# Memeroot browser-OS → Cloudflare release map
Date: 2026-06-13
## What was found
- `memeroot-delivery` is already close to a Cloudflare Pages static site: `index.html` catalog, standalone HTML demos, downloadable component zips, guides, XML features, and the `MR-CANVAS-v0.8.html` substrate.
- The browser OS is not a conventional SPA. It is a static HTML substrate that loads XML feature definitions, executes feature implementations, admits XML regions into an address tree, signs/verifies regions via WebCrypto, persists locally, and exports self-contained bundles.
- The release strategy should therefore keep HTML/XML/ZIP files as first-class static assets and avoid build tooling that rewrites them.

## Release series
| Release | Purpose | Cloudflare upload | Notes |
|---|---|---|---|
| `00-catalog-full` | Memeroot Catalog Full Delivery | `releases/00-catalog-full.zip` or folder `releases/00-catalog-full` | 50 files; SHA-256 `4bb8879b71554d50…` |
| `01-page-build` | Memeroot Page Build | `releases/01-page-build.zip` or folder `releases/01-page-build` | 33 files; SHA-256 `3a501fed188ea76a…` |
| `02-interface-from-xml` | Memeroot Interface from XML | `releases/02-interface-from-xml.zip` or folder `releases/02-interface-from-xml` | 34 files; SHA-256 `c6649f445c1c3aca…` |
| `03-knowledge-tree` | Memeroot Knowledge Tree | `releases/03-knowledge-tree.zip` or folder `releases/03-knowledge-tree` | 31 files; SHA-256 `6a28dfe029de5324…` |
| `04-skill-author` | Memeroot Skill Author | `releases/04-skill-author.zip` or folder `releases/04-skill-author` | 33 files; SHA-256 `a0c4076bf0bd07f2…` |
| `05-compliance-audit-trail` | Memeroot Compliance Audit Trail | `releases/05-compliance-audit-trail.zip` or folder `releases/05-compliance-audit-trail` | 33 files; SHA-256 `dcb76ab310a49494…` |
| `06-oracle-sql-free` | Memeroot Oracle SQL Free | `releases/06-oracle-sql-free.zip` or folder `releases/06-oracle-sql-free` | 30 files; SHA-256 `1db022ca68fe30ab…` |
| `07-composable-substrate` | Memeroot Composable XML Substrate | `releases/07-composable-substrate.zip` or folder `releases/07-composable-substrate` | 39 files; SHA-256 `99df75b6a8a7fcd9…` |
| `08-bridge-and-cli` | Memeroot Bridge and CLI | `releases/08-bridge-and-cli.zip` or folder `releases/08-bridge-and-cli` | 48 files; SHA-256 `e8624c6088c1034e…` |

## Transformation layers
1. **Static preservation layer**: copy existing HTML, XML, ZIP, JS, shell and guide files without bundler transformation.
2. **Cloudflare metadata layer**: add `_headers`, `_redirects`, `robots.txt`, `release.json`, and `README-CLOUDFLARE.md`.
3. **Release isolation layer**: patch the canvas localStorage key from global `mr.canvas.v0` to a release-path scoped key. This avoids cross-demo contamination under one Cloudflare origin.
4. **Optional edge layer**: keep `_worker.js.optional` inactive by default. Rename to `_worker.js` only when `/api/health` or `/api/anthropic` proxy behavior is wanted.
5. **Documentation/demo layer**: each stream release gets a top-level `index.html` where the source only had `GUIDE.html` or `reference.html`. Full delivery keeps its original catalog index.

## Functional map
| Browser-OS capability | Source evidence | Cloudflare handling |
|---|---|---|
| Canvas substrate | `MR-CANVAS-v0.8.html` | Serve as static HTML; do not minify/rewrite. |
| XML feature loading | `features/*.xml`; inline bootstrap manifest | Serve XML files; allow inline script/XML blocks. |
| Dynamic feature execution | `new Function("MR", code)` in canvas | Do not apply strict CSP unless allowing `unsafe-eval`; preferred future refactor is signed module registry. |
| Region ingestion | FileReader/drop/paste | Works in browser; no Cloudflare function required. |
| Signing/verification | WebCrypto ECDSA-P256/SHA-256 | Cloudflare HTTPS gives secure context; preserve client-side operation. |
| Local persistence | `localStorage` | Scoped per release path in prepared zips. |
| Bundle export | `fetch(window.location.href)` + Blob download | Works over HTTPS; fails less on Cloudflare than `file://`. |
| AI invoker | `fetch("https://api.anthropic.com/v1/messages")` in feature | Static release will not generally work without auth/CORS; optional `_worker.js.optional` sketches same-origin proxy. |

## Cloudflare decision
- **Recommended first release**: `00-catalog-full.zip` as the public catalog. It preserves all existing links and downloadable component zips.
- **Recommended series release**: publish `01`–`07` as separate Pages projects or preview branches so each stream is independently demoable and downloadable.
- **Recommended advanced release**: use Wrangler folder deploy, not dashboard drag/drop, once active Pages Functions or secrets are required.

## Known non-breaking issues
- The canvas imports Google fonts in the source. That is aesthetic, not functional. For strict offline/no-third-party mode, remove the `@import` and rely on the existing Georgia/Consolas fallbacks. Font files are not included.
- The invoker feature is architectural proof unless backed by an edge proxy and a configured secret. Do not present it as production AI invocation until wired through Cloudflare Worker/Pages Functions.
- A strict CSP is incompatible with the current XML-as-feature-loader model. The proper hardening step is to replace runtime `new Function` with signed ES modules or a vetted opcode registry.