-
Notifications
You must be signed in to change notification settings - Fork 0
feat(deploy): Phase-1 signed-out go-live for agentculture.org/learn #6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # wrangler config — PHASE 1 (signed-out) deploy of the learn API Worker. | ||
| # | ||
| # This is the config that is LIVE in production today (deployed 2026-07-11). | ||
| # It stands up the whole SIGNED-OUT experience at agentculture.org/learn: | ||
| # the worker owns the /learn/* zone route and reverse-proxies every non-API | ||
| # path to the Cloudflare Pages origin (PAGES_ORIGIN). The signed-out tour is | ||
| # fully static; the resource-gated API routes (/api/me, /api/tutor, …) return | ||
| # 401 WITHOUT ever touching storage, so this deploy needs NO KV, NO D1, and | ||
| # NO secrets. It requires only two token permissions: Cloudflare Pages: Edit | ||
| # (for the Pages project) and Workers Scripts: Edit (for this worker + route). | ||
| # | ||
| # Deploy with: | ||
| # wrangler deploy -c wrangler.signedout.toml | ||
| # | ||
| # PHASE 2 (signed-in) uses the full ./wrangler.toml instead — it adds the KV | ||
| # namespace, the D1 ledger, the GitHub OAuth client id, and the secrets. That | ||
| # deploy additionally needs Workers KV Storage: Edit + D1: Edit on the token, | ||
| # and the GitHub OAuth app must exist first. See README.md "Provisioning". | ||
|
|
||
| name = "learn-api" | ||
| main = "src/index.js" | ||
| compatibility_date = "2024-11-01" | ||
| workers_dev = false | ||
|
|
||
| # Top-level key — MUST precede [vars] (see the gotcha note in wrangler.toml). | ||
| routes = [ | ||
| { pattern = "agentculture.org/learn/*", zone_name = "agentculture.org" }, | ||
| { pattern = "agentculture.org/learn", zone_name = "agentculture.org" }, | ||
| ] | ||
|
|
||
| [vars] | ||
| # Placeholder client id: harmless in phase 1. The sign-in button is only | ||
| # reachable by direct navigation (org's Learn nav link is held until phase 2), | ||
| # so a non-functional OAuth start has no public surface yet. | ||
| GITHUB_CLIENT_ID = "REPLACE_ME_github_oauth_client_id" | ||
| PUBLIC_URL = "https://agentculture.org" | ||
| APP_URL = "https://agentculture.org/learn/" | ||
| CORS_ORIGIN = "https://agentculture.org" | ||
| PAGES_ORIGIN = "https://agentculture-learn.pages.dev" | ||
|
|
||
| [observability] | ||
| enabled = true | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,27 +15,34 @@ compatibility_date = "2024-11-01" | |
| # Node-compat is not required — the Worker uses only Web-standard APIs | ||
| # (fetch, Request/Response, crypto.subtle, btoa/atob). Keep the bundle lean. | ||
|
|
||
| # --- Zone route (the same-origin /learn mount) ------------------------------- | ||
| # Cloudflare Pages cannot be mounted at a path, so this ONE worker owns | ||
| # agentculture.org/learn/*: /learn/api/* is handled here, everything else | ||
| # proxies to PAGES_ORIGIN (which serves the site under /learn/ too). | ||
| # | ||
| # GOTCHA: `routes` is a TOP-LEVEL key and MUST appear ABOVE the [vars] table. | ||
| # Placed after [vars], TOML scopes it as `vars.routes` and wrangler silently | ||
| # ignores it ("No targets deployed") — the worker uploads but binds no route. | ||
| # This block is live in production (deployed 2026-07-11); the signed-out mount | ||
| # is served by exactly these two patterns. | ||
| routes = [ | ||
| { pattern = "agentculture.org/learn/*", zone_name = "agentculture.org" }, | ||
| { pattern = "agentculture.org/learn", zone_name = "agentculture.org" }, | ||
| ] | ||
|
Comment on lines
+28
to
+31
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 1. Oauth callback missing /learn With the worker now bound only on the /learn route, handleLogin() still generates the GitHub redirect_uri as https://agentculture.org/api/auth/callback (no /learn), so the OAuth callback will land outside this worker and the web login flow cannot complete. Agent Prompt
|
||
|
|
||
| # --- Non-secret vars ------------------------------------------------------- | ||
| # INFERENCE_URL points at the cloudai-cli / ec2bedrock-cli SERVED endpoint | ||
| # (an OpenAI-shaped HTTP API), NEVER a bespoke provider SDK. The broker only | ||
| # ever POSTs JSON to this URL. Leave it unset to disable tutoring (broker 503s). | ||
| [vars] | ||
| # GITHUB_CLIENT_ID is public; still REPLACE_ME until the GitHub OAuth app exists | ||
| # (needed only for the signed-in tier — see README "Phase 2"). | ||
| GITHUB_CLIENT_ID = "REPLACE_ME_github_oauth_client_id" | ||
| # PUBLIC_URL = "https://agentculture.org" # origin used to build the OAuth callback | ||
| # APP_URL = "https://agentculture.org/learn/" # where the web callback redirects post-login | ||
| # CORS_ORIGIN = "https://agentculture.org" # allow the /learn site to call the API with creds | ||
| # INFERENCE_URL = "https://<cloudai-or-ec2bedrock-served-endpoint>/v1/messages" | ||
| # PAGES_ORIGIN = "https://agentculture-learn.pages.dev" # static-site origin the /learn zone mount proxies to | ||
|
|
||
| # --- Zone route (the same-origin /learn mount) ------------------------------- | ||
| # Cloudflare Pages cannot be mounted at a path, so this ONE worker owns | ||
| # agentculture.org/learn/*: /learn/api/* is handled here, everything else | ||
| # proxies to PAGES_ORIGIN (which serves the site under /learn/ too). | ||
| # Uncomment once the zone is reachable from this account's token: | ||
| # routes = [ | ||
| # { pattern = "agentculture.org/learn/*", zone_name = "agentculture.org" }, | ||
| # { pattern = "agentculture.org/learn", zone_name = "agentculture.org" }, | ||
| # ] | ||
| PUBLIC_URL = "https://agentculture.org" # origin used to build the OAuth callback | ||
| APP_URL = "https://agentculture.org/learn/" # where the web callback redirects post-login | ||
| CORS_ORIGIN = "https://agentculture.org" # allow the /learn site to call the API with creds | ||
| PAGES_ORIGIN = "https://agentculture-learn.pages.dev" # static-site origin the /learn zone mount proxies to | ||
|
Comment on lines
+41
to
+44
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 3. Prod vars hinder wrangler dev wrangler.toml now hard-codes PUBLIC_URL/APP_URL/CORS_ORIGIN to production, so wrangler dev will emit production OAuth redirect URIs and CORS headers (breaking localhost auth/browser testing) unless developers override these vars. Agent Prompt
|
||
| # INFERENCE_URL = "https://<cloudai-or-ec2bedrock-served-endpoint>/v1/messages" # unset ⇒ tutoring 503s | ||
|
|
||
| # --- Secrets (NEVER committed) --------------------------------------------- | ||
| # Set with: wrangler secret put <NAME> | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2. Signed-out config hits github
🐞 Bug☼ ReliabilityAgent Prompt
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools