18 web properties, 3 hosting platforms, 3 Supabase projects, 5+ auth schemes, and no single place for staff to go. This map shows what exists today, where each system should land, and what to fix first. Everything here is already reachable with the credentials on hand — there is no access gap.
The Cloudflare lane is the one to drain: Workers + D1 + R2 move to Railway + Supabase; static Pages fold into the intranet or hocatt.com. team.hocatt.com is already on the target stack and becomes the intranet shell.
Security first and independent of everything else; then drain the easy statics; decommission the dead; build the shell; finish with the hard one.
Ranked by urgency. The top three are live exposures with credentials or PII behind them and shouldn't wait for the consolidation plan.
All the obvious names are free except portal (a live login tool already sits there). Recommended: admin.hocatt.com — the name Dre's own handoff docs already proposed.
Standardize on team.hocatt.com's proven model: email‑OTP (not magic links — Outlook Safe Links burns them), domain allowlist + per‑user roles. Retires every hardcoded gate (a shared code, a plaintext PIN, shared ADMIN_PASSWORD).