
Guardrails & Failure Behavior

1. Security Guardrails

1.1 allowed_hosts Enforcement

Mechanism: The Router Worker validates the X-Public-Host header of every request against the allowed_hosts list in the runtime configuration (EDGE_CONFIG). Failure Mode: If a request arrives for an unknown host, the Router returns 404 Unknown project host. This prevents domain spoofing and unauthorized use of the container.

1.2 Access Control

Mechanism: The container-config endpoint is protected by a shared secret (the X-Edge-Auth header) known only to the Workers. Failure Mode: A missing or invalid secret returns 401 Unauthorized.

2. Billing & Usage Enforcement

2.1 Subscription Status

Mechanism: The EDGE_CONFIG contains a subscription_status field. Behavior:

  • active: Requests processed normally.
  • past_due: Requests processed normally (grace period).
  • paused: Fail-Closed. The Router returns 402 Payment Required (JSON) immediately. It does not proxy the request to the origin, preventing further infrastructure costs.

2.2 Plan Limits

Mechanism: Limits (e.g., custom domains, monthly hits) are enforced by the Control Plane (Supabase/Stripe). Behavior:

  • Soft Limits: Hitting a limit triggers an auto-upgrade attempt.
  • Hard Limits: If upgrade fails or max tier reached, the subscription moves to paused (see above).
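The pre-proxy checks from 1.1 and 2.1 as one pure function, added here as an illustration and not the project's own Router code. The header and field names (X-Public-Host, allowed_hosts, subscription_status) and the status codes are from this page; the function name, its return shape, the case-insensitive host comparison, and the choice to treat an unrecognised subscription_status as fail-closed are assumptions of this example.

```javascript
// Added example: Router Worker guardrails from sections 1.1 and 2.1.
// Accepts either a Workers/Fetch Headers object (has .get) or a plain
// object keyed by lowercase header name, so it runs outside a Worker too.
function readHeader(headers, name) {
  if (headers && typeof headers.get === "function") return headers.get(name) || "";
  return (headers && headers[name.toLowerCase()]) || "";
}

const PROXY = { action: "proxy" };

// Returns PROXY when the request may be forwarded to the origin, otherwise
// { action: "reject", status, body } describing the early response.
function evaluateGuardrails(edgeConfig, headers) {
  const publicHost = readHeader(headers, "X-Public-Host").trim().toLowerCase();
  const allowed = Array.isArray(edgeConfig.allowed_hosts)
    ? edgeConfig.allowed_hosts.map((h) => String(h).toLowerCase())
    : [];

  // 1.1 allowed_hosts enforcement: missing or unlisted host -> 404.
  if (!publicHost || !allowed.includes(publicHost)) {
    return { action: "reject", status: 404, body: "Unknown project host" };
  }

  // 2.1 subscription status: active and past_due (grace period) proxy;
  // paused is fail-closed with a JSON 402 and never reaches the origin.
  switch (edgeConfig.subscription_status) {
    case "active":
    case "past_due":
      return PROXY;
    case "paused":
    default:
      // Assumption of this example: an unknown or absent status is handled
      // like paused, so a malformed config cannot open the proxy by accident.
      return {
        action: "reject",
        status: 402,
        body: JSON.stringify({ error: "Payment Required", status: "paused" }),
      };
  }
}

// Constructed sample EDGE_CONFIG for trying the function locally.
const SAMPLE_EDGE_CONFIG = {
  allowed_hosts: ["app.example.com", "www.example.com"],
  subscription_status: "active",
};

module.exports = { evaluateGuardrails, SAMPLE_EDGE_CONFIG, PROXY };
```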

3. Resiliency Guardrails

3.1 Configuration Caching

Mechanism: Workers cache EDGE_CONFIG and ROUTING_MAP in caches.default for about 60 seconds. Failure Mode (Supabase Down): If the container-config fallback is unreachable, the Worker keeps serving traffic from the stale cached config until that cache entry expires. Failure Mode (KV Empty + Supabase Down): Fail-Closed. The system cannot route traffic safely without a config, so the Worker returns 500.

3.2 Logging Reliability

Mechanism: Analytics Engine and R2 logging calls are wrapped in try/catch blocks and executed via ctx.waitUntil, so they run after the response is sent. Failure Mode: If logging fails (e.g., the R2 bucket is missing), the error is written to the Worker console and the tracking request still completes successfully. The priority is always data collection over observability.

4. Drift Detection

4.1 System of Record

Supabase is the System of Record. Cloudflare KV is a Runtime Cache.

4.2 Automated Repair

Mechanism: The nightly-kv-drift-check job runs once a day.

  • Check: Compares config_version in DB vs. KV.
  • Action: If mismatch, overwrites KV with DB state via sync-edge-config.
  • Outcome: Ensures consistency without manual intervention.

Released under proprietary license.