Skip to main contentSkip to data table
Pharos
Pharos

Worker and API Limits

Operational limits for the Pharos Worker and API: cron budgets, fetch connection caps, polling intervals, cache behavior, and guardrail checks.

Reference for limits we can verify from repo code and checked-in config.

This document intentionally focuses on:

  • limits enforced in code
  • budgets encoded in config
  • runtime assumptions the scheduler is explicitly designed around

It intentionally does not treat vendor pricing-plan quotas as source of truth. Cloudflare, CoinGecko, Alchemy, Etherscan, Anthropic, X, and similar providers can change those independently of this repo. Re-check official vendor docs or your live account dashboard before making spend-sensitive or capacity-sensitive changes.


Primary Sources

  • worker/wrangler.toml
  • shared/lib/cron-jobs.ts
  • worker/src/lib/rate-limit.ts
  • shared/lib/ops-limits.ts
  • worker/src/lib/api-keys.ts
  • worker/src/lib/circuit-breaker.ts
  • worker/src/handlers/http/gates.ts
  • worker/src/cron/sync-blacklist.ts
  • worker/src/cron/sync-mint-burn.ts
  • worker/src/cron/sync-live-reserves.ts
  • worker/src/cron/sync-live-reserves-config.ts
  • worker/src/lib/address-price-providers/index.ts
  • worker/src/lib/authoritative-price-sources/index.ts
  • worker/src/cron/sync-stablecoins/enrich-prices-cmc-pass.ts
  • worker/src/cron/sync-stablecoins/post-enrichment.ts
  • worker/src/cron/dex-discovery/orchestrator.ts
  • worker/src/cron/measured-execution/sync.ts
  • worker/src/cron/measured-execution/profiles.ts
  • worker/src/cron/sync-stablecoins/enrich-prices.ts
  • worker/src/cron/sync-fx-rates.ts
  • worker/src/cron/publish-report-card-cache.ts
  • worker/src/cron/daily-digest.ts
  • worker/src/cron/sync-yield-data.ts
  • worker/src/cron/sync-yield-supplemental.ts
  • worker/src/cron/fetch-tbill-rate.ts

Worker Runtime

ConstraintCurrent repo valueSourceNotes
Worker CPU budget per invocation30000 msworker/wrangler.tomlHard repo-configured CPU cap via [limits].cpu_ms. Telegram dispatch (C102) applies the fresh-send budget before formatting and check-telegram-load.ts models per-invocation estimatedCpuMs (format-count capped at the fresh budget); the harness fails if the 5,000-watcher burst exceeds 0.5×cpu_ms (15,000 ms).
Cron expressions / trigger slotsSource-owned; run the cron checksworker/wrangler.toml, shared/lib/cron-jobs.ts, shared/lib/scheduled-runner-registry.tsThe shared runner registry is the dispatch authority checked by npm run check:cron-sync; check:cron-connections also models budget-only scheduled surfaces with connectionGroup metadata. Failure-isolated reserve recovery remains independent of the interrupted invocation.
Status-tracked and budget-only jobsSource-owned; exposed by status and budget registriesshared/lib/cron-jobs.ts, shared/lib/scheduled-runner-registry.tsRuntime scheduling matches the shared status metadata expected by /api/status; budget-only work is modeled separately by the connection-budget registry.
API key default limiter120 requests / 60 seconds per keyshared/lib/ops-limits.ts, worker/src/lib/api-keys.tsNon-exempt /api/* requests require a valid X-API-Key; the no-key public exceptions are health, OG images, feedback, self-serve key request/verification, the Telegram webhook, and Telegram Mini App session/mutation endpoints authenticated by signed initData. The D1-backed api_key_rate_limit table enforces per-key quotas in the normal path, and per-key overrides live in api_keys.rate_limit_per_minute. Protected cacheable GET edge-cache hits can use a bounded isolate-local fast path only for recently verified non-self-serve keys; cold, unknown, self-serve, expired auth-cache, cache-miss, cache-bypass, and non-GET requests stay on the D1-backed path or fail closed. After repeated D1 limiter failures, protected cacheable GET routes open a 60-second isolate-local fallback circuit capped at the self-serve quota (30/min); cold or unknown keys still fail closed with 503 and Retry-After: 60. Last-used metadata writes are best-effort.
Self-serve API key policy30 requests / 60 seconds, 60 days expiryshared/lib/ops-limits.ts, worker/src/api/api-key-requests.tsEmail-verified key issuance through /api/; one active/pending self-serve key claim per normalized email.
API key revocation latency≤5 seconds for protected cacheable edge-cache hits; immediate on the D1-backed pathworker/src/lib/api-key-core.ts (API_KEY_AUTH_CACHE_TTL_MS)Normal API-key authentication consults D1 and fails closed if lookup storage is unavailable. A recently verified non-self-serve key can use the bounded fresh auth cache only on the narrow protected cacheable GET edge-cache-hit fast path, and the cache is not accepted as stale authentication material after lookup failures.
Feedback limiter3 submissions / 10 minutes per salted IP hashworker/src/api/feedback.ts, worker/src/lib/rate-limit.tsSeparate from the per-key limiter
Self-serve request limiter5/hour per salted IP hash, 3/day per private email hashshared/lib/ops-limits.ts, worker/src/api/api-key-requests.tsProtects POST /api/api-key-requests; dependency failures fail closed with 503 and Retry-After: 60.
Self-serve verification limiter20/10 minutes per salted IP hash, 5/10 minutes per token hashshared/lib/ops-limits.ts, worker/src/api/api-key-requests.tsProtects POST /api/api-key-requests/verify; issuance is also capped to one creation per salted IP hash per 24 hours.
Request attribution telemetry retention35 daysworker/src/lib/request-source-attribution.ts, functions/lib/request-attribution.tsTotal site-vs-external demand, worker-lane load, and per-key public-API load buckets in api_request_consumer_stats / site_data_request_stats / api_key_request_stats are pruned opportunistically. Worker route/source, Worker per-key, and Pages site-data counters use short isolate-local batching before D1 upsert. Set REQUEST_SOURCE_ATTRIBUTION_DISABLED=true on Worker and/or Pages to pause low-value route/source writes without disabling API-key auth, D1-backed rate limiting, or per-key public API load telemetry. Set API_KEY_REQUEST_ATTRIBUTION_DISABLED=true on the Worker only for keyed public-API spikes where per-key observability writes also need a D1 pressure relief valve; auth, rate limiting, and last-used metadata stay enabled.

Connection-budget operating assumption

Cloudflare currently limits each invocation to six simultaneous outbound requests that are still waiting for response headers. A request stops occupying that header-wait slot once headers arrive. Pharos deliberately uses a stricter trigger-wide six-connection model in its static scheduler budget so nested and chained fetch phases cannot accidentally overlap at the platform ceiling. See the Workers limits and the April 2026 connection-limit change.

The scheduler is structured around that conservative repo constraint:

  • heavy lanes get isolated trigger slots (sync-blacklist, sync-mint-burn, sync-mint-burn-extended, sync-dex-discovery, sync-dex-liquidity)
  • shared slots bundle only related work
  • the quarter-hourly handler sequences jobs instead of fanning them out blindly
  • npm run check:cron-connections fails any trigger at or above 6/6 and reports 5/6 triggers as headroom full
  • the connection check includes budget-only scheduled surfaces that do not create separate cron_runs rows: telegram-registration-reconciliation, telegram-digest-outbox-drain, and digest-trigger-poll

Treat any new fetch-heavy work added to an existing trigger slot as competing for the same trigger-wide outbound connection budget. A trigger at 5/6 must be treated as full for new fetch-heavy work unless the change also reduces existing peak usage or moves work to a different slot.

Current state: sync-dex-liquidity is intentionally modeled at 5/6 because its nested direct-API phase can reach that static peak while staying below both the platform header-wait ceiling and the repo budget. Treat the halfHourlyOffset DEX scoring trigger as full for new fetch-heavy work. Other formerly full slots were given headroom by reducing Telegram send batches to 4, running supplemental yield source families serially, and moving discovery-scan from the 08:05 daily lane to its own 08:10 trigger.

For sync-stablecoins, failed upstream responses must still be consumed or canceled before later passes start. That rule bounds unread bytes, completes transport cleanup, and keeps fetch phases deterministic; it is not a claim that an unread body still occupies Cloudflare's header-wait slot. The late fallback phase remains CoinMarketCap -> Jupiter -> DexScreener.

The same cleanup rule applies to Worker-side integration clients. Telegram delivery, X posting, and GitHub feedback submission should consume or cancel response bodies before returning so transports do not retain unread streams or unbounded response bytes.


Cron Budgeting

AreaCurrent repo budgetSourceNotes
DEX discovery overall deadline12 minutesworker/src/cron/dex-discovery/orchestrator.tsShared deadline for the discovery pass before persistence/cleanup tail work
DEX discovery per-coin budget25 secondsworker/src/cron/dex-discovery/orchestrator.tsPrevents one slow coin from consuming the whole staging lane
Live reserve sync outer deadline12 minutesworker/src/lib/cron-lease.tsExplicit wrapper budget for the serialized reserve loop before the rest of the 4-hourly slot
Live reserve sync internal run budget9 minutesworker/src/cron/sync-live-reserves-config.tsDefault cursoring budget; if the remaining budget drops below one adapter attempt, the untouched tail is marked deferred and resumed from cursor on the next run, leaving at least two minutes of wrapper headroom for D1 cleanup and cron logging. Optional finalization cleanup/history pruning is skipped when the D1 tail budget is already exhausted, and the skip is recorded in cron metadata.
Live reserve adapter I/O peak2 outbound operations per adapter attemptworker/src/cron/reserve-adapters/concurrency.ts, shared/lib/cron-jobs.tsCoin loop is serialized, but individual adapters can fan out internally; shared fetch/RPC helpers enforce the per-attempt limiter
Live reserve recovery poll / deadline5 minutes / 13 minutes; 2/6 connection peakworker/src/handlers/scheduled/reserve-recovery.ts, worker/src/lib/scheduled-recovery-checkpoint.ts, shared/lib/cron-jobs.tsWORKER_RESERVE_RECOVERY_MODE gates the isolated lane: off skips scans, shadow is read-only, reconcile prepares an exact successor without claiming, and recover claims/replays. Active child/recovery leases and queue-hash drift fail closed.
Yield publication overall deadline10 minutesworker/src/lib/cron-lease.tsDedicated hourly sync-yield-data timeout after moving off the half-hourly lane
Yield supplemental overall deadline12 minutesworker/src/lib/cron-lease.tsDedicated 4-hour sync-yield-supplemental timeout for optional protocol families
Telegram dispatch overall deadline14 minutes hard timeout; 4 minutes send-loop soft deadlineshared/lib/telegram-delivery-policy.ts, worker/src/lib/cron-timeouts.ts, worker/src/handlers/scheduled/context.tsDedicated five-minute Telegram lane timeout plus 30-second lease heartbeat; pending-drain and fresh-send loops stop starting Telegram batches near the four-minute mark, releasing pending claims or queueing the untouched fresh tail so slow Bot API runs yield the next trigger interval
Telegram authoritative target planning32 durable transitions per dispatch invocation; 100 statements per D1 transactionshared/lib/telegram-delivery-policy.ts, worker/src/cron/telegram-alert-target-plans/materialization.tsExisting due deliveries drain before subscriber capture and target planning. Page materialization packs complete idempotent plan units into bounded D1 transactions, avoiding a database round trip per subscriber while preserving atomic units and page-level reconciliation.
Telegram personalized recap planning90 due preferences/page, 10 pages (900 recipients), 500 Tape rows/page cap-plus-one, 90 min Tape freshness, 6 h pending TTLshared/lib/telegram-recap-policy.ts, worker/src/cron/telegram-recap-planner.tsD1-only deterministic planning with zero AI/external planning calls. Priority 100 keeps recap work below risk, legacy, and admin pending rows; incomplete Tape windows defer instead of silently truncating.
Telegram eventless dispatch fast path5-minute dispatch cadence with fan-out skipped on healthy no-change runsworker/src/cron/dispatch-telegram-alerts.ts, worker/src/cron/dispatch-telegram-queue-paths.tsQuiet runs still refresh snapshots and drain/clean due or expired pending rows, but skip subscriber fan-out, alert-job manifests, backoff reads, and fresh-send assembly when all alert families are unchanged and the safety source is healthy.
Telegram safety source stale threshold2 producer intervals (30 minutes)worker/src/lib/alert-safety-source-cache.ts, shared/lib/cron-jobs.tsSafety alerts remain suppressed until publish-report-card-cache republishes a fresh generation-valid source snapshot
Report-card full snapshot cache budget<= 1.5 MB stored; <= 1.1 MB compressed; <= 8 MB uncompressedworker/src/lib/report-cards-snapshot-cache.tsThe full public payload is checksum-verified gzip/base64 in D1 while the decoded V8 API contract remains unchanged. The stored ceiling leaves 500 KB of headroom below D1's 2,000,000-byte string/row limit; the new reader also accepts legacy plain envelopes during rolling deploys.
Telegram safety source serialized cache budget<= 1.5 MB for 401 report-card rows in testsworker/src/lib/__tests__/alert-safety-source-cache.test.tsThe optional safety explain payload is kept compact so cache["alert:safety-source-cache"] remains a single D1 cache row with operational headroom
Telegram registration reconciliation peak1 outbound Bot API call at a timeworker/src/lib/telegram-webhook-registration.ts, shared/lib/cron-jobs.tsRuns serially before dispatch-telegram-alerts when 15-minute cache markers expire; modeled as the budget-only telegram-registration-reconciliation entry in the same five-minute Telegram connection group and surfaced through /api/status.budgetOnlySurfaces.
Telegram digest outbox retry peak1 Bot API call at a time; up to 4 due editions per five-minute pollworker/src/lib/telegram-digest-outbox.ts, worker/src/handlers/scheduled/digest-trigger-poll.tsRuns serially on the existing */5 digest-trigger slot. Retryable HTTP failures retain the exact stored chunks and honor retry_after; ambiguous and permanent outcomes stop for operator review. Retained terminal backlog degrades budget-surface telemetry but does not repeatedly feed the Telegram provider circuit when no network attempt occurred.
Persisted cron metadata ceiling<64 KiB per cron_runs.metadata payloadworker/src/lib/cron-metadata-persistence.ts, worker/src/lib/cron-logger.tsGlobal compaction retains counts, bounded samples, and latest drill-down state while preventing large asset/config arrays from driving unbounded D1 growth.
GBP SONIA retained-fallback alert2 consecutive daily retained-fallback runs; 24 hours re-alert cooldownworker/src/cron/fetch-tbill-rate.tsThe first gbp-sonia-compounded-index-failed-retained run writes cache["fetch-tbill-rate:gbp-retained-fallback-streak"]; the second consecutive run sends the shared webhook alert and records a cron event. The 24-hour cooldown is keyed only to successful webhook delivery, so failed webhook attempts remain retryable. Fresh GBP market data resets the streak.
Telegram pulse heavy-section cadence15 minutesworker/src/api/telegram-pulse.ts, worker/src/lib/telegram-usage-analytics.tsCurrent aggregate pulse counts still refresh every 5 minutes. Top coins, lifecycle history/fallback, and Mini App daily counters reuse a rendered pulse section for up to 15 minutes; pending-delivery count can reuse the dispatch lane's pending-capacity snapshot.
Telegram load simulation targets500, 1,000, 5,000, 10,000 active watchersshared/lib/telegram-delivery-policy.ts, shared/lib/telegram-recap-policy.ts, scripts/ci/check-telegram-load.tsnpm run check:telegram-load estimates drain time, per-invocation estimatedCpuMs, and D1 operations for risk, admin, and personalized-recap scenarios. Recap scenarios enforce a 5,000-recipient target across all-due, risk burst, 429 storm, preset-heavy, global-scope, no-change, and stale-Tape cases, with aiCalls=0 and externalPlanningFetches=0; they also emit a non-enforced 10,000-recipient advisory. The recap planner uses a 900-recipient/5-minute-run page budget, a 6-hour pending TTL, and priority 100. The CPU dimension (C102) reads cpu_ms from worker/wrangler.toml and fails when required scenarios exceed 0.5×cpu_ms. scripts/lib/telegram-load-guard.mjs owns the reviewed dependency triggers for local and CI execution.
Telegram group admin membership cache5 minutes for cached denial/admin-list copy; mutating auth revalidates per webhookworker/src/lib/telegram-chat-member.ts, worker/src/api/telegram-webhook-auth.ts/subscribe, /unsubscribe, /set in group/supergroup chats use a fresh getChatMember lookup for mutation authorization and fail closed if Telegram cannot confirm admin status. Soft-launch warnings and denial copy can still use the cached getChatAdministrators list (telegram:chat-admins:<chat_id>). These calls happen on webhook ingress, not inside the dispatch cron lane.
Live reserve history retention90 daysworker/src/lib/live-reserves-store-write.tsreserve_composition_history and reserve_sync_attempt_history are pruned during reserve-sync cleanup
Redemption route-status producerD1-free/static plus live-reserve metadataworker/src/lib/redemption-backstop-route-status.ts, worker/src/cron/sync-redemption-backstops.tsv4 route status remains four-hour snapshot data. sync-redemption-backstops does not add outbound route-status feed fetches; route availability comes from existing live-reserve adapter metadata, reviewed static policy, and market-implied severe-depeg overlays.
Blacklist sync runtime budget10 minutesworker/src/cron/sync-blacklist.tsGuardrail below the 12-minute trigger wrapper timeout
Blacklist sync subrequest budget900worker/src/cron/sync-blacklist.ts, worker/src/lib/evm-logs.tsCovers explorer/RPC calls for a single run
Blacklist provider pacing/concurrency3 requests/second, 1 live requestworker/src/cron/sync-blacklist.ts, worker/src/lib/evm-logs.tsThe serial limiter's declared concurrency matches the live connection posture; throughput and live connections are reported separately in cron metadata
Blacklist RPC topic aggregationOne OR-topic eth_getLogs request per range when supportedworker/src/cron/blacklist/evm-source.ts, worker/src/lib/alchemy-logs.tsRequired topic0 signatures share one completeness frontier; explorer fallback remains per-topic where OR filters are unavailable
Blacklist Alchemy split cap64 provider calls per log scan, depth 8worker/src/lib/alchemy-logs.tsSplit traversal is sequential and also bounded by deadline and the shared 900-subrequest budget; hitting any cap returns incomplete coverage without advancing beyond proof
Blacklist Arbitrum scan window25,000,000 explorer/Alchemy-primary blocks; 250,000 fallback-RPC blocks per config/runworker/src/cron/blacklist/evm-source.tsEvery topic shares the minimum proven frontier; the stored cursor never exceeds the 15-minute safe head
Blacklist amount-recovery batch100 queued rows / passworker/src/cron/blacklist/amount-recovery.ts, worker/src/cron/blacklist/amount-repair-queue.tsPriority/retry state is durable; event and queue outcomes are paired in shared D1 batches and stay under the sync subrequest/runtime budget
Blacklist provider telemetry retention14 days; at most 4 x 120-character failure samples/config/runworker/src/cron/blacklist/provider-telemetry.tsRetains fetched/inserted rows, call count, split depth, safe frontier, and bounded diagnostics without allowing cron metadata or D1 rows to grow unbounded
Mint/burn global request budget200worker/src/cron/sync-mint-burn.tsShared per-run request ceiling
Mint/burn runtime self-budget9 minutes; 60 seconds minimum next-config windowworker/src/cron/mint-burn/run-configs.ts, worker/src/lib/alchemy-logs.tsGuardrail below the 10-minute cron wrapper timeout so the runner can stop before starting a config that would not leave enough persistence/logging tail room. Mint/burn eth_getLogs calls receive the same runtime deadline so a started config cannot continue log-scan recursion past the self-budget.
Mint/burn per-config budget (critical)60; 150 for bridge-aware critical configsworker/src/cron/sync-mint-burn.tsPrevents one hot config from consuming the full run while allowing bridge-aware high-volume configs enough tx-context headroom
Mint/burn tx-context batch size20 tx hashes/request; 3 concurrent batch requestsworker/src/lib/mint-burn-pipeline/classification.tsKeeps bridge-aware classification under the Worker connection pool and avoids one HTTP request per parsed USDC-style mint/burn transaction
Mint/burn per-config budget (extended)25worker/src/cron/sync-mint-burn.tsLower ceiling for long-tail backlog drain
Mint/burn max scan range50,000 blocksworker/src/cron/sync-mint-burn.tsKeeps per-request log scans bounded
Mint/burn timestamp resolution scopeNon-dust candidate logs onlyworker/src/cron/mint-burn/sync-config.tsDust-only blocks are excluded before eth_getBlockByNumber lookups so irrelevant logs cannot block sync-state advancement
Mint/burn SQL IN chunk size90 idsworker/src/cron/sync-mint-burn.tsCurrent safeguard for large batched SQL
Mint/burn event insert batch size50 statementsworker/src/lib/mint-burn-pipeline/persistence.tsEach insert binds 18 values; chunked to stay below D1 batch bind ceilings
Mint/burn extended attempt SLO2 due runs / 75 minutesworker/src/cron/mint-burn/run-state.tsThe next run resumes at the first capacity-deferred config; active provider deferrals are explicitly exempted until their recorded expiry
Stablecoin producer metadata ceiling<60 KiB before scheduler enrichment; <64 KiB persistedworker/src/cron/sync-stablecoins/metadata.ts, worker/src/lib/cron-metadata-persistence.tsThe stablecoin producer reserves 4 KiB for wrapper-owned lease, slot, invocation, and timeout metadata. Its size guard compacts diagnostics before that enrichment so top-level publication and active-price coverage survive unchanged into cron_runs; the global <64 KiB persistence guard remains the final fallback.

D1 overload retry posture

Cron persistence helpers retry transient D1 queue pressure through runWithOverloadRetry() in worker/src/lib/cron-lease.ts. Retried errors include D1 DB is overloaded, Requests queued for too long, D1 storage-operation reset timeouts (D1 DB storage operation exceeded timeout ...), and Cloudflare D1 internal-reference errors (D1_ERROR: internal error; reference = ...). Retry backoff is abort-aware, and batchExecute() can accept an AbortSignal so chunked persistence can stop before the next D1 batch after cron timeout or lease loss. Every status-tracked job in shared/lib/cron-jobs.ts must have an explicit CRON_TIMEOUT_MS ceiling; the scheduled-runner contract test fails when a new cron job would fall back implicitly. If a leased job ignores timeout or lease-loss aborts, runCronWithLease() records an abandoned failure and leaves the lease row to expire by TTL instead of releasing it while late writes may still be running. Long-job lease heartbeats renew every 30 seconds and abort controlled work after three consecutive renewal failures. The duration watchdog excludes stale-slot reconciled synthetic child rows from runtime averages, tracks repeated runBudgetTruncated metadata as real capacity pressure, and uses cron_slot_executions for the separate scheduled-slot abandonment signal. DEX-liquidity persistence writes candidate rows to a per-run table and validates the active generation before updating the public current table. Live reserve, redemption-backstop, cache-sentinel, and DEWS persistence paths should route bursty run-manifest writes, cleanup, prune, and chunked batch work through this helper or batchExecute() so one transient D1 queue spike does not fail a whole scheduled run.

D1 query budgeting

Public health/status diagnostics intentionally trade a few minutes of operator telemetry freshness for lower D1 pressure:

  • queryBlacklistGapMetrics() supports a core diagnostic mode that skips the amount-status and amount-source distribution scans when callers only need total/recoverable/recent gap counts for health scoring.
  • sync-blacklist materializes producer-owned blacklist gap snapshots into the existing D1 cache table only after every required config completes successfully in the run, no state CAS conflicts occur, and enough snapshot budget remains. Any skipped or incomplete config degrades the run and withholds publication. The snapshot timestamp is the oldest required config's successful-scan time, preventing a recent cron finish from masking a stale source cohort. It writes both full summary metrics and core health/status metrics from one live full query. /api/health, /api/status, and /api/blacklist-summary prefer those producer snapshots, then fall back to the short request cache and finally the live query if the producer row is missing or stale.
  • /api/blacklist-summary also has a producer-owned summary payload snapshot in the same D1 cache table. The handler preserves the public response shape, serves a fresh producer payload directly, serves a stale-but-present producer payload without rewriting the producer cache from public traffic, and falls back to live construction only when no valid snapshot has ever been written. Freshness headers are based on the producer snapshot timestamp, so stale-but-served fallback snapshots still emit the normal Warning header once they exceed the blacklist summary max age.
  • The short 5-minute D1 request cache remains only as a fallback pressure valve. It should not be treated as the freshness authority for blacklist health; producer materialization is the preferred source when present.
  • Cron health reads the latest 10 runs per tracked job through the existing (job, started_at DESC) index instead of applying a window function across the retained cron_runs table.
  • Tron blacklist amount recovery mirrors blacklist_current_balances through deterministic current-balance IDs and primary-key id IN (...) lookups instead of correlated LOWER() subqueries against the ledger table. The mirror is capped at 100 candidate events per pass and receives the same runtime budget as sync-blacklist.
  • DEWS producers maintain stress_signals_latest as a latest-row materialization for public stress-signal, Telegram dispatch, and DEWS smoothing reads. Readers merge latest rows over canonical stress_signals latest-history rows by stablecoin_id so missing, stale, unreadable, or partially written latest materialization cannot suppress fresher canonical history during rollout or D1 chunk failures. A missing dews:published-generation pointer is treated as first-run bootstrap and can use the unbounded latest-row fallback; corrupt or unreadable publication pointers return unavailable current rows instead of silently switching to an unbounded generation.
  • Migration 0144_worker_hot_query_indexes_and_stress_latest.sql adds chain/hour mint_burn_hourly, stablecoin/time yield, and depeg pagination/open-event indexes for the current hot query families. Keep matching SQL comments stable so D1 insights can attribute reads to source-owned query families.
  • D1 capacity samples are hourly and bounded. File-size states cross at 60%, 75%, and 90% of Cloudflare's 10 GB paid-plan ceiling. Exhaustion forecasts require at least three observations spanning 24 hours and never extrapolate a flat or shrinking trend. The scheduled status lane refreshes the control-plane observation; public health reads only the bounded cached assessment.
  • The five-minute Telegram lane reuses same-run pending-capacity and safety-source reads between dispatch, degradation watchdog, and pulse publication. Healthy no-change dispatch runs skip fan-out and fresh-send assembly while preserving pending drain, TTL cleanup, snapshot freshness, and watchdog-visible metadata.
  • Telegram registration reconciliation still keeps separate webhook, command, profile, and menu cache checks so each helper remains directly callable and testable. Coalesce those cache reads only with a helper that preserves the current standalone semantics and Bot API rate-limit backoff behavior.
  • Cron progress writes still go through the shared scheduled-runner logging path. There is no Telegram-specific progress-write opt-out today; add a generic, documented opt-out before reducing progress persistence for one lane.

When adding a new health/status loader, prefer a producer-cadence cache or an indexed top-N read over table-wide aggregates. Table scans are acceptable for low-frequency admin-only diagnostics, but not for public health probes, status self-checks, or same-origin browser polling.

Large cache-backed endpoints can opt into a response-ready companion cache when the producer has already validated the canonical payload. /api/stablecoins writes stablecoins:response-ready:v2 alongside the canonical stablecoins cache row after schema validation; the reader serves that raw body only when both rows share the same updated_at, then injects freshness metadata without reparsing the full payload. Companion rows are best-effort optimizations: read or write failures fall back to the canonical cache path and should not fail the producer. Endpoints with live transforms should not use this shortcut unless the companion body already includes those transforms.


Upstream Fetch Budgets

PathCurrent repo throttle / budgetSourceNotes
CoinGecko onchain discovery250 ms between requestsworker/src/lib/rate-limit.tsUsed by discovery crawlers
CoinGecko onchain crawl budget5 minutesworker/src/lib/rate-limit.tsPer-source crawl budget, not full-run deadline
CoinGecko backfill throttle200 ms between requestsworker/src/lib/rate-limit.tsUsed by CoinGecko backfill/admin flows
GeckoTerminal crawl throttle2000 ms between requestsworker/src/lib/rate-limit.tsConservative crawl pacing
GeckoTerminal crawl budget3 minutesworker/src/lib/rate-limit.tsPer-source crawl budget
GeckoTerminal probe budget90 seconds max per sync-stablecoins run; dynamically clipped to preserve a 90 seconds sync tailworker/src/lib/constants.ts, worker/src/cron/sync-stablecoins/stages.tsPrevents the serialized soft-source cross-check from consuming the full 8-minute stablecoin sync timeout
Protocol-redeem live override stage10 s total budget; grouped circuit for most external live RPC-backed providers, with dedicated Kava, JUSD, USX, AZND, and Mento circuitsworker/src/lib/authoritative-price-sources/index.tsMissing-price candidates run before already-priced candidates and provider families are interleaved within each partition. Missing-only thin routes are excluded when a usable incumbent exists. Local par and inherited tracked-base overrides are cache/local decisions; circuit-open RPC providers fail closed.
Kava USDX oracle adapter4 sequential requests, 2.2 s timeout/request, 0 retries, 256 KiB max response/request; inside the shared 10 s live-override budgetworker/src/lib/authoritative-price-sources/kava-pricefeed.tsReads head, market, aggregate, and raw-oracle state serially. Wrong chain/market/oracle identity, a head older than 2 minutes, insufficient oracle expiry, or excessive dispersion fails closed.
Reviewed exact price routesInside the shared 10 s live-override budget; adapter-specific bounded RPC calls and executable notionalsworker/src/lib/authoritative-price-sources/sAID, PHPm, USX, AZND, and JUSD pin exact contracts/tokens and reject stale state, identity drift, missing trusted parents, insufficient capacity/depth, route-specific impact/divergence failures, failed public redemption, or RPC failure. AZND calls stay serial to preserve connection headroom.
Reviewed Balancer USP route3 sequential hosted Balancer API requests: exact pool state, one pool-constrained 1 USP reference quote, and one pool-constrained 1,000 USP bounded quote; inside the direct Balancer provider budgetworker/src/cron/dex-liquidity/fetch-balancer.tsRequires the exact USP -> waEthUSDC -> USDC buffer path, at least $50,000 pool TVL, bounded output no greater than 5% of TVL, calculated reference-to-bounded impact no greater than 2%, and reported impact no greater than 2% when numeric. Generic balanceUSD par is suppressed; this is not direct same-block Vault verification.
DexScreener discovery fallback budget2 minutes shared fallback windowworker/src/lib/rate-limit.tsShared with other late-stage discovery fallbacks
Jupiter price fallback50 ids/request, 5 s timeout/request, 0 retries; up to 25 low-depth primary augmentation targets/run; at most 3 sequential 3 s slot-RPC probes/passworker/src/cron/sync-stablecoins/enrich-prices-jupiter-pass.tsSolana-only enrichment pass between CMC and DexScreener; can append agreeing Jupiter evidence to low-depth primary prices and fails closed when every bounded slot reference is unavailable
DexScreener price-enrichment pass10 total requests, 5 s timeout/request, 45 s total budget, 0 retriesworker/src/cron/sync-stablecoins/enrich-prices-dexscreener-pass.tsBest-effort final fallback for missing prices through exact token-address lookups; symbol search is retired
Address-price augmentation group90 s total budget, 5 s timeout/request, 0 retriesworker/src/lib/address-price-providers/index.tsOptional group currently disabled in production Worker config for quarter-hour sync headroom. When enabled, it runs during primary pricing for assets with missing prices, observations expiring before the next generation, low-confidence prices, or previous source depth below 3. Durable target cursors rotate only inside missing, expiring, low-depth, and remaining-priced cohorts.
vaults.fyi supplemental yield13 estimated credits/run on the four-hour lane; 2,500 estimated credits/UTC monthworker/src/cron/yield-sync/vaults-fyi.tsGeneration-fences one reservation owner with compare-and-swap, finalizes only the matching owner, dynamically throttles to the sustainable remainder, and fails closed before paid requests when the monthly ledger is corrupt; no provider-authoritative usage counter is available on this path
Coinbase CEX ticker products1 product request in flight, 10 s timeout/request, 1 retryworker/src/lib/cex-tickers.tsKeeps the Coinbase thunk inside the sync-stablecoins primary-provider cap instead of multiplying the quarter-hourly trigger fanout
Secondary FX mirror race3 mirror requests in parallelworker/src/cron/sync-fx-rates-sources.ts, shared/lib/cron-jobs.tsjsDelivr @latest, direct Pages mirror, and date-pinned jsDelivr package race inside the sync-fx-rates max connection declaration
Chainlink FX/commodity overlay3 feed pipelines in parallelworker/src/lib/chainlink-feeds.ts, shared/lib/cron-jobs.tsKeeps the five-feed overlay inside the sync-fx-rates three-connection cron metadata while preserving bounded parallel recovery
DexScreener address augmentationopt-in; 1 request/run, 30 addresses/requestworker/src/lib/address-price-providers/dexscreener.tsExact /tokens/v1/{chain}/{addresses} lane; no symbol search; stops on hard upstream refusal
DexPaprika address augmentation60 token-detail requests/runworker/src/lib/address-price-providers/index.tsPublic exact token-detail lookup
CoinGecko Onchain address augmentation5 requests/run, 30 addresses/requestworker/src/lib/address-price-providers/index.tsKeyed exact onchain token lookup, separate from the serialized GeckoTerminal pool probe
Alchemy Prices address augmentation20 requests/run, 25 addresses/requestworker/src/lib/address-price-providers/index.tsOptional keyed lookup, grouped by Alchemy network id
Moralis address augmentation3 requests/run, 100 addresses/requestworker/src/lib/address-price-providers/moralis.tsOptional keyed EVM batch lookup; capped below the free-plan 40k CU/day envelope for the 15-minute sync cadence
Birdeye address augmentation10 Solana requests/run, 1000 ms between requestsworker/src/lib/address-price-providers/index.tsOptional keyed Solana-only targeted gap lookup; known no-price payloads count as missing-quote, while 429 or provider-wide quota/compute-unit exhaustion stops the remaining request tail immediately
CoinMarketCap fallbackUp to 2 requests in an eligible hour: 1 category request plus 1 targeted request for at most 25 rotated unresolved slugs; 10 s timeout/request, 0 retriesworker/src/cron/sync-stablecoins/enrich-prices-cmc-pass.tsUsable returned category rows survive an unseen tail. Targeted quotes require exact identity, active status, freshness, positive volume, required supplied-contract agreement for known deployments, and peg validation. Verified targeted rows preserve their upstream timestamp through the one-hour cooldown; 429 still honors Retry-After.
DEX primary source JSON reads30 s per attempt through fetchJsonWithRetry()worker/src/cron/dex-liquidity/fetch-primary.tsDeFiLlama Yields, DeFiLlama Protocols, and Curve API body reads stay inside the request timeout; the defillama-protocols cache stores a compact slug/category snapshot for yield coverage audits, and raw Curve response trees are released once their derived lookup maps are built
Direct DEX API fetch phase1 protocol family at a time, 5 nested connection static peak within a provider, 90 s provider timeout wrapping 15 s per-request timeouts, deterministic page caps (50 default); Fluid ticker retries cap provider Retry-After sleeps at 5 s per retryworker/src/lib/provider-execution.ts, worker/src/cron/dex-liquidity/direct-api-policy.ts, worker/src/cron/dex-liquidity/direct-api-paginated.ts, protocol fetchers, shared/lib/cron-jobs.tsRuns inside the existing sync-dex-liquidity trigger through a provider execution context derived from the declared cron connection budget; each provider result is reduced to tracked pools plus compact raw counts and authoritative exact keys before the next family starts. check:cron-connections still treats the trigger as 5/6 and headroom-full because one provider can use the nested peak; page-cap errors include resume markers for large or drifting upstream responses
Measured DEX execution RPC lane3 chain lanes, one sequential RPC stream per chain; 800 actual JSON-RPC requests, 6,400 quote subcalls, and 8 minutes per run; quote batches start at 8 and halve adaptivelyworker/src/cron/measured-execution/sync.ts, worker/src/cron/measured-execution/profiles.ts, shared/lib/cron-jobs.tsRuns in the isolated 0,30 * * * * trigger. Every block/code/factory/quote request is clipped to the absolute producer deadline; the producer stops and records bounded failure reasons instead of opening more requests.
Shared retry JSON/text response body16 MiB default; configurable per request with maxResponseBytesworker/src/lib/fetch-retry.ts, worker/src/lib/response-body.tsfetchJsonWithRetry() and fetchTextWithRetry() reject declared or streamed overflow, cancel the body, and retry through the existing warning path; JSON is parsed only after a complete in-cap body. Raw fetchWithRetry() responses remain caller-owned and uncapped.
Generic circuit breakeropens after 3 consecutive failures, probes every 30 minutesworker/src/lib/circuit-breaker.tsUsed to stop hammering degraded upstreams

JSON/text fetch callers that need per-request timeout coverage across body consumption should use fetchJsonWithRetry() or fetchTextWithRetry() rather than calling fetchWithRetry() and then consuming the returned Response separately. Provider execution wrappers (providerJson() and providerTextBounded()) keep their provider timeout active through body reads and record body-read timeouts as provider failures.

What this means operationally

  • sync-dex-liquidity no longer owns discovery. It consumes staged output written by sync-dex-discovery.
  • sync-cl-exit-depth consumes the previously published retained-pool target generation and atomically publishes the next measured-quote generation. The 10,40 scoring run only joins a fresh published generation and then publishes the next target inventory, so a torn or same-run self-join cannot activate partial evidence.
  • sync-dex-discovery is deliberately best-effort. Short per-source request timeouts and the 12-minute shared budget are there to force a partial degraded result before the platform can hard-kill the invocation. Lower-priority tier-2/tier-3 candidates are deterministically sharded across their cadence windows so one modulo run does not inherit the entire tier queue at once.
  • Missing-price fallback is intentionally time-bounded so a bad upstream day cannot consume the whole sync-stablecoins slot.
  • Replay-safe price continuity has a hard six-hour ceiling and also obeys any shorter per-source maxTrustedAgeSec. Low/fallback or non-replay-safe sources are never eligible. The separate verified-CMC provider cache is limited to the original quote's one-hour age, preserves its upstream timestamp, stays fallback confidence, and revalidates identity and peg bounds on reuse.
  • activePriceCoverage is independent from cron execution and cache publication. A missing active price degrades public health while the valid remainder of the stablecoins payload stays available and a successfully published cron run remains ok. Two consecutive published missing generations trigger an asset-attributable webhook alert; only successful delivery starts the 24-hour per-asset cooldown.
  • Exact adapters are fail-closed availability paths. A stale head, RPC/provider outage, identity drift, missing parent, depleted bridge, insufficient pool depth, or excessive quote impact produces no price; operators must not compensate by increasing replay age or substituting nominal parity.
  • Any new provider added to discovery or price enrichment should come with both a throttle and a hard stop budget.

Request Timeouts Worth Preserving

AreaCurrent timeoutSource
CoinMarketCap price fallback10_000 msworker/src/cron/sync-stablecoins/enrich-prices-cmc-pass.ts
Jupiter price fallback5_000 msworker/src/cron/sync-stablecoins/enrich-prices-jupiter-pass.ts
DexScreener price fallback requestsup to 5_000 ms per requestworker/src/cron/sync-stablecoins/enrich-prices-dexscreener-pass.ts
Direct DEX API requests15_000 ms per requestworker/src/cron/dex-liquidity/direct-api-policy.ts
Measured DEX execution RPC requestsup to 15_000 ms, further clipped to the run's absolute 8 minute deadlineworker/src/cron/measured-execution/sync.ts, worker/src/cron/measured-execution/profiles.ts
Ops admin proxy reads20_000 ms for /api/status and /api/status-history; 45_000 ms for /api/audit-depeg-historyshared/lib/api-endpoints/definitions.ts (opsProxyTimeoutMs)
Live reserve adapter attempt20_000 msworker/src/cron/sync-live-reserves-config.ts
Live reserve D1 finalize timeout30_000 msworker/src/cron/sync-live-reserves-config.ts
Public dataset snapshot outer deadline10 * 60_000 msworker/src/lib/public-dataset-snapshot-budget.ts, worker/src/lib/cron-lease.ts
Blacklist explorer / RPC reads15_000 msworker/src/lib/fetch-retry.ts (default timeout)
Daily digest LLM call (outer)12 * 60_000 msworker/src/lib/constants.ts
Daily digest per-attempt fetch11 * 60_000 msworker/src/cron/digest/platform.ts (DIGEST_FETCH_PER_ATTEMPT_TIMEOUT_MS)

Live reserve timeout values are resolved through LiveReserveSyncBudgetConfig. Production uses the checked-in defaults above; tests and operational wrappers can inject smaller or larger positive finite values to validate deferred-tail and D1-finalize behavior without changing cron code.

/api/audit-depeg-history is also hard-capped at 25 items per request (limit default and max) so the CoinGecko-backed admin audit stays page-sized over the Pages proxy.


Anthropic / Digest Runtime

Current digest generation constraints that are actually encoded in repo code:

  • model: claude-opus-4-7
  • thinking: adaptive (thinking.type = "adaptive")
  • reasoning effort: xhigh (output_config.effort = "xhigh") — dropped from max on 2026-04-18 after runaway-thinking exhausted max_tokens twice (stopReason=max_tokens with only a signature_delta at both 16k and 32k). max has no constraint on thinking depth on Opus 4.7; xhigh is Anthropic's recommended level for complex editorial work and Claude Code's own default.
  • Anthropic outer timeout: 12 * 60_000 ms (12 min), bound by AbortSignal.timeout(ANTHROPIC_TIMEOUT_MS) in platform.ts
  • per-attempt fetch timeout: 11 * 60_000 ms (11 min), local to requestDigestCopy; safety net so a single stalled attempt cannot consume the outer budget
  • retry depth for the digest Anthropic call: 2 (max 3 attempts); the outer AbortSignal caps total wall time regardless
  • corrective retry skip: if first-pass elapsed >= 50% of the outer budget (6 min), the in-process retry after quality failures is skipped; the parse is accepted with qualityIssues flagged degraded
  • daily cron lease (wrapper timeout): 14 * 60_000 ms (14 min), leaves ~2 min under Cloudflare's 15-min scheduled-event ceiling for D1 persistence, Twitter/Telegram delivery, and cron_runs logging.
  • daily-digest heartbeat override: heartbeatSec = 30, maxRenewFailures = 3 (see worker/src/handlers/scheduled/context.ts — default policy unchanged for other jobs)
  • weekly cron lease: 12 * 60_000 ms (12 min)
  • max_tokens: 64000 daily, 64000 weekly — Anthropic's documented floor for Opus 4.7 at xhigh/max effort with adaptive thinking. Earlier settings of 16k → 32k at effort: "max" both hit stop_reason=max_tokens with no text emitted; the root-cause fix on 2026-04-18 lowered effort to xhigh and raised the ceiling to 64k in one change.
  • cadence: daily scheduled run plus deferred manual admin trigger (see "Manual trigger runtime model" below)
  • cost envelope (approximate, assuming single-attempt runs): Opus 4.7 input ~$5/Mtok, output ~$25/Mtok. Daily worst-case at 64k tokens ≈ $4.80; weekly worst-case at 64k ≈ $4.80. Annualized ≈ $2000 at cap. Actual usage is typically much lower since most runs don't approach the cap; the ceiling exists to survive adaptive-thinking-heavy runs. The current worker does not persist token-usage telemetry in digest:last-trigger-result or cron_runs; use provider-side Anthropic usage logs for exact spend.

Manual trigger runtime model

POST /api/trigger-digest does not execute the digest synchronously. It writes a digest:force-run-request flag into the cache D1 table and returns 202. A dedicated */5 * * * * cron slot (digestTriggerPoll) reads the flag on its next tick and runs the digest under scheduled-event wall-clock (15 min). Outcome is persisted to digest:last-trigger-result for D1 inspection and future ops-UI surfacing; the current admin panel still shows only the enqueue result from the browser session.

This two-step model exists because the repo treats long HTTP-triggered ctx.waitUntil() digest execution as unsafe on Cloudflare Workers. The external platform assumption is that HTTP request tail work can be canceled after a short post-response window, while scheduled events get the full scheduled-event wall-clock; an Opus 4.7 digest run takes 5–10 min, so enqueue + scheduled polling is the repo-verified safe path.

Source: worker/src/api/admin-actions.ts (enqueue-only HTTP handler), worker/src/handlers/scheduled/digest-trigger-poll.ts (polling consumer).

Source: worker/src/lib/constants.ts (Anthropic timeout/retries), worker/src/lib/cron-lease.ts (CRON_TIMEOUT_MS per-job lease budget), worker/src/cron/digest/platform.ts (model/thinking/effort, per-attempt timeout, corrective-retry skip), worker/src/cron/daily-digest.ts and worker/src/cron/weekly-recap.ts (max_tokens), worker/src/handlers/scheduled/context.ts (PER_JOB_LEASE_OPTIONS heartbeat override)

This doc deliberately does not restate Anthropic account-tier RPM / token-plan numbers because those are not repo-enforced.


Design Guidance

Before adding a worker feature that touches external services:

  1. Pick the trigger slot first. Shared slots are a capacity decision, not just a schedule decision.
  2. Add explicit throttle constants and an overall time budget before writing the fetch loop.
  3. Prefer chunked / batched writes and bounded SQL fan-out.
  4. Add or reuse a circuit breaker when the feature depends on a flaky upstream.
  5. Run npm run check:cron-connections and document the trigger-slot impact for any new outbound I/O.
  6. Update this doc only with limits the repo actually enforces or depends on architecturally.

If you need current provider-plan quotas, verify them outside the repo before relying on them.