npm - @authhero/cloudflare-adapter - Versions diffs - 2.33.2 → 2.34.0 - Mend

@authhero/cloudflare-adapter 2.33.2 → 2.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/cloudflare-adapter.cjs +1 -1
package/dist/cloudflare-adapter.d.ts +342 -3
package/dist/cloudflare-adapter.mjs +1683 -1470
package/dist/tsconfig.types.tsbuildinfo +1 -1
package/dist/types/index.d.ts +2 -0
package/dist/types/wfp-provisioner/cf-api.d.ts +83 -0
package/dist/types/wfp-provisioner/index.d.ts +6 -0
package/dist/types/wfp-provisioner/provisioner.d.ts +47 -0
package/dist/types/wfp-provisioner/tenant-hook.d.ts +68 -0
package/dist/types/wfp-provisioner/tenant-worker.example.d.ts +92 -0
package/dist/types/wfp-provisioner/types.d.ts +140 -0
package/package.json +3 -3

package/dist/cloudflare-adapter.cjs CHANGED Viewed

@@ -330,4 +330,4 @@ export default {
     }
   },
 };
-`}var Lh=class{loader;compatibilityDate;constructor(e){this.loader=e.loader,this.compatibilityDate=e.compatibilityDate||`2025-01-01`}async execute(e){let t=Date.now();try{let t=Ih(e.code),n={compatibilityDate:this.compatibilityDate,mainModule:`hook.js`,modules:{"hook.js":t}},r=e.hookCodeId?`${e.hookCodeId}-${await Fh(e.code)}`:null;return await(await(r?this.loader.get(r,async()=>n):this.loader.load(n)).getEntrypoint().fetch(new Request(`https://hook/execute`,{method:`POST`,headers:{"Content-Type":`application/json`},body:JSON.stringify({event:e.event,triggerId:e.triggerId})}))).json()}catch(e){return{success:!1,error:e instanceof Error?e.message:String(e),durationMs:Date.now()-t,apiCalls:[]}}}};function Rh(e){let t={customDomains:Dm(e),cache:km({...e.cacheName&&{cacheName:e.cacheName},...e.defaultTtlSeconds!==void 0&&{defaultTtlSeconds:e.defaultTtlSeconds},...e.keyPrefix&&{keyPrefix:e.keyPrefix}}),geo:Dh()};e.r2SqlLogs?t.logs=Um(e.r2SqlLogs):e.analyticsEngineLogs&&(t.logs=mh(e.analyticsEngineLogs)),e.analyticsEngineLogs&&(t.analytics=ph(e.analyticsEngineLogs)),e.analyticsEngineActionExecutions&&(t.actionExecutions=Eh(e.analyticsEngineActionExecutions));let n=kh(e.rateLimitBindings);return n&&(t.rateLimit=n),t}exports.CloudflareCodeExecutor=Mh,exports.DispatchNamespaceCodeExecutor=jh,exports.WorkerLoaderCodeExecutor=Lh,exports.createAnalyticsEngineActionExecutionsAdapter=Eh,exports.createAnalyticsEngineAnalyticsAdapter=ph,exports.createAnalyticsEngineLogsAdapter=mh,exports.createAnalyticsEngineStatsAdapter=ih,exports.createCloudflareRateLimitAdapter=kh,exports.createR2SQLLogsAdapter=Um,exports.createR2SQLStatsAdapter=Hm,exports.default=Rh,exports.generateWorkerScript=Ah;
+`}var Lh=class{loader;compatibilityDate;constructor(e){this.loader=e.loader,this.compatibilityDate=e.compatibilityDate||`2025-01-01`}async execute(e){let t=Date.now();try{let t=Ih(e.code),n={compatibilityDate:this.compatibilityDate,mainModule:`hook.js`,modules:{"hook.js":t}},r=e.hookCodeId?`${e.hookCodeId}-${await Fh(e.code)}`:null;return await(await(r?this.loader.get(r,async()=>n):this.loader.load(n)).getEntrypoint().fetch(new Request(`https://hook/execute`,{method:`POST`,headers:{"Content-Type":`application/json`},body:JSON.stringify({event:e.event,triggerId:e.triggerId})}))).json()}catch(e){return{success:!1,error:e instanceof Error?e.message:String(e),durationMs:Date.now()-t,apiCalls:[]}}}},Rh=class extends Error{status;endpoint;errors;body;constructor(e,t,n,r=[]){super(`Cloudflare API ${e} ${t}: ${zh(n,256)}`),this.name=`CloudflareApiError`,this.status=e,this.endpoint=t,this.body=n,this.errors=r}};function zh(e,t){return e.length<=t?e:`${e.slice(0,t)}…`}var Bh=class{accountId;apiToken;fetchImpl;timeoutMs;baseUrl;constructor(e){this.accountId=e.accountId,this.apiToken=e.apiToken,this.fetchImpl=e.fetch??fetch,this.timeoutMs=e.timeoutMs??3e4,this.baseUrl=(e.baseUrl??`https://api.cloudflare.com/client/v4`).replace(/\/+$/,``)}async createD1Database(e){let t=`/accounts/${encodeURIComponent(this.accountId)}/d1/database`;return(await this.request(`POST`,t,{body:JSON.stringify({name:e})})).result}async listD1Databases(e){let t=e?`?name=${encodeURIComponent(e)}`:``,n=`/accounts/${encodeURIComponent(this.accountId)}/d1/database${t}`;return(await this.request(`GET`,n)).result??[]}async deleteD1Database(e){let t=`/accounts/${encodeURIComponent(this.accountId)}/d1/database/${encodeURIComponent(e)}`;await this.request(`DELETE`,t)}async execD1(e,t){let n=`/accounts/${encodeURIComponent(this.accountId)}/d1/database/${encodeURIComponent(e)}/query`;return(await this.request(`POST`,n,{body:JSON.stringify({sql:t})})).result??[]}async uploadNamespacedScript(e,t,n){let r=`/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(e)}/scripts/${encodeURIComponent(t)}`,i={main_module:n.mainModule,compatibility_date:n.compatibilityDate,compatibility_flags:n.compatibilityFlags??[],bindings:n.bindings??[],tags:n.tags},a=new FormData;a.append(`metadata`,new Blob([JSON.stringify(i)],{type:`application/json`})),a.append(n.mainModule,new Blob([n.script],{type:`application/javascript+module`}),n.mainModule),await this.request(`PUT`,r,{body:a})}async deleteNamespacedScript(e,t){let n=`/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(e)}/scripts/${encodeURIComponent(t)}`;await this.request(`DELETE`,n)}async setNamespacedScriptSecret(e,t,n,r){let i=`/accounts/${this.accountId}/workers/dispatch/namespaces/${encodeURIComponent(e)}/scripts/${encodeURIComponent(t)}/secrets`;await this.request(`PUT`,i,{body:JSON.stringify({name:n,text:r,type:`secret_text`})})}async request(e,t,n){let r=`${this.baseUrl}${t}`,i=new AbortController,a=setTimeout(()=>i.abort(),this.timeoutMs),o={Authorization:`Bearer ${this.apiToken}`,...n?.headers??{}};n?.body&&!(n.body instanceof FormData)&&!o[`Content-Type`]&&(o[`Content-Type`]=`application/json`);let s;try{s=await this.fetchImpl(r,{method:e,headers:o,body:n?.body,signal:i.signal})}finally{clearTimeout(a)}let c=await s.text();if(!s.ok){let e=[];try{let t=JSON.parse(c);Array.isArray(t.errors)&&(e=t.errors)}catch{}throw new Rh(s.status,t,c,e)}if(!(c===``||s.status===204))return JSON.parse(c)}},Vh=`{tenant_id}`,Hh=`tenant-{tenant_id}`,Uh=`index.js`,Wh=`2026-05-01`;function Gh(e,t){return e.replace(/\{tenant_id\}/g,t)}function Kh(e){if(!