
Infrastructure Reference

Canonical reference for all external platform accounts, entity details, and infrastructure IDs. This doc is the single source of truth — if a value appears here and somewhere else, this doc wins.

Last updated: April 2026


UCCA Inc (US)

  • Legal name: UCCA Inc
  • DBA: Universal Capability Certification Authority
  • Structure: Delaware C-Corp
  • EIN: 84-4522608
  • Role: Parent / platform entity. US-facing. Holds US software subscriptions, US credit program enrolments, US-denominated contracts.

⚠️ "United Community Colleges of America Inc" is dead. Do not use it anywhere.

United Central Colleges of Australia Pty Ltd (AU)

  • Legal name: United Central Colleges of Australia Pty Ltd
  • ABN: 59 168 872 535
  • Trading as: RTOpacks
  • Role: Australian operating entity. Trades as RTOpacks. Holds AU customer contracts, AU-denominated invoicing, AU regulatory exposure.

Entity separation principle

US-centric credit programs and subscriptions → UCCA Inc. AU-facing commercial activity → RTOpacks / UCCA Australia Pty Ltd. Do not mix invoicing or subscriptions across entities without a clear reason.


Cloudflare

Accounts

  • RTOpacks CF account ID: f95d45376ebeeeaf011a4f0ec0fb7b38
  • Legacy UCCA CF account ID: e5a9830215a8d88961dc6c80a8c7442a (connected via MCP; limited active use)

Platform migration from UCCA account → RTOpacks account completed early April 2026. 9 D1 databases migrated to APAC, 25+ Workers deployed, DNS migrated, CF Access policies established, security audit completed (SEC-AUDIT-MIGRATE-01, 40 checks, 0 failures).

API tokens

  • Account-owned cfat_ tokens validate via a scoped live call, NEVER /user/tokens/verify. Cloudflare's account-owned API token format (cfat_…, ~53 chars) returns Invalid API Token (code 1000) from /user/tokens/verify even when the token is valid and active — that endpoint only verifies user tokens. To check an account token, make a real scoped call (e.g. GET /zones/<zone>/rulesets) — success: true is the authoritative signal. (Cost ~hours during FLAG2-IAC-01, 2026-06-03, before this was understood — the terraform import 401 was the real signal, not user-verify.)
  • R2 S3 credentials (Access Key ID + Secret Access Key, for the Terraform state backend) come from the R2 → Manage R2 API Tokens creation screen, not the generic Account API tokens page. The cfat_ "Token value" shown there is the Bearer form and is NOT what the S3 backend uses. The token needs Object Read & Write permission: Object Read alone can read state but cannot write the lock/state, which produces a 403 on terraform import.
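
The token check from the first bullet above, sketched in Python as an added example (not code from this repo): cfat_ tokens are routed to a scoped call and success: true in the response envelope is the verdict. The function names and the injectable fetch parameter are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def probe_path(token, zone_id):
    """Pick an endpoint that can actually vouch for this kind of token."""
    if token.startswith("cfat_"):
        # Account-owned token: /user/tokens/verify answers code 1000 even
        # when the token is valid, so probe with a real scoped call instead.
        return f"/zones/{zone_id}/rulesets"
    return "/user/tokens/verify"


def parse_envelope(body):
    """Reduce a Cloudflare v4 response envelope to a verdict."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return {"valid": False, "errors": [(None, "unparseable response")]}
    errors = [(e.get("code"), e.get("message")) for e in doc.get("errors") or []]
    return {"valid": doc.get("success") is True, "errors": errors}


def http_get(url, headers):
    """Default transport. 4xx replies still carry the JSON envelope."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def check_token(token, zone_id, fetch=http_get):
    """Return a verdict dict; the token itself is never put in the result.

    `fetch` is injectable (an assumption of this sketch) so the routing can
    be exercised offline with constructed responses.
    """
    path = probe_path(token, zone_id)
    verdict = parse_envelope(fetch(API + path, {"Authorization": f"Bearer {token}"}))
    verdict["probe"] = path
    return verdict
```

A False verdict from the scoped probe only says the call failed for that scope; read the returned errors before concluding the token itself is dead.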

DNS zones

  • rtopacks.com.au — Zone ID: 691d4282eaafd5ab612da6a2204b5729

D1 databases

Categorised per MANDARIN DATA TAXONOMY (see standing-rules.md). Per-env Peel + Intake DBs have dev twins (D1 names retain -staging suffix per ADR-027 D1-name lag).

RTOpacks account (10):

  • rto-nrt-db (Pith) — nationally recognised training data (TGA corpus, AQF quals). Post NRT-DB-DEPOLLUTE-01 (18 May 2026): contains only TGA reference + sync-pipeline support tables.
  • rto-abs-db (Sync-output) — ABS labour-force / reference data (abs-sync pipeline)
  • rto-licensing-db (Sync-output) — licensing / entitlements (teqsa-sync)
  • rto-radar-db (Sync-output) — digital footprint intelligence (radar-crawl)
  • rto-ops-db (Peel) — internal business ops (UCCA staff, internal-ops surface only)
  • rto-workspace-db (Peel) — workspace / studio / canvas / RTO end-user identities
  • rto-landscape-db (Peel) — VET vendor competitive intelligence
  • rto-calendar-db (Peel) — scheduling / calendar
  • rto-micro-db (Peel) — microcredentials (non-accredited) content
  • rto-intake-db (Intake) — public-form submissions (contacts, contact_enquiries, subscribers). Post INTAKE-DB-EXTRACTION-01 (16 May 2026).

UCCA account (1):

  • ucca-mcp-db — MCP integration data

HARD SEPARATION RULE reminder

  • Regulated training → rto-nrt-db
  • Non-regulated training → rto-micro-db
  • Business ops → rto-ops-db (never surfaced)

See standing-rules.md for full rule.

Worker inventory (as of March 2026)

28 Workers on RTOpacks account, 20 on UCCA account.

Scheduled Workers:

  • tga-sync — Sun 2am AEST
  • cricos-sync — 1st of month, 4am AEST
  • ops-tender-sync — daily 6pm + Sat 8pm AEST
  • stats-cache — every 6 hours
  • qual-enrichment — daily 3am AEST

All 5 scheduled Workers need ops.ucca.online status stubs (pending).

R2 buckets

  • ucca-terraform-state — Terraform state backend. AWS_ env vars in ~/.zshrc. 202 resources, 9 types.
  • Versioned snapshot buckets (see Observatory config).

CF Access bypasses

  • /billing/webhook — Stripe webhook endpoint
  • /billing/qb-callback — QuickBooks OAuth callback

Documentation surfaces

All Cloudflare-proxied.

  • knowledge.ucca.online — UCCA knowledge base
  • docs.ucca.online — UCCA docs
  • docs.rtopacks.com.au — RTOpacks product docs
  • trust.rtopacks.com.au — RTOpacks trust / compliance surface

Apple Developer

  • Team ID: B29TSCBPHD
  • Pass Type ID: pass.online.ucca.credential
  • Bundle ID: online.ucca.authenticator
  • Renewal: 2 March 2027
  • Entity name change: submitted

GitHub

  • Monorepo: uccaonline — contains ucca-project and rtopacks-project. Auth via gh CLI OAuth, auto-refreshes.
  • UCCO repo: ucco-project (on hold). Auth via PAT ucco-foundation-push, expires 14 March 2027.
  • 2FA: enabled (deadline was April 29 — met).

Project structure (local)

All projects under ~/projects/:

  • ucca-project/ — contains engine/ and ucca-docs/ (MkDocs)
  • rtopacks-project/
  • ucco-project/ (on hold)

ucca-project and rtopacks-project share one git repo (uccaonline). ucco-project has its own repo.


Financial / accounting

  • Bank: Mercury (US, under UCCA Inc)
  • Accounting (AU): QuickBooks Online AU
  • QuickBooks sandbox company ID: 9341456854400409
  • Accountant: Kevin (CPA)
  • Stripe: integrated, webhook bypass configured

External APIs

All external APIs must have a reference doc in docs/ops/ before deploy (EXT-API RULE).

TGA (training.gov.au)

  • Reference doc: docs/ops/tga-api-reference.md
  • Swagger: https://training.gov.au/swagger/index.html
  • Unit content endpoint: GET /api/training/{code}/releases/{releaseNumber}/document-bundle
  • TLS note: Node.js fetch works. curl and CF Workers are blocked by TGA's TLS fingerprint. Use a Node-based Worker runtime or proxy if calling from CF.

Other APIs

Add entries here as they're integrated. Each entry must link to its reference doc in docs/ops/.


Machine / local setup

  • Primary machine: Mac Mini M2 Pro
  • Display: 49" Samsung ultrawide
  • Storage: LaCie external, Rclone + Spotlight configured
  • Shell env: AWS_ vars in ~/.zshrc

Wrangler version operating constraint

The repo carries two wrangler versions:

  • Global install (used when running npx wrangler from any directory without a local node_modules/wrangler): currently 4.94.0.
  • Per-worker pinned: e.g. scripts/workers/tga-sync/ uses 3.114.17 via local node_modules; apps/admin/ uses 4.77.0.

Refined picture (post MANDARIN-VIOLATION-02-market-snapshot, 2026-05-24):

Wrangler v4's resource-by-name resolution is asymmetric between resource types:

| Resource type | v4 from project root | v4 from worker dir w/ local config | v3 from worker dir w/ local config |
|---|---|---|---|
| Queue (by name) | ✅ resolves | ✅ resolves | ✅ resolves |
| D1 (by name) | ❌ "Couldn't find DB with name X" | ✅ resolves | ✅ resolves |

D1-by-name on v4 from project root fails even with --database-id alone — v4 wants both the positional name AND the --database-id flag, OR the local config context. The cleanest D1 command paths for ad-hoc remote queries:

  1. cd into a worker dir with the binding in local config + use wrangler 3.x pinned (e.g., scripts/workers/tga-sync/):
    cd scripts/workers/tga-sync && npx wrangler d1 execute ops-db --remote --command "..."
    
  2. cd into a worker dir with the binding + use wrangler 4 (e.g., apps/admin/):
    cd apps/admin && npx wrangler d1 execute rto-ops-db-staging --remote --env dev --command "..."
    
  3. D1 REST API or D1 MCP (skips wrangler discovery entirely — uses UUID directly).

Discipline note: when a prescribed wrangler command fails in a credential-touch flow, halt and surface with the working alternative — do not route around to a different tool on your own authority. The choice of execution path is part of the credential rule, not just the credential bytes.

D1 UUIDs are listed under the D1 databases section above for use with --database-id or for direct MCP/REST calls.


What goes where — quick reference

| Item | Entity / location |
|---|---|
| US software subscriptions | UCCA Inc |
| US startup credit programs | UCCA Inc |
| AU customer contracts | RTOpacks / UCCA AU Pty Ltd |
| AU tax and accounting | UCCA AU Pty Ltd (Kevin) |
| Regulated training data | rto-nrt-db |
| Non-regulated training data | rto-micro-db |
| Business ops data | rto-ops-db (never surfaced) |
| Terraform state | R2 ucca-terraform-state |
| RTOpacks DNS | Cloudflare, Zone 691d4282eaafd5ab612da6a2204b5729 |
| Primary docs surface | docs.rtopacks.com.au |
| Trust / compliance surface | trust.rtopacks.com.au |

Change discipline

This doc is canonical. When IDs, entities, or infrastructure change:

  1. Update this doc first
  2. Then update anything that references these values
  3. Commit under docs/ops/infrastructure-reference.md
  4. Note the change date at the top of the doc

Never let this doc drift from reality. If you find a discrepancy, fix this doc before anything else.