@decocms/start 3.0.0 → 4.0.0

package/.github/workflows/deploy.yml

@@ -1,141 +0,0 @@
-name: deploy (central)
-
-# Reusable workflow that drives `wrangler deploy` for any storefront repo.
-# Worker name is the storefront repo basename by convention; there is no
-# per-site registry. The deploy is gated by the `decocms-deployer` GitHub App
-# being installed on the target storefront repo -- the App-token mint fails
-# (and the deploy never starts) if the App isn't installed there.
-#
-# v3 architecture (D6.2): triggered via `workflow_dispatch` from the storefront,
-# authenticated as the `decocms-deployer` GitHub App. The deploy runs IN THIS
-# REPO'S CONTEXT, so `CLOUDFLARE_API_TOKEN` / `CLOUDFLARE_ACCOUNT_ID` resolve
-# from this repo's plain repo secrets and never leave decocms/deco-start.
-#
-# Caller usage (in the storefront repo, `.github/workflows/deploy.yml`):
-#
-#   on:
-#     push:
-#       branches: [main]
-#   permissions:
-#     contents: read
-#   jobs:
-#     trigger:
-#       runs-on: ubuntu-latest
-#       steps:
-#         - uses: actions/create-github-app-token@v1
-#           id: app-token
-#           with:
-#             app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-#             private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-#             owner: decocms
-#             repositories: deco-start
-#         - env:
-#             GH_TOKEN: ${{ steps.app-token.outputs.token }}
-#           run: |
-#             gh workflow run deploy.yml \
-#               --repo decocms/deco-start \
-#               --ref v3 \
-#               -f site_owner=${GITHUB_REPOSITORY%%/*} \
-#               -f site_name=${GITHUB_REPOSITORY##*/}
-
-on:
-  workflow_dispatch:
-    inputs:
-      site_owner:
-        description: "GitHub org of the storefront (e.g. deco-sites). Defaults to deco-sites."
-        type: string
-        required: false
-        default: deco-sites
-      site_name:
-        description: "Storefront repo basename. Becomes the Cloudflare worker name."
-        type: string
-        required: true
-
-permissions:
-  contents: read
-
-concurrency:
-  group: deploy-${{ inputs.site_owner }}-${{ inputs.site_name }}
-  cancel-in-progress: false
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout deco-start (template + scripts)
-        uses: actions/checkout@v4
-
-      - name: Mint App token for storefront checkout
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-          private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-          owner: ${{ inputs.site_owner }}
-          repositories: ${{ inputs.site_name }}
-
-      # SECURITY: production deploys IGNORE any caller-supplied sha. The deploy
-      # always targets the storefront's CURRENT default-branch HEAD. This means
-      # an attacker with push to repo A who triggers a deploy of repo B can
-      # only force a no-op redeploy of B's current main -- they cannot select
-      # an arbitrary historical commit (no force-rollback attack).
