
Edge runbook

Operational runbook for Spectral’s Cloudflare edge. The posture is ADR-052; origins are Cloudflare-native per ADR-109.

DNS + proxy state

runspectral.com is authoritative on Cloudflare (it was registered there, so no registrar transfer was involved). The record set lives in infra/cloudflare/zone-records.md. All product hostnames are proxied (orange-cloud): api. (Worker-fronted container) and app./ops./docs./codex. (Pages). Staging will mirror these as *-staging. once a staging environment exists.

TLS + certificates

TLS terminates at the edge; certificates are issued and renewed automatically for each Worker custom domain and Pages project. The first attach of a custom domain (e.g. api.) waits on certificate issuance, typically a few minutes, during which the hostname can return 403; the deploy smoke gate retries for long enough to ride this out, so a 403 in that window is not a deploy failure.

api. custom domain

api.runspectral.com is attached to the spectral Worker by the deploy (tools/deploy/reconcile_edge.sh, via the Cloudflare API). The origin is not exposed directly: every request to api. passes through the Worker, so the hostname gains L7 DDoS protection, the WAF, and per-key rate limiting. app., ops., docs., and codex. attach as Pages custom domains.

WAF / security posture (ADR-052 D3)

  • Managed Ruleset: ON.
  • OWASP Core Ruleset: off, or in Log mode at most. It is false-positive-prone on bearer-token JSON POSTs; move it toward Block only after path-scoped tuning.
  • Rate limiting: the primary control on api.*, keyed on JWT / API-key identity rather than source IP; a separate rule guards the app.*/auth/* and ops.*/auth/* callbacks.
  • Bot Fight Mode: OFF. Free-plan BFM blocks requests from datacenter address space, which includes legitimate programmatic API callers and CI, and it cannot be scoped with a Skip rule. If bot protection is wanted on the human-facing portals, express it as a host-scoped WAF custom rule; never enable blanket BFM on api..
  • Operations/Codex Pages Functions: staff-only surfaces validate JWTs in the Function against the issuer's JWKS. Codex caches the JWKS in KV (10-minute TTL); a kid miss bypasses the cache and refetches, so a key rotation is picked up immediately. Because any caller can present an arbitrary kid, the kid-miss refetch path needs its own floor (one forced refetch per interval) so forged tokens cannot turn the JWKS endpoint into a hot loop.

Cache + cookies

There are no zone-level Cache Rules; Pages projects purge on deploy, and a manual purge_everything is reserved for an observed stale-asset report. Auth-sensitive SSR and auth-refresh responses set Cache-Control: private, no-store. A cacheable auth-refresh response is a session-poisoning vector: the shared cache keys on the URL, not the cookie, so one user's freshly minted token would be served to the next caller of the same URL. Cookies are scoped to the runspectral.com eTLD+1.
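The session-poisoning vector above, reproduced as an added example that is not Spectral's code. EdgeCache is a minimal model of a shared cache keyed on method plus URL (cookies are not part of the key, as at an edge cache by default); the refresh endpoint, sessions and tokens are constructed stand-ins, and the weak and corrected Cache-Control values are run side by side:

```javascript
// Added example, not Spectral's code: why /auth/refresh must send
// `Cache-Control: private, no-store`. EdgeCache models a shared cache keyed
// on method + URL; the origin, sessions and tokens are constructed.
function parseCacheControl(value = '') {
  const out = {};
  for (const directive of value.split(',')) {
    const [k, v] = directive.trim().toLowerCase().split('=');
    if (k) out[k] = v === undefined ? true : v;
  }
  return out;
}

// The part of RFC 9111 shared-cache storability that matters here:
// no-store and private forbid storage; public, max-age or s-maxage permit it.
function sharedCacheMayStore(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc.private) return false;
  return Boolean(cc.public || cc['max-age'] || cc['s-maxage']);
}

class EdgeCache {
  constructor() { this.store = new Map(); }
  fetch(req, origin) {
    const key = `${req.method} ${req.url}`;      // cookie deliberately absent from the key
    if (req.method === 'GET' && this.store.has(key)) return { ...this.store.get(key), fromCache: true };
    const res = origin(req);
    if (req.method === 'GET' && sharedCacheMayStore(res.headers)) this.store.set(key, res);
    return { ...res, fromCache: false };
  }
}

// Constructed origin: /auth/refresh mints a fresh access token for the session
// named in the cookie, with whatever Cache-Control the caller configures.
const sessions = { 'sess-alice': 'alice', 'sess-bob': 'bob' };
function refreshOrigin(cacheControl) {
  let minted = 0;
  return (req) => {
    const user = sessions[(req.headers.cookie || '').replace(/^session=/, '')];
    if (!user) return { status: 401, headers: { 'cache-control': 'private, no-store' }, body: '' };
    minted += 1;
    return {
      status: 200,
      headers: { 'content-type': 'application/json', 'cache-control': cacheControl },
      body: JSON.stringify({ access_token: `tok-${user}-${minted}` }),
    };
  };
}

// Alice refreshes first, then Bob, through the same edge cache.
// Reports whether Bob was served from cache and whether he got Alice's token.
function runScenario(cacheControl) {
  const cache = new EdgeCache();
  const origin = refreshOrigin(cacheControl);
  const refresh = (sess) => cache.fetch(
    { method: 'GET', url: 'https://app.runspectral.com/auth/refresh', headers: { cookie: `session=${sess}` } },
    origin);
  const alice = refresh('sess-alice');
  const bob = refresh('sess-bob');
  return { bobFromCache: bob.fromCache, bobGotAlicesToken: bob.body === alice.body };
}
```

With `max-age=60` the second caller gets the first caller's token straight from the cache; with `private, no-store` every refresh goes to the origin. The edge does not cache responses carrying Set-Cookie by default, but a refresh that returns its token in a JSON body has no such safety net, which is why the header is set explicitly rather than relied on.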