Skip to content

Guide sender-domain writes to global lane#35

Merged
rogu3bear merged 1 commit into
mainfrom
build/sender-domain-global-lane-guidance
Jul 1, 2026
Merged

Guide sender-domain writes to global lane#35
rogu3bear merged 1 commit into
mainfrom
build/sender-domain-global-lane-guidance

Conversation

@rogu3bear

Copy link
Copy Markdown
Owner

Summary

  • Marks sender_domain enable as a global-lane write in the surface catalog and capabilities matrix.
  • Updates guide/classify to fall back to a single explicit policy lane when live lane comparison has no recommendation.
  • Adds static contract coverage proving no-auth cfctl guide sender_domain enable emits global-lane preview/apply/verify commands.

Test plan

  • Red first: ./scripts/verify_static_contract.sh failed on missing sender-domain global lane assertion
  • env -u CF_DEV_TOKEN -u CF_GLOBAL_TOKEN -u CLOUDFLARE_API_TOKEN -u CLOUDFLARE_ACCOUNT_ID CF_SHARED_ENV_FILE=/nonexistent/cfctl-empty-env CF_REPO_ENV_FILE=/nonexistent/cfctl-empty-env ./cfctl guide sender_domain enable --zone example.com --name example.com
  • env -u CF_DEV_TOKEN -u CF_GLOBAL_TOKEN -u CLOUDFLARE_API_TOKEN -u CLOUDFLARE_ACCOUNT_ID CF_SHARED_ENV_FILE=/nonexistent/cfctl-empty-env CF_REPO_ENV_FILE=/nonexistent/cfctl-empty-env ./cfctl classify sender_domain enable --zone example.com --name example.com
  • bash -n commands/cfctl.sh scripts/lib/cfctl.sh cfctl
  • git diff --check
  • ./scripts/verify_static_contract.sh

Risk / review focus

  • Confidence: high that this fixes the guide/classify mismatch without changing generic two-lane write guidance.
  • Review focus: the fallback only uses policy lanes when the operation has exactly one allowed lane; verify that avoids over-prefixing normal dev,global writes.
  • CI caveat: GitHub Actions for this repo is currently failing before runner steps/logs are recorded on main; local static contract is the meaningful proof for this change.

Sender-domain enablement is an Email Sending write path that needs the global lane for private maildesk zones. The catalog already drives command generation and capabilities docs, so pin the operation to the global lane, teach guide/classify to fall back to a single policy lane when live lane comparison has no answer, and add static contract coverage for the generated global-lane commands.
@rogu3bear

Copy link
Copy Markdown
Owner Author

@codex Please review the sender-domain lane guidance fallback. The part I am least certain about is whether falling back to a single explicit policy lane should live at the helper level or only in guide/classify.

@rogu3bear

Copy link
Copy Markdown
Owner Author

Local proof is green: red-first static assertion, no-auth guide/classify checks, bash syntax, diff check, capabilities regeneration, and full ./scripts/verify_static_contract.sh. GitHub Actions failed before runner steps/logs were recorded, matching the existing cfctl Actions startup-failure pattern on main.

@rogu3bear rogu3bear merged commit b7fdc63 into main Jul 1, 2026
1 of 2 checks passed
@rogu3bear rogu3bear deleted the build/sender-domain-global-lane-guidance branch July 1, 2026 06:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant