Hi! This is just my boring personal static blog ^w^
| Surface | Route |
|---|---|
| Production | https://transscendsurvival.org (Cloudflare Pages via proxied apex CNAME) |
| GitHub Pages rollback | https://jesssullivan.github.io / static/CNAME |
| Cloudflare Pages shadow | https://tss.tinyland.dev (development shadow) |
| Alternate Cloudflare shadow | https://tss.ephemera.tinyland.dev |
| Tailnet-only shadow | https://jesssullivan-blog-shadow.taila4c78d.ts.net |
| Tailnet vanity target | https://jesssullivan-blog-shadow.tailnet.tinyland.dev |
The build produces a static SvelteKit artifact. Tinyland snapshots and local
Markdown remain first-paint, no-JS, and regression fixtures; canonical blog and
Pulse display hydrates in the browser from the public Tinyland broker when it is
available. transscendsurvival.org is the production consumer today and is served
by Cloudflare Pages through the proxied apex CNAME. GitHub Pages stays available
as the rollback publisher.
flowchart LR
Posts["src/posts Markdown"] --> Mdsvex["mdsvex"]
TinylandPosts["Tinyland post snapshot fixture"] --> Ingest["fallback ingest check"]
PulseJson["Pulse public snapshot fixture"] --> PulseCheck["snapshot validator"]
Static["static assets"] --> Images["image optimization"]
Routes["SvelteKit routes"] --> Svelte["Svelte 5 compiler"]
Mdsvex --> Shiki["Shiki"]
Mdsvex --> Mermaid["Mermaid cache"]
Mdsvex --> Rehype["rehype cleanup"]
Ingest --> Prebuild["prebuild"]
Shiki --> Prebuild
Mermaid --> Prebuild
Rehype --> Prebuild
Images --> Prebuild
PulseCheck --> Prebuild
Prebuild --> Vite["Vite via Rolldown"]
Svelte --> Vite
Vite --> Tailwind["Tailwind v4"]
Vite --> Skeleton["Skeleton utilities"]
Vite --> A11y["a11y plugin"]
Tailwind --> Adapter["adapter-static"]
Skeleton --> Adapter
A11y --> Adapter
Adapter --> Build["build/"]
Build --> Redirects["redirect pages"]
Build --> Pagefind["Pagefind index"]
Build --> RuntimeHydration["browser runtime hydration"]
HubBlog["hub.tinyland.dev blog broker stream"] --> RuntimeHydration
HubPulse["hub.tinyland.dev Pulse public snapshot"] --> RuntimeHydration
RuntimeHydration --> Blog["/blog and /blog/[slug]"]
RuntimeHydration --> PulseRoute["/pulse"]
CvTex["CV TeX"] --> Tectonic["Tectonic PDF workflow"]
Browser icons are generated from https://github.com/Jesssullivan.png by
npm run icons:generate. The script pins the fetched source at
static/icons/favicon-source.jpg, writes the favicon/Apple/Android/maskable
PNG set, emits the multi-size favicon.ico, and keeps the web app manifest,
Safari mask, and Microsoft tile config in static/.
flowchart LR
PR["PR to main"] --> CI["CI"]
Main["main push"] --> CI
CI --> Scan["secret scan"]
Scan --> Audit["prod dependency audit"]
Audit --> Lint["lint"]
Lint --> Check["svelte-check and validators"]
Check --> Unit["Vitest"]
Unit --> Pulse["pulse-core and pulse-client"]
Pulse --> Agent["blog-agent"]
Agent --> Build["npm run build"]
Build --> StaticChecks["redirect, frontmatter, link, bundle checks"]
StaticChecks --> Browser["Playwright smoke or regression"]
Browser --> Lighthouse["Lighthouse report-only"]
Main --> Pages["GitHub Pages deploy"]
Pages --> Prod["transscendsurvival.org"]
Pages --> Profile["profile refresh dispatch"]
Main --> CfShadow["Cloudflare Pages shadow"]
CfShadow --> Tss["tss.tinyland.dev"]
CfShadow --> Ephemera["tss.ephemera.tinyland.dev"]
PR --> Preview["shadow preview"]
Preview --> SourceImage["public source image"]
SourceImage --> PrivateMirror["private deploy mirror"]
PrivateMirror --> Tailnet["jesssullivan-blog-shadow.taila4c78d.ts.net"]
This repo still uses the npm/SvelteKit workflow for normal local development and deployment. CI also carries a blocking GloriousFlywheel Bazel lane on the tinyland-dind ARC runner so check, test, and Chromium e2e coverage are not proven only by local npm/npx commands.
