@vibesdotdev/infra-cloudflare 0.0.1

package/src/implementations/observability.impl.ts

@@ -0,0 +1,307 @@
+/**
+ * Cloudflare Workers Observability Implementation
+ *
+ * Reads/writes per-Worker observability via the CF Workers Settings API:
+ *
+ *   GET   /accounts/:account/workers/scripts/:script/settings
+ *   PATCH /accounts/:account/workers/scripts/:script/settings
+ *
+ * The PATCH body shape is the same as the GET response — supply only
+ * the keys you want to change. We translate the kind's
+ * `ObservabilitySettings` shape onto CF's nested observability.{logs,
+ * traces} fields.
+ *
+ * Credentials resolve through the standard `secrets/store` runtime
+ * chain via `resolveAdapterCredential`; no CF-specific helpers. Token
+ * candidates default to CLOUDFLARE_API_TOKEN (Workers Scripts: Edit
+ * scope required for write).
+ */
+
+import * as z from 'zod/v4';
+import {
+	resolveAdapterCredential,
+	type ObservabilityImplementation,
+	type ObservabilityScope,
+	type ObservabilitySettings,
+	type ObservabilitySnapshot,
+	type SetObservabilityInput,
+	type SetObservabilityResult
+} from '@vibesdotdev/infra-core';
+
+export const CloudflareObservabilityDescriptorSchema = z.object({
+	kind: z.literal('infra/observability'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	description: z.string().optional(),
+	adapter: z.literal('cloudflare-workers-observability'),
+	adapterConfig: z.record(z.string(), z.unknown()).optional(),
+	environment: z.string().default('local'),
+	defaultScope: z.unknown().optional(),
+	settings: z.unknown().optional()
+});
+
+export type CloudflareObservabilityDescriptorInput = z.input<typeof CloudflareObservabilityDescriptorSchema>;
+export type CloudflareObservabilityDescriptor = z.infer<typeof CloudflareObservabilityDescriptorSchema>;
+
+interface CfObservabilityBody {
+	enabled?: boolean;
+	head_sampling_rate?: number;
+	logs?: {
+		enabled?: boolean;
+		head_sampling_rate?: number;
+		persist?: boolean;
+		invocation_logs?: boolean;
+	};
+	traces?: {
+		enabled?: boolean;
+		head_sampling_rate?: number;
+		persist?: boolean;
+	};
+}
+
+interface CfScriptSettings {
+	observability?: CfObservabilityBody;
+	modified_on?: string;
+}
+
+interface CfApiBody<T> {
+	success: boolean;
+	result: T;
+	errors?: Array<{ code: number; message: string }>;
+}
+
+interface CfScriptListItem {
+	id: string;
+	modified_on?: string;
+}
+
+/** Map CF native observability → provider-agnostic ObservabilitySettings. */
+function fromCfObservability(cf: CfObservabilityBody | undefined): ObservabilitySettings {
+	const out: ObservabilitySettings = {};
+	if (cf?.logs) {
+		out.logs = {
+			enabled: cf.logs.enabled ?? cf.enabled ?? false,
+			headSamplingRate: cf.logs.head_sampling_rate ?? cf.head_sampling_rate,
+			persist: cf.logs.persist,
+			invocationLogs: cf.logs.invocation_logs
+		};
+	}
+	if (cf?.traces) {
+		out.traces = {
+			enabled: cf.traces.enabled ?? false,
+			headSamplingRate: cf.traces.head_sampling_rate,
+			persist: cf.traces.persist
+		};
+	}
+	return out;
+}
+
+/** Map ObservabilitySettings → CF PATCH body (only includes provided keys). */
+function toCfObservability(settings: ObservabilitySettings): CfObservabilityBody {
+	const body: CfObservabilityBody = {};
+	if (settings.logs) {
+		// CF gates everything under `enabled` at the top-level; mirror the
+		// logs.enabled value so single-toggle clients work as expected.
