Status

Thin, stateless capability gateway to Google Web Risk. Bearer-token auth, per-caller quota, KV cache, fleet kill switch.

Kill switch spend ON

Toggle via POST /admin/quota with {"global":{"enabled":true|false}} and the x-admin-token header. The fleet-wide CONTROL-001 switch (Provider_Spend_On_Off) layers on top of this and is not shown here — it's shared with every Google-calling gateway worker.

Issue a bearer token

New callers should use the guided onboarding wizard instead — this is the quick path for an existing operator.

Settings catalog

VariableScopeStatusDescription
GOOGLE_WEBRISK_API_KEY secret ✅ set Google Cloud API key with the Web Risk API enabled, used for uris:search lookups. Secrets Store binding.
ADMIN_TOKEN worker-secret ✅ set Bearer for /admin/* routes (quota overrides, cache purge, token issuance, spend view).
WEBRISK_GW_CACHE_KV binding ✅ set KV cache for Web Risk verdicts, keyed by URI hash + threat-type set. TTL honors Google's expireTime on a match.
WEBRISK_GW_QUOTA_KV binding ✅ set KV store for per-caller daily quota counters, quota overrides, and issued bearer tokens.
PROVIDER_CONTROL binding ✅ set CONTROL-001 fleet-wide master spend switch (shared provider-control KV, key Provider_Spend_On_Off, same namespace bound on every Google-calling gateway worker). Missing binding counts as on — set the key to "off" to stop paid Google calls fleet-wide.
GPN_GOOGLE_MONITORING_WORKER binding ✅ set Service binding to gpn-google-monitoring-worker for read-only Google API spend visibility.
ARC binding ✅ set Service binding to ar-accountrevenue-eu-worker — commercialisation (E3.3/E4): entitlement-based quota tiers + per-call usage reporting for callers with an AR account (src/arc.ts). Callers without one are unaffected (free-tier default, unchanged). Requires this worker's own ARC app registration (dashboard action) before it does anything.
ARC_API_TOKEN worker-secret ⬜ not set Per-app bearer token for calling ARC (usage reporting, entitlement checks). Requires ARC app registration first — until set, entitlement lookups fail open to the free tier and usage reports are silently dropped (never blocks a request).
ARC_WEBHOOK_SECRET worker-secret ⬜ not set Verifies X-MUP-Signature on inbound ARC webhooks. No webhook receiver route exists yet.
WEBRISK_GW_DAILY_QUOTA_DEFAULT var ✅ set Default per-caller daily cap on cache-miss Google Web Risk calls, unless overridden per caller.
MONITORING_API_TOKEN worker-secret ⬜ not set Bearer sent to gpn-google-monitoring-worker for GET /admin/spend. Optional — spend visibility is unavailable without it.
GOOGLE_CLOUD_PROJECT_ID var ⬜ not set GCP project id passed to gpn-google-monitoring-worker for GET /admin/spend.
GOOGLE_WEBRISK_MONITORING_SERVICE_NAME var ✅ set Service name passed to gpn-google-monitoring-worker for GET /admin/spend.

Capabilities

See GET /api/capabilities for the live catalog, or POST /mcp for the MCP surface.