Operational Status

Shared secret over TLS is acceptable for v1. For v2+, require HMAC-signed requests with timestamp and nonce to prevent replay. See docs/SIGNING.md. Set BYJL_WORKER_REQUIRE_SIGNED=1 once the worker implements the signing protocol.

Set BYJL_WORKER_SECRET_ROTATED_AT to the ISO timestamp of the last rotation. Rotate on a 90-day cadence. Accept previous secret for a 24-hour rollover window.

If the execution worker has a stable egress identity, restrict POST /api/results at the edge (Cloudflare IP Access Rules, mTLS, or equivalent). Set BYJL_WORKER_INGRESS_NARROWED=1 once narrowed. Skip if the worker roams.

Mutating operator routes should require a verified identity header from the edge (Cf-Access-Authenticated-User-Email, or equivalent). Set BYJL_SESSION_AUTH_CONFIGURED=1 once Cloudflare Access is enforcing on /api/* mutations and the identity is recorded on AuditEvent.actor.

The control plane has no in-app auth. Cloudflare Access (or equivalent) must sit in front of it. Confirm by setting BYJL_ACCESS_GATING_ACKNOWLEDGED=1.

Audit history is the control plane's legal record. Export daily to R2/S3 with 90-day retention minimum, documented restore procedure, and integrity checks on the export. Set BYJL_AUDIT_BACKUP_CONFIGURED=1 once the backup job runs and a restore has been rehearsed.

Page on: failed_last_24h > 0, worker offline > 1h, POST /api/results auth failures > 5/h, audit write errors, queue backlog > 10 pending_run. Set BYJL_ALERTING_CONFIGURED=1 once paging/notification is wired.