Skip to content

Consolidate platform primitives and harden runtime contracts#3

Open
cnluzhang wants to merge 14 commits into
mainfrom
refactor/dup-audit
Open

Consolidate platform primitives and harden runtime contracts#3
cnluzhang wants to merge 14 commits into
mainfrom
refactor/dup-audit

Conversation

@cnluzhang

@cnluzhang cnluzhang commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • consolidate duplicated Control request/error/retry flows, Redis locks and key grammars, queue/cron projections, S3 retry policy, observability helpers, runtime transports, and Rust sidecar contracts into canonical owners
  • harden Control and Auth lifecycle transitions with typed delete locks, optimistic snapshot retries, delegated-issuer fencing, scoped D1/DO ownership records, workflow restart blockers, and commit-time fencing
  • harden gateway, generated-wrapper, D1/R2 facade, Durable Object alarm/transport, and request-context boundaries against tenant-controlled headers, responses, prototypes, malformed identities, and unsafe forwarding targets
  • align Compose, Kubernetes, Terraform, workerd module wiring, dependencies, shared fixtures, behavioral coverage, compatibility notes, changelog entries, and module documentation with those owners

Intentional behavior changes

  • PLATFORM_DOMAIN is normalized across tiers as an ALB-compatible ASCII DNS hostname of at most 126 bytes with an alphabetic final label; /whoami no longer advertises the internal workers.local fallback as a public namespace URL
  • dynamic Workers reject explicit compatibility dates earlier than 2026-04-01, legacy error serialization, and explicit enhanced serialization after it becomes the workerd default; Runtime revalidates the same forward-only floor for retained metadata
  • internal auth tokens must be visible ASCII without whitespace or commas, and receivers reject ambiguous repeated auth headers
  • request ids preserve only the first comma-delimited safe visible-ASCII token; malformed ids are replaced or removed at the owning ingress rather than forwarded unchanged
  • secret mutations reject runtime-reserved and Object.prototype keys; persisted secret envelopes require canonical JSON field order and canonical base64
  • Headers-form R2 httpMetadata.Expires must be a canonical IMF-fixdate
  • DO RPC arguments are structural JSON data capped at 1 MiB; serialization does not invoke toJSON() hooks and rejects sparse arrays, circular structures, non-plain objects, and non-JSON values before dispatch
  • DO class declarations are capped at 468 ASCII bytes so every shard-specific host id remains within the 512-byte wire limit
  • required bundle metadata fails closed where an authoritative route/index needs it for projection, cleanup, workflow, or env-budget correctness; deploy discovery remains caller-specific and watched service-target drift remains 409 target_drift
  • invalid queue base64 is a permanent decode failure; scheduler revalidates canonical queue/cron identities before side effects, treats unusable consumer projections as absent, and bounds runtime response bodies to 1 MiB
  • the unreachable DO inline worker-code test hook and its Terraform switch are removed; do-runtime invoke accepts only canonical persisted bundle identities and rejects non-canonical or oversized host ids
  • tenant-facing Durable Object names and ids must be well-formed Unicode; lone UTF-16 surrogates are rejected before hashing, dispatch, alarm persistence, or Workflows mutation
  • @wdl-dev/aws-sigv4 3.0.1 uses stable request snapshots, rejects redirects, requires lowercase regions, and performs response cleanup without blocking retry progress
  • scheduler and Workflows keep their default 25-second drain within explicit 30-second Compose, Kubernetes, and ECS stop windows

Security and correctness

  • gateway removes client-supplied worker-routing and private x-wdl-* headers before forwarding
  • generated host wrappers capture policy-critical intrinsics before tenant modules evaluate; the DO alarm shim is installed before tenant evaluation and preserves the real class receiver for prototype, accessor, class-field, private-field, and WeakMap handlers
  • each generated wrapper owns an invocation-local AsyncLocalStorage context established only by its outermost invocation; ordinary nested calls inherit the parent request id, while deliberate ambient ALS manipulation remains a documented best-effort diagnostic boundary rather than an authorization or fencing mechanism
  • private DO RPC/alarm dispatch carries the outer request id into tenant facade calls, and canonical Control/runtime-to-Workflows transport forwards x-request-id for service-side correlation
  • persisted D1/DO owner records are bound to their Redis scope, canonical identities, positive safe-integer generations, and service-specific private endpoints before authenticated forwarding
  • delegated token issuance watches and revalidates the issuer in the final transaction; ambiguous Redis SET/EXEC outcomes rely on the bounded lock TTL instead of reusing an untrusted session
  • DO alarm ingress, mutation, and persisted-state readers revalidate shared identity limits, including well-formed Unicode and UTF-8 shard-dependent aggregate host-id bounds
  • DO owner resolution reads the owner record, typed delete lock, and Redis server time in one WATCH-scoped pipeline, removing an extra hot-path Redis round trip without weakening the delete fence
  • worker delete locks carry a whole: or version: operation kind plus a random token, are refreshed before the final mutation, and are token-checked inside the final WATCH snapshot; only whole-worker deletion blocks new DO ownership, so inactive-version deletion does not interrupt active DO traffic
  • the injected DO transport and owner-endpoint validator capture their critical intrinsics before tenant evaluation and protect request bounds, invoke serialization, private ownership markers, replay classification, owner-target selection, and owner-hint caching from tenant mutation
  • DO retries trust only do-runtime-authored ownership control headers; unknown-outcome direct failures replay only safe GET/HEAD requests, explicit pre-dispatch fence responses retain bounded rediscovery, and discarded response bodies are cancelled best-effort without delaying fallback
  • Control returns generic 5xx messages while preserving bounded structured server diagnostics; diagnostic strings are capped at 2,048 characters and log-only field aliases are normalized before emission
  • delete dry-run and commit paths share active/retained invariants, distinguish stable corruption from optimistic drift, and fence namespace membership against sibling route changes
  • Workflow restart publishes a short-lived target-version blocker before revalidating the active export, then atomically replaces it with the durable wf:by-version referrer; version delete checks both forms so it cannot pass through the restart handoff
  • Workflow list/status and Control routing paths retry supported route/delete drift while stable malformed workflow definitions, active metadata, and nonempty pattern projections fail closed; hot paths read only definitions relevant to the operation
  • worker discovery retains definitions-only workers after their last version or secret is removed, and whole-worker delete reports and removes orphan workflow definitions

Non-goals

  • no compatibility path for unsupported direct Redis writes or legacy invalid secret keys
  • no mixed-version fallback for in-tree tiers that ship together
  • application subnet topology remains a Terraform/AWS provider boundary; this PR does not duplicate VPC CIDR or Availability Zone validation
  • Kubernetes NetworkPolicies and Terraform/ECS security groups remain deployment-specific contracts; ECS intentionally retains its coarse shared runtime security group

Validation

Completed across the review cycle, with final default-build integration against 77533a2:

  • npm run lint
  • npm run lint:unused
  • npm run typecheck
  • npm run typecheck:strict
  • npm run test:unit
  • npm run compile:workerd (5 base configs); full integration compiled all 9 configs
  • cargo fmt --manifest-path rust/Cargo.toml --all --check
  • cargo clippy --manifest-path rust/Cargo.toml --workspace --all-targets -- -D warnings
  • cargo test --manifest-path rust/Cargo.toml --workspace
  • cargo deny --manifest-path rust/Cargo.toml check --config rust/deny.toml
  • npm run test:integration (54 files across 4 shards with default image build enabled; 53 passed initially, while workflows-runtime-core observed running before its queued assertion; a focused default-build rerun passed)
  • git diff --check

Replace brittle source-scanning assertions with behavioral unit coverage, add invalid persisted-cron integration coverage, and document intentional error and lock boundaries.

Signed-off-by: Lu Zhang <lu@wdl.dev>
Centralize repeated JS and Rust contracts for request handling, retries, Redis keys, observability, queue dispatch, ownership, and secret envelopes; align runtime and deployment wiring; and replace drift-prone fixtures and tests with shared behavioral coverage.

Signed-off-by: Lu Zhang <lu@wdl.dev>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates duplicated platform primitives across JS tiers and Rust sidecars by moving shared logic into common “owner” modules, then pinning cross-language behavior with fixture-backed tests to prevent drift (Redis key grammar, request-id sanitization, internal-auth envelopes, workflow payload limits, R2 metadata mapping, S3 retry policy, etc.).

