Phoenix framework — alchemy + Effect + fate foundation

[usirin]

Phoenix framework — alchemy + Effect + fate foundation

main has no alchemy, no HttpRouter, no modular Durable Objects, no fate aggregator split. This PR is the framework establishment, not a modernization sweep on an existing stack. By the time it lands, phoenix is a coherent set of opinionated choices that future tooling can assume:

• One Cloudflare Worker declared by an alchemy stack (apps/web/alchemy.run.ts), with both fate's data plane and HTTP transport composing onto HttpRouter — no wrangler.jsonc, no Hono.
• Effect-native runtime with typed Layer composition, worker-level singletons (no per-request ManagedRuntime), and a captured ServiceMap bridge between fate resolvers and Effect domain code.
• fate as the data-layer protocol — /fate for query/mutation, /fate/live for SSE-pushed live views — implemented over a single unified Durable Object.
• Feature-colocated worker tree — every named app concern lives in one folder under features/; no services/, shared/, infra/, auth/, admin/, runtime/ buckets.

Every reusable shape lands as a pattern doc (.patterns/); every architectural fork lands as an ADR (.decisions/). The framework character itself is the deliverable — 14 new ADRs (0026–0039) plus 9 updated, 16 new patterns + 16 updated, and a worker entry whose docstrings record the load-bearing invariants.

Diff scope: ~18.8k additions / ~14.8k deletions across ~237 files. The breadth is intentional — this is the floor every future phoenix change builds on.

What this PR establishes

The alchemy stack

apps/web/alchemy.run.ts declares phoenix as a Cloudflare.Worker whose init phase binds D1, the live-DO namespace, and the SPA assets. Dev runs offline via Alchemy.localState(); deploy uses the Cloudflare-hosted Cloudflare.state(), selected by the dev-vs-deploy signal (not bare CI truthiness — ADR 0031). wrangler.jsonc is deleted; bindings are type-enforced at compile time. The CI/deploy story (.github/workflows/deploy.yml) ships alongside.

The Effect runtime + fate bridge

The per-request ManagedRuntime pattern is rejected in favor of worker-level singletons. Drizzle and the feature services are built once from the bound D1 (makeFateLayer(db, auth)). POST /fate provides Auth + HttpServerRequest per request, captures the live service map via Effect.context<FateEnv>(), and the bridge runs each resolver with Effect.provide(effect, ctx.context). Resolver R = never after provision. See ADR 0029 and .patterns/alchemy-runtime.md.

Live fan-out via a unified Durable Object

A single LiveDO class plays both roles — per-connection SSE stream holder and per-topic subscriber registry + fan-out + reap — distinguished by instance-name prefix (connection: vs topic:). It addresses its sibling instances through its own DurableObjectNamespaceScope, resolved once at init, so every RPC method's R stays never. There is no per-call yield* Sibling dance.

This unification (ADR 0037) supersedes the earlier ConnectionDO/TopicDO split (ADR 0025) and retires per-call sibling resolution (ADR 0033). The split could not init-bind its siblings without leaking the sibling Tag into the Layer's requirements channel — a cycle Layer.mergeAll can't satisfy; 0033 worked around it with per-call resolution, 0037 removes the cycle outright by collapsing to one class.

DO state is state.storage KV, not SQL: subscriber rows + a monotonic per-connection generation scalar (used to invalidate dead-instance registry rows) persist as KV entries. There is no @effect/sql-sqlite-do schema and no migration directory.

SSE construction follows Effect canon: Queue.dropping<Uint8Array> + Stream.fromQueue + a heartbeat merged via Stream.tick("15 seconds") + Stream.merge + Stream.ensuring cleanup + HttpServerResponse.stream. Captured as .patterns/effect-sse-externally-driven.md. Frame bytes are unchanged from the prior protocol (ADR 0034: stay on SSE+POST, don't redesign to WebSocket).

