@solcreek/cli 0.3.0

package/dist/utils/repo-url.js

@@ -0,0 +1,201 @@
+/**
+ * Git repository URL parsing and security validation.
+ *
+ * Security model:
+ * - HTTPS only (no git://, ssh://, file://, ext::)
+ * - Hostname allowlist (github.com, gitlab.com, bitbucket.org only)
+ * - Owner/repo validated against strict character set
+ * - No embedded credentials
+ * - Subpath validated against traversal attacks
+ */
+// --- Allowed hostnames (SSRF prevention) ---
+const PROVIDER_HOSTS = {
+    "github.com": "github",
+    "www.github.com": "github",
+    "gitlab.com": "gitlab",
+    "www.gitlab.com": "gitlab",
+    "bitbucket.org": "bitbucket",
+    "www.bitbucket.org": "bitbucket",
+};
+const SHORTHAND_PREFIXES = {
+    "github:": "github",
+    "gitlab:": "gitlab",
+    "bitbucket:": "bitbucket",
+};
+// Strict character set for owner and repo names
+const SAFE_NAME = /^[a-zA-Z0-9._-]+$/;
+// --- Public API ---
+/**
+ * Quick check: does this string look like a repo URL or shorthand?
+ * Used to route between directory deploy and repo deploy.
+ */
+export function isRepoUrl(input) {
+    if (!input)
+        return false;
+    // Shorthand: github:user/repo
+    for (const prefix of Object.keys(SHORTHAND_PREFIXES)) {
+        if (input.startsWith(prefix))
+            return true;
+    }
+    // HTTPS URL to known host
+    try {
+        const url = new URL(input.split("#")[0]);
+        return url.protocol === "https:" && url.hostname in PROVIDER_HOSTS;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Parse a repo URL or shorthand into structured components.
+ * Supports:
+ *   https://github.com/owner/repo
+ *   https://github.com/owner/repo.git
+ *   https://github.com/owner/repo#branch
+ *   https://github.com/owner/repo/tree/branch
+ *   github:owner/repo
+ *   github:owner/repo#branch
+ */
+export function parseRepoUrl(input) {
+    if (!input || typeof input !== "string") {
+        throw new RepoUrlError("Empty or invalid input");
+    }
+    // Shorthand: github:owner/repo#branch
+    for (const [prefix, provider] of Object.entries(SHORTHAND_PREFIXES)) {
+        if (input.startsWith(prefix)) {
+            return parseShorthand(input.slice(prefix.length), provider);
+        }
+    }
+    // Full URL
+    return parseFullUrl(input);
+}
+/**
+ * Validate a parsed repo URL for security.
+ * Throws RepoUrlError on any violation.
+ */
+export function validateRepoUrl(parsed) {
+    // Protocol: only HTTPS (enforced during parsing, but belt-and-suspenders)
+    if (!parsed.cloneUrl.startsWith("https://")) {
+        throw new RepoUrlError("Only HTTPS URLs are allowed");
+    }
+    // Owner and repo name: strict character set
+    if (!SAFE_NAME.test(parsed.owner)) {
+        throw new RepoUrlError(`Invalid owner name: ${JSON.stringify(parsed.owner)}`);
+    }
+    if (!SAFE_NAME.test(parsed.repo)) {
+        throw new RepoUrlError(`Invalid repo name: ${JSON.stringify(parsed.repo)}`);
+    }
+    // Branch: strict character set (if present)
+    if (parsed.branch !== null && !/^[a-zA-Z0-9._\/-]+$/.test(parsed.branch)) {
+        throw new RepoUrlError(`Invalid branch name: ${JSON.stringify(parsed.branch)}`);
+    }
+    // No null bytes anywhere
+    const allParts = [parsed.owner, parsed.repo, parsed.branch, parsed.cloneUrl].filter(Boolean);
+    for (const part of allParts) {
+        if (part.includes("\0")) {
+            throw new RepoUrlError("Null bytes are not allowed");
+        }
+    }
+}
+/**
+ * Validate a --path subdirectory argument.
+ * Prevents path traversal and other filesystem attacks.
+ */
+export function validateSubpath(path) {
