Golden-path apps/os: TanStack Start + oRPC + Workers, no apps framework

[jonastemplestein]

Golden-path apps/os: TanStack Start + oRPC + Cloudflare Workers

Relentlessly simplifies apps/os onto the golden path, fixes the phantom
/projects/new route the sidebar linked to, and — found during review —
closes a live production secret leak. Full decision log:
apps/os/docs/simplification-decisions.md.

---

1. The bug that started this: a sidebar link to a 404

The sidebar linked to /projects/new, which 404'd. The route file was:

// routes/_app/projects/[_]new.tsx   (the [_] escapes a leading underscore)
export const Route = createFileRoute("/_app/projects/_new")({ ... });

In routeTree.gen.ts this produced a route with path: '' — a pathless
route that the type system still advertised as the linkable target
/projects/new, so <Link to="/projects/new"> typechecked but never matched
at runtime. It hit an upstream router-generator bug with escaped underscores
under a pathless layout (TanStack/router#7408, #7453), and the version we were
pinned to (@tanstack/react-start@1.167.5 → bundled router-generator@1.166.17)
predated the fix.

Why it was bad: typed-but-unmatchable routes are invisible to CI — tsc
passes against a lie. The only way to catch it is to keep the generated route
tree honest.

Fix:

• Renamed to a top-level routes/_app/new-project.tsx → /new-project
  (also can't ever collide with a $projectSlug).
• Bumped the TanStack pair to the version with the generator fix
  (react-start 1.168.25 / react-router 1.170.15, bumped together because
  react-start hard-pins react-router).
• Added scripts/generate-route-tree.ts + routes:check, wired into
  typecheck, so CI now fails on a stale/phantom route tree:

// regenerates routeTree.gen.ts with the SAME generator + config the vite build
// uses; --check restores the file and exits 1 if it drifted.
const before = readFileSync(routeTreePath, "utf8");
try { await new Generator({ config, root }).run(); after = readFileSync(routeTreePath, "utf8"); }
finally { if (checkOnly) writeFileSync(routeTreePath, before); }
if (before !== after && checkOnly) { console.error("routeTree.gen.ts is stale…"); process.exit(1); }

---

2. Removed the "apps framework" over-abstraction

apps/os predated the decision to make OS the only product app. It still paid
for generality it no longer needs.

2a. app.ts (manifest + config) → config.ts; manifest deleted

A manifest object existed only to parameterize shared helpers by app identity.
With one product app, every consumer can just say "os":

// before — alchemy.run.ts
const ctx = await initAlchemy(manifest, AppConfig, env);
// after
const ctx = await initAlchemy("os", AppConfig, env);

// before — withEvlog took the whole AppManifest
withEvlog({ request, manifest, config, executionCtx }, …)
// after — a plain { name, slug }; log field names kept stable for dashboards
withEvlog({ request, app: { name: "@iterate-com/os", slug: "os" }, config, executionCtx: ctx }, …)

Config utilities (redacted/publicValue/parseAppConfigFromEnv/
extractPublicConfigSchema) and request logging moved out of the apps/*
namespace to @iterate-com/shared/config and @iterate-com/shared/evlog. The
old @iterate-com/shared/apps/* paths are now one-line re-export shims, so
apps/semaphore needs zero changes in this PR.

2b. AppContext (hand-threaded) → RequestContext (TanStack Start's own)

The old AppContext carried every worker binding as an optional field,
threaded around next to — not through — TanStack Start's request context. That
forced a defensive guard at every use site for bindings that are always bound:

// before — in ~6 routers/capabilities
if (!context.stream) {
  throw new ORPCError("INTERNAL_SERVER_ERROR", { message: "STREAM … not configured." });
}
const ns = context.stream as unknown as StreamDurableObjectNamespace;

Why it was bad: a dozen impossible-error branches, an AppContext type
listing 14 optional bindings, and two parallel notions of "context". The
golden-path answer is to read bindings where you use them:

// after — env is the documented module-level binding accessor
import { env } from "cloudflare:workers";
const ns = env.STREAM as unknown as StreamDurableObjectNamespace;

RequestContext (src/request-context.ts) is now just request-scoped state
(config, db, log, auth principal/session, waitUntil, ctx.exports, project
scope) and is the actual TanStack Start request context — the Register
augmentation lives next to the type. ctx.exports is the one binding kept on
the context, because Cloudflare only exposes it on ExecutionContext, not as a
module import.

Net effect on the routers: agents +10/−44, projects +22/−52,
codemode +3/−21, streams +5/−14 — they all got smaller.

2c. entry.workerd.ts (604 lines) → worker.ts (197 lines) + focused modules

The entrypoint was a 600-line grab-bag. It's now a short, linear dispatcher a
Cloudflare engineer would recognize at a glance — infra routes → evlog →
project ingress → stream RPC / capnweb → TanStack Start handler:

export default {
  async fetch(request, env, ctx) {
    const config = parseConfig(env); // per-request, not module scope — see §3 note
    const early = (await handleCaptunTunnelFetch(request, env, config))
      ?? (await handleDebugRoutes({ request, env, config }));
    if (early) return early;
    return withEvlog({ request, app: { name: "@iterate-com/os", slug: "os" }, config, executionCtx: ctx },
      async ({ log }) => {
        // … ingress → stream RPC → capnweb → handler.fetch(request, { context }) …
      });
  },
};

The debug endpoints, project-stream RPC, and ingress lookup moved into
src/debug-routes.ts, src/domains/streams/project-stream-rpc.ts, and
src/ingress/lookup.ts. IterateApp gained a main option (default unchanged,
so semaphore is untouched). The __internal oRPC namespace and the OpenAPI
reference plugin are now declared inline in orpc/root.ts / orpc/handler.ts
instead of via a shared factory.

---

3. 🔒 Security: closed an unauthenticated secret leak (rotate secrets)

Review turned up that GET /api/__internal/debug was unauthenticated and
returned process.env — which, under nodejs_compat (always on for our
workers), contains the raw APP_CONFIG secret blob. Confirmed live on
os.iterate.com and semaphore.iterate.com.

// before — packages/shared/src/apps/internal-router.ts
export function createInternalDebugOutput() {
  if (typeof process === "undefined") return { runtime: "workerd" };
  return { runtime: "node", pid: process.pid, …,
    env: Object.fromEntries(Object.entries(process.env)…), // ← the whole secret blob, to anyone
    memoryUsage: process.memoryUsage() };
}
// after
export function createInternalDebugOutput() {
  // SECURITY: this route is UNAUTHENTICATED. Never return secrets here.
  return { runtime: "workerd" as const };
}

Gutted at the shared source so semaphore (still on the shared router) is fixed
too; OS's inline __internal router does the same.

Access check (Cloudflare Workers Observability, queried 2026-06-10): a path
filter url.path eq /api/__internal/debug returned 0 events; the only
__internal traffic was trpc-cli-procedures from our own node CLI. That's
reassuring but not proof — effective visibility for rare requests was only
~the last 24–35h (far shorter than the exposure window) and the dataset is
ABR-sampled. Action required: rotate the Cloudflare API token, OpenAI/xAI/
Gemini keys, admin API secret, and Slack/Google OAuth secrets on both apps, then
redeploy.

Note (also from review): config is now parsed per request in worker.ts,
not at module scope. Module-scope derivatives of secrets can go stale across
binding-only deploys (Cloudflare reuses isolates); a zod parse per request is
trivially cheap and always honors the current secret.

---

4. Review & verification

• Two adversarial reviews against re-read first-party docs (Cloudflare,
  TanStack Start/Router/Query, oRPC). They caught, among other things, a
  build blocker — @tanstack/devtools-vite@0.7.0's removeDevtools
  transform rewrites a parenthesized JSX return into return ( ); (a syntax
  error), which only vite build (deploy/preview) surfaces, not PR CI. Pinned
  back to 0.6.0.
• Monorepo typecheck / lint (0 warnings) / format / tests / a real
  vite build all pass; Cursor Bugbot clean; Preview deploy + e2e green.
• Headless preview smoke test (apps/os/docs/preview-agent-browser-smoke.md):
  superadmin sign-in → create a project via /new-project → a real agent
  conversation (typed a question in the browser, the agent DO + LLM replied).

Two honest caveats are documented, not hidden: a transient Project not found
I chased was an expired short-lived OS session JWT, not a bug; and live
stream display needs a WebSocket that 500s on preview hosts (the conversation
completes server-side; the WS-upgrade code is byte-identical to main → flagged
as preview-infra follow-up, not claimed fixed).

---

5. "Wait, a simplification PR that's net +~930 lines?"

Correct, and worth unpacking — because ~74% of the net isn't application code
at all, and the code that is application logic mostly shrank.

git diff origin/main…HEAD: 91 files, +3709 / −2777 = net +932. By area:

Area	net	what it is
pnpm-lock.yaml	+423	dependency-graph churn from the TanStack version bump. Zero hand-written lines.
docs/	+267	the decisions log + headless smoke-test guide you asked for. Prose, not code.
apps/os/src	+123	see below — dominated by new files that replace deleted ones
scripts/	+61	the new generate-route-tree.ts freshness check (pure addition, didn't exist)
packages/shared	+57	back-compat shims so semaphore is untouched + the moved modules
generated routeTree.gen.ts	0
tests / other	+1

pnpm-lock.yaml + docs alone are +690 of the +932. Strip those and the
real source delta is ~+240, almost all of it deliberate new
infrastructure, not retained complexity:

• generate-route-tree.ts (+61) — new CI guard against the class of bug that
  started this PR.
• request-context.ts (+96) + router-context.ts (+18) — replace the deleted
  context.ts (−51) with a smaller, correct request context plus the typed
  accessors that work around an upstream getGlobalStartContext type bug.
• back-compat shims in packages/shared/src/apps/* — a few lines each so
  semaphore changes by zero lines instead of forcing a parallel refactor
  into this PR.

