
# Documentation Hosting

**Status:** Active. **Last updated:** April 13, 2026. **Purpose:** SOC 2 evidence for CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Infrastructure Management).


## Overview

Internal documentation is hosted on Cloudflare Pages with Cloudflare Access (Zero Trust) for email-gated authentication. Docs are not public. Only approved team members can access them via one-time PIN email verification.

URL: https://docs.askflorence.health


## Architecture

| Component | Service | Purpose |
|---|---|---|
| Static site generator | VitePress 1.6.x | Builds markdown to static HTML with search + Mermaid |
| Hosting | Cloudflare Pages | Deploys from GitHub repo, global CDN |
| Authentication | Cloudflare Access (Zero Trust) | Email-gated one-time PIN access |
| DNS | Cloudflare | CNAME for docs.askflorence.health |
| Source | GitHub repo `docs/` directory | Single source of truth, version controlled |

## Deployment

Automatic. Cloudflare Pages is connected to the GitHub repo. Every push to `main` triggers a rebuild and deploy.

| Setting | Value |
|---|---|
| GitHub repo | askflorencehealth/ask-florence |
| Production branch | `main` |
| Build command | `cd docs && npm install && npm run build` |
| Build output directory | `docs/.vitepress/dist` |
| Framework preset | None |
| Auto-deploy | Yes (on every push to `main`) |

No manual deployment needed. Edit a markdown file, push to main, docs update automatically within ~1 minute.

## Access Control

### Cloudflare Access Application

| Setting | Value |
|---|---|
| Application name | AskFlorence Docs |
| Application URL | docs.askflorence.health |
| Type | Self-hosted |
| Session duration | 24 hours |
| Authentication method | One-time PIN (email-based) |
| Application ID | 87b977b3-56f2-42fb-a680-e41643abbae4 |
| Created | April 13, 2026 |

### Access Policy

| Setting | Value |
|---|---|
| Policy name | Allowed team |
| Action | Allow |
| Include rule | Emails |
| Allowed emails | [email protected], [email protected], [email protected] |

### How Access Works

  1. User visits docs.askflorence.health
  2. Cloudflare Access intercepts the request
  3. User sees a login screen asking for their email
  4. If the email is in the allowed list, a one-time 6-digit PIN is sent
  5. User enters the PIN
  6. Access is granted for 24 hours (session-based)
  7. After 24 hours, re-authentication required

### Adding New Users

  1. Go to Cloudflare Zero Trust dashboard (one.dash.cloudflare.com)
  2. Access controls > Policies > "Allowed team" > Configure
  3. Add the new email address to the Include > Emails list
  4. Save
  5. Update this document

### Removing Users

  1. Remove their email from the Allowed team policy
  2. Their existing session expires within 24 hours (or revoke immediately via Access > Logs)
  3. Update this document

## Local Development

To run docs locally:

```bash
cd docs
npm install
npm run dev
```

Opens at http://localhost:5173 with hot reload, search, and Mermaid rendering.

To build locally (verify before pushing):

```bash
cd docs
npm run build
```

Output goes to `docs/.vitepress/dist/` (gitignored).

## Authoring conventions (read before adding new docs)

These conventions exist because the Cloudflare Pages build is strict — `ignoreDeadLinks` is `[]` in `docs/.vitepress/config.ts`, so any dead link fails the build and blocks deploy. The rules below prevent the most common breakage class.

### 1. Cross-repo links MUST be absolute GitHub URLs

When linking from a docs markdown file to source code, IaC, CI workflows, or anything else outside `docs/`, use the absolute GitHub URL, not a relative path.

```markdown
✅ [`src/lib/db.ts`](https://github.com/askflorencehealth/ask-florence/blob/main/src/lib/db.ts)
✅ [`infra/modules/ses/`](https://github.com/askflorencehealth/ask-florence/tree/main/infra/modules/ses/)

❌ [`src/lib/db.ts`](../../src/lib/db.ts)
❌ [`scripts/audit/foo.ts`](../../../scripts/audit/foo.ts)
```

URL shape:

  • File: `https://github.com/askflorencehealth/ask-florence/blob/main/<path>`
  • Directory: `https://github.com/askflorencehealth/ask-florence/tree/main/<path>/`

Use `main` (not a SHA) so links stay current as files evolve. This matches the convention every GitHub-issue link in these docs already follows.

Why: only the `docs/` directory ships to Cloudflare Pages. Relative paths like `../../src/lib/db.ts` render correctly when reading the markdown source on GitHub but resolve to a 404 on docs.askflorence.health. Worse, before the fix in PR #129, VitePress would silently let some of these through (anything with a non-`.md` extension was skipped by the dead-link checker), so they'd ship broken without anyone noticing.

Background: PR #129 (ENG-261) rewrote 43 such links and tightened `ignoreDeadLinks` to `[]`. Earlier history: commit 4971e81 (April 2026) was the first time we hit this; the v0.15.0 narrow `infra/`-only suppression let it grow back over the next month.

### 2. Links inside docs/ use relative paths

Internal links (between docs pages, to `docs/audits/`, `docs/adr/`, etc.) stay relative — that's how VitePress generates the navigation graph and live-reload works.

```markdown
✅ [ADR 0004](../adr/0004-cross-cluster-atlas-privatelink.md)
✅ See the [change log](./change-log.md)
```

If the target is a directory, ensure it has an `index.md` — VitePress doesn't auto-resolve `README.md` as the index. Linking to a directory without `index.md` fails the build (e.g. `[docs/audits/](../audits/)` — the `audits/` dir has no `index.md`, so use a GitHub `tree/main/` URL instead).

### 3. Verify locally before pushing

```bash
cd docs
npm install   # one-time / on lockfile change
npm run build
```

Expect `build complete in N.NNs.` with no errors. If you see `Found dead link …`, fix it before pushing — the same failure will block the Cloudflare Pages deploy of `main` and break docs.askflorence.health.
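The three conventions above, as an added TypeScript check that is not part of the ask-florence repo's own tooling: it scans one markdown file for inline links, flags relative targets that resolve outside `docs/` and suggests the matching `blob/main` or `tree/main` GitHub URL (convention 1), flags directory links without an `index.md` and `.md` targets that do not exist (convention 2), and is meant to run just before `npm run build` (convention 3). The repository URL and the `docs/` root are taken from this page; the list of existing files, the sample page text and the function names (`checkMarkdown`, `sampleFindings`) are constructed for the example.

```typescript
// Added example, not the ask-florence repo's own tooling: a checker for the
// three link conventions above. Repo URL and docs root come from the page;
// the file list, sample page and function names are constructed here.

const REPO_URL = "https://github.com/askflorencehealth/ask-florence";
const DOCS_ROOT = "docs"; // the only directory that ships to Cloudflare Pages

// Constructed stand-in for the real docs/ tree; a real run would walk it
// with fs. Paths are relative to the repo root. audits/ has no index.md.
const DOCS_FILES: Set<string> = new Set([
  "docs/infrastructure/documentation-hosting.md",
  "docs/infrastructure/change-log.md",
  "docs/adr/0004-cross-cluster-atlas-privatelink.md",
  "docs/audits/2026-q2.md",
]);

export interface Finding {
  line: number;
  target: string;
  problem: string;
  suggestion?: string;
}

// Resolve a link target to a repo-root-relative path. Root-relative links
// ("/adr/...") are relative to the VitePress root (docs/); anything else is
// relative to the linking file's directory. Fragments are dropped and ".."
// past the repo root is clamped, which is enough to see whether the result
// still lives under docs/.
function resolveLink(fromFile: string, target: string): string {
  const clean = target.split("#")[0];
  const parts = clean.startsWith("/") ? [DOCS_ROOT] : fromFile.split("/").slice(0, -1);
  for (const seg of clean.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return parts.join("/");
}

// Markdown inline links: [text](target "optional title"). Group 1 is the target.
const LINK_RE = /\[[^\]]*\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;

export function checkMarkdown(filePath: string, content: string): Finding[] {
  const findings: Finding[] = [];
  content.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    LINK_RE.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = LINK_RE.exec(text)) !== null) {
      const target = m[1];
      // Absolute URLs, mailto: and in-page anchors are outside these rules.
      if (/^(https?:|mailto:|#)/.test(target)) continue;
      const isDir = target.endsWith("/");
      const path = resolveLink(filePath, target);
      if (path !== DOCS_ROOT && !path.startsWith(DOCS_ROOT + "/")) {
        // Convention 1: outside docs/ the link renders on GitHub but 404s on Pages.
        findings.push({
          line, target,
          problem: "relative link escapes docs/ (404 on docs.askflorence.health)",
          suggestion: `${REPO_URL}/${isDir ? "tree" : "blob"}/main/${path}${isDir ? "/" : ""}`,
        });
      } else if (isDir) {
        // Convention 2: VitePress only resolves a directory through index.md.
        if (!DOCS_FILES.has(`${path}/index.md`)) {
          findings.push({
            line, target,
            problem: "directory link without index.md fails the dead-link check",
            suggestion: `${REPO_URL}/tree/main/${path}/`,
          });
        }
      } else if (path.endsWith(".md") && !DOCS_FILES.has(path)) {
        findings.push({ line, target, problem: "dead link: target .md does not exist" });
      }
    }
  });
  return findings;
}

// Constructed sample page, standing in for docs/infrastructure/documentation-hosting.md.
const SAMPLE_FILE = "docs/infrastructure/documentation-hosting.md";
const SAMPLE = [
  "Helper: [`src/lib/db.ts`](../../src/lib/db.ts) opens the Atlas connection.",
  `Approved form: [\`src/lib/db.ts\`](${REPO_URL}/blob/main/src/lib/db.ts).`,
  "Decision: [ADR 0004](../adr/0004-cross-cluster-atlas-privatelink.md).",
  "History: see the [change log](./change-log.md#april-2026).",
  "Audits: [docs/audits/](../audits/) holds the quarterly reviews.",
  "Retired: [old runbook](./old-runbook.md).",
].join("\n");

export function sampleFindings(): Finding[] {
  return checkMarkdown(SAMPLE_FILE, SAMPLE);
}

for (const f of sampleFindings()) {
  console.log(`${SAMPLE_FILE}:${f.line} ${f.problem}: ${f.target}` +
    (f.suggestion ? `\n  -> use ${f.suggestion}` : ""));
}
```

On the constructed sample this reports three findings (the escaping `../../src/lib/db.ts`, the `../audits/` directory with no `index.md`, and the missing `old-runbook.md`) and passes the absolute GitHub URL, the ADR link and the fragment link. A pre-push hook would replace `DOCS_FILES` with a walk of `docs/` and exit non-zero when any findings are returned, so the dead link is caught before the Cloudflare Pages deploy of `main` fails.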


## Technical Details

### VitePress Configuration

  • Config: `docs/.vitepress/config.ts`
  • Dependencies: `docs/package.json` (separate from main app)
  • Mermaid: via `vitepress-plugin-mermaid`
  • Search: VitePress built-in local search (no external service)
  • Theme: Default VitePress theme with AskFlorence brand colors
  • Dead-link policy: `ignoreDeadLinks: []` — strict. See "Authoring conventions" above.

### Node Version

VitePress requires Node 18+. The main Next.js app runs on Node 25. Use fnm (Fast Node Manager) to switch if needed:

```bash
fnm use 22   # for docs
fnm use 25   # for main app (default)
```

## Known Limitations

  • `vite` and `esbuild` have moderate Dependabot alerts (dev-only build tools, not in production app). Dismissed as tolerable risk until VitePress 2.0 stable releases with vite 6+.
  • Email delivery to new askflorence.health Google Workspace may be delayed (domain reputation building). Use personal emails as fallback in the Access policy.

## SOC 2 Control Mapping

| Control | Evidence |
|---|---|
| CC6.1 (Logical Access) | Email-gated access, named user policy, session expiry |
| CC6.3 (Access Removal) | Documented removal process, 24-hour session max |
| CC6.6 (System Boundaries) | Docs isolated on separate subdomain with separate auth |
| CC7.1 (Infrastructure) | Hosting configuration documented, auto-deploy from repo |
| CC8.1 (Change Management) | Git-based deployment, all changes tracked in commit history |

## Change Log

| Date | Change | By |
|---|---|---|
| April 13, 2026 | Migrated from Jekyll/GitHub Pages to VitePress/Cloudflare Pages | Taha Abbasi |
| April 13, 2026 | Added Cloudflare Access (Zero Trust) email-gated auth | Taha Abbasi |
| April 13, 2026 | Added [email protected] as fallback email | Taha Abbasi |

AskFlorence Internal Documentation. Not for public distribution.