(e instanceof Rh))return!1;let t=e.body.toLowerCase();return e.status===409||t.includes(`already exists`)||t.includes(`name is already taken`)||t.includes(`already in use`)}function qh(e){return e instanceof Rh?e.status===404:!1}function Jh(e){let t=new Bh({accountId:e.accountId,apiToken:e.apiToken,fetch:e.fetch,timeoutMs:e.timeoutMs}),n=e.scriptNameTemplate??Vh,r=e.d1NameTemplate??Hh,i=e.scriptMetadata?.main_module??Uh,a=e.scriptMetadata?.compatibility_date??Wh,o=e.scriptMetadata?.compatibility_flags??[`nodejs_compat`],s=e.dispatchNamespace;async function c(e){let n=(await t.listD1Databases(e)).find(t=>t.name===e);if(n)return n.uuid;try{return(await t.createD1Database(e)).uuid}catch(n){if(!Kh(n))throw n;let r=(await t.listD1Databases(e)).find(t=>t.name===e);if(r)return r.uuid;throw n}}async function l(n){for(let r of e.migrations)try{await t.execD1(n,r.sql)}catch(e){throw e instanceof Error?Error(`Failed to apply migration "${r.name}" to D1 ${n}: ${e.message}`,{cause:e}):e}}async function u(n,r){let c=[{type:`d1`,name:`AUTH_DB`,id:r},{type:`plain_text`,name:`CONTROL_PLANE_BASE_URL`,text:e.controlPlaneBaseUrl}];await t.uploadNamespacedScript(s,n,{script:e.tenantWorkerScript,mainModule:i,compatibilityDate:a,compatibilityFlags:o,bindings:c,tags:[`authhero-tenant`,`tenant:${n}`]})}async function d(n,r){let i=await e.secrets(r);for(let[e,r]of Object.entries(i))await t.setNamespacedScriptSecret(s,n,e,r)}return{async onProvision(e){let t=Gh(n,e),i=Gh(r,e),a=await c(i);return await l(a),await u(t,a),await d(t,e),{d1DatabaseId:a,scriptName:t,d1Name:i}},async onDeprovision(e){let i=Gh(n,e),a=Gh(r,e);try{await t.deleteNamespacedScript(s,i)}catch(e){if(!qh(e))throw e}let o=(await t.listD1Databases(a)).find(e=>e.name===a);if(o)try{await t.deleteD1Database(o.uuid)}catch(e){if(!qh(e))throw e}}}}function Yh(e){return e.deployment_type===`wfp`}function Xh(e){let{provisioner:t,tenants:n}=e,r=e.shouldProvision??Yh,i=e.logger;async function a(e,t){let r=t instanceof Error?t.message:String(t);try{await n.update(e,{provisioning_state:`failed`,provisioning_error:r.slice(0,2048),provisioning_state_changed_at:new Date().toISOString()})}catch(t){i?.warn(`Failed to write provisioning_state="failed" for tenant ${e}:`,t)}}return{async onProvision(e){let i=await n.get(e);if(i&&r(i))try{let r=await t.onProvision(e);await n.update(e,{d1_database_id:r.d1DatabaseId,worker_script_name:r.scriptName,provisioning_state:`ready`,provisioning_error:void 0,provisioning_state_changed_at:new Date().toISOString()})}catch(t){throw await a(e,t),t}},async onDeprovision(e){let i=await n.get(e);i&&!r(i)||await t.onDeprovision(e)}}}function Zh(e){let t={customDomains:Dm(e),cache:km({...e.cacheName&&{cacheName:e.cacheName},...e.defaultTtlSeconds!==void 0&&{defaultTtlSeconds:e.defaultTtlSeconds},...e.keyPrefix&&{keyPrefix:e.keyPrefix}}),geo:Dh()};e.r2SqlLogs?t.logs=Um(e.r2SqlLogs):e.analyticsEngineLogs&&(t.logs=mh(e.analyticsEngineLogs)),e.analyticsEngineLogs&&(t.analytics=ph(e.analyticsEngineLogs)),e.analyticsEngineActionExecutions&&(t.actionExecutions=Eh(e.analyticsEngineActionExecutions));let n=kh(e.rateLimitBindings);return