@mizchi/k1c 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mizchi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,150 @@
+# k1c
+
+Experimental `kubectl apply`-style tool for Cloudflare. Pronounced **"kick"**.
+
+This is a learning / proof-of-concept project. It is **not production-ready**, and its public surface is subject to breaking changes without notice.
+
+## What it does
+
+`k1c` parses a defined subset of Kubernetes manifests and applies them to a Cloudflare account via the official SDK. The motivation is to reuse `kubectl`-style declarative manifests for personal-scale Cloudflare projects without paying for a real Kubernetes control plane.
+
+```yaml
+apiVersion: cloudflare.k1c.io/v1alpha1
+kind: R2Bucket
+metadata: { name: media }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata: { name: api }
+spec:
+  selector: { matchLabels: { app: api } }
+  template:
+    spec:
+      containers:
+        - name: api
+          image: ./dist/worker.js
+          volumeMounts:
+            - { name: bucket, mountPath: R2_MEDIA }
+      volumes:
+        - { name: bucket, r2BucketRef: { name: media } }
+```
+
+```sh
+$ K1C_ACCOUNT_ID=...  CLOUDFLARE_API_TOKEN=... pnpm k1c apply -f manifest.yaml
+```
+
+## Status
+
+| Manifest kind | Backed by | State |
+|---|---|---|
+| `Deployment` (single- or multi-container Pods) | Worker(s) wired by service bindings | working |
+| `ConfigMap` / `Secret` | folded into Worker `vars` / `secrets` | working |
+| `Service` (`ClusterIP` / `LoadBalancer`) | service binding / Custom Domain | working |
+| `R2Bucket`, `KVNamespace`, `D1Database`, `Vectorize`, `Hyperdrive` (CRDs) | matching CF data services | working |
+| `Queue` (CRD) + producer / consumer wiring | Cloudflare Queues + consumer | working |
+| `DispatchNamespace` (CRD) | Workers for Platforms namespace | working |
+| `Rollout` (Argo Rollouts subset, `blueGreen` / `canary.steps`) | Worker Versions, or WfP dispatcher with KV-stored canary state | working |
+| `StatefulSet` → `DurableObject` class | Workers Durable Objects + migrations | working (greenfield only) |
+| `CronJob` / `Job` | Worker + Cron Trigger / Workflow registration | working |
+| `DNSRecord` (CRD) | DNS records | working |
+| `LogpushJob` (CRD) | Logpush (zone- or account-scoped) | working |
+| `ai` / `browser` / `version_metadata` / `analytics_engine` Worker bindings | annotation- / volume-driven | working |
+| `Ingress` / `CustomHostname` / Zero Trust Access | — | not implemented (see [`TODO.md`](TODO.md)) |
+
+See [`docs/resources.md`](docs/resources.md) for the full mapping and limitations,
+and [`TODO.md`](TODO.md) for what's queued.
+
+## Why this exists
+
+I wanted a `kubectl apply` UX for personal Cloudflare projects but did not want to pay for a managed Kubernetes control plane (GKE minimum is roughly JPY 8,000 / month). `k1c` is the smallest tool that lets a Kubernetes-shaped manifest drive Cloudflare resources directly. See [ADR-0001](docs/adr/0001-project-goal.md) for the full reasoning.
+
+The architecture is documented as [Architecture Decision Records](docs/adr/) (ADR-0001 through ADR-0007).
+
+## Install
+
+Once published:
+
+```sh
+npm install -g @mizchi/k1c
+# or:
+pnpm dlx @mizchi/k1c apply -f manifest.yaml
+```
+
+From source (this repo):
+
+```sh
+pnpm install
+pnpm test          # 297 tests
+pnpm typecheck
+pnpm build         # emits dist/
+
+# Run the CLI in-repo (TypeScript via Node strip-types):
+pnpm k1c apply   -f examples/hello-worker.yaml [--dry-run]
+```
+
+## CLI
+
+```sh
+k1c apply    -f <manifest.yaml> [--dry-run | --watch]
+k1c diff     -f <manifest.yaml> [-o text|json]
+k1c delete   -f <manifest.yaml> [--cascade]
+k1c get      <kind> [name] [-n <namespace>] [-o text|json]
+k1c describe <kind> <name> [-n <namespace>] [-o text|json]
+k1c rollout  {status|promote|abort} <ns>/<name> --dispatch <name>
+k1c version
+```
+
+Authentication is via two environment variables:
+
+| Variable | Purpose |
+|---|---|
+| `K1C_ACCOUNT_ID` | Cloudflare account id |
+| `CLOUDFLARE_API_TOKEN` | API token with Workers Edit + R2 + KV permissions |
+
+## Architecture in one screen
+
+```
+manifest.yaml
+   │
+   ▼  src/manifest/parse.ts        — YAML → typed K1cResource[] (validated by zod)
+   │
+   ▼  src/manifest/lower.ts        — resolves refs, folds ConfigMap/Secret into Workers,
+   │                                  generates DispatcherWorker / state KV for canary Rollouts
+   ▼  src/reconciler/plan.ts       — compares desired vs actual via providers, topological sort
+   │
+   ▼  src/reconciler/apply.ts      — executes operations (create/update/delete) with retry
+   │
+   ▼  src/canary/runtime.ts        — for canary Rollouts: read KV state, run state machine,
+   │                                  upload canary + rewrite weight + promote
+   ▼  Cloudflare account
+```
+
+Providers live under `src/providers/` and are uniform across resource types. The interface mirrors AWS CloudControl (CRUD + Status + List + Discovery); see [ADR-0006](docs/adr/0006-provider-interface.md).
+
+## Limitations
+
+This is experimental. In particular:
+
+- Worker entrypoint content is not yet hashed at lower time, so editing only the JS file (without changing the manifest) does not currently trigger an update outside the canary path. Deferred (`docs/future-considerations.md`).
+- Async polling for Custom Hostname SSL provisioning is not implemented.
+- The reconciler model assumes a single Cloudflare account at a time.
+- No real end-to-end tests against Cloudflare yet — provider behavior is validated through SDK mocks only.
+
+## Releases
+
+Versioning is automated via [release-please](https://github.com/googleapis/release-please-action):
+
+- Conventional Commit messages on `main` (`feat:`, `fix:`, `chore:`, etc.) feed
+  into a release PR that bumps `package.json`, updates `CHANGELOG.md`, and
+  cuts a Git tag plus a GitHub Release.
+- Merging that release PR triggers `.github/workflows/publish.yml`, which
+  publishes `@mizchi/k1c` to npm via [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers)
+  (no `NPM_TOKEN` involved) with `--provenance` SLSA attestation.
+
+The npm package must be registered as a trusted publisher on `npmjs.com` once,
+pointing at `mizchi/k1c` + the `publish.yml` workflow. After that the entire
+flow (PR → merge → tag → npm) is hands-off.
+
+## License
+
+MIT

package/dist/canary/dispatcher-template.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generates the JavaScript source for a k1c dispatcher Worker.
+ *
+ * The dispatcher reads canary state from a bound KV namespace and routes each request
+ * to either the stable or canary script in a Workers for Platforms dispatch namespace.
+ * State schema and routing logic are documented in ADR-0007.
+ */
+export interface DispatcherTemplateOptions {
+    /** KV key under which the per-rollout state JSON is stored. */
+    readonly rolloutKey: string;
+    /** Script name of the stable variant inside the dispatch namespace. */
+    readonly stableName: string;
+    /** Script name of the canary variant inside the dispatch namespace. */
+    readonly canaryName: string;
+}
+export declare function generateDispatcher(opts: DispatcherTemplateOptions): string;
+//# sourceMappingURL=dispatcher-template.d.ts.map

package/dist/canary/dispatcher-template.js

@@ -0,0 +1,42 @@
+/**
+ * Generates the JavaScript source for a k1c dispatcher Worker.
+ *
+ * The dispatcher reads canary state from a bound KV namespace and routes each request
+ * to either the stable or canary script in a Workers for Platforms dispatch namespace.
+ * State schema and routing logic are documented in ADR-0007.
+ */
+export function generateDispatcher(opts) {
+    const ROLLOUT_KEY = JSON.stringify(opts.rolloutKey);
+    const STABLE_NAME = JSON.stringify(opts.stableName);
+    const CANARY_NAME = JSON.stringify(opts.canaryName);
+    return `// k1c dispatcher (generated)
+// rolloutKey=${opts.rolloutKey}
+const ROLLOUT_KEY = ${ROLLOUT_KEY};
+const STABLE_NAME = ${STABLE_NAME};
+const CANARY_NAME = ${CANARY_NAME};
+
+export default {
+  async fetch(request, env) {
+    const target = await pickTarget(env);
+    return env.NAMESPACE.get(target).fetch(request);
+  },
+};
+
+async function pickTarget(env) {
+  const raw = await env.STATE.get(ROLLOUT_KEY);
+  if (!raw) return STABLE_NAME;
+  let state;
+  try {
+    state = JSON.parse(raw);
+  } catch (_e) {
+    return STABLE_NAME;
+  }
+  if (!state || state.status === 'idle' || !state.canaryScript) return STABLE_NAME;
+  const w = typeof state.weight === 'number' ? state.weight : 0;
+  if (w <= 0) return STABLE_NAME;
+  if (w >= 100) return CANARY_NAME;
+  return Math.random() * 100 < w ? CANARY_NAME : STABLE_NAME;
+}
+`;
+}
+//# sourceMappingURL=dispatcher-template.js.map

package/dist/canary/effects-cloudflare.d.ts

@@ -0,0 +1,9 @@
+import type Cloudflare from 'cloudflare';
+import type { CanaryEffects } from './runtime.ts';
+export interface BuildEffectsOptions {
+    readonly cloudflare: Cloudflare;
+    readonly accountId: string;
+    readonly managedByLabel: string;
+}
+export declare function buildCloudflareEffects(opts: BuildEffectsOptions): CanaryEffects;
+//# sourceMappingURL=effects-cloudflare.d.ts.map

package/dist/canary/effects-cloudflare.js

@@ -0,0 +1,66 @@
+const MAIN_MODULE = 'worker.mjs';
+function buildBindings(props) {
+    const out = [];
+    for (const [name, text] of Object.entries(props.vars ?? {})) {
+        out.push({ type: 'plain_text', name, text });
+    }
+    for (const [name, text] of Object.entries(props.secrets ?? {})) {
+        out.push({ type: 'secret_text', name, text });
+    }
+    for (const b of props.bindings ?? []) {
+        if (b.type === 'r2_bucket') {
+            out.push({ type: 'r2_bucket', name: b.name, bucket_name: b.bucketName });
+        }
+        else if (b.type === 'kv_namespace') {
+            out.push({ type: 'kv_namespace', name: b.name, namespace_id: b.namespaceId });
+        }
+        else if (b.type === 'service') {
+            out.push({ type: 'service', name: b.name, service: b.service });
+        }
+        else if (b.type === 'dispatch_namespace') {
+            out.push({ type: 'dispatch_namespace', name: b.name, namespace: b.dispatchNamespace });
+        }
+    }
+    return out;
+}
+function buildMetadata(props, managedByLabel) {
+    return {
+        main_module: MAIN_MODULE,
+        compatibility_date: props.compatibilityDate,
+        ...(props.compatibilityFlags !== undefined
+            ? { compatibility_flags: [...props.compatibilityFlags] }
+            : {}),
+        bindings: buildBindings(props),
+        tags: [managedByLabel, 'k1c.io/role=canary'],
+        ...(props.observability !== undefined
+            ? { observability: { enabled: props.observability.enabled } }
+            : {}),
+        ...(props.placement !== undefined ? { placement: { mode: props.placement.mode } } : {}),
+    };
+}
+export function buildCloudflareEffects(opts) {
+    const upload = async (dispatchNamespace, scriptName, content, properties) => {
+        const file = new File([content], MAIN_MODULE, {
+            type: 'application/javascript+module',
+        });
+        await opts.cloudflare.workersForPlatforms.dispatch.namespaces.scripts.update(dispatchNamespace, scriptName, {
+            account_id: opts.accountId,
+            metadata: buildMetadata(properties, opts.managedByLabel),
+            files: { [MAIN_MODULE]: file },
+        });
+    };
+    return {
+        async uploadCanary(input) {
+            await upload(input.dispatchNamespace, input.scriptName, input.content, input.properties);
+        },
+        async promoteCanaryToStable(input) {
+            // Re-upload the canary content as the stable script, then remove the canary.
+            await upload(input.dispatchNamespace, input.stableScriptName, input.content, input.properties);
+            await opts.cloudflare.workersForPlatforms.dispatch.namespaces.scripts.delete(input.dispatchNamespace, input.canaryScriptName, { account_id: opts.accountId });
+        },
+        async removeCanary(input) {
+            await opts.cloudflare.workersForPlatforms.dispatch.namespaces.scripts.delete(input.dispatchNamespace, input.scriptName, { account_id: opts.accountId });
+        },
+    };
+}
+//# sourceMappingURL=effects-cloudflare.js.map

package/dist/canary/rollout-command.d.ts

@@ -0,0 +1,15 @@
+import type { RolloutStateClient } from './runtime.ts';
+import type { RolloutState } from './state-machine.ts';
+export type RolloutSubCommand = 'status' | 'promote' | 'abort';
+export interface RolloutCommandInput {
+    readonly subCommand: RolloutSubCommand;
+    readonly target: string;
+}
+export interface RolloutCommandDeps {
+    readonly state: RolloutStateClient;
+    readonly out: (msg: string) => void;
+    readonly err: (msg: string) => void;
+}
+export declare function runRolloutCommand(input: RolloutCommandInput, deps: RolloutCommandDeps): Promise<number>;
+export declare function formatStatus(state: RolloutState): string;
+//# sourceMappingURL=rollout-command.d.ts.map

package/dist/canary/rollout-command.js

@@ -0,0 +1,92 @@
+export async function runRolloutCommand(input, deps) {
+    const parts = input.target.split('/');
+    if (parts.length !== 2 || !parts[0] || !parts[1]) {
+        deps.err(`invalid target "${input.target}"; expected <namespace>/<name>`);
+        return 2;
+    }
+    const key = `rollout/${parts[0]}/${parts[1]}`;
+    switch (input.subCommand) {
+        case 'status':
+            return runStatus(key, deps);
+        case 'promote':
+            return runPromote(key, deps);
+        case 'abort':
+            return runAbort(key, deps);
+    }
+}
+async function runStatus(key, deps) {
+    const state = await readState(key, deps);
+    if (state === null) {
+        deps.out(`(no rollout state for ${key})`);
+        return 0;
+    }
+    deps.out(formatStatus(state));
+    return 0;
+}
+async function runPromote(key, deps) {
+    const state = await readState(key, deps);
+    if (state === null) {
+        deps.err(`no rollout state for ${key}; nothing to promote`);
+        return 1;
+    }
+    if (state.status !== 'paused') {
+        deps.err(`rollout ${key} is in status="${state.status}"; promote only applies to "paused"`);
+        return 1;
+    }
+    const next = {
+        ...state,
+        currentStepIndex: state.currentStepIndex + 1,
+        // Force the next apply to treat any pending duration as elapsed.
+        lastAdvanceAt: new Date(0).toISOString(),
+        status: 'progressing',
+    };
+    await deps.state.write(key, JSON.stringify(next));
+    deps.out(`rollout ${key}: unpaused; the next \`k1c apply\` will advance to step ${next.currentStepIndex}`);
+    return 0;
+}
+async function runAbort(key, deps) {
+    const state = await readState(key, deps);
+    if (state === null) {
+        deps.err(`no rollout state for ${key}; nothing to abort`);
+        return 1;
+    }
+    const next = {
+        ...state,
+        canaryScript: null,
+        canaryHash: null,
+        weight: 0,
+        status: 'idle',
+        currentStepIndex: 0,
+    };
+    await deps.state.write(key, JSON.stringify(next));
+    deps.out(`rollout ${key}: aborted; dispatcher routes 100% to stable`);
+    deps.out('(canary script remains in dispatch namespace; the next `k1c apply` will not redeploy it)');
+    return 0;
+}
+async function readState(key, deps) {
+    const raw = await deps.state.read(key);
+    if (raw === null)
+        return null;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        deps.err(`rollout state at ${key} is not valid JSON`);
+        return null;
+    }
+}
+export function formatStatus(state) {
+    const lines = [
+        `status:           ${state.status}`,
+        `currentStepIndex: ${state.currentStepIndex}`,
+        `weight:           ${state.weight}%`,
+        `stableScript:     ${state.stableScript}`,
+        `canaryScript:     ${state.canaryScript ?? '(none)'}`,
+        `stableHash:       ${state.stableHash}`,
+        `canaryHash:       ${state.canaryHash ?? '(none)'}`,
+        `startedAt:        ${state.startedAt ?? '(never)'}`,
+        `lastAdvanceAt:    ${state.lastAdvanceAt ?? '(never)'}`,
+    ];
+    return lines.join('\n');
+}
+//# sourceMappingURL=rollout-command.js.map

package/dist/canary/runtime.d.ts

@@ -0,0 +1,59 @@
+import type { Rollout, ResourceRef } from '../manifest/types.ts';
+import type { WorkerProperties } from '../providers/worker.ts';
+import { type Action } from './state-machine.ts';
+/**
+ * Reads/writes the JSON state document for a single rollout. Production wires this to
+ * `cloudflare.kv.namespaces.values.{get, update}`; tests pass an in-memory implementation.
+ */
+export interface RolloutStateClient {
+    read(key: string): Promise<string | null>;
+    write(key: string, value: string): Promise<void>;
+}
+/**
+ * Side-effect hooks for the actions returned by the state machine. Implementations
+ * upload/remove canary scripts via the dispatch-namespace endpoint.
+ */
+export interface CanaryEffects {
+    uploadCanary(input: {
+        rolloutRef: ResourceRef;
+        scriptName: string;
+        dispatchNamespace: string;
+        content: Uint8Array;
+        properties: WorkerProperties;
+    }): Promise<void>;
+    promoteCanaryToStable(input: {
+        rolloutRef: ResourceRef;
+        stableScriptName: string;
+        canaryScriptName: string;
+        dispatchNamespace: string;
+        content: Uint8Array;
+        properties: WorkerProperties;
+    }): Promise<void>;
+    removeCanary(input: {
+        rolloutRef: ResourceRef;
+        scriptName: string;
+        dispatchNamespace: string;
+    }): Promise<void>;
+}
+export interface RolloutAdvanceInput {
+    readonly rollout: Rollout;
+    /** WorkerProperties of the user's stable Worker (resolved by lower). */
+    readonly stableProps: WorkerProperties;
+    /** Entrypoint bytes (already read from disk by caller). */
+    readonly entrypointContent: Uint8Array;
+}
+export interface RolloutAdvanceReport {
+    readonly label: string;
+    readonly previousStatus: string;
+    readonly nextStatus: string;
+    readonly nextWeight: number;
+    readonly actions: ReadonlyArray<Action>;
+}
+export interface RuntimeDeps {
+    readonly state: RolloutStateClient;
+    readonly effects: CanaryEffects;
+    readonly now: () => Date;
+}
+export declare function runCanaryAdvance(inputs: ReadonlyArray<RolloutAdvanceInput>, deps: RuntimeDeps): Promise<ReadonlyArray<RolloutAdvanceReport>>;
+export declare function bundleHash(props: WorkerProperties, entrypointContent: Uint8Array): string;
+//# sourceMappingURL=runtime.d.ts.map

package/dist/canary/runtime.js

@@ -0,0 +1,138 @@
+import { createHash } from 'node:crypto';
+import { advance, } from "./state-machine.js";
+export async function runCanaryAdvance(inputs, deps) {
+    const reports = [];
+    for (const input of inputs) {
+        reports.push(await processRollout(input, deps));
+    }
+    return reports;
+}
+async function processRollout(input, deps) {
+    const ns = input.rollout.metadata.namespace ?? 'default';
+    const name = input.rollout.metadata.name;
+    const label = `${ns}/${name}`;
+    const stateKey = `rollout/${ns}/${name}`;
+    const stableScriptName = `k1c--${ns}--${name}--stable`;
+    const canaryScriptName = `k1c--${ns}--${name}--canary`;
+    const desiredHash = bundleHash(input.stableProps, input.entrypointContent);
+    const steps = extractCanarySteps(input.rollout);
+    const previous = await loadState(deps, stateKey);
+    const out = advance({
+        state: previous,
+        desiredHash,
+        steps,
+        stableScriptName,
+        canaryScriptName,
+        now: deps.now(),
+    });
+    await executeActions(input, out.actions, deps, {
+        canaryScriptName,
+        stableScriptName,
+    });
+    await deps.state.write(stateKey, JSON.stringify(out.nextState));
+    return {
+        label,
+        previousStatus: previous?.status ?? 'absent',
+        nextStatus: out.nextState.status,
+        nextWeight: out.nextState.weight,
+        actions: out.actions,
+    };
+}
+async function loadState(deps, key) {
+    const raw = await deps.state.read(key);
+    if (raw === null)
+        return null;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function executeActions(input, actions, deps, names) {
+    const dispatchNs = input.stableProps.dispatchNamespace;
+    if (dispatchNs === undefined) {
+        throw new Error(`Rollout ${input.rollout.metadata.name}: stable WorkerProperties is missing dispatchNamespace; canary runtime requires it`);
+    }
+    const ref = {
+        apiVersion: input.rollout.apiVersion,
+        kind: input.rollout.kind,
+        namespace: input.rollout.metadata.namespace ?? 'default',
+        name: input.rollout.metadata.name,
+    };
+    const canaryProps = {
+        ...input.stableProps,
+        scriptName: names.canaryScriptName,
+    };
+    for (const action of actions) {
+        switch (action.kind) {
+            case 'init-stable':
+            case 'wait':
+            case 'set-weight':
+                // No script-side work: stable is uploaded by the standard apply path,
+                // and `set-weight` is realised by the dispatcher reading our updated state JSON.
+                break;
+            case 'upload-canary':
+                await deps.effects.uploadCanary({
+                    rolloutRef: ref,
+                    scriptName: names.canaryScriptName,
+                    dispatchNamespace: dispatchNs,
+                    content: input.entrypointContent,
+                    properties: canaryProps,
+                });
+                break;
+            case 'promote-canary':
+                await deps.effects.promoteCanaryToStable({
+                    rolloutRef: ref,
+                    stableScriptName: names.stableScriptName,
+                    canaryScriptName: names.canaryScriptName,
+                    dispatchNamespace: dispatchNs,
+                    content: input.entrypointContent,
+                    properties: { ...input.stableProps, scriptName: names.stableScriptName },
+                });
+                break;
+            case 'remove-canary':
+                await deps.effects.removeCanary({
+                    rolloutRef: ref,
+                    scriptName: names.canaryScriptName,
+                    dispatchNamespace: dispatchNs,
+                });
+                break;
+        }
+    }
+}
+function extractCanarySteps(rollout) {
+    if ('canary' in rollout.spec.strategy) {
+        return rollout.spec.strategy.canary.steps;
+    }
+    // blueGreen → equivalent to single 100% step (immediate cutover)
+    return [{ setWeight: 100 }];
+}
+export function bundleHash(props, entrypointContent) {
+    const h = createHash('sha256');
+    h.update(entrypointContent);
+    const bindingsKey = canonicalize({
+        vars: props.vars ?? {},
+        secrets: props.secrets ?? {},
+        bindings: props.bindings ?? [],
+        compatibilityDate: props.compatibilityDate,
+        compatibilityFlags: props.compatibilityFlags ?? [],
+        observability: props.observability,
+        placement: props.placement,
+    });
+    h.update(bindingsKey);
+    return h.digest('hex');
+}
+function canonicalize(value) {
+    return JSON.stringify(value, (_k, v) => {
+        if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
+            const sorted = {};
+            for (const k of Object.keys(v).sort()) {
+                sorted[k] = v[k];
+            }
+            return sorted;
+        }
+        return v;
+    });
+}
+//# sourceMappingURL=runtime.js.map