@vibesdotdev/infra-cloudflare 0.0.1

package/src/implementations/workers.impl.ts

@@ -0,0 +1,336 @@
+/**
+ * Cloudflare Workers Implementation
+ *
+ * Config generator for `infra/worker` kind when adapter is `cloudflare-workers`.
+ * Takes an infra descriptor and outputs a wrangler config for a CF Worker
+ * that consumes from CF Queues.
+ */
+
+import * as z from 'zod/v4';
+
+const QueueConsumerSchema = z.object({
+	queue: z.string().min(1),
+	maxBatchSize: z.number().int().positive().default(10),
+	maxRetries: z.number().int().min(0).default(3),
+	deadLetterQueue: z.string().optional()
+});
+
+export const CloudflareWorkerDescriptorSchema = z.object({
+	kind: z.literal('infra/worker'),
+	id: z.string().min(1),
+	name: z.string().min(1),
+	adapter: z.literal('cloudflare-workers'),
+	/** Wrangler worker name (e.g. "vibes-billing-worker") */
+	workerName: z.string().min(1),
+	/** Entry point for the worker */
+	main: z.string().min(1).default('src/worker.ts'),
+	compatibilityDate: z
+		.string()
+		.regex(/^\d{4}-\d{2}-\d{2}$/)
+		.optional(),
+	compatibilityFlags: z.array(z.string()).default(['nodejs_compat']),
+	/** Environment variables */
+	vars: z.record(z.string(), z.string()).default({}),
+	/** Queue consumers this worker processes */
+	consumers: z.array(QueueConsumerSchema).default([]),
+	/** KV namespace bindings */
+	kvNamespaces: z
+		.array(
+			z.object({
+				binding: z.string().min(1),
+				id: z.string().min(1)
+			})
+		)
+		.default([]),
+	/** R2 bucket bindings */
+	r2Buckets: z
+		.array(
+			z.object({
+				binding: z.string().min(1),
+				bucketName: z.string().min(1)
+			})
+		)
+		.default([]),
+	/** Queue producer bindings (worker can also produce to queues) */
+	queueProducers: z
+		.array(
+			z.object({
+				queue: z.string().min(1),
+				binding: z.string().min(1)
+			})
+		)
+		.default([]),
+	/** Durable Object class bindings */
+	durableObjects: z
+		.array(
+			z.object({
+				binding: z.string().regex(/^[_A-Z0-9]+$/),
+				className: z.string().min(1),
+				/** Cross-script DO bindings; omit when the DO class is in this same worker */
+				scriptName: z.string().min(1).optional()
+			})
+		)
+		.default([]),
+	/**
+	 * Durable Object migrations. Each entry corresponds to one
+	 * `[[migrations]]` block in wrangler.toml. The first deploy of any new
+	 * DO class needs `newClasses: ['ClassName']` under a fresh tag; later
+	 * renames/deletes append further migration entries.
+	 */
+	migrations: z
+		.array(
+			z.object({
+				tag: z.string().min(1),
+				newClasses: z.array(z.string().min(1)).optional(),
+				renamedClasses: z
+					.array(z.object({ from: z.string().min(1), to: z.string().min(1) }))
+					.optional(),
+				deletedClasses: z.array(z.string().min(1)).optional(),
+				newSqliteClasses: z.array(z.string().min(1)).optional()
+			})
+		)
+		.default([]),
+	/**
+	 * Service bindings — call other Workers by name from this Worker via
+	 * `env.<binding>.fetch(...)`.
+	 */
+	services: z
+		.array(
+			z.object({
+				binding: z.string().regex(/^[_A-Z0-9]+$/),
+				service: z.string().min(1),
+				environment: z.string().min(1).optional()
+			})
+		)
+		.default([]),
+	/**
+	 * D1 database bindings — `env.<binding>` exposes a D1 client.
+	 */
+	d1Databases: z
+		.array(
+			z.object({
+				binding: z.string().regex(/^[_A-Z0-9]+$/),
+				databaseName: z.string().min(1),
+				databaseId: z.string().min(1)
+			})
+		)
+		.default([]),
+	/** Enable smart placement */