Auth via @alchemy.run/better-auth

apps/web/worker/features/pasaport/better-auth-live.ts provides the upstream BetterAuth Context.Service tag via a forked CloudflareD1 Layer (~160 lines) that injects the magic-link + bearer + emailAndPassword plugin stack while reusing phoenix's shared D1. The session secret is read from the BETTER_AUTH_SECRET binding as a Config.redacted (no default; Effect.orDie if absent) — fail-closed, not minted at random.

The BetterAuth.BetterAuth.auth value is Effect<Auth, never, RuntimeContext> — yielding it inside fate resolvers would leak RuntimeContext into every resolver's R. The escape: yield once in worker init (where RuntimeContext is in scope), thread the resolved Auth instance through makePasaportLive(auth) + makeFateLayer(db, auth) as a plain factory parameter. Pasaport's method R stays never. Captured as .patterns/better-auth-with-plugins-on-d1.md.

Feature-colocated worker tree

apps/web/worker/ has five top-level concepts (ADR 0036):

worker/
├── index.ts          (entry — DO host, bindings, env block)
├── env.ts            (deploy-env resolution; fail-closed)  +  config.ts, env.test.ts, types.d.ts
├── db/               (Drizzle + schema + migrations + keyset + resources)
├── http/             (app.ts composition + health route)
└── features/         (every named app-level grouping)
    ├── text/         (utilities)
    ├── fate/         (framework shell + per-feature aggregator barrels)
    ├── fate-live/    (SSE fan-out — the unified LiveDO + protocol + route + event-bus + topics)
    ├── pasaport/     (auth — Pasaport + BetterAuthLive + route + mutations + karma)
    ├── sozluk/, pano/, vote/, stats/

No services/, shared/, infra/, auth/, admin/, runtime/. Each feature owns its full footprint — Service, errors, plus queries.ts / lists.ts / views.ts / shapers.ts / sources.ts / mutations.ts per the per-feature aggregator pattern. The cross-feature aggregators in features/fate/ are barrels re-exporting from each feature, so the SPA's import surface is preserved despite the split (zero src/ file touched by the restructure). The *Admin/seed services and their routes were deleted, not relocated (ADR 0012 retired; the /api/admin/* seeders were a fail-open hole).

Hand-rolled Tags deleted in favor of upstream primitives: CloudflareEnv (use Cloudflare.WorkerEnvironment + Cloudflare.InferEnv), RequestContext (use Effect's HttpServerRequest).

Integration test harness

apps/web/tests/integration/_global-setup.ts deploys the real Stack to local workerd via alchemy/Test/Core in the main process (works around a pool-worker LoopbackServer race), then exposes a black-box HTTP harness (_harness.ts, _localhost-dns.ts) to the test pool. The previous 27 small integration files collapsed to 10 organized by feature (pano-read, pano-mutations, pano-posts-lifecycle, pano-comments, sozluk-read, sozluk-mutations, pasaport, stats, seam, fate-live) plus the 3 harness helpers. Captured as .patterns/alchemy-test-harness.md.

Key architectural decisions

The ADRs that carry the framework character. The pattern docs land next to them; read the pattern when adding code, read the ADR for the why.

ADR	Decision	Pattern
0032	Upgrade to alchemy@2.0.0-beta.45 + effect@4.0.0-beta.74; accept "deploy infra to cloud, run worker locally" as the dev model.	alchemy-overview.md, alchemy-stack-deploy.md
0034	Stay on fate's native SSE + POST protocol; do not redesign to WebSocket.	effect-sse-externally-driven.md, live-fan-out-options-considered.md
0036	Features = any named app-level grouping; worker/ has five top-level concepts.	feature-services.md (updated), per-feature-fate-aggregators.md
0037	Unify the live plane into one void-aligned LiveDO — one class, two roles, KV storage, self-namespace addressing. Supersedes 0025, retires 0033.	effect-sse-externally-driven.md

Supporting decisions from the same arc (0026–0031) cover the alchemy adoption (0026), dropping Hono for HttpRouter (0027), the alchemy Effect DO model (0028), dissolving the per-request runtime (0029), the single-worker + two-process Vite dev loop (0030), and local-first state for dev / remote state for deploy (0031). 0033 (per-call sibling resolution) is preserved as a historical record of the path that 0037 ultimately replaced. 0035 records the CLI conventions, 0038 the local-only dependency-patch policy, and 0039 the LiveBus Context.Service that drives the live fan-out.

