You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
deploy-worker.yml (Deploy api-cors-preflight Worker) has never succeeded. Every run fails at the wrangler deploy step when it reconciles the Worker route, with a Cloudflare Authentication error [code: 10000]. Because of this, the route api.worldmonitor.app/* was never bound to the Worker — the Worker is uploaded but receives no traffic, and api.worldmonitor.app is currently served by the Vercel origin instead.
The most recent failure was surfaced by #4619 (commit 3a6d6b7), whose 4-line change to workers/api-cors-preflight/src/index.js re-triggered the path-filtered workflow. #4619 did not cause this — it just re-ran an already-broken deploy.
Evidence
Identical failure across every run of the workflow:
A bound Worker would short-circuit OPTIONS and never reach Vercel.
Root cause
The CLOUDFLARE_API_TOKEN repo secret has Workers Scripts:Edit (account) — the script uploads fine — but is missing Workers Routes:Edit on the worldmonitor.app zone (or the token's Zone Resources don't include that zone). CF error 10000 = token lacks permission for the routes operation.
The workflow already documents the required scope:
# CLOUDFLARE_API_TOKEN — token scoped to Workers Scripts:Edit + Workers
# Routes:Edit on the worldmonitor.app zone.
Impact
Not user-facing broken: api/_cors.js on the Vercel origin is currently handling CORS for api.worldmonitor.app, so the app works.
The api-cors-preflight Worker is inert — its per-request CORS logic (including fix(api): surface bbox diagnostics #4619's new Access-Control-Expose-Headers) is not actually serving any traffic.
CI stays permanently red on every Worker touch.
Fix
Permanent (token):
Cloudflare dashboard → API Tokens → edit the token behind CLOUDFLARE_API_TOKEN (or create new) with:
Account → Workers Scripts → Edit
Zone → Workers Routes → Edit ← the missing permission
Zone Resources → Include → Specific zone → worldmonitor.app
Update the CLOUDFLARE_API_TOKEN GitHub repo secret.
Re-run the failed workflow (or workflow_dispatch).
Interim (bind route once): In the CF dashboard, bind api.worldmonitor.app/* → the api-cors-preflight Worker manually (Workers → api-cors-preflight → Triggers → Routes) so it starts taking traffic while the token is fixed.
Acceptance criteria
CLOUDFLARE_API_TOKEN has Workers Routes:Edit on the worldmonitor.app zone.
deploy-worker.yml runs green end-to-end (deploy + live smoke test).
OPTIONS to api.worldmonitor.app is answered by the Worker (no x-vercel-id; carries Access-Control-Allow-Origin + Access-Control-Expose-Headers).
Summary
deploy-worker.yml(Deploy api-cors-preflight Worker) has never succeeded. Every run fails at thewrangler deploystep when it reconciles the Worker route, with a CloudflareAuthentication error [code: 10000]. Because of this, the routeapi.worldmonitor.app/*was never bound to the Worker — the Worker is uploaded but receives no traffic, andapi.worldmonitor.appis currently served by the Vercel origin instead.The most recent failure was surfaced by #4619 (commit
3a6d6b7), whose 4-line change toworkers/api-cors-preflight/src/index.jsre-triggered the path-filtered workflow. #4619 did not cause this — it just re-ran an already-broken deploy.Evidence
Identical failure across every run of the workflow:
3a6d6b72fdff81c613a7fFailing step log (2026-07-02, run
28587741411):Live confirmation the route is unbound — OPTIONS to
api.worldmonitor.appis answered by Vercel, not the Worker:A bound Worker would short-circuit OPTIONS and never reach Vercel.
Root cause
The
CLOUDFLARE_API_TOKENrepo secret has Workers Scripts:Edit (account) — the script uploads fine — but is missing Workers Routes:Edit on theworldmonitor.appzone (or the token's Zone Resources don't include that zone). CF error10000= token lacks permission for the routes operation.The workflow already documents the required scope:
Impact
api/_cors.json the Vercel origin is currently handling CORS forapi.worldmonitor.app, so the app works.api-cors-preflightWorker is inert — its per-request CORS logic (including fix(api): surface bbox diagnostics #4619's newAccess-Control-Expose-Headers) is not actually serving any traffic.Fix
Permanent (token):
CLOUDFLARE_API_TOKEN(or create new) with:CLOUDFLARE_API_TOKENGitHub repo secret.workflow_dispatch).Interim (bind route once): In the CF dashboard, bind
api.worldmonitor.app/*→ theapi-cors-preflightWorker manually (Workers → api-cors-preflight → Triggers → Routes) so it starts taking traffic while the token is fixed.Acceptance criteria
CLOUDFLARE_API_TOKENhas Workers Routes:Edit on theworldmonitor.appzone.deploy-worker.ymlruns green end-to-end (deploy + live smoke test).api.worldmonitor.appis answered by the Worker (nox-vercel-id; carriesAccess-Control-Allow-Origin+Access-Control-Expose-Headers).