+	smartPlacement: z.boolean().default(false)
+});
+
+export type CloudflareWorkerDescriptorInput = z.input<typeof CloudflareWorkerDescriptorSchema>;
+export type CloudflareWorkerDescriptor = z.infer<typeof CloudflareWorkerDescriptorSchema>;
+
+export interface WranglerWorkerConfig {
+	$schema?: string;
+	name: string;
+	main: string;
+	compatibility_date: string;
+	compatibility_flags: string[];
+	vars?: Record<string, string>;
+	placement?: { mode: string };
+	queues?: {
+		consumers?: Array<{
+			queue: string;
+			max_batch_size: number;
+			max_retries: number;
+			dead_letter_queue?: string;
+		}>;
+		producers?: Array<{ queue: string; binding: string }>;
+	};
+	kv_namespaces?: Array<{ binding: string; id: string }>;
+	r2_buckets?: Array<{ binding: string; bucket_name: string }>;
+	durable_objects?: {
+		bindings: Array<{ name: string; class_name: string; script_name?: string }>;
+	};
+	migrations?: Array<{
+		tag: string;
+		new_classes?: string[];
+		renamed_classes?: Array<{ from: string; to: string }>;
+		deleted_classes?: string[];
+		new_sqlite_classes?: string[];
+	}>;
+	services?: Array<{ binding: string; service: string; environment?: string }>;
+	d1_databases?: Array<{ binding: string; database_name: string; database_id: string }>;
+}
+
+/**
+ * Generate a wrangler config from a Workers descriptor.
+ */
+export function generateCloudflareWorkerConfig(
+	descriptor: CloudflareWorkerDescriptor
+): WranglerWorkerConfig {
+	const parsed = CloudflareWorkerDescriptorSchema.parse(descriptor);
+	const compatibilityDate = parsed.compatibilityDate ?? new Date().toISOString().slice(0, 10);
+
+	const config: WranglerWorkerConfig = {
+		$schema: 'node_modules/wrangler/config-schema.json',
+		name: parsed.workerName,
+		main: parsed.main,
+		compatibility_date: compatibilityDate,
+		compatibility_flags: parsed.compatibilityFlags
+	};
+
+	if (Object.keys(parsed.vars).length > 0) {
+		config.vars = parsed.vars;
+	}
+
+	if (parsed.smartPlacement) {
+		config.placement = { mode: 'smart' };
+	}
+
+	const queues: WranglerWorkerConfig['queues'] = {};
+
+	if (parsed.consumers.length > 0) {
+		queues.consumers = parsed.consumers.map((c) => {
+			const consumer: {
+				queue: string;
+				max_batch_size: number;
+				max_retries: number;
+				dead_letter_queue?: string;
+			} = {
+				queue: c.queue,
+				max_batch_size: c.maxBatchSize,
+				max_retries: c.maxRetries
+			};
+			if (c.deadLetterQueue) {
+				consumer.dead_letter_queue = c.deadLetterQueue;
+			}
+			return consumer;
+		});
+	}
+
+	if (parsed.queueProducers.length > 0) {
+		queues.producers = parsed.queueProducers.map((p) => ({
+			queue: p.queue,
+			binding: p.binding
+		}));
+	}
+
+	if (queues.consumers || queues.producers) {
+		config.queues = queues;
+	}
+
+	if (parsed.kvNamespaces.length > 0) {
+		config.kv_namespaces = parsed.kvNamespaces.map((ns) => ({
+			binding: ns.binding,
+			id: ns.id
+		}));
+	}
+
+	if (parsed.r2Buckets.length > 0) {
+		config.r2_buckets = parsed.r2Buckets.map((bucket) => ({
+			binding: bucket.binding,
+			bucket_name: bucket.bucketName
+		}));
+	}
+
+	if (parsed.durableObjects.length > 0) {
+		config.durable_objects = {
+			bindings: parsed.durableObjects.map((binding) => {
+				const out: { name: string; class_name: string; script_name?: string } = {
+					name: binding.binding,
+					class_name: binding.className
+				};
+				if (binding.scriptName) out.script_name = binding.scriptName;