n&&(t.rateLimit=n),t}exports.CloudflareApiClient=Bh,exports.CloudflareApiError=Rh,exports.CloudflareCodeExecutor=Mh,exports.DispatchNamespaceCodeExecutor=jh,exports.WorkerLoaderCodeExecutor=Lh,exports.createAnalyticsEngineActionExecutionsAdapter=Eh,exports.createAnalyticsEngineAnalyticsAdapter=ph,exports.createAnalyticsEngineLogsAdapter=mh,exports.createAnalyticsEngineStatsAdapter=ih,exports.createCloudflareRateLimitAdapter=kh,exports.createCloudflareWfpD1Provisioner=Jh,exports.createR2SQLLogsAdapter=Um,exports.createR2SQLStatsAdapter=Hm,exports.createWfpTenantProvisioningHook=Xh,exports.default=Zh,exports.generateWorkerScript=Ah;

package/dist/cloudflare-adapter.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { StatsAdapter, LogsDataAdapter, AnalyticsAdapter, ActionExecutionsAdapter, RateLimitScope, RateLimitAdapter, CustomDomainsAdapter, CodeExecutor, CodeExecutionResult, CacheAdapter, GeoAdapter } from '@authhero/adapter-interfaces';
+import { StatsAdapter, LogsDataAdapter, AnalyticsAdapter, ActionExecutionsAdapter, RateLimitScope, RateLimitAdapter, CustomDomainsAdapter, CodeExecutor, CodeExecutionResult, TenantsDataAdapter, CacheAdapter, GeoAdapter } from '@authhero/adapter-interfaces';
 interface R2SQLLogsAdapterConfig {
     /**
@@ -508,6 +508,345 @@ declare class WorkerLoaderCodeExecutor implements CodeExecutor {
     }): Promise<CodeExecutionResult>;
 }
+/**
+ * Public types for the Workers-for-Platforms + D1 tenant provisioner.
+ *
+ * Wire-up shape — the operator constructs a provisioner once at control-plane
+ * boot and passes its `onProvision` / `onDeprovision` to
+ * `@authhero/multi-tenancy`'s `databaseIsolation` config. Every tenant
+ * create/delete in the management API then drives a CF API call sequence
+ * that:
+ *   1. (create) provisions a per-tenant D1, applies migrations, deploys a
+ *      namespaced worker bound to that D1, and uploads secrets to it.
+ *   2. (delete) removes the namespaced worker and its D1.
+ *
+ * Failures throw — the multi-tenancy hook wraps `onProvision` such that a
+ * thrown error rolls the tenant row back. Idempotency on retry is best-effort:
+ * each step checks for "already exists" and continues, but the operator
+ * should treat the provisioning sequence as restartable rather than
+ * transactional.
+ */
+/**
+ * SQL migration to run on every new tenant D1, in order.
+ *
+ * Operators bundle these from `@authhero/drizzle`'s `drizzle/sqlite/` files
+ * via their build tool of choice (vite's `?raw`, esbuild loader, webpack's
+ * raw-loader, etc.) — the provisioner is agnostic about how the SQL gets
+ * loaded.
+ */
+interface ProvisionerMigration {
+    /** Filename, used only for error messages and audit logging. */
+    name: string;
+    /** Full SQL text of the migration. May contain multiple statements. */
+    sql: string;
+}
+/**
+ * Resolver that returns the secret values to upload onto a newly-provisioned
+ * tenant worker. Called once per tenant during `onProvision`.
+ *
+ * Implementations typically pull from a secret store (Vault, GCP Secret
+ * Manager, etc.) — the values must match the control-plane authhero's
+ * expectations for that tenant (notably `ENCRYPTION_KEY` and JWT signing
+ * material, which must be byte-stable to keep encrypted-at-rest data and
+ * issued JWTs valid).
