Edge runbook
Operational runbook for Spectral’s Cloudflare edge. The posture is ADR-052; origins are Cloudflare-native per ADR-109.
DNS + proxy state
runspectral.com is authoritative on Cloudflare (no registrar transfer — it was always there). The record set lives in infra/cloudflare/zone-records.md. All product hostnames are proxied (orange): api. (Worker-fronted container) and app./ops./docs./codex. (Pages). Staging mirrors *-staging. once a staging environment exists.
TLS + certificates
TLS terminates at the edge; certificates issue and renew automatically for each Worker custom domain and Pages project. A first custom-domain attach (e.g. api.) waits on cert issuance — minutes — during which the hostname can return 403; the deploy smoke gate is patient enough for it.
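As an added example (not Spectral's deploy gate), the loop below shows what "patient enough" means in practice: a 403 or a failed handshake while the edge certificate issues is treated as "not yet", a 2xx as ready, and any other status as a real failure reported at once. The attempt count, delay, and the /healthz path are assumptions.

```javascript
// Added example, not Spectral's deploy gate: wait for a just-attached custom
// domain to serve, tolerating the 403s seen while the edge certificate issues.
// `probe` returns the HTTP status of a health request, or 0 on a TLS/transport
// error; `sleep` is injectable so the loop can be driven without real delays.
// The attempt count and delay are assumptions, not values from the runbook.
async function waitForCustomDomain(probe, {
  attempts = 20,
  delayMs = 15000,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
} = {}) {
  const history = [];
  for (let i = 1; i <= attempts; i++) {
    let status;
    try { status = await probe(); } catch { status = 0; }
    history.push(status);
    if (status >= 200 && status < 300) return { ready: true, attempts: i, history };
    // 403 (certificate not yet issued) or 0 (handshake failed) means keep waiting;
    // anything else is a real failure and is reported immediately.
    if (status !== 403 && status !== 0) return { ready: false, attempts: i, history };
    if (i < attempts) await sleep(delayMs);
  }
  return { ready: false, attempts, history };
}

// Real-world probe (hostname and path are assumptions):
// const probe = async () =>
//   (await fetch("https://api.runspectral.com/healthz", { redirect: "manual" })).status;
```

Using `redirect: "manual"` keeps a redirect from being counted as readiness; only a direct 2xx from the health path ends the wait.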
api. custom domain
api.runspectral.com is attached to the spectral Worker by the deploy (tools/deploy/reconcile_edge.sh, via the Cloudflare API). The origin is not exposed; api. gains L7 DDoS protection, the WAF, and per-key rate limiting. app., ops., docs., and codex. attach as Pages custom domains.
WAF / security posture (ADR-052 D3)
- Managed Ruleset: ON.
- OWASP CRS: off / Log mode — false-positive-prone on bearer-token JSON POSTs; move toward Block only after path-scoped tuning.
- Rate limiting: the primary control on api.*, keyed on JWT / API-key identity (not IP); a rule also guards app.*/auth/* + ops.*/auth/* callbacks.
- Bot Fight Mode: OFF. Free-plan BFM blocks datacenter-origin requests — which blocks legitimate programmatic API callers and CI — and cannot be scoped with a Skip rule. Bot protection on the human-facing portals, if wanted, is a scoped WAF rule; never blanket BFM on api..
- Operations/Codex Pages Functions: JWKS-local validation for staff-only surfaces; Codex uses KV caching (10-minute TTL; a kid miss bypasses the cache and refetches).
Cache + cookies
No zone-level Cache Rules; Pages projects purge on deploy, and a manual purge_everything is only for an observed stale-asset report. Auth-sensitive SSR + auth-refresh responses set Cache-Control: private, no-store (a cacheable auth-refresh is a session-poisoning vector). Cookies scope to the runspectral.com eTLD+1.
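As an added example (not Spectral's code), a Pages-Functions-style middleware that enforces the `Cache-Control: private, no-store` rule on auth-sensitive responses, plus an audit check that flags a response whose directives would let an auth refresh be stored. The path prefixes are assumptions.

```javascript
// Added example, not Spectral's code: force `Cache-Control: private, no-store`
// on auth-sensitive responses so an auth refresh can never be stored and served
// to another user. The path prefixes below are assumptions for illustration.
const AUTH_SENSITIVE_PREFIXES = ["/auth/", "/api/auth/"];

function isAuthSensitive(pathname) {
  return AUTH_SENSITIVE_PREFIXES.some((prefix) => pathname.startsWith(prefix));
}

// Parse a Cache-Control value into a set of lowercase directive names.
function cacheDirectives(value) {
  return new Set(
    (value || "").toLowerCase().split(",").map((d) => d.trim().split("=")[0]).filter(Boolean)
  );
}

// Audit check: an auth-sensitive path must carry both `private` and `no-store`;
// other paths are not constrained by this check.
function cacheHeadersSafe(pathname, cacheControl) {
  if (!isAuthSensitive(pathname)) return true;
  const d = cacheDirectives(cacheControl);
  return d.has("private") && d.has("no-store");
}

// Return a copy of `response` with the hardened cache header, other headers intact.
function withNoStore(response) {
  const headers = new Headers(response.headers);
  headers.set("Cache-Control", "private, no-store");
  return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
}

// Pages Functions middleware shape: `context.request` and `context.next()`.
async function onRequest(context) {
  const response = await context.next();
  const { pathname } = new URL(context.request.url);
  return isAuthSensitive(pathname) ? withNoStore(response) : response;
}
```

The audit function is the useful half for a smoke check: run it over the paths the SSR and auth-refresh handlers serve and fail the deploy if any returns `false`, rather than discovering a cacheable refresh from a stale-session report.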
Related
- ADR-052 — edge posture.
- ADR-109 — Cloudflare-native origins.
- infra/cloudflare/zone-records.md — the record plan.
- deployment.md — the deploy that reconciles the edge.