+		body.enabled = settings.logs.enabled;
+		body.head_sampling_rate = settings.logs.headSamplingRate;
+		body.logs = {
+			enabled: settings.logs.enabled,
+			head_sampling_rate: settings.logs.headSamplingRate,
+			persist: settings.logs.persist,
+			invocation_logs: settings.logs.invocationLogs
+		};
+	}
+	if (settings.traces) {
+		body.traces = {
+			enabled: settings.traces.enabled,
+			head_sampling_rate: settings.traces.headSamplingRate,
+			persist: settings.traces.persist
+		};
+	}
+	return body;
+}
+
+function settingsEqual(a: ObservabilitySettings, b: ObservabilitySettings): boolean {
+	return JSON.stringify(a) === JSON.stringify(b);
+}
+
+class CloudflareObservabilityImplementation implements ObservabilityImplementation {
+	readonly id = 'cloudflare-workers-observability';
+	readonly descriptor: CloudflareObservabilityDescriptor;
+	private creds: { accountId: string; apiToken: string } | null = null;
+
+	constructor(descriptor: CloudflareObservabilityDescriptor) {
+		this.descriptor = CloudflareObservabilityDescriptorSchema.parse(descriptor);
+	}
+
+	private async getCreds(): Promise<{ accountId: string; apiToken: string }> {
+		if (this.creds) return this.creds;
+
+		const env = this.descriptor.environment || 'local';
+		const ac = (this.descriptor.adapterConfig ?? {}) as Record<string, unknown>;
+		const accountKey =
+			typeof ac.accountIdEnvVar === 'string' ? ac.accountIdEnvVar : 'CLOUDFLARE_ACCOUNT_ID';
+		const primaryToken =
+			typeof ac.apiTokenEnvVar === 'string' ? ac.apiTokenEnvVar : 'CLOUDFLARE_API_TOKEN';
+		const fallbackToken = typeof ac.apiTokenFallbackEnvVar === 'string' ? ac.apiTokenFallbackEnvVar : null;
+
+		const tokenCandidates = fallbackToken ? [primaryToken, fallbackToken] : [primaryToken];
+
+		const accountRes = await resolveAdapterCredential({
+			keyCandidates: [accountKey],
+			environment: env,
+			humanName: 'Cloudflare account id'
+		});
+		const tokenRes = await resolveAdapterCredential({
+			keyCandidates: tokenCandidates,
+			environment: env,
+			humanName: 'Cloudflare API token (Workers Scripts: Edit scope for write ops)'
+		});
+
+		this.creds = { accountId: accountRes.value, apiToken: tokenRes.value };
+		return this.creds;
+	}
+
+	private async call<T>(path: string, init?: RequestInit): Promise<CfApiBody<T>> {
+		const { apiToken } = await this.getCreds();
+		// Note: callers that need the multipart/form-data shape (the
+		// script settings PATCH endpoint) must set their own Content-Type
+		// via the init.headers override — otherwise we apply JSON by default.
+		const callerHeaders = (init?.headers ?? {}) as Record<string, string>;
+		const explicitContentType = Object.keys(callerHeaders).some(
+			(k) => k.toLowerCase() === 'content-type'
+		);
+		const defaultHeaders: Record<string, string> = {
+			Authorization: `Bearer ${apiToken}`
+		};
+		if (!explicitContentType && !(init?.body instanceof FormData)) {
+			defaultHeaders['Content-Type'] = 'application/json';
+		}
+		const res = await fetch(`https://api.cloudflare.com/client/v4${path}`, {
+			...init,
+			headers: {
+				...defaultHeaders,
+				...callerHeaders
+			}
+		});
+		const text = await res.text();
+		let body: CfApiBody<T>;
+		try {
+			body = JSON.parse(text) as CfApiBody<T>;
+		} catch {
+			throw new Error(
+				`cloudflare-observability: non-JSON response from ${path}: ${text.slice(0, 200)}`
+			);
+		}
+		if (!res.ok || body.success === false) {
+			const errSummary = body.errors?.map((e) => `${e.code}: ${e.message}`).join('; ') ?? text.slice(0, 200);
+			throw new Error(`cloudflare-observability: ${path} → ${res.status} ${errSummary}`);
+		}
+		return body;
+	}
+
+	private async listWorkerNames(filter?: string): Promise<string[]> {
+		const { accountId } = await this.getCreds();
+		const body = await this.call<CfScriptListItem[]>(
+			`/accounts/${accountId}/workers/scripts?per_page=200`
+		);
+		const all = (body.result ?? []).map((s) => s.id);
+		if (!filter) return all;
+		// Simple glob: support * as a wildcard.
