---
canonical: "https://yuanhaochen.dev/work/vault-bridge"
path: "/work/vault-bridge"
section: "Work"
title: "serverless-vault-bridge"
language: "en"
agentUse: "summary, retrieval, citation, hiring evaluation"
---

# serverless-vault-bridge

Separates AI suggestions from durable GitHub writes through proposal tokens, digest-bound confirmation, path safety, expected base SHA, and conflict handling.

## Why this article exists

I built this around a small but important discomfort: if AI can help maintain a knowledge vault, it should not quietly mutate durable storage behind the user. The bridge lets an assistant prepare a diff, then forces the final write through exact-content confirmation.

## Problem

AI-assisted note systems need safe write boundaries: path safety, API authentication, diff review, digest-bound confirmation, expected base SHA, and conflict handling before storage changes.

## What shipped

Cloudflare Worker-compatible runtime, GitHub Contents API storage adapter, ChatGPT Actions OpenAPI, MCP JSON-RPC endpoint, proposal tokens, path policy, CAS conflict handling, and behavior tests.

## Evidence

The README names the propose-review-commit tool flow and failure semantics for path traversal, token mismatch, digest mismatch, path mismatch, base SHA mismatch, and CAS conflicts.

## Inspect path

Inspect `src/`, `test/`, `wrangler.toml.example`, the OpenAPI schema, and tests for auth, path safety, token binding, CAS conflicts, and MCP parity.

## Boundary

It is not a sync engine, database, agent framework, or direct-write API for high-risk automation. It proves a reviewable write boundary, not a full knowledge-management product.

## What changed

The important boundary became clearer: not chat versus agent, but suggestion versus commit, with ownership and rollback kept visible.

## Next question

Where should approval live when AI can prepare a change but should not own the final mutation?

[Open public repository](https://github.com/89325516/serverless-vault-bridge)
