fix(cloud): enable tag-to-deploy for production cloud worker

[jchris]

Summary

• Add [env.production] section to cloud/backend/cf-d1/wrangler.toml with DO bindings, migrations, and a fresh empty D1 database (fp-cloud-production). The old GH env variable pointed to fp-connect-production which has a different schema. The dev DB (fp-cloud-dev) has the right schema but its tenant data was created with dev secrets and wouldn't be reachable by production clients. The new DB will have its tables created automatically by drizzle:d1-remote on first deploy.
• Parameterize wrangler:deploy scripts in both cf-d1 and cf-storage-cors to use ${CLOUDFLARE_ENV:-dev} instead of hardcoded --env dev
• Pass CLOUDFLARE_ENV to both deploy steps in the workflow so the parameterized scripts pick it up

After merge, deploy with: git tag core-cf@p0.0.1-production-env && git push origin core-cf@p0.0.1-production-env

Test plan

• Review that [env.production] section matches the structure of [env.dev] (DO bindings, migrations, D1)
• Verify CLOUDFLARE_DATABASE_ID in GH production env matches wrangler.toml (ee23476b-c3c8-44c9-8388-d9455dd1b00f)
• After merge, push a core-cf@p* tag and watch the workflow run
• Confirm worker is live at https://fireproof-v2-cloud-production.jchris.workers.dev/fp
• Smoke test sync from a prod vibe app

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added production environment configuration with database and durable object bindings
  • Enabled dynamic deployment environment selection in deployment workflows

[coderabbitai]

Walkthrough

This change introduces support for deploying to multiple Cloudflare environments (dev and production) by adding environment variable configuration to the CI/CD workflow, making the deployment script environment-aware, and defining a complete production environment configuration in the Wrangler setup.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Configuration .github/workflows/ci-core-cf-deploy.yaml	Adds CLOUDFLARE_ENV environment variable to the deployment job step, enabling dynamic environment selection during CI/CD execution.
Cloudflare Backend Environment Setup cloud/backend/cf-d1/package.json, cloud/backend/cf-d1/wrangler.toml	Updates deploy script to use CLOUDFLARE_ENV variable instead of hardcoded environment. Adds production environment configuration including variables, migrations, durable object bindings, and D1 database reference with production database ID.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: enabling production environment configuration for the cloud worker with dynamic tag-based deployment support.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jchris/fix/production-deploy-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci-core-cf-deploy.yaml:
- Line 45: The workflow sets CLOUDFLARE_ENV for the cf-d1 step but the
cf-storage-cors deploy still uses a hardcoded "--env dev"; update the
cf-storage-cors deployment to consume the CLOUDFLARE_ENV variable instead of
"--env dev" (replace the hardcoded flag in
cloud/backend/cf-storage-cors/package.json or the deploy npm script with a
reference to the environment variable, and ensure the CI step passes
CLOUDFLARE_ENV into that job), so both cf-d1 and cloud/backend/cf-storage-cors
use the same CLOUDFLARE_ENV value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bfedcb36-9a69-4556-a525-4415b516ed82

📥 Commits

Reviewing files that changed from the base of the PR and between d7341f5 and a87395a.

📒 Files selected for processing (3)

• .github/workflows/ci-core-cf-deploy.yaml
• cloud/backend/cf-d1/package.json
• cloud/backend/cf-d1/wrangler.toml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Environment targeting is still inconsistent across deploy steps.

Line 45 wires CLOUDFLARE_ENV for cf-d1, but cloud/backend/cf-storage-cors still deploys with hardcoded --env dev (from cloud/backend/cf-storage-cors/package.json:1-10). This can produce partial production deploys.

Suggested fix

diff --git a/.github/workflows/ci-core-cf-deploy.yaml b/.github/workflows/ci-core-cf-deploy.yaml
@@
       - name: deploy cloud/backend/cf-storage-cors
         working-directory: cloud/backend/cf-storage-cors
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_ENV: ${{ vars.CLOUDFLARE_ENV }}
         run: |
           pnpm run wrangler:deploy

diff --git a/cloud/backend/cf-storage-cors/package.json b/cloud/backend/cf-storage-cors/package.json
@@
-  "wrangler:deploy": "wrangler deploy -c ./wrangler.toml --env dev"
+  "wrangler:deploy": "wrangler deploy -c ./wrangler.toml --env ${CLOUDFLARE_ENV:-dev}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci-core-cf-deploy.yaml at line 45, The workflow sets
CLOUDFLARE_ENV for the cf-d1 step but the cf-storage-cors deploy still uses a
hardcoded "--env dev"; update the cf-storage-cors deployment to consume the
CLOUDFLARE_ENV variable instead of "--env dev" (replace the hardcoded flag in
cloud/backend/cf-storage-cors/package.json or the deploy npm script with a
reference to the environment variable, and ensure the CI step passes
CLOUDFLARE_ENV into that job), so both cf-d1 and cloud/backend/cf-storage-cors
use the same CLOUDFLARE_ENV value.

