
Security Architecture Baseline

System Overview

The dlongglobal platform is separated into two repositories:

  • dlongglobal-engine: ops UI, worker API, and Terraform infrastructure scaffold.
  • dlongglobal-docs: documentation sites (docs-site and knowledge-site).

Primary domain: dlongglobal.org.

Trust Boundaries

  1. Public internet boundary: only the explicitly approved hosts listed under Exposed Hosts are publicly reachable; no other names are published.

  2. Identity boundary (Cloudflare Access): private surfaces require Cloudflare Access authentication, and a request must pass the Access policy checks before it reaches the application.

  3. Application boundary: the frontend runtime (Pages/Next.js) is separate from the backend runtime (Worker/Hono). No backend secrets are exposed to browser clients.

  4. Data boundary: D1, KV, and R2 are reachable only through worker-side bindings. Browsers never access those stores directly.

  5. Secret boundary: secrets are sourced from Cloudflare secret stores and environment configuration. They are not committed to git and not stored in Terraform variables files.

Exposed Hosts

  • docs.dlongglobal.org: public documentation surface.
  • ops.dlongglobal.org: private operations UI (Access protected).
  • knowledge.dlongglobal.org: private knowledge surface (Access protected).
  • api.dlongglobal.org: internal/private API surface (Access protected, service auth capable).

No wildcard hostnames are part of this baseline.

Public vs Private Surfaces

Public:

  • https://docs.dlongglobal.org/*

Private:

  • https://ops.dlongglobal.org/*
  • https://knowledge.dlongglobal.org/*
  • https://api.dlongglobal.org/*

Cloudflare Access Policies

Baseline policy intent:

  • ops.dlongglobal.org: allow tim@dlongglobal.com and root@dlongglobal.com.
  • knowledge.dlongglobal.org: allow tim@dlongglobal.com and root@dlongglobal.com.
  • api.dlongglobal.org: allow the same user allowlist plus optional service token IDs.

The default posture is deny: a request reaches a private surface only when an Access policy explicitly allows the identity (or service token) presenting it.

Worker/API Security Model

  • Worker framework: Hono.
  • Production workers.dev access is disabled in scaffold config.
  • API host is separate (api.dlongglobal.org) to isolate operational backend surface.
  • CORS is strict by default and allows only the https://ops.dlongglobal.org origin, so other sites cannot make credentialed browser requests to the API.
  • Route exposure is minimal; non-essential public routes are excluded.

Secret Management

  • Worker secrets: Cloudflare Worker secrets/environment bindings.
  • Pages secrets: only where server-side execution requires them.
  • Terraform authentication: provided via environment variable TF_VAR_cloudflare_api_token.
  • No plaintext secrets in git-tracked files.

DNS Exposure Rules

Terraform-managed host records are limited to:

  • docs.dlongglobal.org
  • ops.dlongglobal.org
  • knowledge.dlongglobal.org
  • api.dlongglobal.org

Rules:

  • No wildcard DNS records.
  • Only the minimum required records are declared.
  • Cloudflare proxying is enabled wherever applicable so services stay behind Cloudflare controls.
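The following Terraform fragment is an added illustration of the Access policies, secret handling and DNS exposure rules described above; it is not the scaffold's own code from dlongglobal-engine. It assumes Cloudflare provider 4.x resource names, Terraform 1.5 or later, and placeholder CNAME targets (the real Pages/Worker hostnames, zone id, account id and service token name are not stated on this page and are marked as assumptions in the comments). The variable validation turns the "only these four hosts, no wildcards" rule into a plan-time check, and the service token policy shows the service-auth path for api.dlongglobal.org.

```hcl
terraform {
  required_version = ">= 1.5" # strcontains() and multiple validation blocks
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0" # resource names below are the 4.x names
    }
  }
}

# Supplied as TF_VAR_cloudflare_api_token; sensitive keeps it out of plan/apply output.
variable "cloudflare_api_token" {
  type      = string
  sensitive = true
}

variable "zone_id" { type = string }    # assumed: zone id for dlongglobal.org
variable "account_id" { type = string } # assumed: account that owns the Access apps

# Closed host inventory. Targets are placeholders, not the real Pages/Worker hostnames.
variable "hosts" {
  type = map(string)
  default = {
    docs      = "docs-site.pages.dev"
    ops       = "ops-ui.pages.dev"
    knowledge = "knowledge-site.pages.dev"
    api       = "dlongglobal-api.example.workers.dev"
  }
  validation {
    condition     = alltrue([for h in keys(var.hosts) : contains(["docs", "ops", "knowledge", "api"], h)])
    error_message = "Only docs, ops, knowledge and api are in the DNS baseline."
  }
  validation {
    condition     = alltrue([for h in keys(var.hosts) : !strcontains(h, "*")])
    error_message = "Wildcard records are not permitted."
  }
}

locals {
  private_hosts = ["ops", "knowledge", "api"]
  allowed_users = ["tim@dlongglobal.com", "root@dlongglobal.com"]
}

provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

resource "cloudflare_record" "host" {
  for_each = var.hosts
  zone_id  = var.zone_id
  name     = each.key
  type     = "CNAME"
  value    = each.value # the argument is named `content` from provider 4.40 onward
  proxied  = true       # origin stays behind Cloudflare (Access, WAF, TLS termination)
  ttl      = 1          # automatic; required for proxied records
}

resource "cloudflare_access_application" "private" {
  for_each         = toset(local.private_hosts)
  account_id       = var.account_id
  name             = each.key
  domain           = "${each.key}.dlongglobal.org"
  type             = "self_hosted"
  session_duration = "24h"
}

# An application whose only policies are allow policies rejects everyone not matched:
# this is where the deny-by-default posture comes from.
resource "cloudflare_access_policy" "users" {
  for_each       = cloudflare_access_application.private
  account_id     = var.account_id
  application_id = each.value.id
  name           = "${each.key} user allowlist"
  precedence     = 1
  decision       = "allow"
  include {
    email = local.allowed_users
  }
}

# api additionally accepts one named service token (not any_valid_service_token).
resource "cloudflare_access_service_token" "ci" {
  account_id = var.account_id
  name       = "ci-deploy" # assumed name
}

resource "cloudflare_access_policy" "api_service" {
  account_id     = var.account_id
  application_id = cloudflare_access_application.private["api"].id
  name           = "api service token"
  precedence     = 2
  decision       = "non_identity"
  include {
    service_token = [cloudflare_access_service_token.ci.id]
  }
}
```

Two caveats worth checking in review. First, `cloudflare_access_service_token` exposes `client_secret` as an attribute, and Terraform writes resource attributes to state in plaintext, so the state backend needs the same protection as the secrets themselves and must never be git-tracked. Second, the `non_identity` policy binds api.dlongglobal.org to one specific token id; switching that include to `any_valid_service_token` would silently widen the allowlist to every token in the account.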

Terraform Governance Approach

  • Infrastructure is defined as code and reviewed before apply.
  • Changes are expected via feature branches and reviewed merges.
  • terraform apply is not run without explicit operator approval.
  • Baseline outputs document planned hosts, DNS records, and access model before rollout.

This document is intended to support future management review and governance evidence requirements.