From 487ee062b3ba16733e15a86a182ebbefe2c26534 Mon Sep 17 00:00:00 2001
From: hongming-codex-laptop <hongming-codex-laptop@agents.moleculesai.app>
Date: Wed, 13 May 2026 00:23:16 -0700
Subject: [PATCH] fix(ci): harden Cloudflare sweep API errors

---
 scripts/ops/sweep-cf-orphans.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/scripts/ops/sweep-cf-orphans.sh b/scripts/ops/sweep-cf-orphans.sh
index 8a4da90c..b96d7bfb 100755
--- a/scripts/ops/sweep-cf-orphans.sh
+++ b/scripts/ops/sweep-cf-orphans.sh
@@ -97,6 +97,33 @@ log "  live EC2s: $(echo "$EC2_NAMES" | wc -w | tr -d ' ')"
 log "Fetching Cloudflare DNS records..."
 CF_JSON=$(curl -sS -m 15 -H "Authorization: Bearer $CF_API_TOKEN" \
   "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records?per_page=500")
+if ! echo "$CF_JSON" | python3 -c '
+import json, sys
+
+try:
+    payload = json.load(sys.stdin)
+except Exception as exc:
+    print(f"ERROR: Cloudflare returned non-JSON response: {exc}", file=sys.stderr)
+    raise SystemExit(1)
+
+if not payload.get("success", False) or not isinstance(payload.get("result"), list):
+    errors = payload.get("errors") or []
+    if errors:
+        detail = "; ".join(
+            "{code}: {message}".format(
+                code=err.get("code", "unknown"),
+                message=err.get("message", "unknown error"),
+            )
+            for err in errors
+        )
+    else:
+        detail = "unexpected result type {}".format(type(payload.get("result")).__name__)
+    print(f"ERROR: Cloudflare DNS list failed: {detail}", file=sys.stderr)
+    raise SystemExit(1)
+'; then
+  log "Cloudflare DNS list failed; verify CF_API_TOKEN has Zone:DNS:Edit and CF_ZONE_ID is the moleculesai.app zone."
+  exit 1
+fi
 TOTAL_CF=$(echo "$CF_JSON" | python3 -c "import json,sys; print(len(json.load(sys.stdin)['result']))")
 log "  CF records: $TOTAL_CF"