alepha 0.20.1 → 0.20.3

package/src/cli/platform/__tests__/CloudflareAdapter.spec.ts

@@ -119,6 +119,18 @@ class MemoryCloudflareApi extends CloudflareApi {
     return this.secrets.get(scriptName) ?? [];
   }
 
+  public override async putSecret(
+    scriptName: string,
+    name: string,
+    _value: string,
+  ) {
+    const existing = this.secrets.get(scriptName) ?? [];
+    if (!existing.some((s) => s.name === name)) {
+      existing.push({ name, type: "secret_text" });
+    }
+    this.secrets.set(scriptName, existing);
+  }
+
   public override async listDeployments() {
     return [];
   }
@@ -379,10 +391,10 @@ describe("CloudflareAdapter", () => {
   });
 
   describe("secrets", () => {
-    test("pushes non-binding env vars via wrangler secret bulk", async ({
+    test("pushes non-binding env vars via REST putSecret", async ({
       expect,
     }) => {
-      const { adapter, fs, shell, naming } = createTestEnv();
+      const { adapter, fs, naming, api } = createTestEnv();
       const ctx = makeCtx(naming, {
         apps: [
           {
@@ -400,7 +412,6 @@ describe("CloudflareAdapter", () => {
         ],
       });
 
-      // Write .env.production with a mix of secrets and excluded vars
       await fs.writeFile(
         "/project/.env.production",
         [
@@ -418,62 +429,13 @@ describe("CloudflareAdapter", () => {
       const run = createMockRun();
       await adapter.secrets(ctx, run);
 
-      // Should call wrangler secret bulk with the worker name
-      expect(
-        shell.wasCalledMatching(
-          /wrangler secret bulk.*--name=acme-portal-production/,
-        ),
-      ).toBe(true);
-
-      // Verify the secrets JSON was written (only non-excluded vars)
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /GOOGLE_API_KEY/,
-        ),
-      ).toBe(true);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /APP_SECRET/,
-        ),
-      ).toBe(true);
-
-      // Excluded vars should NOT be in the secrets file
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /DATABASE_URL/,
-        ),
-      ).toBe(false);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /R2_BUCKET_NAME/,
-        ),
-      ).toBe(false);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /CLOUDFLARE_DOMAIN/,
-        ),
-      ).toBe(false);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /VITE_PUBLIC_KEY/,
-        ),
-      ).toBe(false);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /NODE_ENV/,
-        ),
-      ).toBe(false);
+      const pushed = api.secrets.get("acme-portal-production") ?? [];
+      const names = pushed.map((s) => s.name).sort();
+      expect(names).toEqual(["APP_SECRET", "GOOGLE_API_KEY"]);
     });
 
     test("skips when no env file exists", async ({ expect }) => {
-      const { adapter, shell, naming } = createTestEnv();
+      const { adapter, naming, api } = createTestEnv();
       const ctx = makeCtx(naming, {
         apps: [
           {
@@ -494,11 +456,11 @@ describe("CloudflareAdapter", () => {
       const run = createMockRun();
       await adapter.secrets(ctx, run);
 
-      expect(shell.wasCalledMatching(/wrangler secret/)).toBe(false);
+      expect(api.secrets.size).toBe(0);
     });
 
     test("skips comments and empty lines", async ({ expect }) => {
-      const { adapter, fs, shell, naming } = createTestEnv();
+      const { adapter, fs, naming, api } = createTestEnv();
       const ctx = makeCtx(naming, {
         apps: [
           {
@@ -524,19 +486,8 @@ describe("CloudflareAdapter", () => {
       const run = createMockRun();
       await adapter.secrets(ctx, run);
 
