Curated topic

sre

Posts tagged with sre

Cloudflare BlogApr 15, 2026

Introducing Agent Lee - a new interface to the Cloudflare stack

Why it matters: Agent Lee shifts cloud management from manual navigation to natural language intent. By using TypeScript code generation and secure proxying, it provides a blueprint for building autonomous agents that safely perform complex multi-step infrastructure tasks in production environments.

Agent Lee is an in-dashboard AI assistant that allows users to manage, troubleshoot, and configure Cloudflare resources using natural language.
The system uses 'Codemode' to convert Model Context Protocol (MCP) tools into TypeScript APIs, enabling LLMs to write and chain code for improved accuracy over standard tool calling.
Security is enforced through Durable Objects acting as credentialed proxies, classifying operations as read or write and requiring explicit user approval for any state changes.
The interface features generative UI, dynamically rendering interactive charts and visualizations based on real-time account data and traffic logs.
Built entirely on Cloudflare's public primitives like the Agents SDK and Workers AI, the tool serves 18,000 daily users and executes 250,000 tool calls per day.

#mlp #sre #security

Read original

Cloudflare BlogApr 15, 2026

Why it matters: This API enables seamless domain registration within automated pipelines and AI-driven development environments. By removing manual UI steps, engineers can programmatically provision infrastructure and identity directly from their code editors or CI/CD workflows.

Cloudflare launched the Registrar API in beta, enabling programmatic domain search, availability checking, and registration.
The API is optimized for agentic workflows, allowing AI agents in tools like Cursor or Claude Code to handle domain purchases via Cloudflare MCP.
A three-step machine-friendly process includes Search (cached results), Check (authoritative registry query), and Register (execution).
Registration defaults to account-level contact and payment info with WHOIS privacy protection enabled automatically at no extra cost.
The service maintains Cloudflare's at-cost pricing model with no markups, supporting both standard and premium TLDs.

#sre #mlp

Read original

Cloudflare BlogApr 14, 2026

Managed OAuth for Access: make internal apps agent-ready in one click

Why it matters: AI agents often fail at human-centric login redirects. Managed OAuth provides a standardized, secure way for agents to access protected internal data using user-scoped tokens rather than risky static credentials, ensuring auditability and fine-grained access control without refactoring code.

Cloudflare Access now supports managed OAuth to enable AI agents to authenticate with internal applications without manual intervention.
The system implements RFC 9728 for discovery and RFC 7591 for Dynamic Client Registration, allowing agents to identify authentication requirements automatically.
Agents use the PKCE (Proof Key for Code Exchange) flow to obtain a JWT, ensuring secure delegation of user permissions.
This approach replaces the need for static service tokens or service accounts, which often lead to 'confused deputy' security risks.
Managed OAuth maintains full auditability by attributing all agent actions to the specific human user who authorized the session.
The feature is designed to work with the Model Context Protocol (MCP) and requires no code changes to legacy internal applications.

#security #sre #mlp

Read original

Cloudflare BlogApr 14, 2026

Securing non-human identities: automated revocation, OAuth, and scoped permissions

Why it matters: As AI agents and automation scale, the risk of credential leaks grows. Automated token revocation and granular RBAC ensure non-human identities are secured throughout their lifecycle, preventing unauthorized access and reducing the blast radius of accidental exposures.

Cloudflare is introducing automated revocation for leaked API tokens through a partnership with GitHub's Secret Scanning program.
New API tokens now feature a distinct 'cf' prefix and a checksum to improve detection accuracy and reduce false positives for security scanners.
Cloudflare One customers can use DLP profiles to detect and block tokens across network traffic, email, and SaaS applications.
The platform is enhancing identity management by providing better visibility into OAuth principals and granular, resource-scoped RBAC policies.
These updates specifically target the risks associated with non-human identities, such as AI agents and automated scripts, in modern development workflows.

#security #sre

Read original

Salesforce EngineeringApr 13, 2026

Reducing Agentforce AI Debugging from Two Weeks to Same-Day with Query-Driven Observability

Why it matters: Traditional logs fail to capture the data context of AI responses. This query-driven approach allows engineers to inspect the exact document chunks and embeddings used in production, slashing debugging time from weeks to hours while maintaining strict data isolation.

Salesforce's Einstein Notebooking platform enables secure, production-grade AI debugging for Agentforce and Data 360 systems.
The system addresses the 'black box' nature of AI agents by providing visibility into ingestion, chunking, retrieval, and response generation.
Engineers use Spark-based workflows to query production indexes, including vector, keyword, and hybrid search results directly.
Query-driven observability allows for inspection of document chunks, embeddings, and session-level feedback within a unified notebook environment.
Tenant-scoped access patterns ensure strict data isolation and compliance while investigating real production scenarios.
The approach reduced investigation times from two weeks to a single day for over 60 Agentforce features and 400 million records.