[jchris]

Intentionally left as-is. cf-storage-cors is a singleton — its wrangler.toml only defines [env.dev], no [env.production]. Parameterizing the deploy script would cause it to try --env production which doesn't exist, breaking the deploy. Both environments share the same R2 bucket and route.

[coderabbitai]

@jchris, understood — that's a clear and valid reason. Since cf-storage-cors is intentionally a singleton with only [env.dev] defined in its wrangler.toml, parameterizing the deploy script would break production deploys rather than fix them. I'll note this for future reviews.

ʕ •ᴥ•ʔ ← thoughtful rabbit noted!

---

✏️ Learnings added

Learnt from: jchris
Repo: fireproof-storage/fireproof PR: 1735
File: .github/workflows/ci-core-cf-deploy.yaml:45-45
Timestamp: 2026-04-06T17:09:08.631Z
Learning: In the fireproof repository, `cloud/backend/cf-storage-cors` is intentionally a singleton Cloudflare Worker — its `wrangler.toml` only defines `[env.dev]` and has no `[env.production]` section. Both production and dev environments share the same R2 bucket and route. The `wrangler:deploy` script should NOT be parameterized with `CLOUDFLARE_ENV` because passing `--env production` would fail since that environment is not defined in its `wrangler.toml`.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a87395a335

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pass deployment env to cf-storage-cors step

This change makes cf-d1 environment-aware, but the workflow still leaves cf-storage-cors on its default dev deploy path during core-cf@p*/core-cf@s* runs. That creates a mixed-environment release where cf-d1 is promoted while cf-storage-cors is not, which can leave production serving incompatible worker versions when both components change in the same tag deploy.

Useful? React with 👍 / 👎.

[jchris]

This is intentional — cf-storage-cors is a singleton worker with no per-environment configuration. Its wrangler.toml has no [env.production] section, and all environments share the same R2 bucket and route (storage.fireproof.direct/*). Parameterizing it would break production deploys since --env production doesn't exist in the toml.

[jchris]

Deploy Status

Deployed and verified via tag core-cf@p0.0.1-production-env on this branch (before merge).

What happened

1. First run failed — smoke tests returned signature verification failed. Root cause: CLOUD_SESSION_TOKEN_SECRET in the production GH environment was from 2025-07-15, while CLOUD_SESSION_TOKEN_PUBLIC was updated 2026-04-03. Mismatched keypair.
2. Fixed — updated CLOUD_SESSION_TOKEN_SECRET to match the current public key.
3. Rerun passed — all smoke tests green.

Current state

• Worker fireproof-v2-cloud-production is live (HTTP 404 on /fp as expected for WS endpoint)
• Bindings confirmed: FP_WS_ROOM (Durable Object), FP_BACKEND_D1 (fresh fp-cloud-production D1), VERSION env var
• All 4 secrets present: CLOUD_SESSION_TOKEN_PUBLIC, ACCESS_KEY_ID, SECRET_ACCESS_KEY, STORAGE_URL
• D1 schema created by drizzle migration on first deploy

Ready to merge

This PR adds [env.production] to the wrangler config so future core-cf@p* tags deploy to production via CI instead of manual wrangler deploy --name. cf-storage-cors intentionally left as a singleton (--env dev).

[jchris]

STORAGE_URL fix: switched to CORS proxy

The production STORAGE_URL was pointing directly at R2's S3 API (r2.cloudflarestorage.com), which has no CORS headers. Browsers reject the preflight for cross-origin PUTs/GETs, causing every data block upload/download to fail with net::ERR_FAILED.

Fix: Updated the GH production variable from:

https://f031392067b661e91963881fb76b4ea3.r2.cloudflarestorage.com/fireproof-cloud

to:

https://storage.fireproof.direct

This is the existing cf-storage-cors worker — a thin CORS proxy in front of the same R2 bucket that adds Access-Control-Allow-Origin: * to all responses. No code changes needed.

Redeployed via tag core-cf@p0.0.2-storage-cors to propagate the new URL as a worker secret. Waiting on CI.

[mabels]

Why?