The actual product logic got smaller and flatter:

• entry.workerd.ts (−604) → worker.ts (+197) plus three focused extracted
  modules. The headline file shrank ~3×.
• the oRPC routers lost net ~120 lines of impossible-error binding guards.
• context.ts (−51) and the 14-field AppContext are gone.

The line counters also double-count pure moves: config.ts shows as
+501 (new path) and −501 (old path → 4-line shim) — net ~0 churn that
inflates both columns. Same for the evlog modules. Git doesn't detect these
as renames because the old path still exists as a shim.

So: net +~930, but it's lockfile (+423) + requested docs (+267) + new guard
rails and a security fix (+~240), against genuinely less and simpler runtime
code. If you want the "pure simplification" number, it's the apps/os/src
runtime logic, which is net-negative once you exclude the new context/worker
scaffolding that replaced larger deleted files.

🤖 Generated with Claude Code

---

6. Update: merged main (itx) + semaphore migration

Since this branch opened, main landed #1407 (itx) which rewrote the worker
entrypoint and replaced src/capnweb/ with src/itx/. Rather than rebase
through it, I merged main and reconciled:

• worker.ts now wires the itx handlers (handleItxFetch,
  handleProjectHostItxFetch, getItxCapHostIngressRule, itx entrypoint
  exports) instead of the removed capnweb ones — keeping the clean split
  (debug-routes.ts, project-stream-rpc.ts, ingress/lookup.ts).
• The whole src/itx/ subsystem was migrated onto the new config.ts /
  request-context.ts (it was built on the now-deleted app.ts/context.ts).
• Honored main's new no-raw-durable-object-binding-access guardrail:
  ingress code (projects router, integration-api) mints Project/Slack DO stubs
  through helpers in the trusted *-durable-object.ts domain files
  (getProjectDurableObjectStub, getSlackIntegrationStub) rather than raw
  env.X.getByName. Updated the rule's allowlist for the worker.ts rename.

Also migrated apps/semaphore off the same @iterate-com/shared/apps/*
framework (its own app.ts→config.ts, context.ts→request-context.ts,
entry.workerd.ts→worker.ts, inline __internal), which let me delete the
shared modules entirely (the apps/config, apps/logging/*,
apps/internal-router, apps/orpc shims) instead of leaving them as
back-compat shims. Monorepo typecheck, lint (0 warnings), and tests are green.

---

Note

High Risk
Removes the shared apps layer and rewrites the worker entry, request context, and oRPC wiring across most of OS; also fixes a live unauthenticated debug endpoint that exposed secrets—rotate affected credentials after deploy.

Overview
Refactors apps/os off the shared “apps framework” onto a single-app golden path: app.ts → config.ts, AppContext → RequestContext (TanStack Start’s registered request context), and entry.workerd.ts → worker.ts with logic split into debug-routes.ts, ingress/lookup.ts, and project-stream-rpc.ts. oRPC routers and integrations now read Cloudflare bindings via import { env } from "cloudflare:workers" instead of optional fields on context, with trusted DO stub helpers for lint compliance.

Fixes the phantom /projects/new route by moving project creation to /new-project, bumps the TanStack pair, and adds routes:check / generate-route-tree.ts so CI fails on a stale routeTree.gen.ts.

Security: stops GET /api/__internal/debug from exposing secrets — OS inlines a safe __internal router (static { runtime: "workerd" } on debug) and hardens the shared debug helper so other apps don’t leak process.env.

Docs add the simplification decision log and expanded headless preview smoke procedures; alchemy deploy points IterateApp at ./src/worker.ts and passes "os" to initAlchemy instead of a manifest.

^{Reviewed by Cursor Bugbot for commit ecbd6d7. Bugbot is set up for automated code reviews on this repo. Configure here.}

Environment Config Lease

No active environment config lease.

OS

Status: released
Commit: ecbd6d7
Preview: https://os.iterate-preview-2.com
Summary: Preview app released.
Workflow run
Updated: 2026-06-10T08:12:17.757Z

Semaphore

Status: released
Commit: ecbd6d7
Preview: https://semaphore.iterate-preview-2.com
Summary: Preview app released.
Workflow run
Updated: 2026-06-10T08:12:13.352Z

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ecbd6d7. Configure here.}