+		const pattern = filter.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
+		const re = new RegExp(`^${pattern}$`);
+		return all.filter((name) => re.test(name));
+	}
+
+	private async resolveScopeToWorkers(scope: ObservabilityScope): Promise<string[]> {
+		if (scope.kind === 'worker') return [scope.workerName];
+		return this.listWorkerNames(scope.filter);
+	}
+
+	async getStatus(scope: ObservabilityScope): Promise<ObservabilitySnapshot[]> {
+		const { accountId } = await this.getCreds();
+		const workers = await this.resolveScopeToWorkers(scope);
+		const snapshots: ObservabilitySnapshot[] = [];
+		for (const workerName of workers) {
+			try {
+				const body = await this.call<CfScriptSettings>(
+					`/accounts/${accountId}/workers/scripts/${workerName}/settings`
+				);
+				snapshots.push({
+					workerName,
+					settings: fromCfObservability(body.result.observability),
+					modifiedAt: body.result.modified_on
+				});
+			} catch (err) {
+				// Skip workers that don't exist or aren't readable, but
+				// surface as snapshots with empty settings so the CLI can
+				// distinguish "not present" from "100% sampling".
+				snapshots.push({
+					workerName,
+					settings: {},
+					modifiedAt: undefined
+				});
+				if (process.env.VIBES_DEBUG_OBSERVABILITY === '1') {
+					console.error(`[observability-debug] ${workerName}: ${(err as Error).message}`);
+				}
+			}
+		}
+		return snapshots;
+	}
+
+	async set(input: SetObservabilityInput): Promise<SetObservabilityResult> {
+		const { accountId } = await this.getCreds();
+		const skipUnchanged = input.skipUnchanged ?? true;
+		const workers = await this.resolveScopeToWorkers(input.scope);
+		const result: SetObservabilityResult = { changed: [], unchanged: [], failed: [] };
+
+		for (const workerName of workers) {
+			try {
+				const current = await this.call<CfScriptSettings>(
+					`/accounts/${accountId}/workers/scripts/${workerName}/settings`
+				);
+				const before = fromCfObservability(current.result.observability);
+
+				// Merge requested settings into existing, then check for change.
+				const desired: ObservabilitySettings = {
+					logs: { ...(before.logs ?? { enabled: false }), ...(input.settings.logs ?? {}) },
+					traces: { ...(before.traces ?? { enabled: false }), ...(input.settings.traces ?? {}) }
+				};
+
+				if (skipUnchanged && settingsEqual(before, desired)) {
+					result.unchanged.push(workerName);
+					continue;
+				}
+
+				// CF's script-settings PATCH requires multipart/form-data with
+				// a `settings` field carrying the JSON metadata. Bare JSON
+				// returns 415 ("Content-Type must be one of: multipart/form-data").
+				const form = new FormData();
+				form.append(
+					'settings',
+					JSON.stringify({ observability: toCfObservability(desired) })
+				);
+				await this.call<unknown>(`/accounts/${accountId}/workers/scripts/${workerName}/settings`, {
+					method: 'PATCH',
+					body: form
+				});
+				result.changed.push({ workerName, before, after: desired });
+			} catch (err) {
+				result.failed.push({
+					workerName,
+					error: err instanceof Error ? err.message : String(err)
+				});
+			}
+		}
+
+		return result;
+	}
+}
+
+export function createCloudflareObservabilityImplementation(
+	input: CloudflareObservabilityDescriptorInput
+): ObservabilityImplementation {
+	return new CloudflareObservabilityImplementation(
+		CloudflareObservabilityDescriptorSchema.parse(input)
+	);
+}

package/src/implementations/pages.impl.ts

@@ -0,0 +1,189 @@
+/**
+ * Cloudflare Pages Implementation
+ *
+ * Config generator and deployment helpers for Cloudflare Pages projects.
