Config Service

Layered KV config store with scope-based override. Built on Cloudflare Workers + KV.

Concept

Like git config's system → global → local layering:

• shared — team-wide config (e.g. CF_ACCOUNT_ID, AWS_REGION)
• personal — per-agent overrides (e.g. GITEA_TOKEN, GH_TOKEN)

Read: personal wins over shared. Write: must specify scope.

Auth

Each agent has a token. The service stores sha256(token) → agent_id mappings. Agents can read/write their own personal scope and read (but not write) the shared scope. Shared scope writes require an admin token.

API

GET    /config/:key          → returns personal value, fallback to shared
GET    /config?scope=shared  → list all shared keys
GET    /config?scope=personal → list all personal keys
PUT    /config/:key          → write to personal scope (default)
PUT    /config/:key?scope=shared → write to shared scope (admin only)
DELETE /config/:key          → delete from personal scope
DELETE /config/:key?scope=shared → delete from shared (admin only)
POST   /config/sync          → returns all resolved keys (personal over shared)

Auth header: Authorization: Bearer <token>

Storage Layout (KV)

auth:<sha256(token)>           → { "agent_id": "tuanzi", "role": "agent|admin" }
shared:<key>                   → { "value": "...", "updated_at": "..." }
personal:<agent_id>:<key>      → { "value": "...", "updated_at": "..." }

CLI

cfg get <KEY>                  # read (personal > shared)
cfg set <KEY> <VALUE>          # write to personal
cfg set --shared <KEY> <VALUE> # write to shared (admin)
cfg list                       # list all resolved
cfg list --scope shared        # list shared only
cfg sync                       # sync all to local cache
cfg delete <KEY>               # delete from personal