+    if (!path || !path.trim()) {
+        throw new RepoUrlError("Subpath cannot be empty");
+    }
+    // No absolute paths
+    if (path.startsWith("/") || path.startsWith("\\")) {
+        throw new RepoUrlError("Subpath must be relative, not absolute");
+    }
+    // No path traversal
+    const segments = path.split(/[/\\]/);
+    if (segments.some((s) => s === "..")) {
+        throw new RepoUrlError("Path traversal (..) is not allowed in subpath");
+    }
+    // No null bytes
+    if (path.includes("\0")) {
+        throw new RepoUrlError("Null bytes are not allowed in subpath");
+    }
+    // Only safe characters
+    if (!/^[a-zA-Z0-9._\/-]+$/.test(path)) {
+        throw new RepoUrlError("Subpath contains invalid characters");
+    }
+}
+// --- Internal parsers ---
+function parseShorthand(rest, provider) {
+    // Split on # for branch
+    const [pathPart, ...branchParts] = rest.split("#");
+    const branch = branchParts.length > 0 ? branchParts.join("#") : null;
+    const segments = pathPart.replace(/\.git$/, "").split("/").filter(Boolean);
+    if (segments.length !== 2) {
+        throw new RepoUrlError(`Expected owner/repo format, got: ${pathPart}`);
+    }
+    const [owner, repo] = segments;
+    const host = provider === "github" ? "github.com" : provider === "gitlab" ? "gitlab.com" : "bitbucket.org";
+    return {
+        provider,
+        owner,
+        repo,
+        branch: branch || null,
+        cloneUrl: `https://${host}/${owner}/${repo}.git`,
+        displayUrl: `${owner}/${repo}${branch ? `#${branch}` : ""}`,
+    };
+}
+function parseFullUrl(input) {
+    // Extract branch from fragment before parsing URL
+    const [urlPart, ...fragmentParts] = input.split("#");
+    const fragment = fragmentParts.length > 0 ? fragmentParts.join("#") : null;
+    let url;
+    try {
+        // Strip query params and trailing slash
+        const cleanUrl = urlPart.split("?")[0].replace(/\/$/, "");
+        url = new URL(cleanUrl);
+    }
+    catch {
+        throw new RepoUrlError(`Invalid URL: ${input}`);
+    }
+    // Protocol check
+    if (url.protocol !== "https:") {
+        throw new RepoUrlError(`Only HTTPS URLs are allowed. Got: ${url.protocol}`);
+    }
+    // Hostname allowlist (SSRF prevention)
+    const hostname = url.hostname.toLowerCase();
+    const provider = PROVIDER_HOSTS[hostname];
+    if (!provider) {
+        throw new RepoUrlError(`Unsupported host: ${hostname}. Supported: github.com, gitlab.com, bitbucket.org`);
+    }
+    // No embedded credentials
+    if (url.username || url.password) {
+        throw new RepoUrlError("URLs with embedded credentials are not allowed");
+    }
+    // Parse path segments: /owner/repo[/tree/branch][.git]
+    const pathSegments = url.pathname.split("/").filter(Boolean);
+    if (pathSegments.length < 2) {
+        throw new RepoUrlError(`Expected /{owner}/{repo} in URL path, got: ${url.pathname}`);
+    }
+    const owner = pathSegments[0];
+    const repo = pathSegments[1].replace(/\.git$/, "");
+    // Extract branch from /tree/branch path (GitHub convention)
+    let branch = fragment;
+    if (pathSegments.length >= 4 && pathSegments[2] === "tree") {
+        branch = pathSegments.slice(3).join("/");
+    }
+    return {
+        provider,
+        owner,
+        repo,
+        branch: branch || null,
+        cloneUrl: `https://${hostname}/${owner}/${repo}.git`,
+        displayUrl: `${owner}/${repo}${branch ? `#${branch}` : ""}`,
+    };
+}
+// --- Error ---
+export class RepoUrlError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "RepoUrlError";
+    }
+}
+//# sourceMappingURL=repo-url.js.map