npm run remote:check,npm run remote:test, andnpm run remote:e2eroute throughscripts/bazel-cache-backed.sh, which refuses to run without a validBAZEL_REMOTE_CACHEand the expected GloriousFlywheel substrate mode.- Local developer shells attach through the endpoint-free GloriousFlywheel front-door kit (
justfile.flywheelplus.bazelrc.flywheel). The managed Nix/Home Manager profile is the preferred source ofBAZEL_REMOTE_CACHEand auth metadata; a gitignored.env.flywheel.localgenerated byjust flywheel-enroll ...is only the fallback fixture, and is sourced by both.envrcandscripts/bazel-cache-backed.sh. - GitHub CI runs the Bazel lane on
tinyland-dindand refuses to run the RBE gate unlessBAZEL_REMOTE_EXECUTORandBAZEL_REMOTE_CACHEare attached by the ARC runner environment. Before the strict gate, CI exchanges GitHub Actions OIDC with the GF token exchange and writes the short-lived cell JWT toGF_REAPI_CREDENTIAL_HELPER_TOKEN_FILE. - In executor-backed mode, the wrapper uses the executor endpoint as Bazel's effective REAPI CAS/cache by default so remote Execute can read uploaded action/input digests. This profile disables remote cache compression for the current GF proof cell and gives remote actions writable GF worker cache paths.
BAZEL_REMOTE_EXECUTOR_CACHEcan override the cache endpoint only when a separate executor-readable CAS is wired. gf-reapi-cellendpoints also require scoped Bazel credential-helper auth.scripts/bazel-cache-backed.shattachesscripts/gf-reapi-bazel-credential-helper.mjsonly for the GF REAPI host, and the helper reads a short-lived JWT fromGF_REAPI_CREDENTIAL_HELPER_TOKEN_FILE,GF_REAPI_CREDENTIAL_HELPER_TOKEN, or the projected-token file at/var/run/secrets/tokens/gf-reapi-cell-token.- The CI lane sets
BAZEL_REMOTE_INSTANCE_NAME=defaultfor the current GF tenant. Literal shell placeholders are rejected before Bazel starts. //:sveltekit_checkruns the SvelteKit check path under Bazel.//static/cv:pdfs_synced_testbyte-compares the checked-in resume/CV PDFs against the Bazel-builtspear_resumesoutputs;.bazelrcpinsSOURCE_DATE_EPOCHandTZso Tectonic output stays reproducible across local sync, CI, and GF RBE.//:vitest_unit_testswraps the root and Pulse Vitest suites throughvitest.bazel.config.ts.//:blog_agent_node_testswraps the blog-agentnode:testsuite throughtsx --test.//:sveltekit_vite_build_smokeruns a copied-workdir SvelteKit/Vite production build smoke. It proves the build target class, not the full npm prebuild/postbuild publication chain.//:playwright_chromium_e2eruns the Chromium Playwright e2e suite through Bazel against the pinned GloriousFlywheel Chromium runtime path.//:playwright_chromium_smokeremains a narrow diagnostic target for browser runtime authority, not the remote e2e gate.//:puppeteer_chromium_smokelaunches Puppeteer against the same pinned Chromium runtime path. It proves Puppeteer can consume browser runtime authority without lifecycle downloads.package-lock.jsonremains the npm dependency authority for the app.pnpm-workspace.yamlmakes the package importers explicit for Bazel, andpnpm-lock.yamlis the generatedrules_jslock consumed by Bazel.- Bazel npm lifecycle hooks skip Playwright and Puppeteer browser downloads. Browser-backed RBE must use the pinned worker Chromium path rather than downloading browsers during proof actions.
- GloriousFlywheel proof runs use the external GF REAPI proof harness or the repository
remote:*scripts against this public repo checkout; remote cache hits, hosted runners, and shared-cache-only execution do not count as RBE.
Current boundary: this gates Bazel check/test/Chromium-e2e and CV PDF sync drift under GloriousFlywheel. Deployment still publishes the SvelteKit static artifact through the existing Pages workflows.
transscendsurvival.org is served by Cloudflare Pages at the apex and www,
with Cloudflare as the registrar, DNS authority, and DNSSEC signer as of
2026-06-23 (the registration moved off DreamHost). The declared Cloudflare zone
keeps both the apex and www as proxied CNAMEs to
transscendsurvival-org.pages.dev; www serves the blog with a canonical link
to the apex. DNSSEC is active — Cloudflare Registrar publishes the parent DS.
npm run test:production-health checks delegated authoritative DNS, major public
resolvers, direct HTTPS against resolved IPv4 targets, apex/www HTTPS responses
and redirects, live responses for the homepage plus slashless and trailing-slash
blog routes, the Tinyland blog broker contract, and browser hydration on /blog.
