V1 setup checklist
Use this checklist when real accounts and credentials are available. The repository can ship the static Astro shell and docs now; V1 product behavior starts when Supabase, Cloudflare media services, and api.ui.plan.ai are wired behind the documented contracts.
Static Cloudflare Pages shell
- Connect the repository to Cloudflare Pages.
- Build command: pnpm build.
- Build output directory: dist.
- Root directory: /.
- Production branch: main.
- Node version: 24.15.0 from .node-version.
- Keep _redirects in root public/; do not write generated docs output by hand.
The root app remains static. Browser sessions read dynamic product state through Supabase RLS and call Agent API ingress through Supabase Edge Functions.
Supabase project
Create one Supabase project for each environment that needs isolated data.
- Enable Supabase Auth with PKCE redirects for https://ui.plan.ai/ and http://localhost:4321/ for local main-app development.
- Apply the Supabase SQL plan as migrations before adding application code.
- Create the private originals bucket named in config/project.config.json.example.
- Deploy Edge Functions for Agent API ingress, API-key verification, idempotency checks, frame submissions, media-upload creation, and webhook handling.
- Store server-only secrets in Supabase Edge Function secrets, not in client-side env variables.
- Verify RLS policies with team member, trusted agent, and anonymous public-reader sessions.
Cloudflare Images and Stream
Provision media delivery after Supabase Storage and the frame submission contract are in place.
- Create Cloudflare Images variants for review, public, and thumbnail views, then update the project config when final names are known.
- Create Cloudflare Stream upload and playback policy for large video.
- Generate scoped API tokens for Images and Stream; keep them server-only.
- Decide webhook endpoints for Stream processing events before enabling public video playback.
- Revisit byte, duration, and variant limits after real account limits are visible.
Agent API domain
The public contract uses https://api.ui.plan.ai/v1.
- Choose whether the domain points directly at Supabase Edge Functions or through Cloudflare routing.
- Configure DNS and TLS before issuing agent API keys.
- Keep the OpenAPI server URL and docs examples aligned with the deployed domain.
- Confirm CORS for the workbench origin and trusted agent tooling.
Environment variables
Start from env.example. Public PUBLIC_* values can be copied into local Astro .env files. Server-only values belong in Supabase Edge Function secrets, or in local Supabase function environment files only while running functions locally.
| Name | Scope | Notes |
|---|---|---|
| PUBLIC_SUPABASE_URL | Browser | Supabase project URL. |
| PUBLIC_SUPABASE_ANON_KEY | Browser | Public anon key used with RLS. |
| PUBLIC_AGENT_API_BASE_URL | Browser | Defaults to https://api.ui.plan.ai/v1. |
| SUPABASE_SERVICE_ROLE_KEY | Server only | Edge Function secret; never expose to the browser. |
| CLOUDFLARE_ACCOUNT_ID | Server only | Used by Edge Functions or deploy tooling. |
| CLOUDFLARE_IMAGES_API_TOKEN | Server only | Scoped Images token. |
| CLOUDFLARE_STREAM_API_TOKEN | Server only | Scoped Stream token. |
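
One way to check a local Astro .env file against the scope column above, as an added example that is not part of this repository. The helper names (parseEnv, jwtRole, auditAstroEnv, fakeKey) are hypothetical, and the role check assumes JWT-format Supabase keys that carry a role claim of anon or service_role.

```javascript
// Server-only names from the table above; none of them belongs in an Astro .env file.
const SERVER_ONLY = [
  "SUPABASE_SERVICE_ROLE_KEY", "CLOUDFLARE_ACCOUNT_ID",
  "CLOUDFLARE_IMAGES_API_TOKEN", "CLOUDFLARE_STREAM_API_TOKEN",
];

// Minimal KEY=VALUE parser: skips blank lines and comments, strips surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

// Returns the "role" claim when the value parses as a JWT-format key, else null.
// No signature check: this classifies a key, it does not authenticate it.
function jwtRole(value) {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof claims.role === "string" ? claims.role : null;
  } catch {
    return null; // not JSON, so not a JWT payload
  }
}

// Flags server-only names and service_role keys found in browser-scoped env text.
function auditAstroEnv(text) {
  const findings = [];
  for (const [name, value] of Object.entries(parseEnv(text))) {
    if (SERVER_ONLY.includes(name)) {
      findings.push(`${name}: server-only value in a browser-scoped env file`);
    }
    if (name.startsWith("PUBLIC_") && jwtRole(value) === "service_role") {
      findings.push(`${name}: value is a service_role key`);
    }
  }
  return findings;
}

// Constructed sample: JWT-shaped strings with a fake signature, not real keys.
const fakeKey = (role) => ["{}", JSON.stringify({ role }), "sig"]
  .map((part) => Buffer.from(part).toString("base64url")).join(".");
const SAMPLE_ENV = [`PUBLIC_SUPABASE_ANON_KEY=${fakeKey("service_role")}`,
  "CLOUDFLARE_STREAM_API_TOKEN=constructed-token"].join("\n");
console.log(auditAstroEnv(SAMPLE_ENV));
```

Run it against the file contents before building, and treat any finding as a reason to rotate the affected key as well as remove it from the file.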
Project config
Copy config/project.config.json.example to config/project.config.json when implementation begins. Keep values config-driven and validate the shape against the project config schema. The environment-specific config/project.config.json file is gitignored.
Do not commit production secrets or account-specific private values. Public limits, bucket names, variant names, and default approval behavior may be committed once they are stable.
After deploying the static shell, smoke-test /v1-status.json to confirm the app can expose contract links, public routes, and whether public Supabase env values are configured.