Problem
Sensitive client documents had to live somewhere with stronger guarantees than a generic cloud drive: tenant isolation, cryptographic blast-radius limits, and an audit trail the operator itself cannot tamper with.
Approach
Greenfield Astro SSR + Hono API on Cloudflare Workers, deliberately split across 11 modules so spike work (Azure SDK) and external dependencies (IAL backbone) could be isolated behind interfaces and pushed to later batches without holding up the core path.
Crypto is envelope-based: data keys are wrapped by Azure HSM and AWS KMS in parallel, so neither cloud is a single point of compromise. Large documents are chunked before encryption to keep Worker memory predictable.
A separate SMS OTP Worker handles break-glass access, isolated from the main app so a hard outage on the primary Worker doesn’t lock operators out.
What I shipped
- Architecture proposal v1 → v2 closing 6 reviewer concerns (Worker memory handling, auth degradation paths, break-glass channel resilience, document size constraints, audit store authority, shared code strategy)
- 11 capability modules delivered under Strict TDD, 125+ tests green at MVP
- Multi-cloud envelope encryption with chunked streaming
- Write-once audit pipeline to Azure Blob
- Four-level auth cascade with documented degradation order