@dragonmastery/tamer 0.1.1 → 0.28.0

package/dist/logpush-job-xS7270FZ.mjs

@@ -0,0 +1,1106 @@
+import { m as getLogpushJobs } from "./normalize-Bx0bpFop.mjs";
+import { n as r2S3CredentialsFromEnv, t as emptyR2BucketViaS3 } from "./r2S3EmptyBucket-DD81ZWQ7.mjs";
+
+//#region src/features/logpush-job/logpush-job.resolve.ts
+const DEFAULT_WORKERS_TRACE_LOG_FIELD_NAMES = [
+	"Event",
+	"EventTimestampMs",
+	"Outcome",
+	"Exceptions",
+	"Logs",
+	"ScriptName"
+];
+function logpushJobStateKey(tenantId, logicalName, env) {
+	return `logpush_job:t-${tenantId}-${logicalName}-${env}`;
+}
+function logpushJobCloudflareName(config, tenant, env) {
+	return config.jobName?.trim() || `tamer-${tenant.slug}-${config.logicalName}-${env}`;
+}
+function findR2BucketDerivedName(state, logicalName) {
+	for (const e of Object.values(state.getAll())) if (e.type === "r2_bucket" && e.logicalName === logicalName) return e.derivedName;
+}
+function buildR2WorkersTraceDestinationConf(args) {
+	const prefix = args.pathPrefix.replace(/^\/+|\/+$/g, "");
+	const path = prefix ? `${args.bucketDerivedName}/${prefix}/{DATE}` : `${args.bucketDerivedName}/{DATE}`;
+	const ak = encodeURIComponent(args.accessKeyId);
+	const sk = encodeURIComponent(args.secretAccessKey);
+	return `r2://${path}?account-id=${args.accountId}&access-key-id=${ak}&secret-access-key=${sk}`;
+}
+const PIPELINES_INGEST_HOST_SUFFIX = "ingest.cloudflare.com";
+/**
+* Pipelines list/create may return `endpoint` (full ingest URL). Prefer its
+* origin for Logpush `destination_conf` so the hostname matches what Cloudflare
+* registered for the stream.
+*/
+function ingestOriginFromPipelinesStreamEndpoint(endpoint) {
+	const raw = endpoint?.trim();
+	if (!raw) return void 0;
+	try {
+		return new URL(raw).origin;
+	} catch {
+		return;
+	}
+}
+/** Normalize a Pipelines id to 32 lowercase hex digits (strip UUID dashes). */
+function normalizePipelinesHexId(raw, label) {
+	const s = raw.trim().toLowerCase().replace(/-/g, "");
+	if (!/^[0-9a-f]{32}$/.test(s)) throw new Error(`${label} must be 32 hex characters (UUID with or without dashes); got "${raw}"`);
+	return s;
+}
+/**
+* Logpush `destination_conf` for Workers trace → Pipelines stream HTTP ingest.
+* Matches the shape produced by Cloudflare when creating a Pipelines Logpush job
+* (`pipeline_id` + `header_Authorization` query params).
+*/
+function buildPipelinesIngestDestinationConf(args) {
+	const pipeline = normalizePipelinesHexId(args.pipelineId, "pipelinesIngest.pipelineId");
+	const header = encodeURIComponent(`Bearer ${args.bearerToken}`);
+	return `${args.ingestBaseUrl?.trim().replace(/\/+$/, "") || `https://${normalizePipelinesHexId(args.streamId, "pipelinesIngest.streamId")}.${PIPELINES_INGEST_HOST_SUFFIX}`}?pipeline_id=${pipeline}&header_Authorization=${header}`;
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-pipelines-key.ts
+/** State row for a provisioned Pipelines graph backing a `pipelinesAuto` Logpush job. */
+function logpushPipelinesStateKey(tenantId, logicalName, env) {
+	return `logpush_pipelines:t-${tenantId}-${logicalName}-${env}`;
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-pipelines-trace-schema.ts
+/**
+* Pipelines stream schema for `workers_trace_events` (matches Logpush field set).
+* @see https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/workers-trace/
+*/
+const WORKERS_TRACE_PIPELINES_SCHEMA_FIELDS = [
+	{
+		name: "CPUTimeMs",
+		type: "int64",
+		required: false
+	},
+	{
+		name: "DispatchNamespace",
+		type: "string",
+		required: false
+	},
+	{
+		name: "Entrypoint",
+		type: "string",
+		required: false
+	},
+	{
+		name: "Event",
+		type: "json",
+		required: false
+	},
+	{
+		name: "EventTimestampMs",
+		type: "int64",
+		required: false
+	},
+	{
+		name: "EventType",
+		type: "string",
+		required: false
+	},
+	{
+		name: "Exceptions",
+		type: "list",
+		required: false,
+		items: {
+			name: "item",
+			type: "json"
+		}
+	},
+	{
+		name: "Logs",
+		type: "list",
+		required: false,
+		items: {
+			name: "item",
+			type: "json"
+		}
+	},
+	{
+		name: "Outcome",
+		type: "string",
+		required: false
+	},
+	{
+		name: "ScriptName",
+		type: "string",
+		required: false
+	},
+	{
+		name: "ScriptTags",
+		type: "list",
+		required: false,
+		items: {
+			name: "item",
+			type: "string"
+		}
+	},
+	{
+		name: "ScriptVersion",
+		type: "json",
+		required: false
+	},
+	{
+		name: "WallTimeMs",
+		type: "int64",
+		required: false
+	}
+];
+function buildWorkersTracePipelinesStreamBody(streamName) {
+	return {
+		name: streamName,
+		format: {
+			type: "json",
+			timestamp_format: "rfc3339"
+		},
+		schema: { fields: WORKERS_TRACE_PIPELINES_SCHEMA_FIELDS },
+		http: {
+			enabled: true,
+			authentication: true,
+			cors: {}
+		},
+		worker_binding: { enabled: true }
+	};
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-pipelines-account-tokens.ts
+const MAX_TOKEN_NAME = 200;
+function trunc$1(s, max) {
+	return s.length <= max ? s : s.slice(0, max);
+}
+function findGroupId(groups, match, label) {
+	const g = groups.find((x) => match(x.name));
+	if (g) return g.id;
+	const sample = groups.filter((x) => /r2|pipeline|data catalog|send/i.test(x.name)).map((x) => x.name).slice(0, 12);
+	throw new Error(`logpushJobs pipelinesAuto: could not find permission group for ${label} (R2 / Pipelines names change over time). Sample matching names: ${sample.length ? sample.join("; ") : "(none)"}. Total groups listed: ${groups.length}.`);
+}
+async function resolvePipelinesAutoPermissionGroups(api) {
+	const groups = await api.accountTokenPermissionGroupsListAll();
+	return {
+		r2DataCatalogId: findGroupId(groups, (n) => n === "Workers R2 Data Catalog Write" || n === "Workers R2 Data Catalog Edit" || /r2/i.test(n) && /data catalog/i.test(n) && /(write|edit)/i.test(n), "Workers R2 Data Catalog (Edit / Write — same as dashboard token builder)"),
+		r2AccountStorageWriteId: findGroupId(groups, (n) => !/bucket item/i.test(n) && (n === "Workers R2 Storage Write" || n === "Workers R2 Storage Edit" || /workers r2 storage/i.test(n) && /(write|edit)/i.test(n)), "Workers R2 Storage Write (account — required for R2 Data Catalog warehouse / Iceberg data paths)"),
+		pipelinesSendId: findGroupId(groups, (n) => /pipelines/i.test(n) && /send/i.test(n) || n === "Workers Pipelines Send", "Workers Pipelines Send (stream ingest)")
+	};
+}
+/**
+* Create two account tokens to match the Cloudflare dashboard:
+* - **Pipelines Send** only (Logpush → stream HTTP ingest).
+* - **R2 Data Catalog** only (account scope), for `POST …/r2-catalog/…/credential` and
+*   the `r2_data_catalog` sink `config.token` — like `[Pipelines] Data Catalog: …` in the UI.
+*/
+async function mintPipelinesAutoAccountTokens(api, accountId, tokenNamePrefix) {
+	console.log("pipelinesAuto: fetching API token permission groups (paginated) and minting two account tokens…");
+	const g = await resolvePipelinesAutoPermissionGroups(api);
+	const accountRes = `com.cloudflare.api.account.${accountId}`;
+	const dataCatalogName = trunc$1(`${tokenNamePrefix} data-catalog`, MAX_TOKEN_NAME);
+	const r2Result = await api.accountTokenCreate({
+		name: dataCatalogName,
+		policies: [{
+			effect: "allow",
+			permission_groups: [{ id: g.r2DataCatalogId }, { id: g.r2AccountStorageWriteId }],
+			resources: { [accountRes]: "*" }
+		}]
+	});
+	if (!r2Result.value) throw new Error("Account Token API: expected result.value (secret) for R2 Data Catalog token — token create response incomplete");
+	const sendName = trunc$1(`${tokenNamePrefix} pipelines-send`, MAX_TOKEN_NAME);
+	const sendResult = await api.accountTokenCreate({
+		name: sendName,
+		policies: [{
+			effect: "allow",
+			permission_groups: [{ id: g.pipelinesSendId }],
+			resources: { [accountRes]: "*" }
+		}]
+	});
+	if (!sendResult.value) {
+		try {
+			await api.accountTokenDelete(r2Result.id);
+		} catch {}
+		throw new Error("Account Token API: expected result.value (secret) for Pipelines Send token — token create response incomplete");
+	}
+	return {
+		r2CatalogTokenId: r2Result.id,
+		r2CatalogTokenValue: r2Result.value,
+		pipelinesSendTokenId: sendResult.id,
+		pipelinesSendTokenValue: sendResult.value
+	};
+}
+/**
+* Display names (after truncation) for the two minted account tokens. Must
+* match {@link mintPipelinesAutoAccountTokens} and `tokenPrefix` in
+* `ensurePipelinesLogpushProvision` (`Tamer {slug} {logical} {env}`).
+*/
+function derivePipelinesAutoMintedTokenNames(tenant, logicalName, env) {
+	const tokenPrefix = `Tamer ${tenant.slug} ${logicalName} ${env}`;
+	return {
+		dataCatalog: trunc$1(`${tokenPrefix} data-catalog`, MAX_TOKEN_NAME),
+		pipelinesSend: trunc$1(`${tokenPrefix} pipelines-send`, MAX_TOKEN_NAME)
+	};
+}
+/**
+* List account API tokens and revoke any that match the minted `pipelinesAuto`
+* names. Use on destroy when state did not have token ids, deletes failed, or
+* ids were wrong — same names as at mint time.
+*/
+async function reconcilePipelinesAutoMintedAccountTokensByName(api, tenant, logicalName, env) {
+	const { dataCatalog, pipelinesSend } = derivePipelinesAutoMintedTokenNames(tenant, logicalName, env);
+	const legacyDataCatalog = trunc$1(`${`Tamer ${tenant.slug} ${logicalName} ${env}`} r2+catalog+sink`, MAX_TOKEN_NAME);
+	const want = new Set([
+		dataCatalog,
+		pipelinesSend,
+		legacyDataCatalog
+	]);
+	const tokens = await api.accountTokenListAll();
+	for (const t of tokens) {
+		const name = t.name ?? "";
+		if (!t.id || !want.has(name)) continue;
+		try {
+			await api.accountTokenDelete(t.id);
+			console.log(`Pipelines: destroy reconcile — revoked account API token "${name}" [id ${t.id}].`);
+		} catch (e) {
+			console.warn(`Pipelines: destroy reconcile — account API token "${name}" [id ${t.id}]:`, e instanceof Error ? e.message : e);
+		}
+	}
+}
+
+//#endregion
+//#region src/features/logpush-job/pipelinesSinkCatalogTableError.ts
+/**
+* Pipelines v1 `r2_data_catalog` sink HTTP 422 / code 1012: existing Iceberg
+* table in the R2 Data Catalog — not “wrong token”.
+*/
+function isPipelinesSinkExistingCatalogTableError(err) {
+	const m = err instanceof Error ? err.message : String(err);
+	return /\b(code:\s*1012|1012)\b/i.test(m) && /existing catalog|not yet supported|sink definition was invalid/i.test(m);
+}
+/**
+* Actionable copy for `tamer apply` when Cloudflare refuses to create a sink
+* that would write to an existing table.
+*/
+function pipelinesSink1012RecoveryMessage(logicalName, namespace, tableName, catalogBucket) {
+	return [
+		`logpushJobs.${logicalName}: Pipelines r2_data_catalog sink was rejected (HTTP 422, code 1012).`,
+		`The Iceberg table "${namespace}" / "${tableName}" already exists in the R2 Data Catalog for bucket "${catalogBucket}".`,
+		`This API path only creates a new table — it does not attach to an existing one.`,
+		``,
+		`What to do:`,
+		`  • In tamer/project.config.ts, set a new pipelinesAuto.tableName (e.g. "${tableName}_v2" or a dated suffix), and/or change pipelinesAuto.namespace.`,
+		`  • Or use a new catalog R2 bucket with no prior Iceberg layout.`,
+		`  • Removing old catalog data in the bucket is possible but advanced — only if you intend to delete that data.`
+	].join("\n");
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-pipelines-provision.ts
+const MAX_CF_NAME = 200;
+/**
+* Resolves the Iceberg `table_name` for a **new** `r2_data_catalog` sink.
+* When `tableNameAppendTimestamp` is not `false`, appends `_${ms}` to avoid
+* HTTP 422 / 1012 if a table with the same base name is still in the catalog.
+*/
+function pipelinesAutoIcebergTableNameForNewSink(baseTable, tableNameAppendTimestamp, now = Date.now()) {
+	const base = baseTable.trim();
+	if (!base) throw new Error("pipelinesAuto: tableName (base) is required");
+	if (tableNameAppendTimestamp === false) return base;
+	return `${base}_${now}`;
+}
+/**
+* Pipelines `GET /sinks/{id}` is the source of truth for how the catalog
+* registered the table (may differ from the `table_name` sent on create, e.g.
