Operations
Production topology
Two Workers share one D1 database:
krillswitch-publiconflags.openclaw.aifor evaluation;krillswitchonswitch.openclaw.aifor the dashboard and management API.
Deploy public and admin components separately. The public path must never inherit Cloudflare Access.
Migrations
Apply D1 migrations before deploying either Worker:
pnpm --dir apps/api db:migrate:remoteThe GitHub deploy workflow performs this step. Keep schema changes backward-compatible across the brief two-Worker rollout window.
Configuration propagation
Each Worker isolate caches an environment configuration for one second. A write clears the current isolate's cache; other isolates refresh within the TTL. SDK poll cadence is separate from server propagation.
Health probes
An unauthenticated public evaluation should return 401, not an Access redirect:
curl -i -X POST https://flags.openclaw.ai/v1/eval \
-H 'Content-Type: application/json' \
-d '{"context":{"key":"smoke"}}'An unauthenticated request to https://switch.openclaw.ai/ should be denied or redirected by Cloudflare Access.
With a real eval key, verify Cache-Control: private, no-store, ETag, and Server-Timing.
Benchmarks
pnpm bench
TARGET_URL=https://flags.openclaw.ai TARGET_LABEL=production pnpm benchThe benchmark records sustained load, timing splits, and cache-miss cadence. Keep deployed-target load modest.
Audit review
Use the dashboard or CLI after a production change:
krillswitch log tail --project clawhub --limit 20 --jsonConfirm actor, action, target, and before/after state. Treat unexplained token, role, key, or project events as security signals.