Context
detached-node.dev serves directly from Google Cloud Run (us-west1) with no CDN. Two consequences:
- No AI Bot Activity visibility in Microsoft Clarity. Clarity's Bot Activity dashboard (which tracks GPTBot, ClaudeBot, PerplexityBot, CCBot, etc., per-page and per-frequency) requires a connected CDN — Fastly, CloudFront, or Cloudflare. Currently invisible: we cannot see which AI crawlers are hitting which pages or how often. See https://learn.microsoft.com/en-us/clarity/ai-visibility/bot-activity-overview.
- Global TTFB suboptimal. Cloud Run runs only in us-west1. EU/APAC visitors pay full transcontinental round-trip on every uncached request.
Plan and cost. The Clarity ↔ Cloudflare integration uses Cloudflare LogPush, which Microsoft's own cost-considerations doc notes is "typically available on paid plans and might have usage-based pricing" (https://learn.microsoft.com/en-us/clarity/ai-visibility/cost-considerations-bot-activity-integrations). LogPush to HTTPS destinations requires Cloudflare Pro plan (~$25/month) or higher. Free tier covers the proxy/TTFB/DDoS half, but not the AI Bot Activity unlock. This issue assumes Pro and budgets accordingly.
Out of scope
- Cloudflare Workers, R2, D1 — proxy + DNS + LogPush only
- Page Rules / Transform Rules tuning — baseline only; defer optimization
- WAF rules beyond Pro-tier defaults — defer
- Plan upgrades beyond Pro unless LogPush destination requires it (revisit if so)
Plain-English explanation
- What: Put Cloudflare in front of the site so AI bot traffic becomes visible in Clarity's Bot Activity dashboard and global users get faster page loads. Also lock down the Cloud Run origin so bots can't bypass the CDN.
- Why now: Bot Activity is the biggest blind spot in AI-discovery measurement — without a CDN, we cannot see which AI crawlers visit. Without origin lockdown, the numbers we do see would be incomplete by an unknown margin.
- Cost: ~$25–30/mo on Cloudflare Pro for the LogPush feature that powers the Clarity integration. Free tier is insufficient per Microsoft's own docs.
- Risk: Medium during DNS migration window (brief but visible) — mitigated by mirroring all records at Cloudflare before flipping NS. Cloudflare proxy adds <50ms first-byte for cache misses but improves p99 on geographic edges. Worst case: revert by disabling the orange cloud proxy and flipping NS back to Vercel.
- Validation: Bot Activity dashboard populates within 48 hours of LogPush activation. cf-ray header present in production responses. Non-Cloudflare requests to the *.run.app origin return 403/timeout.
Note: This is primarily an ops task — DNS migration + dashboard setup + Clarity integration + origin lockdown — with minimal code changes. An implementer subagent may help with the docs/deployment.md update and any Cloud Run middleware for IP filtering; the DNS/dashboard steps are Julian-direct.
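One way to write the Cloud Run IP-filtering middleware mentioned in the note above, as an added example (not code from this repository). It assumes Cloud Run appends the connecting peer's address as the last X-Forwarded-For entry, so only the rightmost entry is trusted; the function and class names and the short range list are illustrative.

```python
import ipaddress

# Constructed subset of the edge ranges Cloudflare publishes; assumption: the
# real deployment loads the full current list from https://www.cloudflare.com/ips/
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]


def connecting_ip(xff):
    """Rightmost X-Forwarded-For entry (assumed appended by Cloud Run), or None.

    Entries further left are client-controlled and must not be trusted.
    """
    if not xff:
        return None
    try:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    except ValueError:
        return None


def is_from_cloudflare(xff, ranges=CLOUDFLARE_RANGES):
    ip = connecting_ip(xff)
    # A v4 address is never "in" a v6 network and vice versa, so mixing is safe.
    return ip is not None and any(ip in net for net in ranges)


class CloudflareOnly:
    """Hypothetical WSGI middleware: 403 unless the request came via Cloudflare."""

    def __init__(self, app, ranges=CLOUDFLARE_RANGES):
        self.app, self.ranges = app, ranges

    def __call__(self, environ, start_response):
        if is_from_cloudflare(environ.get("HTTP_X_FORWARDED_FOR"), self.ranges):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]


if __name__ == "__main__":
    # Constructed header values (documentation-range visitor addresses).
    samples = {
        "via Cloudflare": "203.0.113.9, 173.245.48.10",
        "direct to *.run.app": "198.51.100.7",
        "direct, spoofed left entry": "173.245.48.10, 198.51.100.7",
    }
    for label, xff in samples.items():
        print(f"{label:28} -> {'allow' if is_from_cloudflare(xff) else '403'}")
```

Confirm the header order on the deployed service before relying on the rightmost-entry rule.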
Acceptance criteria
- detached-node.dev on Pro plan (or higher if needed for LogPush destination)
- dig @<cloudflare-ns> <record> before NS change
- *.run.app hostname is discoverable via certificate transparency logs, so bots that find it can bypass Cloudflare entirely):
- curl -v https://<service>-<hash>-uw.a.run.app/ from a non-Cloudflare IP returns 403 or times out
- curl -sI https://detached-node.dev/ (via Cloudflare) still returns 200
- curl -sI https://detached-node.dev/ shows server: cloudflare and a cf-ray header
- curl https://detached-node.dev/sitemap.xml returns the sitemap intact
- curl https://detached-node.dev/robots.txt returns robots.txt intact
- docs/deployment.md