@vibesdotdev/infra-cloudflare 0.0.1

package/src/implementations/alerts.impl.ts

@@ -0,0 +1,332 @@
+/**
+ * Cloudflare Alerts Implementation
+ *
+ * Maps the provider-agnostic `infra/alerts` kind onto Cloudflare's
+ * Notifications API (`/accounts/:account/alerting/v3/policies`).
+ *
+ * Native type translation:
+ *   budget       → billing_budget_alert
+ *   usage        → billing_usage_alert
+ *   error-rate   → workers_alert (filter: outcome=exception)
+ *   latency      → (not supported by CF — adapter throws on create)
+ *   custom       → adapter passes through the `native_alert_type` filter
+ *
+ * Credentials: prefers a scoped CLOUDFLARE_NOTIFICATIONS_API_TOKEN (with
+ * notifications:edit), falls back to CLOUDFLARE_API_TOKEN for read-only
+ * operations. Account id from CLOUDFLARE_ACCOUNT_ID. Both resolve via
+ * the standard runtime secrets chain (encrypted-local + env file +
+ * CF Secrets Store).
+ */
+
+import * as z from 'zod/v4';
+import type { AlertPolicy, AlertsImplementation } from '@vibesdotdev/infra-core/kinds';
+import { resolveAdapterCredential } from '@vibesdotdev/infra-core';
+
+export const CloudflareAlertsDescriptorSchema = z.object({
+	kind: z.literal('infra/alerts'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	description: z.string().optional(),
+	adapter: z.literal('cloudflare-alerts'),
+	adapterConfig: z.record(z.string(), z.unknown()).optional(),
+	// Default to 'local' to match the infra-core kind schema. CLI ops
+	// resolve credentials from the local vibes secrets vault; Workers
+	// in production receive credentials via CF Secrets Store bindings
+	// without going through this adapter.
+	environment: z.string().default('local'),
+	policies: z.array(z.unknown()).default([])
+});
+
+export type CloudflareAlertsDescriptorInput = z.input<typeof CloudflareAlertsDescriptorSchema>;
+export type CloudflareAlertsDescriptor = z.infer<typeof CloudflareAlertsDescriptorSchema>;
+
+interface CfApiBody<T> {
+	success: boolean;
+	result: T;
+	errors?: Array<{ code: number; message: string }>;
+}
+
+interface CfPolicy {
+	id: string;
+	name: string;
+	description?: string;
+	alert_type: string;
+	enabled: boolean;
+	filters?: Record<string, string[]>;
+	mechanisms?: { email?: Array<{ id: string }>; webhooks?: Array<{ id: string }>; pagerduty?: Array<{ id: string }> };
+}
+
+/** Map provider-agnostic AlertType → CF native alert_type. */
+function nativeAlertType(policy: AlertPolicy): string {
+	switch (policy.type) {
+		case 'budget':
+			return 'billing_budget_alert';
+		case 'usage':
+			return 'billing_usage_alert';
+		case 'error-rate':
+			// CF exposes Worker error alerts under a single type. The filters
+			// narrow scope (worker_name, etc.).
+			return 'workers_alert';
+		case 'latency':
+			throw new Error(
+				'cloudflare-alerts: latency alerts are not supported by CF Notifications. ' +
+					'Use traces / Workers Observability dashboards instead.'
+			);
+		case 'custom': {
+			const explicit = policy.filters['native_alert_type'];
+			if (!explicit) {
+				throw new Error(
+					'cloudflare-alerts: type=custom requires filters.native_alert_type to be set'
+				);
+			}
+			return explicit;
+		}
+	}
+}
+
+/** Map provider-agnostic policy → CF body shape. */
+function toCfPayload(policy: AlertPolicy): Record<string, unknown> {
+	const alertType = nativeAlertType(policy);
+	const filters: Record<string, string[]> = {};
+
+	// Translate the threshold + filters into CF's filters shape.
