feat: APT/DNF Worker scaffolding (#498)

* feat: APT/DNF Worker scaffolding (#493)

Adds the implementation scaffolding for the Cloudflare Worker that
fronts the APT/DNF repo, per docs/worker-apt-plan.md.

New files:
  - worker/src/worker.js: redirects /pool/.../*.deb and /rpm/*/*.rpm
    to GitHub Release assets via 302; passes metadata through to
    the gh-pages origin
  - worker/wrangler.toml: bound to pkg-staging.claude-desktop-debian.dev
    initially; Phase 4a switches to pkg.claude-desktop-debian.dev
  - .github/workflows/deploy-worker.yml: deploys Worker on worker/**
    push, post-deploy probe verifies route bound + Worker responding
  - .github/workflows/apt-repo-heartbeat.yml: daily cron, deb+rpm
    matrix, walks ordered redirect chain + size match against Releases
    asset, opens format-specific tracking issue on failure (auto-close
    on recovery), gates on Worker liveness (skips silently before
    Phase 4a)

Modified:
  - .github/workflows/ci.yml: gated strip step + ordered-chain smoke
    test added to update-apt-repo and update-dnf-repo; the destructive
    strip only fires when the production Worker probe succeeds, so this
    PR can land before Phase 4a without affecting current behavior
  - docs/worker-apt-plan.md: bake in real domain values, mark Decisions
    table entries as concrete, fix Cloudflare API token permissions
    list (current names: Workers Scripts Edit, Account Settings Read,
    Workers Routes Edit; previous "Zone:Zone:Read" name no longer
    matches the dropdown)

Pre-Phase-4a behavior: the strip step's liveness probe targets the
production hostname which doesn't exist yet, so it always skips and
.debs/.rpms are pushed to gh-pages exactly as today. Smoke tests skip
on the same gate. Heartbeat workflow's gate skips before the Worker
is live. Nothing destructive happens until Phase 4a explicitly cuts
the Worker over to production.

Co-Authored-By: Claude <claude@anthropic.com>

* refactor: simplify worker scaffolding per cdd-code-simplifier review

- worker.js: use named capture group `asset` instead of opaque `m[1]`
  positional reference; inline single-use `tagFor()` helper; demote
  unused `arch` capture to non-capturing group.
- ci.yml: hoist `WORKER_DOMAIN` from per-step env to job-level env in
  both `update-apt-repo` and `update-dnf-repo` (matches the pattern
  already used in `apt-repo-heartbeat.yml`).
- apt-repo-heartbeat.yml: use github-script's native `context.serverUrl`
  / `context.runId` instead of reconstructing from process.env; spread
  `...context.repo` instead of repeating owner/repo on every API call;
  destructure `{ data: open }` to flatten `open.data` references.

All changes preserve behaviour. The contrarian-fix mechanisms (positive
Worker liveness probe gating the strip step, hop-by-hop ordered chain
walk in smoke tests) are unchanged. APT/DNF strip + smoke pairs remain
in-place per reviewer-readability preference.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aaddrick

.github/workflows/apt-repo-heartbeat.yml

@@ -0,0 +1,198 @@
+name: APT/DNF Repo Heartbeat
+
+# Walks the published .deb and .rpm URLs through the full
+# Pages 301 → Worker 302 → Releases 302 → CDN 200 chain daily,
+# asserts ordered hops, asserts size match against the Releases
+# asset, and opens a tracking issue (with a format-specific label)
+# on failure. Auto-closes the issue when the format recovers.
+#
+# Pre-Phase-4a: the gate step skips gracefully when the production
+# Worker isn't live yet. Once Phase 4a is done, the gate passes
+# and the full chain is exercised every day.
+
+on:
+  schedule:
+    - cron: '0 12 * * *'  # daily noon UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  ping:
+    strategy:
+      fail-fast: false
+      matrix:
+        format: [deb, rpm]
+    runs-on: ubuntu-latest
+    env:
+      WORKER_DOMAIN: pkg.claude-desktop-debian.dev
+      GH_TOKEN: ${{ github.token }}
+
+    steps:
+      - name: Skip if Worker not live yet
+        id: gate
+        run: |
+          if curl -fsI --max-time 10 \
+              "https://${WORKER_DOMAIN}/dists/stable/InRelease" >/dev/null; then
+            echo "live=true" >> "$GITHUB_OUTPUT"
+            echo "Worker live; running heartbeat."
+          else
+            echo "live=false" >> "$GITHUB_OUTPUT"
+            echo "Worker not live; heartbeat skipping (expected before Phase 4a)."
+          fi
+
+      - name: Resolve latest release for ${{ matrix.format }}
+        if: steps.gate.outputs.live == 'true'
+        id: latest
+        run: |
+          tag=$(gh release list --limit 1 --json tagName \
+                  --jq '.[0].tagName' \
+                  --repo aaddrick/claude-desktop-debian)
+          repoVer="${tag#v}"; repoVer="${repoVer%+claude*}"
+          claudeVer="${tag#*+claude}"
+          if [[ "${{ matrix.format }}" == "deb" ]]; then
+            asset="claude-desktop_${claudeVer}-${repoVer}_amd64.deb"
+            url="https://aaddrick.github.io/claude-desktop-debian/pool/main/c/claude-desktop/${asset}"
+          else
+            asset="claude-desktop-${claudeVer}-${repoVer}-1.x86_64.rpm"
+            url="https://aaddrick.github.io/claude-desktop-debian/rpm/x86_64/${asset}"
+          fi
+          {
+            echo "tag=${tag}"
+            echo "asset=${asset}"
+            echo "url=${url}"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Validate ordered chain + fetch + size match
+        if: steps.gate.outputs.live == 'true'
+        env:
+          ASSET: ${{ steps.latest.outputs.asset }}
+          URL: ${{ steps.latest.outputs.url }}
+          TAG: ${{ steps.latest.outputs.tag }}
+          FORMAT: ${{ matrix.format }}
+        run: |
+          set -euo pipefail
+
+          # Wait for propagation; fail after 5 min instead of cargo-cult sleep
+          deadline=$((SECONDS + 300))
+          until curl -fsI --max-time 10 "$URL" -o /dev/null; do
+            if [[ $SECONDS -gt $deadline ]]; then
+              echo "::error::Reachability timeout for ${URL}"
+              exit 1
+            fi
+            sleep 10
+          done
+
+          # Walk redirect chain hop-by-hop, asserting each hop's pattern in order
+          expected_hops=(
+            "https://${WORKER_DOMAIN}/"
+            "https://github\\.com/aaddrick/claude-desktop-debian/releases/download/"
+            "https://objects\\.githubusercontent\\.com/"
+          )
+          url="$URL"
+          for i in "${!expected_hops[@]}"; do
+            hop_status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
+            redirect_url=$(curl -s -o /dev/null -w '%{redirect_url}' "$url")
+            echo "Hop ${i}: ${hop_status} ${url} -> ${redirect_url}"
+            if [[ ! "$hop_status" =~ ^30[12]$ ]]; then
+              echo "::error::Hop ${i}: expected 301/302, got ${hop_status}"
+              exit 1
+            fi
+            if [[ ! "$redirect_url" =~ ^${expected_hops[$i]} ]]; then
+              echo "::error::Hop ${i} mismatch:"
+              echo "::error::  expected: ${expected_hops[$i]}"
+              echo "::error::  got:      ${redirect_url}"
+              exit 1
+            fi
+            url="$redirect_url"
+          done
+
+          # Fetch the asset and validate its format
+          curl -fsSL -o "/tmp/${ASSET}" "$URL"
+
+          if [[ "$FORMAT" == "deb" ]]; then
+            if ! file "/tmp/${ASSET}" | grep -q 'Debian binary package'; then
+              echo "::error::Fetched file is not a valid Debian package"
+              exit 1
+            fi
+          else
+            sudo apt-get update >/dev/null
+            sudo apt-get install -y rpm >/dev/null
+            if ! rpm -qpi "/tmp/${ASSET}" >/dev/null 2>&1; then
+              echo "::error::Fetched file is not a valid RPM"
+              exit 1
+            fi
+          fi
+
+          # Size match against the Releases asset
+          asset_size=$(gh release view "$TAG" \
+            --repo aaddrick/claude-desktop-debian \
+            --json assets \
+            --jq ".assets[] | select(.name == \"${ASSET}\") | .size")
+          local_size=$(stat -c %s "/tmp/${ASSET}")
+          if [[ "$asset_size" != "$local_size" ]]; then
+            echo "::error::Size mismatch: local ${local_size} vs Releases ${asset_size}"
+            exit 1
+          fi
+
+          echo "Heartbeat passed: chain validated, file matches Releases asset."
+
+      - name: Open or update failure issue
+        if: failure() && steps.gate.outputs.live == 'true'
+        uses: actions/github-script@v7
+        env:
+          FORMAT: ${{ matrix.format }}
+        with:
+          script: |
+            const fmt = process.env.FORMAT;
+            const label = `heartbeat-failure-${fmt}`;
+            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
+            const body = `Heartbeat failed for \`${fmt}\` at ${new Date().toISOString()}.\nRun: ${runUrl}`;
+            const { data: open } = await github.rest.issues.listForRepo({
+              ...context.repo,
+              labels: label,
+              state: 'open',
+            });
+            if (open.length === 0) {
+              await github.rest.issues.create({
+                ...context.repo,
+                title: `APT/DNF repo heartbeat failing (${fmt})`,
+                body,
+                labels: [label],
+              });
+            } else {
+              await github.rest.issues.createComment({
+                ...context.repo,
+                issue_number: open[0].number,
+                body,
+              });
+            }
+
+      - name: Auto-close failure issue on recovery
+        if: success() && steps.gate.outputs.live == 'true'
+        uses: actions/github-script@v7
+        env:
+          FORMAT: ${{ matrix.format }}
+        with:
+          script: |
+            const fmt = process.env.FORMAT;
+            const label = `heartbeat-failure-${fmt}`;
+            const { data: open } = await github.rest.issues.listForRepo({
+              ...context.repo,
+              labels: label,
+              state: 'open',
+            });
+            for (const issue of open) {
+              await github.rest.issues.createComment({
+                ...context.repo,
+                issue_number: issue.number,
+                body: `Heartbeat for \`${fmt}\` recovered at ${new Date().toISOString()}; auto-closing.`,
+              });
+              await github.rest.issues.update({
+                ...context.repo,
+                issue_number: issue.number,
+                state: 'closed',
+              });
+            }

.github/workflows/ci.yml

@@ -405,6 +405,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    env:
+      WORKER_DOMAIN: pkg.claude-desktop-debian.dev
 
     steps:
       - name: Checkout gh-pages branch
@@ -453,6 +455,24 @@ jobs:
             reprepro --section utils --priority optional includedeb stable "$deb"
           done
 
+      - name: Strip binaries from pool (gated on Worker liveness)
+        working-directory: apt-repo
+        run: |
+          # The Worker on WORKER_DOMAIN serves /pool/.../*.deb requests by
+          # 302-redirecting to GitHub Release assets. When it's live we strip
+          # binaries from the gh-pages tree (the metadata's Filename: field
+          # still references pool paths; the Worker intercepts).
+          # When the Worker isn't live (pre-Phase-4a, outage, misconfiguration)
+          # the strip is skipped to avoid serving 404s for binary fetches.
+          probe_url="https://${WORKER_DOMAIN}/dists/stable/InRelease"
+          if curl -fsI --max-time 10 "$probe_url" >/dev/null; then
+            echo "Worker live at ${WORKER_DOMAIN}; stripping binaries from pool"
+            find pool -type f -name '*.deb' -delete
+          else
+            echo "Worker not responding at ${WORKER_DOMAIN}; preserving .debs in pool"
+            echo "(expected before Phase 4a; after that, an error worth investigating)"
+          fi
+
       - name: Commit and push changes
         working-directory: apt-repo
         run: |
@@ -472,13 +492,75 @@ jobs:
             sleep "$wait_time"
           done
 