+* suffix normalization).
+*/
+function r2DataCatalogFromSinkGet(result) {
+	if (result.type !== "r2_data_catalog" || !result.config) return {};
+	const c = result.config;
+	const tableName = typeof c.table_name === "string" ? c.table_name.trim() : void 0;
+	const namespace = typeof c.namespace === "string" ? c.namespace.trim() : void 0;
+	return {
+		tableName: tableName || void 0,
+		namespace: namespace || void 0
+	};
+}
+/**
+* Pipelines may report `worker_trace_events_<ms>` from create/GET while R2 SQL
+* `SHOW TABLES` only lists the base name (e.g. `worker_trace_events`). Use the
+* base + long-numeric-suffix pattern so stack outputs match R2 SQL.
+*/
+function normalizeIcebergTableNameForR2SqlState(pipelinesReported, configBaseTable) {
+	const p = pipelinesReported.trim();
+	const base = configBaseTable.trim();
+	if (!base) return p;
+	if (p === base) return p;
+	const escaped = base.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+	if ((/* @__PURE__ */ new RegExp(`^${escaped}_(\\d{10,})$`)).test(p)) return base;
+	return p;
+}
+/**
+* R2 Data Catalog `GET …/r2-catalog` and `POST …/r2-catalog/…/enable` use
+* **CLOUDFLARE_API_TOKEN** (apply token) — not the minted sub-tokens.
+*/
+function throwPipelinesAutoR2CatalogApplyTokenError(logicalName, step, cause) {
+	const orig = cause instanceof Error ? cause.message : String(cause);
+	throw new Error(`logpushJobs.${logicalName} pipelinesAuto: ${step} — your **apply** API token (CLOUDFLARE_API_TOKEN) must be allowed to use the **R2 Data Catalog** account API (\`/accounts/.../r2-catalog/...\` — e.g. **Workers R2 Data Catalog: Edit** in the API token permissions for this account). That is separate from **Account API Tokens: Edit** (used only to mint the two sub-tokens) and separate from those minted tokens, which are only for the catalog credential + Pipelines. Original: ${orig}`);
+}
+function safeIdPart(s) {
+	return s.replace(/[^a-zA-Z0-9_]/g, "_").toLowerCase();
+}
+function trunc(s) {
+	return s.length <= MAX_CF_NAME ? s : s.slice(0, MAX_CF_NAME);
+}
+/** Stream / sink / pipeline names safe for Pipelines SQL identifiers. */
+function derivePipelinesLogpushResourceNames(tenant, logicalName, env) {
+	const base = trunc(`tamer_${safeIdPart(tenant.slug)}_${safeIdPart(logicalName)}_${safeIdPart(env)}_wtr`);
+	return {
+		streamName: trunc(`${base}_stream`),
+		sinkName: trunc(`${base}_sink`),
+		pipelineName: trunc(`${base}_pl`)
+	};
+}
+/**
+* Idempotent: enables R2 catalog, stores credentials, creates stream, sink, pipeline.
+*/
+async function ensurePipelinesLogpushProvision(config, auto, tenant, env, accountId, state, api) {
+	const pkey = logpushPipelinesStateKey(tenant.id, config.logicalName, env);
+	const prior = state.get(pkey);
+	const tokenPrefix = `Tamer ${tenant.slug} ${config.logicalName} ${env}`;
+	const bucketDerived = findR2BucketDerivedName(state, auto.catalogBucketLogicalName);
+	if (!bucketDerived) throw new Error(`logpushJobs.${config.logicalName}: R2 bucket "${auto.catalogBucketLogicalName}" is not in state — apply R2 first`);
+	let r2CatId = prior?.type === "logpush_pipelines" ? prior.mintedR2CatalogTokenId : void 0;
+	let r2CatVal = prior?.type === "logpush_pipelines" ? prior.mintedR2CatalogTokenValue : void 0;
+	let sendId = prior?.type === "logpush_pipelines" ? prior.mintedPipelinesSendTokenId : void 0;
+	let sendVal = prior?.type === "logpush_pipelines" ? prior.mintedPipelinesSendTokenValue : void 0;
+	if (!r2CatId || !r2CatVal || !sendId || !sendVal) {
+		if (prior?.type === "logpush_pipelines" && (r2CatId || r2CatVal || sendId || sendVal)) console.warn(`logpushJobs.${config.logicalName}: state has partial minted token fields — creating fresh account tokens; old token ids may need manual cleanup in the dashboard.`);
+		const minted = await mintPipelinesAutoAccountTokens(api, accountId, tokenPrefix);
+		r2CatId = minted.r2CatalogTokenId;
+		r2CatVal = minted.r2CatalogTokenValue;
+		sendId = minted.pipelinesSendTokenId;
+		sendVal = minted.pipelinesSendTokenValue;
+	}
+	const cred = r2CatVal;
+	console.log(`logpushJobs.${config.logicalName}: enabling R2 Data Catalog on \"${bucketDerived}\" (uses **CLOUDFLARE_API_TOKEN**; see README)…`);
+	try {
+		await api.r2DataCatalogEnable(bucketDerived);
+	} catch (e) {
+		const msg = e instanceof Error ? e.message : String(e);
+		if (!/exists|already|active/i.test(msg)) throwPipelinesAutoR2CatalogApplyTokenError(config.logicalName, "R2 Data Catalog enable (POST .../r2-catalog/{bucket}/enable)", e);
+	}
+	try {
+		await api.r2DataCatalogStoreCredential(bucketDerived, cred);
+	} catch (e) {
+		const msg = e instanceof Error ? e.message : String(e);
+		if (!/exists|already|present/i.test(msg)) throwPipelinesAutoR2CatalogApplyTokenError(config.logicalName, "store R2 Data Catalog credentials (POST .../r2-catalog/{bucket}/credential)", e);
+	}
+	const ns = (auto.namespace ?? "default").trim() || "default";
+	const baseTable = auto.tableName.trim();
+	if (!baseTable) throw new Error(`logpushJobs.${config.logicalName}: pipelinesAuto.tableName is required`);
+	const names = derivePipelinesLogpushResourceNames(tenant, config.logicalName, env);
+	let stream = (await api.pipelinesV1StreamListAll()).find((s) => s.name === names.streamName);
+	let streamCreatedFresh = false;
+	if (!stream) {
+		const body = buildWorkersTracePipelinesStreamBody(names.streamName);
+		stream = await api.pipelinesV1StreamCreate(body);
+		streamCreatedFresh = true;
+		console.log(`Created Pipelines stream "${names.streamName}" [id ${stream.id}] (Workers trace schema).`);
+	} else console.log(`Pipelines stream "${names.streamName}" already exists [id ${stream.id}].`);
+	const streamIngestBaseUrl = ingestOriginFromPipelinesStreamEndpoint(stream.endpoint);
+	/** Logpush validates HTTPS to ingest; new stream subdomains can lag DNS briefly. */
+	if (streamCreatedFresh) {
+		const settleMs = 2500;
+		console.log(`logpushJobs.${config.logicalName}: waiting ${settleMs}ms for new stream ingest hostname before Logpush job step…`);
+		await new Promise((r) => setTimeout(r, settleMs));
+	}
+	const sinks = await api.pipelinesV1SinkListAll();
+	const rowGroup = auto.sinkRowGroupBytes ?? 134217728;
+	const fileSize = auto.sinkRollingFileSizeBytes ?? 100 * 1024 * 1024;
+	const interval = auto.sinkRollingIntervalSeconds ?? 300;
+	let sink = sinks.find((s) => s.name === names.sinkName);
+	let r2DataCatalogTableName = prior?.type === "logpush_pipelines" ? prior.r2DataCatalogTableName : void 0;
+	let r2DataCatalogTableNamePipelines = prior?.type === "logpush_pipelines" ? prior.r2DataCatalogTableNamePipelines : void 0;
+	if (!sink) {
+		const icebergTable = pipelinesAutoIcebergTableNameForNewSink(baseTable, auto.tableNameAppendTimestamp);
+		try {
+			sink = await api.pipelinesV1SinkCreate({
+				name: names.sinkName,
+				type: "r2_data_catalog",
+				format: {
+					type: "parquet",
+					compression: "zstd",
+					row_group_bytes: rowGroup
+				},
+				schema: { fields: [] },
+				config: {
+					token: cred,
+					account_id: accountId,
+					bucket: bucketDerived,
+					namespace: ns,
+					table_name: icebergTable,
+					rolling_policy: {
+						file_size_bytes: fileSize,
+						interval_seconds: interval
+					}
+				}
+			});
+		} catch (e) {
+			if (isPipelinesSinkExistingCatalogTableError(e)) throw new Error(pipelinesSink1012RecoveryMessage(config.logicalName, ns, icebergTable, bucketDerived), { cause: e });
+			throw e;
+		}
+		r2DataCatalogTableName = icebergTable;
+		console.log(`Created Pipelines sink "${names.sinkName}" (r2_data_catalog) [id ${sink.id}] → Iceberg table "${ns}" / "${icebergTable}".`);
+	} else console.log(`Pipelines sink "${names.sinkName}" already exists [id ${sink.id}].`);
+	let catalogNs = ns;
+	try {
+		const fromApi = r2DataCatalogFromSinkGet(await api.pipelinesV1SinkGet(sink.id));
+		if (fromApi.tableName) r2DataCatalogTableName = fromApi.tableName;
+		if (fromApi.namespace) catalogNs = fromApi.namespace;
+	} catch (e) {
+		const msg = e instanceof Error ? e.message : String(e);
+		console.warn(`logpushJobs.${config.logicalName}: Pipelines GET sink not used (${msg}) — Iceberg name falls back to create-time value in state; re-run apply after fixing API access if needed.`);
+	}
+	if (r2DataCatalogTableName) {
+		const raw = r2DataCatalogTableName;
+		r2DataCatalogTableNamePipelines = raw;
+		const normalized = normalizeIcebergTableNameForR2SqlState(raw, baseTable);
+		if (normalized !== raw) console.log(`logpushJobs.${config.logicalName}: R2 SQL table name for stack outputs: "${raw}" → "${normalized}" (Pipelines reports a suffixed id; catalog uses the base name).`);
+		r2DataCatalogTableName = normalized;
+	}
+	const sql = `INSERT INTO ${names.sinkName} SELECT * FROM ${names.streamName};`;
+	let pipeline = (await api.pipelineListAll()).find((p) => p.name === names.pipelineName);
+	if (!pipeline) {
+		pipeline = await api.pipelineCreate({
+			name: names.pipelineName,
+			sql
+		});
+		console.log(`Created Pipelines job "${names.pipelineName}" [id ${pipeline.id}].`);
+	} else if (pipeline.sql?.trim() !== sql.trim()) console.warn(`Pipelines job "${names.pipelineName}" exists with different SQL — not updating (replace manually or delete & re-apply).`);
+	else console.log(`Pipelines job "${names.pipelineName}" already exists [id ${pipeline.id}].`);
+	const ts = (/* @__PURE__ */ new Date()).toISOString();
+	const existing = state.get(pkey);
+	const entry = {
+		type: "logpush_pipelines",
+		logicalName: config.logicalName,
+		streamId: stream.id,
+		streamIngestBaseUrl,
+		sinkId: sink.id,
+		pipelineId: pipeline.id,
+		streamName: names.streamName,
+		sinkName: names.sinkName,
+		pipelineName: names.pipelineName,
+		r2DataCatalogTableName,
+		r2DataCatalogTableNamePipelines,
+		r2DataCatalogNamespace: catalogNs,
+		catalogBucketDerivedName: bucketDerived,
+		mintedR2CatalogTokenId: r2CatId,
+		mintedR2CatalogTokenValue: r2CatVal,
+		mintedPipelinesSendTokenId: sendId,
+		mintedPipelinesSendTokenValue: sendVal,
+		createdAt: existing?.type === "logpush_pipelines" ? existing.createdAt : ts,
+		updatedAt: ts
+	};
+	state.set(pkey, entry);
+}
+function samePipelinesV1Id(a, b) {
+	return a.replace(/-/g, "").toLowerCase() === b.replace(/-/g, "").toLowerCase();
+}
+/**
+* Pipelines v1 may 404 on DELETE when state stores 32-hex ids but the path must
+* be a hyphenated UUID, or the id drifts — list by name and retry once.
+*/
+async function deletePipelinesV1StreamWithLookup(api, streamId, streamName) {
+	try {
+		await api.pipelinesV1StreamDelete(streamId);
+		return;
+	} catch (e) {
+		const streams = await api.pipelinesV1StreamListAll();
+		const hit = streams.find((s) => s.name === streamName) ?? streams.find((s) => samePipelinesV1Id(s.id, streamId));
+		if (hit) {
+			await api.pipelinesV1StreamDelete(hit.id);
+			return;
+		}
+		throw e;
+	}
+}
+async function deletePipelinesV1SinkWithLookup(api, sinkId, sinkName) {
+	try {
+		await api.pipelinesV1SinkDelete(sinkId);
+		return;
+	} catch (e) {
+		const sinks = await api.pipelinesV1SinkListAll();
+		const hit = sinks.find((s) => s.name === sinkName) ?? sinks.find((s) => samePipelinesV1Id(s.id, sinkId));
+		if (hit) {
+			await api.pipelinesV1SinkDelete(hit.id);
+			return;
+		}
+		throw e;
+	}
+}
+/**
+* Best-effort teardown: SQL pipeline, then sink, then stream (after Logpush job is gone).
+* Order avoids leaving the sink (e.g. r2_data_catalog) while the stream still exists.
+*/
+async function deletePipelinesLogpushGraph(api, entry) {
+	const { pipelineId, streamId, sinkId } = entry;
+	for (const [label, id] of [["Pipelines Send", entry.mintedPipelinesSendTokenId], ["Data Catalog (minted)", entry.mintedR2CatalogTokenId]]) {
+		if (!id) continue;
+		try {
+			await api.accountTokenDelete(id);
+			console.log(`Deleted account API token [${label}] [id ${id}].`);
+		} catch (e) {
+			console.warn(`Account API token delete [${label}] [id ${id}]:`, e instanceof Error ? e.message : e);
+		}
+	}
+	try {
+		await api.pipelineDelete(pipelineId);
+		console.log(`Deleted Pipelines job "${entry.pipelineName}" [id ${pipelineId}].`);
+	} catch (e) {
+		console.warn(`Pipelines job delete [id ${pipelineId}]:`, e instanceof Error ? e.message : e);
+	}
+	try {
+		await deletePipelinesV1SinkWithLookup(api, sinkId, entry.sinkName);
+		console.log(`Deleted Pipelines sink "${entry.sinkName}" [id ${sinkId}].`);
+	} catch (e) {
+		console.warn(`Pipelines sink delete [id ${sinkId}]:`, e instanceof Error ? e.message : e);
+	}
+	try {
+		await deletePipelinesV1StreamWithLookup(api, streamId, entry.streamName);
+		console.log(`Deleted Pipelines stream "${entry.streamName}" [id ${streamId}].`);
+	} catch (e) {
+		console.warn(`Pipelines stream delete [id ${streamId}]:`, e instanceof Error ? e.message : e);
+	}
+	await pipelinesAutoTeardownR2DataCatalog(api, entry.catalogBucketDerivedName);
+}
+/**
+* Stopping the Pipelines `r2_data_catalog` sink does not drop the Iceberg
+* table. Disable the Data Catalog, then (when `R2_ACCESS_KEY_ID` is set) empty
+* the catalog bucket so a later `tamer apply` is not blocked by HTTP 422 / 1012
+* (table already exists in this catalog).
+*/
+async function pipelinesAutoTeardownR2DataCatalog(api, catalogBucketDerivedName) {
+	try {
+		await api.r2DataCatalogDisable(catalogBucketDerivedName);
+		console.log(`Pipelines: disabled R2 Data Catalog on "${catalogBucketDerivedName}" (pipelinesAuto teardown).`);
+	} catch (e) {
+		const msg = e instanceof Error ? e.message : String(e);
+		if (!/\b(404|10006|not found)\b/i.test(msg)) console.warn(`Pipelines: R2 Data Catalog disable for "${catalogBucketDerivedName}": ${msg}`);
+	}
+	const s3creds = r2S3CredentialsFromEnv();
+	if (!s3creds) {
+		console.warn("Pipelines: set R2_ACCESS_KEY_ID and R2_SECRET_ACCESS_KEY to empty the catalog bucket and remove Iceberg table metadata; otherwise a future `tamer apply` may hit HTTP 422 / 1012 (table already exists). Alternatively bump `pipelinesAuto.tableName` or use a new catalog bucket.");
+		return;
+	}
+	try {
+		const accountId = api.getAccountId();
+		console.log(`Pipelines: emptying catalog bucket "${catalogBucketDerivedName}" via S3 (removes Iceberg layout)…`);
+		const { objectsDeleted, uploadsAborted } = await emptyR2BucketViaS3(accountId, catalogBucketDerivedName, s3creds);
+		console.log(`Pipelines: catalog bucket empty — ${objectsDeleted} object(s), ${uploadsAborted} incomplete multipart upload(s) aborted.`);
+	} catch (e) {
+		console.warn(`Pipelines: S3 empty of catalog bucket "${catalogBucketDerivedName}":`, e instanceof Error ? e.message : e);
+	}
+}
+/**
+* After state-driven `deletePipelinesLogpushGraph`, or when `logpush_pipelines`
+* state is missing, delete the SQL pipeline / sink / stream by the names derived
+* from `derivePipelinesLogpushResourceNames` (config + env). Uses live ids from
+* list APIs so stale state ids do not block teardown.
+*/
+async function reconcilePipelinesAutoCloudResourcesByName(api, tenant, logicalName, env, opts) {
+	const names = derivePipelinesLogpushResourceNames(tenant, logicalName, env);
+	const pl = (await api.pipelineListAll()).find((p) => p.name === names.pipelineName);
+	if (pl) try {
+		await api.pipelineDelete(pl.id);
+		console.log(`Pipelines: destroy reconcile — removed SQL pipeline "${names.pipelineName}" [id ${pl.id}].`);
+	} catch (e) {
+		console.warn(`Pipelines: destroy reconcile — SQL pipeline "${names.pipelineName}":`, e instanceof Error ? e.message : e);
+	}
+	const sk = (await api.pipelinesV1SinkListAll()).find((s) => s.name === names.sinkName);
+	if (sk) try {
+		await deletePipelinesV1SinkWithLookup(api, sk.id, sk.name);
+		console.log(`Pipelines: destroy reconcile — removed sink "${names.sinkName}" [id ${sk.id}].`);
+	} catch (e) {
+		console.warn(`Pipelines: destroy reconcile — sink "${names.sinkName}":`, e instanceof Error ? e.message : e);
+	}
+	const st = (await api.pipelinesV1StreamListAll()).find((s) => s.name === names.streamName);
+	if (st) try {
+		await deletePipelinesV1StreamWithLookup(api, st.id, st.name);
+		console.log(`Pipelines: destroy reconcile — removed stream "${names.streamName}" [id ${st.id}].`);
+	} catch (e) {
+		console.warn(`Pipelines: destroy reconcile — stream "${names.streamName}":`, e instanceof Error ? e.message : e);
+	}
+	const cat = opts?.catalogBucketDerivedName?.trim();
+	if (cat) await pipelinesAutoTeardownR2DataCatalog(api, cat);
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.desired.ts
+function resolvedFilter(config, templateFilter) {
+	const explicit = config.filter?.trim();
+	if (explicit) return explicit;
+	const t = templateFilter?.trim();
+	if (t) return t;
+}
+/**
+* Merge `output_options` from a template job (dashboard bootstrap) with
+* optional `fieldNames` override from config.
