Three bugs in the notify provisioner DNS record upsert:
1. rec.Record ("DKIM"/"SPF") was used as the DNS record type — Cloudflare
doesn't know those labels. Fix: use rec.DNSType ("TXT"/"MX") from the
resendDNSRecord.type JSON field, which is the actual DNS record type.
2. rec.Name from Resend is already relative to the zone apex
(e.g., "resend._domainkey.mail.project-name"), not relative to the
registered domain. Code was doing rec.Name + "." + host which produced
a doubled subdomain. Fix: pass rec.Name directly — Cloudflare's
normalizeName appends ".baseDomain" to build the correct FQDN.
3. MX records have priority 10 in Resend's response but DNSRecord had no
Priority field and Cloudflare CreateRecord/UpdateRecord didn't send it.
Fix: add Priority int to domain.DNSRecord and include it in the body
for both Create and Update when non-zero.
These bugs caused DKIM/SPF DNS records to never be created for any project.
Re-provision affected projects using POST /projects/{id}/notify/provision
after clearing NOTIFY_RESEND_DOMAIN_ID from the credential store.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add verifyWithRetry to provisioner: 60s initial DNS propagation delay,
5 retries with 30s backoff before marking verification as failed
- Add GetNotifyDomainStatus: polls Resend API for domain verification status,
returns "not_configured" when Resend not set up
- Add VerifyProjectNotify: synchronous re-verification for handler use
- Add getDomainStatus to resendAPI interface + resendClient implementation
- Add NotifyDomainStatus domain struct (host, resend_domain_id, status)
- Guard NOTIFY_RESEND_DOMAIN_ID storage against empty string writes
- New handler: GET /projects/{id}/notify/status (returns verification state)
- New handler: POST /projects/{id}/notify/verify (triggers re-verification)
- Add verify-notify-domain cookbook step to persona-community,
slackpath-1, and slackpath-4 trees (polls status for up to 6 min)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix no-op RequireProjectAccess middleware to enforce project_ids
- Apply project access middleware to all project-scoped routes
- Filter GET /projects by allowed project IDs for restricted keys
- Add GET /me endpoint with key identity, scopes, and project access info
- Add PATCH /keys/{id} for partial key updates (name, scopes, project_ids, allowed_ips, expires_in)
- Add GET/POST/DELETE /projects/{id}/access for project-centric access management
- Auto-grant creating key access when using POST /project/create-and-build
- Accept grant_to_key_ids in create-and-build to grant multiple keys on project creation
- Move newProvisionerWithDeps test helper from production code to test file
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
