Cloudflare Infrastructure
Nutri-E uses three Cloudflare Workers with dual-environment support (sandbox + production).
Architecture
cloudflare-worker-openai/ -> OpenAI/Vision API proxy
cloudflare-worker-dsld/ -> DSLD supplement database proxy
cloudflare-worker-apple/ -> Apple Server Notifications webhook
Each worker has two environments in a single wrangler.toml:
- sandbox-v3: TestFlight and development testing
- v3: Production (App Store)
Workers
OpenAI Worker
GPT-4 Vision proxy for food photos and supplement label scanning.
| Environment | Name | Used By |
|---|---|---|
| Sandbox V3 | nutrie-openai-worker-sandbox-v3 | Debug, TestFlight |
| Production V3 | nutrie-openai-worker-v3 | App Store |
Key features: Device auth (HMAC-SHA256), subscription-based rate limiting (10-500 req/day), 7-day response caching.
DSLD Worker
NIH DSLD API proxy for supplement database access.
| Environment | Name | Used By |
|---|---|---|
| Sandbox V3 | nutrie-dsld-worker-sandbox-v3 | Debug, TestFlight |
| Production V3 | nutrie-dsld-worker-v3 | App Store |
Key features: 30-day caching, device auth, subscription-based rate limiting (100-unlimited req/day).
Apple Webhook Worker
Apple Server Notifications for subscription lifecycle management.
| Environment | Name | Used By |
|---|---|---|
| Sandbox V3 | nutrie-apple-webhook-worker-sandbox-v3 | TestFlight |
| Production V3 | nutrie-apple-webhook-worker-v3 | App Store Connect |
Key features: V2 JWT + V1 legacy support, OWNS all subscription lifecycle (create/update/delete), archives to SUBSCRIPTIONS_DELETED.
KV Namespaces
Production and sandbox are fully isolated - separate subscription data, rate limits, and caches.
Shared SUBSCRIPTIONS KV
- Apple Worker: Write access (creates, updates, deletes subscriptions)
- OpenAI/DSLD Workers: Read-only (check tier for quota enforcement)
- SUBSCRIPTIONS_DELETED: Archive namespace for expired/refunded/revoked subscriptions
Per-Worker KV
- RATE_LIMIT: Per-device daily usage counters (24h TTL)
- CACHE_KV (OpenAI): Response cache (7-day TTL)
- CACHE_KV (DSLD): DSLD response cache (30-day TTL)
Secrets
```bash
# OpenAI Worker
wrangler secret put DEVICE_SALT --env v3
wrangler secret put OPENAI_API_KEY --env v3
# DSLD Worker
wrangler secret put DEVICE_SALT --env v3
wrangler secret put DSLD_API_KEY --env v3
# Apple Worker - no secrets required
```
Deployment
Automatic (Recommended)
Workers deploy automatically via GitHub Actions when changes merge to main:
- Deploy Sandbox Workers (parallel)
- Test Sandbox Workers (integration tests)
- Deploy Production Workers (only if tests pass)
- Test Production Workers
See .github/workflows/deploy-workers.yml.
Manual
```bash
# Run from the repository root; each subshell keeps its cd local
# Deploy to sandbox
(cd cloudflare-worker-openai && wrangler deploy --env sandbox-v3)
(cd cloudflare-worker-dsld && wrangler deploy --env sandbox-v3)
(cd cloudflare-worker-apple && wrangler deploy --env sandbox-v3)
# Deploy to production
(cd cloudflare-worker-openai && wrangler deploy --env v3)
(cd cloudflare-worker-dsld && wrangler deploy --env v3)
(cd cloudflare-worker-apple && wrangler deploy --env v3)
```
Testing
```bash
# Test scripts per worker
./cloudflare-worker-openai/test-worker.sh <url> sandbox-v3
./cloudflare-worker-dsld/test-dsld-worker.sh <url> sandbox-v3
./cloudflare-worker-apple/test-apple-webhook.sh <url> sandbox-v3
# Health checks
curl https://nutrie-openai-worker-v3.invotekas.workers.dev/
curl https://nutrie-dsld-worker-v3.invotekas.workers.dev/
curl https://nutrie-apple-webhook-worker-v3.invotekas.workers.dev/health
```
Legacy Workers
V2 (nutrie-*-worker-v2): Serves App Store 1.0.4. DO NOT MODIFY.
V1 (nutrie-*-worker): Serves iOS 1.0.1-1.0.2. DO NOT MODIFY.
Monitoring
```bash
# Real-time logs
wrangler tail nutrie-openai-worker-v3 --format pretty
# Filter for specific events (wrangler tail matches log text with --search)
wrangler tail nutrie-openai-worker-v3 --search "subscription"
```
Dashboard alerts recommended for: error rate > 5%, P99 > 5s, invocation spikes.