+*/
+function mergeLogpushOutputOptions(config, template) {
+	const baseline = template && typeof template === "object" && !Array.isArray(template) ? { ...template } : {};
+	if (config.fieldNames?.length) {
+		baseline.field_names = config.fieldNames;
+		return baseline;
+	}
+	if (!template || typeof template !== "object") {
+		baseline.field_names = [...DEFAULT_WORKERS_TRACE_LOG_FIELD_NAMES];
+		return baseline;
+	}
+	if (!Array.isArray(baseline.field_names)) baseline.field_names = [...DEFAULT_WORKERS_TRACE_LOG_FIELD_NAMES];
+	return baseline;
+}
+async function resolveLogpushJobDesired(config, accountId, state, api, tenantId, env) {
+	if (config.destinationConfEnv) {
+		const raw = process.env[config.destinationConfEnv]?.trim();
+		if (!raw) throw new Error(`logpushJobs.${config.logicalName}: environment variable "${config.destinationConfEnv}" is empty (set it to the full Logpush destination_conf, or remove this logpushJobs entry)`);
+		const filter$1 = resolvedFilter(config, void 0);
+		const output_options$1 = mergeLogpushOutputOptions(config, void 0);
+		return {
+			destination_conf: raw,
+			...filter$1 ? { filter: filter$1 } : {},
+			output_options: output_options$1
+		};
+	}
+	if (config.pipelinesAuto) {
+		const pkey = logpushPipelinesStateKey(tenantId, config.logicalName, env);
+		const lpp = state.get(pkey);
+		if (!lpp || lpp.type !== "logpush_pipelines") throw new Error(`logpushJobs.${config.logicalName}: pipelinesAuto graph not in state — \`tamer apply\` provisions stream/sink/pipeline first`);
+		const token = lpp.mintedPipelinesSendTokenValue?.trim();
+		if (!token) throw new Error(`logpushJobs.${config.logicalName}: pipelinesAuto minted Pipelines Send token missing from state — run \`tamer apply\` to provision tokens and graph`);
+		const destination_conf$1 = buildPipelinesIngestDestinationConf({
+			streamId: lpp.streamId,
+			pipelineId: lpp.pipelineId,
+			bearerToken: token,
+			ingestBaseUrl: lpp.streamIngestBaseUrl
+		});
+		const filter$1 = resolvedFilter(config, void 0);
+		const output_options$1 = mergeLogpushOutputOptions(config, void 0);
+		return {
+			destination_conf: destination_conf$1,
+			...filter$1 ? { filter: filter$1 } : {},
+			output_options: output_options$1
+		};
+	}
+	if (config.pipelinesIngest) {
+		const pi = config.pipelinesIngest;
+		const token = process.env[pi.bearerTokenEnv]?.trim();
+		if (!token) throw new Error(`logpushJobs.${config.logicalName}: environment variable "${pi.bearerTokenEnv}" is empty (Pipelines stream ingest Bearer token for Logpush)`);
+		let destination_conf$1;
+		try {
+			destination_conf$1 = buildPipelinesIngestDestinationConf({
+				streamId: pi.streamId,
+				pipelineId: pi.pipelineId,
+				bearerToken: token
+			});
+		} catch (e) {
+			const msg = e instanceof Error ? e.message : String(e);
+			throw new Error(`logpushJobs.${config.logicalName}: ${msg}`);
+		}
+		const filter$1 = resolvedFilter(config, void 0);
+		const output_options$1 = mergeLogpushOutputOptions(config, void 0);
+		return {
+			destination_conf: destination_conf$1,
+			...filter$1 ? { filter: filter$1 } : {},
+			output_options: output_options$1
+		};
+	}
+	let sourceJobId;
+	if (config.destinationConfFromJobId != null) sourceJobId = config.destinationConfFromJobId;
+	else if (config.destinationConfFromJobIdEnv) {
+		const raw = process.env[config.destinationConfFromJobIdEnv]?.trim();
+		if (!raw) throw new Error(`logpushJobs.${config.logicalName}: environment variable "${config.destinationConfFromJobIdEnv}" is empty (set it to the numeric Cloudflare Logpush job id whose destination_conf should be copied)`);
+		const n = Number(raw);
+		if (!Number.isInteger(n) || n <= 0) throw new Error(`logpushJobs.${config.logicalName}: "${config.destinationConfFromJobIdEnv}" must be a positive integer job id (got "${raw}")`);
+		sourceJobId = n;
+	}
+	if (sourceJobId != null) {
+		const src = await api.logpushAccountJobGet(sourceJobId);
+		const conf = src.destination_conf?.trim();
+		if (!conf) throw new Error(`logpushJobs.${config.logicalName}: Logpush job ${sourceJobId} has no destination_conf`);
+		if (src.dataset && src.dataset !== config.dataset) throw new Error(`logpushJobs.${config.logicalName}: source job ${sourceJobId} dataset is "${src.dataset}" but this job declares "${config.dataset}"`);
+		const filter$1 = resolvedFilter(config, src.filter);
+		const templateOpts = src.output_options;
+		const output_options$1 = mergeLogpushOutputOptions(config, templateOpts);
+		return {
+			destination_conf: conf,
+			...filter$1 ? { filter: filter$1 } : {},
+			output_options: output_options$1
+		};
+	}
+	const r2 = config.r2;
+	if (!r2) throw new Error(`logpushJobs.${config.logicalName}: internal: no destination source (expected loader to enforce r2 | pipelinesIngest | pipelinesAuto | env | job id)`);
+	const bucket = findR2BucketDerivedName(state, r2.bucketLogicalName);
+	if (!bucket) throw new Error(`logpushJobs.${config.logicalName}: R2 bucket logical "${r2.bucketLogicalName}" is not in state — run \`tamer apply\` so the bucket is created first, then re-run apply`);
+	const ak = process.env[r2.accessKeyIdEnv]?.trim();
+	const sk = process.env[r2.secretAccessKeyEnv]?.trim();
+	if (!ak || !sk) throw new Error(`logpushJobs.${config.logicalName}: set ${r2.accessKeyIdEnv} and ${r2.secretAccessKeyEnv} (R2 S3-compatible credentials for Logpush)`);
+	const destination_conf = buildR2WorkersTraceDestinationConf({
+		bucketDerivedName: bucket,
+		pathPrefix: r2.pathPrefix ?? "workers-trace-events",
+		accountId,
+		accessKeyId: ak,
+		secretAccessKey: sk
+	});
+	const filter = resolvedFilter(config, void 0);
+	const output_options = mergeLogpushOutputOptions(config, void 0);
+	return {
+		destination_conf,
+		...filter ? { filter } : {},
+		output_options
+	};
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.diff.ts
+function normalizeLogpushOutputOptions(o) {
+	if (!o || typeof o !== "object" || Array.isArray(o)) return o;
+	const x = { ...o };
+	if (Array.isArray(x.field_names)) x.field_names = [...x.field_names].sort();
+	return x;
+}
+function normLogpushFilter(f) {
+	return f?.trim() || void 0;
+}
+/** Build `filter` for PUT when it must change (including clear). */
+function logpushFilterPutBody(desired, live) {
+	const d = normLogpushFilter(desired.filter);
+	if (d === normLogpushFilter(live.filter)) return {};
+	return { filter: d ?? "" };
+}
+function logpushJobFieldChanges(desired, live, enabledDesired) {
+	const changes = [];
+	const dc = desired.destination_conf.trim();
+	const lc = (live.destination_conf ?? "").trim();
