Overview
cosmos-digital-services is the public marketing and lead-generation site for cosmosdigitalservices.com. It lives in the monorepo at apps/cosmos/digital-services.
What this app is
- An Astro site that builds to mostly static HTML, assets, and client scripts.
- Cloudflare Workers at the edge for auth/session APIs, protected route enforcement, non-auth /api/* handling, and optional image resizing.
- A protected admin-style utility at /portal/outgoing-mail for authenticated outgoing mail (worker-backed).
What this app is not
- Not Astro SSR-first: behavior is static-first; edge workers augment routing and APIs.
- Not where Cloudflare Access “lives”: Access is configured in Cloudflare; the app and gateway worker consume Access JWTs and cookies.
Runtime model
- Astro renders pages, layouts, metadata, and browser scripts from apps/cosmos/digital-services/src/.
- src/middleware.ts can rewrite most requests to /maintenance when PUBLIC_MAINTENANCE_MODE === 'true'.
- workers/auth-gateway.js handles /api/auth/session, /api/auth/logout, enforces protected prefixes (/portal*, /admin* by default), and delegates other /api/* to shared edge utilities.
- workers/image-optimizer.js serves optimized images when the path matches configured routes and query params (see Worker flow).
Shared UI and theming come from workspace packages such as @cosmos/ui-astro, @cosmos/theme, and @cosmos/edge-utils—the app is not fully self-contained.
Authentication at a glance
Session authentication is not implemented as Astro server routes. The gateway worker validates tokens (Cloudflare Access JWT header or cookie, or Authorization: Bearer) by calling AUTH_WORKER_VERIFY_URL. The layout script calls GET /api/auth/session on load; a JSON response containing success: true drives the header switch from Login to Logout and the admin nav.
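The gateway decision described above, as an added sketch that is not the project's auth-gateway.js. Cf-Access-Jwt-Assertion and CF_Authorization are Cloudflare Access's standard header and cookie names; the function names, the precedence order, the fail-closed handling and the verify callback standing in for the AUTH_WORKER_VERIFY_URL call are assumptions.

```javascript
// Added example; extractToken, isProtected and gate are hypothetical names.
const PROTECTED_PREFIXES = ['/portal', '/admin']; // page: /portal*, /admin* by default

// Return the first credential found, in the order the page lists the sources
// (the precedence itself is an assumption).
function extractToken(headers) {
  const accessHeader = headers.get('Cf-Access-Jwt-Assertion');
  if (accessHeader) return { source: 'access-header', token: accessHeader };

  const cookie = headers.get('Cookie') || '';
  for (const part of cookie.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === 'CF_Authorization') {
      const value = part.slice(eq + 1).trim();
      if (value) return { source: 'access-cookie', token: value };
    }
  }

  // Only the Bearer scheme is accepted; Basic and others yield no token.
  const auth = headers.get('Authorization') || '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
  if (m) return { source: 'bearer', token: m[1] };
  return null;
}

// Literal prefix match, mirroring how the page writes /portal* and /admin*.
function isProtected(pathname, prefixes = PROTECTED_PREFIXES) {
  return prefixes.some((p) => pathname.startsWith(p));
}

// verify(token) stands in for the request to AUTH_WORKER_VERIFY_URL and
// resolves to true or false. Any error or non-true result denies access.
async function gate(pathname, headers, verify) {
  if (!isProtected(pathname)) return { allow: true, reason: 'public' };
  const cred = extractToken(headers);
  if (!cred) return { allow: false, reason: 'no-token' };
  let ok = false;
  try {
    ok = (await verify(cred.token)) === true;
  } catch {
    ok = false; // fail closed when the verifier is unreachable
  }
  return ok ? { allow: true, reason: cred.source } : { allow: false, reason: 'rejected' };
}
```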
Read next
- Architecture — request boundaries and static vs edge.
- App structure — where to edit what.
- Worker flow — session, logout, protected routes, images, API fallback.
- Configuration reference — config files and blast radius.
- Environment variables — PUBLIC_*, secrets, worker vars.
Source anchors
- apps/cosmos/digital-services/README.md
- apps/cosmos/digital-services/package.json
- apps/cosmos/digital-services/src/layouts/Layout.astro
- apps/cosmos/digital-services/src/middleware.ts
- apps/cosmos/digital-services/workers/auth-gateway.js