Skip to content
cfdemo.link

Technical Audit

Summary of Scope & Gaps

Section titled “Summary of Scope & Gaps”

CF Messenger is a high-fidelity demonstration of Cloudflare edge primitives. While it excels at low-latency, global WebSockets, certain production-grade features are intentionally deferred for the POC.

Known Limitations & Failure Modes

Section titled “Known Limitations & Failure Modes”
  1. Message Durability (Improved): ChatRoom DOs flush to disk every 1 second. While suitable for demos, it is not fully ACID compliant; a crash could lose up to 1s of data.
  2. Session Expiry UX: Tokens expire after 20 minutes. Without auto-refresh modals, users may experience abrupt disconnections.
  3. Rate Limit Drift: Durable Object counters reset on rare reroutes. KV mirrors reduce this drift but do not guarantee absolute enforcement.
  4. Presence Drift: SESSION_KV TTLs can expire while sockets remain open; the worker forces disconnects when tokens become invalid.
  5. DO Migration Loss: Deploying new Durable Object class definitions clears in-memory buffers unless state is persisted to KV/D1.

Path to Production

Section titled “Path to Production”

To transition this stack from a demo to a production-ready application, the following work is required:

  • Durability: Persist message buffers to Cloudflare R2 or D1, add deduplication logic, and replay buffers during warm-ups.
  • Offline Delivery: Integrate Cloudflare Queues to buffer and retry messages when clients reconnect.
  • Hardened Security: Rotate secrets automatically and encrypt Durable Object/KV buffers at rest using AES-256-GCM.
  • Compliance Automation: Implement a full Deletion API, enforce strict retention policies, and enable Logpush for audit trails.

Observability & Analytics

Section titled “Observability & Analytics”

The system utilises a dual-layered approach to monitor both performance and business logic:

Frontend: Web Analytics

Section titled “Frontend: Web Analytics”

Privacy-first, cookie-less tracking of Real User Monitoring (RUM) metrics (LCP, FID, CLS) via a lightweight JavaScript beacon.

Backend: Workers Analytics Engine

Section titled “Backend: Workers Analytics Engine”

High-cardinality, time-series logging of custom application events, such as login_success and ai_invocation, enabling SQL-based querying of application health directly from the Cloudflare Dashboard.

This audit ensures stakeholders understand both the immense capabilities and the deliberate constraints of the current architecture.