Changes:

  • Centralize shared primitives (base64 codec, S3 retry loop, Redis token locks, optimistic retries, gateway header stripping, platform-domain normalization) and wire them into runtime/control/do-runtime/scheduler/workflows.
  • Replace source-scanning assertions with behavior/contract tests backed by shared fixtures (JS + Rust) to lock in key grammars and public error envelopes.
  • Refactor test harness loaders/stubs to import production owners (shared-* modules) instead of duplicating logic in per-test stubs.

Reviewed changes

Copilot reviewed 225 out of 227 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/unit/version.test.js Adds assertions for shared route-plane Redis key helpers in shared/version.js.
tests/unit/stream-prefix.test.js New unit test for stream line-prefixing helper.
tests/unit/s3-retry.test.js New unit tests for shared S3 transient retry policy/helpers.
tests/unit/runtime-wrapper-generate.test.js Tests wrapper generator parity across flavors (abort shim + class detection).
tests/unit/runtime-tail-worker.test.js Updates tail worker test wiring to import shared errors module.
tests/unit/runtime-service-binding.test.js Updates service-binding tests for new loader/tail envelope wiring.
tests/unit/runtime-r2-host.test.js Adds coverage for mapped R2 HTTP metadata extraction.
tests/unit/runtime-r2-client.test.js Adds coverage for R2 httpMetadata normalization + writing expiry header.
tests/unit/runtime-pool-boundary.test.js Updates boundary test to new runtime-load API (getLoadedWorkerStub).
tests/unit/runtime-loaded-facade-surface.test.js Uses repo-file URL injection for R2 utils instead of stubbed inline logic.
tests/unit/runtime-lib.test.js Verifies runtime base64 exports are sourced from shared owner + fail-closed semantics.
tests/unit/runtime-kv-binding.test.js Updates KV binding loader wiring for shared base64 + bounded body reader.
tests/unit/runtime-internal-auth.test.js Updates runtime internal auth harness for getLoadedWorkerStub.
tests/unit/runtime-do-client.test.js Adds regression test for DO owner-hint hint handling behavior.
tests/unit/runtime-dispatch-workflows.test.js Pins workflow payload limits against shared fixture/contract.
tests/unit/runtime-dispatch-handlers.test.js Extends dispatch tests for invalid base64 handling + falsey thrown value tail logging.
tests/unit/runtime-binding-surface.test.js Updates KV binding surface tests to use shared base64/bounded-body modules.
tests/unit/redis-lock.test.js New unit tests for shared Redis token lock helper.
tests/unit/r2-utils.test.js Adds tests for shared R2 bucket grammar + HTTP metadata mapping/expiry helpers.
tests/unit/queue-keys.test.js New unit tests + fixture-driven parser tests for shared queue key grammar.
tests/unit/internal-auth.test.js Pins internal-auth literals/rotation and failure envelope to shared fixture.
tests/unit/integration-test-plan.test.js Adds tests for tolerant integration-duration report parsing + warning behavior.
tests/unit/integration-pool.test.js Uses shared integration-environment constants/helpers for local env wiring.
tests/unit/gateway-websocket.test.js Updates websocket tests to import gateway-lib module.
tests/unit/gateway-lib.test.js Adds tests for internal header stripping helper.
tests/unit/fake-redis.test.js Ensures shared-redis stub uses production decode semantics + fake WatchError.
tests/unit/cross-language-identity.test.js Extends identity fixture coverage to KV IDs.
tests/unit/control-shared-stub.test.js New tests for control shared stub re-export contract and bounded-body enforcement.
tests/unit/control-s3.test.js Wires control S3 module tests to shared S3 retry module.
tests/unit/control-r2.test.js Adds tests for consolidated control R2 object request/error/not-found handling.
tests/unit/control-logs-tail.test.js Uses compiled auth roles + shared ns-pattern in log-tail handler tests.
tests/unit/control-index.test.js Adds whoami URL omission test + uses shared hostname parsing.
tests/unit/control-handlers-workers.test.js Uses compiled control graph instead of local control-lib stub.
tests/unit/control-d1-store.test.js Uses shared Redis stub + shared ns-pattern replacement in D1 store tests.
tests/unit/control-d1-model.test.js Uses shared ns-pattern replacement in D1 model tests.
tests/unit/bounded-body.test.js Adds test coverage for new bounded stream reader behavior and edge cases.
tests/integration/service-bindings-rpc.test.js Removes throw-literal eslint disables (tests still throw plain objects).