+ * Wraps an infra-core AppDeployment into a Cloudflare Pages-compatible
+ * wrangler.jsonc fragment and provides rendering utilities.
+ *
+ * Retained for ecosystem/SDK consumers that target Cloudflare Pages.
+ * Vibes monorepo apps deploy as Workers + Static Assets — see web-app.impl.ts.
+ */
+
+import * as z from 'zod/v4';
+import type { AppDeployment } from '@vibesdotdev/infra-core/deployment';
+
+export const CloudflarePagesDescriptorSchema = z.object({
+	kind: z.literal('infra/web-app'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	adapter: z.enum(['cloudflare-pages', 'cloudflare-workers']),
+	/** Cloudflare Pages project name (e.g., "vibes-platform") */
+	cfProjectName: z.string().min(1),
+	/** Build output directory */
+	outputDir: z.string().min(1),
+	/** Compatibility date for wrangler */
+	compatibilityDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/).optional(),
+	/** Compatibility flags for wrangler */
+	compatibilityFlags: z.array(z.string()).default(['nodejs_compat']),
+	/** Environment variables to include */
+	env: z.record(z.string(), z.string()).default({}),
+	/**
+	 * Account-level Cloudflare Secrets Store ID. When set, secret env vars
+	 * emit as `secrets_store_secrets[]` bindings against this store. UUID,
+	 * not a secret value — safe to commit.
+	 */
+	secretsStoreId: z.string().min(1).optional()
+});
+
+export type CloudflarePagesDescriptor = z.infer<typeof CloudflarePagesDescriptorSchema>;
+export type CloudflarePagesDescriptorInput = z.input<typeof CloudflarePagesDescriptorSchema>;
+
+export interface CloudflarePagesDeployment {
+	projectName: string;
+	deployment: AppDeployment;
+	compatibilityDate: string;
+	/** Generate wrangler.jsonc fragment for this Pages deployment */
+	generateWranglerConfig(): WranglerPagesConfig;
+}
+
+export interface WranglerSecretsStoreBinding {
+	binding: string;
+	store_id: string;
+	secret_name: string;
+}
+
+export interface WranglerPagesConfig {
+	$schema?: string;
+	name: string;
+	compatibility_date: string;
+	compatibility_flags: string[];
+	/** Pages build output directory */
+	pages_build_output_dir: string;
+	/** Environment variables for production */
+	vars?: Record<string, string>;
+	/** Account-level Secrets Store bindings (one per secret env var) */
+	secrets_store_secrets?: WranglerSecretsStoreBinding[];
+	/** Per-Pages-project required secret names (deploy-time validation only) */
+	secrets?: { required: string[] };
+}
+
+/**
+ * Create a Cloudflare Pages deployment wrapper around an AppDeployment.
+ *
+ * @param options - Deployment options including projectName and the base deployment
+ * @returns A CloudflarePagesDeployment with wrangler config generation
+ */
+export function createCloudflarePagesDeployment(options: {
+	projectName: string;
+	deployment: AppDeployment;
+	compatibilityDate?: string;
+	/**
+	 * Account-level Secrets Store ID. When set, secret env vars are emitted
+	 * as `secrets_store_secrets[]` bindings instead of being silently dropped.
+	 */
+	secretsStoreId?: string;
+}): CloudflarePagesDeployment {
+	const { projectName, deployment, compatibilityDate, secretsStoreId } = options;
+	const compatDate = compatibilityDate ?? new Date().toISOString().slice(0, 10);
+
+	return {
+		projectName,
+		deployment,
+		compatibilityDate: compatDate,
+
+		generateWranglerConfig(): WranglerPagesConfig {
+			const config: WranglerPagesConfig = {
+				$schema: 'node_modules/wrangler/config-schema.json',
+				name: projectName,
+				compatibility_date: compatDate,
+				compatibility_flags: ['nodejs_compat'],
+				pages_build_output_dir: deployment.build.outputDir
+			};
+
+			// Add non-secret env vars with explicit values as vars.
