@mizchi/k1c 0.1.0

package/dist/manifest/lower.js

@@ -0,0 +1,913 @@
+import { Buffer } from 'node:buffer';
+import { createHash } from 'node:crypto';
+import { generateDispatcher } from "../canary/dispatcher-template.js";
+export class LowerError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'LowerError';
+    }
+}
+const DEFAULT_COMPATIBILITY_DATE = '2025-01-01';
+export async function lower(resources, options) {
+    const tables = {
+        configMaps: new Map(),
+        secrets: new Map(),
+        r2Buckets: new Map(),
+        kvNamespaces: new Map(),
+        hyperdrives: new Map(),
+        d1Databases: new Map(),
+        queues: new Map(),
+        vectorizes: new Map(),
+        serviceTargets: new Map(),
+    };
+    const deployments = [];
+    const rollouts = [];
+    const statefulSets = [];
+    const dispatchNamespaces = [];
+    const services = [];
+    const cronJobs = [];
+    const jobs = [];
+    const dnsRecords = [];
+    const logpushJobs = [];
+    for (const r of resources) {
+        const label = labelOf(r);
+        switch (r.kind) {
+            case 'Namespace':
+                break;
+            case 'ConfigMap':
+                tables.configMaps.set(label, r);
+                break;
+            case 'Secret':
+                tables.secrets.set(label, r);
+                break;
+            case 'R2Bucket':
+                tables.r2Buckets.set(label, r);
+                break;
+            case 'KVNamespace':
+                tables.kvNamespaces.set(label, r);
+                break;
+            case 'DispatchNamespace':
+                dispatchNamespaces.push(r);
+                break;
+            case 'Service':
+                services.push(r);
+                break;
+            case 'Deployment':
+                deployments.push(r);
+                break;
+            case 'Rollout':
+                rollouts.push(r);
+                break;
+            case 'StatefulSet':
+                statefulSets.push(r);
+                break;
+            case 'CronJob':
+                cronJobs.push(r);
+                break;
+            case 'Hyperdrive':
+                tables.hyperdrives.set(label, r);
+                break;
+            case 'D1Database':
+                tables.d1Databases.set(label, r);
+                break;
+            case 'Queue':
+                tables.queues.set(label, r);
+                break;
+            case 'Vectorize':
+                tables.vectorizes.set(label, r);
+                break;
+            case 'DNSRecord':
+                dnsRecords.push(r);
+                break;
+            case 'Job':
+                jobs.push(r);
+                break;
+            case 'LogpushJob':
+                logpushJobs.push(r);
+                break;
+        }
+    }
+    const desired = [];
+    const warnings = [];
+    // Pre-pass: build the Service → target Worker map so volume serviceRef resolution
+    // works regardless of resource declaration order in the manifest.
+    for (const s of services) {
+        const target = findServiceTarget(s, deployments, rollouts);
+        if (target !== null) {
+            const ns = s.metadata.namespace ?? 'default';
+            tables.serviceTargets.set(`${ns}/${s.metadata.name}`, target);
+        }
+    }
+    for (const b of tables.r2Buckets.values())
+        desired.push(lowerR2Bucket(b));
+    for (const kv of tables.kvNamespaces.values())
+        desired.push(lowerKVNamespace(kv));
+    for (const dn of dispatchNamespaces)
+        desired.push(lowerDispatchNamespace(dn));
+    for (const h of tables.hyperdrives.values())
+        desired.push(lowerHyperdrive(h, tables));
+    for (const d of tables.d1Databases.values())
+        desired.push(lowerD1Database(d));
+    for (const q of tables.queues.values()) {
+        desired.push(lowerQueue(q));
+    }
+    for (const v of tables.vectorizes.values())
+        desired.push(lowerVectorize(v));
+    for (const r of dnsRecords)
+        desired.push(lowerDNSRecord(r));
+    for (const j of logpushJobs)
+        desired.push(lowerLogpushJob(j));
+    for (const d of deployments) {
+        for (const w of await lowerDeployment(d, tables, options)) {
+            desired.push(w);
+        }
+    }
+    const emittedStateKvs = new Set();
+    for (const r of rollouts) {
+        for (const d of await lowerRollout(r, tables, warnings, emittedStateKvs, options)) {
+            desired.push(d);
+        }
+    }
+    for (const c of cronJobs) {
+        desired.push(await lowerCronJob(c, tables, options));
+    }
+    for (const s of statefulSets) {
+        desired.push(await lowerStatefulSet(s, tables, options));
+    }
+    for (const j of jobs) {
+        for (const d of await lowerJob(j, tables, options)) {
+            desired.push(d);
+        }
+    }
+    for (const s of services) {
+        const out = lowerService(s, deployments, rollouts, warnings);
+        if (out !== null)
+            desired.push(out);
+    }
+    return { desired, warnings };
+}
+function lowerVectorize(v) {
+    const ns = v.metadata.namespace ?? 'default';
+    const name = v.metadata.name;
+    return {
+        resourceType: 'Vectorize',
+        ref: refOf(v),
+        label: `${ns}/${name}`,
+        properties: {
+            indexName: `k1c-${ns}-${name}`,
+            dimensions: v.spec.dimensions,
+            metric: v.spec.metric,
+            ...(v.spec.description !== undefined ? { description: v.spec.description } : {}),
+        },
+    };
+}
+function lowerLogpushJob(l) {
+    const ns = l.metadata.namespace ?? 'default';
+    const name = l.metadata.name;
+    const scope = l.spec.zoneId !== undefined ? { zoneId: l.spec.zoneId } : { accountId: l.spec.accountId };
+    return {
+        resourceType: 'LogpushJob',
+        ref: refOf(l),
+        label: `${ns}/${name}`,
+        properties: {
+            jobName: `k1c-${ns}-${name}`,
+            scope,
+            dataset: l.spec.dataset,
+            destinationConf: l.spec.destinationConf,
+            ...(l.spec.enabled !== undefined ? { enabled: l.spec.enabled } : {}),
+            ...(l.spec.filter !== undefined ? { filter: l.spec.filter } : {}),
+        },
+    };
+}
+function lowerDNSRecord(r) {
+    const ns = r.metadata.namespace ?? 'default';
+    const name = r.metadata.name;
+    return {
+        resourceType: 'DNSRecord',
+        ref: refOf(r),
+        label: `${ns}/${name}`,
+        properties: {
+            zoneId: r.spec.zoneId,
+            type: r.spec.type,
+            name: r.spec.name,
+            content: r.spec.content,
+            ...(r.spec.ttl !== undefined ? { ttl: r.spec.ttl } : {}),
+            ...(r.spec.proxied !== undefined ? { proxied: r.spec.proxied } : {}),
+            ...(r.spec.priority !== undefined ? { priority: r.spec.priority } : {}),
+        },
+    };
+}
+async function lowerJob(j, tables, options) {
+    const ns = j.metadata.namespace ?? 'default';
+    const name = j.metadata.name;
+    const containers = j.spec.template.spec.containers;
+    if (containers.length !== 1) {
+        throw new LowerError(`Job ${ns}/${name}: jobTemplate must have exactly one container in v0.2 (got ${containers.length})`);
+    }
+    const annotations = j.metadata.annotations ?? {};
+    const className = annotations['cloudflare.com/workflow-class'] ??
+        `${name.charAt(0).toUpperCase()}${name.slice(1).replace(/-/g, '')}`;
+    if (!/^[A-Z][A-Za-z0-9_]*$/.test(className)) {
+        throw new LowerError(`Job ${ns}/${name}: derived Workflow class "${className}" is not a valid JS identifier; set \`cloudflare.com/workflow-class\` annotation explicitly`);
+    }
+    const ref = refOf(j);
+    const workers = await buildWorkerDesireds('Job', ref, j.metadata, j.spec.template, tables, options);
+    const worker = workers[0];
+    const scriptName = `k1c--${ns}--${name}`;
+    const workflowName = `k1c-${ns}-${name}`;
+    const workflowDesired = {
+        resourceType: 'Workflow',
+        ref: { ...ref, name: `${name}--workflow` },
+        label: `${ns}/${name}`,
+        properties: {
+            workflowName,
+            className,
+            scriptName,
+        },
+        dependsOn: [ref],
+    };
+    return [worker, workflowDesired];
+}
+async function lowerStatefulSet(s, tables, options) {
+    const ns = s.metadata.namespace ?? 'default';
+    const name = s.metadata.name;
+    const containers = s.spec.template.spec.containers;
+    if (containers.length !== 1) {
+        throw new LowerError(`StatefulSet ${ns}/${name}: only single-container Pods are supported in v0.2 (got ${containers.length})`);
+    }
+    const annotations = s.metadata.annotations ?? {};
+    const className = annotations['cloudflare.com/durable-object-class'] ??
