@vibesdotdev/infra-cloudflare 0.0.1

package/src/implementations/rum.impl.ts

@@ -0,0 +1,192 @@
+/**
+ * Cloudflare Web Analytics RUM Implementation
+ *
+ * Maps the provider-agnostic `infra/rum` kind onto CF Web Analytics:
+ *
+ *   GET    /accounts/:account/rum/site_info/list           list sites
+ *   POST   /accounts/:account/rum/site_info                create site
+ *   PATCH  /accounts/:account/rum/site_info/:siteTag       update site
+ *   DELETE /accounts/:account/rum/site_info/:siteTag       delete
+ *
+ * Credentials route through `resolveAdapterCredential` (vibes secrets
+ * → `secrets/store`); no CF-specific helpers. Token candidates default
+ * to CLOUDFLARE_API_TOKEN (Account → RUM: Edit scope required for write).
+ */
+
+import * as z from 'zod/v4';
+import {
+	resolveAdapterCredential,
+	type InfraRumDescriptor,
+	type RumImplementation,
+	type RumSiteSnapshot
+} from '@vibesdotdev/infra-core';
+
+export const CloudflareRumDescriptorSchema = z.object({
+	kind: z.literal('infra/rum'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	description: z.string().optional(),
+	adapter: z.literal('cloudflare-web-analytics'),
+	adapterConfig: z.record(z.string(), z.unknown()).optional(),
+	environment: z.string().default('local'),
+	siteToken: z.unknown().optional(),
+	hostnames: z.array(z.string()).default([]),
+	injection: z.string().default('sveltekit-hook'),
+	privacy: z.unknown().optional(),
+	enabled: z.boolean().default(true)
+});
+
+export type CloudflareRumDescriptorInput = z.input<typeof CloudflareRumDescriptorSchema>;
+export type CloudflareRumDescriptor = z.infer<typeof CloudflareRumDescriptorSchema>;
+
+interface CfApiBody<T> {
+	success: boolean;
+	result: T;
+	errors?: Array<{ code: number; message: string }>;
+}
+
+interface CfRumSite {
+	site_tag: string;
+	created: string;
+	auto_install?: boolean;
+	rules?: Array<{ host: string; paths?: string[]; is_paused?: boolean; inclusive?: boolean }>;
+	ruleset?: { id?: string; zone_tag?: string };
+	snippet?: string;
+}
+
+function fromCfSite(cf: CfRumSite): RumSiteSnapshot {
+	const hosts = (cf.rules ?? []).map((r) => r.host);
+	const enabled = !(cf.rules ?? []).every((r) => r.is_paused === true);
+	return {
+		siteTag: cf.site_tag,
+		hostnames: hosts,
+		enabled,
+		injection: cf.auto_install ? 'provider-auto' : 'sveltekit-hook',
+		createdAt: cf.created
+	};
+}
+
+class CloudflareRumImplementation implements RumImplementation {
+	readonly id = 'cloudflare-web-analytics';
+	readonly descriptor: CloudflareRumDescriptor;
+	private creds: { accountId: string; apiToken: string } | null = null;
+
+	constructor(descriptor: CloudflareRumDescriptor) {
+		this.descriptor = CloudflareRumDescriptorSchema.parse(descriptor);
+	}
+
+	private async getCreds(): Promise<{ accountId: string; apiToken: string }> {
+		if (this.creds) return this.creds;
+		const env = this.descriptor.environment || 'local';
+		const ac = (this.descriptor.adapterConfig ?? {}) as Record<string, unknown>;
+		const accountKey =
+			typeof ac.accountIdEnvVar === 'string' ? ac.accountIdEnvVar : 'CLOUDFLARE_ACCOUNT_ID';
+		const primaryToken =
+			typeof ac.apiTokenEnvVar === 'string' ? ac.apiTokenEnvVar : 'CLOUDFLARE_API_TOKEN';
+		const accountRes = await resolveAdapterCredential({
+			keyCandidates: [accountKey],
+			environment: env,
+			humanName: 'Cloudflare account id'
