MBMarket BenderSpecification system
10.01 · Frontend and APIs

Static shell plus authenticated Workers boundaries

This specification uses Cloudflare Pages Direct Upload from an allowlisted dist/. The future product may use Pages or Workers Assets for the frontend. Workers own API routing, token verification, authorization, rate limits, request IDs and calls to bound services. Preview and production have separate names, bindings, secrets, databases, buckets, network flags and allowlists.

10.02 · Durable Objects and WebSockets

One SQLite-backed object per match ID

The Match DO owns the state revision, transitions, persisted timestamps, participant connections and effect commands. Critical state is written transactionally before broadcast/effects because memory can reset. The DO owns hibernatable WebSockets and sends snapshot+revision on reconnect. Alarms wake deadline/reconciliation work but may run late; every guard evaluates stored timestamps.

10.03 · Queues and Workflows

Derived async work versus durable multi-step effects

Queues

Use for replay indexing, analytics and bounded background reconciliation. Delivery is at least once, so every message carries a stable idempotency key; configure retries and a dead-letter queue with an operator runbook.

Workflows

Use for multi-step settlement/refund, signer rotation or recovery where steps, retries, pauses and external confirmation must persist. A workflow coordinates effects; the Match DO/immutable decision remains authority.

10.04 · Storage assignment

Consistency follows responsibility

ProductUseNot for
DO SQLiteAuthoritative active-match state, transitions, effect outboxGlobal analytics
D1Users/wallet refs, challenges, match indexes, settlement/evidence indexes, decisionsConcurrent active-match authority split from DO
R2Replay segments, manifests, screenshots/test evidence, large append-only artifactsMutable coordination
KVPublic/non-authoritative cached configuration and source metadataFinancial, credential or match truth
SecretsService credentials, API tokens and wrapping configurationPer-user plaintext signer database or client assets

If D1 read replication is enabled, asynchronously updated replicas may lag; use Sessions/bookmarks when sequential consistency is required.

10.05 · Environments and release

Testnet preview before production

  1. Build a deterministic allowlisted artifact and manifest.
  2. Run content/link/route/accessibility/secret checks locally.
  3. Deploy preview with testnet-only bindings and verify direct routes/flows.
  4. Promote or deploy the identical verified artifact to production.
  5. Record Wrangler version, deployment ID/version URL, artifact hash, checks and rollback target.
10.06 · Logging, metrics and recovery

Correlated and redacted

Structured logs use request/session/account/match/intent/verdict/execution/decision correlations with opaque credential references only. Metrics cover turn latency/errors, stale feeds, risk verdicts, signing/exchange errors, reconciliation gaps, residual exposure, DO transitions/alarms, queue retries/DLQ and settlement latency. Traces stop at sensitive signing payloads. Recovery procedures cover deployment rollback, DO migration, queue replay, replay rebuild and exchange/Privy outage.

10.07 · Rate limits and abuse protection

Principal, account, signer and match scopes

Apply authentication, object-level authorization, schema limits, request body limits, replay/idempotency protection and quotas at the Worker edge. Sensitive/master/admin operations get stronger rate limits and step-up controls. Tool execution limits are enforced independently of client limits so a compromised agent session cannot create unbounded calls.

Navigate specification

Search pages and sections