+				return out;
+			})
+		};
+	}
+
+	if (parsed.migrations.length > 0) {
+		config.migrations = parsed.migrations.map((migration) => {
+			const out: {
+				tag: string;
+				new_classes?: string[];
+				renamed_classes?: Array<{ from: string; to: string }>;
+				deleted_classes?: string[];
+				new_sqlite_classes?: string[];
+			} = { tag: migration.tag };
+			if (migration.newClasses?.length) out.new_classes = migration.newClasses;
+			if (migration.renamedClasses?.length) out.renamed_classes = migration.renamedClasses;
+			if (migration.deletedClasses?.length) out.deleted_classes = migration.deletedClasses;
+			if (migration.newSqliteClasses?.length) out.new_sqlite_classes = migration.newSqliteClasses;
+			return out;
+		});
+	}
+
+	if (parsed.services.length > 0) {
+		config.services = parsed.services.map((service) => {
+			const out: { binding: string; service: string; environment?: string } = {
+				binding: service.binding,
+				service: service.service
+			};
+			if (service.environment) out.environment = service.environment;
+			return out;
+		});
+	}
+
+	if (parsed.d1Databases.length > 0) {
+		config.d1_databases = parsed.d1Databases.map((db) => ({
+			binding: db.binding,
+			database_name: db.databaseName,
+			database_id: db.databaseId
+		}));
+	}
+
+	return config;
+}
+
+/**
+ * Convention defaults for cloud Flow job consumers.
+ *
+ * The `workers` runtime cloud impl rendezvous protocol expects a Durable
+ * Object class named `JobResultStore` exported from the consumer worker
+ * and exposed under the binding `JOB_RESULT_STORE`. Apps shouldn't
+ * re-derive this every time — call `generateJobConsumerWorkerConfig`
+ * and the convention is filled in.
+ */
+export const JOB_RESULT_STORE_BINDING = 'JOB_RESULT_STORE';
+export const JOB_RESULT_STORE_CLASS = 'JobResultStore';
+export const JOB_RESULT_STORE_INITIAL_MIGRATION_TAG = 'v1-job-result-store';
+
+export type JobConsumerWorkerInput = Omit<
+	CloudflareWorkerDescriptorInput,
+	'durableObjects' | 'migrations'
+> & {
+	/** Extra DO bindings beyond the JOB_RESULT_STORE convention. */
+	extraDurableObjects?: NonNullable<CloudflareWorkerDescriptorInput['durableObjects']>;
+	/** Extra migrations appended after the JobResultStore registration. */
+	extraMigrations?: NonNullable<CloudflareWorkerDescriptorInput['migrations']>;
+};
+
+/** Re-exported convention bindings for use in tests + descriptor declarations. */
+
+/**
+ * Generate a wrangler config for a worker that consumes cloud Flow jobs.
+ *
+ * Injects the `JOB_RESULT_STORE` → `JobResultStore` DO binding and the
+ * initial migration that registers `JobResultStore` as a SQLite-backed
+ * Durable Object (the modern default — required for new DO classes on
+ * accounts created after 2024-04-01). Callers may add extra DO bindings
+ * and migrations via `extraDurableObjects` / `extraMigrations`.
+ */
+export function generateJobConsumerWorkerConfig(
+	input: JobConsumerWorkerInput
+): WranglerWorkerConfig {
+	const { extraDurableObjects = [], extraMigrations = [], ...rest } = input;
+	return generateCloudflareWorkerConfig({
+		...rest,
+		durableObjects: [
+			{
+				binding: JOB_RESULT_STORE_BINDING,
+				className: JOB_RESULT_STORE_CLASS
+			},
+			...extraDurableObjects
+		],
+		migrations: [
+			{
+				tag: JOB_RESULT_STORE_INITIAL_MIGRATION_TAG,
+				newSqliteClasses: [JOB_RESULT_STORE_CLASS]
+			},
+			...extraMigrations
+		]
+	} as CloudflareWorkerDescriptor);
+}

package/src/index.ts

@@ -0,0 +1,60 @@
+export {
+	CloudflareWorkerDescriptorSchema,
+	generateCloudflareWorkerConfig,
+	JOB_RESULT_STORE_BINDING,
+	JOB_RESULT_STORE_CLASS,
+	JOB_RESULT_STORE_INITIAL_MIGRATION_TAG,
+	generateJobConsumerWorkerConfig
+} from './implementations/workers.impl';
+export type {
+	CloudflareWorkerDescriptorInput,
+	CloudflareWorkerDescriptor,
+	WranglerWorkerConfig,
+	JobConsumerWorkerInput
+} from './implementations/workers.impl';
+export {
+	CloudflareLogsDescriptorSchema,
+	createCloudflareLogsImplementation,
+	type CloudflareLogsDescriptorInput,
+	type CloudflareLogsDescriptor,
+	type LogsImplementation
+} from './implementations/logs.impl';
+export {
+	CloudflareQueueDescriptorSchema,
+	generateCloudflareQueueConfig
+} from './implementations/queues.impl';
+export type { CloudflareQueueDescriptor, WranglerQueueProducerConfig } from './implementations/queues.impl';
+export {
+	CloudflareR2DescriptorSchema,
+	generateCloudflareR2Config
+} from './implementations/r2.impl';
+export type { CloudflareR2Descriptor, WranglerR2Config } from './implementations/r2.impl';
+export {
+	CloudflareKVDescriptorSchema,
+	generateCloudflareKVConfig
+} from './implementations/kv.impl';
+export type { CloudflareKVDescriptor, WranglerKVConfig } from './implementations/kv.impl';
+export {
+	CloudflarePagesDescriptorSchema,
+	createCloudflarePagesDeployment,
+	renderWranglerJson,
+	generateCloudflarePagesDescriptor
+} from './implementations/pages.impl';
+export type {
+	CloudflarePagesDescriptor,
+	CloudflarePagesDescriptorInput,
+	CloudflarePagesDeployment,
+	WranglerSecretsStoreBinding,
+	WranglerPagesConfig
+} from './implementations/pages.impl';
+export {
+	cloudflareApiDescriptor,
+	createCloudflareApiStore
+} from './secrets/index.ts';
+export { cloudflareApiDescriptor as cloudflareApiDescriptorDefault } from './secrets/index.ts';
+export {
+	cloudflareSecretsStoreDescriptor,
+	createCloudflareSecretsStore
+} from './secrets/index.ts';
+export { cloudflareSecretsStoreDescriptor as cloudflareSecretsStoreDescriptorDefault } from './secrets/index.ts';
+export { default as cloudflarePlugin } from './cloudflare.plugin';

package/src/pages.ts

@@ -0,0 +1,18 @@
+/**
+ * Cloudflare Pages Deployment Module
+ *
+ * Public entrypoint for Cloudflare Pages deployment helpers.
+ * Re-exports the Pages implementation for creating wrangler configs
+ * and rendering deployment artifacts.
+ */
+
+export {
+	createCloudflarePagesDeployment,
+	renderWranglerJson,
+	generateCloudflarePagesDescriptor,
+	CloudflarePagesDescriptorSchema,
+	type CloudflarePagesDeployment,
+	type CloudflarePagesDescriptor,
+	type CloudflarePagesDescriptorInput,
+	type WranglerPagesConfig
+} from './implementations/pages.impl';