-      - name: Resolve target sha (storefront default branch HEAD)
-        id: target
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          SITE_REPO: ${{ inputs.site_owner }}/${{ inputs.site_name }}
-        run: |
-          set -euo pipefail
-          DEFAULT_BRANCH=$(gh api "repos/$SITE_REPO" --jq .default_branch)
-          SHA=$(gh api "repos/$SITE_REPO/branches/$DEFAULT_BRANCH" --jq .commit.sha)
-          echo "ref=$DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
-          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
-          echo "::notice::Deploying $SITE_REPO @ $DEFAULT_BRANCH ($SHA)"
-
-      - name: Checkout storefront at default-branch HEAD
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ inputs.site_owner }}/${{ inputs.site_name }}
-          ref: ${{ steps.target.outputs.sha }}
-          token: ${{ steps.app-token.outputs.token }}
-          path: site
-          fetch-depth: 1
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Restore npm cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: npm-${{ runner.os }}-${{ hashFiles('site/package-lock.json') }}
-          restore-keys: npm-${{ runner.os }}-
-
-      - name: Install dependencies
-        working-directory: site
-        run: |
-          if [ ! -f package-lock.json ]; then
-            npm install --package-lock-only
-          fi
-          npm ci
-
-      - name: Build
-        working-directory: site
-        run: npm run build
-
-      - name: Generate wrangler.jsonc from template
-        working-directory: site
-        env:
-          DECO_START_PATH: "${{ github.workspace }}"
-          WORKER_NAME: ${{ inputs.site_name }}
-          OUTPUT_PATH: "./wrangler.jsonc"
-        run: node "$DECO_START_PATH/scripts/deploy/build-wrangler-config.mjs"
-
-      - name: Deploy to Cloudflare Workers
-        working-directory: site
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          BUILD_HASH: ${{ steps.target.outputs.sha }}
-        run: npx wrangler deploy --var "BUILD_HASH:${BUILD_HASH:0:7}"

package/.github/workflows/preview.yml

@@ -1,200 +0,0 @@
-name: preview (central)
-
-# Reusable workflow that uploads a preview Worker version (alias) for any
-# storefront repo. Worker name is the storefront repo basename by convention;
-# there is no per-site registry. The preview is gated by the `decocms-deployer`
-# GitHub App being installed on the target storefront repo.
-#
-# v3 architecture (D6.2): triggered via `workflow_dispatch` from the storefront,
-# authenticated as the `decocms-deployer` GitHub App. CF secrets resolve from
-# this repo's plain repo secrets and never leave decocms/deco-start.
-#
-# Caller usage (in the storefront repo, `.github/workflows/preview.yml`):
-#
-#   on:
-#     pull_request:
-#       types: [opened, synchronize, reopened]
-#     push:
-#       branches: ['env/**']
-#   permissions:
-#     contents: read
-#   jobs:
-#     trigger:
-#       runs-on: ubuntu-latest
-#       steps:
-#         - id: meta
-#           run: |
-#             if [ "${{ github.event_name }}" = "pull_request" ]; then
-#               echo "alias=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
-#               echo "sha=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
-#             else
-#               REF="${GITHUB_REF#refs/heads/env/}"
-#               echo "alias=$(echo "$REF" | sed 's|[^a-z0-9-]|-|g')" >> "$GITHUB_OUTPUT"
-#               echo "sha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-#             fi
-#         - uses: actions/create-github-app-token@v1
-#           id: app-token
-#           with:
-#             app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-#             private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-#             owner: decocms
-#             repositories: deco-start
-#         - env:
-#             GH_TOKEN: ${{ steps.app-token.outputs.token }}
-#           run: |
-#             gh workflow run preview.yml \
-#               --repo decocms/deco-start \
-#               --ref v3 \
-#               -f site_owner=${GITHUB_REPOSITORY%%/*} \
-#               -f site_name=${GITHUB_REPOSITORY##*/} \
-#               -f site_sha=${{ steps.meta.outputs.sha }} \
-#               -f alias=${{ steps.meta.outputs.alias }} \
-#               -f pr_number=${{ github.event.pull_request.number || '' }}
-#
-# Note on forks: pull_request runs from forked repos cannot access repo
-# secrets (incl. DECOCMS_DEPLOYER_APP_*), so they cannot trigger previews.
-
-on:
-  workflow_dispatch:
-    inputs:
-      site_owner:
-        description: "GitHub org of the storefront. Defaults to deco-sites."
-        type: string
-        required: false
-        default: deco-sites
-      site_name:
-        description: "Storefront repo basename. Becomes the Cloudflare worker name."
-        type: string
-        required: true
-      site_sha:
-        description: "Commit sha to build & preview. Trusted as-is (preview alias has no production blast radius)."
-        type: string
-        required: true
-      alias:
-        description: "Preview alias name (e.g. pr-123, feature-foo). Must match wrangler alias rules."
-        type: string
-        required: true
-      pr_number:
-        description: "Optional PR number on the storefront repo. If set, the preview URL is commented back on the PR."
