Production Deployment Checklist
Use this checklist before going live with WasmAgent in a production environment. Each item links to the relevant configuration documentation.
Authentication
- [ ] `clientToken` set — configure it as a Cloudflare Workers secret (`wrangler secret put CLIENT_TOKEN`). All API requests must present this token in the `Authorization: Bearer <token>` header.
- [ ] CORS locked to a known origin — set `WASMAGENT_ALLOWED_ORIGIN` to your frontend's domain. Do not use `*` in production.
- [ ] `allowLocalSessionFallback` NOT set — this flag lets requests without `X-Session-Id` fall back to a local session, which disables session isolation. It must be absent or `false` in production.
Session isolation
- [ ] `X-Session-Id` required on all file/run/job endpoints — the worker must reject requests that omit this header with HTTP 400.
- [ ] Session IDs are server-generated — do not allow clients to supply arbitrary session ID values. Generate them server-side and bind them to authenticated user identities.
- [ ] `SessionKvStore` in use — verify that all KV reads and writes go through `SessionKvStore` (which namespaces keys under `session:<id>:...`) rather than raw KV puts/gets.
Kernel policy
- [ ] WASM kernel selected — use `QuickJSKernel` or `WasmtimeKernel` rather than `JsKernel` (Node.js `vm`). See capability-manifest-guide.md for kernel selection guidance.
- [ ] `CapabilityManifest` restricts file paths to the workspace — `allowedReadPaths` and `allowedWritePaths` must be scoped to `/workspace/<sessionId>` or narrower. Paths like `/`, `/etc`, or `/home` must not appear.
- [ ] `allowedHosts` is not a wildcard — `allowedHosts: ["*"]` grants unrestricted outbound network access. In production, list specific domain names only.
- [ ] `cpuMs` and `memoryLimitMb` set — every kernel construction must include a per-invocation CPU deadline and a memory ceiling. Omitting these allows runaway code to monopolise worker resources.
- [ ] `ApprovalPolicy` set to `strict()` or `balanced()` — `permissive()` (the default) allows all writes without human approval. At minimum, use `balanced()` in production. See capability-manifest-guide.md.
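The five Kernel policy items above are all properties of one manifest, so they can be checked mechanically before deploy. The following linter is an added example, not part of WasmAgent; it takes the manifest as a plain object whose field names follow the checklist (`kernel`, `allowedReadPaths`, `allowedWritePaths`, `allowedHosts`, `cpuMs`, `memoryLimitMb`) and assumes the approval policy is represented by its name (`"strict"`, `"balanced"`, `"permissive"`). The function names and the exact object shape are assumptions. It goes beyond the checklist text in one respect: paths are normalised before the prefix check so that `..` escapes are caught, and bare IP addresses are rejected as hosts.

```javascript
// Added example, not WasmAgent's own code. Lints a capability manifest (plain
// object, field names from the checklist; shape and policy representation assumed)
// against the Kernel policy items. Returns every finding rather than the first.

const WASM_KERNELS = new Set(["QuickJSKernel", "WasmtimeKernel"]);

// Resolve "." and ".." lexically so "/workspace/s1/../../etc" is seen as "/etc".
function normalizePosix(p) {
  const out = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop();
    else out.push(part);
  }
  return "/" + out.join("/");
}

// True only if the normalised path is the session workspace or strictly inside it.
// The trailing "/" matters: "/workspace/abcd" must not pass for session "abc".
function insideWorkspace(p, sessionId) {
  const root = `/workspace/${sessionId}`;
  const n = normalizePosix(p);
  return n === root || n.startsWith(root + "/");
}

// Hosts must be concrete DNS names: no "*", no "*.example.com" globs, and no
// literal IP addresses (which is how metadata endpoints such as 169.254.169.254
// would otherwise slip onto an allow-list).
function isConcreteHost(h) {
  const label = "[a-z0-9]([a-z0-9-]*[a-z0-9])?";
  const dnsName = new RegExp(`^${label}(\\.${label})+$`, "i");
  return dnsName.test(h) && !/^\d+$/.test(h.split(".").pop());
}

function lintManifest(m, sessionId) {
  const findings = [];
  if (!WASM_KERNELS.has(m.kernel)) {
    findings.push(`kernel: ${m.kernel} is not a WASM kernel (use QuickJSKernel or WasmtimeKernel)`);
  }
  for (const field of ["allowedReadPaths", "allowedWritePaths"]) {
    for (const p of m[field] ?? []) {
      if (!insideWorkspace(p, sessionId)) {
        findings.push(`${field}: ${p} escapes /workspace/${sessionId}`);
      }
    }
  }
  for (const h of m.allowedHosts ?? []) {
    if (!isConcreteHost(h)) findings.push(`allowedHosts: ${h} is not a concrete host name`);
  }
  for (const field of ["cpuMs", "memoryLimitMb"]) {
    if (!(Number.isFinite(m[field]) && m[field] > 0)) {
      findings.push(`${field}: must be a positive number`);
    }
  }
  if (m.approvalPolicy !== "strict" && m.approvalPolicy !== "balanced") {
    findings.push(`approvalPolicy: ${m.approvalPolicy ?? "permissive (default)"} allows unapproved writes`);
  }
  return { ok: findings.length === 0, findings };
}
```

Run `lintManifest` in CI against every manifest the deployment constructs and fail the build on `ok === false`. An unset `approvalPolicy` is reported as a finding on purpose: the checklist says the default is `permissive()`, so silence is not safety.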
Data integrity
- [ ] Build-result nonce enabled — configure the `buildResultsKv` binding in `wrangler.toml`. Without it, the `/build-result` endpoint does not verify nonces and forged build results can be accepted.
- [ ] G3 contamination guard active — run all training exports with `--mode production` to engage the `n_gram_hash` deduplication check. Do not ship training data that has not passed the G3 gate.
- [ ] Eval-items JSONL stored separately from rollout data — the eval fixture set (`eval-items.jsonl`) must not be co-located in the same KV prefix or S3 bucket as rollout data. A separate namespace prevents accidental contamination.
Observability
- [ ] `EventLog` persisted to KV — configure the `checkpointsKv` binding so that all agent events are durably stored. Without it, events are in-memory only and lost on process restart.
- [ ] OTel export configured — optional but recommended for production monitoring. Wire `model_start` / `model_done` / `guardrail_tripwire` events to your OTel collector. See audit-events.md.
- [ ] Error log retention period set — configure a TTL or purge schedule for KV event keys. The `EventLog` does not auto-expire entries.
- [ ] `guardrail_tripwire` events alerted — set up an alert or dashboard query for `guardrail_tripwire` events. A sudden spike indicates an active injection attempt or a misconfigured guardrail.
Rollout data (RLAIF pipeline)
- [ ] `allowLocalSessionFallback: false` — confirmed absent or false (see Authentication section above).
- [ ] Rollout export endpoint restricted by `sessionId` — the `/rollouts/export` and `/jobs/:id/rollout-export` endpoints must require `X-Session-Id` and return only data for that session.
- [ ] Training exports require G3 check — automate the G3 guard as a CI step; never ship a training batch that has not been validated by `validate-rlaif.mjs`.
- [ ] `buildResultsKv` namespace not publicly accessible — the KV namespace storing build-result nonces must be bound only to the worker's service binding. External write access to this namespace would allow nonce forgery.
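The G3 item in Data integrity and the "Training exports require G3 check" item above both refer to an n-gram-hash deduplication gate between eval items and training data. The following is an added example of what such a gate does; it is not `validate-rlaif.mjs` and makes no claim about how WasmAgent implements G3. Every eval item is reduced to a set of hashed word n-grams, and a training record is rejected if too large a fraction of its own n-grams appear in any single eval item. The n-gram length `N`, the `THRESHOLD`, the `{prompt, completion}` record shape, the FNV-1a hash and all function names are assumptions, and the sample records at the bottom are constructed for the demo.

```javascript
// Added example, not WasmAgent's own code and not its validate-rlaif.mjs.
// An n-gram-hash contamination gate between an eval set and a training export.
// N, THRESHOLD, record shape and function names are assumptions.

const N = 8;            // n-gram length in tokens
const THRESHOLD = 0.2;  // fraction of a record's n-grams allowed to overlap one eval item

// Lower-case, strip punctuation, split on whitespace: cheap normalisation so that
// case or punctuation changes alone cannot slip an eval item past the gate.
function tokenize(text) {
  return text.toLowerCase().replace(/[^a-z0-9\s]/g, " ").split(/\s+/).filter(Boolean);
}

// 32-bit FNV-1a over the joined n-gram. A collision only makes the gate stricter
// (a spurious hit), never weaker.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

function ngramHashes(text, n = N) {
  const toks = tokenize(text);
  const out = new Set();
  for (let i = 0; i + n <= toks.length; i++) out.add(fnv1a(toks.slice(i, i + n).join(" ")));
  return out;
}

// Build the index once per eval set: n-gram hash -> id of the first eval item containing it.
function buildEvalIndex(evalItems) {
  const index = new Map();
  for (const item of evalItems) {
    for (const h of ngramHashes(`${item.prompt} ${item.completion}`)) {
      if (!index.has(h)) index.set(h, item.id);
    }
  }
  return index;
}

// Score one training record: the worst overlap fraction against any single eval item.
function checkRecord(record, index) {
  const hashes = ngramHashes(`${record.prompt} ${record.completion}`);
  if (hashes.size === 0) return { ok: true, overlap: 0, evalId: null };
  const hits = new Map();
  for (const h of hashes) {
    const id = index.get(h);
    if (id !== undefined) hits.set(id, (hits.get(id) ?? 0) + 1);
  }
  let worstId = null, worst = 0;
  for (const [id, c] of hits) if (c > worst) { worst = c; worstId = id; }
  const overlap = worst / hashes.size;
  return { ok: overlap < THRESHOLD, overlap, evalId: worstId };
}

// Gate a whole export: records that pass, and rejects with the eval item they leak.
function g3Gate(trainingRecords, evalItems) {
  const index = buildEvalIndex(evalItems);
  const passed = [], rejected = [];
  for (const r of trainingRecords) {
    const res = checkRecord(r, index);
    if (res.ok) passed.push(r); else rejected.push({ record: r, ...res });
  }
  return { passed, rejected };
}

// Constructed sample data for the demo (not real eval or rollout content).
const SAMPLE_EVAL = [
  { id: "eval-1",
    prompt: "Write a function that returns the sum of all even numbers in a list of integers",
    completion: "def sum_even(xs): return sum(x for x in xs if x % 2 == 0)" },
];
const SAMPLE_TRAIN = [
  // A rollout that reproduces the eval item with only cosmetic changes: must be rejected.
  { prompt: "Write a function that returns the sum of all even numbers in a list of integers.",
    completion: "def sum_even(xs):\n    return sum(x for x in xs if x % 2 == 0)" },
  // Unrelated task: passes.
  { prompt: "Parse an ISO 8601 date string and return the weekday name",
    completion: "from datetime import date\ndef weekday(s): return date.fromisoformat(s).strftime('%A')" },
];
```

Wire `g3Gate` into the CI step that produces a training batch and fail the job when `rejected` is non-empty, logging the `evalId` so the leaking rollout can be traced back to its session. Keeping `SAMPLE_EVAL` and the training records in separate inputs mirrors the "eval-items JSONL stored separately" item: the gate is only meaningful if the eval set it indexes is the one that was kept out of the rollout store.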
Guardrails (if used)
- [ ] `classifierGuardrail` wired with `onError: "closed"` — failing closed on classifier errors means the agent is blocked if the safety classifier is unavailable. Appropriate for high-privilege sessions.
- [ ] `intentAlignmentGuardrail` applied to high-privilege tools — wrap tools that can delete files, execute shell commands, or make external API calls.
- [ ] `redactPostHook` applied to tool outputs — strip API key patterns and PII before tool results enter the agent's context window and before they are persisted to the `EventLog`.
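The `redactPostHook` item describes a transform applied to tool output before it reaches the model or the `EventLog`. The following is an added example of such a hook, not WasmAgent's `redactPostHook`: the pattern list, the `[REDACTED:<name>]` markers and the `redactToolOutput` name are assumptions, and the sample output at the end of the test is constructed. It returns per-pattern counts alongside the scrubbed text so that the redaction event itself can be logged without ever logging a matched value; card numbers are confirmed with a Luhn check so that ordinary 13-digit identifiers are left alone.

```javascript
// Added example, not WasmAgent's own code. Scrubs secret-looking strings and PII
// from a tool result before it enters the context window or the EventLog.
// Patterns, marker format and the function name are assumptions; extend the
// list with the secrets your own tools can actually leak.

const PATTERNS = [
  // Well-known prefixed key formats.
  { name: "aws_access_key", re: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: "github_token",   re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { name: "openai_key",     re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { name: "slack_token",    re: /\bxox[abpr]-[A-Za-z0-9-]{10,}\b/g },
  { name: "private_key",    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  // Generic "NAME_KEY=value" / "password: value" assignments: keep the name, drop the value.
  { name: "assigned_secret",
    re: /((?:[A-Za-z_]*(?:key|secret|password|passwd|token))\s*[=:]\s*["']?)([^\s"']{8,})/gi, keep: 1 },
  // Authorization headers echoed back by tools.
  { name: "bearer", re: /\b(Bearer\s+)([A-Za-z0-9._~+/-]{16,}=*)/g, keep: 1 },
  // PII.
  { name: "email", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { name: "ssn",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  // 13-16 digit runs are only treated as card numbers if they pass Luhn.
  { name: "card",  re: /\b(?:\d[ -]?){13,16}\b/g, validate: luhn },
];

function luhn(s) {
  const digits = s.replace(/\D/g, "");
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = +digits[i];
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Returns the scrubbed text plus a count per pattern. Only the counts should be
// logged; the matched values must not leave this function.
function redactToolOutput(text) {
  const counts = {};
  let out = text;
  for (const p of PATTERNS) {
    out = out.replace(p.re, (match, ...groups) => {
      if (match.includes("[REDACTED:")) return match;          // already scrubbed by an earlier pattern
      if (p.validate && !p.validate(match)) return match;      // e.g. fails Luhn
      counts[p.name] = (counts[p.name] ?? 0) + 1;
      const prefix = p.keep ? groups[p.keep - 1] : "";
      return `${prefix}[REDACTED:${p.name}]`;
    });
  }
  return { text: out, counts };
}
```

Apply `redactToolOutput` to the result of every tool call before it is appended to the conversation and before the event carrying it is written to KV; redacting only at persistence time still lets the secret influence the model's next action. The specific formats run before the generic assignment pattern so that a value is attributed to the most precise rule and counted once.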
Pre-launch verification
Run the following before directing production traffic to a new deployment:
```bash
# CLIENT_TOKEN is assumed to be exported in your shell with the value of the
# Workers secret; authenticated requests are needed so that it is the nonce or
# session check, not the token check, that produces the rejection.

# 1. Confirm WASM kernel is in use (not JsKernel)
wrangler tail --format=json | grep '"kernel_type"'

# 2. Confirm session isolation: write in session A, attempt read in session B
# (See pilot-script.md Scenario 2 for the full test procedure)

# 3. Confirm capability deny: attempt to read /etc/passwd
# (See pilot-script.md Scenario 1 for the full test procedure)

# 4. Confirm build-result nonce: POST /build-result without a nonce
curl -s -o /dev/null -w '%{http_code}\n' -X POST https://your-worker.example.com/build-result \
  -H "Authorization: Bearer $CLIENT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"jobId":"fake","status":"success"}'
# Expected: 403 (Forbidden)

# 5. Confirm rollout export auth: GET /rollouts/export without a session ID
curl -s -o /dev/null -w '%{http_code}\n' \
  -H "Authorization: Bearer $CLIENT_TOKEN" \
  https://your-worker.example.com/rollouts/export
# Expected: 400 (Bad Request, missing X-Session-Id)
```

See also: pilot-script.md for the 30-minute enterprise pilot procedure that produces evidence artifacts for each of these controls.