+			const plainEnvVars: Record<string, string> = {};
+			for (const envVar of deployment.env) {
+				if (!envVar.secret && envVar.value !== undefined) {
+					plainEnvVars[envVar.name] = envVar.value;
+				}
+			}
+
+			if (Object.keys(plainEnvVars).length > 0) {
+				config.vars = plainEnvVars;
+			}
+
+			const secretEnvVars = deployment.env
+				.filter((envVar) => envVar.secret)
+				.sort((a, b) => a.name.localeCompare(b.name));
+
+			if (secretEnvVars.length > 0) {
+				if (secretsStoreId) {
+					config.secrets_store_secrets = secretEnvVars.map((envVar) => ({
+						binding: envVar.name,
+						store_id: secretsStoreId,
+						secret_name: envVar.storeKey ?? envVar.name
+					}));
+				} else {
+					config.secrets = {
+						required: secretEnvVars
+							.filter((envVar) => envVar.required !== false)
+							.map((envVar) => envVar.name)
+					};
+				}
+			}
+
+			return config;
+		}
+	};
+}
+
+/**
+ * Render a wrangler.jsonc string from a wrangler config object.
+ *
+ * Canonical output: tab-indented JSON with a leading JSONC header and a
+ * trailing newline. The same renderer is used for Pages and Workers
+ * (`infra-cloudflare/web-app`) — pass `headerLines` to customize the
+ * leading comment block.
+ *
+ * @param config - The wrangler config object to render
+ * @param options - Optional header override
+ * @returns JSONC-formatted string (JSON with comments)
+ */
+export function renderWranglerJson(
+	config: WranglerPagesConfig | Record<string, unknown>,
+	options?: { headerLines?: string[] }
+): string {
+	const headerLines = options?.headerLines ?? [
+		'Generated by @vibesdotdev/infra-cloudflare',
+		'https://developers.cloudflare.com/workers/wrangler/configuration/'
+	];
+	const header = headerLines.map((line) => `// ${line}`).join('\n');
+	const jsonContent = JSON.stringify(config, null, '\t');
+	return `${header}\n${jsonContent}\n`;
+}
+
+/**
+ * Generate a Pages deployment descriptor from an existing AppDeployment.
+ * This creates a descriptor that can be used for runtime discovery.
+ *
+ * @param deployment - The base AppDeployment
+ * @param cfProjectName - Explicit Cloudflare project name (required, no hardcoded conventions)
+ * @returns A validated Pages descriptor
+ */
+export function generateCloudflarePagesDescriptor(
+	deployment: AppDeployment,
+	cfProjectName: string
+): CloudflarePagesDescriptor {
+	return CloudflarePagesDescriptorSchema.parse({
+		kind: 'infra/web-app',
+		id: deployment.appId,
+		name: deployment.appName,
+		adapter: 'cloudflare-workers', // Our apps use Workers Static Assets via adapter
+		cfProjectName,
+		outputDir: deployment.build.outputDir,
+		env: deployment.env.reduce((acc, e) => {
+			if (e.value) acc[e.name] = e.value;
+			return acc;
+		}, {} as Record<string, string>)
+	});
+}

package/src/implementations/queues.impl.ts

@@ -0,0 +1,48 @@
+/**
+ * Cloudflare Queues Implementation
+ *
+ * Config generator for `infra/queue` kind when engine is `cloudflare-queues`.
+ * Produces queue binding config to be merged into the producer app's wrangler config.
+ */
+
+import * as z from 'zod/v4';
+
+export const CloudflareQueueDescriptorSchema = z.object({
+	kind: z.literal('infra/queue'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	engine: z.literal('cloudflare-queues'),
+	/** Queue name in Cloudflare (e.g. "billing-jobs") */
+	queueName: z.string().min(1),
+	/** Binding name for the producer (e.g. "BILLING_QUEUE") */
+	binding: z.string().regex(/^[_A-Z0-9]+$/)
+});
+
+export type CloudflareQueueDescriptor = z.infer<typeof CloudflareQueueDescriptorSchema>;
+
+export interface WranglerQueueProducerConfig {
+	queues: {
+		producers: Array<{
+			queue: string;
+			binding: string;
+		}>;
+	};
+}
+
+/**
+ * Generate queue producer binding config to merge into a wrangler config.
