CampaignForge + ContentForge

Cloudflare Access cannot pre-gate a Pages custom domain during initial SSL provisioning. The ACME HTTP-01 challenge to /.well-known/acme-challenge/* is intercepted by the Access gate, blocking Google CA cert issuance. Workaround: delete the Access app → let cert issue (~15s once unblocked) → recreate the Access app. Brief public window is acceptable when the URL isn't advertised yet. Order-of-operations trap — gate pre-seeding doesn't work end-to-end for brand-new hostnames.

Pages.dev hostnames can't have direct Access apps. They belong to Cloudflare's shared zone owned by Cloudflare itself, not your account. Error 12130 "domain does not belong to zone". Always bind a custom subdomain from a zone in the same account as the Pages project, then gate the custom subdomain. The raw .pages.dev URL stays public and needs a separate noindex mechanism.

GitHub repo is locked to one CF account at a time. Disconnecting the CF Pages GitHub App from a repo does NOT clear CF's internal account-repo binding — only deleting the Pages project in the other account fully frees the repo. Error 8000093 means: "delete the conflicting project." Don't try to disconnect the GitHub App as a shortcut; check which account currently owns the binding and do cleanup there first.

CF doesn't support account merging. Manual migration: zones move cleanly via "Move Domain" (preserves all DNS records, no nameserver change); Pages/Workers/R2/KV/D1 must be recreated in target (destructive, lose history). Pick master by which account holds the most infrastructure, not the most domains. Moving a zone that has a bound Pages custom domain BREAKS that binding until the Pages project is re-homed to match — coordinate those two migrations together.

Canonical tag is advisory, not authoritative. Google may still crawl and index .pages.dev URLs despite <link rel="canonical"> pointing to production. Host-scoped X-Robots-Tag: noindex via Pages public/_headers is the authoritative signal. Don't rely on canonical alone for indexing control.

DNS on a prod zone is safe for new subdomains — but verify no wildcards first. Adding a new subdomain CNAME is isolated from root/www/MX records. But if the zone has a wildcard CNAME (*.example.com), an explicit new record overrides the wildcard for that host — could surprise downstream systems. Always grep DNS list for wildcards before committing new records to a prod zone.

After session compaction, restate the intended next action before producing substantive artifacts. Session #18 opened with the system-start context pointing at a Phase 2 Session 2 bootstrap prompt; agent assumed that meant "execute now" and produced a 260-line canonical tool spec. Operator was mid-Cloudflare-work from the prior session and confused by the pivot. Better pattern: after compact, briefly surface the ambiguous thread ("X was queued before compact, Y was just referenced — which one?") and await explicit confirmation before producing substantive artifacts. The work wasn't wasted (the EFC spec becomes the template for remaining 9), but the redirect cost a full round-trip of context.

Compliance is an angle-generation input, not a guardrail. The restricted-claims list is literally the cheat sheet for what converts — each restriction exists because the underlying psychological desire converts hard. Map every restriction to its desire family, the Layer-1 triggers that deliver that desire, and the tool-backed compliant framing that lands harder than the non-compliant original.

Disclaimers are conditional on ad-claim content, not platform/format. Tool-discovery framing ("See what you could qualify for") makes no standalone claim — the tool + 2–3K-word article lander carries all required disclosures with cited sources and freshness dates. In-ad disclaimers only trigger when the ad itself makes a specific claim (dollar amount, named government program, income claim). Tool-discovery framing is simultaneously the best-CTR AND most-compliant framing — not a coincidence.

Proprietary rankings from public gov data beats third-party whitelist. College Scorecard + IPEDS + BLS + VA data let us build our own defensible ranking system with full methodology transparency. No usage-rights gating, no publication bias, no expiration. Essentially "US News for online education" built from public gov data — an angle space competitors can't replicate.

Pattern-detect meta-specs. Three distinct questions (IPEDS cache, proprietary rankings, BLS wage refresh) had the same structural answer: authority-tier data cache with freshness tracking, cron-refreshed, read by Phase 5 with automated staleness halts. Consolidating into one authority-data-cache infrastructure spec beats three separate specs that repeat the same logic.

Persona re-load has empirical basis. Not superstition — output quality degrades every 4–5 turns as attention weight on the persona decays relative to accumulated context. Re-reading restores signal strength via token recency + repetition. CLAUDE.md now codifies: reload on strategic triggers + every ~5 turns in long sessions + every natural phase boundary. NOT every turn (wasteful, dilutes attention on actual work).

