@vibesdotdev/infra-cloudflare 0.0.1

package/src/secrets/cloudflare-secrets-store.impl.ts

@@ -0,0 +1,87 @@
+/**
+ * Cloudflare Secrets Store Backend Implementation
+ *
+ * Manages secrets at the Cloudflare account level. Workers consume them via
+ * wrangler `secrets_store_secrets` bindings, generated by pages.impl.ts.
+ *
+ * Like the per-Worker secrets API, store secrets are write-only — get() / getAll()
+ * always return empty results. List() returns names only.
+ */
+
+import { createRuntimeImplementation } from '@vibesdotdev/runtime/factory/implementation';
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { SecretsStoreDescriptor } from '@vibesdotdev/secrets/kinds/store.schema';
+import type { SecretsStoreImplementation, SecretEntry } from '@vibesdotdev/secrets/kinds/store.interface';
+import { CloudflareSecretsManagerConnector } from '@vibesdotdev/connector-cloudflare';
+import descriptor from './cloudflare-secrets-store.descriptor';
+import { resolveCfCredentialKeys } from './resolve-cf-credentials';
+
+class CloudflareSecretsStore implements SecretsStoreImplementation {
+	readonly id = 'cloudflare-secrets-store';
+	readonly descriptor: SecretsStoreDescriptor;
+	private connector: CloudflareSecretsManagerConnector | null = null;
+
+	constructor(desc: SecretsStoreDescriptor) {
+		this.descriptor = desc;
+	}
+
+	private async getConnector(): Promise<CloudflareSecretsManagerConnector> {
+		if (this.connector) return this.connector;
+
+		const tokenVar = this.descriptor.config?.apiTokenEnvVar ?? 'CLOUDFLARE_API_TOKEN';
+		const accountVar = this.descriptor.config?.accountIdEnvVar ?? 'CLOUDFLARE_ACCOUNT_ID';
+		const storeVar = this.descriptor.config?.storeIdEnvVar ?? 'CLOUDFLARE_SECRETS_STORE_ID';
+
+		const envReader = await resolveCfCredentialKeys([tokenVar, accountVar, storeVar]);
+
+		this.connector = await CloudflareSecretsManagerConnector.create({
+			accountId: { source: 'env', key: accountVar },
+			apiToken: { source: 'env', key: tokenVar },
+			storeId: { source: 'env', key: storeVar }
+		}, {
+			environment: 'production',
+			envReader
+		});
+
+		return this.connector;
+	}
+
+	async list(_environment: string): Promise<SecretEntry[]> {
+		const connector = await this.getConnector();
+		const names = await connector.listStore();
+		return names.map((key) => ({ key, hasValue: true, source: this.id }));
+	}
+
+	async get(_environment: string, _key: string): Promise<string | undefined> {
+		return undefined;
+	}
+
+	async set(environment: string, key: string, value: string): Promise<void> {
+		const connector = await this.getConnector();
+		await connector.setStore({ [key]: value });
+	}
+
+	async unset(_environment: string, key: string): Promise<void> {
+		const connector = await this.getConnector();
+		await connector.unsetStore(key);
+	}
+
+	async getAll(_environment: string): Promise<Record<string, string>> {
+		return {};
+	}
+
+	async setAll(environment: string, secrets: Record<string, string>): Promise<void> {
+		const connector = await this.getConnector();
+		await connector.setStore(secrets);
+	}
+}
+
+export function createCloudflareSecretsStore() {
+	const store = new CloudflareSecretsStore(descriptor);
+	return createRuntimeImplementation({
+		id: 'cloudflare-secrets-store',
+		kind: 'secrets/store',
+		priority: 30,
+		implementation: store
+	});
+}

package/src/secrets/index.ts

@@ -0,0 +1,13 @@
+export { default as cloudflareApiDescriptor } from './cloudflare-api.descriptor';
+export { createCloudflareApiStore } from './cloudflare-api.impl';
+
+export { default as cloudflareSecretsStoreDescriptor } from './cloudflare-secrets-store.descriptor';
+export { createCloudflareSecretsStore } from './cloudflare-secrets-store.impl';
+
+export {
+	type CFClientConfig,
+	listPagesSecrets,
+	setPagesSecrets,
+	listWorkerSecrets,
+	setWorkerSecrets
+} from '@vibesdotdev/connector-cloudflare/api';

