Fix maildesk account evidence lane #32

Merged: rogu3bear merged 1 commit into main from build/maildesk-global-account-evidence, Jun 30, 2026
@rogu3bear (Owner)

Summary

  • Make maildesk-cf live account-resource evidence use the explicit global lane for Workers, D1, R2, and Queues, matching existing domain and sender readbacks.
  • Prevent false missing_resource drift when the default dev lane cannot see resources that already exist in the account.
  • Add a maildesk contract assertion so future lifecycle changes preserve the evidence lane boundary.

Test plan

  • ./scripts/verify_maildesk_cf_contract.sh
  • ./scripts/verify_static_contract.sh
  • Live private maildesk plan readback: edge_ready=true, only sender-domain drift remains

Risk and review notes

  • Behavioral change is limited to live evidence collection for the composite maildesk-cf lifecycle.
  • The wider lane is read-only inventory in this path; component mutations still remain preview/ack gated.
  • Recent GitHub Actions runs on this repo are failing at the workflow level because of the account billing lock, so local contract proof is the actionable proof lane for this PR.

@codex Please review whether pinning these account-resource reads to the global lane is the right long-term policy, or whether cfctl should instead expose a separate maildesk evidence lane abstraction for account-level inventory.

maildesk-cf lifecycle already reads domain and sender evidence with the wider Cloudflare lane, but account resources were still using the default dev lane. In accounts where dev cannot see D1/R2/Queue/Worker state, provision plans reported false missing_resource drift and tried to recreate existing resources. This commit makes those account-resource reads explicit global-lane evidence reads and locks that behavior into the maildesk contract verifier.

@rogu3bear (Owner, Author)

Local proof for the billing-locked CI run:

  • ./scripts/verify_maildesk_cf_contract.sh passed
  • ./scripts/verify_static_contract.sh passed
  • Live private maildesk plan readback after this branch: edge_ready=true; remaining drift is sender-domain-only, blocked by Cloudflare Email Sending API 2036 Unauthorized

The remote static contract job did not start because GitHub reports the account is locked due to a billing issue.

@rogu3bear rogu3bear merged commit 0f1c017 into main Jun 30, 2026
1 of 2 checks passed
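
An added illustration of the failure mode this PR describes (not code from cfctl or this repository): when evidence reads run on a lane that cannot see existing account resources, the plan reports false `missing_resource` drift, and a contract check can pin the lane per resource kind. The lane names `dev` and `global` and the resource kinds come from the PR; the inventory data, resource names, and all function names are constructed assumptions.

```python
# Added illustration; not cfctl code. Inventories and helper names are constructed.
ACCOUNT_KINDS = ("worker", "d1", "r2", "queue")

# Constructed sample: what each credential lane can list in the account.
VISIBLE = {
    "global": {("worker", "maildesk-edge"), ("d1", "maildesk-db"),
               ("r2", "maildesk-raw"), ("queue", "maildesk-inbound")},
    "dev": {("worker", "maildesk-edge")},  # dev lane cannot see D1/R2/Queues here
}

# Constructed desired state for the composite lifecycle.
DESIRED = [("worker", "maildesk-edge"), ("d1", "maildesk-db"),
           ("r2", "maildesk-raw"), ("queue", "maildesk-inbound")]

# Hypothetical evidence policy: which lane each account-resource read uses.
POLICY_BEFORE = {kind: "dev" for kind in ACCOUNT_KINDS}
POLICY_AFTER = {kind: "global" for kind in ACCOUNT_KINDS}


def read_evidence(kind, name, lane):
    """Read-only inventory lookup: True if the lane can see the resource."""
    return (kind, name) in VISIBLE[lane]


def plan_drift(desired, policy):
    """Return missing_resource entries for resources the evidence lane cannot see."""
    drift = []
    for kind, name in desired:
        lane = policy[kind]
        if not read_evidence(kind, name, lane):
            drift.append({"kind": kind, "name": name,
                          "drift": "missing_resource", "evidence_lane": lane})
    return drift


def contract_violations(policy, required_lane="global"):
    """Contract assertion: list account-resource kinds not read on required_lane."""
    return sorted(k for k in ACCOUNT_KINDS if policy.get(k) != required_lane)


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, "drift:", plan_drift(DESIRED, policy))
        print(label, "contract violations:", contract_violations(policy))
```

Recording the evidence lane on each drift entry makes a visibility gap distinguishable from a genuinely absent resource when the plan is reviewed.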