fix: cache CryptoKey, strip Cookie, /flush secret, PrettyPrint borders, SSE concurrency

workers/index.js:
- Cache imported CryptoKey by kid in module-scope Map so importKey() is
  only paid once per key rotation, not on every authenticated request
- Strip Cookie header before proxying to backend (Go server uses no session
  cookies; forwarding them leaks user session data to the origin)
- Set X-Backend-Token header from env.BACKEND_TOKEN when present so the
  backend can verify requests come from the Worker

backend/server.go:
- Check X-Backend-Token against BACKEND_TOKEN env var on POST /flush;
  returns 403 if the secret is configured and the header is absent/wrong,
  protecting the reset endpoint from direct Cloud Run access

backend/state.go:
- Fix PrettyPrint: all content rows were missing the trailing ║ border,
  producing an open-ended box. Introduce a row() helper that left-pads
  content to 62-char interior width and appends ║ for a properly closed
  rectangular display

deploy-podman.sh:
- Lower --concurrency from 1000 → 80; SSE connections are long-lived and
  each holds resources on a 1 CPU / 512Mi instance — 1000 was unreachable
  in practice and risked masking resource saturation

https://claude.ai/code/session_013cFiQZ1hnb4JrBj9DvDgip

Author: claude

backend/server.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/go-chi/chi/v5"
@@ -90,8 +91,18 @@ func (s *Server) handleState(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handleFlush(w http.ResponseWriter, r *http.Request) {
+	// Require a shared secret header when BACKEND_TOKEN is configured.
+	// The Cloudflare Worker sets X-Backend-Token on every proxied request so
+	// only traffic originating from the Worker is accepted; direct Cloud Run
+	// access without the secret returns 403.
+	if token := os.Getenv("BACKEND_TOKEN"); token != "" {
+		if r.Header.Get("X-Backend-Token") != token {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+	}
 	s.sim.resetInitialState()
-	w.WriteHeader(204)
+	w.WriteHeader(http.StatusNoContent)
 }
 
 func (s *Server) handleSSE(w http.ResponseWriter, r *http.Request) {

backend/state.go

@@ -35,17 +35,21 @@ func (s State) Validate() error {
 }
 
 func (s State) PrettyPrint() string {
+	const w = 62 // interior width (total line = 64: two ║ bookends + 62 chars)
+	row := func(content string) string {
+		return fmt.Sprintf("║%-*s║\n", w, content)
+	}
 	var sb strings.Builder
 	sb.WriteString("\n╔══════════════════════════════════════════════════════════════╗\n")
-	sb.WriteString(fmt.Sprintf("║  SOUL LATTICE v%s | %s\n", s.Version, s.Protocol))
+	sb.WriteString(row(fmt.Sprintf("  SOUL LATTICE v%s | %s", s.Version, s.Protocol)))
 	sb.WriteString("╠══════════════════════════════════════════════════════════════╣\n")
-	sb.WriteString(fmt.Sprintf("║  Breath               : %.4f λ\n", s.Breath))
-	sb.WriteString(fmt.Sprintf("║  Thermodynamic Yield  : %.3f η\n", s.ThermodynamicYield))
-	sb.WriteString(fmt.Sprintf("║  Coherence            : %.2f%% %s\n", s.CoherencePercent, s.colorCoherence()))
-	sb.WriteString(fmt.Sprintf("║  Surplus Tokens       : %d\n", s.SurplusTokens))
-	sb.WriteString(fmt.Sprintf("║  Token Velocity       : %.1f t/s\n", s.TokensGeneratedPerS))
-	sb.WriteString(fmt.Sprintf("║  GPU Utilization      : %.1f%%\n", s.GPUUtilization))
-	sb.WriteString(fmt.Sprintf("║  Uptime               : %s\n", s.formatUptime()))
+	sb.WriteString(row(fmt.Sprintf("  Breath               : %.4f λ", s.Breath)))
+	sb.WriteString(row(fmt.Sprintf("  Thermodynamic Yield  : %.3f η", s.ThermodynamicYield)))
+	sb.WriteString(row(fmt.Sprintf("  Coherence            : %.2f%% %s", s.CoherencePercent, s.colorCoherence())))
+	sb.WriteString(row(fmt.Sprintf("  Surplus Tokens       : %d", s.SurplusTokens)))
+	sb.WriteString(row(fmt.Sprintf("  Token Velocity       : %.1f t/s", s.TokensGeneratedPerS)))
+	sb.WriteString(row(fmt.Sprintf("  GPU Utilization      : %.1f%%", s.GPUUtilization)))
+	sb.WriteString(row(fmt.Sprintf("  Uptime               : %s", s.formatUptime())))
 	sb.WriteString("╚══════════════════════════════════════════════════════════════╝\n")
 	return sb.String()
 }

