@mizchi/k1c 0.2.0 → 0.4.0

package/dist/manifest/schemas.js

@@ -32,6 +32,8 @@ const volumeSchema = z.object({
     queueRef: z.object({ name: z.string() }).optional(),
     vectorizeRef: z.object({ name: z.string() }).optional(),
     analyticsEngineRef: z.object({ dataset: z.string() }).optional(),
+    mtlsCertificateRef: z.object({ certificateId: z.string() }).optional(),
+    pipelinesRef: z.object({ pipelineId: z.string() }).optional(),
 });
 const containerSchema = z.object({
     name: z.string(),
@@ -286,6 +288,64 @@ export const logpushJobSchema = z.object({
         message: 'LogpushJob.spec must specify exactly one of zoneId / accountId',
     }),
 });
+const ingressBackendSchema = z.object({
+    service: z.object({
+        name: z.string().min(1),
+        port: z
+            .object({
+            number: z.number().int().positive().optional(),
+            name: z.string().optional(),
+        })
+            .optional(),
+    }),
+});
+const ingressPathSchema = z.object({
+    path: z.string().min(1),
+    pathType: z.enum(['Prefix', 'Exact', 'ImplementationSpecific']),
+    backend: ingressBackendSchema,
+});
+const ingressRuleSchema = z.object({
+    host: z.string().min(1).optional(),
+    http: z.object({ paths: z.array(ingressPathSchema).min(1) }),
+});
+const accessRuleSchema = z.union([
+    z.object({ email: z.object({ email: z.string().min(1) }) }),
+    z.object({ emailDomain: z.object({ domain: z.string().min(1) }) }),
+    z.object({ everyone: z.object({}).strict() }),
+    z.object({ ip: z.object({ ip: z.string().min(1) }) }),
+    z.object({ country: z.object({ code: z.string().min(2) }) }),
+    z.object({ serviceToken: z.object({ tokenId: z.string().min(1) }) }),
+    z.object({ anyValidServiceToken: z.object({}).strict() }),
+]);
+const accessAppPolicySchema = z.object({
+    name: z.string().min(1),
+    decision: z.enum(['allow', 'deny', 'bypass', 'non_identity']),
+    include: z.array(accessRuleSchema).min(1),
+    exclude: z.array(accessRuleSchema).optional(),
+    require: z.array(accessRuleSchema).optional(),
+    sessionDuration: z.string().optional(),
+});
+export const accessApplicationSchema = z.object({
+    apiVersion: z.literal('cloudflare.k1c.io/v1alpha1'),
+    kind: z.literal('AccessApplication'),
+    metadata: objectMetaSchema,
+    spec: z.object({
+        domain: z.string().min(1),
+        sessionDuration: z.string().optional(),
+        autoRedirectToIdentity: z.boolean().optional(),
+        allowedIdps: z.array(z.string()).optional(),
+        policies: z.array(accessAppPolicySchema).min(1),
+    }),
+});
+export const ingressSchema = z.object({
+    apiVersion: z.literal('networking.k8s.io/v1'),
+    kind: z.literal('Ingress'),
+    metadata: objectMetaSchema,
+    spec: z.object({
+        rules: z.array(ingressRuleSchema).min(1),
+        defaultBackend: ingressBackendSchema.optional(),
+    }),
+});
 export const k1cResourceSchema = z.discriminatedUnion('kind', [
     deploymentSchema,
     rolloutSchema,
@@ -305,5 +365,7 @@ export const k1cResourceSchema = z.discriminatedUnion('kind', [
     vectorizeSchema,
     dnsRecordSchema,
     logpushJobSchema,
+    ingressSchema,
+    accessApplicationSchema,
 ]);
 //# sourceMappingURL=schemas.js.map

package/dist/manifest/types.d.ts

@@ -61,6 +61,12 @@ export interface Volume {
     readonly analyticsEngineRef?: {
         readonly dataset: string;
     };
+    readonly mtlsCertificateRef?: {
+        readonly certificateId: string;
+    };
+    readonly pipelinesRef?: {
+        readonly pipelineId: string;
+    };
 }
 export interface PodTemplateSpec {
     readonly metadata?: ObjectMeta;
@@ -233,7 +239,75 @@ export interface LogpushJobSpec {
     readonly filter?: string;
 }
 export type LogpushJob = BaseResource<'LogpushJob', 'cloudflare.k1c.io/v1alpha1', LogpushJobSpec>;
-export type K1cResource = Deployment | Rollout | StatefulSet | CronJob | Job | ConfigMapResource | SecretResource | NamespaceResource | ServiceResource | R2Bucket | KVNamespace | DispatchNamespace | Hyperdrive | D1Database | Queue | Vectorize | DNSRecord | LogpushJob;
+export type IngressPathType = 'Prefix' | 'Exact' | 'ImplementationSpecific';
+export interface IngressBackend {
+    readonly service: {
+        readonly name: string;
+        readonly port?: {
+            readonly number?: number;
+            readonly name?: string;
+        };
+    };
+}
+export interface IngressPath {
+    readonly path: string;
+    readonly pathType: IngressPathType;
+    readonly backend: IngressBackend;
+}
+export interface IngressRule {
+    readonly host?: string;
+    readonly http: {
+        readonly paths: ReadonlyArray<IngressPath>;
+    };
+}
+export interface IngressSpec {
+    readonly rules: ReadonlyArray<IngressRule>;
+    readonly defaultBackend?: IngressBackend;
+}
+export type Ingress = BaseResource<'Ingress', 'networking.k8s.io/v1', IngressSpec>;
+export type AccessDecision = 'allow' | 'deny' | 'bypass' | 'non_identity';
+export type AccessRule = {
+    readonly email: {
+        readonly email: string;
+    };
+} | {
+    readonly emailDomain: {
+        readonly domain: string;
+    };
+} | {
+    readonly everyone: Readonly<Record<string, never>>;
+} | {
+    readonly ip: {
+        readonly ip: string;
+    };
+} | {
+    readonly country: {
+        readonly code: string;
+    };
+} | {
+    readonly serviceToken: {
+        readonly tokenId: string;
+    };
+} | {
+    readonly anyValidServiceToken: Readonly<Record<string, never>>;
+};
+export interface AccessAppPolicy {
+    readonly name: string;
+    readonly decision: AccessDecision;
+    readonly include: ReadonlyArray<AccessRule>;
+    readonly exclude?: ReadonlyArray<AccessRule>;
+    readonly require?: ReadonlyArray<AccessRule>;
+    readonly sessionDuration?: string;
+}
+export interface AccessApplicationSpec {
+    readonly domain: string;
+    readonly sessionDuration?: string;
+    readonly autoRedirectToIdentity?: boolean;
+    readonly allowedIdps?: ReadonlyArray<string>;
+    readonly policies: ReadonlyArray<AccessAppPolicy>;
+}
+export type AccessApplication = BaseResource<'AccessApplication', 'cloudflare.k1c.io/v1alpha1', AccessApplicationSpec>;
+export type K1cResource = Deployment | Rollout | StatefulSet | CronJob | Job | ConfigMapResource | SecretResource | NamespaceResource | ServiceResource | R2Bucket | KVNamespace | DispatchNamespace | Hyperdrive | D1Database | Queue | Vectorize | DNSRecord | LogpushJob | Ingress | AccessApplication;
 export type ResourceKind = K1cResource['kind'];
 export interface ResourceRef {
     readonly apiVersion: string;

