From db337ed9c6d04512295ae81b1dc19e0358d21d8f Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sat, 25 Apr 2026 18:29:02 +0200
Subject: [PATCH] docs(readme): note Cloudflare cache caveat for placeholder
 mode

The placeholder serves HTTP 200, so Cloudflare's edge will cache
it normally. Document the operator action (purge cache or set a
short-TTL Cache Rule) needed before recovery for longer outages,
so the edge doesn't keep serving the placeholder past recovery.

Surfaced by final code review of the feature branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index b0067dd..28b52ec 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,8 @@ To put the site into "back shortly" mode, trigger Gitea → **Actions → deploy
 
 The placeholder is hand-authored static HTML in `placeholder/` and does NOT depend on `npm`/`astro build` — it is deliberately decoupled from the main build so it can ship even when that build is broken.
 
+**Scope note.** The placeholder serves HTTP 200 (not 503), so Cloudflare's edge will cache it normally. This is fine for short planned maintenance windows. For longer outages or incident fallback, purge Cloudflare's cache (or set a short-TTL Cache Rule for the maintenance window) before triggering recovery via `deploy.yml`, otherwise the edge may serve the placeholder past recovery until TTL expires.
+
 **Security headers** (HSTS, CSP, X-Frame-Options, etc.) are owned by **Cloudflare Transform Rules**, not by anything in this repo. Hetzner Webhosting L ignores file-based `.htaccess` (`AllowOverride None`), so origin-side header config is impossible from code. See `OPERATOR-CHECKLIST.md` §2.
 
 See [`OPERATOR-CHECKLIST.md`](./OPERATOR-CHECKLIST.md) for the one-time Hetzner + Cloudflare setup.