feat(ops): add Cloudflare cost killswitch

saltbo · saltbo · commit 602d1535d1cf · 2026-04-19T15:41:16.000-04:00
Polls CF GraphQL Analytics every 10 minutes. Opens a GitHub issue
when daily usage crosses configurable thresholds for Worker
requests, D1 row reads, DO requests, or DO active duration.

Script exits 0 (ok) / 1 (tripped) / 2 (query failure). The optional
auto-disable step only fires on exit=1, so query failures can never
take the site offline on their own.
diff --git a/.github/workflows/killswitch.yml b/.github/workflows/killswitch.yml
@@ -0,0 +1,135 @@
+name: Cost Killswitch
+
+# Polls Cloudflare billing-relevant counters every 10 minutes. Opens an issue
+# on threshold breach. If AUTO_DISABLE=true and CF_WORKER_NAME is set, removes
+# the Worker's routes to stop billable traffic.
+#
+# Required repo secrets:
+#   CF_API_TOKEN           Analytics: Read (always), Workers Scripts: Edit
+#                          and Zone: Edit (only if AUTO_DISABLE=true)
+#
+# Required repo variables (Settings → Variables → Actions):
+#   CF_ACCOUNT_ID          e.g. 94a89d03c0fc785c8dcbd3c674d6742a
+#
+# Optional repo variables:
+#   DAILY_WORKER_REQUESTS  default 1000000
+#   DAILY_D1_ROWS_READ     default 10000000
+#   DAILY_DO_REQUESTS      default 500000
+#   DAILY_DO_DURATION_SEC  default 10000
+#   AUTO_DISABLE           "true" to actually stop the Worker; default off
+#   CF_WORKER_NAME         e.g. agent-kanban (for route removal)
+#   CF_ZONE_ID             zone ID hosting the Worker route
+
+on:
+  schedule:
+    - cron: "*/10 * * * *"
+  workflow_dispatch:
+
+concurrency:
+  group: cost-killswitch
+  cancel-in-progress: false
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    env:
+      CF_ACCOUNT_ID: ${{ vars.CF_ACCOUNT_ID || '94a89d03c0fc785c8dcbd3c674d6742a' }}
+      CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+      DAILY_WORKER_REQUESTS: ${{ vars.DAILY_WORKER_REQUESTS }}
+      DAILY_D1_ROWS_READ: ${{ vars.DAILY_D1_ROWS_READ }}
+      DAILY_DO_REQUESTS: ${{ vars.DAILY_DO_REQUESTS }}
+      DAILY_DO_DURATION_SEC: ${{ vars.DAILY_DO_DURATION_SEC }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Check usage
+        id: check
+        run: |
+          set +e
+          OUTPUT=$(node scripts/cost-killswitch.mjs 2> >(tee -a $GITHUB_STEP_SUMMARY >&2))
+          CODE=$?
+          echo "$OUTPUT" > /tmp/killswitch.json
+          {
+            echo "exit_code=$CODE"
+            echo "result<<EOF"
+            cat /tmp/killswitch.json
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+          exit 0
+
+      - name: Open alert issue
+        if: steps.check.outputs.exit_code == '1'
+        uses: actions/github-script@v7
+        env:
+          KILL_RESULT: ${{ steps.check.outputs.result }}
+        with:
+          script: |
+            const r = JSON.parse(process.env.KILL_RESULT);
+            const title = `[killswitch] Cost threshold tripped: ${r.reasons.join('; ')}`;
+            const body = [
+              `Killswitch tripped at \`${new Date().toISOString()}\`.`,
+              ``,
+              `**Reasons:**`,
+              ...r.reasons.map(x => `- ${x}`),
+              ``,
+              `**Usage window:** \`${r.windowStart}\` → \`${r.windowEnd}\``,
+              ``,
+              `| Metric | Used | Threshold |`,
+              `|---|---:|---:|`,
+              `| Worker requests | ${r.usage.workerRequests} | ${r.thresholds.workerRequests} |`,
+              `| D1 rows read | ${r.usage.d1RowsRead} | ${r.thresholds.d1RowsRead} |`,
+              `| DO requests | ${r.usage.doRequests} | ${r.thresholds.doRequests} |`,
+              `| DO duration (s) | ${r.usage.doDurationSec} | ${r.thresholds.doDurationSec} |`,
+              ``,
+              `Investigate at https://dash.cloudflare.com/${process.env.CF_ACCOUNT_ID || ''}/workers/overview`,
+            ].join('\n');
+            const { data: open } = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'killswitch',
+            });
+            if (open.length > 0) {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: open[0].number,
+                body,
+              });
+            } else {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title,
+                body,
+                labels: ['killswitch'],
+              });
+            }
+
+      - name: Auto-disable Worker routes
+        if: steps.check.outputs.exit_code == '1' && vars.AUTO_DISABLE == 'true' && vars.CF_ZONE_ID != '' && vars.CF_WORKER_NAME != ''
+        env:
+          CF_ZONE_ID: ${{ vars.CF_ZONE_ID }}
+          CF_WORKER_NAME: ${{ vars.CF_WORKER_NAME }}
+        run: |
+          set -euo pipefail
+          ROUTES=$(curl -sS -H "Authorization: Bearer $CF_API_TOKEN" \
+            "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/workers/routes")
+          echo "$ROUTES" | jq -r --arg name "$CF_WORKER_NAME" \
+            '.result[] | select(.script == $name) | .id' | while read id; do
+            if [ -n "$id" ]; then
+              echo "Removing route $id"
+              curl -sS -X DELETE -H "Authorization: Bearer $CF_API_TOKEN" \
+                "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/workers/routes/$id"
+            fi
+          done
+
+      - name: Fail the job on trip
+        if: steps.check.outputs.exit_code == '1'
+        run: exit 1
diff --git a/scripts/cost-killswitch.mjs b/scripts/cost-killswitch.mjs
@@ -0,0 +1,151 @@
+#!/usr/bin/env node
+/**
+ * Cost killswitch: queries Cloudflare GraphQL Analytics for today's usage
+ * and exits non-zero when any threshold is exceeded.
+ *
+ * Env:
+ *   CF_ACCOUNT_ID             — required
+ *   CF_API_TOKEN              — required, needs Analytics: Read
+ *   DAILY_WORKER_REQUESTS     — optional, default 1_000_000
+ *   DAILY_D1_ROWS_READ        — optional, default 10_000_000
+ *   DAILY_DO_REQUESTS         — optional, default 500_000
+ *   DAILY_DO_DURATION_SEC     — optional, default 100_000  (active seconds, not GB-sec)
+ *
+ * Exit codes:
+ *   0  — all thresholds ok
+ *   1  — one or more thresholds tripped
+ *   2  — query failed (treat as unknown, do NOT auto-disable)
+ *
+ * Stdout: a single JSON line with { tripped, usage, thresholds, reasons }
+ * Stderr: human-readable diagnostics
+ */
+
+const ACCOUNT_ID = process.env.CF_ACCOUNT_ID;
+const API_TOKEN = process.env.CF_API_TOKEN;
+
+if (!ACCOUNT_ID || !API_TOKEN) {
+  console.error("CF_ACCOUNT_ID and CF_API_TOKEN are required");
+  process.exit(2);
+}
+
+const thresholds = {
+  workerRequests: Number(process.env.DAILY_WORKER_REQUESTS ?? 1_000_000),
+  d1RowsRead: Number(process.env.DAILY_D1_ROWS_READ ?? 10_000_000),
+  doRequests: Number(process.env.DAILY_DO_REQUESTS ?? 500_000),
+  doDurationSec: Number(process.env.DAILY_DO_DURATION_SEC ?? 100_000),
+};
+
+// UTC day window — CF billing resets at 00:00 UTC
+const now = new Date();
+const start = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate()));
+const startIso = start.toISOString();
+const nowIso = now.toISOString();
+
+const query = `
+  query Usage($accountTag: String!, $start: Time!, $end: Time!) {
+    viewer {
+      accounts(filter: { accountTag: $accountTag }) {
+        workersInvocationsAdaptive(
+          filter: { datetime_geq: $start, datetime_lt: $end }
+          limit: 10000
+        ) {
+          sum { requests errors }
+        }
+        durableObjectsInvocationsAdaptiveGroups(
+          filter: { datetime_geq: $start, datetime_lt: $end }
+          limit: 10000
+        ) {
+          sum { requests }
+        }
+        durableObjectsPeriodicGroups(
+          filter: { datetime_geq: $start, datetime_lt: $end }
+          limit: 10000
+        ) {
+          sum { activeTime }
+        }
+        d1AnalyticsAdaptiveGroups(
+          filter: { datetime_geq: $start, datetime_lt: $end }
+          limit: 10000
+        ) {
+          sum { readQueries writeQueries rowsRead rowsWritten }
+        }
+      }
+    }
+  }
+`;
+
+async function callGraphQL() {
+  const res = await fetch("https://api.cloudflare.com/client/v4/graphql", {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${API_TOKEN}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({
+      query,
+      variables: { accountTag: ACCOUNT_ID, start: startIso, end: nowIso },
+    }),
+  });
+  if (!res.ok) {
+    throw new Error(`GraphQL HTTP ${res.status}: ${await res.text()}`);
+  }
+  const data = await res.json();
+  if (data.errors?.length) {
+    throw new Error(`GraphQL errors: ${JSON.stringify(data.errors)}`);
+  }
+  return data.data.viewer.accounts[0] ?? {};
+}
+
+function sumBy(rows, key) {
+  if (!Array.isArray(rows)) return 0;
+  return rows.reduce((acc, r) => acc + (r?.sum?.[key] ?? 0), 0);
+}
+
+function main() {
+  return callGraphQL().then((acct) => {
+    const usage = {
+      workerRequests: sumBy(acct.workersInvocationsAdaptive, "requests"),
+      workerErrors: sumBy(acct.workersInvocationsAdaptive, "errors"),
+      doRequests: sumBy(acct.durableObjectsInvocationsAdaptiveGroups, "requests"),
+      // activeTime is returned in microseconds; convert to seconds for human-friendly threshold
+      doDurationSec: Math.round(sumBy(acct.durableObjectsPeriodicGroups, "activeTime") / 1_000_000),
+      d1RowsRead: sumBy(acct.d1AnalyticsAdaptiveGroups, "rowsRead"),
+      d1RowsWritten: sumBy(acct.d1AnalyticsAdaptiveGroups, "rowsWritten"),
+    };
+
+    const reasons = [];
+    if (usage.workerRequests > thresholds.workerRequests) {
+      reasons.push(`workerRequests ${usage.workerRequests} > ${thresholds.workerRequests}`);
+    }
+    if (usage.d1RowsRead > thresholds.d1RowsRead) {
+      reasons.push(`d1RowsRead ${usage.d1RowsRead} > ${thresholds.d1RowsRead}`);
+    }
+    if (usage.doRequests > thresholds.doRequests) {
+      reasons.push(`doRequests ${usage.doRequests} > ${thresholds.doRequests}`);
+    }
+    if (usage.doDurationSec > thresholds.doDurationSec) {
+      reasons.push(`doDurationSec ${usage.doDurationSec} > ${thresholds.doDurationSec}`);
+    }
+
+    const tripped = reasons.length > 0;
+    const result = { tripped, windowStart: startIso, windowEnd: nowIso, usage, thresholds, reasons };
+
+    console.log(JSON.stringify(result));
+    console.error(
+      `[killswitch] window=${startIso}..${nowIso}\n` +
+      `  workerRequests: ${usage.workerRequests} / ${thresholds.workerRequests}\n` +
+      `  d1RowsRead:     ${usage.d1RowsRead} / ${thresholds.d1RowsRead}\n` +
+      `  doRequests:     ${usage.doRequests} / ${thresholds.doRequests}\n` +
+      `  doDurationSec:  ${usage.doDurationSec} / ${thresholds.doDurationSec}\n` +
+      `  tripped: ${tripped}${tripped ? ` (${reasons.join("; ")})` : ""}`
+    );
+
+    process.exit(tripped ? 1 : 0);
+  }).catch((err) => {
+    console.error(`[killswitch] query failed: ${err.message}`);
+    console.log(JSON.stringify({ tripped: false, error: err.message }));
+    process.exit(2);
+  });
+}
+
+main();