package/dist/providers/access-application.d.ts

@@ -0,0 +1,53 @@
+import { z } from 'zod';
+import type { CloudflareResourceProvider } from './types.ts';
+export type AccessDecisionWire = 'allow' | 'deny' | 'bypass' | 'non_identity';
+/**
+ * SDK-shaped (snake_case) Access rule. The lowering layer translates the camelCase
+ * manifest form into this once and the provider then ferries it across the API
+ * verbatim. Keeping a flat wire shape here makes the discriminated union match
+ * Cloudflare's response without a second translation step.
+ */
+export type AccessRuleWire = {
+    readonly email: {
+        readonly email: string;
+    };
+} | {
+    readonly email_domain: {
+        readonly domain: string;
+    };
+} | {
+    readonly everyone: Readonly<Record<string, never>>;
+} | {
+    readonly ip: {
+        readonly ip: string;
+    };
+} | {
+    readonly country: {
+        readonly country_code: string;
+    };
+} | {
+    readonly service_token: {
+        readonly token_id: string;
+    };
+} | {
+    readonly any_valid_service_token: Readonly<Record<string, never>>;
+};
+export interface AccessAppPolicyWire {
+    readonly name: string;
+    readonly decision: AccessDecisionWire;
+    readonly include: ReadonlyArray<AccessRuleWire>;
+    readonly exclude?: ReadonlyArray<AccessRuleWire>;
+    readonly require?: ReadonlyArray<AccessRuleWire>;
+    readonly session_duration?: string;
+}
+export interface AccessApplicationProperties {
+    readonly appName: string;
+    readonly domain: string;
+    readonly sessionDuration?: string;
+    readonly autoRedirectToIdentity?: boolean;
+    readonly allowedIdps?: ReadonlyArray<string>;
+    readonly policies: ReadonlyArray<AccessAppPolicyWire>;
+}
+export declare const accessApplicationSchema: z.ZodType<AccessApplicationProperties>;
+export declare const accessApplicationProvider: CloudflareResourceProvider<AccessApplicationProperties>;
+//# sourceMappingURL=access-application.d.ts.map

