Architecture
Cloudflare decides. Managed state remembers. R2 archives.
Request path
Admission -> auth -> rate limit -> idempotency -> budget -> governor -> ThreatPrint -> upstream -> output firewall -> async finalize.
Cloudflare hot path
Workers handle admission, auth, rate limits, budget checks, governor policy, ThreatPrint, upstream routing, output checks, and async finalize. Durable Objects hold hot budget/rate/session/circuit state where applicable. KV caches configs, entitlements, rules, and flags. Queues buffer async ingestion where configured.
Managed state layer
The managed state store holds org, user, project, admin, dashboard, policy, and recent metadata. Proxy traffic should not require a state-store round trip on every request when a cached entitlement/config exists.
R2 cold layer
R2 stores cold archives, incident artifacts, compressed traces, and long-term logs.
Degraded mode behavior
If the state store is unavailable and cached key/config exists, the proxy hot path can continue. If no cached entitlement exists, requests fail closed with a stable error. Finalize/log writes degrade without failing a successful upstream response.
Failure modes
Missing key fails closed. Invalid key fails closed. Budget backend failures fail closed unless explicitly configured otherwise. Async archive/export failures are retried or surfaced in dashboard workflows.
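The degraded-mode and failure-mode rules above, as an added sketch that is not the product's own code. Function names, dependency shapes, status codes and error codes are assumptions, and lookups are synchronous stubs that throw to simulate an unavailable backend.

```javascript
// Added illustration; every name and error code here is hypothetical.
const deny = (status, code) => ({ allow: false, status, code });

// Prefer the cached entitlement so the hot path needs no state-store round trip.
function resolveEntitlement(key, cache, stateStore) {
  const cached = cache.get(key);
  if (cached) return { entitlement: cached, source: "cache" };
  try {
    const fresh = stateStore.lookup(key); // null means the key is unknown
    if (fresh) cache.set(key, fresh);
    return { entitlement: fresh, source: "state" };
  } catch {
    return { entitlement: null, source: "unavailable" };
  }
}

function admit(req, deps) {
  const { cache, stateStore, budget, budgetFailOpen = false } = deps;
  if (!req.key) return deny(401, "missing_key"); // missing key fails closed
  const { entitlement, source } = resolveEntitlement(req.key, cache, stateStore);
  if (!entitlement) {
    // State store down with nothing cached: stable error, never a default allow.
    return source === "unavailable"
      ? deny(503, "entitlement_unavailable")
      : deny(401, "invalid_key"); // invalid key fails closed
  }
  try {
    if (!budget.hasRemaining(entitlement.org)) return deny(429, "budget_exceeded");
  } catch {
    // Budget backend failure fails closed unless explicitly configured otherwise.
    if (!budgetFailOpen) return deny(503, "budget_unavailable");
  }
  return { allow: true, source };
}

// Finalize/log writes degrade without failing a successful upstream response.
function finalize(response, logSink) {
  try {
    logSink.write({ status: response.status });
    return { response, logged: true };
  } catch {
    return { response, logged: false }; // candidate for retry or dashboard surfacing
  }
}
```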