tests/integration/queue-native-dispatch.test.js Adds integration coverage for invalid base64 queue message handling.
tests/integration/helpers/env.js Consolidates local integration env constants/helpers.
tests/integration/cron-triggers.test.js Adds integration test for invalid persisted cron ref cleanup.
tests/helpers/mocks/observability.js No-op observability mock now re-exports production formatError/sanitizeRequestId.
tests/helpers/mocks/fake-redis.js Adds shared-redis stub URL helper backed by production RESP decode semantics.
tests/helpers/load-shared-module.js Adds shared-base64 module mapping for runtime-lib module loader.
tests/helpers/load-runtime-r2-binding.js Wires runtime R2 binding loader to shared S3 retry module.
tests/helpers/load-runtime-dispatch.js Wires runtime dispatch loader to shared errors module for tail-forwarder.
tests/helpers/load-do-owner-registry.js Uses sharedRedisStubUrl for shared-redis replacements.
tests/helpers/load-do-host-actor.js Reuses production DO ownership code constants via protocol data-url.
tests/helpers/load-d1-owner-registry.js Uses sharedRedisStubUrl for shared-redis replacements.
tests/helpers/load-control-routing.js Uses control shared stub owner rather than local literal constants.
tests/helpers/load-control-lib.js Wires compiled control graph to shared-errors + control-lib mapping.
tests/helpers/load-auth-index.js Uses sharedRedisStubUrl + shared redis-lock/version module wiring.
tests/helpers/control-handler-harness.js Drops obsolete formatError re-export from no-op harness stub.
tests/fixtures/workflow-limits.json New fixture pinning workflow payload limits + too-large code.
tests/fixtures/scheduler-projection-contract.json New fixture pinning scheduler projections and Redis key shapes.
tests/fixtures/request-id-sanitizer.json Extends request-id fixture with Unicode whitespace/BOM cases and UTF-8 length cases.
tests/fixtures/queue-key-parse.json New cross-language fixture for queue key parser behavior.
tests/fixtures/observability-contract.json Extends observability fixture with structured-log envelope contract.
tests/fixtures/internal-auth-contract.json New cross-language fixture for internal-auth literals and rotation semantics.
tests/fixtures/cross-language-identity.json Extends identity fixture with KV ID cases.
terraform/modules/compute/security_groups.tf Clarifies ECS runtime SG sharing constraints vs Kubernetes NetworkPolicies.
system-workers/s3-cleanup/src/index.js Switches cleanup worker to shared S3 retry helper.
shared/version.js Adds shared constants + Redis key helpers for route-plane registries; adds next-version key.
shared/secret-envelope.js Enforces canonical JSON field ordering for secret envelope (stable cross-language encoding).
shared/s3-retry.js New shared S3 transient retry helper module.
shared/redis-lock.js New shared Redis token lock helpers (acquire/renew/release).
shared/queue-keys.js Tightens queue key parsers via shared ns/queue-name validation.
shared/owner-lease.js Extracts generic optimistic retry helper and reuses it for watch retry loop.
shared/observability.js Updates request-id sanitization to enforce 128 UTF-8 byte limit.
shared/ns-pattern.js Adds platform domain normalization helpers + D1 database ID regex owner.
shared/internal-auth.js Exposes internal-auth failure code/message constants; uses them in response.
shared/d1-transport.js Removes obsolete lint-ignore comment.
shared/bounded-body.js Adds shared readBoundedStreamBytes helper and reuses it from readBoundedBytes.
shared/base64.js Makes Buffer base64 decoding fail-closed by validating against atob-like grammar.
scripts/run-parallel.js Uses extracted stream-prefix helper.
scripts/integration-test-plan.js Splits duration report parsing (full report vs records) and improves tolerance/warnings.
scripts/integration-environment.js Centralizes local integration constants and helper constructors.
scripts/_stream-prefix.js New shared helper for prefixing stream output lines.
rust/workflows/src/tests.rs Uses shared temp-env override helper from wdl-rust-common test-support.
rust/workflows/src/server.rs Uses shared internal-auth failure response + constants from wdl-rust-common.
rust/workflows/src/api/tick/dispatch.rs Uses shared runtime endpoint selector + shared workflow too-large code constant.
rust/workflows/src/api/progress.rs Uses shared runtime endpoint selector function.
rust/workflows/src/api/limits.rs Introduces workflow payload-too-large code const + fixture parity test.
rust/workflows/src/api.rs Adds shared runtime endpoint helper for workflows crate.