+ */
+export function generateCloudflareQueueConfig(descriptor: CloudflareQueueDescriptor): WranglerQueueProducerConfig {
+	const parsed = CloudflareQueueDescriptorSchema.parse(descriptor);
+
+	return {
+		queues: {
+			producers: [
+				{
+					queue: parsed.queueName,
+					binding: parsed.binding
+				}
+			]
+		}
+	};
+}

package/src/implementations/r2.impl.ts

@@ -0,0 +1,58 @@
+/**
+ * Cloudflare R2 Implementation
+ *
+ * Config generator for `infra/object-storage` kind when adapter is `cloudflare-r2`.
+ * Produces R2 bucket binding config to merge into a wrangler config.
+ */
+
+import * as z from 'zod/v4';
+
+export const CloudflareR2DescriptorSchema = z.object({
+	kind: z.literal('infra/object-storage'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	adapter: z.literal('cloudflare-r2'),
+	/** Binding name (e.g. "ASSETS") */
+	binding: z.string().regex(/^[_A-Z0-9]+$/),
+	/** R2 bucket name (e.g. "vibes-assets") */
+	bucketName: z.string().min(1),
+	/** Optional preview bucket for non-production environments */
+	previewBucketName: z.string().optional(),
+	/** Jurisdiction restriction (e.g. "eu") */
+	jurisdiction: z.string().optional()
+});
+
+export type CloudflareR2Descriptor = z.infer<typeof CloudflareR2DescriptorSchema>;
+
+export interface WranglerR2Config {
+	r2_buckets: Array<{
+		binding: string;
+		bucket_name: string;
+		preview_bucket_name?: string;
+		jurisdiction?: string;
+	}>;
+}
+
+/**
+ * Generate R2 bucket binding config to merge into a wrangler config.
+ */
+export function generateCloudflareR2Config(descriptor: CloudflareR2Descriptor): WranglerR2Config {
+	const parsed = CloudflareR2DescriptorSchema.parse(descriptor);
+
+	const bucket: WranglerR2Config['r2_buckets'][number] = {
+		binding: parsed.binding,
+		bucket_name: parsed.bucketName
+	};
+
+	if (parsed.previewBucketName) {
+		bucket.preview_bucket_name = parsed.previewBucketName;
+	}
+
+	if (parsed.jurisdiction) {
+		bucket.jurisdiction = parsed.jurisdiction;
+	}
+
+	return {
+		r2_buckets: [bucket]
+	};
+}

package/src/implementations/rum.descriptor.ts

@@ -0,0 +1,35 @@
+/**
+ * Default Cloudflare Web Analytics RUM descriptor — registered at
+ * plugin load so `runtime.assets('infra/rum').descriptors()` surfaces
+ * the production vibes.dev site without each consumer declaring one.
+ *
+ * Site token (`96bb815cb0bc4afc87a793e6f34652b2`) is the existing
+ * vibes.dev site created in the CF dashboard months ago. Public —
+ * embedded in client HTML.
+ */
+
+import type { InfraRumDescriptor } from '@vibesdotdev/infra-core';
+
+const descriptor: InfraRumDescriptor = {
+	kind: 'infra/rum',
+	id: 'cloudflare-web-analytics',
+	name: 'Cloudflare Web Analytics',
+	description: 'CF Web Analytics RUM for vibes.dev (beacon-based page-load + Core Web Vitals)',
+	adapter: 'cloudflare-web-analytics',
+	adapterConfig: {
+		apiTokenEnvVar: 'CLOUDFLARE_API_TOKEN',
+		accountIdEnvVar: 'CLOUDFLARE_ACCOUNT_ID'
+	},
+	environment: 'local',
+	siteToken: '96bb815cb0bc4afc87a793e6f34652b2',
+	hostnames: ['*'],
+	// SSR Workers (every customer-facing surface in this monorepo) need
+	// manual beacon injection — CF auto-injection only fires for origin
+	// / cache responses. The cloudflare-web-analytics SvelteKit hook
+	// covers the runtime side.
+	injection: 'sveltekit-hook',
+	privacy: { excludeEU: false, respectDoNotTrack: true, stripQueryParams: false },
+	enabled: true
+};
+
+export default descriptor;