+		});
+		const tokenRes = await resolveAdapterCredential({
+			keyCandidates: [primaryToken],
+			environment: env,
+			humanName: 'Cloudflare API token (Account RUM: Edit scope for write ops)'
+		});
+		this.creds = { accountId: accountRes.value, apiToken: tokenRes.value };
+		return this.creds;
+	}
+
+	private async call<T>(path: string, init?: RequestInit): Promise<CfApiBody<T>> {
+		const { apiToken } = await this.getCreds();
+		const res = await fetch(`https://api.cloudflare.com/client/v4${path}`, {
+			...init,
+			headers: {
+				Authorization: `Bearer ${apiToken}`,
+				'Content-Type': 'application/json',
+				...(init?.headers ?? {})
+			}
+		});
+		const text = await res.text();
+		let body: CfApiBody<T>;
+		try {
+			body = JSON.parse(text) as CfApiBody<T>;
+		} catch {
+			throw new Error(
+				`cloudflare-web-analytics: non-JSON response from ${path}: ${text.slice(0, 200)}`
+			);
+		}
+		if (!res.ok || body.success === false) {
+			const errSummary = body.errors?.map((e) => `${e.code}: ${e.message}`).join('; ') ?? text.slice(0, 200);
+			throw new Error(`cloudflare-web-analytics: ${path} → ${res.status} ${errSummary}`);
+		}
+		return body;
+	}
+
+	async listSites(): Promise<RumSiteSnapshot[]> {
+		const { accountId } = await this.getCreds();
+		const body = await this.call<CfRumSite[]>(
+			`/accounts/${accountId}/rum/site_info/list?per_page=50`
+		);
+		return (body.result ?? []).map(fromCfSite);
+	}
+
+	async getSite(siteTag: string): Promise<RumSiteSnapshot | null> {
+		const { accountId } = await this.getCreds();
+		try {
+			const body = await this.call<CfRumSite>(`/accounts/${accountId}/rum/site_info/${siteTag}`);
+			return fromCfSite(body.result);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			if (msg.includes('404') || msg.toLowerCase().includes('not found')) return null;
+			throw err;
+		}
+	}
+
+	async ensureSite(descriptor: InfraRumDescriptor): Promise<{ siteTag: string; created: boolean }> {
+		const { accountId } = await this.getCreds();
+		// If the descriptor already names an explicit siteToken (string),
+		// treat that as the existing siteTag and just return it. CF Web
+		// Analytics rotates tags only on explicit re-creation.
+		const declaredToken =
+			typeof descriptor.siteToken === 'string' ? descriptor.siteToken : undefined;
+		if (declaredToken) {
+			const live = await this.getSite(declaredToken);
+			if (live) return { siteTag: live.siteTag, created: false };
+		}
+
+		// Otherwise look for an existing site matching one of the declared hostnames.
+		const all = await this.listSites();
+		const match = all.find((s) => descriptor.hostnames.some((h) => s.hostnames.includes(h)));
+		if (match) return { siteTag: match.siteTag, created: false };
+
+		// Create a new site.
+		const payload = {
+			host: descriptor.hostnames[0] ?? '*',
+			auto_install: descriptor.injection === 'provider-auto'
+		};
+		const body = await this.call<CfRumSite>(`/accounts/${accountId}/rum/site_info`, {
+			method: 'POST',
+			body: JSON.stringify(payload)
+		});
+		return { siteTag: body.result.site_tag, created: true };
+	}
+
+	async setEnabled(siteTag: string, enabled: boolean): Promise<void> {
+		const { accountId } = await this.getCreds();
+		// CF doesn't expose a single "enabled" toggle — it pauses rules
+		// instead. We touch the first rule per the dashboard pattern.
+		const current = await this.call<CfRumSite>(`/accounts/${accountId}/rum/site_info/${siteTag}`);
+		const rules = (current.result.rules ?? []).map((r) => ({ ...r, is_paused: !enabled }));
+		await this.call<unknown>(`/accounts/${accountId}/rum/site_info/${siteTag}`, {
+			method: 'PATCH',
+			body: JSON.stringify({ rules })
+		});
+	}
+}
+
+export function createCloudflareRumImplementation(
+	input: CloudflareRumDescriptorInput
+): RumImplementation {
+	return new CloudflareRumImplementation(CloudflareRumDescriptorSchema.parse(input));
+}

package/src/implementations/web-app.impl.ts

@@ -0,0 +1,494 @@
+/**
+ * Cloudflare Web App (Workers + Static Assets) Implementation
+ *
+ * Generates the COMPLETE wrangler.jsonc shape for SvelteKit (and other SSR-asset)
+ * apps that deploy as a Cloudflare Worker with a Static Assets binding —
+ * the production target for every web app in this monorepo.
+ *
+ * `createCloudflareWebAppDeployment({ ... })` takes the provider-agnostic
+ * `AppDeployment` plus every Cloudflare-specific config group, and emits a
+ * `WranglerWebAppConfig` covering every wrangler key currently in use across
+ * the repo: `name`, `main`, `compatibility_date`, `compatibility_flags`,
+ * `assets`, `routes`, `placement`, `vars`, `secrets_store_secrets`, `secrets.required`,
+ * `d1_databases`, `r2_buckets`, `services`, `observability`, `triggers`,
+ * `queues`, `durable_objects`, `migrations`, `send_email`, `workers_dev`,
+ * `preview_urls`.
+ *
+ * The output of `generateWranglerConfig()` is the authoritative shape;
+ * `apps/<name>/wrangler.jsonc` is a build artifact written by
+ * `vibes infra deploy regenerate` (the sole supported path) from each app's
+ * `deployment.config.ts`. Drift is caught by the CLI with `--check`.
+ */
+
+import * as z from 'zod/v4';
+import type { AppDeployment } from '@vibesdotdev/infra-core/deployment';
+
+export const CloudflareWebAppDescriptorSchema = z.object({
+	kind: z.literal('infra/web-app'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	adapter: z.literal('cloudflare-workers'),
+	/** Cloudflare Workers script name (e.g., "vibes-ai") */
+	cfWorkerName: z.string().min(1),
+	/** Build output directory consumed by both `main` and `assets.directory` */
+	outputDir: z.string().min(1),
+	/** Path to the `_worker.js` entry point relative to `outputDir` */
+	workerEntry: z.string().min(1).default('_worker.js'),
+	/** Compatibility date for wrangler */
+	compatibilityDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/).optional(),
+	/** Compatibility flags for wrangler */
+	compatibilityFlags: z.array(z.string()).default(['nodejs_compat']),
+	/** Environment variables to include */
+	env: z.record(z.string(), z.string()).default({}),
+	/**
+	 * Account-level Cloudflare Secrets Store ID. When set, secret env vars
+	 * emit as `secrets_store_secrets[]` bindings; otherwise the generator
+	 * falls back to `secrets.required[]` for deploy-time validation.
