Important Notes
You must follow these rules. Official code will be maintained and updated by us.
Do not modify
Frontend apps
- apps/admin
- apps/web
These are official templates. We will add more features and push updates. If you modify them directly, you will not be able to merge our updates cleanly.
Recommended: Copy apps/web to a new project (e.g. ai-saas) and customize there.
Backend services
Do not modify any of these official services:
- backend/node1-auth-service
- backend/node2-support-service
- backend/node3-pay-service
- backend/node4-notify-service
- backend/node5-blog-service
- backend/node6-cdn-service
- backend/node7-site-service
- backend/node8-prompt-service
- backend/node9-checkin-service
- backend/node10-ai-service
- backend/zship-provider1-service
These are official services. We will update them with new features and fixes. Do not change them.
Security and secrets (short list)
- Never commit .env files, signing keys, or cookie secrets to a public repo. Use Cloudflare Secrets, wrangler secret put, or Dev Console push for production.
- Rotate ADMIN_SECRET, JWT secrets, and payment/provider keys on a sensible schedule; redeploy Workers that read those values after rotation.
- Prefer operator accounts and RBAC in admin (docs) instead of sharing the root secret across many people.
- Layer Cloudflare protections (WAF, IP rules, etc.) and least-privilege access for admin and sensitive APIs.
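
One way to enforce the "do not modify" and "never commit .env files" rules locally is a Git pre-commit hook that rejects staged .env files and changes under the official directories listed on this page. This is an added example, not part of the official template; the function names and the .env.example exemption are assumptions.

```sh
#!/bin/sh
# Added example, not official template code. Install as .git/hooks/pre-commit.

# Directories this page lists as official (do not modify).
OFFICIAL_DIRS="apps/admin apps/web
backend/node1-auth-service backend/node2-support-service
backend/node3-pay-service backend/node4-notify-service
backend/node5-blog-service backend/node6-cdn-service
backend/node7-site-service backend/node8-prompt-service
backend/node9-checkin-service backend/node10-ai-service
backend/zship-provider1-service"

# classify_path PATH -> prints "secret", "official" or "ok".
classify_path() {
  case "$1" in
    # Assumption: a .env.example with placeholder values only may be committed.
    .env.example|*/.env.example) ;;
    .env|.env.*|*/.env|*/.env.*) echo secret; return ;;
  esac
  for dir in $OFFICIAL_DIRS; do
    case "$1" in
      "$dir"/*) echo official; return ;;
    esac
  done
  echo ok
}

# check_paths: reads one path per line on stdin, reports each violation on
# stderr, and returns non-zero if any path is a secret file or official path.
check_paths() {
  status=0
  while IFS= read -r path; do
    kind=$(classify_path "$path")
    if [ "$kind" != ok ]; then
      echo "blocked ($kind): $path" >&2
      status=1
    fi
  done
  return $status
}

# Runs only when installed as the hook: checks staged additions, copies,
# modifications and renames.
case "$0" in
  *pre-commit)
    git diff --cached --name-only --diff-filter=ACMR | check_paths || exit 1 ;;
esac
```

Copy the script to .git/hooks/pre-commit and make it executable; work in a copied project such as apps/ai-saas passes the check.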