keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_blocks/deploy-cloudflare.md
Parfii-bot 0be354a920 KeiSeiKit-public — clean state 
Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.
2026-05-01 12:09:03 +08:00

28 lines
1.6 KiB
Markdown
Raw Blame History

# DEPLOY — Cloudflare (Workers / Pages / R2 / KV)
**Tooling:** `wrangler` CLI (≥ 3.x). `wrangler.toml` is source of truth for bindings, NOT dashboard clicks.
**Surface map:**
- **Workers** — edge compute. `wrangler deploy`. Logs via `wrangler tail`.
- **Pages** — static sites + Pages Functions. Per-branch preview URLs automatic.
- **R2** — S3-compatible object storage. No egress fees.
- **KV** — eventually-consistent key-value config store. Reads cached at the edge.
- **D1** — SQLite at edge (beta/GA track).
**Secrets (NEVER in `wrangler.toml`):**
```
wrangler secret put API_KEY # interactive, encrypted at rest
wrangler secret put --env prod DB_URL
```
`wrangler.toml` is committed to git; secrets live in the platform vault only.
**Self-sufficiency — CF API token scopes (request ALL up front):**
Workers KV · Workers R2 · Workers Scripts · Pages · Zone Edit · DNS · Zone Read · Zone Settings · SSL. Missing scope → ask user to add to token, NEVER ask user to click in the dashboard.
**HARD RULE — CF ToS forbids proxy-mode traffic forwarding:**
- Worker for signaling, fronting helpers, metadata lookups — OK
- Worker as a full proxy pipe (upstream ⇆ Worker ⇆ downstream as a tunnel) — FORBIDDEN. Signaling / rendezvous Workers must do metadata only, NEVER arbitrary traffic. Violation → account ban.
**Cache strategy:** `Cache-Control` headers authoritative; purge via `wrangler pages deployment` or API. `NEXT_PUBLIC_*` / `PUBLIC_*` vars ship to client — treat as non-secret.
**Forbidden:** secrets in `wrangler.toml`, full-proxy Workers (ToS), manual dashboard edits when API token has the scope, committing `.dev.vars`.
Reference in a new issue View git blame Copy permalink