package/dist/providers/access-application.js

@@ -0,0 +1,183 @@
+import { z } from 'zod';
+import { NotFound } from "./types.js";
+import { toProviderError } from "./errors.js";
+const accessRuleWireSchema = z.union([
+    z.object({ email: z.object({ email: z.string() }) }),
+    z.object({ email_domain: z.object({ domain: z.string() }) }),
+    z.object({ everyone: z.object({}).strict() }),
+    z.object({ ip: z.object({ ip: z.string() }) }),
+    z.object({ country: z.object({ country_code: z.string() }) }),
+    z.object({ service_token: z.object({ token_id: z.string() }) }),
+    z.object({ any_valid_service_token: z.object({}).strict() }),
+]);
+const accessAppPolicyWireSchema = z.object({
+    name: z.string(),
+    decision: z.enum(['allow', 'deny', 'bypass', 'non_identity']),
+    include: z.array(accessRuleWireSchema),
+    exclude: z.array(accessRuleWireSchema).optional(),
+    require: z.array(accessRuleWireSchema).optional(),
+    session_duration: z.string().optional(),
+});
+export const accessApplicationSchema = z.object({
+    appName: z.string(),
+    domain: z.string(),
+    sessionDuration: z.string().optional(),
+    autoRedirectToIdentity: z.boolean().optional(),
+    allowedIdps: z.array(z.string()).optional(),
+    policies: z.array(accessAppPolicyWireSchema),
+});
+const NAME_PREFIX = 'k1c-';
+/**
+ * Cloudflare Access Applications carry no per-app comment field, so ownership is
+ * inferred from the application name starting with the `k1c-` prefix. This is
+ * the same approach used by other prefix-named resources.
+ */
+function parseLabel(name) {
+    if (typeof name !== 'string' || !name.startsWith(NAME_PREFIX))
+        return null;
+    const rest = name.slice(NAME_PREFIX.length);
+    const dash = rest.indexOf('-');
+    if (dash <= 0 || dash === rest.length - 1)
+        return null;
+    return `${rest.slice(0, dash)}/${rest.slice(dash + 1)}`;
+}
+function buildBody(props) {
+    return {
+        name: props.appName,
+        domain: props.domain,
+        type: 'self_hosted',
+        ...(props.sessionDuration !== undefined ? { session_duration: props.sessionDuration } : {}),
+        ...(props.autoRedirectToIdentity !== undefined
+            ? { auto_redirect_to_identity: props.autoRedirectToIdentity }
+            : {}),
+        ...(props.allowedIdps !== undefined ? { allowed_idps: [...props.allowedIdps] } : {}),
+        policies: props.policies.map((p) => ({
+            name: p.name,
+            decision: p.decision,
+            include: [...p.include],
+            ...(p.exclude !== undefined ? { exclude: [...p.exclude] } : {}),
+            ...(p.require !== undefined ? { require: [...p.require] } : {}),
+            ...(p.session_duration !== undefined ? { session_duration: p.session_duration } : {}),
+        })),
+    };
+}
+export const accessApplicationProvider = {
+    resourceType: 'AccessApplication',
+    schema: accessApplicationSchema,
+    async *list(ctx) {
+        let iter;
+        try {
+            iter = ctx.cloudflare.zeroTrust.access.applications.list({ account_id: ctx.accountId });
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+        try {
+            for await (const app of iter) {
+                const a = app;
+                if (!a.id)
+                    continue;
+                const label = parseLabel(a.name);
+                if (label === null)
+                    continue;
+                yield { nativeId: a.id, label };
+            }
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async read(ctx, nativeId) {
+        try {
+            const app = (await ctx.cloudflare.zeroTrust.access.applications.get(nativeId, {
+                account_id: ctx.accountId,
+            }));
+            if (!app.name || !app.domain)
+                return NotFound;
+            // Reading back the policies is best-effort: Cloudflare returns a richer shape
+            // than we store, so we narrow back to the wire types we know how to emit.
+            // Unknown rule types are dropped from the read result, which means a manual
+            // edit in the dashboard may produce a perpetual "drift" — accepted for v0.4.
+            const policies = [];
+            for (const raw of app.policies ?? []) {
+                const p = raw;
+                if (!p.name || !p.decision || !p.include)
+                    continue;
+                policies.push({
+                    name: p.name,
+                    decision: p.decision,
+                    include: p.include,
+                    ...(p.exclude !== undefined
+                        ? { exclude: p.exclude }
+                        : {}),
+                    ...(p.require !== undefined
+                        ? { require: p.require }
+                        : {}),
+                    ...(p.session_duration !== undefined ? { session_duration: p.session_duration } : {}),
+                });
+            }
+            return {
+                appName: app.name,
+                domain: app.domain,
+                ...(app.session_duration !== undefined
+                    ? { sessionDuration: app.session_duration }
+                    : {}),
+                ...(app.auto_redirect_to_identity !== undefined
+                    ? { autoRedirectToIdentity: app.auto_redirect_to_identity }
+                    : {}),
+                ...(app.allowed_idps !== undefined ? { allowedIdps: [...app.allowed_idps] } : {}),
+                policies,
+            };
+        }
+        catch (raw) {
+            const err = toProviderError(raw);
+            if (err.code === 'NotFound')
+                return NotFound;
+            throw err;
+        }
+    },
+    async create(ctx, _label, desired) {
+        try {
+            const app = (await ctx.cloudflare.zeroTrust.access.applications.create({
+                account_id: ctx.accountId,
+                ...buildBody(desired),
+            }));
+            return {
+                kind: 'sync',
+                nativeId: app.id ?? desired.appName,
+                properties: desired,
+            };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async update(ctx, nativeId, _prior, desired) {
+        try {
+            const app = (await ctx.cloudflare.zeroTrust.access.applications.update(nativeId, {
+                account_id: ctx.accountId,
+                ...buildBody(desired),
+            }));
+            return {
+                kind: 'sync',
+                nativeId: app.id ?? nativeId,
+                properties: desired,
+            };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async delete(ctx, nativeId) {
+        try {
+            await ctx.cloudflare.zeroTrust.access.applications.delete(nativeId, {
+                account_id: ctx.accountId,
+            });
+            return { kind: 'sync' };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+};
+//# sourceMappingURL=access-application.js.map

package/dist/providers/index.js

@@ -13,6 +13,8 @@ import { vectorizeProvider } from "./vectorize.js";
 import { dnsRecordProvider } from "./dns-record.js";
 import { workflowProvider } from "./workflow.js";
 import { logpushJobProvider } from "./logpush-job.js";
+import { workerRouteProvider } from "./worker-route.js";
+import { accessApplicationProvider } from "./access-application.js";
 export function createDefaultRegistry() {
     const r = new ProviderRegistry();
     r.register(workerProvider);
@@ -29,6 +31,8 @@ export function createDefaultRegistry() {
     r.register(dnsRecordProvider);
     r.register(workflowProvider);
     r.register(logpushJobProvider);
+    r.register(workerRouteProvider);
+    r.register(accessApplicationProvider);
     return r;
 }
 export { ProviderRegistry } from "./registry.js";

package/dist/providers/worker-route.d.ts

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+import type { CloudflareResourceProvider } from './types.ts';
+export interface WorkerRouteProperties {
+    readonly zoneId: string;
+    readonly pattern: string;
+    readonly scriptName: string;
+}
+export declare const workerRouteSchema: z.ZodType<WorkerRouteProperties>;
+export declare const workerRouteProvider: CloudflareResourceProvider<WorkerRouteProperties>;
+//# sourceMappingURL=worker-route.d.ts.map

package/dist/providers/worker-route.js

@@ -0,0 +1,115 @@
+import { z } from 'zod';
+import { NotFound } from "./types.js";
+import { toProviderError } from "./errors.js";
+export const workerRouteSchema = z.object({
+    zoneId: z.string(),
+    pattern: z.string(),
+    scriptName: z.string(),
+});
+const SCRIPT_PREFIX = 'k1c--';
+/**
+ * Cloudflare Workers Routes carry no per-route comment field, so ownership is
+ * inferred from the bound `script` starting with the k1c naming prefix. This
+ * is the same approach used by the CustomDomain provider.
+ */
+function isManaged(script) {
+    return typeof script === 'string' && script.startsWith(SCRIPT_PREFIX);
+}
+/**
+ * Routes are keyed on `pattern` for the purpose of label matching — the SDK
+ * surface lets us list by zone, and within a zone the pattern is unique.
+ */
+function labelFromPattern(pattern) {
+    if (typeof pattern !== 'string' || pattern.length === 0)
+        return null;
+    return pattern;
+}
+export const workerRouteProvider = {
+    resourceType: 'WorkerRoute',
+    schema: workerRouteSchema,
+    async *list(ctx) {
+        if (ctx.zoneId === undefined) {
+            // Routes are zone-scoped; without a zone we cannot enumerate. Yield nothing.
+            return;
+        }
+        let iter;
+        try {
+            iter = ctx.cloudflare.workers.routes.list({ zone_id: ctx.zoneId });
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+        try {
+            for await (const r of iter) {
+                if (!isManaged(r.script))
+                    continue;
+                const label = labelFromPattern(r.pattern);
+                if (label === null || !r.id)
+                    continue;
+                yield { nativeId: r.id, label };
+            }
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async read(ctx, nativeId) {
+        if (ctx.zoneId === undefined)
+            return NotFound;
+        try {
+            const r = await ctx.cloudflare.workers.routes.get(nativeId, { zone_id: ctx.zoneId });
+            if (!r.pattern || !r.script)
+                return NotFound;
+            return { zoneId: ctx.zoneId, pattern: r.pattern, scriptName: r.script };
+        }
+        catch (raw) {
+            const err = toProviderError(raw);
+            if (err.code === 'NotFound')
+                return NotFound;
+            throw err;
+        }
+    },
+    async create(_ctx, _label, desired) {
+        try {
+            const r = await _ctx.cloudflare.workers.routes.create({
+                zone_id: desired.zoneId,
+                pattern: desired.pattern,
+                script: desired.scriptName,
+            });
+            return { kind: 'sync', nativeId: r.id, properties: desired };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async update(ctx, nativeId, _prior, desired) {
+        try {
+            const r = await ctx.cloudflare.workers.routes.update(nativeId, {
+                zone_id: desired.zoneId,
+                pattern: desired.pattern,
+                script: desired.scriptName,
+            });
+            return { kind: 'sync', nativeId: r.id, properties: desired };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async delete(ctx, nativeId) {
+        if (ctx.zoneId === undefined) {
+            throw {
+                code: 'InvalidRequest',
+                recoverable: false,
+                message: 'WorkerRoute delete requires zoneId in ProviderContext',
+            };
+        }
+        try {
+            await ctx.cloudflare.workers.routes.delete(nativeId, { zone_id: ctx.zoneId });
+            return { kind: 'sync' };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+};
+//# sourceMappingURL=worker-route.js.map

package/dist/providers/worker.d.ts

@@ -100,6 +100,14 @@ export type WorkerBinding = {
     readonly type: 'analytics_engine';
     readonly name: string;
     readonly dataset: string;
+} | {
+    readonly type: 'mtls_certificate';
+    readonly name: string;
+    readonly certificateId: string;
+} | {
+    readonly type: 'pipelines';
+    readonly name: string;
+    readonly pipeline: string;
 };
 export declare const workerSchema: z.ZodType<WorkerProperties>;
 export declare const workerProvider: CloudflareResourceProvider<WorkerProperties>;

package/dist/providers/worker.js

@@ -64,6 +64,16 @@ export const workerSchema = z.object({
             name: z.string(),
             dataset: z.string(),
         }),
+        z.object({
+            type: z.literal('mtls_certificate'),
+            name: z.string(),
+            certificateId: z.string(),
+        }),
+        z.object({
+            type: z.literal('pipelines'),
+            name: z.string(),
+            pipeline: z.string(),
+        }),
     ]))
         .optional(),
     observability: z.object({ enabled: z.boolean() }).optional(),
@@ -137,6 +147,12 @@ function buildBindings(props) {
         else if (b.type === 'analytics_engine') {
             out.push({ type: 'analytics_engine', name: b.name, dataset: b.dataset });
         }
+        else if (b.type === 'mtls_certificate') {
+            out.push({ type: 'mtls_certificate', name: b.name, certificate_id: b.certificateId });
+        }
+        else if (b.type === 'pipelines') {
+            out.push({ type: 'pipelines', name: b.name, pipeline: b.pipeline });
+        }
     }
     return out;
 }
@@ -306,6 +322,12 @@ function fromCFBinding(b) {
     if (b.type === 'analytics_engine' && b.dataset !== undefined) {
         return { type: 'analytics_engine', name: b.name, dataset: b.dataset };
     }
+    if (b.type === 'mtls_certificate' && b.certificate_id !== undefined) {
+        return { type: 'mtls_certificate', name: b.name, certificateId: b.certificate_id };
+    }
+    if (b.type === 'pipelines' && b.pipeline !== undefined) {
+        return { type: 'pipelines', name: b.name, pipeline: b.pipeline };
+    }
     return null;
 }
 export const workerProvider = {

package/dist/reconciler/plan.js

@@ -102,9 +102,52 @@ function orderByDependencies(operations, desired) {
     });
     const sortedMutating = topoSort(nodes).map((n) => n.op);
     noops.sort((a, b) => a.label.localeCompare(b.label));
-    deletes.sort((a, b) => a.label.localeCompare(b.label));
+    deletes.sort((a, b) => {
+        const pa = deletePriority(a.resourceType);
+        const pb = deletePriority(b.resourceType);
+        if (pa !== pb)
+            return pa - pb;
+        return a.label.localeCompare(b.label);
+    });
     return [...sortedMutating, ...noops, ...deletes];
 }
+/**
+ * Reverse-topological priority for deletes. Smaller priority is deleted first.
+ *
+ * The reconciler has no per-instance dependency record for resources that are
+ * being deleted (they are no longer in `desired`), so we approximate the
+ * dependency direction with a static type ordering that mirrors how creates
+ * actually flow in `lower.ts`. Workers depend on data services; CustomDomain /
+ * Workflow / LogpushJob depend on Workers; DispatchNamespace hosts Workers.
+ *
+ * Unknown types fall through with a neutral priority so the sort is still stable.
+ */
+function deletePriority(resourceType) {
+    switch (resourceType) {
+        // Top-level edges — nothing else points at these. Delete first so we do not
+        // serve traffic to a Worker we are about to remove.
+        case 'CustomDomain':
+        case 'WorkerRoute':
+        case 'DNSRecord':
+        case 'LogpushJob':
+        case 'Workflow':
+        case 'AccessApplication':
+            return 0;
+        case 'Worker':
+            return 1;
+        case 'R2Bucket':
+        case 'KVNamespace':
+        case 'D1Database':
+        case 'Hyperdrive':
+        case 'Vectorize':
+        case 'Queue':
+            return 2;
+        case 'DispatchNamespace':
+            return 3;
+        default:
+            return 1;
+    }
+}
 export function propertiesEqual(a, b) {
     return canonicalize(a) === canonicalize(b);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mizchi/k1c",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Experimental kubectl-style apply tool for Cloudflare",
   "keywords": [
     "cloudflare",