name: Deploy to Netlify
+        uses: nwtgck/actions-netlify@v3
+        with:
+          publish-dir: ./dist
+          production-deploy: true
+        env:
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}

README.md

@@ -56,13 +56,15 @@ See [docs/data-extraction/data-pipeline.md](docs/data-extraction/data-pipeline.m
 
 Production deploys run automatically on every push to `main` (rolling releases). GitHub Releases from [semantic-release](https://github.com/semantic-release/semantic-release) are for changelog/tags only and do not trigger deploys.
 
-Deployment target:
+The canonical app is hosted on **Cloudflare Pages**. GitHub Pages and Netlify are kept only as 301 redirects to the canonical domain so legacy inbound links don't break.
 
-| Target           | Workflow                               | URL                                |
-| ---------------- | -------------------------------------- | ---------------------------------- |
-| **GitHub Pages** | `.github/workflows/deploy-pages.yml`   | Configured in repo Pages settings  |
+| Target               | Role        | Workflow                                | URL                                |
+| -------------------- | ----------- | --------------------------------------- | ---------------------------------- |
+| **Cloudflare Pages** | Canonical   | `.github/workflows/deploy-cloudflare.yml` | https://torena-sim.pages.dev       |
+| **GitHub Pages**     | 301 redirect | `.github/workflows/deploy-pages.yml`    | Configured in repo Pages settings  |
+| **Netlify**          | 301 redirect | `.github/workflows/deploy-netlify.yml`  | https://sundays-shadow.netlify.app |
 
-The workflow can also be triggered manually via `workflow_dispatch`.
+Only Cloudflare Pages runs the full build (incl. the Rust/wasm engine). The two redirect workflows publish a tiny static redirect and do not build the app. All workflows can also be triggered manually via `workflow_dispatch`.
 
 ### Versioning
 
@@ -87,6 +89,10 @@ Use `DATA_UPDATE_PAT` as `GITHUB_TOKEN` for local releases.
 | Name                       | Type     | Used by                                                          |
 | -------------------------- | -------- | ---------------------------------------------------------------- |
 | `DATA_UPDATE_PAT`          | Secret   | `versioning.yml` — PAT for semantic-release (push tags, releases) |
+| `CLOUDFLARE_API_TOKEN`     | Secret   | Cloudflare Pages deploy (scope: *Cloudflare Pages → Edit*)                                                |
+| `CLOUDFLARE_ACCOUNT_ID`    | Secret   | Cloudflare Pages deploy (also used by the suggestion-bot Worker)                                          |
+| `NETLIFY_AUTH_TOKEN`       | Secret   | Netlify redirect deploy                                                                                   |
+| `NETLIFY_SITE_ID`          | Secret   | Netlify redirect deploy                                                                                   |
 | `VITE_PUBLIC_POSTHOG_KEY`  | Secret   | Build-time analytics key                                                                                  |
 | `VITE_PUBLIC_POSTHOG_HOST` | Variable | Build-time analytics host                                                                                 |
 | `VITE_BASE_PATH`           | Variable | GitHub Pages base path                                                                                    |

netlify.toml

@@ -0,0 +1,4 @@
+[[redirects]]
+from = "/*"
+to = "/index.html"
+status = 200

workers/suggestion-bot/README.md

@@ -36,7 +36,7 @@ wrangler login
 ```
 
 Set the app origin(s) in `wrangler.jsonc` → `vars.ALLOWED_ORIGIN`. Multiple origins are
-comma-separated, e.g. `https://jalbarrang.github.io`. The
+comma-separated, e.g. `https://torena-sim.pages.dev,https://jalbarrang.github.io`. The
 Worker echoes back whichever origin matches the request (CORS requires a single concrete origin)
 and rejects browser requests from origins not on the list.
 

workers/suggestion-bot/wrangler.jsonc

@@ -14,7 +14,7 @@
 
   // Public, non-secret config. Comma-separated list of app origins allowed via CORS.
   "vars": {
-    "ALLOWED_ORIGIN": "https://jalbarrang.github.io"
+    "ALLOWED_ORIGIN": "https://torena-sim.pages.dev,https://jalbarrang.github.io"
   }
 
   // ── Secrets (set via `wrangler secret put <NAME>`, never commit) ──