wrangler 2.9.0 → 2.10.0

package/src/__tests__/user.test.ts

@@ -60,7 +60,7 @@ describe("User", () => {
 			expect(counter).toBe(1);
 			expect(std.out).toMatchInlineSnapshot(`
 			"Attempting to login via OAuth...
-			Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
+			Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?response_type=code&client_id=54d11594-84e4-41aa-b438-e81b8fa78ee7&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&scope=account%3Aread%20user%3Aread%20workers%3Awrite%20workers_kv%3Awrite%20workers_routes%3Awrite%20workers_scripts%3Awrite%20workers_tail%3Aread%20d1%3Awrite%20pages%3Awrite%20zone%3Aread%20ssl_certs%3Awrite%20offline_access&state=MOCK_STATE_PARAM&code_challenge=MOCK_CODE_CHALLENGE&code_challenge_method=S256
 			Successfully logged in."
 		`);
 			expect(readAuthConfigFile()).toEqual<UserAuthConfig>({

package/src/__tests__/whoami.test.tsx

@@ -160,7 +160,7 @@ describe("getUserInfo()", () => {
 		await getUserInfo();
 
 		expect(std.warn).toMatchInlineSnapshot(`
-		      "▲ [WARNING] It looks like you have used Wrangler 1's \`config\` command to login with an API token.
+		      "▲ [WARNING] It looks like you have used Wrangler v1's \`config\` command to login with an API token.
 
 		        This is no longer supported in the current version of Wrangler.
 		        If you wish to authenticate via an API token then please set the \`CLOUDFLARE_API_TOKEN\`

package/src/__tests__/worker-namespace.test.ts

@@ -17,7 +17,7 @@ describe("dispatch-namespace", () => {
 	mockAccountId();
 	mockApiToken();
 
-	it("should should display a list of available subcommands, for dispatch-namespace with no subcommand", async () => {
+	it("should display a list of available subcommands, for dispatch-namespace with no subcommand", async () => {
 		await runWrangler("dispatch-namespace");
 
 		// wait a tick for the help menu to be printed

package/src/api/index.ts

@@ -1,3 +1,11 @@
 export { unstable_dev } from "./dev";
 export type { UnstableDevWorker, UnstableDevOptions } from "./dev";
 export { unstable_pages } from "./pages";
+export {
+	uploadMTlsCertificate,
+	uploadMTlsCertificateFromFs,
+	listMTlsCertificates,
+	getMTlsCertificate,
+	getMTlsCertificateByName,
+	deleteMTlsCertificate,
+} from "./mtls-certificate";

package/src/api/mtls-certificate.ts

@@ -0,0 +1,148 @@
+import { fetchResult } from "../cfetch";
+import { readFileSync } from "../parse";
+
+/**
+ * the representation of an mTLS certificate in the account certificate store
+ */
+export interface MTlsCertificateResponse {
+	id: string;
+	name?: string;
+	ca: boolean;
+	certificates: string;
+	expires_on: string;
+	issuer: string;
+	serial_number: string;
+	signature: string;
+	uploaded_on: string;
+}
+
+/**
+ * details for uploading an mTLS certificate from disk
+ */
+export interface MTlsCertificateUploadDetails {
+	certificateChainFilename: string;
+	privateKeyFilename: string;
+	name?: string;
+}
+
+/**
+ * details for uploading an mTLS certificate via the ssl api
+ */
+export interface MTlsCertificateBody {
+	certificateChain: string;
+	privateKey: string;
+	name?: string;
+}
+
+/**
+ * supported filters for listing mTLS certificates via the ssl api
+ */
+export interface MTlsCertificateListFilter {
+	name?: string;
+}
+
+/**
+ * indicates that looking up a certificate by name failed due to zero matching results
+ */
+export class ErrorMTlsCertificateNameNotFound extends Error {}
+
+/**
+ * indicates that looking up a certificate by name failed due to more than one matching results
+ */
+export class ErrorMTlsCertificateManyNamesMatch extends Error {}
+
+/**
+ * reads an mTLS certificate and private key pair from disk and uploads it to the account mTLS certificate store
+ */
+export async function uploadMTlsCertificateFromFs(
+	accountId: string,
+	details: MTlsCertificateUploadDetails
+): Promise<MTlsCertificateResponse> {
+	return await uploadMTlsCertificate(accountId, {
+		certificateChain: readFileSync(details.certificateChainFilename),
+		privateKey: readFileSync(details.privateKeyFilename),
+		name: details.name,
+	});
+}
+
+/**
+ *  uploads an mTLS certificate and private key pair to the account mTLS certificate store
+ */
+export async function uploadMTlsCertificate(
+	accountId: string,
+	body: MTlsCertificateBody
+): Promise<MTlsCertificateResponse> {
+	return await fetchResult(`/accounts/${accountId}/mtls_certificates`, {
+		method: "POST",
+		body: JSON.stringify({
+			name: body.name,
+			certificates: body.certificateChain,
+			private_key: body.privateKey,
+			ca: false,
+		}),
+	});
+}
+
+/**
+ *  fetches an mTLS certificate from the account mTLS certificate store by ID
+ */
+export async function getMTlsCertificate(
+	accountId: string,
+	id: string
+): Promise<MTlsCertificateResponse> {
+	return await fetchResult(
+		`/accounts/${accountId}/mtls_certificates/${id}`,
+		{}
+	);
+}
+
+/**
+ *  lists mTLS certificates for an account. filtering by name is supported
+ */
+export async function listMTlsCertificates(
+	accountId: string,
+	filter: MTlsCertificateListFilter
+): Promise<MTlsCertificateResponse[]> {
+	const params = new URLSearchParams();
+	params.append("ca", "false");
+	if (filter.name) {
+		params.append("name", filter.name);
+	}
+	return await fetchResult(
+		`/accounts/${accountId}/mtls_certificates`,
+		{},
+		params
+	);
+}
+
+/**
+ *  fetches an mTLS certificate from the account mTLS certificate store by name. will throw an error if no certificates are found, or multiple are found with that name
+ */
+export async function getMTlsCertificateByName(
+	accountId: string,
+	name: string
+): Promise<MTlsCertificateResponse> {
+	const certificates = await listMTlsCertificates(accountId, { name });
+	if (certificates.length === 0) {
+		throw new ErrorMTlsCertificateNameNotFound(
+			`certificate not found with name "${name}"`
+		);
+	}
+	if (certificates.length > 1) {
+		throw new ErrorMTlsCertificateManyNamesMatch(
+			`multiple certificates found with name "${name}"`
+		);
+	}
+	const certificate = certificates[0];
+	return certificate;
+}
+
+export async function deleteMTlsCertificate(
+	accountId: string,
+	certificateId: string
+) {
+	return await fetchResult(
+		`/accounts/${accountId}/mtls_certificates/${certificateId}`,
+		{ method: "DELETE" }
+	);
+}

package/src/api/pages/create-worker-bundle-contents.ts

@@ -0,0 +1,75 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { Response } from "undici";
+import { createWorkerUploadForm } from "../../create-worker-upload-form";
+import type { BundleResult } from "../../bundle";
+import type { CfWorkerInit } from "../../worker";
+import type { Blob } from "node:buffer";
+import type { FormData } from "undici";
+
+/**
+ * Takes a Worker bundle - `BundleResult` - and generates the _worker.bundle
+ * contents
+ */
+export async function createUploadWorkerBundleContents(
+	workerBundle: BundleResult
+): Promise<Blob> {
+	const workerBundleFormData = createWorkerBundleFormData(workerBundle);
+	const metadata = JSON.parse(workerBundleFormData.get("metadata") as string);
+
+	/**
+	 * Pages doesn't need the metadata bindings returned by
+	 * `createWorkerBundleFormData`. Let's strip them out and return only
+	 * the contents we need
+	 */
+	workerBundleFormData.set(
+		"metadata",
+		JSON.stringify({ main_module: metadata.main_module })
+	);
+
+	return await new Response(workerBundleFormData).blob();
+}
+
+/**
+ * Creates a `FormData` upload from a `BundleResult`
+ */
+function createWorkerBundleFormData(workerBundle: BundleResult): FormData {
+	const mainModule = {
+		name: path.basename(workerBundle.resolvedEntryPointPath),
+		content: readFileSync(workerBundle.resolvedEntryPointPath, {
+			encoding: "utf-8",
+		}),
+		type: workerBundle.bundleType || "esm",
+	};
+
+	const worker: CfWorkerInit = {
+		name: mainModule.name,
+		main: mainModule,
+		modules: workerBundle.modules,
+		bindings: {
+			vars: undefined,
+			kv_namespaces: undefined,
+			wasm_modules: undefined,
+			text_blobs: undefined,
+			data_blobs: undefined,
+			durable_objects: undefined,
+			queues: undefined,
+			r2_buckets: undefined,
+			d1_databases: undefined,
+			services: undefined,
+			analytics_engine_datasets: undefined,
+			dispatch_namespaces: undefined,
+			mtls_certificates: undefined,
+			logfwdr: undefined,
+			unsafe: undefined,
+		},
+		migrations: undefined,
+		compatibility_date: undefined,
+		compatibility_flags: undefined,
+		usage_model: undefined,
+		keepVars: undefined,
+		logpush: undefined,
+	};
+
+	return createWorkerUploadForm(worker);
+}

package/src/api/pages/publish.tsx

@@ -17,6 +17,8 @@ import {
 } from "../../pages/functions/buildWorker";
 import { validateRoutes } from "../../pages/functions/routes-validation";
 import { upload } from "../../pages/upload";
+import { createUploadWorkerBundleContents } from "./create-worker-bundle-contents";
+import type { BundleResult } from "../../bundle";
 import type { Project, Deployment } from "@cloudflare/types";
 
 interface PagesPublishOptions {
@@ -67,6 +69,14 @@ interface PagesPublishOptions {
 	 */
 	bundle?: boolean;
 
+	/**
+	 * Whether to process non-JS module imports or not, such as
+	 * wasm/text/binary, when we run bundling on `functions` or
+	 * `_worker.js`
+	 * Default: false
+	 */
+	experimentalWorkerBundle?: boolean;
+
 	// TODO: Allow passing in the API key and plumb it through
 	// to the API calls so that the publish function does not
 	// rely on the `CLOUDFLARE_API_KEY` environment variable
@@ -88,6 +98,7 @@ export async function publish({
 	commitDirty,
 	functionsDirectory: customFunctionsDirectory,
 	bundle,
+	experimentalWorkerBundle,
 }: PagesPublishOptions) {
 	let _headers: string | undefined,
 		_redirects: string | undefined,
@@ -132,6 +143,8 @@ export async function publish({
 	 * Functions first and exit if it failed
 	 */
 	let builtFunctions: string | undefined = undefined;
+	let workerBundle: BundleResult | undefined = undefined;
+
 	const functionsDirectory =
 		customFunctionsDirectory || join(cwd(), "functions");
 	const routesOutputPath = !existsSync(join(directory, "_routes.json"))
@@ -154,7 +167,7 @@ export async function publish({
 		);
 
 		try {
-			await buildFunctions({
+			workerBundle = await buildFunctions({
 				outfile,
 				outputConfigPath,
 				functionsDirectory,
@@ -163,6 +176,7 @@ export async function publish({
 				routesOutputPath,
 				local: false,
 				d1Databases,
+				experimentalWorkerBundle,
 			});
 
 			builtFunctions = readFileSync(outfile, "utf-8");
@@ -234,9 +248,11 @@ export async function publish({
 	 */
 	if (_workerJS) {
 		let workerFileContents = _workerJS;
-		if (bundle) {
+		const enableBundling = bundle || experimentalWorkerBundle;
+
+		if (enableBundling) {
 			const outfile = join(tmpdir(), `./bundledWorker-${Math.random()}.mjs`);
-			await buildRawWorker({
+			workerBundle = await buildRawWorker({
 				workerScriptPath,
 				outfile,
 				directory: directory ?? ".",
@@ -245,14 +261,30 @@ export async function publish({
 				watch: false,
 				onEnd: () => {},
 				betaD1Shims: d1Databases,
+				experimentalWorkerBundle,
 			});
 			workerFileContents = readFileSync(outfile, "utf8");
 		} else {
 			await checkRawWorker(workerScriptPath, () => {});
 		}
 
-		formData.append("_worker.js", new File([workerFileContents], "_worker.js"));
-		logger.log(`✨ Uploading _worker.js`);
+		if (experimentalWorkerBundle) {
+			const workerBundleContents = await createUploadWorkerBundleContents(
+				workerBundle as BundleResult
+			);
+
+			formData.append(
+				"_worker.bundle",
+				new File([workerBundleContents], "_worker.bundle")
+			);
+			logger.log(`✨ Uploading Worker bundle`);
+		} else {
+			formData.append(
+				"_worker.js",
+				new File([workerFileContents], "_worker.js")
+			);
+			logger.log(`✨ Uploading _worker.js`);
+		}
 
 		if (_routesCustom) {
 			// user provided a custom _routes.json file
@@ -278,9 +310,21 @@ export async function publish({
 	 * https://developers.cloudflare.com/pages/platform/functions/
 	 */
 	if (builtFunctions && !_workerJS) {
-		// if Functions were build successfully, proceed to uploading the build file
-		formData.append("_worker.js", new File([builtFunctions], "_worker.js"));
-		logger.log(`✨ Uploading Functions`);
+		if (experimentalWorkerBundle) {
+			const workerBundleContents = await createUploadWorkerBundleContents(
+				workerBundle as BundleResult
+			);
+
+			formData.append(
+				"_worker.bundle",
+				new File([workerBundleContents], "_worker.bundle")
+			);
+			logger.log(`✨ Uploading Functions bundle`);
+		} else {
+			// if Functions were build successfully, proceed to uploading the build file
+			formData.append("_worker.js", new File([builtFunctions], "_worker.js"));
+			logger.log(`✨ Uploading Functions`);
+		}
 
 		if (_routesCustom) {
 			// user provided a custom _routes.json file

package/src/bundle.ts

@@ -116,7 +116,7 @@ export async function bundleWorker(
 		loader?: Record<string, string>;
 		sourcemap?: esbuild.CommonOptions["sourcemap"];
 		plugins?: esbuild.Plugin[];
-		// TODO: Rip these out https://github.com/cloudflare/wrangler2/issues/2153
+		// TODO: Rip these out https://github.com/cloudflare/workers-sdk/issues/2153
 		disableModuleCollection?: boolean;
 		isOutfile?: boolean;
 	}
@@ -344,7 +344,7 @@ export async function bundleWorker(
 		...(process.env.NODE_ENV && {
 			define: {
 				// use process.env["NODE_ENV" + ""] so that esbuild doesn't replace it
-				// when we do a build of wrangler. (re: https://github.com/cloudflare/wrangler2/issues/1477)
+				// when we do a build of wrangler. (re: https://github.com/cloudflare/workers-sdk/issues/1477)
 				"process.env.NODE_ENV": `"${process.env["NODE_ENV" + ""]}"`,
 				...(nodeCompat ? { global: "globalThis" } : {}),
 				...(checkFetch ? { fetch: "checkedFetch" } : {}),
@@ -574,9 +574,10 @@ async function applyMiddlewareLoaderFacade(
 			],
 			outfile: targetPathInsertion,
 		});
-
-		let targetPathLoader = path.join(tmpDirPath, path.basename(entry.file));
-		if (path.extname(entry.file) === "") targetPathLoader += ".js";
+		const targetPathLoader = path.join(
+			tmpDirPath,
+			"middleware-loader.entry.js"
+		);
 		const loaderPath = path.resolve(
 			getBasePath(),
 			"templates/middleware/loader-modules.ts"

package/src/config/config.ts

@@ -18,7 +18,7 @@ import type { CamelCaseKey } from "yargs";
  *
  * Legend for the annotations:
  *
- * - `@breaking`: the deprecation/optionality is a breaking change from wrangler 1.
+ * - `@breaking`: the deprecation/optionality is a breaking change from Wrangler v1.
  * - `@todo`: there's more work to be done (with details attached).
  */
 export type Config = ConfigFields<DevConfig> & Environment;
@@ -32,7 +32,7 @@ export interface ConfigFields<Dev extends RawDevConfig> {
 	configPath: string | undefined;
 