package/dist/utils/sandbox.d.ts

@@ -0,0 +1,50 @@
+import type { TosAcceptance } from "./tos.js";
+interface SandboxDeployResponse {
+    sandboxId: string;
+    status: string;
+    statusUrl: string;
+    previewUrl: string;
+    expiresAt: string;
+    tier?: string;
+}
+interface SandboxStatusResponse {
+    sandboxId: string;
+    status: string;
+    previewUrl: string;
+    deployDurationMs?: number;
+    expiresAt: string;
+    expiresInSeconds: number;
+    claimable: boolean;
+    failedStep?: string;
+    errorMessage?: string;
+}
+/**
+ * Deploy a bundle to the sandbox API (no auth required).
+ * Manifest is optional — the API derives asset list from the assets keys.
+ */
+export declare function sandboxDeploy(bundle: {
+    manifest?: {
+        assets: string[];
+        hasWorker: boolean;
+        entrypoint: string | null;
+        renderMode: string;
+    };
+    assets: Record<string, string>;
+    serverFiles?: Record<string, string>;
+    framework?: string;
+    templateId?: string;
+    source: string;
+}, opts?: {
+    tos?: TosAcceptance;
+    agentToken?: string;
+}): Promise<SandboxDeployResponse>;
+/**
+ * Poll sandbox status until terminal state.
+ */
+export declare function pollSandboxStatus(statusUrl: string): Promise<SandboxStatusResponse>;
+/**
+ * Print sandbox success message with claim instructions.
+ */
+export declare function printSandboxSuccess(previewUrl: string, expiresAt: string, sandboxId: string): void;
+export {};
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/utils/sandbox.js

@@ -0,0 +1,69 @@
+import consola from "consola";
+import { getSandboxApiUrl } from "./config.js";
+import { isTTY } from "./output.js";
+/**
+ * Deploy a bundle to the sandbox API (no auth required).
+ * Manifest is optional — the API derives asset list from the assets keys.
+ */
+export async function sandboxDeploy(bundle, opts) {
+    const apiUrl = getSandboxApiUrl();
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    // Signal TTY status for tiered rate limiting
+    if (isTTY)
+        headers["X-Creek-TTY"] = "1";
+    // Agent token for elevated rate limit
+    if (opts?.agentToken)
+        headers["Authorization"] = `Bearer ${opts.agentToken}`;
+    // ToS acceptance metadata
+    if (opts?.tos) {
+        headers["X-Creek-ToS-Version"] = opts.tos.version;
+        headers["X-Creek-ToS-Accepted-At"] = opts.tos.acceptedAt;
+    }
+    const res = await fetch(`${apiUrl}/api/sandbox/deploy`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(bundle),
+    });
+    if (!res.ok) {
+        const err = await res.json().catch(() => ({ message: res.statusText }));
+        throw new Error(err.message ?? `Sandbox deploy failed (${res.status})`);
+    }
+    return res.json();
+}
+/**
+ * Poll sandbox status until terminal state.
+ */
+export async function pollSandboxStatus(statusUrl) {
+    const POLL_INTERVAL = 1000;
+    const POLL_TIMEOUT = 60_000;
+    const start = Date.now();
+    while (Date.now() - start < POLL_TIMEOUT) {
+        const res = await fetch(statusUrl);
+        if (!res.ok)
+            throw new Error(`Status check failed (${res.status})`);
+        const status = (await res.json());
+        if (status.status === "active")
+            return status;
+        if (status.status === "failed") {
+            const step = status.failedStep ? ` at ${status.failedStep}` : "";
+            throw new Error(`Sandbox deploy failed${step}: ${status.errorMessage ?? "Unknown error"}`);
+        }
+        if (status.status === "expired") {
+            throw new Error("Sandbox expired before activation");
+        }
+        await new Promise((r) => setTimeout(r, POLL_INTERVAL));
+    }
+    throw new Error("Sandbox deploy timed out");
+}
+/**
+ * Print sandbox success message with claim instructions.
+ */
+export function printSandboxSuccess(previewUrl, expiresAt, sandboxId) {
+    consola.success(`  Live → ${previewUrl}`);
+    consola.info("");
+    consola.info("  Free preview — available for 60 minutes.");
+    consola.info("  Make it permanent: creek login && creek claim " + sandboxId);
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/utils/ssr-bundle.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Bundle an SSR server entry point into a single standalone worker script.
+ * Uses esbuild (same bundler as wrangler) with node: builtins as externals.
+ */
+export declare function bundleSSRServer(entryPoint: string): Promise<string>;
+//# sourceMappingURL=ssr-bundle.d.ts.map