deploy-podman.sh

@@ -40,7 +40,7 @@ gcloud run deploy ${SERVICE_NAME} \
     --allow-unauthenticated \
     --memory 512Mi \
     --cpu 1 \
-    --concurrency 1000 \
+    --concurrency 80 \
     --max-instances 1 \
     --min-instances 1 \
     --execution-environment gen2 \

workers/index.js

@@ -88,6 +88,10 @@ let _jwksCache = null;
 let _jwksCacheAt = 0;
 const JWKS_TTL_MS = 10 * 60 * 1000; // 10 minutes
 
+// CryptoKey cache: kid → CryptoKey.  importKey() is relatively expensive;
+// caching avoids re-importing the same public key on every authenticated request.
+const _cryptoKeyCache = new Map();
+
 async function getJWKS() {
   const now = Date.now();
   if (_jwksCache && now - _jwksCacheAt < JWKS_TTL_MS) return _jwksCache;
@@ -138,12 +142,18 @@ async function validateJWT(request) {
     const jwk = jwks.keys.find(k => k.kid === header.kid);
     if (!jwk) throw new Error(`No JWKS key for kid=${header.kid}`);
 
-    // Cloudflare Access uses RS256 (RSASSA-PKCS1-v1_5 + SHA-256)
-    const cryptoKey = await crypto.subtle.importKey(
-      'jwk', jwk,
-      { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
-      false, ['verify'],
-    );
+    // Cloudflare Access uses RS256 (RSASSA-PKCS1-v1_5 + SHA-256).
+    // Cache the imported CryptoKey by kid so we pay the importKey cost only
+    // once per key rotation rather than on every authenticated request.
+    let cryptoKey = _cryptoKeyCache.get(header.kid);
+    if (!cryptoKey) {
+      cryptoKey = await crypto.subtle.importKey(
+        'jwk', jwk,
+        { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+        false, ['verify'],
+      );
+      _cryptoKeyCache.set(header.kid, cryptoKey);
+    }
 
     const message = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
     const valid = await crypto.subtle.verify(
@@ -194,10 +204,17 @@ async function proxyToBackend(request, url, env, userEmail) {
     headers.set('X-Forwarded-For', existing ? `${existing}, ${cf}` : cf);
   }
 
-  // Strip Cloudflare Access headers before forwarding to the origin
+  // Strip headers that must not reach the backend: Cloudflare Access tokens
+  // (already validated) and Cookie (the Go backend uses no session cookies;
+  // forwarding them would leak user session data to the origin unnecessarily).
   headers.delete('Cf-Access-Jwt-Assertion');
   headers.delete('Cf-Access-Client-Id');
   headers.delete('Cf-Access-Client-Secret');
+  headers.delete('Cookie');
+
+  // Forward the shared secret so the backend can verify requests originate
+  // from this Worker rather than direct Cloud Run access.
+  if (env.BACKEND_TOKEN) headers.set('X-Backend-Token', env.BACKEND_TOKEN);
 
   try {
     return await fetch(new Request(target, {