+	if (dc !== lc) changes.push({
+		field: "destination_conf",
+		from: lc,
+		to: dc,
+		kind: "mutable"
+	});
+	const df = normLogpushFilter(desired.filter);
+	const lf = normLogpushFilter(live.filter);
+	if (df !== lf) changes.push({
+		field: "filter",
+		from: lf ?? "(none)",
+		to: df ?? "(none)",
+		kind: "mutable"
+	});
+	const doo = JSON.stringify(normalizeLogpushOutputOptions(desired.output_options));
+	const loo = JSON.stringify(normalizeLogpushOutputOptions(live.output_options ?? {}));
+	if (doo !== loo) changes.push({
+		field: "output_options",
+		from: JSON.parse(loo),
+		to: JSON.parse(doo),
+		kind: "mutable"
+	});
+	const enabledLive = live.enabled !== false;
+	if (enabledLive !== enabledDesired) changes.push({
+		field: "enabled",
+		from: enabledLive,
+		to: enabledDesired,
+		kind: "mutable"
+	});
+	return changes;
+}
+async function logpushJobDiffPlanItems(args) {
+	const { resources, tenant, env, state, api, accountId } = args;
+	if (env === "local") return [];
+	const items = [];
+	for (const config of resources) {
+		if (config.dataset !== "workers_trace_events") continue;
+		const key = logpushJobStateKey(tenant.id, config.logicalName, env);
+		const entry = state.get(key);
+		if (!entry || entry.type !== "logpush_job") continue;
+		if (config.pipelinesAuto) {
+			const pkey = logpushPipelinesStateKey(tenant.id, config.logicalName, env);
+			const lpp = state.get(pkey);
+			if (!lpp || lpp.type !== "logpush_pipelines") continue;
+		}
+		const cfName = logpushJobCloudflareName(config, tenant, env);
+		let liveFull;
+		try {
+			liveFull = await api.logpushAccountJobGet(entry.cfJobId);
+		} catch {
+			continue;
+		}
+		const desired = await resolveLogpushJobDesired(config, accountId, state, api, tenant.id, env);
+		const enabledDesired = config.enabled !== false;
+		const changes = logpushJobFieldChanges(desired, {
+			destination_conf: liveFull.destination_conf,
+			filter: liveFull.filter,
+			output_options: liveFull.output_options,
+			enabled: liveFull.enabled
+		}, enabledDesired);
+		if (changes.length === 0) continue;
+		items.push({
+			kind: "logpush_job",
+			action: "update",
+			logicalName: config.logicalName,
+			derivedName: cfName,
+			detail: changes.map((c) => `${c.field}`).join(", "),
+			changes
+		});
+	}
+	return items;
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.apply.ts
+/** Logpush validates the Pipelines ingest URL; new streams can return DNS 1002 until the hostname propagates. */
+function isRetriableLogpushIngestDnsError(message) {
+	return /\bDNSError\b/i.test(message) && /\b1002\b/.test(message);
+}
+async function logpushAccountJobCreateWithIngestRetry(api, body) {
+	const maxAttempts = 8;
+	let lastError;
+	for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
+		return await api.logpushAccountJobCreate(body);
+	} catch (e) {
+		lastError = e;
+		const msg = e instanceof Error ? e.message : String(e);
+		if (attempt === maxAttempts || !isRetriableLogpushIngestDnsError(msg)) throw e;
+		const waitMs = Math.min(3e4, 1500 * 2 ** (attempt - 1));
+		console.warn(`Logpush create "${body.name}": destination validation error, retry ${attempt}/${maxAttempts} in ${waitMs}ms (ingest DNS may lag right after a new Pipelines stream). ${msg.slice(0, 240)}`);
+		await new Promise((r) => setTimeout(r, waitMs));
+	}
+	throw lastError;
+}
+function writeState(state, key, config, cfName, cfJobId, dataset, existingCreatedAt) {
+	const ts = (/* @__PURE__ */ new Date()).toISOString();
+	state.set(key, {
+		type: "logpush_job",
+		logicalName: config.logicalName,
+		derivedName: cfName,
+		cfJobId,
+		dataset,
+		createdAt: existingCreatedAt ?? ts,
+		updatedAt: ts
+	});
+}
+async function reconcileLogpushJob(config, cfJobId, cfName, accountId, tenant, env, state, api, key, st) {
+	const fullLive = await api.logpushAccountJobGet(cfJobId);
+	const desired = await resolveLogpushJobDesired(config, accountId, state, api, tenant.id, env);
+	const enabledDesired = config.enabled !== false;
+	const changes = logpushJobFieldChanges(desired, {
+		destination_conf: fullLive.destination_conf,
+		filter: fullLive.filter,
+		output_options: fullLive.output_options,
+		enabled: fullLive.enabled
+	}, enabledDesired);
+	if (changes.length === 0) return;
+	await api.logpushAccountJobUpdate(cfJobId, {
+		destination_conf: desired.destination_conf,
+		enabled: enabledDesired,
+		output_options: desired.output_options,
+		...logpushFilterPutBody(desired, fullLive)
+	});
+	const ts = (/* @__PURE__ */ new Date()).toISOString();
+	state.set(key, {
+		...st,
+		updatedAt: ts
+	});
+	console.log(`Updated Logpush job "${cfName}" (${config.dataset}) [id ${cfJobId}]: ${changes.map((c) => c.field).join(", ")}`);
+}
+async function logpushJobApply(resources, tenant, env, accountId, api, state) {
+	if (resources.length === 0 || env === "local") return;
+	const jobs = await api.logpushAccountJobsList();
+	const byNameDataset = /* @__PURE__ */ new Map();
+	for (const j of jobs) if (j.name && j.dataset) byNameDataset.set(`${j.dataset}\0${j.name}`, j);
+	for (const config of resources) {
+		if (config.dataset !== "workers_trace_events") throw new Error(`logpushJobs.${config.logicalName}: unsupported dataset "${config.dataset}" (only workers_trace_events)`);
+		if (config.pipelinesAuto) await ensurePipelinesLogpushProvision(config, config.pipelinesAuto, tenant, env, accountId, state, api);
+		const key = logpushJobStateKey(tenant.id, config.logicalName, env);
+		const cfName = logpushJobCloudflareName(config, tenant, env);
+		const mapKey = `${config.dataset}\0${cfName}`;
+		const existingState = state.get(key);
+		if (existingState?.type === "logpush_job") {
+			if (jobs.find((j) => j.id === existingState.cfJobId)) {
+				await reconcileLogpushJob(config, existingState.cfJobId, cfName, accountId, tenant, env, state, api, key, existingState);
+				continue;
+			}
+		}
+		const hit = byNameDataset.get(mapKey);
+		if (hit?.id != null) {
+			writeState(state, key, config, cfName, hit.id, config.dataset, existingState?.type === "logpush_job" ? existingState.createdAt : void 0);
+			console.log(`Logpush job "${cfName}" (${config.dataset}) already exists [id ${hit.id}] — recorded in state.`);
+			const st = state.get(key);
+			if (st?.type === "logpush_job") await reconcileLogpushJob(config, hit.id, cfName, accountId, tenant, env, state, api, key, st);
+			continue;
+		}
+		const desired = await resolveLogpushJobDesired(config, accountId, state, api, tenant.id, env);
+		const created = await logpushAccountJobCreateWithIngestRetry(api, {