+      - name: Smoke test published deb (ordered chain + size)
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          if ! curl -fsI --max-time 10 \
+              "https://${WORKER_DOMAIN}/dists/stable/InRelease" >/dev/null; then
+            echo "Worker not live; skipping smoke test (expected before Phase 4a)"
+            exit 0
+          fi
+
+          # Parse versions from tag (e.g., v2.0.2+claude1.3883.0)
+          repoVer="${TAG#v}"; repoVer="${repoVer%+claude*}"
+          claudeVer="${TAG#*+claude}"
+          deb_name="claude-desktop_${claudeVer}-${repoVer}_amd64.deb"
+          deb_url="https://aaddrick.github.io/claude-desktop-debian/pool/main/c/claude-desktop/${deb_name}"
+
+          # Wait for propagation
+          deadline=$((SECONDS + 300))
+          until curl -fsI --max-time 10 "$deb_url" -o /dev/null; do
+            [[ $SECONDS -gt $deadline ]] \
+              && { echo "::error::Reachability timeout for ${deb_url}"; exit 1; }
+            sleep 10
+          done
+
+          # Walk redirect chain hop-by-hop
+          expected_hops=(
+            "https://${WORKER_DOMAIN}/"
+            "https://github\\.com/aaddrick/claude-desktop-debian/releases/download/v${repoVer}\\+claude${claudeVer}/"
+            "https://objects\\.githubusercontent\\.com/"
+          )
+          url="$deb_url"
+          for i in "${!expected_hops[@]}"; do
+            hop_status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
+            redirect_url=$(curl -s -o /dev/null -w '%{redirect_url}' "$url")
+            echo "Hop ${i}: ${hop_status} ${url} -> ${redirect_url}"
+            [[ "$hop_status" =~ ^30[12]$ ]] \
+              || { echo "::error::Hop ${i} expected 301/302, got ${hop_status}"; exit 1; }
+            [[ "$redirect_url" =~ ^${expected_hops[$i]} ]] \
+              || { echo "::error::Hop ${i} mismatch: expected ${expected_hops[$i]}, got ${redirect_url}"; exit 1; }
+            url="$redirect_url"
+          done
+
+          # Fetch and validate
+          curl -fsSL -o /tmp/smoke.deb "$deb_url"
+          file /tmp/smoke.deb | grep -q 'Debian binary package' \
+            || { echo "::error::Not a valid Debian package"; exit 1; }
+
+          # Size match against the Releases asset
+          asset_size=$(gh release view "$TAG" \
+            --repo aaddrick/claude-desktop-debian \
+            --json assets \
+            --jq ".assets[] | select(.name == \"${deb_name}\") | .size")
+          local_size=$(stat -c %s /tmp/smoke.deb)
+          [[ "$asset_size" == "$local_size" ]] \
+            || { echo "::error::Size mismatch: ${local_size} vs ${asset_size}"; exit 1; }
+
+          echo "APT smoke test passed: chain validated, file matches Releases asset"
+
   update-dnf-repo:
     name: Update DNF Repository
     if: startsWith(github.ref, 'refs/tags/v')
     needs: [release, update-apt-repo]
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    env:
+      WORKER_DOMAIN: pkg.claude-desktop-debian.dev
 
     steps:
       - name: Checkout gh-pages branch
@@ -570,6 +652,21 @@ jobs:
             'gpgkey=https://aaddrick.github.io/claude-desktop-debian/KEY.gpg' \
             > rpm/claude-desktop.repo
 