+	switch (policy.type) {
+		case 'budget':
+			filters.total_spend_dollars = [String(policy.threshold)];
+			break;
+		case 'usage':
+			if (!policy.filters.product) {
+				throw new Error(
+					"cloudflare-alerts: type=usage requires filters.product. Confirmed valid slugs (probed against /alerting/v3/policies, 2026-05): " +
+						'worker_requests, worker_kv_storage, worker_kv_reads, worker_kv_writes, ' +
+						'd1_storage, d1_rows_read, d1_rows_written, r2_storage. ' +
+						'Workers Observability is not exposed as a billing_usage_alert product.'
+				);
+			}
+			filters.product = [policy.filters.product];
+			filters.limit = [String(policy.threshold)];
+			break;
+		case 'error-rate':
+			if (policy.filters.worker) filters.scriptName = [policy.filters.worker];
+			filters.error_rate_percentage = [String(policy.threshold)];
+			break;
+		case 'custom': {
+			// Pass remaining filters verbatim; drop the meta key.
+			for (const [k, v] of Object.entries(policy.filters)) {
+				if (k === 'native_alert_type') continue;
+				filters[k] = [v];
+			}
+			break;
+		}
+	}
+
+	const mechanisms: Record<string, Array<{ id: string }>> = {};
+	for (const m of policy.mechanisms) {
+		switch (m.kind) {
+			case 'email':
+				(mechanisms.email ??= []).push({ id: m.target });
+				break;
+			case 'webhook':
+				(mechanisms.webhooks ??= []).push({ id: m.target });
+				break;
+			case 'pagerduty':
+				(mechanisms.pagerduty ??= []).push({ id: m.target });
+				break;
+			case 'slack':
+				// CF treats Slack as a webhook destination
+				(mechanisms.webhooks ??= []).push({ id: m.target });
+				break;
+		}
+	}
+
+	return {
+		name: policy.name,
+		description: policy.description,
+		enabled: policy.enabled,
+		alert_type: alertType,
+		filters,
+		mechanisms
+	};
+}
+
+/** Reverse-map a CF policy → AlertPolicy (best-effort; filters are lossy). */
+function fromCfPolicy(cf: CfPolicy): AlertPolicy & { providerId: string } {
+	let type: AlertPolicy['type'] = 'custom';
+	let threshold = 0;
+	const filters: Record<string, string> = {};
+
+	switch (cf.alert_type) {
+		case 'billing_budget_alert':
+			type = 'budget';
+			threshold = Number(cf.filters?.total_spend_dollars?.[0] ?? 0);
+			break;
+		case 'billing_usage_alert':
+			type = 'usage';
+			threshold = Number(cf.filters?.limit?.[0] ?? 0);
+			if (cf.filters?.product?.[0]) filters.product = cf.filters.product[0]!;
+			break;
+		case 'workers_alert':
+			type = 'error-rate';
+			threshold = Number(cf.filters?.error_rate_percentage?.[0] ?? 0);
+			if (cf.filters?.scriptName?.[0]) filters.worker = cf.filters.scriptName[0]!;
+			break;
+		default:
+			type = 'custom';
+			filters.native_alert_type = cf.alert_type;
+			for (const [k, v] of Object.entries(cf.filters ?? {})) {
+				if (Array.isArray(v) && v[0] != null) filters[k] = String(v[0]);
+			}
+	}
+
+	const mechanisms: AlertPolicy['mechanisms'] = [];
+	for (const e of cf.mechanisms?.email ?? []) mechanisms.push({ kind: 'email', target: e.id });
+	for (const w of cf.mechanisms?.webhooks ?? []) {
+		// Heuristic: hooks.slack.com → Slack; otherwise generic webhook
+		const target = w.id;
+		if (target.includes('hooks.slack.com')) mechanisms.push({ kind: 'slack', target });
