Merge pull request #7288 from 0xSolace/fix/cloud-cache-and-jwt-secret-preference

fix(cloud): re-apply auth fixes lost in cloud → eliza migration

Author: lalalune

cloud/apps/api/wrangler.toml

@@ -104,8 +104,9 @@ DATABASE_REGION = "na"
 PAYOUT_TESTNET = "false"
 ENABLE_X402_PAYMENTS = "true"
 X402_NETWORK = "base"
-CACHE_ENABLED = "true"
-REDIS_RATE_LIMITING = "true"
+CACHE_ENABLED = "false"
+CACHE_DISABLE_REASON = "CF Workers cross-request I/O isolation: CacheClient module-level singleton is incompatible until refactored to per-request scope"
+REDIS_RATE_LIMITING = "false"
 FORCE_REDIS_EVENTS = "false"
 R2_PUBLIC_HOST = "blob.elizacloud.ai"
 SQL_HEAVY_PAYLOAD_STORAGE = "r2"
@@ -202,8 +203,9 @@ DATABASE_REGION = "na"
 PAYOUT_TESTNET = "true"
 ENABLE_X402_PAYMENTS = "true"
 X402_NETWORK = "base"
-CACHE_ENABLED = "true"
-REDIS_RATE_LIMITING = "true"
+CACHE_ENABLED = "false"
+CACHE_DISABLE_REASON = "CF Workers cross-request I/O isolation: CacheClient module-level singleton is incompatible until refactored to per-request scope"
+REDIS_RATE_LIMITING = "false"
 FORCE_REDIS_EVENTS = "false"
 R2_PUBLIC_HOST = "blob.elizacloud.ai"
 SQL_HEAVY_PAYLOAD_STORAGE = "r2"
@@ -245,8 +247,9 @@ DATABASE_REGION = "na"
 PAYOUT_TESTNET = "false"
 ENABLE_X402_PAYMENTS = "true"
 X402_NETWORK = "base"
-CACHE_ENABLED = "true"
-REDIS_RATE_LIMITING = "true"
+CACHE_ENABLED = "false"
+CACHE_DISABLE_REASON = "CF Workers cross-request I/O isolation: CacheClient module-level singleton is incompatible until refactored to per-request scope"
+REDIS_RATE_LIMITING = "false"
 FORCE_REDIS_EVENTS = "false"
 R2_PUBLIC_HOST = "blob.elizacloud.ai"
 SQL_HEAVY_PAYLOAD_STORAGE = "r2"

cloud/packages/lib/auth/steward-client.ts

@@ -79,10 +79,15 @@ export interface StewardVerifyEnv {
 let _jwtSecretCache: { raw: string; key: Uint8Array } | null = null;
 
 function resolveJwtSecret(env: StewardVerifyEnv): Uint8Array | null {
-  const raw = env.STEWARD_SESSION_SECRET || env.STEWARD_JWT_SECRET || "";
+  // Mirror @stwd/auth getJwtSecret() preference order:
+  // STEWARD_JWT_SECRET is canonical, STEWARD_SESSION_SECRET is the deprecated
+  // backwards-compat fallback. Reading them in the wrong order causes silent
+  // verify failures when a deployment sets both (signer uses JWT_SECRET,
+  // verifier ends up using SESSION_SECRET). See steward-fi/auth/src/jwt.ts.
+  const raw = env.STEWARD_JWT_SECRET || env.STEWARD_SESSION_SECRET || "";
 
   if (!raw) {
-    logger.warn("[StewardClient] No STEWARD_SESSION_SECRET or STEWARD_JWT_SECRET configured");
+    logger.warn("[StewardClient] No STEWARD_JWT_SECRET or STEWARD_SESSION_SECRET configured");
     return null;
   }
 

cloud/packages/lib/cache/client.ts

@@ -646,11 +646,22 @@ export class CacheClient {
     this.enabled = env.CACHE_ENABLED !== "false";
 
     if (!this.enabled) {
-      if (env.NODE_ENV === "production") {
+      // CACHE_DISABLE_REASON acknowledges an intentional disable
+      // (e.g. CF Workers cross-request I/O isolation incompatibility while
+      // CacheClient remains a module-level singleton). When set, downgrade
+      // the production log to warn so monitoring dashboards do not
+      // alert on every cold start.
+      const disableReason = env.CACHE_DISABLE_REASON;
+      if (env.NODE_ENV === "production" && !disableReason) {
         logger.error(
           "🚨 [Cache] CRITICAL: Caching disabled in production! " +
             "This will cause severe performance degradation. " +
-            "Set CACHE_ENABLED=true and configure Redis credentials.",
+            "Set CACHE_ENABLED=true and configure Redis credentials, " +
+            "or set CACHE_DISABLE_REASON to acknowledge the disable.",
+        );
+      } else if (disableReason) {
+        logger.warn(
+          `[Cache] Caching is disabled (acknowledged): ${disableReason}`,
         );
       } else {
         logger.warn("[Cache] Caching is disabled via CACHE_ENABLED flag");