rust/workflows/Cargo.toml Adds dev-dep on wdl-rust-common with test-support feature.
rust/supervisor/src/renew.rs Uses shared temp-env override helper for tests.
rust/supervisor/src/drain.rs Uses shared temp-env override helper for tests.
rust/supervisor/Cargo.toml Adds dev-dep on wdl-rust-common test-support feature.
rust/scheduler/src/test_fixtures.rs New fixture loader module for scheduler projection contract.
rust/scheduler/src/queue/registry.rs Adds deadlock-avoidance note + fixture-driven hydrate_consumer test.
rust/scheduler/src/queue/keys.rs Removes inline tests in favor of shared fixture/contract coverage.
rust/scheduler/src/queue/delayed.rs Uses shared wake stream/field constants from wdl-rust-common queue_keys.
rust/scheduler/src/lib.rs Adds test_fixtures module behind cfg(test).
rust/scheduler/src/cron/sweep.rs Uses shared cron key parsing/scan pattern + slot expiry helper; fixture-driven tests.
rust/scheduler/src/cron/slot.rs Adds slot_expire_at helper + fixture-driven tests.
rust/scheduler/src/cron/reference.rs Centralizes cron worker key helpers + fixture-driven projection contract tests.
rust/redis-proxy/src/queue.rs Uses shared delayed-wake stream/field constants from wdl-rust-common.
rust/redis-proxy/src/lib.rs Uses shared internal-auth failure response + constants from wdl-rust-common.
rust/redis-proxy/src/kv/cursor.rs Extracts pipeline builder for existence probes + adds test for packed commands.
rust/common/src/test_env.rs New serialized process-env override helper (test-support gated).
rust/common/src/request_id.rs Expands request-id sanitization to handle Unicode whitespace/BOM trimming semantics.
rust/common/src/metrics.rs Uses shared observability fixture loader rather than duplicating include_str logic.
rust/common/src/lib.rs Adds test-support feature-gated module export and shared fixture helpers.
rust/common/Cargo.toml Adds test-support feature flag.
runtime/tail-forwarder.js Introduces shared tail envelope helper with finish + finishError.
runtime/runtime.js Updates module ownership comment (runtime/load.js owns wrapper).
runtime/r2-utils.js Adds shared R2 HTTP metadata mapping + expiry helpers.
runtime/r2-client.js Normalizes httpMetadata via shared mapping + cache expiry helpers.
runtime/load/wrapper-generate.js Deduplicates generated wrapper source snippets across wrapper flavors.
runtime/load/env-build.js Simplifies requiredCallerSecrets materialization and avoids null-prototype objects.
runtime/load.js Adds shared getLoadedWorkerStub wrapper (record isolate; optional sibling eviction).
runtime/lib.js Uses shared base64 codec owner and re-exports it for runtime helpers.
runtime/internal.js Switches to getLoadedWorkerStub for internal dispatch loader path.
runtime/index.js Switches to getLoadedWorkerStub and enables eviction only for gateway-routed active loads.
runtime/dispatch/workflow-json.js Exports workflow payload limit constants + too-large code constant.
runtime/dispatch.js Uses shared tail envelope helper with error normalization.
runtime/config-user.capnp Embeds new shared modules (base64, s3-retry, shared-errors) into workerd bundles.
runtime/bindings/service.js Uses getLoadedWorkerStub and shared tail envelope helper; avoids eviction for pinned versions.
runtime/bindings/r2/metadata.js Uses shared R2 metadata mapping + cache expiry helpers.
runtime/bindings/r2.js Uses shared S3 retry helper module.
runtime/bindings/kv.js Uses shared base64 + bounded-body stream reader.
runtime/bindings/do.js Uses shared do-transport hint-cache wrappers and replay policy helper.
package.json Tightens knip hints policy and adds yaml dev dependency.
package-lock.json Locks yaml@2.9.0 in dev deps.
knip.jsonc Treats runtime/d1-client.js as an entry (injected into loaded workers) instead of ignored file.
gateway/websocket.js Uses shared gateway internal header stripping helper.
gateway/runtime.js Uses shared Redis key constants from shared-version.
gateway/lib.js Introduces shared internal header stripping helper.
gateway/index.js Uses shared header stripping helper + shared platform domain normalization owner.
docs/testing.md Documents preference for importing production owners in tests and sharedRedisStubUrl usage.
docs/security.zh.md Clarifies internal-auth token rotation semantics wording.
docs/rust-sidecar-standards.zh.md Documents test-support feature for shared temp-env override helper.
docs/rust-sidecar-standards.md Documents test-support feature for shared temp-env override helper.
