
Track adapterOS retired Access bypass state #24

Merged: rogu3bear merged 1 commit into main from build/aos-retired-access-state on Jun 25, 2026

Conversation

@rogu3bear

Owner

Issues closed

None in this repository. This is the cfctl desired-state follow-up for the adapterOS retired-host Access repair completed during the aos-web v2 release closeout.

Behavior changed

  • Records the live adapterOS retired-host Access app state for beta.adapteros.com, developers.adapteros.com, and ops.adapteros.com.
  • Keeps the retired-host bypass policy at precedence 1 and the prior gated policy at precedence 2 for each app.
  • Adds desired-state specs for the three Bypass retired Pages redirect Access policies so they are no longer unmanaged by cfctl state.
  • Restores desired-state diff correctness by adding the missing sync-body helper and comparing Access app policy references by the desired id/name fields while preserving boolean false values.

Proof commands and results

  • jq . state/access.app/beta-adapteros.json state/access.app/ops-adapteros.json state/access.app/developers-adapteros.json state/access.policy/aos-retired-beta-bypass.json state/access.policy/aos-retired-developers-bypass.json state/access.policy/aos-retired-ops-bypass.json >/dev/null - passed.
  • ./scripts/verify_static_contract.sh - passed.
  • CF_TOKEN_LANE=global ./cfctl diff access.app | jq '{ok, summary, statuses: [.result.desired_specs[] | {spec_path, status, differing_fields, proposed_operation}]}' - passed; spec_count: 3, in_sync_count: 3, drift_count: 0, all proposed operations noop.
  • CF_TOKEN_LANE=global ./cfctl diff access.policy | jq '{ok, summary, statuses: [.result.desired_specs[] | {spec_path, status, differing_fields, proposed_operation}]}' - passed; spec_count: 3, in_sync_count: 3, drift_count: 0, all proposed operations noop.
  • Direct live readback comparisons for the three app specs and three bypass policy specs returned field_diffs: [] and matching policy ids/precedence.

Risk / caveats

  • No live Cloudflare mutation is performed by this branch; it records and verifies the already-live state.
  • The desired-state runtime fix affects diff/sync planning behavior for specs that use boolean false values or Access app policies references. The proof above checks both affected Access surfaces.
  • Remaining unmanaged Access policies are outside the adapterOS retired-host scope and were intentionally left alone.

Deployment impact

No product deploy is required. Merging this updates cfctl source-of-truth state and keeps future desired-state diffs from proposing a rollback of the retired-host bypass repair.

Review focus

  • lib/runtime/desired_state.sh: confirm the subset comparison should preserve boolean false and compare policy references by desired keys.
  • state/access.app/*adapteros*.json: confirm bypass precedence 1 and previous gated policy precedence 2 are intentional.
  • state/access.policy/aos-retired-*-bypass.json: confirm only the three retired-host bypass policies are pulled into state.

Confidence

  • Desired-state app/policy mapping: high.
  • Live mutation safety: high; read-only proof only.
  • Runtime diff helper change: medium-high; small compatibility wrapper plus focused Access diff proof.

Behavior: mirror the live beta, developers, and ops adapterOS Access apps after the retired-host repair by recording bypass policies at precedence 1 and preserving the prior gated policies at precedence 2. Add desired-state specs for the three bypass policies so cfctl diff can see the repaired state instead of treating those policies as unmanaged.

Reasoning: the aos-web release repaired live Access so retired hosts can reach the Pages worker redirects. Capturing that state in cfctl prevents a future desired-state sync from drifting the apps back behind the old gate or losing the bypass precedence.

Runtime logic: add the missing desired-state sync body helper and compare Access app policy references by the desired id/name fields, while preserving boolean false values during subset comparison. This makes existing app specs diffable without proposing false updates.

Risks: source-state and diff-runtime changes only; no Cloudflare mutation is performed by this commit. The remaining unmanaged Access policies are outside the adapterOS retired-host scope.

Proof: jq validates the changed JSON specs; ./scripts/verify_static_contract.sh passes; CF_TOKEN_LANE=global ./cfctl diff access.app reports 3 specs, 3 in sync, 0 drift; CF_TOKEN_LANE=global ./cfctl diff access.policy reports 3 specs, 3 in sync, 0 drift.
@rogu3bear

Owner Author

@codex Please review the desired-state runtime helper change in lib/runtime/desired_state.sh, especially the policy-reference comparison and boolean false preservation, against the Access app/policy state specs added in this PR. The intent is for read-only diff to report no-op when live policies include full policy bodies but desired app state intentionally carries only id/precedence references.

rogu3bear merged commit 0632cef into main Jun 25, 2026
2 checks passed
rogu3bear deleted the build/aos-retired-access-state branch June 25, 2026 00:42
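
The comparison this PR describes, sketched in Python as an added example (not cfctl's code; lib/runtime/desired_state.sh is not shown on this page): a subset diff that matches desired policy references to full live policy bodies by id or name and treats a literal false as a value rather than as "absent". The function names, sample app, host and policy ids are constructed assumptions.

```python
MISSING = object()  # sentinel: "key absent" must stay distinct from a literal False

def find_ref(ref, live_items):
    """Locate the live element a desired reference names, by id first, then name."""
    key = "id" if "id" in ref else "name"
    return next((it for it in live_items
                 if isinstance(it, dict) and it.get(key) == ref[key]), MISSING)

def subset_diff(desired, live, path=""):
    """Paths where live fails to satisfy desired; extra live fields are ignored."""
    if live is MISSING:
        return [path]
    if isinstance(desired, dict):
        if not isinstance(live, dict):
            return [path]
        out = []
        for key, want in desired.items():
            sub = f"{path}.{key}" if path else key
            out += subset_diff(want, live.get(key, MISSING), sub)
        return out
    if isinstance(desired, list):
        # An extra or missing attached policy is real drift, so lengths must agree.
        if not isinstance(live, list) or len(live) != len(desired):
            return [path]
        out = []
        for i, want in enumerate(desired):
            is_ref = isinstance(want, dict) and ("id" in want or "name" in want)
            have = find_ref(want, live) if is_ref else live[i]
            out += subset_diff(want, have, f"{path}[{i}]")
        return out
    # Scalars: compare type as well as value, so False never equals 0 or a missing key.
    return [] if type(desired) is type(live) and desired == live else [path]

# Constructed sample: desired carries id/precedence references, live has full bodies.
DESIRED_APP = {
    "domain": "retired.example.test",
    "skip_interstitial": False,
    "policies": [{"id": "pol-bypass", "precedence": 1},
                 {"id": "pol-gated", "precedence": 2}],
}
LIVE_APP = {
    "id": "app-1", "domain": "retired.example.test", "skip_interstitial": False,
    "policies": [
        {"id": "pol-bypass", "precedence": 1, "decision": "bypass", "include": [{"everyone": {}}]},
        {"id": "pol-gated", "precedence": 2, "decision": "allow", "include": [{"group": {}}]},
    ]}

if __name__ == "__main__":
    print(subset_diff(DESIRED_APP, LIVE_APP))
```

A swapped precedence, a flipped or dropped false, or a reference that resolves to no live policy each surfaces as a named differing path instead of a silent no-op.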