+      - name: Strip RPMs from pool (gated on Worker liveness)
+        working-directory: dnf-repo
+        run: |
+          # Mirror of the APT-side strip. Repodata (signed) stays; the .rpm
+          # binaries themselves are deleted because the Worker 302-redirects
+          # /rpm/<arch>/*.rpm requests to GitHub Release assets.
+          probe_url="https://${WORKER_DOMAIN}/dists/stable/InRelease"
+          if curl -fsI --max-time 10 "$probe_url" >/dev/null; then
+            echo "Worker live; stripping RPMs from pool (repodata + signatures retained)"
+            find rpm -type f -name '*.rpm' -delete
+          else
+            echo "Worker not responding; preserving .rpms in pool"
+            echo "(expected before Phase 4a; after that, an error worth investigating)"
+          fi
+
       - name: Commit and push changes
         working-directory: dnf-repo
         run: |
@@ -589,6 +686,61 @@ jobs:
             sleep "$wait_time"
           done
 
+      - name: Smoke test published rpm (ordered chain + size)
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          if ! curl -fsI --max-time 10 \
+              "https://${WORKER_DOMAIN}/dists/stable/InRelease" >/dev/null; then
+            echo "Worker not live; skipping smoke test (expected before Phase 4a)"
+            exit 0
+          fi
+
+          repoVer="${TAG#v}"; repoVer="${repoVer%+claude*}"
+          claudeVer="${TAG#*+claude}"
+          rpm_name="claude-desktop-${claudeVer}-${repoVer}-1.x86_64.rpm"
+          rpm_url="https://aaddrick.github.io/claude-desktop-debian/rpm/x86_64/${rpm_name}"
+
+          deadline=$((SECONDS + 300))
+          until curl -fsI --max-time 10 "$rpm_url" -o /dev/null; do
+            [[ $SECONDS -gt $deadline ]] \
+              && { echo "::error::Reachability timeout for ${rpm_url}"; exit 1; }
+            sleep 10
+          done
+
+          expected_hops=(
+            "https://${WORKER_DOMAIN}/"
+            "https://github\\.com/aaddrick/claude-desktop-debian/releases/download/v${repoVer}\\+claude${claudeVer}/"
+            "https://objects\\.githubusercontent\\.com/"
+          )
+          url="$rpm_url"
+          for i in "${!expected_hops[@]}"; do
+            hop_status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
+            redirect_url=$(curl -s -o /dev/null -w '%{redirect_url}' "$url")
+            echo "Hop ${i}: ${hop_status} ${url} -> ${redirect_url}"
+            [[ "$hop_status" =~ ^30[12]$ ]] \
+              || { echo "::error::Hop ${i} expected 301/302, got ${hop_status}"; exit 1; }
+            [[ "$redirect_url" =~ ^${expected_hops[$i]} ]] \
+              || { echo "::error::Hop ${i} mismatch: expected ${expected_hops[$i]}, got ${redirect_url}"; exit 1; }
+            url="$redirect_url"
+          done
+
+          curl -fsSL -o /tmp/smoke.rpm "$rpm_url"
+          rpm -qpi /tmp/smoke.rpm >/dev/null \
+            || { echo "::error::Not a valid RPM"; exit 1; }
+
+          asset_size=$(gh release view "$TAG" \
+            --repo aaddrick/claude-desktop-debian \
+            --json assets \
+            --jq ".assets[] | select(.name == \"${rpm_name}\") | .size")
+          local_size=$(stat -c %s /tmp/smoke.rpm)
+          [[ "$asset_size" == "$local_size" ]] \
+            || { echo "::error::Size mismatch: ${local_size} vs ${asset_size}"; exit 1; }
+
+          echo "DNF smoke test passed: chain validated, file matches Releases asset"
+
   update-aur-repo:
     name: Update AUR Package
     if: startsWith(github.ref, 'refs/tags/v')