+ */
+type TenantSecretsResolver = (tenantId: string) => Promise<Record<string, string>>;
+interface CloudflareWfpD1ProvisionerOptions {
+    /** Cloudflare account id that owns the namespace, D1s, and tenant workers. */
+    accountId: string;
+    /**
+     * API token with at least these permissions on `accountId`:
+     *   - Workers Scripts:Edit
+     *   - D1:Edit
+     *   - Workers for Platforms:Edit (for namespace ops)
+     */
+    apiToken: string;
+    /** Name of the dispatch namespace tenant workers are deployed into. */
+    dispatchNamespace: string;
+    /**
+     * Base URL of the control-plane authhero. Passed to the tenant worker via
+     * the `CONTROL_PLANE_BASE_URL` env var so its `controlPlaneSync` destination
+     * knows where to POST `controlplane.sync.*` events.
+     */
+    controlPlaneBaseUrl: string;
+    /**
+     * Full JavaScript bundle of the tenant worker. The operator builds this
+     * (typically via esbuild/vite of a thin wrapper that calls
+     * `authhero.init({ ... })`), and passes the resulting JS string here.
+     *
+     * The bundle MUST be self-contained — Cloudflare's script upload doesn't
+     * resolve npm dependencies. Use your bundler's `format: 'esm'` + `external`
+     * lists to inline `authhero`, `@authhero/drizzle`, and friends.
+     */
+    tenantWorkerScript: string;
+    /**
+     * Optional script metadata override. Defaults to
+     * `{ main_module: "index.js", compatibility_date, compatibility_flags: ["nodejs_compat"] }`.
+     * Set `compatibility_date` to the same date the rest of your workers use.
+     */
+    scriptMetadata?: {
+        main_module?: string;
+        compatibility_date?: string;
+        compatibility_flags?: string[];
+    };
+    /**
+     * SQL migrations applied in array order to every new tenant D1. Typically
+     * loaded from `@authhero/drizzle`'s shipped migrations via your build tool.
+     */
+    migrations: ProvisionerMigration[];
+    /**
+     * Resolver that returns the secret values to set on the tenant worker.
+     * Called once per `onProvision`. The provisioner uploads each entry via
+     * the per-script secrets API.
+     */
+    secrets: TenantSecretsResolver;
+    /**
+     * Naming convention for the namespaced script. Supports `{tenant_id}`
+     * placeholder. Defaults to `"{tenant_id}"`.
+     *
+     * Must match whatever the dispatcher synthesizes as `script_name` in its
+     * `dispatch_namespace` handler — otherwise the dispatcher can't reach the
+     * worker after provisioning.
+     */
+    scriptNameTemplate?: string;
+    /**
+     * Naming convention for the per-tenant D1. Supports `{tenant_id}`.
+     * Defaults to `"tenant-{tenant_id}"`. CF accepts most ASCII names; keep
+     * it stable so a re-provision finds the existing D1.
+     */
+    d1NameTemplate?: string;
+    /**
+     * Fetch override (tests only). Defaults to global `fetch`.
+     */
+    fetch?: typeof fetch;
+    /**
+     * Per-request timeout (ms) on the CF API. Defaults to 30s. Individual
+     * D1 migrations can take a few seconds each; the upload of a multi-MB
+     * tenant bundle also takes a noticeable chunk of that.
+     */
+    timeoutMs?: number;
+}
+/**
+ * Outcome of a successful `onProvision` — returned so the caller can persist
+ * the resource IDs back onto the tenant row (`tenants.d1_database_id`,
+ * `tenants.worker_script_name`). The control-plane authhero ships these
+ * fields in its schema; `createWfpTenantProvisioningHook` writes them
+ * automatically.