+		else if (target.startsWith('http')) mechanisms.push({ kind: 'webhook', target });
+		else mechanisms.push({ kind: 'pagerduty', target });
+	}
+	for (const p of cf.mechanisms?.pagerduty ?? []) mechanisms.push({ kind: 'pagerduty', target: p.id });
+
+	return {
+		providerId: cf.id,
+		id: cf.id,
+		name: cf.name,
+		type,
+		threshold,
+		filters,
+		mechanisms,
+		enabled: cf.enabled,
+		description: cf.description
+	};
+}
+
+class CloudflareAlertsImplementation implements AlertsImplementation {
+	readonly id = 'cloudflare-alerts';
+	readonly descriptor: CloudflareAlertsDescriptor;
+	private creds: { accountId: string; apiToken: string } | null = null;
+
+	constructor(descriptor: CloudflareAlertsDescriptor) {
+		this.descriptor = CloudflareAlertsDescriptorSchema.parse(descriptor);
+	}
+
+	private async getCreds(): Promise<{ accountId: string; apiToken: string }> {
+		if (this.creds) return this.creds;
+
+		// Both credentials route through the `secrets/store` runtime kind
+		// (vibes secrets). Adapters declare key NAMES; the runtime picks
+		// the right backend by tier (encrypted-local for local, the CF
+		// secrets store for staging/production). process.env can override
+		// for CI / explicit shell sessions.
+		const env = this.descriptor.environment || 'local';
+		const ac = (this.descriptor.adapterConfig ?? {}) as Record<string, unknown>;
+		const accountKey = (typeof ac.accountIdEnvVar === 'string' ? ac.accountIdEnvVar : 'CLOUDFLARE_ACCOUNT_ID');
+		const primaryToken = (typeof ac.apiTokenEnvVar === 'string' ? ac.apiTokenEnvVar : 'CLOUDFLARE_NOTIFICATIONS_API_TOKEN');
+		const fallbackToken = (typeof ac.apiTokenFallbackEnvVar === 'string' ? ac.apiTokenFallbackEnvVar : 'CLOUDFLARE_API_TOKEN');
+
+		const accountRes = await resolveAdapterCredential({
+			keyCandidates: [accountKey],
+			environment: env,
+			humanName: 'Cloudflare account id'
+		});
+		const tokenRes = await resolveAdapterCredential({
+			keyCandidates: [primaryToken, fallbackToken],
+			environment: env,
+			humanName: 'Cloudflare API token (notifications scope preferred)'
+		});
+
+		this.creds = { accountId: accountRes.value, apiToken: tokenRes.value };
+		return this.creds;
+	}
+
+	private async call<T>(path: string, init?: RequestInit): Promise<CfApiBody<T>> {
+		const { apiToken } = await this.getCreds();
+		const res = await fetch(`https://api.cloudflare.com/client/v4${path}`, {
+			...init,
+			headers: {
+				Authorization: `Bearer ${apiToken}`,
+				'Content-Type': 'application/json',
+				...(init?.headers ?? {})
+			}
+		});
+		const text = await res.text();
+		let body: CfApiBody<T>;
+		try {
+			body = JSON.parse(text) as CfApiBody<T>;
+		} catch {
+			throw new Error(`cloudflare-alerts: non-JSON response from ${path}: ${text.slice(0, 200)}`);
+		}
+		if (!res.ok || body.success === false) {
+			const errSummary = body.errors?.map((e) => `${e.code}: ${e.message}`).join('; ') ?? text.slice(0, 200);
+			throw new Error(`cloudflare-alerts: ${path} → ${res.status} ${errSummary}`);
+		}
+		return body;
+	}
+
+	async listPolicies(): Promise<Array<AlertPolicy & { providerId: string }>> {
+		const { accountId } = await this.getCreds();
