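fix(cypher): switch to the global_fetch_strictly_public flag to fix same-zone 1042 (revert service binding)
richblack's decision: the service binding (previous commit) is static, and adding or changing one requires redeploying cypher, so it is dropped.
Switch to the global_fetch_strictly_public compatibility flag instead: one added line in cypher's wrangler.toml
makes fetch() go through the public front door, so the self-hosted same-zone fetch (cypher and auth both sit in the
{sub}.workers.dev zone) also works.
- wrangler.toml: add global_fetch_strictly_public to compatibility_flags (remove SVC_AUTH_*)
- auth-dispatcher.ts / types.ts: restore to the state before the service binding (plain fetch to workers.dev)
- Security (official docs): the only side effect is a self-loop, and only when fetching the Worker's own hostname; cypher does not self-loop
- Official and self-host share the same toml: official was already cross-zone so its behavior is unchanged, and self-host is fixed
- Rules restored: the service binding ban in rule 02/03/CLAUDE.md/pre-bash-guard stays as it was
SDD: credential-primitives-wasm Phase 7 (A → dropped → B). tsc exit 0.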
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -2,7 +2,14 @@ name = "arcrun-cypher-executor"
|
||||
main = "src/index.ts"
|
||||
compatibility_date = "2025-02-19"
|
||||
workers_dev = true
|
||||
compatibility_flags = ["nodejs_compat"]
|
||||
# global_fetch_strictly_public:讓 fetch() 走公網「前門」,解 self-hosted 的 same-zone 1042
|
||||
# (credential-primitives-wasm Phase 7,2026-06-06)。
|
||||
# 病因(官方 docs):self-hosted 的 cypher 與 auth worker 同在 {sub}.workers.dev zone,
|
||||
# cypher fetch auth 屬 same-zone fetch,CF 預設擋(1042)。官方 cypher 在 cypher.arcrun.dev、
|
||||
# 打 auth 的 *.workers.dev 屬跨 zone 故不踩。此 flag 讓 same-zone fetch 改走公網前門 → 同 zone 也通。
|
||||
# 安全(已查證官方 docs):唯一副作用是「Worker fetch 自己 hostname 會 self-loop」,
|
||||
# 但 cypher 只打外部 API + sibling auth worker(皆非自己 hostname)→ 不 self-loop。
|
||||
compatibility_flags = ["nodejs_compat", "global_fetch_strictly_public"]
|
||||
|
||||
[[kv_namespaces]]
|
||||
binding = "EXEC_CONTEXT"
|
||||
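Review bot: The self-loop safety argument in the new comment above compatibility_flags depends on cypher never fetching its own hostname, but nothing in this hunk enforces that; it is stated only as a comment. The comment says cypher calls external APIs, so if any of those URLs come from workflow input, consider an explicit check in the fetch path that rejects a target whose hostname equals the Worker's own, so the invariant fails closed instead of resting on a wrangler.toml comment. The flag is also Worker-wide: it changes routing for every fetch() in cypher, not only the calls to the auth workers, which is worth stating in the comment.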
@@ -91,24 +98,6 @@ service = "arcrun-date-ops"
|
||||
binding = "SVC_VALIDATE_JSON"
|
||||
service = "arcrun-validate-json"
|
||||
|
||||
# Auth primitive service bindings(credential-primitives-wasm Phase 7,2026-06-06)
|
||||
# 為何:auth-dispatcher 原用 fetch(workers.dev) 打同帳號 auth worker,self-hosted 帳號踩 CF 1042
|
||||
# (壓測階段 11)。service binding 是 CF 內部 RPC,繞開同 zone 522 + 同帳號 1042。
|
||||
# 範圍:只綁「已部署」的 auth worker。auth_mtls 尚未部署(.component-builds 無、官方 404),
|
||||
# 綁不存在的 worker 會讓 deploy 報 "referenced Worker not found"(見上 ai_transform 教訓),
|
||||
# 故 mtls 待它部署後再加。auth-dispatcher 對無 binding 的 primitive 自動 fallback fetch。
|
||||
[[services]]
|
||||
binding = "SVC_AUTH_STATIC_KEY"
|
||||
service = "arcrun-auth-static-key"
|
||||
|
||||
[[services]]
|
||||
binding = "SVC_AUTH_SERVICE_ACCOUNT"
|
||||
service = "arcrun-auth-service-account"
|
||||
|
||||
[[services]]
|
||||
binding = "SVC_AUTH_OAUTH2"
|
||||
service = "arcrun-auth-oauth2"
|
||||
|
||||
# ai_transform_compile / ai_transform_run 已於 Phase 2(2026-05-29)刪除
|
||||
# (Arcrun 是 AI 呼叫的工具,工作流不該內嵌 AI 節點)。對應 worker 已 wrangler delete,
|
||||
# service binding 一併移除(否則 deploy 報 referenced Worker not found)。
|
||||
|
||||
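Review bot: The removed comment says the service bindings worked around both the same-zone 522 and the same-account 1042, while the replacement comment on global_fetch_strictly_public only claims to fix 1042; please confirm the 522 case does not come back for self-hosted accounts and record that in the new comment. Dropping SVC_AUTH_STATIC_KEY, SVC_AUTH_SERVICE_ACCOUNT and SVC_AUTH_OAUTH2 also moves cypher's calls to the credential workers from internal RPC to the public workers.dev route, so the review should check how those auth workers authenticate their caller, which this diff does not show.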