-      expect(shell.wasCalledMatching(/wrangler secret bulk/)).toBe(true);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /ONLY_SECRET/,
-        ),
-      ).toBe(true);
-      expect(
-        fs.wasWrittenMatching(
-          "/project/node_modules/.alepha/secrets.json",
-          /comment/,
-        ),
-      ).toBe(false);
+      const pushed = api.secrets.get("acme-portal-production") ?? [];
+      expect(pushed.map((s) => s.name)).toEqual(["ONLY_SECRET"]);
     });
   });
 

package/src/cli/platform/__tests__/SecretsCommand.spec.ts

@@ -252,8 +252,10 @@ describe("SecretsCommand", () => {
 
       const output = writes.join("");
       expect(output).toContain("env:");
+      // biome-ignore lint/suspicious/noTemplateCurlyInString: GitHub Actions `${{ ... }}` syntax in plain string
       expect(output).toContain("API_KEY: ${{ secrets.API_KEY }}");
       expect(output).toContain(
+        // biome-ignore lint/suspicious/noTemplateCurlyInString: GitHub Actions `${{ ... }}` syntax in plain string
         "GITHUB_CLIENT_ID: ${{ secrets.APP_GITHUB_CLIENT_ID }}",
       );
     });

package/src/cli/platform/adapters/CloudflareAdapter.ts

@@ -1,5 +1,4 @@
 import { $inject, Alepha } from "alepha";
-import { AlephaCliUtils } from "alepha/cli";
 import { EnvUtils, Runner, type RunnerMethod } from "alepha/command";
 import { $logger } from "alepha/logger";
 import { FileSystemProvider, ShellProvider } from "alepha/system";
@@ -24,7 +23,6 @@ export class CloudflareAdapter extends PlatformAdapter {
   protected readonly log = $logger();
   protected readonly fs = $inject(FileSystemProvider);
   protected readonly shell = $inject(ShellProvider);
-  protected readonly utils = $inject(AlephaCliUtils);
   protected readonly cache = $inject(PlatformCacheProvider);
   protected readonly alepha = $inject(Alepha);
   protected readonly envUtils = $inject(EnvUtils);
@@ -57,6 +55,7 @@ export class CloudflareAdapter extends PlatformAdapter {
    */
   protected configureApi(ctx: PlatformContext): void {
     this.api.setJurisdiction(ctx.envConfig.jurisdiction);
+    this.api.setAccountId(ctx.envConfig.accountId);
   }
 
   protected async runShell(
@@ -256,7 +255,9 @@ export class CloudflareAdapter extends PlatformAdapter {
       return;
     }
 
-    // Push secrets to each worker
+    // Push secrets to each worker via the REST API (one PUT per secret).
+    // Historically we shelled out to `wrangler secret bulk`, but it has an
+    // open hang issue (workers-sdk#10555) and is redundant given putSecret.
     for (const app of ctx.apps) {
       const workerName = ctx.naming.worker(
         ctx.apps.length > 1 ? app.name : undefined,
@@ -265,13 +266,9 @@ export class CloudflareAdapter extends PlatformAdapter {
       await run({
         name: `push secrets to ${workerName}`,
         handler: async () => {
-          const secretsPath = await this.utils.writeConfigFile(
-            "secrets.json",
-            JSON.stringify(secrets),
-            ctx.root,
-          );
-
-          await this.wrangler.secretBulk(secretsPath, workerName);
+          for (const [name, value] of Object.entries(secrets)) {
+            await this.api.putSecret(workerName, name, value);
+          }
         },
       });
     }
@@ -882,7 +879,11 @@ export class CloudflareAdapter extends PlatformAdapter {
   > {
     const deployments = await this.api.listDeployments(workerName);
 
-    const latest = deployments.at(-1);
+    // API ordering is not guaranteed across releases — sort explicitly.
+    const sorted = [...deployments].sort((a, b) =>
+      b.created_on.localeCompare(a.created_on),
+    );
+    const latest = sorted[0];
     if (!latest?.versions?.[0]) {
       return undefined;
     }

package/src/cli/platform/atoms/platformOptions.ts

@@ -74,6 +74,14 @@ export const platformOptions = $atom({
            * Omit for the default (global) jurisdiction.
            */
           jurisdiction: t.optional(t.enum(["eu", "fedramp"])),
+          /**
+           * Cloudflare account ID to deploy into.
+           *
+           * Falls back to `CLOUDFLARE_ACCOUNT_ID` env var, then to the
+           * token's account when the token is scoped to exactly one.
+           * Required when the token has access to multiple accounts.
+           */
+          accountId: t.optional(t.text()),
         }),
       ),
     }),
@@ -93,4 +101,5 @@ export interface EnvironmentConfig {
   domain?: string;
   vars?: Record<string, string>;
   jurisdiction?: "eu" | "fedramp";
+  accountId?: string;
 }