+	 */
+	secretsStoreId: z.string().min(1).optional()
+});
+
+export type CloudflareWebAppDescriptor = z.infer<typeof CloudflareWebAppDescriptorSchema>;
+export type CloudflareWebAppDescriptorInput = z.input<typeof CloudflareWebAppDescriptorSchema>;
+
+export interface WranglerSecretsStoreBinding {
+	binding: string;
+	store_id: string;
+	secret_name: string;
+}
+
+export interface WranglerWebAppRoute {
+	pattern: string;
+	custom_domain?: boolean;
+}
+
+export interface WranglerWebAppAssets {
+	directory: string;
+	binding?: string;
+	not_found_handling?: 'none' | 'single-page-application' | '404-page';
+	run_worker_first?: boolean | string[];
+}
+
+export interface WranglerD1Database {
+	binding: string;
+	database_name: string;
+	database_id?: string;
+	migrations_dir?: string;
+}
+
+export interface WranglerR2Bucket {
+	binding: string;
+	bucket_name: string;
+}
+
+export interface WranglerServiceBinding {
+	binding: string;
+	service: string;
+	entrypoint?: string;
+}
+
+export interface WranglerObservability {
+	enabled: boolean;
+	head_sampling_rate?: number;
+}
+
+export interface WranglerAiBinding {
+	binding: string;
+	staging?: boolean;
+	remote?: boolean;
+}
+
+export interface WranglerPlacement {
+	mode: 'smart';
+}
+
+export interface WranglerTriggers {
+	crons: string[];
+}
+
+export interface WranglerQueueProducer {
+	queue: string;
+	binding: string;
+}
+
+export interface WranglerQueueConsumer {
+	queue: string;
+	max_batch_size?: number;
+	max_batch_timeout?: number;
+	max_retries?: number;
+	dead_letter_queue?: string;
+}
+
+export interface WranglerQueues {
+	producers?: WranglerQueueProducer[];
+	consumers?: WranglerQueueConsumer[];
+}
+
+export interface WranglerDurableObjectBinding {
+	name: string;
+	class_name: string;
+	script_name?: string;
+	environment?: string;
+}
+
+export interface WranglerDurableObjects {
+	bindings: WranglerDurableObjectBinding[];
+}
+
+export interface WranglerMigration {
+	tag: string;
+	new_classes?: string[];
+	new_sqlite_classes?: string[];
+	deleted_classes?: string[];
+	renamed_classes?: Array<{ from: string; to: string }>;
+	transferred_classes?: Array<{ from: string; from_script: string; to: string }>;
+}
+
+export interface WranglerSendEmailBinding {
+	name: string;
+	destination_address?: string;
+	allowed_destination_addresses?: string[];
+}
+
+export interface WranglerAnalyticsEngineBinding {
+	binding: string;
+	dataset: string;
+}
+
+export interface WranglerWebAppConfig {
+	$schema?: string;
+	name: string;
+	/** Worker entry. Omitted only for `staticAssetsOnly` configs (e.g. apps/docs). */
+	main?: string;
+	compatibility_date: string;
+	compatibility_flags: string[];
+	workers_dev?: boolean;
+	preview_urls?: boolean;
+	upload_source_maps?: boolean;
+	observability?: WranglerObservability;
+	placement?: WranglerPlacement;
+	/** Always present: every CF Worker in this repo binds static assets. */
+	assets: WranglerWebAppAssets;
+	routes?: WranglerWebAppRoute[];
+	vars?: Record<string, string>;
+	secrets_store_secrets?: WranglerSecretsStoreBinding[];
+	secrets?: { required: string[] };
+	d1_databases?: WranglerD1Database[];
+	kv_namespaces?: Array<{
+		binding: string;
+		id: string;
+		preview_id?: string;
+	}>;
+	r2_buckets?: WranglerR2Bucket[];
+	services?: WranglerServiceBinding[];
+	ai?: WranglerAiBinding;
+	triggers?: WranglerTriggers;
+	queues?: WranglerQueues;
+	durable_objects?: WranglerDurableObjects;
+	migrations?: WranglerMigration[];
+	send_email?: WranglerSendEmailBinding[];
+	analytics_engine_datasets?: WranglerAnalyticsEngineBinding[];
+	/** esbuild/wrangler bundler rules (e.g. to treat leaked .svelte icon files from @lucide/svelte as text). */
+	rules?: Array<{
+		type: string;
+		globs: string[];
+		fallthrough?: boolean;
+	}>;
+}
+
+/**
+ * Shared Workers Analytics Engine dataset used for per-org bandwidth
+ * attribution. Bound automatically into every customer-facing Worker so
+ * the `billing.bandwidth-sampler` job has a uniform write target. Apps
+ * that need to opt out can pass `analyticsEngineDatasets: []`.
+ */
+export const SHARED_BANDWIDTH_TELEMETRY_DATASET: WranglerAnalyticsEngineBinding = {
+	binding: 'BANDWIDTH_TELEMETRY',
+	dataset: 'bandwidth_egress'
+};
+
+/**
+ * Provider-agnostic cloudflare-side configuration for `createCloudflareWebAppDeployment`.