+			name: cfName,
+			dataset: config.dataset,
+			destination_conf: desired.destination_conf,
+			enabled: config.enabled !== false,
+			...logpushFilterPutBody(desired, {}),
+			output_options: desired.output_options
+		});
+		writeState(state, key, config, cfName, created.id, config.dataset, existingState?.type === "logpush_job" ? existingState.createdAt : void 0);
+		console.log(`Created Logpush job "${cfName}" (${config.dataset}) [id ${created.id}].`);
+	}
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.sync.ts
+async function logpushJobSync(resources, tenant, env, api, state) {
+	if (resources.length === 0 || env === "local") return;
+	const jobs = await api.logpushAccountJobsList();
+	for (const config of resources) {
+		const cfName = logpushJobCloudflareName(config, tenant, env);
+		const hit = jobs.find((j) => j.name === cfName && j.dataset === config.dataset);
+		if (!hit?.id) continue;
+		const key = logpushJobStateKey(tenant.id, config.logicalName, env);
+		const existing = state.get(key);
+		const ts = (/* @__PURE__ */ new Date()).toISOString();
+		state.set(key, {
+			type: "logpush_job",
+			logicalName: config.logicalName,
+			derivedName: cfName,
+			cfJobId: hit.id,
+			dataset: config.dataset,
+			createdAt: existing?.type === "logpush_job" ? existing.createdAt : ts,
+			updatedAt: ts
+		});
+	}
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.drift.ts
+function logpushJobDrift(allJobs, resources, env, tenant, state) {
+	const drift = {
+		kind: "logpush_job",
+		missingFromCloudflare: [],
+		unrecordedInState: [],
+		undeployed: []
+	};
+	for (const config of resources) {
+		const cfName = logpushJobCloudflareName(config, tenant, env);
+		const key = logpushJobStateKey(tenant.id, config.logicalName, env);
+		const tracked = state.get(key);
+		const st = tracked?.type === "logpush_job" ? tracked : void 0;
+		const onCf = allJobs.find((j) => j.name === cfName && j.dataset === config.dataset);
+		const idStillThere = st && allJobs.some((j) => j.id === st.cfJobId);
+		if (st && !idStillThere) drift.missingFromCloudflare.push({
+			logicalName: config.logicalName,
+			derivedName: cfName,
+			cfId: String(st.cfJobId)
+		});
+		else if (onCf && !st) drift.unrecordedInState.push({
+			logicalName: config.logicalName,
+			derivedName: cfName,
+			cfId: String(onCf.id)
+		});
+		else if (!onCf && !st) drift.undeployed.push({
+			logicalName: config.logicalName,
+			derivedName: cfName
+		});
+	}
+	return drift;
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.destroy.ts
+/**
+* `logpush_pipelines:t-${tenantId}-${logicalName}-${env}` (logical name may
+* contain hyphens, so we match prefix+suffix to scope to this stack).
+*/
+function isLogpushPipelinesKeyForStack(key, tenantId, env) {
+	const prefix = `logpush_pipelines:t-${tenantId}-`;
+	const suffix = `-${env}`;
+	return key.startsWith(prefix) && key.endsWith(suffix);
+}
+/**
+* Delete Logpush jobs declared in config and remove their state rows.
+* Runs before R2 teardown so the job stops writing to the bucket.
+* For `pipelinesAuto`, deletes the Logpush job first, then stream / sink / SQL pipeline.
+*
+* Also sweeps any remaining `logpush_pipelines` state for this stack (e.g. config
+* no longer lists logpush, or the job row was lost while pipelines state remained).
+*/
+async function logpushJobDestroy(env, state, api, config) {
+	if (env === "local") return;
+	const jobs = getLogpushJobs(config);
+	const allowed = new Set(jobs.map((j) => j.logicalName));
+	const autoByLogical = new Map(jobs.filter((j) => j.pipelinesAuto).map((j) => [j.logicalName, j]));
+	for (const [key, entry] of Object.entries(state.getAll())) {
+		if (entry.type !== "logpush_job") continue;
+		const job = entry;
+		if (allowed.size > 0 && !allowed.has(job.logicalName)) continue;
+		try {
+			await api.logpushAccountJobDelete(job.cfJobId);
+			state.delete(key);
+			console.log(`Deleted Logpush job "${job.derivedName}" [id ${job.cfJobId}].`);
+		} catch (err) {
+			console.warn(`Failed to delete Logpush job ${job.derivedName} [id ${job.cfJobId}]:`, err instanceof Error ? err.message : err);
+		}
+		if (autoByLogical.has(job.logicalName)) {
+			const pkey = logpushPipelinesStateKey(config.tenant.id, job.logicalName, env);
+			const lpp = state.get(pkey);
+			if (lpp?.type === "logpush_pipelines") {
+				await deletePipelinesLogpushGraph(api, lpp);
+				state.delete(pkey);
+			}
+		}
+	}
+	for (const [key, entry] of Object.entries(state.getAll())) {
+		if (entry.type !== "logpush_pipelines") continue;
+		if (!isLogpushPipelinesKeyForStack(key, config.tenant.id, env)) continue;
+		const lpp = entry;
+		try {
+			await deletePipelinesLogpushGraph(api, lpp);
+			state.delete(key);
+		} catch (err) {
+			console.warn(`Failed to destroy Pipelines graph for [${key}]:`, err instanceof Error ? err.message : err);
+		}
+	}
+	for (const j of jobs) {
+		if (!j.pipelinesAuto) continue;
+		const catBucket = findR2BucketDerivedName(state, j.pipelinesAuto.catalogBucketLogicalName);
+		try {
+			await reconcilePipelinesAutoCloudResourcesByName(api, config.tenant, j.logicalName, env, catBucket ? { catalogBucketDerivedName: catBucket } : void 0);
+		} catch (e) {
+			console.warn(`Pipelines: destroy reconcile (SQL/sink/stream) for logpush ${j.logicalName}:`, e instanceof Error ? e.message : e);
+		}
+		try {
+			await reconcilePipelinesAutoMintedAccountTokensByName(api, config.tenant, j.logicalName, env);
+		} catch (e) {
+			console.warn(`Pipelines: destroy reconcile (account API tokens) for logpush ${j.logicalName}:`, e instanceof Error ? e.message : e);
+		}
+	}
+}
+
+//#endregion
+//#region src/features/logpush-job/logpush-job.status.ts
+function logpushJobStatus(resources, tenant, env, state, liveJobs) {
+	const rows = [];
+	for (const config of resources) {
+		const key = logpushJobStateKey(tenant.id, config.logicalName, env);
+		const entry = state.get(key);
+		const st = entry?.type === "logpush_job" ? entry : void 0;
+		const live = liveJobs && st?.cfJobId != null ? liveJobs.find((j) => j.id === st.cfJobId) : void 0;
+		rows.push({
+			logicalName: config.logicalName,
+			jobName: st?.derivedName ?? "(unknown)",
+			cfJobId: st?.cfJobId,
+			status: st ? "ok" : "missing",
+			cfEnabled: live?.enabled,
+			cfError: live?.error_message
+		});
+	}
+	return rows;
+}
+
+//#endregion
+export { logpushJobApply as a, logpushJobSync as i, logpushJobDestroy as n, logpushJobDiffPlanItems as o, logpushJobDrift as r, logpushJobStateKey as s, logpushJobStatus as t };
+//# sourceMappingURL=logpush-job-xS7270FZ.mjs.map