package/src/cli/platform/schemas/cloudflare.ts

@@ -40,7 +40,7 @@ export type CloudflareKV = Static<typeof cloudflareKVSchema>;
 
 export const cloudflareR2Schema = t.object({
   name: t.string(),
-  creation_date: t.string(),
+  creation_date: t.optional(t.string()),
 });
 
 export type CloudflareR2 = Static<typeof cloudflareR2Schema>;
@@ -61,8 +61,9 @@ export const cloudflareQueueSchema = t.object({
 export type CloudflareQueue = Static<typeof cloudflareQueueSchema>;
 
 export const cloudflareQueueConsumerSchema = t.object({
+  consumer_id: t.string(),
   service: t.string(),
-  environment: t.string(),
+  environment: t.optional(t.string()),
 });
 
 export type CloudflareQueueConsumer = Static<

package/src/cli/platform/services/CloudflareApi.ts

@@ -22,9 +22,9 @@ import {
   cloudflareKVSchema,
   cloudflareQueueConsumerSchema,
   cloudflareQueueSchema,
-  cloudflareR2ListSchema,
+  cloudflareR2Schema,
   cloudflareSecretSchema,
-  cloudflareVersionListSchema,
+  cloudflareVersionSchema,
   cloudflareWorkerSchema,
   createD1BodySchema,
   createHyperdriveBodySchema,
@@ -81,6 +81,16 @@ export class CloudflareApi {
     this.jurisdiction = jurisdiction;
   }
 
+  /**
+   * Override the Cloudflare account ID (from platform config).
+   *
+   * When unset, `resolveAccountId` falls back to `CLOUDFLARE_ACCOUNT_ID` env
+   * var or the token's single account.
+   */
+  public setAccountId(accountId?: string): void {
+    this.accountId = accountId;
+  }
+
   // -------------------------------------------------------------------------
   // Auth
   // -------------------------------------------------------------------------
@@ -107,6 +117,12 @@ export class CloudflareApi {
       return this.accountId;
     }
 
+    const fromEnv = process.env.CLOUDFLARE_ACCOUNT_ID;
+    if (fromEnv) {
+      this.accountId = fromEnv;
+      return this.accountId;
+    }
+
     const res = await this.fetch<CloudflareAccount[]>("/accounts", {
       schema: t.array(cloudflareAccountSchema),
     });
@@ -115,6 +131,15 @@ export class CloudflareApi {
       throw new AlephaError("No Cloudflare accounts found for this token.");
     }
 
+    if (res.length > 1) {
+      const list = res.map((a) => `  - ${a.id}  ${a.name}`).join("\n");
+      throw new AlephaError(
+        `Cloudflare token has access to ${res.length} accounts; set ` +
+          `\`CLOUDFLARE_ACCOUNT_ID\` or the \`accountId\` field in your ` +
+          `platform config to pick one:\n${list}`,
+      );
+    }
+
     this.accountId = res[0].id;
     return this.accountId;
   }
@@ -125,9 +150,9 @@ export class CloudflareApi {
 
   public async listD1(): Promise<CloudflareD1[]> {
     const accountId = await this.resolveAccountId();
-    return await this.fetch<CloudflareD1[]>(
+    return await this.paginate<CloudflareD1>(
       `/accounts/${accountId}/d1/database`,
-      { schema: t.array(cloudflareD1Schema) },
+      cloudflareD1Schema,
     );
   }
 