+		const body = await this.call<CfPolicy[]>(`/accounts/${accountId}/alerting/v3/policies`);
+		return (body.result ?? []).map(fromCfPolicy);
+	}
+
+	async createPolicy(policy: AlertPolicy): Promise<{ providerId: string }> {
+		const { accountId } = await this.getCreds();
+		const payload = toCfPayload(policy);
+		const body = await this.call<{ id: string }>(
+			`/accounts/${accountId}/alerting/v3/policies`,
+			{ method: 'POST', body: JSON.stringify(payload) }
+		);
+		return { providerId: body.result.id };
+	}
+
+	async deletePolicy(providerId: string): Promise<void> {
+		const { accountId } = await this.getCreds();
+		await this.call(`/accounts/${accountId}/alerting/v3/policies/${providerId}`, {
+			method: 'DELETE'
+		});
+	}
+
+	async diff(desired: AlertPolicy[]): Promise<{
+		create: AlertPolicy[];
+		update: Array<{ providerId: string; policy: AlertPolicy }>;
+		delete: Array<{ providerId: string; name: string }>;
+	}> {
+		const live = await this.listPolicies();
+		const liveByName = new Map(live.map((p) => [p.name, p]));
+		const create: AlertPolicy[] = [];
+		const update: Array<{ providerId: string; policy: AlertPolicy }> = [];
+
+		for (const policy of desired) {
+			const match = liveByName.get(policy.name);
+			if (!match) {
+				create.push(policy);
+				continue;
+			}
+			liveByName.delete(policy.name);
+			// Coarse-grained diff: re-create if threshold or mechanisms changed.
+			const changed =
+				match.threshold !== policy.threshold ||
+				match.type !== policy.type ||
+				match.enabled !== policy.enabled ||
+				JSON.stringify(match.mechanisms) !== JSON.stringify(policy.mechanisms) ||
+				JSON.stringify(match.filters) !== JSON.stringify(policy.filters);
+			if (changed) {
+				update.push({ providerId: match.providerId, policy });
+			}
+		}
+
+		const deleteList = Array.from(liveByName.values()).map((p) => ({
+			providerId: p.providerId,
+			name: p.name
+		}));
+
+		return { create, update, delete: deleteList };
+	}
+}
+
+export function createCloudflareAlertsImplementation(
+	input: CloudflareAlertsDescriptorInput
+): AlertsImplementation {
+	return new CloudflareAlertsImplementation(CloudflareAlertsDescriptorSchema.parse(input));
+}

package/src/implementations/kv.impl.ts

@@ -0,0 +1,51 @@
+/**
+ * Cloudflare KV Implementation
+ *
+ * Config generator for `infra/cache` kind when engine is `cloudflare-kv`.
+ * Produces KV namespace binding config to merge into a wrangler config.
+ */
+
+import * as z from 'zod/v4';
+
+export const CloudflareKVDescriptorSchema = z.object({
+	kind: z.literal('infra/cache'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	engine: z.literal('cloudflare-kv'),
+	/** Binding name (e.g. "SESSION_CACHE") */
+	binding: z.string().regex(/^[_A-Z0-9]+$/),
+	/** KV namespace ID (from Cloudflare dashboard or wrangler) */
+	namespaceId: z.string().min(1),
+	/** Optional preview namespace ID for non-production */
+	previewNamespaceId: z.string().optional()
+});
+
+export type CloudflareKVDescriptor = z.infer<typeof CloudflareKVDescriptorSchema>;
+
+export interface WranglerKVConfig {
+	kv_namespaces: Array<{
+		binding: string;
+		id: string;
+		preview_id?: string;
+	}>;
+}
+
+/**
+ * Generate KV namespace binding config to merge into a wrangler config.