+ */
+interface ProvisionResult {
+    d1DatabaseId: string;
+    scriptName: string;
+    d1Name: string;
+}
+/**
+ * What `createCloudflareWfpD1Provisioner` returns — the two lifecycle
+ * callbacks that plug into `databaseIsolation` from `@authhero/multi-tenancy`
+ * via the `createWfpTenantProvisioningHook` wrapper (which handles
+ * deployment-type guarding and tenant-row writebacks).
+ */
+interface CloudflareWfpD1Provisioner {
+    onProvision(tenantId: string): Promise<ProvisionResult>;
+    onDeprovision(tenantId: string): Promise<void>;
+}
+/**
+ * Construct the lifecycle hooks for provisioning + deprovisioning a tenant
+ * on Cloudflare Workers-for-Platforms backed by a per-tenant D1.
+ *
+ * Wiring on the control-plane authhero:
+ *
+ * ```ts
+ * import createAdapters from "@authhero/cloudflare-adapter";
+ * import { createCloudflareWfpD1Provisioner } from "@authhero/cloudflare-adapter";
+ * import { initMultiTenant } from "@authhero/multi-tenancy";
+ * import tenantWorkerScript from "./tenant-worker.dist.js?raw";
+ * import migration0001 from "@authhero/drizzle/drizzle/sqlite/0000_initial.sql?raw";
+ *
+ * const provisioner = createCloudflareWfpD1Provisioner({
+ *   accountId: env.CLOUDFLARE_ACCOUNT_ID,
+ *   apiToken: env.CLOUDFLARE_API_TOKEN,
+ *   dispatchNamespace: "authhero-tenants",
+ *   controlPlaneBaseUrl: env.PUBLIC_BASE_URL,
+ *   tenantWorkerScript,
+ *   migrations: [{ name: "0000_initial.sql", sql: migration0001 }],
+ *   secrets: async (tenantId) => ({
+ *     ENCRYPTION_KEY: env.SHARED_ENCRYPTION_KEY,
+ *     ISSUER: `https://${tenantId}.tokens.example.com`,
+ *   }),
+ * });
+ *
+ * const { app } = initMultiTenant({
+ *   dataAdapter,
+ *   controlPlane: { tenantId: "main", clientId: "platform" },
+ *   databaseIsolation: {
+ *     getAdapters: async (tenantId) => { ... },   // resolve per-tenant adapter
+ *     onProvision: provisioner.onProvision,
+ *     onDeprovision: provisioner.onDeprovision,
+ *   },
+ * });
+ * ```
+ *
+ * On tenant create, the management API row write fires
+ * `databaseIsolation.onProvision(tenantId)` which runs the full sequence
+ * below. If any step throws, the upstream `createProvisioningHooks` rolls
+ * back the tenant row — though side effects already taken (D1 created,
+ * partial migrations applied) are NOT rolled back. The operator should
+ * treat re-running `onProvision(tenantId)` as safe; each step is idempotent
+ * on "already exists".
+ */
+declare function createCloudflareWfpD1Provisioner(options: CloudflareWfpD1ProvisionerOptions): CloudflareWfpD1Provisioner;
+/**
+ * Adapt the provisioner to `@authhero/multi-tenancy`'s
+ * `databaseIsolation.onProvision` / `onDeprovision` contract by:
+ *
+ *  1. Looking up the tenant row first and gating on
+ *     `tenant.deployment_type === "wfp"` — shared tenants short-circuit so
+ *     the same control plane can host both kinds without code branches.
+ *  2. Running the provisioner sequence (D1 + script + secrets).
+ *  3. Writing the resulting `d1_database_id` + `worker_script_name` +
+ *     `provisioning_state` back onto the tenant row so the admin UI can
+ *     show real status, and so a redeploy / re-provision knows which
+ *     resource ids to operate on.
+ *  4. On failure, marking `provisioning_state = "failed"` with the error
+ *     message, then re-throwing — the multi-tenancy hook treats the throw
+ *     as a signal to roll back the tenant row.