+ * Every field is optional; the generator emits only what the app declares so
+ * existing apps that don't (e.g.) bind R2 don't get an empty `r2_buckets: []`
+ * key in their wrangler.jsonc.
+ */
+export interface CloudflareWebAppOptions {
+	workerName: string;
+	deployment: AppDeployment;
+	compatibilityDate?: string;
+	compatibilityFlags?: string[];
+	/** When set, secret env vars are emitted as `secrets_store_secrets[]`. */
+	secretsStoreId?: string;
+	/** `_worker.js`-relative path inside outputDir; defaults to `_worker.js`. */
+	workerEntry?: string;
+	/** Override `assets.binding`; defaults to `ASSETS`. */
+	assetsBinding?: string;
+	/** Override `assets.not_found_handling`; defaults to `'none'`. */
+	assetsNotFoundHandling?: 'none' | 'single-page-application' | '404-page';
+	/** Override `assets.run_worker_first`; defaults to `true` for SSR adapters. */
+	assetsRunWorkerFirst?: boolean | string[];
+	/** Omit `main` and emit a static-assets-only Worker (used for `apps/docs`). */
+	staticAssetsOnly?: boolean;
+	/** `workers_dev` flag — defaults to omitted (CF default behavior). */
+	workersDev?: boolean;
+	/** `preview_urls` flag — defaults to omitted (CF default behavior). */
+	previewUrls?: boolean;
+	/** Observability config; pass `{ enabled: true }` to emit `observability: { enabled: true }`. */
+	observability?: WranglerObservability;
+	/** Placement config; use `{ mode: 'smart' }` for Cloudflare Smart Placement. */
+	placement?: WranglerPlacement;
+	/** Convenience flag for `placement: { mode: 'smart' }`. */
+	smartPlacement?: boolean;
+	/** D1 database bindings. */
+	d1Databases?: WranglerD1Database[];
+	/** KV namespace bindings. */
+	kvNamespaces?: Array<{
+		binding: string;
+		id: string;
+		preview_id?: string;
+	}>;
+	/** R2 bucket bindings. */
+	r2Buckets?: WranglerR2Bucket[];
+	/** Worker-to-Worker Service Bindings (e.g. `AUTH_SERVICE` → `vibes-auth`). */
+	services?: WranglerServiceBinding[];
+	/** Cloudflare Workers AI binding. */
+	ai?: WranglerAiBinding;
+	/** `triggers.crons` cron expressions. */
+	crons?: string[];
+	/** CF Queue producer bindings. */
+	queueProducers?: WranglerQueueProducer[];
+	/** CF Queue consumer configs (declared on the consuming Worker). */
+	queueConsumers?: WranglerQueueConsumer[];
+	/** Durable Object class bindings. */
+	durableObjects?: WranglerDurableObjectBinding[];
+	/** DO migration tags (required when declaring `durableObjects`). */
+	migrations?: WranglerMigration[];
+	/** `send_email[]` bindings for the Cloudflare Email Workers API. */
+	sendEmail?: WranglerSendEmailBinding[];
+	/**
+	 * Workers Analytics Engine dataset bindings. Used for per-org bandwidth
+	 * attribution by `@vibesdotdev/cloudflare-bandwidth-telemetry` (see
+	 * `billing.bandwidth-sampler`). All customer-facing Workers in this
+	 * monorepo share the same `bandwidth_egress` dataset.
+	 */
+	analyticsEngineDatasets?: WranglerAnalyticsEngineBinding[];
+	/**
+	 * When `true` (default), this deployment is managed by the Vibes infra system
+	 * and wrangler.jsonc should be regenerated from the deployment config.
+	 * Set to `false` to opt out of automatic wrangler.jsonc regeneration.
+	 */
+	managed?: boolean;
+	/**
+	 * When `true`, run `wrangler d1 migrations apply` for each declared D1 database
+	 * with a `migrations_dir` before deploying the Worker. Defaults to `false`.