+ */
+export function generateCloudflareKVConfig(descriptor: CloudflareKVDescriptor): WranglerKVConfig {
+	const parsed = CloudflareKVDescriptorSchema.parse(descriptor);
+
+	const namespace: WranglerKVConfig['kv_namespaces'][number] = {
+		binding: parsed.binding,
+		id: parsed.namespaceId
+	};
+
+	if (parsed.previewNamespaceId) {
+		namespace.preview_id = parsed.previewNamespaceId;
+	}
+
+	return {
+		kv_namespaces: [namespace]
+	};
+}

package/src/implementations/logs.descriptor.ts

@@ -0,0 +1,29 @@
+/**
+ * Default Cloudflare Logs descriptor — registered at plugin load time so
+ * `runtime.assets('infra/logs').descriptors()` returns at least one entry
+ * the moment the infra-cloudflare plugin is loaded.
+ *
+ * The descriptor only carries adapter identity + credential pointers. The
+ * concrete `sources` list (which workers to observe) is *not* declared
+ * here — that's app inventory, owned by each consumer's
+ * `deployment.config.ts`. CLI surfaces (e.g. `vibes infra logs`) discover
+ * sources from the workspace and merge them at display time.
+ */
+
+import type { InfraLogsDescriptor } from '@vibesdotdev/infra-core/kinds';
+
+const descriptor: InfraLogsDescriptor = {
+	kind: 'infra/logs',
+	id: 'cloudflare-logs',
+	name: 'Cloudflare Logs',
+	description: 'Cloudflare Workers, Pages, D1, R2, and KV logs',
+	adapter: 'cloudflare-logs',
+	adapterConfig: {
+		accountId: { source: 'secret', key: 'CLOUDFLARE_ACCOUNT_ID' },
+		apiToken: { source: 'secret', key: 'CLOUDFLARE_API_TOKEN' }
+	},
+	sources: [],
+	alerts: []
+};
+
+export default descriptor;

package/src/implementations/logs.impl.ts

@@ -0,0 +1,201 @@
+/**
+ * Cloudflare Logs Implementation
+ *
+ * Implements the `infra/logs` kind for Cloudflare Workers.
+ * Provides programmatic log tailing, queries, and analytics.
+ */
+
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { CloudflareLogsConnector } from '@vibesdotdev/connector-cloudflare';
+import { resolveCurrentEnvironmentConfig } from '@vibesdotdev/config/environment/current';
+import type { InfraLogsDescriptor } from '@vibesdotdev/infra-core/kinds';
+import type { SecretsStoreImplementation } from '@vibesdotdev/secrets/kinds';
+import * as z from 'zod/v4';
+
+export const CloudflareLogsDescriptorSchema = z.object({
+	kind: z.literal('infra/logs'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	description: z.string().optional(),
+	adapter: z.literal('cloudflare-logs'),
+	adapterConfig: z.record(z.string(), z.unknown()).optional(),
+	// Support top-level for backward compat with old descriptors; prefer adapterConfig
+	accountId: z.union([
+		z.string().min(1),
+		z.object({ source: z.literal('secret'), key: z.string().min(1) }),
+		z.object({ source: z.literal('env'), key: z.string().min(1) })
+	]).optional(),
+	apiToken: z.union([
+		z.object({ source: z.literal('env'), key: z.string().min(1) }),
+		z.object({ source: z.literal('secret'), key: z.string().min(1) })
+	]).optional(),
+	/**
+	 * Optional legacy Global API Key + email pair. Provide both to fall back
+	 * to `X-Auth-Key` + `X-Auth-Email` for endpoints that 405 on Bearer auth.
+	 */
+	apiKey: z.union([
+		z.object({ source: z.literal('env'), key: z.string().min(1) }),
+		z.object({ source: z.literal('secret'), key: z.string().min(1) })
+	]).optional(),
+	email: z.union([
+		z.object({ source: z.literal('env'), key: z.string().min(1) }),
+		z.object({ source: z.literal('secret'), key: z.string().min(1) })
+	]).optional(),
+	/**
+	 * Optional override for the secrets-resolution environment scope. When
+	 * unset, the impl resolves the current active environment from the
+	 * config manifest (the same selection `vibes secrets list` honors),
+	 * falling back to `'local'`.