+ *
+ * Typical wiring on the control-plane authhero:
+ *
+ * ```ts
+ * import { initMultiTenant } from "@authhero/multi-tenancy";
+ * import {
+ *   createCloudflareWfpD1Provisioner,
+ *   createWfpTenantProvisioningHook,
+ * } from "@authhero/cloudflare-adapter";
+ *
+ * const provisioner = createCloudflareWfpD1Provisioner({ ... });
+ * const hook = createWfpTenantProvisioningHook({
+ *   provisioner,
+ *   tenants: dataAdapter.tenants,
+ * });
+ *
+ * const { app } = initMultiTenant({
+ *   dataAdapter,
+ *   databaseIsolation: {
+ *     getAdapters: async (tenantId) => { ... },
+ *     onProvision: hook.onProvision,
+ *     onDeprovision: hook.onDeprovision,
+ *   },
+ * });
+ * ```
+ */
+interface WfpTenantProvisioningHookOptions {
+    provisioner: CloudflareWfpD1Provisioner;
+    tenants: TenantsDataAdapter;
+    /**
+     * Optional override of "should this tenant be WFP-provisioned?". Defaults
+     * to `tenant.deployment_type === "wfp"`. Provide a custom predicate when
+     * the gating signal lives elsewhere (a feature flag, a config table, etc.).
+     */
+    shouldProvision?: (tenant: {
+        id: string;
+        deployment_type?: string;
+        storage_kind?: string;
+    }) => boolean;
+    /**
+     * Optional `console`-compatible logger for warnings emitted when the
+     * tenant row write-back fails after a successful provision. Defaults to
+     * a silent no-op so this module stays test-quiet.
+     */
+    logger?: Pick<Console, "warn">;
+}
+interface WfpTenantProvisioningHook {
+    onProvision(tenantId: string): Promise<void>;
+    onDeprovision(tenantId: string): Promise<void>;
+}
+declare function createWfpTenantProvisioningHook(options: WfpTenantProvisioningHookOptions): WfpTenantProvisioningHook;
+/**
+ * Thin Cloudflare REST API client for the WFP+D1 provisioner.
+ *
+ * Each method maps 1:1 to a documented CF endpoint and returns the parsed
+ * response body. Errors surface as `CloudflareApiError` carrying the HTTP
+ * status, endpoint, and (when JSON) the CF error array — making them easy
+ * to log without re-fetching the response.
+ *
+ * Idempotency is the caller's responsibility — the provisioner sequences
+ * calls and tolerates "already exists" / "not found" depending on the
+ * operation (see `provisioner.ts`).
+ */
+declare class CloudflareApiError extends Error {
+    readonly status: number;
+    readonly endpoint: string;
+    readonly errors: unknown[];
+    readonly body: string;
+    constructor(status: number, endpoint: string, body: string, errors?: unknown[]);
+}
+interface CfApiClientOptions {
+    accountId: string;
+    apiToken: string;
+    fetch?: typeof fetch;
+    timeoutMs?: number;
+    baseUrl?: string;
+}
+interface D1Database {
+    uuid: string;
+    name: string;
+}
+interface D1QueryResult {
+    success: boolean;
+    meta?: Record<string, unknown>;
+    results?: unknown[];
+}
+interface ScriptBinding {
+    type: "d1" | "plain_text" | "secret_text";
+    name: string;
+    id?: string;
+    text?: string;
+}
+interface ScriptUploadOptions {
+    /** Script source (JavaScript ES module). */
+    script: string;
+    /** Main module filename (must match part name in form data). */
+    mainModule: string;
+    /** Compatibility date, ISO yyyy-mm-dd. */
+    compatibilityDate: string;
+    /** Compatibility flags (e.g. `["nodejs_compat"]`). */
+    compatibilityFlags?: string[];
+    /** Bindings to attach (D1, plain_text, etc.). Secrets go via setSecret(). */
+    bindings?: ScriptBinding[];
+    /** Optional tags, stored on the script for operator-side lookup. */
+    tags?: string[];
+}
+declare class CloudflareApiClient {
+    private readonly accountId;
+    private readonly apiToken;
+    private readonly fetchImpl;
+    private readonly timeoutMs;
+    private readonly baseUrl;
+    constructor(options: CfApiClientOptions);
+    createD1Database(name: string): Promise<D1Database>;
+    listD1Databases(name?: string): Promise<D1Database[]>;
+    deleteD1Database(databaseId: string): Promise<void>;
+    /**
+     * Execute a single SQL statement (or batch of `;`-separated statements
+     * permitted by D1) against the given database. Use for applying
+     * migrations one file at a time — the per-call response size cap means
+     * very large single calls can fail; splitting per file keeps each call
+     * bounded by the migration author.