+	 */
+	autoMigrateD1?: boolean;
+	/**
+	 * When `true`, upload source maps alongside the Worker for better production
+	 * stack traces. Defaults to `true` for all managed deployments.
+	 */
+	uploadSourceMaps?: boolean;
+	/** Additional wrangler/esbuild rules (e.g. to treat third-party .svelte icon files as text so wrangler bundling doesn't fail). */
+	rules?: Array<{ type: string; globs: string[]; fallthrough?: boolean }>;
+}
+
+export interface CloudflareWebAppDeployment {
+	workerName: string;
+	deployment: AppDeployment;
+	compatibilityDate: string;
+	/**
+	 * When `true`, this deployment is managed by the Vibes infra system
+	 * and wrangler.jsonc should be regenerated from the deployment config.
+	 * Defaults to `true` for all Cloudflare web app deployments.
+	 */
+	managed: boolean;
+	/**
+	 * When `true`, run D1 migrations before deploying the Worker.
+	 */
+	autoMigrateD1: boolean;
+	generateWranglerConfig(): WranglerWebAppConfig;
+}
+
+/**
+ * Create a Cloudflare Workers + Static Assets deployment wrapper.
+ */
+export function createCloudflareWebAppDeployment(
+	options: CloudflareWebAppOptions
+): CloudflareWebAppDeployment {
+	const {
+		workerName,
+		deployment,
+		compatibilityDate,
+		compatibilityFlags = ['nodejs_compat'],
+		secretsStoreId,
+		workerEntry = '_worker.js',
+		assetsBinding = 'ASSETS',
+		assetsNotFoundHandling = 'none',
+		assetsRunWorkerFirst = true,
+		staticAssetsOnly = false,
+		workersDev,
+		previewUrls,
+		observability,
+		placement,
+		smartPlacement,
+		d1Databases,
+		kvNamespaces,
+		r2Buckets,
+		services,
+		ai,
+		crons,
+		queueProducers,
+		queueConsumers,
+		durableObjects,
+		migrations,
+		sendEmail,
+		analyticsEngineDatasets,
+		managed = true,
+		autoMigrateD1 = false,
+		uploadSourceMaps = true,
+		rules
+	} = options;
+
+	if (kvNamespaces?.length) (deployment as Record<string, unknown>).kvNamespaces = kvNamespaces;
+	const compatDate = compatibilityDate ?? new Date().toISOString().slice(0, 10);
+
+	return {
+		workerName,
+		deployment,
+		compatibilityDate: compatDate,
+		managed,
+		autoMigrateD1,
+
+		generateWranglerConfig(): WranglerWebAppConfig {
+			// wrangler.jsonc paths are resolved relative to the directory wrangler
+			// runs from. CI / infra-deploy both invoke `wrangler deploy --cwd <appDir>`,
+			// so the assets directory and `main` must be APP-relative even though
+			// `deployment.build.outputDir` is workspace-relative (that form is used
+			// by the build command and other consumers).