@@ -136,15 +161,19 @@ export class CloudflareApi {
     location = "weur", // TODO: move to config (or auto-resolve based on account info, or ask ?)
   ): Promise<CloudflareD1> {
     const accountId = await this.resolveAccountId();
+    // When jurisdiction is set, `primary_location_hint` is silently ignored
+    // by the API, so omit it to avoid confusion.
+    const body: Record<string, unknown> = { name };
+    if (this.jurisdiction) {
+      body.jurisdiction = this.jurisdiction;
+    } else {
+      body.primary_location_hint = location;
+    }
     return await this.fetch<CloudflareD1>(
       `/accounts/${accountId}/d1/database`,
       {
         method: "POST",
-        body: {
-          name,
-          primary_location_hint: location,
-          ...(this.jurisdiction ? { jurisdiction: this.jurisdiction } : {}),
-        },
+        body,
         bodySchema: createD1BodySchema,
         schema: cloudflareD1Schema,
       },
@@ -164,9 +193,10 @@ export class CloudflareApi {
 
   public async listKV(): Promise<CloudflareKV[]> {
     const accountId = await this.resolveAccountId();
-    return await this.fetch<CloudflareKV[]>(
+    return await this.paginate<CloudflareKV>(
       `/accounts/${accountId}/storage/kv/namespaces`,
-      { schema: t.array(cloudflareKVSchema) },
+      cloudflareKVSchema,
+      100, // KV list caps at 100 per page
     );
   }
 
@@ -197,11 +227,11 @@ export class CloudflareApi {
 
   public async listR2(): Promise<CloudflareR2[]> {
     const accountId = await this.resolveAccountId();
-    const res = await this.fetch<{ buckets: CloudflareR2[] }>(
+    return await this.paginateCursor<CloudflareR2>(
       `/accounts/${accountId}/r2/buckets`,
-      { schema: cloudflareR2ListSchema },
+      "buckets",
+      cloudflareR2Schema,
     );
-    return res.buckets;
   }
 
   public async createR2(name: string): Promise<void> {
@@ -226,9 +256,9 @@ export class CloudflareApi {
 
   public async listQueues(): Promise<CloudflareQueue[]> {
     const accountId = await this.resolveAccountId();
-    return await this.fetch<CloudflareQueue[]>(
+    return await this.paginate<CloudflareQueue>(
       `/accounts/${accountId}/queues`,
-      { schema: t.array(cloudflareQueueSchema) },
+      cloudflareQueueSchema,
     );
   }
 
@@ -253,9 +283,9 @@ export class CloudflareApi {
     queueId: string,
   ): Promise<CloudflareQueueConsumer[]> {
     const accountId = await this.resolveAccountId();
-    return await this.fetch<CloudflareQueueConsumer[]>(
+    return await this.paginate<CloudflareQueueConsumer>(
       `/accounts/${accountId}/queues/${queueId}/consumers`,
-      { schema: t.array(cloudflareQueueConsumerSchema) },
+      cloudflareQueueConsumerSchema,
     );
   }
 
@@ -264,8 +294,13 @@ export class CloudflareApi {
     consumerService: string,
   ): Promise<void> {
     const accountId = await this.resolveAccountId();
+    const consumers = await this.listQueueConsumers(queueId);
+    const consumer = consumers.find((c) => c.service === consumerService);
+    if (!consumer) {
+      return;
+    }
     await this.fetch(
-      `/accounts/${accountId}/queues/${queueId}/consumers/${consumerService}`,
+      `/accounts/${accountId}/queues/${queueId}/consumers/${consumer.consumer_id}`,
       { method: "DELETE" },
     );
   }
@@ -276,9 +311,9 @@ export class CloudflareApi {
 
   public async listHyperdrive(): Promise<CloudflareHyperdrive[]> {
     const accountId = await this.resolveAccountId();
-    return await this.fetch<CloudflareHyperdrive[]>(
+    return await this.paginate<CloudflareHyperdrive>(
       `/accounts/${accountId}/hyperdrive/configs`,
-      { schema: t.array(cloudflareHyperdriveSchema) },
+      cloudflareHyperdriveSchema,
     );
   }
 