What was considered and rejected

The pattern docs and .patterns/live-fan-out-options-considered.md carry the full record; the most consequential:

• Per-call sibling resolution for co-hosted mutual DOs (ADR 0033). Implemented, then retired within this PR (ADR 0037): collapsing the two DOs into one class that addresses siblings through its own init-resolved namespace removes the Layer cycle entirely, so no per-call yield* Sibling is needed and every RPC method's R stays never.
• WebSocket transport for live views. Considered. Rejected (ADR 0034): fate's SSE+POST works, the BYO protocol gives us cursors/backfill we'd reimplement on WS, and the SSE format is the simpler thing to debug.
• partyserver / partysub (Cloudflare's experimental pub/sub). Surveyed. partysub is too new (no durability story, no QoS); partyserver is the wrong abstraction layer. Track quarterly; revisit if partysub ships durability + QoS.
• Cloudflare Pub/Sub (MQTT). Dead product line. Off the table.
• SaaS pub/sub (Ably / PubNub / Pusher). Rejected: introduces a non-Cloudflare dependency for a problem one DO already solves well.
• Context.Service for parameterized Layers (e.g. an Auth service injected into Pasaport). Rejected for the auth-threading case: factory functions (makePasaportLive(auth)) stay simpler and keep R = never without adding a tag-resolution dance.

Test plan

• pnpm typecheck — clean (effect-tsgo across project references)
• pnpm lint — clean (biome), including the custom no-type-assertions GritQL rule
• Unit suite (vitest --project unit) — green
• Integration suite (vitest --project integration) — globalSetup deploys the real Stack to local workerd and tears it down; 10 feature files + 3 harness helpers cover the full HTTP surface
• SSE wire protocol byte-identical (verified by fate-live.test.ts frame assertions)
• SPA import surface preserved via barrel files (zero src/ file touched by the restructure)

Production cutover notes

LiveDO storage is state.storage KV. The unified LiveDO persists subscriber rows + the per-connection generation scalar as KV entries — no SQL schema, no migration ledger, no first-wake migration step. Any legacy DO carrying old SQL state is irrelevant: the new class never reads it. (This replaces the @effect/sql-sqlite-do migration plan from the superseded two-DO design.)

Bearer plugin is retained in better-auth-live.ts. The SPA's authClient at apps/web/src/auth/client.ts actively sends Authorization: Bearer <token> with localStorage-backed tokens — don't strip the bearer plugin on a "no worker-side consumer" audit without checking the SPA first.

Deploy-env is fail-closed. apps/web/worker/config.ts resolves ENVIRONMENT from config with Config.withDefault("production"), and BETTER_AUTH_SECRET has no default — a deploy that forgets it dies at runtime init (Effect.orDie) rather than booting with a fallback key.

Follow-ups (non-blocking)

• Live-fire smoke test against alchemy dev once the Redacted.value(undefined) OAuth-credentials bug is worked around with CLOUDFLARE_API_TOKEN.
• Framework CLI tooling (e.g. a per-DO SQL-migration scaffolder) is deferred — the phoenix-migrate package was dropped because the unified KV-backed LiveDO has no live SQL-migration target. The CLI conventions are recorded in ADR 0035, so the next focused tool starts from the established shape; revisit when a feature reintroduces per-DO SQL.
• partysub revisit cadence — quarterly check on Cloudflare's experimental topic-pubsub abstraction. Clean migration target if it ships durability + QoS.

[github-actions]

Preview: https://phoenix-pr-12.kampusinfra.workers.dev