package/src/regen.ts

@@ -0,0 +1,87 @@
+/**
+ * Cloudflare wrangler.jsonc regeneration.
+ *
+ * Pure render layer for the deploy-pipeline regen check. Given a
+ * `CloudflareWebAppDeployment` (the default export of a managed
+ * `apps/<name>/deployment.config.ts`), produces the canonical
+ * wrangler.jsonc string.
+ *
+ * The render is intentionally separate from filesystem I/O — the
+ * `@vibesdotdev/infra-deploy` orchestrator owns reading the on-disk
+ * wrangler.jsonc, diffing, and writing. This module's only job is
+ * to turn typed config → canonical JSONC string.
+ *
+ * Subprocess use: this module is dynamically imported from inside
+ * the `infra-deploy/config-loader` subprocess so the rendered string
+ * can be returned to the orchestrator without requiring infra-deploy
+ * to take a static dep on infra-cloudflare.
+ */
+
+import type { CloudflareWebAppDeployment } from './implementations/web-app.impl';
+import { renderWranglerJson } from './implementations/pages.impl';
+
+/**
+ * Canonical header for Workers + Static Assets wrangler.jsonc.
+ * Includes the "(Workers + assets shape, per deployment.config.ts)"
+ * qualifier to distinguish it from Pages output.
+ */
+export const WEB_APP_HEADER_LINES = [
+	'Generated by @vibesdotdev/infra-cloudflare (Workers + assets shape, per deployment.config.ts)',
+	'https://developers.cloudflare.com/workers/wrangler/configuration/'
+];
+
+export interface WranglerRenderResult {
+	/** True iff the deployment opted in via `managed: true`. */
+	managed: boolean;
+	/**
+	 * Canonical wrangler.jsonc string. Null when the source isn't a
+	 * managed Cloudflare web-app deployment (regen skipped).
+	 */
+	rendered: string | null;
+	/** Workers script name, for logging. */
+	workerName: string | null;
+}
+
+/**
+ * Structural type guard for the wrapper. Avoids importing classes —
+ * any object with `generateWranglerConfig`, `workerName`, and `managed`
+ * is treated as a `CloudflareWebAppDeployment`. The cost of a false
+ * positive is a render attempt that throws, which the caller catches.
+ */
+export function isCloudflareWebAppDeployment(x: unknown): x is CloudflareWebAppDeployment {
+	if (!x || typeof x !== 'object') return false;
+	const obj = x as Record<string, unknown>;
+	return (
+		typeof obj.generateWranglerConfig === 'function' &&
+		typeof obj.workerName === 'string' &&
+		typeof obj.managed === 'boolean'
+	);
+}
+
+/**
+ * Render the canonical wrangler.jsonc string for a managed web-app
+ * deployment. Always uses `WEB_APP_HEADER_LINES`; rendered output is
+ * tab-indented JSON with a trailing newline.
+ */
+export function renderManagedWranglerJsonc(webAppDeployment: CloudflareWebAppDeployment): string {
+	const config = webAppDeployment.generateWranglerConfig() as unknown as Record<string, unknown>;
+	return renderWranglerJson(config, { headerLines: WEB_APP_HEADER_LINES });
+}
+
+/**
+ * Inspect the default export of a `deployment.config.ts` module and
+ * — when it's a managed Cloudflare web-app — return the rendered
+ * wrangler.jsonc string. Designed to be called from a subprocess
+ * loader; never throws on a non-managed export, just returns
+ * `{ managed: false, rendered: null, workerName: null }`.
+ */
+export function renderWranglerJsoncFromDefaultExport(raw: unknown): WranglerRenderResult {
+	if (!isCloudflareWebAppDeployment(raw)) {
+		return { managed: false, rendered: null, workerName: null };
+	}
+	return {
+		managed: raw.managed,
+		rendered: raw.managed ? renderManagedWranglerJsonc(raw) : null,
+		workerName: raw.workerName
+	};
+}

