10 · Cloudflare Infrastructure
Cloudflare hosts the specification and the planned Market Bender product layer. Each storage/compute product is assigned according to authority, consistency, delivery and artifact requirements.
Static shell plus authenticated Workers boundaries
This specification uses Cloudflare Pages Direct Upload from an allowlisted dist/. The future product may use Pages or Workers Assets for the frontend. Workers own API routing, token verification, authorization, rate limits, request IDs and calls to bound services. Preview and production have separate names, bindings, secrets, databases, buckets, network flags and allowlists.
One SQLite-backed object per match ID
The Match DO owns the state revision, transitions, persisted timestamps, participant connections and effect commands. Critical state is written transactionally before broadcast/effects because memory can reset. The DO owns hibernatable WebSockets and sends snapshot+revision on reconnect. Alarms wake deadline/reconciliation work but may run late; every guard evaluates stored timestamps.
Derived async work versus durable multi-step effects
Queues
Use for replay indexing, analytics and bounded background reconciliation. Delivery is at least once, so every message carries a stable idempotency key; configure retries and a dead-letter queue with an operator runbook.
Workflows
Use for multi-step settlement/refund, signer rotation or recovery where steps, retries, pauses and external confirmation must persist. A workflow coordinates effects; the Match DO/immutable decision remains authority.
Consistency follows responsibility
| Product | Use | Not for |
|---|---|---|
| DO SQLite | Authoritative active-match state, transitions, effect outbox | Global analytics |
| D1 | Users/wallet refs, challenges, match indexes, settlement/evidence indexes, decisions | Concurrent active-match authority split from DO |
| R2 | Replay segments, manifests, screenshots/test evidence, large append-only artifacts | Mutable coordination |
| KV | Public/non-authoritative cached configuration and source metadata | Financial, credential or match truth |
| Secrets | Service credentials, API tokens and wrapping configuration | Per-user plaintext signer database or client assets |
If D1 read replication is enabled, asynchronously updated replicas may lag; use Sessions/bookmarks when sequential consistency is required.
Testnet preview before production
- Build a deterministic allowlisted artifact and manifest.
- Run content/link/route/accessibility/secret checks locally.
- Deploy preview with testnet-only bindings and verify direct routes/flows.
- Promote or deploy the identical verified artifact to production.
- Record Wrangler version, deployment ID/version URL, artifact hash, checks and rollback target.
Correlated and redacted
Structured logs use request/session/account/match/intent/verdict/execution/decision correlations with opaque credential references only. Metrics cover turn latency/errors, stale feeds, risk verdicts, signing/exchange errors, reconciliation gaps, residual exposure, DO transitions/alarms, queue retries/DLQ and settlement latency. Traces stop at sensitive signing payloads. Recovery procedures cover deployment rollback, DO migration, queue replay, replay rebuild and exchange/Privy outage.
Principal, account, signer and match scopes
Apply authentication, object-level authorization, schema limits, request body limits, replay/idempotency protection and quotas at the Worker edge. Sensitive/master/admin operations get stronger rate limits and step-up controls. Tool execution limits are enforced independently of client limits so a compromised agent session cannot create unbounded calls.