At the authoritative layer, apex and www must both expand to public A/AAAA
answers (Cloudflare anycast) for visitors. The Cloudflare DNS drift workflow
separately asserts the exact apex and www CNAME targets and proxy posture.
The static build keeps slashless canonical URLs but emits directory-index aliases
so copied, normalized, or legacy trailing-slash links do not 404. The
Production Health workflow runs every 30 minutes and also verifies the latest
github-pages deployment SHA matches main. When NTFY_TOPIC_URL and optional
NTFY_TOKEN repository secrets are configured, it mirrors production-health and
stale-deploy failures to the same ntfy topic used by the DNS guard Worker before
failing the job. To prove alert delivery without breaking the site, manually run
Production Health with send_ntfy_smoke=true; that sends a harmless ntfy smoke
notification and then runs the normal health checks.
This monitoring catches missing A/AAAA records, split-brain authority during
DNS changes, stale Cloudflare proxy targets that fail TLS, broken redirects, and
blog hydration regressions. The DNS drift workflow catches record-level drift
against infra/cloudflare/zone.json.
If production-health is red while apex routes and broker hydration pass, do not weaken the checks. Reconcile live DNS/serving against docs/runbooks/dns-cutover-and-rollback.md or change the desired posture in review first.
Bot-generated stats commits do not naturally trigger recursive GitHub Actions
deploys, so content-stats.yml explicitly dispatches deploy-pages.yml after
it pushes refreshed generated artifacts.
flowchart LR
Author["Jess edits greymatter in tinyland.dev"] --> Tinyland["tinyland.dev content authority"]
Tinyland --> HubStream["hub.tinyland.dev broker stream"]
HubStream --> RuntimeBlog["/blog runtime hydration"]
Tinyland --> StaticSnapshots["checked snapshot fixtures"]
StaticSnapshots --> FirstPaint["static first paint and no-JS fallback"]
SourceRepo["legacy source repo posts"] --> Notify["repository_dispatch"]
Notify --> Collect["collect-posts workflow"]
Collect --> DraftPR["draft fallback PR"]
DraftPR --> Human["review before merge"]
Cross-repo collection is legacy/static intake for fallback content. It is not the primary authoring path for Tinyland-managed posts.
flowchart TB
TinylandEditor["tinyland.dev blog editor"] --> Greymatter["content/users/jesssullivan greymatter"]
Greymatter --> BlogBroker["hub.tinyland.dev blog broker stream"]
BlogBroker --> BlogRuntime["production + shadow /blog and /blog/[slug] runtime display"]
PulseBroker["Tinyland Pulse broker/public policy"] --> PulseSnapshot["hub.tinyland.dev Pulse public snapshot"]
PulseSnapshot --> PulseRuntime["CF Pages /pulse runtime refresh"]
StaticFixtures["checked-in snapshots and src/posts"] --> FirstPaint["static first paint/fallback"]
FirstPaint --> BlogRuntime
FirstPaint --> PulseRuntime
BlogBroker --> DisplayOnly["brokered display only"]
PulseSnapshot --> DisplayOnly
DisplayOnly --> NotFederation["not public Fediverse delivery"]
ApLab["/pulse/client/brokered-stream"] --> ApDemo["AP-shaped hidden lab demo"]
ApDemo --> NotFederation
HubDiscovery["hub.tinyland.dev WebFinger and NodeInfo"] --> DiscoveryOnly["public discovery/projection metadata"]
DiscoveryOnly --> NotFederation
stateDiagram-v2
[*] --> draft
draft --> accepted: submit
draft --> failed: fail
accepted --> queued: queue
accepted --> public_projected: project_public
accepted --> hidden: mark_hidden
accepted --> updated: supersede
accepted --> failed: fail
queued --> enriched: enrich
queued --> failed: fail
enriched --> public_projected: project_public
enriched --> hidden: mark_hidden
enriched --> updated: supersede
enriched --> failed: fail
public_projected --> updated: supersede
public_projected --> deleted: delete_public
public_projected --> failed: fail
hidden --> updated: supersede
hidden --> failed: fail
updated --> failed: fail
deleted --> tombstoned: tombstone
deleted --> failed: fail
tombstoned --> [*]
failed --> [*]