package/dist/utils/ssr-bundle.js

@@ -0,0 +1,48 @@
+import { build } from "esbuild";
+/**
+ * Bundle an SSR server entry point into a single standalone worker script.
+ * Uses esbuild (same bundler as wrangler) with node: builtins as externals.
+ */
+export async function bundleSSRServer(entryPoint) {
+    const result = await build({
+        entryPoints: [entryPoint],
+        bundle: true,
+        format: "esm",
+        platform: "neutral",
+        target: "es2022",
+        write: false,
+        minify: false,
+        external: [
+            "node:async_hooks",
+            "node:stream",
+            "node:stream/web",
+            "node:buffer",
+            "node:util",
+            "node:events",
+            "node:crypto",
+            "node:path",
+            "node:url",
+            "node:string_decoder",
+            "node:diagnostics_channel",
+            "node:process",
+            "node:fs",
+            "node:os",
+            "node:child_process",
+            "node:http",
+            "node:https",
+            "node:net",
+            "node:tls",
+            "node:zlib",
+            "node:perf_hooks",
+            "node:worker_threads",
+        ],
+        conditions: ["workerd", "worker", "import"],
+        mainFields: ["module", "main"],
+        logLevel: "warning",
+    });
+    if (result.errors.length > 0) {
+        throw new Error(`esbuild: ${result.errors.map((e) => e.text).join(", ")}`);
+    }
+    return result.outputFiles[0].text;
+}
+//# sourceMappingURL=ssr-bundle.js.map

package/dist/utils/tos.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Terms of Service acceptance for CLI.
+ *
+ * - First deploy: shows ToS notice + URL + interactive y/N prompt
+ * - Stored locally in ~/.creek/tos-accepted (version + timestamp)
+ * - --yes / non-TTY: implicit accept with notice printed
+ * - Sends tosVersion + tosAcceptedAt in deploy requests
+ */
+export declare const CURRENT_TOS_VERSION = "2026-03-28";
+export interface TosAcceptance {
+    version: string;
+    acceptedAt: string;
+}
+/** Read stored ToS acceptance, if any. */
+export declare function readTosAcceptance(): TosAcceptance | null;
+/** Store ToS acceptance locally. */
+export declare function writeTosAcceptance(acceptance: TosAcceptance): void;
+/** Check if current ToS version has been accepted. */
+export declare function isTosAccepted(): boolean;
+/**
+ * Ensure ToS is accepted before proceeding.
+ *
+ * @param autoConfirm - true if --yes flag is set
+ * @returns TosAcceptance record to send with deploy request
+ * @throws if user rejects ToS
+ */
+export declare function ensureTosAccepted(autoConfirm: boolean): Promise<TosAcceptance>;
+//# sourceMappingURL=tos.d.ts.map

