feat(deploy): sync CyberSecur-Global to CT7810 via pct; optional CF cache purge

Made-with: Cursor

scripts/cloudflare/purge-cybersecur-d-bis-edge-cache.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Purge Cloudflare edge cache for cybersecur.d-bis.org static paths after deploy.
+# Fixes stale HITs where HEAD returns 404 while GET is OK (robots.txt) or favicon cached as 404.
+#
+# Requires CLOUDFLARE_API_TOKEN with Zone → Cache Purge → Purge (same zone as DNS edits).
+# DNS-only scoped tokens often fail here — extend token or purge once in Dashboard:
+#   Caching → Configuration → Purge Cache → Custom Purge → URL list.
+#
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+if [[ -f "${PROJECT_ROOT}/.env" ]]; then set -a; source "${PROJECT_ROOT}/.env"; set +a; fi
+TOKEN="${CLOUDFLARE_API_TOKEN:?Set CLOUDFLARE_API_TOKEN}"
+ZONE="${CLOUDFLARE_ZONE_ID_D_BIS_ORG:-}"
+if [[ -z "$ZONE" ]]; then
+  ZONE=$(curl -sS -H "Authorization: Bearer ${TOKEN}" \
+    "https://api.cloudflare.com/client/v4/zones?name=d-bis.org" | jq -r '.result[0].id // empty')
+fi
+[[ -n "$ZONE" ]] || { echo "Could not resolve zone id for d-bis.org" >&2; exit 1; }
+
+BODY=$(jq -n --arg z "$ZONE" '{
+  files: [
+    "https://cybersecur.d-bis.org/",
+    "https://cybersecur.d-bis.org/robots.txt",
+    "https://cybersecur.d-bis.org/sitemap.xml",
+    "https://cybersecur.d-bis.org/favicon.ico",
+    "https://cybersecur.d-bis.org/index.html"
+  ]
+}')
+RESP=$(curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE}/purge_cache" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d "$BODY")
+echo "$RESP" | jq .
+
+if echo "$RESP" | jq -e '.success == true' >/dev/null 2>&1; then
+  echo "✓ Purged. Recheck: curl -sSI https://cybersecur.d-bis.org/robots.txt | head -1"
+  exit 0
+fi
+echo "If authentication failed, add Cache Purge permission to the token or run Custom Purge in Cloudflare Dashboard for the URLs above." >&2
+exit 1