#mlp #data #sre

Read original

Cloudflare BlogApr 13, 2026

Building a CLI for all of Cloudflare

Why it matters: Managing thousands of API endpoints manually is error-prone. Cloudflare's new schema-driven CLI ensures consistency across all products, providing a reliable interface for both humans and AI agents to automate infrastructure-as-code and local development workflows.

Cloudflare is rebuilding the Wrangler CLI to cover its entire API surface of over 3,000 operations across 100+ products.
A new TypeScript-based schema replaces manual updates, serving as a single source of truth for SDKs, CLI commands, and documentation.
The system standardizes command syntax and flags to improve ergonomics for both human developers and AI agents.
A technical preview is now available via the npx cf command, allowing early testing of the unified interface.
The architecture supports complex interactions, including local resource simulation and RPC-based Workers bindings.

#sre #dist

Read original

Cloudflare BlogApr 10, 2026

500 Tbps of capacity: 16 years of scaling our global network

Why it matters: This milestone demonstrates how massive-scale infrastructure can handle record-breaking DDoS attacks (31.4 Tbps) autonomously. It showcases the power of pushing security and compute to the edge using eBPF and XDP, allowing for high-performance, distributed application hosting.

Cloudflare reached 500 Tbps of external capacity across 330+ cities, supporting over 20% of the web.
Autonomous DDoS mitigation uses eBPF and XDP (l4drop) to drop malicious packets at line rate without human intervention.
The 'dosd' daemon samples traffic and broadcasts mitigation rules globally via Quicksilver, a distributed KV store.
Layer 4 load balancing is handled by Unimog, while flowtrackd provides stateful TCP inspection for enterprise traffic.
The network has evolved into a distributed developer platform (Workers) that now supports V8 isolates and edge containers.

#security #dist #sre

Read original

PlanetScale Tech BlogApr 10, 2026

Keeping a Postgres queue healthy

Why it matters: Using Postgres for queues is convenient but risky. High-churn tables generate dead tuples that can bloat indexes. If long-running transactions block autovacuum, I/O overhead can degrade the entire database's performance, potentially bringing down the application.

Postgres queues offer transactional consistency but are prone to performance degradation from high row churn.
MVCC creates dead tuples upon deletion, which persist in heap pages and indexes until vacuumed.
Accumulated dead tuples force index scans to traverse unnecessary entries, increasing I/O and latency.
Autovacuum efficiency is globally constrained; a single long-running transaction can block cleanup for all tables.
Implementing FOR UPDATE SKIP LOCKED enables high-concurrency job processing without worker interference.
Database health requires monitoring transaction age to prevent runaway bloat in transient tables.

#data #sre #dist

Read original

Salesforce EngineeringApr 9, 2026

Building a Distributed Persistent Queue That Scaled AI Workloads 5x Under LLM Rate Limits

Why it matters: Managing shared infrastructure limits is critical when scaling LLM applications. This architecture demonstrates how to balance high-volume autonomous agents with human-in-the-loop workflows, ensuring fairness and prioritizing high-value tasks without hitting rate-limit failures.

Engineered a distributed persistent queue to orchestrate AI and human workflows within strict LLM rate limits of 300 RPM.
Implemented a fair-share distribution mechanism using round-robin allocation to prevent any single agent or user from monopolizing capacity.
Developed a three-tier priority system (Replies, Intros, Nudges) to ensure high-value business interactions are dispatched first.
Utilized an adaptive backfill strategy to maintain 100% slot utilization by filling unused high-priority capacity with lower-priority tasks.
Achieved a 5x scale in AI workload throughput while maintaining system reliability and preventing gateway failures.

#dist #mlp #sre

Read original

Engineering at MetaApr 9, 2026

Escaping the Fork: How Meta Modernized WebRTC Across 50+ Use Cases

Why it matters: Meta's approach provides a blueprint for maintaining large open-source dependencies without getting stuck in permanent forks. By using dual-stack architectures and namespace mangling, they enabled safe upgrades and A/B testing for critical infrastructure serving billions of users.

Meta migrated from a divergent WebRTC fork to a modular architecture based on the latest upstream version to escape the 'forking trap'.
A dual-stack architecture with a shim layer was implemented to allow simultaneous execution and A/B testing of legacy and upstream versions.
To avoid C++ One Definition Rule (ODR) violations, Meta used automated namespace mangling to rename symbols in the secondary library copy.
The shim layer approach achieved an 87% reduction in binary size impact compared to duplicating higher-level orchestration libraries.
A 'Patch-First' workflow was established in the monorepo to automate the rebasing of internal optimizations onto new upstream releases.

#dist #mobile #sre

Read original

Page 3 of 23

Prev 1 2 3 4 5...23 Next