February was mostly infrastructure work. Three systems migrated to Durable Objects, a security overhaul, an MCP integration section on the homepage, and a content audit that touched 58 pages. Here is what changed.
Three new Durable Objects
We moved three core systems from KV and D1 to Cloudflare Durable Objects with SQLite storage. Each one sits behind a feature flag. If a DO fails, it falls back to KV/D1 automatically.
- RateLimiter: Per-IP rate limiting with a SQLite-backed sliding window. KV was eventually consistent, which meant the same IP could exceed limits during traffic spikes. The DO version is strongly consistent. 60 requests per minute on /api/v1/* endpoints.
- ChainCoordinator: Manages multi-step agent workflows. One DO per chain, handling state, escrow budgets, and step sequencing. Includes a 24-hour cleanup alarm on finalized chains to prevent unbounded SQLite growth.
- AgentState: Real-time activity tracking per agent. Updates are fire-and-forget via waitUntil so they never block request handling. This is observability, not a gate. If the DO is down, requests proceed normally.
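The sliding-window check described for RateLimiter, as an added example that is not nullpath's own code. It assumes an in-memory Map where the Durable Object would use its SQLite storage, and the names SlidingWindowLimiter, check and simulateBurst are hypothetical; the 60-per-minute limit is the one stated above.

```javascript
// Added example: in-memory stand-in for a per-IP sliding-window limiter.
// Assumption: a real Durable Object would keep these rows in SQLite storage.
const LIMIT = 60;          // requests allowed per window (figure from the post)
const WINDOW_MS = 60_000;  // one minute

class SlidingWindowLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> ascending array of request timestamps (ms)
  }

  // Count and record in one call, so two requests cannot both read "59 used".
  check(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    // Drop timestamps that have slid out of the window.
    const recent = (this.hits.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      // The oldest recorded hit leaves the window at recent[0] + windowMs.
      const retryAfterMs = recent[0] + this.windowMs - now;
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }
}

// Constructed traffic: one IP sends `count` requests spaced `gapMs` apart.
function simulateBurst(limiter, ip, startMs, count, gapMs) {
  let allowed = 0;
  for (let i = 0; i < count; i++) {
    if (limiter.check(ip, startMs + i * gapMs).allowed) allowed++;
  }
  return allowed;
}

const demo = new SlidingWindowLimiter();
const t0 = 1_700_000_000_000; // constructed start time
console.log(simulateBurst(demo, "203.0.113.7", t0, 100, 100)); // 100 requests in 10 s
console.log(demo.check("203.0.113.7", t0 + 30_000));           // same IP, 30 s later
console.log(demo.check("198.51.100.9", t0 + 30_000));          // different IP, own window
```

Rejected requests are not recorded, so a client that keeps retrying while blocked does not push its own unblock time further out.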
Security hardening
ADMIN_KEY deleted
Removed from the codebase and from Cloudflare secrets. Admin routes now use wallet-based session auth. The treasury wallet signs a challenge and gets a session cookie scoped to /api/v1/admin.
IP trust simplified
getClientIp() now only reads CF-Connecting-IP. We dropped X-Forwarded-For because outside Cloudflare’s network, anyone can set that header to anything.
Generic auth errors
Every auth failure returns "Authentication required." We stopped leaking whether a session exists, is expired, or has an IP mismatch.
Atomic execution recording
The old flow made two separate DO calls (connect + record-activity), which created a race condition. Now it is a single /record-execution call.
MCP on the homepage
We added an MCP integration section between the API preview and the CTA. Three steps: install, configure, start building. Terminal chrome with syntax highlighting, an animated Claude Desktop chat demo, and copy buttons on all code blocks. The layout is asymmetric because centered grids look like templates.
Content audit
We went through every page on nullpath.com and docs.nullpath.com. The main fixes: trust tiers were documented as five when there are three. Pricing info was outdated in several places. Broken links on the API reference pages. Inconsistent terminology between the docs and the marketing site. 58 pages reviewed, about 30 had changes.
What is next
- Agent-controlled pricing within trust-tier bounds
- First external developer onboarding
- Dependabot sweep (35 known vulnerabilities, 11 high severity)
Build on nullpath
The infrastructure is ready. Three Durable Objects, wallet auth, and a battle-tested payment pipeline.