-        type: string
-        required: false
-        default: ""
-
-permissions:
-  contents: read
-
-concurrency:
-  group: preview-${{ inputs.site_owner }}-${{ inputs.site_name }}-${{ inputs.alias }}
-  cancel-in-progress: true
-
-jobs:
-  preview:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout deco-start (template + scripts)
-        uses: actions/checkout@v4
-
-      - name: Validate alias format
-        env:
-          ALIAS: ${{ inputs.alias }}
-        run: |
-          set -euo pipefail
-          if ! echo "$ALIAS" | grep -Eq '^[a-z0-9][a-z0-9-]{0,62}$'; then
-            echo "::error::Invalid alias '$ALIAS'. Must be lowercase alphanumeric/hyphens, max 63 chars, start with alphanumeric."
-            exit 1
-          fi
-
-      - name: Mint App token for storefront checkout
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-          private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-          owner: ${{ inputs.site_owner }}
-          repositories: ${{ inputs.site_name }}
-
-      - name: Checkout storefront at requested sha
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ inputs.site_owner }}/${{ inputs.site_name }}
-          ref: ${{ inputs.site_sha }}
-          token: ${{ steps.app-token.outputs.token }}
-          path: site
-          fetch-depth: 1
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Restore npm cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.npm
-          key: npm-${{ runner.os }}-${{ hashFiles('site/package-lock.json') }}
-          restore-keys: npm-${{ runner.os }}-
-
-      - name: Install dependencies
-        working-directory: site
-        run: |
-          if [ ! -f package-lock.json ]; then
-            npm install --package-lock-only
-          fi
-          npm ci
-
-      - name: Build
-        working-directory: site
-        run: npm run build
-
-      - name: Generate wrangler.jsonc from template
-        working-directory: site
-        env:
-          DECO_START_PATH: "${{ github.workspace }}"
-          WORKER_NAME: ${{ inputs.site_name }}
-          OUTPUT_PATH: "./wrangler.jsonc"
-        run: node "$DECO_START_PATH/scripts/deploy/build-wrangler-config.mjs"
-
-      - name: Upload preview version
-        id: deploy
-        working-directory: site
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          ALIAS: ${{ inputs.alias }}
-        run: |
-          set +e
-          OUTPUT=$(npx wrangler versions upload --preview-alias "$ALIAS" 2>&1)
-          EXIT_CODE=$?
-          set -e
-          echo "$OUTPUT"
-          if [ $EXIT_CODE -ne 0 ]; then
-            echo "::error::wrangler versions upload failed with exit code $EXIT_CODE"
-            exit $EXIT_CODE
-          fi
-          PREVIEW_URL=$(echo "$OUTPUT" | grep 'Version Preview URL:' | sed 's/.*Version Preview URL: //')
-          ALIAS_URL=$(echo "$OUTPUT" | grep 'Version Preview Alias URL:' | sed 's/.*Version Preview Alias URL: //')
-          echo "preview_url=${PREVIEW_URL}" >> "$GITHUB_OUTPUT"
-          echo "alias_url=${ALIAS_URL}" >> "$GITHUB_OUTPUT"
-
-      - name: Mint App token for PR comment
-        id: comment-token
-        if: inputs.pr_number != ''
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-          private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-          owner: ${{ inputs.site_owner }}
-          repositories: ${{ inputs.site_name }}
-          permission-pull-requests: write
-
-      - name: Comment preview URL on storefront PR
-        if: inputs.pr_number != ''
-        env:
-          GH_TOKEN: ${{ steps.comment-token.outputs.token }}
-          REPO: ${{ inputs.site_owner }}/${{ inputs.site_name }}
-          PR_NUMBER: ${{ inputs.pr_number }}
-          PREVIEW_URL: ${{ steps.deploy.outputs.preview_url }}
-          ALIAS_URL: ${{ steps.deploy.outputs.alias_url }}
-        run: |
-          set -euo pipefail
-          BODY=$(printf '### Preview deployed\n\n| | URL |\n|---|---|\n| **Version** | %s |\n| **Alias** | %s |\n' "$PREVIEW_URL" "$ALIAS_URL")
-          gh pr comment "$PR_NUMBER" --repo "$REPO" --body "$BODY"

package/.github/workflows/sync-secrets.yml

@@ -1,171 +0,0 @@
-name: sync-secrets (central)
-
-# Reusable workflow. Reconciles the per-storefront `SECRET_*` values stored in
-# this repo's `<site_name>-secrets` GitHub Environment with the Cloudflare
-# Worker's runtime secrets (with the `SECRET_` prefix stripped).
-#
-# Examples:
-#   SECRET_STRIPE_KEY in deco-start env  ->  STRIPE_KEY on the worker
-#
-# v3 architecture (D6.2 / S1): SECRET_* values live in deco-start environments
-# named `<site_name>-secrets` (e.g. `baggagio-tanstack-secrets`). Site teams
-# get per-environment edit/approve permissions via GitHub Environment
-# protection rules, enforced by GitHub itself. CF credentials never leave
-# decocms/deco-start, AND site secrets never leave decocms/deco-start either.
-# The storefront repo holds zero credentials.
-#
-# Defaults to dry-run; the caller must pass `mode=apply` to actually write.
-# Orphans on the worker (present on worker but not in the env as SECRET_*) are
-# warned about, never deleted.
-#
-# Caller usage (in the storefront repo, `.github/workflows/sync-secrets.yml`):
-#
-#   on:
-#     workflow_dispatch:
-#       inputs:
-#         mode:
-#           type: choice
-#           options: [dry-run, apply]
-#           default: dry-run
-#   permissions:
-#     contents: read
-#   jobs:
-#     trigger:
-#       runs-on: ubuntu-latest
-#       steps:
-#         - uses: actions/create-github-app-token@v1
-#           id: app-token
-#           with:
-#             app-id: ${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-#             private-key: ${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-#             owner: decocms
-#             repositories: deco-start
-#         - env:
-#             GH_TOKEN: ${{ steps.app-token.outputs.token }}
-#           run: |
-#             gh workflow run sync-secrets.yml \
-#               --repo decocms/deco-start \
-#               --ref v3 \
-#               -f site_name=${GITHUB_REPOSITORY##*/} \
-#               -f mode=${{ inputs.mode }}
-
-on:
-  workflow_dispatch:
-    inputs:
-      site_name:
-        description: "Storefront repo basename. Becomes the Cloudflare worker name AND the environment name (`<site_name>-secrets`)."
-        type: string
-        required: true
-      mode:
-        description: "dry-run = print diff only | apply = set secrets on worker"
-        type: string
-        required: false
-        default: "dry-run"
-
-permissions:
-  contents: read
-
-concurrency:
-  group: sync-secrets-${{ inputs.site_name }}
-  cancel-in-progress: false
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    # Dynamic per-storefront environment. Site teams get edit/approve
-    # permissions on their own environment via GitHub Environment protection
-    # rules (set up in this repo's Settings -> Environments).
-    environment: ${{ inputs.site_name }}-secrets
-    steps:
-      - name: Checkout deco-start (template + scripts)
-        uses: actions/checkout@v4
-
-      - name: Generate wrangler.jsonc (so wrangler knows which worker to target)
-        env:
-          DECO_START_PATH: "."
-          WORKER_NAME: ${{ inputs.site_name }}
-          OUTPUT_PATH: "./wrangler.jsonc"
-        run: node scripts/deploy/build-wrangler-config.mjs
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Install wrangler
-        run: npm install --no-save wrangler@4
-
-      - name: Plan and (optionally) apply
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          # ALL_SECRETS includes both repo secrets (CLOUDFLARE_*) AND
-          # environment secrets (SECRET_*) because we're bound to the env.