package/src/secrets/cloudflare-api.descriptor.ts

@@ -0,0 +1,35 @@
+/**
+ * Cloudflare API Backend Descriptor
+ *
+ * Pushes secrets to Cloudflare Pages/Workers via the REST API.
+ * Write-only: CF does not expose secret values after setting.
+ */
+
+import type { SecretsStoreDescriptor } from '@vibesdotdev/secrets/kinds/store.schema';
+
+/**
+ * Cloudflare API secrets backend descriptor.
+ *
+ * @remarks
+ * Project names can be provided via descriptor.config.cfProjectNames.
+ * If not provided, the implementation will attempt to derive them from
+ * runtime-resolved infra/web-app descriptors (requires runtime context).
+ */
+const descriptor: SecretsStoreDescriptor = {
+	id: 'cloudflare-api',
+	kind: 'secrets/store',
+	name: 'Cloudflare API',
+	description: 'Push secrets to Cloudflare Pages and Workers via REST API',
+	tags: ['remote', 'cloudflare'],
+	enabled: true,
+	backend: 'cloudflare-api',
+	tiers: ['staging', 'production'],
+	priority: 20,
+	config: {
+		apiTokenEnvVar: 'CLOUDFLARE_API_TOKEN',
+		accountIdEnvVar: 'CLOUDFLARE_ACCOUNT_ID'
+		// cfProjectNames: optional string[] - omitted to allow runtime resolution
+	}
+};
+
+export default descriptor;