Tool-discovery framing is the workflow cheat-code. The same pattern that solves compliance (route substantiation to lander) also solves CTR (no in-ad disclaimer drag) and lead quality (friction-as-feature qualifies users). Three optimization goals aligned in one architectural choice.

Diagnose before adding. Session surfaced that Firecrawl skill wasn't firing, continuous-learning-v2 looked dormant, session-end was manual. Diagnosis revealed: Firecrawl was CLI-skill-vs-MCP-mismatch (fixable by rewiring deep-research); continuous-learning-v2 had 7.7MB of observations accumulated but observer.enabled: false was blocking the analysis phase (one config flag fix); session-end was genuinely manual (built scripts/session-end.sh safe multi-repo helper). Don't install — diagnose first. Most "missing" capabilities are broken capabilities.

Agents process early rules more heavily: Adding HARD RULES blocks at the top of each skill file ensures non-negotiable constraints are in the "hot zone" of agent attention. Rules buried mid-document get diluted by accumulated context.

Decision trees > prose guidance: Converting "consider X when Y" into "IF X THEN Y, OTHERWISE Z" produces more reliable agent behavior. Agents follow explicit branches; they interpret flexible guidance flexibly (which means inconsistently).

Anti-patterns are as powerful as patterns: Showing agents what NOT to produce (with concrete BAD examples and WHY explanations) creates hard boundaries. Without anti-patterns, agents gravitate toward "safe" generic output that passes no rules but also creates no value.

Subagent permissions are session-scoped, not inherited: Adding permissions to settings.local.json or project settings doesn't reliably propagate to subagents in don't-ask mode. Python/Bash fallback for file writes is the workaround. Some agents succeed, some don't — the behavior is inconsistent and needs investigation.

Sweet spot is 3-4 parallel agents: Beyond 4, prompt quality drops and merge review gets sloppy. The real constraint is file isolation, not compute. With 3 repos, the ceiling is ~5 agents if file boundaries are clean.

Feature branches prevent same-repo conflicts: Agents C and D in campaignforge-app worked on separate branches (feat/cost-session-manager, feat/pipeline-orchestrator), then merged sequentially. Zero conflicts.

Independent agents can converge on identical fixes: Both the a11y and Lighthouse agents independently identified and fixed the same CSS cascade issue (@layer base wrapping, :where() scoping) with byte-identical diffs. Merge was clean because Git detected identical changes.

CAPI Worker type errors are IDE-only: Cloudflare Workers have their own tsconfig with @cloudflare/workers-types. The IDE picks up the root tsconfig which doesn't know about Request/Response/fetch globals. Not real errors.

MDX body_html requires JSX-safe formatting: Raw HTML from JSON has nested block elements on same lines, bare <br> tags, and ~ chars parsed as strikethrough. Conversion script needed multi-pass formatting: self-close void tags, escape tildes to ~, and split every block element onto its own line.

Astro dynamic components need static imports: client:visible hydration fails with dynamic component references (NoMatchingImport). Must use conditional static rendering: {tc === 'EFCCalculator' && <EFCCalculator client:visible />}.

Parallel agents for tool implementations: 4 agents dispatched simultaneously, each handling 2-3 tools. All completed in ~17 minutes. Logic/data separation (*.logic.ts, *.data.ts) enabled clean parallelization with zero merge conflicts.

Astro 5 Content Layer API: entry.render() is gone. Use import { render } from 'astro:content' then render(entry). Content collections need glob() loader from astro/loaders.

shadcn-svelte + Tailwind v4: @apply border-border fails — Tailwind v4 doesn't know custom vars via @apply. Use @theme inline to declare all HSL color vars, then use raw CSS instead of @apply for base styles.

shadcn-svelte components need WithElementRef: The cn utility must also export WithElementRef and WithoutChildrenOrChild types for sidebar/rail components.

MDX in Content Collections: HTML (tables, callouts, step-lists) works inline in MDX. No need to convert to custom components yet — the prose CSS styles handle it.

Astro 5 Content Collections: Uses src/content.config.ts (not src/content/config.ts). The z import from astro:content shows deprecation warnings.

Tailwind v4: No tailwind.config.ts needed. Uses @tailwindcss/vite plugin. The @astrojs/tailwind integration conflicts — use the Vite plugin directly.

Remote agents failed: Overnight scaffold agents couldn't auth with GitHub. Local execution worked first try.