supabase/functions/sync-edge-config
Fileoverview
Sync Edge Config Edge Function
Authoritative sync mechanism from Supabase (source of truth) to Cloudflare KV (runtime mirror). This is the single point of truth for all KV synchronization.
Cloudflare Architecture Context
| Attribute | Value |
|---|---|
| Classification | 🟢 ACTIVE (CRITICAL) |
| Position | Supabase (Source of Truth) → THIS FUNCTION → Cloudflare KV (Runtime) |
| Receives Public Traffic | No (internal service calls only) |
| Latency Sensitive | No (async sync, not on request path) |
| Safe to Retry | Yes (idempotent KV writes) |
| Failure Behavior | Fail-closed (returns error, does not degrade silently) |
This function is the authoritative sync point between Supabase and Cloudflare. All runtime configuration flows through this function during:
- Container provisioning (sgtm-containers → sync-edge-config)
- Domain verification (verify_custom_domain → sync-edge-config)
- Domain deletion (delete_custom_domain → sync-edge-config)
- Nightly drift repair (nightly-kv-drift-check → sync-edge-config logic)
KV Namespaces Written:
- EDGE_CONFIG: container:<id> → Full runtime config JSON
- LOADER_TOKEN_MAP: loader:<token> → Container ID string
- SITE_REGISTRY: site:<host> → Site-specific config (tokens, cookie domain)
NOT Written by This Function:
- ROUTING_MAP: Managed exclusively by Infrastructure Provisioner (infra-provisioner)
Endpoint
POST /sync-edge-config - Sync container config to KV
Endpoint
DELETE /sync-edge-config - Remove container config from KV
Auth
Required - Service role or JWT
Remarks
Phase 2 Infrastructure: Supabase → Cloudflare KV Runtime Config Sync
Invariants:
- KV state MUST reflect Supabase state exactly
- KV writes are idempotent
- Errors are surfaced, never silent
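
The invariants above, modelled as an added TypeScript example (not the project's own code). An in-memory Map stands in for Cloudflare KV; the ContainerRecord fields, the `NAMESPACE/key` string layout and the function names are assumptions, and only the namespace names and key prefixes come from this page. It detects missing or changed keys only, not stale ones.

```typescript
// Added example: in-memory model of the sync invariants. Record fields are assumed.
type Namespace = "EDGE_CONFIG" | "LOADER_TOKEN_MAP" | "SITE_REGISTRY"; // ROUTING_MAP is never written here
type KvStore = Map<string, string>; // key "<NAMESPACE>/<key>", stand-in for Cloudflare KV

interface ContainerRecord { // hypothetical shape of the Supabase row
  id: string;
  loaderToken: string;
  hosts: string[];
  cookieDomain: string;
}

// Desired KV state, derived only from the source of truth.
function desiredEntries(c: ContainerRecord): Map<string, string> {
  const out = new Map<string, string>();
  const put = (ns: Namespace, key: string, value: string): void => { out.set(`${ns}/${key}`, value); };
  put("EDGE_CONFIG", `container:${c.id}`, JSON.stringify(c));
  put("LOADER_TOKEN_MAP", `loader:${c.loaderToken}`, c.id);
  c.hosts.forEach((host) => {
    const site = { containerId: c.id, loaderToken: c.loaderToken, cookieDomain: c.cookieDomain };
    put("SITE_REGISTRY", `site:${host}`, JSON.stringify(site));
  });
  return out;
}

// Keys whose mirrored value is missing or differs from the desired value.
function findDrift(c: ContainerRecord, kv: KvStore): string[] {
  const drift: string[] = [];
  desiredEntries(c).forEach((value, key) => {
    if (kv.get(key) !== value) drift.push(key);
  });
  return drift;
}

// Idempotent sync: writes full values, verifies, and throws rather than degrading silently.
function syncContainer(c: ContainerRecord, kv: KvStore): number {
  if (!c.id || !c.loaderToken) throw new Error("sync refused: incomplete container record");
  const entries = desiredEntries(c);
  entries.forEach((value, key) => { kv.set(key, value); });
  const remaining = findDrift(c, kv);
  if (remaining.length > 0) throw new Error(`sync failed for: ${remaining.join(", ")}`);
  return entries.size;
}
```

Running `syncContainer` twice on the same record leaves the store unchanged after the first call, and `findDrift` is the comparison a nightly repair pass would run before re-syncing.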