-          ALL_SECRETS: ${{ toJSON(secrets) }}
-          MODE: ${{ inputs.mode }}
-        run: |
-          set -euo pipefail
-
-          desired_json=$(printf '%s' "$ALL_SECRETS" | jq '
-            to_entries
-            | map(select(.key | startswith("SECRET_")))
-            | map({ key: (.key | sub("^SECRET_"; "")), value: .value })
-            | from_entries
-          ')
-
-          desired_names=$(printf '%s' "$desired_json" | jq -r 'keys[]' | sort)
-
-          while IFS= read -r name; do
-            [ -z "$name" ] && continue
-            if ! [[ "$name" =~ ^[A-Z][A-Z0-9_]{0,63}$ ]]; then
-              echo "::error::Invalid worker secret name derived from SECRET_${name}: must match ^[A-Z][A-Z0-9_]{0,63}$"
-              exit 1
-            fi
-          done <<< "$desired_names"
-
-          existing=$(npx wrangler secret list --format=json | jq -r '.[].name' | sort)
-
-          to_set="$desired_names"
-          orphans=$(comm -23 <(printf '%s\n' "$existing") <(printf '%s\n' "$desired_names") || true)
-
-          {
-            echo "## Diff for ${{ inputs.site_name }}"
-            echo ""
-            echo "### Will set (from SECRET_* in \`${{ inputs.site_name }}-secrets\` environment):"
-            if [ -z "$to_set" ]; then
-              echo "  (none -- environment has no SECRET_* values)"
-            else
-              echo "$to_set" | sed 's/^/  + /'
-            fi
-            echo ""
-            echo "### Orphans (on worker, not in env as SECRET_*):"
-            if [ -z "$orphans" ]; then
-              echo "  (none)"
-            else
-              echo "$orphans" | sed 's/^/  ! /'
-              echo ""
-              echo "  These will NOT be deleted automatically. To remove manually:"
-              echo "$orphans" | sed 's|^|    npx wrangler secret delete "|; s|$|" --force|'
-            fi
-          } | tee -a "$GITHUB_STEP_SUMMARY"
-
-          if [ -n "$orphans" ]; then
-            echo "::warning::${orphans//$'\n'/, } exist on the worker but not in env as SECRET_*. Not deleting."
-          fi
-
-          if [ "$MODE" = "dry-run" ]; then
-            echo "::notice::dry-run mode -- no changes applied"
-            exit 0
-          fi
-
-          if [ -z "$to_set" ]; then
-            echo "Nothing to apply."
-            exit 0
-          fi
-
-          printf '%s' "$desired_json" | jq -r 'to_entries[] | "\(.key)\t\(.value)"' \
-            | while IFS=$'\t' read -r name value; do
-                echo "Setting $name..."
-                printf '%s' "$value" | npx wrangler secret put "$name"
-              done
-
-          echo "::notice::Applied $(echo "$to_set" | wc -l | tr -d ' ') secrets."

package/deploy/README.md

@@ -1,121 +0,0 @@
-# `deploy/` — central wrangler template
-
-This directory holds **`wrangler-template.jsonc`** — the canonical wrangler config
-that every storefront on the platform inherits. It is consumed by the reusable
-GitHub workflows under [`.github/workflows/`](../.github/workflows/)
-(`deploy.yml`, `preview.yml`, `sync-secrets.yml`) and by the local
-`deco-wrangler` CLI.
-
-There is **no per-site registry**. Worker name is the storefront repo basename
-by convention (`deco-sites/baggagio-tanstack` → worker `baggagio-tanstack`).
-Anything that must vary deterministically per worker (like the Analytics Engine
-dataset name) is encoded as a substitution token in the template — see
-[Substitution tokens](#substitution-tokens) below.
-
-## Trust model
-
-The deploy is gated by the `decocms-deployer` **GitHub App** being installed on
-the target storefront repo:
-
-1. The storefront's caller workflow mints a short-lived App-installation token.