docs/redis-key-layout.zh.md Documents bundle __meta__ parsing/fail-closed semantics.
docs/redis-key-layout.md Documents bundle __meta__ parsing/fail-closed semantics.
docs/modules/workflows.zh.md Documents shared workflow payload limits contract + shared runtime endpoint selector.
docs/modules/workflows.md Documents shared workflow payload limits contract + shared runtime endpoint selector.
docs/modules/runtime.zh.md Documents shared runtime loader wrapper and env budget estimation approach.
docs/modules/runtime.md Documents shared runtime loader wrapper and env budget estimation approach.
docs/modules/queues-cron.zh.md Documents shared wake stream field owners + shared queue parser fixture.
docs/modules/queues-cron.md Documents shared wake stream field owners + shared queue parser fixture.
docs/modules/log-tail-observability.md Documents that tail-forwarder owns consistent envelope timing/thrown normalization.
docs/modules/infra.zh.md Adds note about ECS SG granularity vs Kubernetes caller matrices.
docs/modules/infra.md Adds note about ECS SG granularity vs Kubernetes caller matrices.
docs/modules/gateway.zh.md Documents gateway internal-header stripping behavior + platform domain normalization.
docs/modules/gateway.md Documents gateway internal-header stripping behavior + platform domain normalization.
docs/modules/durable-objects.zh.md Documents DO ownership code vocabulary owner + hint-cache transport semantics.
docs/modules/durable-objects.md Documents internal-auth requirement for do-runtime + ownership vocabulary owner.
docs/modules/cli.zh.md Clarifies when control returns namespace URL hint.
docs/modules/cli.md Clarifies when control returns namespace URL hint.
docker-compose.images.yml Deduplicates published image definitions via YAML anchors.
do-runtime/protocol.js Introduces DO_OWNERSHIP_CODE vocabulary constants.
do-runtime/owner-client.js Uses DO_OWNERSHIP_CODE constants for stable error codes.
do-runtime/config.capnp Embeds new shared modules (base64, s3-retry, respond alias).
do-runtime/actor.js Uses DO_OWNERSHIP_CODE constants for stable error codes.
deploy/kubernetes/README.zh.md Refactors local metadata guard into reusable kustomize component.
deploy/kubernetes/README.md Refactors local metadata guard into reusable kustomize component.
deploy/kubernetes/overlays/local-metadata-guard/metadata-egress-policy.yaml Deletes per-overlay policy in favor of shared component.
deploy/kubernetes/overlays/local-metadata-guard/kustomization.yaml Uses shared metadata-guard component.
deploy/kubernetes/overlays/local-ingress-metadata-guard/kustomization.yaml Uses shared metadata-guard component.
deploy/kubernetes/components/metadata-guard/metadata-egress-policy.yaml New reusable metadata egress NetworkPolicy component.
deploy/kubernetes/components/metadata-guard/kustomization.yaml Declares metadata-guard as a kustomize Component.
deploy/kubernetes/base/network-policy.yaml Adjusts ingress source list (removes system-runtime selector entry).
control/s3.js Imports S3 retry constant from shared owner.
control/optimistic.js Adds control wrapper around shared optimistic retries + WatchError classification.
control/json-body.js Adds shared JSON body parser with bounded-body support and stable error envelopes.
control/handlers/versions.js Uses shared bundle meta parsing + asset prefix helper.
control/handlers/promote.js Uses shared platformDomainFromEnv owner.
control/handlers/ns-secrets.js Adds explicit BundleMetaError handling/logging at namespace secret mutation boundary.
control/handlers/hosts.js Uses shared platformDomainFromEnv + shared hostsKey helper.
control/handlers/delete-plan.js Uses shared key constants and helpers for namespace/hosts membership sets.
control/errors.js Introduces ControlAbort + coded error response helpers with safe JSON error contract.
control/d1-model.js Uses shared D1 database ID regex from shared ns-pattern owner.
control/d1-migrations.js Uses shared Redis token lock helpers; logs lock-release failures safely.
control/bundle.js Uses shared workerd dependency version parser helper.
control/bindings.js Uses shared D1 database ID regex; preserves LinkError at binding link boundary.
auth/lib.js Clarifies AuthPolicyError intent relative to control error shape without cross-imports.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread runtime/r2-utils.js
Signed-off-by: Lu Zhang <lu@wdl.dev>
@cnluzhang cnluzhang marked this pull request as ready for review July 12, 2026 08:55
@cnluzhang cnluzhang requested a review from Copilot July 12, 2026 09:03