+        `${name.charAt(0).toUpperCase()}${name.slice(1)}`;
+    if (!/^[A-Z][A-Za-z0-9_]*$/.test(className)) {
+        throw new LowerError(`StatefulSet ${ns}/${name}: derived Durable Object class "${className}" is not a valid JS identifier; set \`cloudflare.com/durable-object-class\` annotation explicitly`);
+    }
+    const ref = refOf(s);
+    const workers = await buildWorkerDesireds('StatefulSet', ref, s.metadata, s.spec.template, tables, options);
+    const worker = workers[0];
+    return {
+        ...worker,
+        properties: { ...worker.properties, durableObjectClasses: [className] },
+    };
+}
+async function lowerCronJob(c, tables, options) {
+    const ns = c.metadata.namespace ?? 'default';
+    const name = c.metadata.name;
+    const containers = c.spec.jobTemplate.spec.template.spec.containers;
+    if (containers.length !== 1) {
+        throw new LowerError(`CronJob ${ns}/${name}: jobTemplate must have exactly one container in v0.2 (got ${containers.length})`);
+    }
+    const ref = refOf(c);
+    const workers = await buildWorkerDesireds('CronJob', ref, c.metadata, c.spec.jobTemplate.spec.template, tables, options);
+    const worker = workers[0];
+    // Suspend semantics: keep the script but clear all schedules.
+    const cronSchedules = c.spec.suspend === true ? [] : [c.spec.schedule];
+    return {
+        ...worker,
+        properties: { ...worker.properties, cronSchedules },
+    };
+}
+function lowerService(s, deployments, rollouts, warnings) {
+    const ns = s.metadata.namespace ?? 'default';
+    const name = s.metadata.name;
+    const ref = refOf(s);
+    const type = s.spec.type ?? 'ClusterIP';
+    if (type === 'ClusterIP') {
+        // ClusterIP services do not produce a Cloudflare resource. They are a name → Worker
+        // mapping consumed by `volumes[].serviceRef` in other Pods (handled by the pre-pass
+        // that populates tables.serviceTargets). If no workload matches, warn so the user
+        // knows the binding will fail.
+        if (findServiceTarget(s, deployments, rollouts) === null) {
+            warnings.push({
+                ref,
+                message: `Service ${ns}/${name}: type=ClusterIP has no matching Deployment / Rollout for selector ${JSON.stringify(s.spec.selector)} (no workers will be reachable via this service)`,
+            });
+        }
+        return null;
+    }
+    const annotations = s.metadata.annotations ?? {};
+    const zoneId = annotations['cloudflare.com/zone-id'];
+    const hostname = annotations['cloudflare.com/hostname'];
+    if (!zoneId || !hostname) {
+        throw new LowerError(`Service ${ns}/${name}: type=LoadBalancer requires both \`cloudflare.com/zone-id\` and \`cloudflare.com/hostname\` annotations`);
+    }
+    // Match the selector against Deployment / Rollout in the same namespace.
+    const target = findWorkloadBySelector(s.spec.selector, ns, deployments, rollouts);
+    if (target === null) {
+        throw new LowerError(`Service ${ns}/${name}: no Deployment or Rollout in namespace "${ns}" matches selector ${JSON.stringify(s.spec.selector)}`);
+    }
+    const targetScriptName = `k1c--${ns}--${target.name}`;
+    return {
+        resourceType: 'CustomDomain',
+        ref,
+        label: hostname,
+        properties: {
+            hostname,
+            service: targetScriptName,
+            zoneId,
+            environment: annotations['cloudflare.com/environment'] ?? 'production',
+        },
+        dependsOn: [
+            {
+                apiVersion: target.apiVersion,
+                kind: target.kind,
+                namespace: ns,
+                name: target.name,
+            },
+        ],
+    };
+}
+function findWorkloadBySelector(selector, namespace, deployments, rollouts) {
+    for (const d of deployments) {
+        if ((d.metadata.namespace ?? 'default') !== namespace)
+            continue;
+        if (isSubset(selector, d.spec.selector.matchLabels)) {
+            return { apiVersion: d.apiVersion, kind: 'Deployment', name: d.metadata.name };
+        }
+    }
+    for (const r of rollouts) {
+        if ((r.metadata.namespace ?? 'default') !== namespace)
+            continue;
+        if (isSubset(selector, r.spec.selector.matchLabels)) {
+            return { apiVersion: r.apiVersion, kind: 'Rollout', name: r.metadata.name };
+        }
+    }
+    return null;
+}
+/**
+ * Resolves a Service to the script name of its primary target Worker, or null when
+ * no Deployment / Rollout in the same namespace matches the Service selector.
+ */
+function findServiceTarget(s, deployments, rollouts) {
+    const ns = s.metadata.namespace ?? 'default';
+    const match = findWorkloadBySelector(s.spec.selector, ns, deployments, rollouts);
+    if (match === null)
+        return null;
+    return `k1c--${ns}--${match.name}`;
+}
+function isSubset(small, large) {
+    for (const [k, v] of Object.entries(small)) {
+        if (large[k] !== v)
+            return false;
+    }
+    return true;
+}
+async function defaultReadFile(path) {
+    const fs = await import('node:fs/promises');
+    return fs.readFile(path);
+}
+async function hashEntrypoint(props, options) {
+    let bytes;
+    if (props.entrypointContent !== undefined) {
+        bytes = new TextEncoder().encode(props.entrypointContent);
+    }
+    else {
+        const reader = options?.readFile ?? defaultReadFile;
+        bytes = await reader(props.entrypoint);
+    }
+    return createHash('sha256').update(bytes).digest('hex');
+}
+function lowerDispatchNamespace(dn) {
+    const ns = dn.metadata.namespace ?? 'default';
+    const name = dn.metadata.name;
+    return {
+        resourceType: 'DispatchNamespace',
+        ref: refOf(dn),
+        label: `${ns}/${name}`,
+        properties: { namespaceName: `k1c-${ns}-${name}` },
+    };
+}
+function labelOf(r) {
+    return `${r.metadata.namespace ?? 'default'}/${r.metadata.name}`;
+}
+function refOf(r) {
+    return {
+        apiVersion: r.apiVersion,
+        kind: r.kind,
+        namespace: r.metadata.namespace ?? 'default',
+        name: r.metadata.name,
+    };
+}
+function lowerR2Bucket(b) {
+    const ns = b.metadata.namespace ?? 'default';
+    const name = b.metadata.name;
+    const properties = {
+        bucketName: `k1c-${ns}-${name}`,
+        ...(b.spec.location !== undefined ? { location: b.spec.location } : {}),
+        ...(b.spec.storageClass !== undefined ? { storageClass: b.spec.storageClass } : {}),
+    };
+    return {
+        resourceType: 'R2Bucket',
+        ref: refOf(b),
+        label: `${ns}/${name}`,
+        properties,
+    };
+}
+function lowerHyperdrive(h, tables) {
+    const ns = h.metadata.namespace ?? 'default';
+    const name = h.metadata.name;
+    const sRef = h.spec.origin.passwordSecretRef;
+    const sec = tables.secrets.get(`${ns}/${sRef.name}`);
+    if (!sec) {
+        throw new LowerError(`Hyperdrive ${ns}/${name}: Secret "${sRef.name}" referenced by passwordSecretRef not found in namespace "${ns}"`);
+    }
+    const password = secretValue(sec, sRef.key);
+    if (password === undefined) {
+        throw new LowerError(`Hyperdrive ${ns}/${name}: Secret "${sRef.name}" has no key "${sRef.key}"`);
+    }
+    const cfgName = `k1c-${ns}-${name}`;
+    return {
+        resourceType: 'Hyperdrive',
+        ref: refOf(h),
+        label: `${ns}/${name}`,
+        properties: {
+            name: cfgName,
+            origin: {
+                scheme: h.spec.origin.scheme,
+                host: h.spec.origin.host,
+                port: h.spec.origin.port,
+                database: h.spec.origin.database,
+                user: h.spec.origin.user,
+                password,
+            },
+            ...(h.spec.caching !== undefined ? { caching: h.spec.caching } : {}),
+            ...(h.spec.originConnectionLimit !== undefined
+                ? { originConnectionLimit: h.spec.originConnectionLimit }
+                : {}),
+        },
+        dependsOn: [refOf(sec)],
+    };
+}
+function lowerD1Database(d) {
+    const ns = d.metadata.namespace ?? 'default';
+    const name = d.metadata.name;
+    return {
+        resourceType: 'D1Database',
+        ref: refOf(d),
+        label: `${ns}/${name}`,
+        properties: {
+            databaseName: `k1c-${ns}-${name}`,
+            ...(d.spec?.primaryLocationHint !== undefined
+                ? { primaryLocationHint: d.spec.primaryLocationHint }
+                : {}),
+        },
+    };
+}
+function lowerQueue(q) {
+    const ns = q.metadata.namespace ?? 'default';
+    const name = q.metadata.name;
+    const consumer = q.spec?.consumer;
+    return {
+        resourceType: 'Queue',
+        ref: refOf(q),
+        label: `${ns}/${name}`,
+        properties: {
+            queueName: `k1c-${ns}-${name}`,
+            ...(consumer !== undefined
+                ? { consumerWorkerName: `k1c--${ns}--${consumer.workerName}` }
+                : {}),
+        },
+        ...(consumer !== undefined
+            ? {
+                dependsOn: [
+                    {
+                        apiVersion: 'apps/v1',
+                        kind: 'Deployment',
+                        namespace: ns,
+                        name: consumer.workerName,
+                    },
+                ],
+            }
+            : {}),
+    };
+}
+function lowerKVNamespace(kv) {
+    const ns = kv.metadata.namespace ?? 'default';
+    const name = kv.metadata.name;
+    return {
+        resourceType: 'KVNamespace',
+        ref: refOf(kv),
+        label: `${ns}/${name}`,
+        properties: { title: kv.spec.title ?? `k1c/${ns}/${name}` },
+    };
+}
+async function lowerDeployment(d, tables, options) {
+    return buildWorkerDesireds('Deployment', refOf(d), d.metadata, d.spec.template, tables, options);
+}
+async function lowerRollout(r, tables, warnings, emittedStateKvs, options) {
+    const ns = r.metadata.namespace ?? 'default';
+    const name = r.metadata.name;
+    const ref = refOf(r);
+    const annotations = r.metadata.annotations ?? {};
+    const dispatchAnno = annotations['cloudflare.com/dispatch-namespace'];
+    if (dispatchAnno !== undefined) {
+        return lowerCanaryRollout(r, dispatchAnno, tables, warnings, emittedStateKvs, options);
+    }
+    if ('canary' in r.spec.strategy) {
+        warnings.push({
+            ref,
+            message: `Rollout ${ns}/${name}: canary strategy is not yet implemented in v0.1; deploying new version at 100% (treating as immediate cutover)`,
+        });
+    }
+    else {
+        const bg = r.spec.strategy.blueGreen;
+        if (bg.autoPromotionEnabled === false) {
+            warnings.push({
+                ref,
+                message: `Rollout ${ns}/${name}: blueGreen with autoPromotionEnabled=false is not yet implemented in v0.1; deploying new version at 100%`,
+            });
+        }
+    }
+    return buildWorkerDesireds('Rollout', ref, r.metadata, r.spec.template, tables, options);
+}
+async function lowerCanaryRollout(r, dispatchAnno, tables, warnings, emittedStateKvs, options) {
+    const ns = r.metadata.namespace ?? 'default';
+    const name = r.metadata.name;
+    const ref = refOf(r);
+    const dispatchNsCFName = `k1c-${ns}-${dispatchAnno}`;
+    const stableScriptName = `k1c--${ns}--${name}--stable`;
+    const canaryScriptName = `k1c--${ns}--${name}--canary`;
+    const dispatcherScriptName = `k1c--${ns}--${name}`;
+    const stateKvK8sName = `rollout-state-${dispatchAnno}`;
+    const stateKvCFTitle = `k1c/rollout-state/${dispatchAnno}`;
+    const dispatchNsRef = {
+        apiVersion: 'cloudflare.k1c.io/v1alpha1',
+        kind: 'DispatchNamespace',
+        namespace: ns,
+        name: dispatchAnno,
+    };
+    const stateKvRef = {
+        apiVersion: 'cloudflare.k1c.io/v1alpha1',
+        kind: 'KVNamespace',
+        namespace: ns,
+        name: stateKvK8sName,
+    };
+    const results = [];
+    // Auto-emit the rollout-state KV (shared across all rollouts in the same dispatch namespace).
+    if (!emittedStateKvs.has(stateKvCFTitle)) {
+        emittedStateKvs.add(stateKvCFTitle);
+        results.push({
+            resourceType: 'KVNamespace',
+            ref: stateKvRef,
+            label: `${ns}/${stateKvK8sName}`,
+            properties: { title: stateKvCFTitle },
+        });
+    }
+    // Canary path is single-container in v0.1.6. Multi-container Rollout-with-dispatch
+    // would need per-container canary lifecycles, deferred to a future ADR.
+    if (r.spec.template.spec.containers.length !== 1) {
+        throw new LowerError(`Rollout ${ns}/${name}: canary Rollouts (with cloudflare.com/dispatch-namespace) currently support a single container only; got ${r.spec.template.spec.containers.length}`);
+    }
+    // Stable Worker = the user's code, deployed into the dispatch namespace under <name>--stable.
+    const userWorkers = await buildWorkerDesireds('Rollout', ref, r.metadata, r.spec.template, tables, options);
+    const userWorker = userWorkers[0];
+    const stableRef = { ...ref, name: `${name}--stable` };
+    const stableProperties = {
+        ...userWorker.properties,
+        scriptName: stableScriptName,
+        dispatchNamespace: dispatchNsCFName,
+    };
+    const stableDeps = [...(userWorker.dependsOn ?? []), dispatchNsRef];
+    results.push({
+        resourceType: 'Worker',
+        ref: stableRef,
+        label: `${ns}/${name}--stable`,
+        properties: stableProperties,
+        dependsOn: stableDeps,
+    });
+    // Dispatcher Worker = generated by k1c, deployed top-level. Routes via env.NAMESPACE.get(...)
+    // based on the weight stored in env.STATE under the rollout key.
+    const dispatcherSource = generateDispatcher({
+        rolloutKey: `rollout/${ns}/${name}`,
+        stableName: stableScriptName,
+        canaryName: canaryScriptName,
+    });
+    const dispatcherBaseProperties = {
+        scriptName: dispatcherScriptName,
+        entrypoint: '<k1c-generated:dispatcher>',
+        entrypointContent: dispatcherSource,
+        compatibilityDate: r.metadata.annotations?.['cloudflare.com/compatibility-date'] ??
+            DEFAULT_COMPATIBILITY_DATE,
+        bindings: [
+            { type: 'dispatch_namespace', name: 'NAMESPACE', dispatchNamespace: dispatchNsCFName },
+            { type: 'kv_namespace', name: 'STATE', namespaceId: `<resolved-at-apply:${stateKvK8sName}>` },
+        ],
+    };
+    const dispatcherProperties = {
+        ...dispatcherBaseProperties,
+        entrypointHash: await hashEntrypoint(dispatcherBaseProperties, options),
+    };
+    results.push({
+        resourceType: 'Worker',
+        ref,
+        label: `${ns}/${name}`,
+        properties: dispatcherProperties,
+        dependsOn: [dispatchNsRef, stateKvRef, stableRef],
+    });
+    // Note: the canary script itself is not emitted at lower time — its lifecycle (create
+    // / update / delete) is owned by the v0.1.2-ε state machine on apply, which compares
+    // current code against the stored "stable hash" to decide when to spawn a candidate.
+    if ('canary' in r.spec.strategy) {
+        warnings.push({
+            ref,
+            message: `Rollout ${ns}/${name}: canary state machine is not yet implemented (v0.1.2-ε); dispatcher routes 100% to stable until rollout-state KV is populated`,
+        });
+    }
+    else if (r.spec.strategy.blueGreen.autoPromotionEnabled === false) {
+        warnings.push({
+            ref,
+            message: `Rollout ${ns}/${name}: manual blueGreen promotion is not yet implemented; dispatcher routes 100% to stable`,
+        });
+    }
+    return results;
+}
+/**
+ * Lowers a Pod template into one Worker per container. The first container is the
+ * "primary" front-door and keeps the unsuffixed script name (`k1c--<ns>--<name>`); any
+ * additional container becomes a sidecar Worker named `k1c--<ns>--<name>--<container>`.
+ *
+ * When the Pod has multiple containers, every Worker gets `service` bindings to all of
+ * its siblings, addressable inside the Worker as `env.<container-name>.fetch(req)`.
+ * This preserves the k8s "containers in a Pod talk to each other" mental model on top
+ * of Cloudflare's flat Worker namespace.
+ */
+async function buildWorkerDesireds(kind, ref, meta, template, tables, options) {
+    const ns = meta.namespace ?? 'default';
+    const name = meta.name;
+    const containers = template.spec.containers;
+    if (containers.length === 0) {
+        throw new LowerError(`${kind} ${ns}/${name}: at least one container is required`);
+    }
+    const baseScriptName = `k1c--${ns}--${name}`;
+    const scriptNames = containers.map((c, i) => i === 0 ? baseScriptName : `${baseScriptName}--${c.name}`);
+    const results = [];
+    for (let i = 0; i < containers.length; i += 1) {
+        const container = containers[i];
+        const scriptName = scriptNames[i];
+        const containerRef = i === 0 ? ref : { ...ref, name: `${name}--${container.name}` };
+        const containerLabel = i === 0 ? `${ns}/${name}` : `${ns}/${name}--${container.name}`;
+        const built = await buildContainerProperties(kind, ns, name, scriptName, container, template, meta.annotations ?? {}, tables);
+        // Auto-wire sibling service bindings for multi-container Pods.
+        let bindings = built.bindings;
+        if (containers.length > 1) {
+            const siblings = [];
+            for (let j = 0; j < containers.length; j += 1) {
+                if (j === i)
+                    continue;
+                siblings.push({
+                    type: 'service',
+                    name: containers[j].name,
+                    service: scriptNames[j],
+                });
+            }
+            bindings = [...bindings, ...siblings];
+        }
+        const baseProperties = {
+            scriptName,
+            entrypoint: container.image,
+            compatibilityDate: built.compatibilityDate,
+            ...(built.compatibilityFlags !== undefined
+                ? { compatibilityFlags: built.compatibilityFlags }
+                : {}),
+            ...(Object.keys(built.vars).length > 0 ? { vars: built.vars } : {}),
+            ...(Object.keys(built.secrets).length > 0 ? { secrets: built.secrets } : {}),
+            ...(bindings.length > 0 ? { bindings } : {}),
+            ...(built.observability !== undefined
+                ? { observability: built.observability }
+                : {}),
+            ...(built.placement !== undefined ? { placement: built.placement } : {}),
+        };
+        const properties = {
+            ...baseProperties,
+            entrypointHash: await hashEntrypoint(baseProperties, options),
+        };
+        results.push({
+            resourceType: 'Worker',
+            ref: containerRef,
+            label: containerLabel,
+            properties,
+            ...(built.dependsOn.length > 0 ? { dependsOn: built.dependsOn } : {}),
+        });
+    }
+    return results;
+}
+async function buildContainerProperties(kind, ns, name, scriptName, container, template, annotations, tables) {
+    const dependsOn = [];
+    const vars = {};
+    const secrets = {};
+    const ctxLabel = `${kind} ${ns}/${name}/${container.name}`;
+    for (const env of container.env ?? []) {
+        if (env.value !== undefined) {
+            vars[env.name] = env.value;
+            continue;
+        }
+        const valueFrom = env.valueFrom;
+        if (!valueFrom) {
+            throw new LowerError(`${ctxLabel}: env "${env.name}" has neither value nor valueFrom`);
+        }
+        if (valueFrom.configMapKeyRef) {
+            const cmRef = valueFrom.configMapKeyRef;
+            const cm = tables.configMaps.get(`${ns}/${cmRef.name}`);
+            if (!cm) {
+                throw new LowerError(`${ctxLabel}: ConfigMap "${cmRef.name}" not found in namespace "${ns}" (env ${env.name})`);
+            }
+            const value = cm.data?.[cmRef.key];
+            if (value === undefined) {
+                throw new LowerError(`${ctxLabel}: ConfigMap "${cmRef.name}" has no key "${cmRef.key}"`);
+            }
+            vars[env.name] = value;
+            pushUnique(dependsOn, refOf(cm));
+        }
+        else if (valueFrom.secretKeyRef) {
+            const sRef = valueFrom.secretKeyRef;
+            const sec = tables.secrets.get(`${ns}/${sRef.name}`);
+            if (!sec) {
+                throw new LowerError(`${ctxLabel}: Secret "${sRef.name}" not found in namespace "${ns}" (env ${env.name})`);
+            }
+            const value = secretValue(sec, sRef.key);
+            if (value === undefined) {
+                throw new LowerError(`${ctxLabel}: Secret "${sRef.name}" has no key "${sRef.key}"`);
+            }
+            secrets[env.name] = value;
+            pushUnique(dependsOn, refOf(sec));
+        }
+        else {
+            throw new LowerError(`${ctxLabel}: env "${env.name}" valueFrom must specify configMapKeyRef or secretKeyRef`);
+        }
+    }
+    const bindings = [];
+    const volumes = template.spec.volumes ?? [];
+    const volumesByName = new Map(volumes.map((v) => [v.name, v]));
+    for (const mount of container.volumeMounts ?? []) {
+        const vol = volumesByName.get(mount.name);
+        if (!vol) {
+            throw new LowerError(`${ctxLabel}: volumeMount "${mount.name}" has no matching volume`);
+        }
+        if (vol.r2BucketRef) {
+            const b = tables.r2Buckets.get(`${ns}/${vol.r2BucketRef.name}`);
+            if (!b) {
+                throw new LowerError(`${ctxLabel}: R2Bucket "${vol.r2BucketRef.name}" not found in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'r2_bucket',
+                name: mount.mountPath,
+                bucketName: `k1c-${ns}-${b.metadata.name}`,
+            });
+            pushUnique(dependsOn, refOf(b));
+        }
+        else if (vol.kvNamespaceRef) {
+            const kv = tables.kvNamespaces.get(`${ns}/${vol.kvNamespaceRef.name}`);
+            if (!kv) {
+                throw new LowerError(`${ctxLabel}: KVNamespace "${vol.kvNamespaceRef.name}" not found in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'kv_namespace',
+                name: mount.mountPath,
+                namespaceId: `<resolved-at-apply:${kv.metadata.name}>`,
+            });
+            pushUnique(dependsOn, refOf(kv));
+        }
+        else if (vol.serviceRef) {
+            const targetScriptName = tables.serviceTargets.get(`${ns}/${vol.serviceRef.name}`);
+            if (targetScriptName === undefined) {
+                throw new LowerError(`${ctxLabel}: Service "${vol.serviceRef.name}" not found (or has no matching workload) in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'service',
+                name: mount.mountPath,
+                service: targetScriptName,
+            });
+            pushUnique(dependsOn, {
+                apiVersion: 'v1',
+                kind: 'Service',
+                namespace: ns,
+                name: vol.serviceRef.name,
+            });
+        }
+        else if (vol.hyperdriveRef) {
+            const h = tables.hyperdrives.get(`${ns}/${vol.hyperdriveRef.name}`);
+            if (!h) {
+                throw new LowerError(`${ctxLabel}: Hyperdrive "${vol.hyperdriveRef.name}" not found in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'hyperdrive',
+                name: mount.mountPath,
+                hyperdriveId: `<resolved-at-apply:hyperdrive:${h.metadata.name}>`,
+            });
+            pushUnique(dependsOn, refOf(h));
+        }
+        else if (vol.d1DatabaseRef) {
+            const d = tables.d1Databases.get(`${ns}/${vol.d1DatabaseRef.name}`);
+            if (!d) {
+                throw new LowerError(`${ctxLabel}: D1Database "${vol.d1DatabaseRef.name}" not found in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'd1',
+                name: mount.mountPath,
+                databaseId: `<resolved-at-apply:d1:${d.metadata.name}>`,
+            });
+            pushUnique(dependsOn, refOf(d));
+        }
+        else if (vol.queueRef) {
+            const q = tables.queues.get(`${ns}/${vol.queueRef.name}`);
+            if (!q) {
+                throw new LowerError(`${ctxLabel}: Queue "${vol.queueRef.name}" not found in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'queue',
+                name: mount.mountPath,
+                queueName: `k1c-${ns}-${q.metadata.name}`,
+            });
+            pushUnique(dependsOn, refOf(q));
+        }
+        else if (vol.vectorizeRef) {
+            const v = tables.vectorizes.get(`${ns}/${vol.vectorizeRef.name}`);
+            if (!v) {
+                throw new LowerError(`${ctxLabel}: Vectorize "${vol.vectorizeRef.name}" not found in namespace "${ns}"`);
+            }
+            bindings.push({
+                type: 'vectorize',
+                name: mount.mountPath,
+                indexName: `k1c-${ns}-${v.metadata.name}`,
+            });
+            pushUnique(dependsOn, refOf(v));
+        }
+        else if (vol.analyticsEngineRef) {
+            bindings.push({
+                type: 'analytics_engine',
+                name: mount.mountPath,
+                dataset: vol.analyticsEngineRef.dataset,
+            });
+        }
+        else {
+            throw new LowerError(`${ctxLabel}: volume "${vol.name}" has no recognised reference (r2BucketRef, kvNamespaceRef, serviceRef, hyperdriveRef, d1DatabaseRef, queueRef, vectorizeRef, or analyticsEngineRef)`);
+        }
+    }
+    // Pod-level annotations for the no-config bindings: AI, Browser Rendering,
+    // Version Metadata. Value `enabled` uses the default JS binding name; any other
+    // string overrides it.
+    const aiAnno = annotations['cloudflare.com/ai'];
+    if (aiAnno !== undefined) {
+        bindings.push({ type: 'ai', name: aiAnno === 'enabled' ? 'AI' : aiAnno });
+    }
+    const browserAnno = annotations['cloudflare.com/browser-rendering'];
+    if (browserAnno !== undefined) {
+        bindings.push({
+            type: 'browser',
+            name: browserAnno === 'enabled' ? 'BROWSER' : browserAnno,
+        });
+    }
+    const vmAnno = annotations['cloudflare.com/version-metadata'];
+    if (vmAnno !== undefined) {
+        bindings.push({
+            type: 'version_metadata',
+            name: vmAnno === 'enabled' ? 'CF_VERSION' : vmAnno,
+        });
+    }
+    // Annotations are pod-level: every container in the Pod inherits compatibility-date,
+    // observability, smart-placement, etc. This matches kubectl semantics.
+    const flagsAnno = annotations['cloudflare.com/compatibility-flags'];
+    const compatibilityFlags = flagsAnno
+        ? flagsAnno
+            .split(',')
+            .map((s) => s.trim())
+            .filter((s) => s.length > 0)
+        : undefined;
+    // scriptName is parameter-only so the function compiles cleanly without referencing it
+    // outside the result; the caller wires it into WorkerProperties.
+    void scriptName;
+    return {
+        vars,
+        secrets,
+        bindings,
+        dependsOn,
+        compatibilityDate: annotations['cloudflare.com/compatibility-date'] ?? DEFAULT_COMPATIBILITY_DATE,
+        compatibilityFlags,
+        observability: annotations['cloudflare.com/observability'] === 'enabled'
+            ? { enabled: true }
+            : undefined,
+        placement: annotations['cloudflare.com/smart-placement'] === 'smart'
+            ? { mode: 'smart' }
+            : undefined,
+    };
+}
+function secretValue(sec, key) {
+    const fromString = sec.stringData?.[key];
+    if (fromString !== undefined)
+        return fromString;
+    const fromData = sec.data?.[key];
+    if (fromData !== undefined)
+        return Buffer.from(fromData, 'base64').toString('utf-8');
+    return undefined;
+}
+function pushUnique(list, ref) {
+    for (const existing of list) {
+        if (existing.apiVersion === ref.apiVersion &&
+            existing.kind === ref.kind &&
+            existing.namespace === ref.namespace &&
+            existing.name === ref.name) {
+            return;
+        }
+    }
+    list.push(ref);
+}
+//# sourceMappingURL=lower.js.map