+			const rawOutputDir = deployment.build.outputDir.replace(/\/$/, '');
+			const appDir = deployment.build.appDir.replace(/\/$/, '');
+			const outputDir = rawOutputDir.startsWith(`${appDir}/`)
+				? rawOutputDir.slice(appDir.length + 1)
+				: rawOutputDir;
+			const assets: WranglerWebAppAssets = staticAssetsOnly
+				? {
+					directory: outputDir,
+					not_found_handling: assetsNotFoundHandling
+				}
+				: {
+					directory: outputDir,
+					binding: assetsBinding,
+					not_found_handling: assetsNotFoundHandling,
+					run_worker_first: assetsRunWorkerFirst
+				};
+
+			const config: WranglerWebAppConfig = {
+				$schema: 'node_modules/wrangler/config-schema.json',
+				name: workerName,
+				compatibility_date: compatDate,
+				compatibility_flags: compatibilityFlags,
+				assets
+			};
+
+			if (!staticAssetsOnly) {
+				config.main = `${outputDir}/${workerEntry}`;
+			}
+
+			if (workersDev !== undefined) config.workers_dev = workersDev;
+			if (previewUrls !== undefined) config.preview_urls = previewUrls;
+			if (uploadSourceMaps) config.upload_source_maps = true;
+			if (observability) config.observability = observability;
+			if (placement) config.placement = placement;
+			else if (smartPlacement) config.placement = { mode: 'smart' };
+
+			const primaryRoutes = deployment.origins
+				.filter((o) => o.kind === 'primary')
+				.map((o) => ({ pattern: o.hostname, custom_domain: true }));
+			if (primaryRoutes.length > 0) {
+				config.routes = primaryRoutes;
+			}
+
+			const plainEnvVars: Record<string, string> = {};
+			for (const envVar of deployment.env) {
+				if (!envVar.secret && envVar.value !== undefined) {
+					plainEnvVars[envVar.name] = envVar.value;
+				}
+			}
+			if (Object.keys(plainEnvVars).length > 0) {
+				config.vars = plainEnvVars;
+			}
+
+			const secretEnvVars = deployment.env
+				.filter((envVar) => envVar.secret)
+				.sort((a, b) => a.name.localeCompare(b.name));
+
+			if (secretEnvVars.length > 0) {
+				if (secretsStoreId) {
+					config.secrets_store_secrets = secretEnvVars
+						.map((envVar) => ({
+							binding: envVar.name,
+							store_id: secretsStoreId,
+							secret_name: envVar.storeKey ?? envVar.name
+						}));
+				} else {
+					config.secrets = {
+						required: secretEnvVars
+							.filter((envVar) => envVar.required !== false)
+							.map((envVar) => envVar.name)
+					};
+				}
+			}
+
+			if (d1Databases?.length) config.d1_databases = d1Databases;
+			if (kvNamespaces?.length) config.kv_namespaces = kvNamespaces;
+			if (r2Buckets?.length) config.r2_buckets = r2Buckets;
+			if (services?.length) config.services = services;
+			if (ai) config.ai = ai;
+			if (crons?.length) config.triggers = { crons };
+			if (queueProducers?.length || queueConsumers?.length) {
+				config.queues = {};
+				if (queueProducers?.length) config.queues.producers = queueProducers;
+				if (queueConsumers?.length) config.queues.consumers = queueConsumers;
+			}
+			if (durableObjects?.length) {
+				config.durable_objects = { bindings: durableObjects };
+			}
+			if (migrations?.length) config.migrations = migrations;
+			if (sendEmail?.length) config.send_email = sendEmail;
+			// WAE binding default: every customer-facing Worker gets
+			// BANDWIDTH_TELEMETRY → bandwidth_egress so the
+			// billing.bandwidth-sampler aggregator can attribute bytes per
+			// org. Opt out by passing `analyticsEngineDatasets: []`.
+			const resolvedAnalyticsBindings =
+				analyticsEngineDatasets ?? [SHARED_BANDWIDTH_TELEMETRY_DATASET];
+			if (resolvedAnalyticsBindings.length > 0) {
+				config.analytics_engine_datasets = resolvedAnalyticsBindings;
+			}
+			if (rules?.length) (config as any).rules = rules;
+
+			return config;
+		}
+	};
+}
+
+/**
+ * Generate a Workers Static Assets descriptor from an existing AppDeployment.
+ */
+export function generateCloudflareWebAppDescriptor(
+	deployment: AppDeployment,
+	cfWorkerName: string
+): CloudflareWebAppDescriptor {
+	return CloudflareWebAppDescriptorSchema.parse({
+		kind: 'infra/web-app',
+		id: deployment.appId,
+		name: deployment.appName,
+		adapter: 'cloudflare-workers',
+		cfWorkerName,
+		outputDir: deployment.build.outputDir,
+		env: deployment.env.reduce((acc, e) => {
+			if (e.value) acc[e.name] = e.value;
+			return acc;
+		}, {} as Record<string, string>)
+	});
+}