+	 */
+	environment: z.string().optional(),
+	/** Log sources to monitor - matches infra/logs kind schema */
+	sources: z
+		.array(
+			z.object({
+				type: z.enum(['worker', 'pages', 'd1', 'r2', 'kv']),
+				name: z.string().min(1),
+				environment: z.string().optional()
+			})
+		)
+		.default([]),
+	retention: z
+		.object({
+			hotDays: z.number().int().positive().default(7),
+			coldDays: z.number().int().positive().default(30)
+		})
+		.optional(),
+	alerts: z
+		.array(
+			z.object({
+				name: z.string().min(1),
+				condition: z.enum(['errorRate', 'duration', 'invocationCount']),
+				threshold: z.number(),
+				window: z.string(),
+				channels: z.array(z.string()).default([])
+			})
+		)
+		.default([])
+});
+
+export type CloudflareLogsDescriptorInput = z.input<typeof CloudflareLogsDescriptorSchema>;
+export type CloudflareLogsDescriptor = z.infer<typeof CloudflareLogsDescriptorSchema>;
+
+export interface LogsImplementation {
+	/** Stream logs in real-time (returns WebSocket URL) */
+	tailLogs(sourceName: string, options?: { status?: 'ok' | 'error' | 'canceled'; limit?: number }): Promise<{ tailId: string; websocketUrl: string }>;
+	/** Stop a log tail session */
+	stopTail(sourceName: string, tailId: string): Promise<void>;
+	/** List active tail sessions */
+	listTails(sourceName: string): Promise<Array<{ id: string; createdAt: string }>>;
+	/** Get analytics summary */
+	getAnalytics(sourceName: string, timeRange?: { timeStart: string; timeEnd?: string }): Promise<{ totalInvocations: number; errorCount: number; errorRate: number; avgDurationMs: number; p99DurationMs: number; totalCpuTimeMs: number }>;
+	/** Get error rate */
+	getErrorRate(sourceName: string, timeRange?: { timeStart: string; timeEnd?: string }): Promise<number>;
+}
+
+class CloudflareLogsImplementation implements LogsImplementation {
+	readonly id = 'cloudflare-logs';
+	readonly descriptor: CloudflareLogsDescriptor;
+	private connector: CloudflareLogsConnector | null = null;
+
+	constructor(descriptor: CloudflareLogsDescriptor) {
+		this.descriptor = CloudflareLogsDescriptorSchema.parse(descriptor);
+	}
+
+	private async getConnector(): Promise<CloudflareLogsConnector> {
+		if (this.connector) return this.connector;
+
+		const runtime = getVibesRuntime();
+		const secretsStore = await runtime.query('secrets/store').resolve() as SecretsStoreImplementation;
+
+		// Prefer adapterConfig for constitution-aligned config (adapter-specific under adapterConfig)
+		const ac = (this.descriptor.adapterConfig || {}) as Record<string, unknown>;
+		const accountId = (this.descriptor.accountId ?? ac.accountId ?? { source: 'secret', key: 'CLOUDFLARE_ACCOUNT_ID' }) as any;
+		const apiToken = (this.descriptor.apiToken ?? ac.apiToken ?? { source: 'secret', key: 'CLOUDFLARE_API_TOKEN' }) as any;
+		// Legacy auth pair is optional — only used by endpoints that 405 on Bearer.
+		const apiKey = (this.descriptor.apiKey ?? ac.apiKey) as any;
+		const email = (this.descriptor.email ?? ac.email) as any;
+
+		// Resolve which environment scope to read secrets from. Descriptor
+		// override wins; otherwise follow the user's active environment
+		// selection (same source `vibes secrets list` reads). Final fallback
+		// is `'local'` so the CLI stays usable when the config manifest
+		// hasn't been initialized.
