add cf-o11y worker

.github/workflows/deploy-o11y.yml

@@ -0,0 +1,50 @@
+name: Deploy O11y
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Choose an environment to deploy to: dev or prod'
+        required: true
+        default: 'prod'
+        type: choice
+        options:
+          - dev
+          - prod
+  workflow_call:
+    inputs:
+      environment:
+        description: 'Choose an environment to deploy to: dev or prod'
+        required: false
+        default: 'prod'
+        type: string
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Deploy O11y
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: latest
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Install dependencies
+        working-directory: cloudflare-o11y
+        run: pnpm install --frozen-lockfile
+
+      - name: Deploy to Cloudflare Workers
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          workingDirectory: cloudflare-o11y
+          command: ${{ inputs.environment == 'dev' && 'deploy --env dev' || 'deploy' }}

.github/workflows/deploy-production.yml

@@ -158,6 +158,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
 
       - name: Check for cloud-agent changes
         uses: dorny/paths-filter@v3
@@ -180,6 +182,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
 
       - name: Check for session-ingest changes
         uses: dorny/paths-filter@v3
@@ -196,3 +200,29 @@ jobs:
     secrets: inherit
     with:
       environment: prod
+
+  check-o11y-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.changes.outputs.o11y }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Check for o11y changes
+        uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            o11y:
+              - 'cloudflare-o11y/**'
+
+  deploy-o11y:
+    needs: [check-o11y-changes]
+    if: needs.check-o11y-changes.outputs.changed == 'true'
+    uses: ./.github/workflows/deploy-o11y.yml
+    secrets: inherit
+    with:
+      environment: prod

cloudflare-o11y/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

cloudflare-o11y/.gitignore

@@ -0,0 +1,167 @@
+# Logs
+
+logs
+_.log
+npm-debug.log_
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# Runtime data
+
+pids
+_.pid
+_.seed
+\*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+
+lib-cov
+
+# Coverage directory used by tools like istanbul
+
+coverage
+\*.lcov
+
+# nyc test coverage
+
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+
+bower_components
+
+# node-waf configuration
+
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+
+build/Release
+
+# Dependency directories
+
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+
+web_modules/
+
+# TypeScript cache
+
+\*.tsbuildinfo
+
+# Optional npm cache directory
+
+.npm
+
+# Optional eslint cache
+
+.eslintcache
+
+# Optional stylelint cache
+
+.stylelintcache
+
+# Microbundle cache
+
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+
+.node_repl_history
+
+# Output of 'npm pack'
+
+\*.tgz
+
+# Yarn Integrity file
+
+.yarn-integrity
+
+# parcel-bundler cache (https://parceljs.org/)
+
+.cache
+.parcel-cache
+
+# Next.js build output
+
+.next
+out
+
+# Nuxt.js build / generate output
+
+.nuxt
+dist
+
+# Gatsby files
+
+.cache/
+
+# Comment in the public line in if your project uses Gatsby and not Next.js
+
+# https://nextjs.org/blog/next-9-1#public-directory-support
+
+# public
+
+# vuepress build output
+
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+
+.temp
+.cache
+
+# Docusaurus cache and generated files
+
+.docusaurus
+
+# Serverless directories
+
+.serverless/
+
+# FuseBox cache
+
+.fusebox/
+
+# DynamoDB Local files
+
+.dynamodb/
+
+# TernJS port file
+
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+
+.vscode-test
+
+# yarn v2
+
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.\*
+
+# wrangler project
+
+.dev.vars*
+!.dev.vars.example
+.env*
+!.env.example
+.wrangler/

cloudflare-o11y/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}

cloudflare-o11y/.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+	"files.associations": {
+		"wrangler.json": "jsonc"
+	}
+}

cloudflare-o11y/package.json

@@ -0,0 +1,24 @@
+{
+	"name": "cloudflare-o11y",
+	"version": "0.0.0",
+	"private": true,
+	"scripts": {
+		"deploy": "wrangler deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"test": "vitest",
+		"cf-typegen": "wrangler types"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "^0.12.4",
+		"@types/node": "^25.1.0",
+		"typescript": "^5.5.2",
+		"vitest": "~3.2.0",
+		"wrangler": "^4.61.1"
+	},
+	"dependencies": {
+		"@hono/zod-validator": "^0.7.6",
+		"hono": "^4.11.7",
+		"zod": "^4.3.6"
+	}
+}

cloudflare-o11y/src/alerting/dedup.ts

@@ -0,0 +1,62 @@
+/**
+ * KV-based alert deduplication.
+ *
+ * Prevents the same alert from firing repeatedly by storing a cooldown
+ * marker in KV with a TTL. Higher-severity alerts suppress lower-severity
+ * ones for the same dimension.
+ */
+
+import type { AlertSeverity } from './slo-config';
+import { PAGE_COOLDOWN_SECONDS, TICKET_COOLDOWN_SECONDS } from './slo-config';
+
+function alertKey(severity: AlertSeverity, alertType: string, provider: string, model: string, clientName: string): string {
+	return `o11y:alert:${severity}:${alertType}:${provider}:${model}:${clientName}`;
+}
+
+function cooldownForSeverity(severity: AlertSeverity): number {
+	return severity === 'page' ? PAGE_COOLDOWN_SECONDS : TICKET_COOLDOWN_SECONDS;
+}
+
+/**
+ * Check whether an alert should be suppressed.
+ *
+ * Returns true if the alert should be suppressed (i.e. we already fired
+ * recently for this or a higher severity).
+ */
+export async function shouldSuppress(
+	kv: KVNamespace,
+	severity: AlertSeverity,
+	alertType: string,
+	provider: string,
+	model: string,
+	clientName: string,
+): Promise<boolean> {
+	const key = alertKey(severity, alertType, provider, model, clientName);
+	const existing = await kv.get(key);
+	if (existing) return true;
+
+	// If this is a ticket, also check if a page-level alert is active
+	// (page suppresses ticket for the same dimension).
+	if (severity === 'ticket') {
+		const pageKey = alertKey('page', alertType, provider, model, clientName);
+		const pageExisting = await kv.get(pageKey);
+		if (pageExisting) return true;
+	}
+
+	return false;
+}
+
+/**
+ * Record that an alert was fired, setting the cooldown TTL.
+ */
+export async function recordAlertFired(
+	kv: KVNamespace,
+	severity: AlertSeverity,
+	alertType: string,
+	provider: string,
+	model: string,
+	clientName: string,
+): Promise<void> {
+	const key = alertKey(severity, alertType, provider, model, clientName);
+	await kv.put(key, new Date().toISOString(), { expirationTtl: cooldownForSeverity(severity) });
+}