# Trinity Spirit

A Cloudflare Worker that acts as a zero-trust relay between Passport clients and the Authority.

## Overview

Spirit is the "always-online" component of Trinity. It runs on Cloudflare's edge network and stores encrypted CSRs and Blind Drops in a D1 database. The gateway cannot decrypt or read the payloads — it acts purely as a blind courier.
## API Reference

### POST /requests

Submit a CSR or encrypted Blind Drop.

Headers:

```
Content-Type: application/json
Authorization: Bearer <enrollment_token>
```

Request Body (CSR):

```json
{
  "payload": "-----BEGIN CERTIFICATE REQUEST-----\n...",
  "type": "csr",
  "metadata": {
    "device": "Linux",
    "user": "alice",
    "identity_id": "uuid-here"
  }
}
```

Request Body (Blind Drop):

```json
{
  "payload": "base64-encoded-encrypted-drop",
  "type": "blind_drop",
  "metadata": { ... }
}
```

Response (201):

```json
{
  "success": true,
  "requestId": 42,
  "status": "pending"
}
```
### GET /certificates/:request_id

Poll for a signed certificate.

Headers:

```
Authorization: Bearer <enrollment_token>
```

Response (200 — Signed):

```json
{
  "status": "signed",
  "certificate": "-----BEGIN CERTIFICATE-----\n..."
}
```

Response (200 — Pending):

```json
{
  "status": "pending",
  "certificate": null
}
```
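The two endpoints above form one client-side flow: submit the CSR, keep the `requestId`, then poll until the Authority's signature arrives. The following is an added example of that flow, not code from Spirit or Passport; the base URL `https://spirit.example`, the default poll interval, the fail-closed handling of any non-200 poll response, and the injectable `fetchImpl`/`sleep` parameters are assumptions of this example. The fake transport at the bottom is constructed so the flow runs offline.

```javascript
// Added example, not part of Spirit or Passport: a client-side enrollment flow
// against POST /requests and GET /certificates/:request_id. `spiritBase`, the
// default poll interval and the injectable `fetchImpl`/`sleep` are assumptions.

const CERT_HEADER = "-----BEGIN CERTIFICATE-----";
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// POST /requests with a CSR; returns the requestId the gateway assigned.
async function submitCsr(spiritBase, token, csrPem, metadata, fetchImpl = fetch) {
  const res = await fetchImpl(`${spiritBase}/requests`, {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${token}` },
    body: JSON.stringify({ payload: csrPem, type: "csr", metadata }),
  });
  if (res.status !== 201) throw new Error(`submit failed: HTTP ${res.status}`);
  const body = await res.json();
  if (body.success !== true || !Number.isInteger(body.requestId)) {
    throw new Error("submit: unexpected response body");
  }
  return body.requestId;
}

// Map one GET /certificates/:id response to "done", "wait" or "fail".
// Only a 200 whose status is "signed" and whose certificate is a PEM
// certificate counts as done; anything unexpected fails closed.
function classifyPoll(httpStatus, body) {
  if (httpStatus !== 200 || !body || typeof body !== "object") {
    return { action: "fail", reason: `unexpected poll response: HTTP ${httpStatus}` };
  }
  if (body.status === "pending") return { action: "wait" };
  if (body.status === "signed" && typeof body.certificate === "string"
      && body.certificate.startsWith(CERT_HEADER)) {
    return { action: "done", certificate: body.certificate };
  }
  return { action: "fail", reason: `unexpected poll body status "${body.status}"` };
}

// Poll until the Authority's signature lands or the attempt budget runs out.
async function waitForCertificate(spiritBase, token, requestId, options = {}) {
  const { intervalMs = 5000, maxAttempts = 60, fetchImpl = fetch, sleep = defaultSleep } = options;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await fetchImpl(`${spiritBase}/certificates/${requestId}`, {
      headers: { Authorization: `Bearer ${token}` },
    });
    const body = res.status === 200 ? await res.json() : null;
    const verdict = classifyPoll(res.status, body);
    if (verdict.action === "done") return verdict.certificate;
    if (verdict.action === "fail") throw new Error(verdict.reason);
    await sleep(intervalMs);
  }
  throw new Error(`request ${requestId} still pending after ${maxAttempts} polls`);
}

// Constructed fake transport for an offline dry run: 201 on submit, then
// "pending" twice before "signed". Not a real Spirit deployment.
function makeFakeSpirit() {
  let polls = 0;
  const json = (status, data) => ({ status, json: async () => data });
  return async (url, init = {}) => {
    if (url.endsWith("/requests") && init.method === "POST") {
      return json(201, { success: true, requestId: 42, status: "pending" });
    }
    polls += 1;
    return polls < 3
      ? json(200, { status: "pending", certificate: null })
      : json(200, { status: "signed", certificate: `${CERT_HEADER}\nMIIB...` });
  };
}

// Run the whole flow against the fake transport; resolves to the PEM certificate.
async function enrollDryRun() {
  const base = "https://spirit.example"; // constructed placeholder, not a real host
  const fetchImpl = makeFakeSpirit();
  const id = await submitCsr(base, "enrollment-token", "-----BEGIN CERTIFICATE REQUEST-----\n...", { user: "alice" }, fetchImpl);
  return waitForCertificate(base, "enrollment-token", id, { intervalMs: 0, fetchImpl, sleep: async () => {} });
}
```

Against a real deployment, drop the `fetchImpl` and `sleep` arguments so the global `fetch` and a real delay are used; `classifyPoll` stays the same, and treating every non-200 poll as a hard failure is the conservative choice until the gateway documents which statuses are transient.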
## Database Schema

```sql
CREATE TABLE IF NOT EXISTS requests (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  payload TEXT NOT NULL,
  payload_type TEXT NOT NULL DEFAULT 'csr',
  metadata TEXT,
  status TEXT NOT NULL DEFAULT 'pending',
  certificate TEXT,
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
);

CREATE TABLE IF NOT EXISTS enrollment_tokens (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  token_hash TEXT NOT NULL UNIQUE,
  label TEXT,
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  expires_at DATETIME
);
```
## Deployment

See the Self-Hosting Guide for full deployment instructions.

```sh
cd spirit
npm install
wrangler d1 create trinity-spirit
wrangler d1 execute trinity-spirit --file=schema.sql
wrangler deploy
```
## Security

- Zero-Trust — The gateway cannot decrypt payloads. It stores opaque blobs.
- Token Auth — All requests require a valid enrollment token (Bearer).
- Payload Validation — CSR payloads must start with `-----BEGIN CERTIFICATE REQUEST-----`. Blind drops must be at least 100 bytes of Base64.
- Edge Execution — Runs on Cloudflare's global network with built-in DDoS protection.