+     */
+    execD1(databaseId: string, sql: string): Promise<D1QueryResult[]>;
+    uploadNamespacedScript(namespace: string, scriptName: string, options: ScriptUploadOptions): Promise<void>;
+    deleteNamespacedScript(namespace: string, scriptName: string): Promise<void>;
+    /**
+     * Set a single secret on a namespaced script. The CF API replaces the
+     * value if a secret with that name already exists, so this is safely
+     * re-runnable.
+     */
+    setNamespacedScriptSecret(namespace: string, scriptName: string, secretName: string, secretValue: string): Promise<void>;
+    private request;
+}
 interface CloudflareAdapters {
     customDomains: CustomDomainsAdapter;
     cache: CacheAdapter;
@@ -519,5 +858,5 @@ interface CloudflareAdapters {
 }
 declare function createAdapters(config: CloudflareConfig): CloudflareAdapters;
-export { CloudflareCodeExecutor, DispatchNamespaceCodeExecutor, WorkerLoaderCodeExecutor, createAnalyticsEngineActionExecutionsAdapter, createAnalyticsEngineAnalyticsAdapter, createAnalyticsEngineLogsAdapter, createAnalyticsEngineStatsAdapter, createCloudflareRateLimitAdapter, createR2SQLLogsAdapter, createR2SQLStatsAdapter, createAdapters as default, generateWorkerScript };
-export type { AnalyticsEngineActionExecutionsAdapterConfig, AnalyticsEngineDataset, AnalyticsEngineLogsAdapterConfig, CloudflareAdapters, CloudflareCodeExecutorConfig, CloudflareConfig, CloudflareRateLimitBinding, CloudflareRateLimitBindings, DispatchNamespace, DispatchNamespaceCodeExecutorConfig, R2SQLLogsAdapterConfig, WorkerCode, WorkerLoader, WorkerLoaderCodeExecutorOptions, WorkerStub };
+export { CloudflareApiClient, CloudflareApiError, CloudflareCodeExecutor, DispatchNamespaceCodeExecutor, WorkerLoaderCodeExecutor, createAnalyticsEngineActionExecutionsAdapter, createAnalyticsEngineAnalyticsAdapter, createAnalyticsEngineLogsAdapter, createAnalyticsEngineStatsAdapter, createCloudflareRateLimitAdapter, createCloudflareWfpD1Provisioner, createR2SQLLogsAdapter, createR2SQLStatsAdapter, createWfpTenantProvisioningHook, createAdapters as default, generateWorkerScript };
+export type { AnalyticsEngineActionExecutionsAdapterConfig, AnalyticsEngineDataset, AnalyticsEngineLogsAdapterConfig, CfApiClientOptions, CloudflareAdapters, CloudflareCodeExecutorConfig, CloudflareConfig, CloudflareRateLimitBinding, CloudflareRateLimitBindings, CloudflareWfpD1Provisioner, CloudflareWfpD1ProvisionerOptions, D1Database, D1QueryResult, DispatchNamespace, DispatchNamespaceCodeExecutorConfig, ProvisionResult, ProvisionerMigration, R2SQLLogsAdapterConfig, ScriptBinding, ScriptUploadOptions, TenantSecretsResolver, WfpTenantProvisioningHook, WfpTenantProvisioningHookOptions, WorkerCode, WorkerLoader, WorkerLoaderCodeExecutorOptions, WorkerStub };