-2. It calls `gh workflow run deploy.yml --repo decocms/deco-start -f site_owner=… -f site_name=…`.
-3. The central deploy workflow runs **in this repo's context** and itself mints
-   another short-lived App-installation token to check out the storefront. If
-   the App isn't installed on `<site_owner>/<site_name>`, the mint fails and
-   the deploy never starts.
-4. The central workflow then runs build + `wrangler deploy` using
-   `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ACCOUNT_ID` from this repo's plain
-   repo secrets.
-
-Properties this gives:
-
-- **CF credentials never leave decocms/deco-start.** The storefront repo holds
-  zero Cloudflare credentials — it only has the GitHub App credentials, which
-  can be used solely to trigger workflows on this repo.
-- **Worker naming is convention-based and not customer-controlled.** A
-  customer with push access to their own storefront cannot rename the worker
-  their deploy lands on (the central workflow always uses
-  `inputs.site_name` as the worker name; modifying the caller stub to pass a
-  different `site_name` would also require the App to be installed on that
-  other repo).
-- **Force-rollback is impossible for production.** The central deploy
-  workflow ignores any caller-supplied sha and always resolves the
-  storefront's current default-branch HEAD itself. The worst a compromised
-  storefront can do across tenants is trigger a no-op redeploy of another
-  storefront's current main.
-
-`deploy/` and `scripts/deploy/` and the central workflow files are
-CODEOWNERS-protected — only the platform team approves changes.
-
-### Where Cloudflare credentials live
-
-| Secret class | Lives in | How it reaches the worker |
-|---|---|---|
-| `CLOUDFLARE_API_TOKEN` / `CLOUDFLARE_ACCOUNT_ID` | this repo's **repo secrets** | central workflow runs in this repo's context, env-var resolves natively |
-| `DECOCMS_DEPLOYER_APP_ID` / `DECOCMS_DEPLOYER_APP_PRIVATE_KEY` | this repo's repo secrets AND deco-sites org-level secrets | mints short-lived installation tokens for both directions of the dispatch flow |
-| `SECRET_*` runtime secrets (per site) | this repo's `<site_name>-secrets` GitHub Environment | `sync-secrets.yml` binds to that environment, reads `SECRET_*` from `${{ secrets }}`, runs `wrangler secret put` |
-
-To rotate Cloudflare credentials, edit them in this repo only. To rotate a
-runtime secret for one storefront, edit the corresponding environment in this
-repo only. No storefront PR needed for either.
-
-## How `wrangler.jsonc` is generated
-
-At deploy time, the central workflow runs
-[`scripts/deploy/build-wrangler-config.mjs`](../scripts/deploy/build-wrangler-config.mjs),
-which:
-
-1. Loads `deploy/wrangler-template.jsonc`.
-2. Substitutes `$WORKER_*` tokens (see below) using the worker name passed by
-   the central workflow (= storefront repo basename).
-3. Writes the result to `./wrangler.jsonc` in the storefront checkout, with
-   `name` injected as the first key.
-
-`account_id` is never written to JSON — wrangler reads it from
-`CLOUDFLARE_ACCOUNT_ID` (env var in CI; `wrangler login` locally). This way a
-typo cannot misroute a deploy to a different Cloudflare account.
-
-### Substitution tokens
-
-Any string in the template containing one of these literals is replaced at
-build time:
-
-| Token | Replacement | Example use |
-|---|---|---|
-| `$WORKER_NAME` | worker name verbatim | rare; mostly available for parity |
-| `$WORKER_UNDERSCORE` | worker name with `-` → `_` | `analytics_engine_datasets[].dataset` (must be a valid Postgres-style identifier) |
-
-To add a new derived field, add the token wherever it makes sense in
-`wrangler-template.jsonc`. Anything not in the substitution table appears
-verbatim in the generated config.
-
-## Adding a new site
-
-1. Install the `decocms-deployer` GitHub App on the new storefront repo
-   (Settings → Integrations → GitHub Apps in the deco-sites org).