package/dist/utils/tos.js

@@ -0,0 +1,95 @@
+/**
+ * Terms of Service acceptance for CLI.
+ *
+ * - First deploy: shows ToS notice + URL + interactive y/N prompt
+ * - Stored locally in ~/.creek/tos-accepted (version + timestamp)
+ * - --yes / non-TTY: implicit accept with notice printed
+ * - Sends tosVersion + tosAcceptedAt in deploy requests
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+import consola from "consola";
+import { getConfigDir } from "./config.js";
+import { isTTY } from "./output.js";
+const TOS_FILE = join(getConfigDir(), "tos-accepted");
+// Bump this when ToS content changes — forces re-acceptance
+export const CURRENT_TOS_VERSION = "2026-03-28";
+const TOS_URL = "https://creek.dev/legal/terms";
+const AUP_URL = "https://creek.dev/legal/acceptable-use";
+/** Read stored ToS acceptance, if any. */
+export function readTosAcceptance() {
+    if (!existsSync(TOS_FILE))
+        return null;
+    try {
+        const data = JSON.parse(readFileSync(TOS_FILE, "utf-8"));
+        if (data.version && data.acceptedAt)
+            return data;
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Store ToS acceptance locally. */
+export function writeTosAcceptance(acceptance) {
+    const dir = getConfigDir();
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    writeFileSync(TOS_FILE, JSON.stringify(acceptance, null, 2), { mode: 0o600 });
+}
+/** Check if current ToS version has been accepted. */
+export function isTosAccepted() {
+    const acceptance = readTosAcceptance();
+    return acceptance?.version === CURRENT_TOS_VERSION;
+}
+/**
+ * Ensure ToS is accepted before proceeding.
+ *
+ * @param autoConfirm - true if --yes flag is set
+ * @returns TosAcceptance record to send with deploy request
+ * @throws if user rejects ToS
+ */
+export async function ensureTosAccepted(autoConfirm) {
+    // Already accepted current version?
+    const existing = readTosAcceptance();
+    if (existing?.version === CURRENT_TOS_VERSION)
+        return existing;
+    // Show ToS notice
+    consola.log("");
+    consola.log("  By deploying, you agree to Creek's Terms of Service");
+    consola.log("  and Acceptable Use Policy:");
+    consola.log(`  ${TOS_URL}`);
+    consola.log(`  ${AUP_URL}`);
+    consola.log("");
+    if (autoConfirm || !isTTY) {
+        // Non-interactive: implicit acceptance
+        consola.log("  Continuing implies acceptance of the above terms.");
+        consola.log("");
+    }
+    else {
+        // Interactive: ask for explicit acceptance
+        const readline = await import("node:readline");
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+        const answer = await new Promise((resolve) => {
+            rl.question("  Accept? [y/N] ", (ans) => {
+                rl.close();
+                resolve(ans.trim().toLowerCase());
+            });
+        });
+        if (answer !== "y" && answer !== "yes") {
+            consola.error("You must accept the Terms of Service to use Creek.");
+            process.exit(1);
+        }
+    }
+    const acceptance = {
+        version: CURRENT_TOS_VERSION,
+        acceptedAt: new Date().toISOString(),
+    };
+    writeTosAcceptance(acceptance);
+    return acceptance;
+}
+//# sourceMappingURL=tos.js.map

package/dist/utils/worker-bundle.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Generate the wrapper entry source that auto-injects _setEnv(env).
+ *
+ * The wrapper:
+ * 1. Imports _setEnv from creek runtime
+ * 2. Imports the user's app (Hono, custom Worker, etc.)
+ * 3. Calls _setEnv(env) before each request
+ * 4. Delegates to the user's fetch handler
+ * 5. If the handler returns 404, falls back to static assets (WfP Static Assets API)
+ */
+export declare function generateWorkerWrapper(entryPoint: string, wrapperDir: string, options?: {
+    hasClientAssets?: boolean;
+}): string;
+/**
+ * Bundle a Worker entry point with Creek runtime auto-injection.
+ *
+ * 1. Generates a wrapper entry that calls _setEnv(env)
+ * 2. Bundles wrapper + user code + creek runtime with esbuild
+ * 3. Returns the bundled JavaScript string
+ */
+export declare function bundleWorker(entryPoint: string, cwd: string, options?: {
+    hasClientAssets?: boolean;
+}): Promise<string>;
+//# sourceMappingURL=worker-bundle.d.ts.map