package/src/secrets/resolve-cf-credentials.ts

@@ -0,0 +1,63 @@
+/**
+ * CF credential resolver shared by the `cloudflare-api` and
+ * `cloudflare-secrets-store` backends.
+ *
+ * `CloudflareSecretsManagerConnector.create({ source: 'env', ... })` only
+ * reads `process.env` (or an `envReader` override) — it doesn't know how to
+ * peek at the runtime's secret backends. That's painful for the secrets CLI:
+ * a user who already ran `vibes secrets set CLOUDFLARE_API_TOKEN ...` still
+ * has to manually re-export the same values in their shell before
+ * `vibes secrets push --to cloudflare-secrets-store` will succeed.
+ *
+ * `resolveCfCredentialKeys` builds an `envReader` map that prefers
+ * `process.env` (so CI / explicit overrides still win) and falls back to
+ * the first available local-tier `secrets/store` backend. Pass the returned
+ * map to the connector via `opts.envReader`.
+ */
+
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+
+const LOCAL_BACKEND_IDS = ['encrypted-local', 'env-file'] as const;
+
+export async function resolveCfCredentialKeys(
+	keys: string[],
+	environment: string = 'local'
+): Promise<Record<string, string | undefined>> {
+	const resolved: Record<string, string | undefined> = {};
+	const runtime = getVibesRuntime();
+	let localStore: { get(env: string, key: string): Promise<string | undefined> } | null = null;
+
+	if (runtime.hasKind('secrets/store')) {
+		for (const id of LOCAL_BACKEND_IDS) {
+			try {
+				const impl = (await runtime
+					.query('secrets/store')
+					.withId(id)
+					.resolve()) as { get?: (env: string, key: string) => Promise<string | undefined> };
+				if (impl && typeof impl.get === 'function') {
+					localStore = { get: impl.get.bind(impl) };
+					break;
+				}
+			} catch {
+				// next candidate
+			}
+		}
+	}
+
+	for (const key of keys) {
+		const envValue = process.env[key];
+		if (envValue && envValue !== '') {
+			resolved[key] = envValue;
+			continue;
+		}
+		if (localStore) {
+			try {
+				resolved[key] = await localStore.get(environment, key);
+			} catch {
+				resolved[key] = undefined;
+			}
+		}
+	}
+
+	return resolved;
+}

package/src/web-app.ts

@@ -0,0 +1,32 @@
+/**
+ * Cloudflare Workers + Static Assets Web App Deployment Module
+ *
+ * Public entrypoint for the canonical Vibes deploy target: Cloudflare Workers
+ * with a Static Assets binding (the @sveltejs/adapter-cloudflare shape).
+ * Pages-targeting consumers should import from `./pages` instead.
+ */
+
+export {
+	createCloudflareWebAppDeployment,
+	generateCloudflareWebAppDescriptor,
+	CloudflareWebAppDescriptorSchema,
+	SHARED_BANDWIDTH_TELEMETRY_DATASET,
+	type CloudflareWebAppDeployment,
+	type CloudflareWebAppDescriptor,
+	type CloudflareWebAppDescriptorInput,
+	type WranglerWebAppConfig,
+	type WranglerWebAppRoute,
+	type WranglerWebAppAssets,
+	type WranglerSecretsStoreBinding,
+	type WranglerAnalyticsEngineBinding
+} from './implementations/web-app.impl';
+
+export { renderWranglerJson } from './implementations/pages.impl';
+
+export {
+	WEB_APP_HEADER_LINES,
+	isCloudflareWebAppDeployment,
+	renderManagedWranglerJsonc,
+	renderWranglerJsoncFromDefaultExport,
+	type WranglerRenderResult
+} from './regen.ts';