Feedback creatortrack prod deploy guardrail

CreatorTrack's :3070 (proxied by Cloudflare Tunnel as app.creatortrack.ai) is NOT a dev server. It's next start -p 3070 serving a production build, systemd-managed, with a canonical deploy path at scripts/forge_creatortrack_deploy.sh. That script hard-refuses to run on anything but a clean main branch and has an auth guard against exposing data via the dev-email fallback.

Why: Justin approved what he thought was a "dev-server restart" but the real action would have been a next build + restart of the live public app, baking in another session's uncommitted work and bypassing the deploy script's clean-main and auth guards. The assistant caught this gap before acting and stopped to re-confirm scope with Justin rather than proceeding on the loose approval.

How to apply: Any time a request touches CreatorTrack's :3070 service (or app.creatortrack.ai), verify whether it's a genuine dev workflow or the live prod service before executing. If it's prod, require: (1) branch is clean main, (2) go through forge_creatortrack_deploy.sh, never a raw next build/restart. If the working tree is dirty or on a feature branch, stop and surface the discrepancy instead of proceeding on a prior looser approval.

[auto-memory session 461b1ad7-a331-4bac-a340-58ef4cd3ee7e, confidence 0.85, mode direct]