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 225 out of 227 changed files in this pull request and generated no new comments.

Pin internal auth and request-id contracts, protect DO transport and wrapper intrinsics from tenant mutation, tighten secret and error handling, and align tests and module documentation.

Signed-off-by: Lu Zhang <lu@wdl.dev>
@cnluzhang cnluzhang changed the title Consolidate duplicated platform primitives Consolidate platform primitives and harden runtime contracts Jul 13, 2026
Capture owner-endpoint parsing intrinsics before tenant code runs, add adversarial regression coverage, and align compatibility, module, and changelog documentation with the final branch behavior.

Signed-off-by: Lu Zhang <lu@wdl.dev>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 244 out of 246 changed files in this pull request and generated no new comments.

Reset inherited build definitions in published-image overrides and pin the Compose configuration contract.

Signed-off-by: Lu Zhang <lu@wdl.dev>
- Validate owner endpoints, scoped records, generations, and canonical identities.
- Harden D1, R2, DO alarm, request-id, and RPC trust boundaries.
- Align JS/Rust scheduler contracts, Terraform network checks, tests, and docs.

Signed-off-by: Lu Zhang <lu@wdl.dev>
@cnluzhang cnluzhang requested a review from Copilot July 14, 2026 10:07

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

- Document structural DO RPC serialization and its 1 MiB boundary.
- Record Terraform subnet validation as a plan-time upgrade impact.

Signed-off-by: Lu Zhang <lu@wdl.dev>
- Capture Map intrinsics so cached owner metadata cannot be leaked or forged.
- Reject empty service target metadata during promote and watched deploy commit.
- Clarify alarm handler snapshot semantics and optimistic retry ownership.

Signed-off-by: Lu Zhang <lu@wdl.dev>
- Recheck watched routes when dependent metadata disappears before EXEC.
- Retry promote, platform alias, and bump races while preserving stable corruption failures.
- Cover supported active-version transitions and projection cleanup.

Signed-off-by: Lu Zhang <lu@wdl.dev>
Fence delete and DO ownership transitions, propagate invocation-local request context, bound diagnostics and response bodies, align queue and version contracts, update SigV4, and pin shutdown windows across deployment targets.

Signed-off-by: Lu Zhang <lu@wdl.dev>
Pipeline owner, delete-lock, and Redis-time reads into one watched snapshot, align Redis test doubles, and retry workflow metadata reads without masking stable corrupt metadata during unrelated route churn.

Signed-off-by: Lu Zhang <lu@wdl.dev>
@cnluzhang cnluzhang force-pushed the refactor/dup-audit branch from 38ee90a to 75ec567 Compare July 15, 2026 13:29
Fence delegated issuance and deletion races
Centralize DO alarm, ownership, and transport validation
Align cross-tier fixtures, diagnostics, and request propagation

Signed-off-by: Lu Zhang <lu@wdl.dev>
Fence version deletion across workflow restart handoff
Preserve definitions-only workers and fail closed on malformed projections
Make request context outermost-only and enforce forward-only worker bounds
Return subnet validation to Terraform and AWS provider boundaries

Signed-off-by: Lu Zhang <lu@wdl.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants