Module workers/sst-loader/worker

Cloudflare Worker responsible for loader delivery, session bootstrapping, and GTM container script proxying for the platform.

Role in the platform

• Serves the first-party loader script (/l/:loaderToken.js) that initializes client-side logic.
• Handles loader bootstrap (/boot) to resolve site, container, profile, and session state via Supabase.
• Proxies GTM container scripts (/c/:containerToken.js) while preserving preview/debug behavior.
• Exposes /mark-session-detection to record session-level adblock / ITP detection signals.

Request flow

• GET /l/:loaderToken.js
  • Returns a dynamically rendered loader JS template with environment-specific URLs injected.
• POST /boot
  • Validates loader + site
  • Resolves container, site, profile, and session
  • Persists loader session and cookies
  • Returns container metadata and cookie restoration instructions
• GET /c/:containerToken.js
  • Resolves Web GTM ID
  • Proxies gtm.js from Google with cache headers
• POST /mark-session-detection
  • Forwards session detection signals to a Supabase Edge Function

Security & trust boundaries

• Uses Supabase REST and RPC endpoints authenticated via:
  • SUPABASE_SERVICE_KEY
• Depends on:
  • SUPABASE_URL
  • optional SESSION_SALT for IP hashing

CORS & browser behavior

• Explicit CORS handling for /boot and /mark-session-detection
• Allows credentials and custom headers used by the loader

Error handling

• Returns 400 for malformed client payloads
• Returns 404 for unknown loaders, sites, or containers
• Supabase errors are logged and surfaced as generic responses

Observability

• Extensive console.log and console.warn statements for debugging bootstrap flow
• Session identifiers are generated server-side and returned to the client

Notes

• This Worker intentionally embeds a large JS template string; it is not executed server-side.
• No request routing occurs beyond explicit path matching.
• Designed for Cloudflare Workers runtime semantics.