package/dist/utils/worker-bundle.js

@@ -0,0 +1,136 @@
+import { writeFileSync, mkdirSync } from "fs";
+import { join, relative } from "path";
+import { bundleSSRServer } from "./ssr-bundle.js";
+/**
+ * Generate the wrapper entry source that auto-injects _setEnv(env).
+ *
+ * The wrapper:
+ * 1. Imports _setEnv from creek runtime
+ * 2. Imports the user's app (Hono, custom Worker, etc.)
+ * 3. Calls _setEnv(env) before each request
+ * 4. Delegates to the user's fetch handler
+ * 5. If the handler returns 404, falls back to static assets (WfP Static Assets API)
+ */
+export function generateWorkerWrapper(entryPoint, wrapperDir, options) {
+    let importPath = relative(wrapperDir, entryPoint).replace(/\\/g, "/");
+    // Remove .ts/.tsx extension — esbuild resolves it
+    importPath = importPath.replace(/\.tsx?$/, "");
+    if (!importPath.startsWith("."))
+        importPath = "./" + importPath;
+    const hasAssets = options?.hasClientAssets ?? false;
+    // When client assets exist (Worker + SPA hybrid):
+    // - Try static assets first for non-API paths
+    // - Fall back to the worker handler for API routes
+    // - SPA fallback: serve index.html for extensionless paths
+    if (hasAssets) {
+        return `import { _setEnv, _setCtx, generateWsToken } from "creek";
+import userModule from "${importPath}";
+
+const handler = userModule.default ?? userModule;
+
+function isApiPath(pathname) {
+  return pathname.startsWith("/api/") || pathname === "/__creek/config";
+}
+
+function hasExtension(pathname) {
+  const last = pathname.split("/").pop() || "";
+  return last.includes(".");
+}
+
+export default {
+  async fetch(request, env, ctx) {
+    _setEnv(env);
+    _setCtx(ctx);
+    const url = new URL(request.url);
+
+    // /__creek/config — auto-discovery for CreekRoom WebSocket
+    if (url.pathname === "/__creek/config" && request.method === "GET") {
+      const wsToken = await generateWsToken();
+      return new Response(JSON.stringify({
+        realtimeUrl: env.CREEK_REALTIME_URL || null,
+        projectSlug: env.CREEK_PROJECT_SLUG || null,
+        wsToken,
+      }), { headers: { "Content-Type": "application/json" } });
+    }
+
+    // API routes → always go to the worker handler
+    if (isApiPath(url.pathname)) {
+      if (typeof handler.fetch === "function") return handler.fetch(request, env, ctx);
+      if (typeof handler === "function") return handler(request, env, ctx);
+    }
+
+    // Static assets → try WfP Static Assets API
+    if (env.ASSETS) {
+      try {
+        const assetResponse = await env.ASSETS.fetch(request);
+        if (assetResponse.status !== 404) return assetResponse;
+      } catch {}
+
+      // SPA fallback: extensionless paths → index.html
+      if (!hasExtension(url.pathname)) {
+        try {
+          const indexReq = new Request(new URL("/index.html", request.url), request);
+          const indexResponse = await env.ASSETS.fetch(indexReq);
+          if (indexResponse.status !== 404) {
+            return new Response(indexResponse.body, {
+              status: 200,
+              headers: indexResponse.headers,
+            });
+          }
+        } catch {}
+      }
+    }
+
+    // Fallback: pass to worker handler
+    if (typeof handler.fetch === "function") return handler.fetch(request, env, ctx);
+    if (typeof handler === "function") return handler(request, env, ctx);
+    return new Response("Not Found", { status: 404 });
+  },
+};
+`;
+    }
+    // Pure Worker (no client assets)
+    return `import { _setEnv, _setCtx, generateWsToken } from "creek";
+import userModule from "${importPath}";
+
+const handler = userModule.default ?? userModule;
+
+export default {
+  async fetch(request, env, ctx) {
+    _setEnv(env);
+    _setCtx(ctx);
+
+    // /__creek/config — auto-discovery for CreekRoom WebSocket
+    const url = new URL(request.url);
+    if (url.pathname === "/__creek/config" && request.method === "GET") {
+      const wsToken = await generateWsToken();
+      return new Response(JSON.stringify({
+        realtimeUrl: env.CREEK_REALTIME_URL || null,
+        projectSlug: env.CREEK_PROJECT_SLUG || null,
+        wsToken,
+      }), { headers: { "Content-Type": "application/json" } });
+    }
+
+    if (typeof handler.fetch === "function") return handler.fetch(request, env, ctx);
+    if (typeof handler === "function") return handler(request, env, ctx);
+    throw new Error("[creek] Worker must export default a fetch handler, Hono app, or { fetch() } object.");
+  },
+};
+`;
+}
+/**
+ * Bundle a Worker entry point with Creek runtime auto-injection.
+ *
+ * 1. Generates a wrapper entry that calls _setEnv(env)
+ * 2. Bundles wrapper + user code + creek runtime with esbuild
+ * 3. Returns the bundled JavaScript string
+ */
+export async function bundleWorker(entryPoint, cwd, options) {
+    const wrapperDir = join(cwd, ".creek");
+    mkdirSync(wrapperDir, { recursive: true });
+    const wrapper = generateWorkerWrapper(entryPoint, wrapperDir, options);
+    const wrapperPath = join(wrapperDir, "__worker_entry.js");
+    writeFileSync(wrapperPath, wrapper);
+    return bundleSSRServer(wrapperPath);
+}
+//# sourceMappingURL=worker-bundle.js.map