Workers & Functions
Workers Functions
Section titled “Workers Functions”_middleware.js — Security Layer
Section titled “_middleware.js — Security Layer”Intercepts all /api/* requests. Handles JWT signature verification (RS256 against CF Access JWKS), CSRF protection (Origin/Referer check), tiered rate limiting, and caller email extraction. See the Middleware & Security section for details.
setup.js — Database Migrations
Section titled “setup.js — Database Migrations”Versioned migration system (v1–v10). Each migration creates tables, adds columns, seeds data, or runs custom SQL. Tracks applied versions in schema_migrations table. Admin-only endpoint at /api/setup.
access.js + access/role.js — RBAC
Section titled “access.js + access/role.js — RBAC”access.js handles all CRUD for users, roles, teams, and team requests (admin only). access/role.js returns the caller’s profile (role, permissions, sites, onboarding status) and is called on every page load.
onboarding.js — User Onboarding
Section titled “onboarding.js — User Onboarding”GET: returns onboarding status, teams, pending requests. POST: submits first/last name and optional team join request.
operations.js — TUGA Proxy
Section titled “operations.js — TUGA Proxy”Proxies requests to RPi controllers via Cloudflare Tunnels. Supports ?endpoint=status|alerts|events|occupancy|stats and &rpi=rpi1|all.
langflow.js + messages.js — AI Chat
Section titled “langflow.js + messages.js — AI Chat”langflow.js proxies to the Langflow agent on flow.fjzippin.com and saves AI responses to D1. messages.js handles GET/POST/DELETE for per-user chat history. Both require page:ai permission.
cron-stats Worker
Section titled “cron-stats Worker”Scheduled worker running every 15 minutes. Polls RPi status, health-checks 17+ endpoints, evaluates trigger alert conditions, and stores snapshots in D1.