Cloudflare R2 Service
One Space service brokers object-storage operations. Its public discovery contract describes both the Space-managed credential and optional, isolated credential sets owned by each Capsule.
Space service, brokered data plane
scope = space: one Service belongs to the Space, not to each Capsule.data_plane = brokered: operations remain behind the Service instead of exposing its key.credential_policy = managed-or-byok: the contract keeps BYOK optional and declares the intended selection policy. When Assistant binding lands, the managed Space credential is the fallback if no Capsule override is selected; no released Assistant data plane executes that selection today.- The declarative form fixes
owner_scopetocapsuleandcardinalitytomany, allowing multiple named R2 credential sets per Capsule.
The current runtime executes the credential lifecycle, exact Capsule ownership checks, encrypted custody, and fail-closed updates. Selection of a credential set by an Assistant remains outside this proof.
Definitions are public inside the private Service network
GET /healthz GET /v1/driver GET /v1/driver/credentials The /v1/driver path is retained for wire compatibility with existing runtimes. The manifest
endpoint returns the validated Service contract. The credential endpoint returns only
form definitions—field identifiers, labels, types, named formats, and bounds. Neither endpoint returns
a credential value, credential inventory, provider token, environment variable, or bucket contents.
What conforms now
- The closed manifest selects Service Spec v1, Space scope, brokered data, and optional BYOK.
- The closed credential form accepts only the reusable v1 field formats needed by an R2 access key.
- Both files pass strict parsers before the service starts and are returned unchanged by discovery.
- The Admin renders that form and proxies the five lifecycle operations without returning secret values.
- A separate per-Capsule principal prevents one Capsule from listing or mutating another's inventory.
- Create and rotate verify the candidate first; authenticated encryption binds its identities and generation, while compare-and-swap rejects stale changes.
Bind Assistants without exposing keys
Service Spec v1 now covers custody and lifecycle, but the Assistant capability-binding runtime is not
released and has no admitted credential_ref or scoped grant path. Assistants cannot consume
these credential sets today, and the existing R2 object routes continue to use the Space-managed
credential. The next data-plane slice must
pass only an opaque reference and an exact operation grant to the broker; it must never inject the
submitted access key into an Assistant or Capsule environment.
OAuth, passkeys, and Redpanda are not part of this R2 runtime. Their Service Spec shapes are architecture for later platform-owned adapters and events, not a claim that Cloudflare OAuth or passkey authorization is available today.
Production Capsule operations are hard-gated on gVisor. Because runsc is not registered on
the current host, the Capsule controller (internally still named capsule-driver) fails closed
instead of silently using runc; focused contract and lifecycle tests do not replace that
pending live isolation proof.
Read the Cloudflare R2 Service source.