@@ -338,20 +373,22 @@ export class CloudflareApi {
     scriptName: string,
   ): Promise<CloudflareDeployment[]> {
     const accountId = await this.resolveAccountId();
+    // Deployments list is wrapped in `{ deployments }` and returns newest
+    // first; for picking the active deployment we only need the top page.
     const res = await this.fetch<{ deployments: CloudflareDeployment[] }>(
       `/accounts/${accountId}/workers/scripts/${scriptName}/deployments`,
-      { schema: cloudflareDeploymentListSchema },
+      { schema: cloudflareDeploymentListSchema, query: { per_page: "100" } },
     );
     return res.deployments;
   }
 
   public async listVersions(scriptName: string): Promise<CloudflareVersion[]> {
     const accountId = await this.resolveAccountId();
-    const res = await this.fetch<{ items: CloudflareVersion[] }>(
+    return await this.paginateCursor<CloudflareVersion>(
       `/accounts/${accountId}/workers/scripts/${scriptName}/versions`,
-      { schema: cloudflareVersionListSchema },
+      "items",
+      cloudflareVersionSchema,
     );
-    return res.items;
   }
 
   // -------------------------------------------------------------------------
@@ -428,6 +465,13 @@ export class CloudflareApi {
       success: boolean;
       result: T;
       errors: CloudflareApiError[];
+      result_info?: {
+        page: number;
+        per_page: number;
+        total_pages?: number;
+        count?: number;
+        total_count?: number;
+      };
     };
 
     if (!json.success) {
@@ -444,6 +488,101 @@ export class CloudflareApi {
     return json.result;
   }
 
+  /**
+   * Paginate a page-based list endpoint (`result_info.total_pages`).
+   *
+   * Cloudflare defaults to `per_page=20`; we push it to 1000 (max on most
+   * list endpoints) and loop if more pages exist. Each page is validated
+   * against the item schema.
+   */
+  protected async paginate<T>(
+    path: string,
+    itemSchema: TSchema,
+    perPage = 1000,
+  ): Promise<T[]> {
+    const results: T[] = [];
+    let page = 1;
+
+    while (true) {
+      const token = await this.resolveToken();
+      const url = `${CloudflareApi.BASE}${path}?per_page=${perPage}&page=${page}`;
+
+      const headers: Record<string, string> = {
+        Authorization: `Bearer ${token}`,
+      };
+      if (this.jurisdiction && /\/r2\//.test(path)) {
+        headers["cf-r2-jurisdiction"] = this.jurisdiction;
+      }
+
+      const response = await globalThis.fetch(url, { method: "GET", headers });
+      const json = (await response.json()) as {
+        success: boolean;
+        result: T[];
+        errors: CloudflareApiError[];
+        result_info?: { page: number; total_pages?: number };
+      };
+
+      if (!json.success) {
+        const messages = json.errors.map((e) => e.message).join(", ");
+        throw new AlephaError(
+          `Cloudflare API error (GET ${path}): ${messages}`,
+        );
+      }
+
+      const validated = this.alepha.codec.validate(
+        t.array(itemSchema),
+        json.result,
+      ) as T[];
+      results.push(...validated);
+
+      const totalPages = json.result_info?.total_pages;
+      if (!totalPages || page >= totalPages || validated.length === 0) {
+        break;
+      }
+      page++;
+    }
+
+    return results;
+  }
+
+  /**
+   * Paginate a cursor-based list endpoint where `result` is an object
+   * containing both the items array and a `cursor` field (R2 buckets,
+   * Workers versions). Returns the flattened item array.
+   */
+  protected async paginateCursor<T>(
+    path: string,
+    itemsKey: string,
+    itemSchema: TSchema,
+    perPage = 1000,
+  ): Promise<T[]> {
+    const results: T[] = [];
+    let cursor: string | undefined;
+
+    while (true) {
+      const query: Record<string, string> = { per_page: String(perPage) };
+      if (cursor) {
+        query.cursor = cursor;
+      }
+
+      const res = await this.fetch<Record<string, unknown>>(path, { query });
+      const items = (res[itemsKey] as unknown[]) ?? [];
+      const validated = this.alepha.codec.validate(
+        t.array(itemSchema),
+        items,
+      ) as T[];
+      results.push(...validated);
+
+      const nextCursor = res.cursor as string | undefined;
+      if (!nextCursor || validated.length === 0) {
+        break;
+      }
+      cursor = nextCursor;
+    }
+
+    return results;
+  }
+
   // -------------------------------------------------------------------------
   // Helpers
   // -------------------------------------------------------------------------