-2. Add the four caller workflow stubs to the new repo (copy from any existing
-   storefront's `.github/workflows/{deploy,preview,sync-secrets,regen-blocks}.yml`).
-3. Add `wrangler.jsonc` to the new repo's `.gitignore` and add the
-   `gen:wrangler` / `predev` / `prebuild` / `types` scripts to `package.json`
-   so local dev still works (use any existing storefront as a template).
-4. If the site needs runtime secrets, create a new environment in this repo
-   named `<repo-basename>-secrets` and add the `SECRET_*` values there. Set
-   environment protection rules to grant the site team self-service access to
-   their own environment.
-5. Push to `main` and verify the deploy lands on a worker named after the repo.
-
-## Migrating an existing site whose worker name doesn't match its repo
-
-Two cases to be aware of:
-
-- **Worker rename.** The worker created by the first deploy will use the repo
-  basename. If an old worker exists with a different name (e.g.
-  `miess-01-tanstack` repo whose old worker was `miess-tanstack`), you'll need
-  a manual cutover: deploy the new worker, re-attach custom domain routes via
-  the Cloudflare dashboard, copy any wrangler secrets, then delete the old
-  worker. There is intentionally no per-site override for this — these cases
-  are rare and best resolved at the CF layer.
-- **AE dataset rename.** The dataset name is derived from worker name, so a
-  worker rename also changes the AE dataset. Old data remains queryable under
-  the old dataset name; new data goes to the new name. Update Grafana panels
-  and saved queries accordingly.

package/deploy/wrangler-template.jsonc

@@ -1,46 +0,0 @@
-// Canonical wrangler.jsonc template for every storefront on the platform.
-//
-// There is no per-site registry. Worker name == storefront repo basename by
-// convention; the central deploy workflows pass `WORKER_NAME` to the build
-// script, which substitutes `$WORKER_*` tokens in this template and writes
-// the result to `wrangler.jsonc` in the caller checkout.
-//
-// Substitution tokens (see scripts/deploy/site-registry.mjs):
-//   $WORKER_NAME        -> worker name verbatim         (e.g. "als-tanstack")
-//   $WORKER_UNDERSCORE  -> worker name, `-` -> `_`      (e.g. "als_tanstack")
-//
-// To upgrade compatibility flags, observability, KV bindings, or any field
-// that should change for every site at once, change this file and tag a new
-// deco-start release.
-//
-// Notes on what is INTENTIONALLY missing here:
-//   - "name" -- always derived from the per-site `worker_name`.
-//   - "account_id" -- never lives in the JSON. Wrangler reads it from the
-//     CLOUDFLARE_ACCOUNT_ID env var in CI and from local config otherwise.
-//     This way, a typo in JSON cannot misroute a deploy.
-//   - "routes" -- production custom domains are managed in the Cloudflare
-//     dashboard, not in JSON. Avoids drift between JSON and CF reality and
-//     means a site going live doesn't need a deco-start PR.
-//
-// To upgrade compatibility flags, observability, or worker-entry path across
-// every site at once, change this file and tag a new deco-start release.
-{
-  "compatibility_date": "2026-02-14",
-  "compatibility_flags": ["nodejs_compat", "no_handle_cross_request_promise_resolution"],
-  "main": "./src/worker-entry.ts",
-  "workers_dev": true,
-  "preview_urls": true,
-  "kv_namespaces": [
-    { "binding": "SITES_KV", "id": "ad0b74fc4d9341c9af9149c4ab85132f" }
-  ],
-  "version_metadata": { "binding": "CF_VERSION_METADATA" },
-  "analytics_engine_datasets": [
-    { "binding": "DECO_METRICS", "dataset": "deco_metrics_$WORKER_UNDERSCORE" }
-  ],
-  "observability": {
-    "logs": {
-      "enabled": true,
-      "invocation_logs": true
-    }
-  }
-}