package/src/secrets/cloudflare-api.impl.ts

@@ -0,0 +1,131 @@
+/**
+ * Cloudflare API Backend Implementation
+ *
+ * Manages secrets across CF Pages projects and Workers scripts.
+ * Maps infra/web-app descriptors to CF project names for push operations.
+ *
+ * Note: CF secrets are write-only. get() and getAll() return empty results.
+ */
+
+import { createRuntimeImplementation } from '@vibesdotdev/runtime/factory/implementation';
+import type { SecretsStoreDescriptor } from '@vibesdotdev/secrets/kinds/store.schema';
+import type { SecretsStoreImplementation, SecretEntry } from '@vibesdotdev/secrets/kinds/store.interface';
+import { CloudflareSecretsManagerConnector } from '@vibesdotdev/connector-cloudflare';
+import descriptor from './cloudflare-api.descriptor';
+import { resolveCfCredentialKeys } from './resolve-cf-credentials';
+
+/** Function type for resolving CF project names from descriptors */
+type CFProjectNamesResolver = () => string[];
+
+class CloudflareApiStore implements SecretsStoreImplementation {
+	readonly id = 'cloudflare-api';
+	readonly descriptor: SecretsStoreDescriptor;
+	private readonly cfProjectNamesResolver?: CFProjectNamesResolver;
+	private connector: CloudflareSecretsManagerConnector | null = null;
+
+	constructor(desc: SecretsStoreDescriptor, projectNamesResolver?: CFProjectNamesResolver) {
+		this.descriptor = desc;
+		this.cfProjectNamesResolver = projectNamesResolver;
+	}
+
+	private async getConnector(): Promise<CloudflareSecretsManagerConnector> {
+		if (this.connector) return this.connector;
+
+		const tokenVar = this.descriptor.config?.apiTokenEnvVar ?? 'CLOUDFLARE_API_TOKEN';
+		const accountVar = this.descriptor.config?.accountIdEnvVar ?? 'CLOUDFLARE_ACCOUNT_ID';
+
+		const envReader = await resolveCfCredentialKeys([tokenVar, accountVar]);
+
+		this.connector = await CloudflareSecretsManagerConnector.create({
+			accountId: { source: 'env', key: accountVar },
+			apiToken: { source: 'env', key: tokenVar }
+		}, {
+			environment: 'production',
+			envReader
+		});
+
+		return this.connector;
+	}
+
+	async list(_environment: string): Promise<SecretEntry[]> {
+		const connector = await this.getConnector();
+		const entries: SecretEntry[] = [];
+
+		try {
+			const projectNames = this.getCFProjectNames();
+			for (const projectName of projectNames) {
+				try {
+					const names = await connector.list(projectName);
+					for (const key of names) {
+						entries.push({ key, hasValue: true, source: this.id });
+					}
+				} catch {
+					// skip unreachable projects
+				}
+			}
+		} catch (e) {
+			console.warn(`[cloudflare-api] Failed to list secrets: ${e}`);
+		}
+
+		return entries;
+	}
+
+	async get(_environment: string, _key: string): Promise<string | undefined> {
+		return undefined; // CF does not return secret values
+	}
+
+	async set(environment: string, key: string, value: string): Promise<void> {
+		await this.setAll(environment, { [key]: value });
+	}
+
+	async unset(_environment: string, _key: string): Promise<void> {
+		console.warn('[cloudflare-api] CF does not support deleting individual secrets. Re-push all secrets to update.');
+	}
+
+	async getAll(_environment: string): Promise<Record<string, string>> {
+		return {}; // CF does not return secret values
+	}
+
+	async setAll(_environment: string, secrets: Record<string, string>): Promise<void> {
+		const connector = await this.getConnector();
+		const projectNames = this.getCFProjectNames();
+
+		for (const projectName of projectNames) {
+			try {
+				await connector.set(secrets, projectName);
+			} catch (e) {
+				console.warn(`[cloudflare-api] Failed to push to ${projectName}: ${e}`);
+			}
+		}
+	}
+
+	private getCFProjectNames(): string[] {
+		// First priority: explicit project names from descriptor config
+		const explicitNames = this.descriptor.config?.cfProjectNames as string[] | undefined;
+		if (explicitNames && explicitNames.length > 0) {
+			return explicitNames;
+		}
+
+		// Second priority: runtime-resolved project names via injected resolver
+		if (this.cfProjectNamesResolver) {
+			try {
+				return this.cfProjectNamesResolver();
+			} catch {
+				// Resolver failed, fall through to empty
+			}
+		}
+
+		// No project names available
+		return [];
+	}
+}
+
+export function createCloudflareApiStore(projectNamesResolver?: CFProjectNamesResolver) {
+	const store = new CloudflareApiStore(descriptor, projectNamesResolver);
+	return createRuntimeImplementation({
+		id: 'cloudflare-api',
+		kind: 'secrets/store',
+		priority: 20,
+		implementation: store
+	});
+}

package/src/secrets/cloudflare-secrets-store.descriptor.ts

@@ -0,0 +1,27 @@
+/**
+ * Cloudflare Secrets Store Backend Descriptor
+ *
+ * Account-level secrets, bound to Workers via wrangler `secrets_store_secrets`.
+ * Distinct from `cloudflare-api`, which writes per-Worker / per-Pages secrets.
+ */
+
+import type { SecretsStoreDescriptor } from '@vibesdotdev/secrets/kinds/store.schema';
+
+const descriptor: SecretsStoreDescriptor = {
+	id: 'cloudflare-secrets-store',
+	kind: 'secrets/store',
+	name: 'Cloudflare Secrets Store',
+	description: 'Account-level Cloudflare Secrets Store; bound to Workers via secrets_store_secrets',
+	tags: ['remote', 'cloudflare', 'shared'],
+	enabled: true,
+	backend: 'cloudflare-secrets-store',
+	tiers: ['staging', 'production'],
+	priority: 30,
+	config: {
+		apiTokenEnvVar: 'CLOUDFLARE_API_TOKEN',
+		accountIdEnvVar: 'CLOUDFLARE_ACCOUNT_ID',
+		storeIdEnvVar: 'CLOUDFLARE_SECRETS_STORE_ID'
+	}
+};
+
+export default descriptor;