package/src/cli/platform/services/WranglerApi.ts

@@ -124,21 +124,4 @@ export class WranglerApi {
       { resolve: true, env: { CI: "1" } },
     );
   }
-
-  // -------------------------------------------------------------------------
-  // Secrets
-  // -------------------------------------------------------------------------
-
-  /**
-   * Push secrets in bulk to a worker.
-   */
-  public async secretBulk(
-    secretsPath: string,
-    workerName: string,
-  ): Promise<void> {
-    await this.runShell(
-      `wrangler secret bulk ${secretsPath} --name=${workerName}`,
-      { resolve: true },
-    );
-  }
 }

package/src/command/providers/CliProvider.ts

@@ -555,7 +555,7 @@ export class CliProvider {
     const parsed = this.parseFlags(argv, flagDefs);
 
     // Remove the mode flag from parsed result (it's handled separately)
-    delete parsed.__mode__;
+    parsed.__mode__ = undefined;
 
     // apply manually defaults for optional properties that have defaults
     for (const [key, value] of Object.entries(schema.properties)) {

package/src/core/Alepha.ts

@@ -826,6 +826,15 @@ export class Alepha {
     return this;
   }
 
+  /**
+   * Alias for {@link Alepha#with}.
+   */
+  public register<T extends object>(
+    serviceEntry: ServiceEntry<T> | { default: ServiceEntry<T> },
+  ): this {
+    return this.with(serviceEntry);
+  }
+
   /**
    * Get an instance of the specified service from the container.
    *

package/src/core/interfaces/Service.ts

@@ -8,7 +8,9 @@ export type Service<T extends object = any> =
   | AbstractClass<T>
   | RunFunction<T>;
 
-export type RunFunction<T extends object = any> = (...args: any[]) => T | void;
+export type RunFunction<T extends object = any> = (
+  ...args: any[]
+) => T | undefined;
 
 export type InstantiableClass<T extends object = any> = new (
   ...args: any[]

package/src/core/providers/TypeProvider.ts

@@ -447,7 +447,7 @@ export class TypeProvider {
   /**
    * Create a schema that maps all properties of an object schema to nullable.
    */
-  public nullify = <T extends TSchema>(schema: T, options?: TObjectOptions) =>
+  public nullify = (schema: TSchema, options?: TObjectOptions): TSchema =>
     Type.Mapped(
       Type.Identifier("K"),
       Type.KeyOf(schema),

package/src/logger/services/Logger.ts

@@ -146,7 +146,7 @@ export class Logger implements LoggerInterface {
     }
 
     let _data: object | Error | undefined;
-    if (typeof data === "object" && !!data) {
+    if (typeof data === "object" && data) {
       _data = data;
     } else if (typeof message === "object" && message) {
       _data = message;

package/src/mcp/__tests__/$resource.spec.ts

@@ -364,7 +364,7 @@ describe("$resource primitive", () => {
         uri: "protected://resource",
         handler: async ({ context }) => {
           const authHeader = context?.headers?.authorization;
-          if (!authHeader || !authHeader.toString().startsWith("Bearer ")) {
+          if (!authHeader?.toString().startsWith("Bearer ")) {
             throw new Error("Unauthorized");
           }
           return { text: "Secret content" };

package/src/mcp/__tests__/$tool.spec.ts

@@ -379,7 +379,7 @@ describe("$tool primitive", () => {
         },
         handler: async ({ context }) => {
           const authHeader = context?.headers?.authorization;
-          if (!authHeader || !authHeader.toString().startsWith("Bearer ")) {
+          if (!authHeader?.toString().startsWith("Bearer ")) {
             throw new Error("Unauthorized");
           }
           return "Access granted";

package/src/mcp/__tests__/McpServerProvider.spec.ts

@@ -751,7 +751,7 @@ describe("McpServerProvider", () => {
           schema: { result: t.text() },
           handler: async ({ context }) => {
             const auth = context?.headers?.authorization;
-            if (!auth || !auth.toString().startsWith("Bearer ")) {
+            if (!auth?.toString().startsWith("Bearer ")) {
               throw new Error("Unauthorized");
             }
             return "Access granted";