+		let environment = this.descriptor.environment;
+		if (!environment) {
+			try {
+				const current = await resolveCurrentEnvironmentConfig();
+				environment = current.name;
+			} catch {
+				environment = 'local';
+			}
+		}
+
+		this.connector = await CloudflareLogsConnector.create({
+			accountId,
+			apiToken,
+			...(apiKey ? { apiKey } : {}),
+			...(email ? { email } : {})
+		}, {
+			environment,
+			secretsStore
+		});
+
+		return this.connector;
+	}
+
+	async tailLogs(
+		workerName: string,
+		options: { status?: 'ok' | 'error' | 'canceled'; method?: string; header?: string; limit?: number } = {}
+	): Promise<{ tailId: string; websocketUrl: string }> {
+		const connector = await this.getConnector();
+		try {
+			return await connector.tailLogs(workerName, options);
+		} catch (error: unknown) {
+			const msg = error instanceof Error ? error.message : String(error);
+			if (msg.includes('Method not allowed for this authentication scheme')) {
+				throw new Error(
+					'Cloudflare rejected log tail with "method not allowed for this authentication scheme". ' +
+						'Your API token likely lacks the "Workers Scripts:Edit" (or equivalent Tail) permission. ' +
+						'Either grant that permission to CLOUDFLARE_API_TOKEN, or configure ' +
+						'CLOUDFLARE_API_KEY + CLOUDFLARE_EMAIL in the secrets store for legacy auth fallback.'
+				);
+			}
+			throw error;
+		}
+	}
+
+	async stopTail(sourceName: string, tailId: string): Promise<void> {
+		const connector = await this.getConnector();
+		await connector.stopTail(sourceName, tailId);
+	}
+
+	async listTails(sourceName: string): Promise<Array<{ id: string; createdAt: string }>> {
+		const connector = await this.getConnector();
+		const sessions = await connector.listTails(sourceName);
+		return sessions.map((s) => ({ id: s.tailId, createdAt: s.createdAt.toISOString() }));
+	}
+
+	async getAnalytics(
+		sourceName: string,
+		timeRange?: { timeStart: string; timeEnd?: string }
+	): Promise<{ totalInvocations: number; errorCount: number; errorRate: number; avgDurationMs: number; p99DurationMs: number; totalCpuTimeMs: number }> {
+		const connector = await this.getConnector();
+		return connector.getAnalytics(sourceName, timeRange ?? {});
+	}
+
+	async getErrorRate(
+		sourceName: string,
+		timeRange?: { timeStart: string; timeEnd?: string }
+	): Promise<number> {
+		const connector = await this.getConnector();
+		return connector.getErrorRate(sourceName, timeRange ?? {});
+	}
+}
+
+export function createCloudflareLogsImplementation(
+	input: CloudflareLogsDescriptorInput
+): LogsImplementation {
+	const descriptor = CloudflareLogsDescriptorSchema.parse(input);
+	return new CloudflareLogsImplementation(descriptor);
+}

package/src/implementations/observability.descriptor.ts

@@ -0,0 +1,25 @@
+/**
+ * Default Cloudflare Workers Observability descriptor — auto-registered
+ * at plugin load so `runtime.assets('infra/observability').descriptors()`
+ * surfaces it without each consumer declaring one in their config.
+ */
+
+import type { InfraObservabilityDescriptor } from '@vibesdotdev/infra-core';
+
+const descriptor: InfraObservabilityDescriptor = {
+	kind: 'infra/observability',
+	id: 'cloudflare-workers-observability',
+	name: 'Cloudflare Workers Observability',
+	description: 'Per-Worker observability config (logs/traces sampling, exports) via CF Workers Settings API',
+	adapter: 'cloudflare-workers-observability',
+	adapterConfig: {
+		apiTokenEnvVar: 'CLOUDFLARE_API_TOKEN',
+		accountIdEnvVar: 'CLOUDFLARE_ACCOUNT_ID'
+	},
+	environment: 'local',
+	// Default scope: every Worker in the account. CLI commands can
+	// narrow with --worker.
+	defaultScope: { kind: 'account-wide' }
+};
+
+export default descriptor;