 	/**
-	 * A boolean to enable "legacy" style wrangler environments (from wrangler 1).
+	 * A boolean to enable "legacy" style wrangler environments (from Wrangler v1).
 	 * These have been superseded by Services, but there may be projects that won't
 	 * (or can't) use them. If you're using a legacy environment, you can set this
 	 * to `true` to enable it.
@@ -96,7 +96,7 @@ export interface ConfigFields<Dev extends RawDevConfig> {
 				/**
 				 * The location of your Worker script.
 				 *
-				 * @deprecated DO NOT use this (it's a holdover from wrangler 1.x). Either use the top level `main` field, or pass the path to your entry file as a command line argument.
+				 * @deprecated DO NOT use this (it's a holdover from Wrangler v1.x). Either use the top level `main` field, or pass the path to your entry file as a command line argument.
 				 * @breaking
 				 */
 				"entry-point"?: string;
@@ -216,10 +216,10 @@ export interface DevConfig {
 	 * Protocol that wrangler dev forwards requests on
 	 *
 	 * Setting this to `http` is not currently implemented.
-	 * See https://github.com/cloudflare/wrangler2/issues/583
+	 * See https://github.com/cloudflare/workers-sdk/issues/583
 	 *
 	 * @default `https`
-	 * @todo this needs to be implemented https://github.com/cloudflare/wrangler2/issues/583
+	 * @todo this needs to be implemented https://github.com/cloudflare/workers-sdk/issues/583
 	 */
 	upstream_protocol: "https" | "http";
 
@@ -233,7 +233,7 @@ export type RawDevConfig = Partial<DevConfig>;
 
 export interface DeprecatedConfigFields {
 	/**
-	 * The project "type". A holdover from wrangler 1.x.
+	 * The project "type". A holdover from Wrangler v1.x.
 	 * Valid values were "webpack", "javascript", and "rust".
 	 *
 	 * @deprecated DO NOT USE THIS. Most common features now work out of the box with wrangler, including modules, jsx, typescript, etc. If you need anything more, use a custom build.
@@ -243,7 +243,7 @@ export interface DeprecatedConfigFields {
 
 	/**
 	 * Path to the webpack config to use when building your worker.
-	 * A holdover from wrangler 1.x, used with `type: "webpack"`.
+	 * A holdover from Wrangler v1.x, used with `type: "webpack"`.
 	 *
 	 * @deprecated DO NOT USE THIS. Most common features now work out of the box with wrangler, including modules, jsx, typescript, etc. If you need anything more, use a custom build.
 	 * @breaking

package/src/config/environment.ts

@@ -78,7 +78,7 @@ interface EnvironmentInheritable {
 	 * Whether we use <name>.<subdomain>.workers.dev to
 	 * test and deploy your worker.
 	 *
-	 * @default `true` (This is a breaking change from wrangler 1)
+	 * @default `true` (This is a breaking change from Wrangler v1)
 	 * @breaking
 	 * @inheritable
 	 */
@@ -480,6 +480,13 @@ interface EnvironmentNonInheritable {
 			[key: string]: unknown;
 		}[];
 	};
+
+	mtls_certificates: {
+		/** The binding name used to refer to the certificate in the worker */
+		binding: string;
+		/** The uuid of the uploaded mTLS certificate */
+		certificate_id: string;
+	}[];
 }
 
 /**
@@ -497,7 +504,7 @@ interface EnvironmentDeprecated {
 	/**
 	 * Legacy way of defining KVNamespaces that is no longer supported.
 	 *
-	 * @deprecated DO NOT USE. This was a legacy bug from wrangler 1, that we do not want to support.
+	 * @deprecated DO NOT USE. This was a legacy bug from Wrangler v1, that we do not want to support.
 	 */
 	"kv-namespaces"?: string;
 

package/src/config/index.ts

@@ -108,6 +108,7 @@ export function printBindings(bindings: CfWorkerInit["bindings"]) {
 		vars,
 		wasm_modules,
 		dispatch_namespaces,
+		mtls_certificates,
 	} = bindings;
 
 	if (data_blobs !== undefined && Object.keys(data_blobs).length > 0) {
@@ -306,6 +307,18 @@ export function printBindings(bindings: CfWorkerInit["bindings"]) {
 		});
 	}
 
+	if (mtls_certificates !== undefined && mtls_certificates.length > 0) {
+		output.push({
+			type: "mTLS Certificates",
+			entries: mtls_certificates.map(({ binding, certificate_id }) => {
+				return {
+					key: binding,
+					value: certificate_id,
+				};
+			}),
+		});
+	}
+
 	if (output.length === 0) {
 		return;
 	}

package/src/config/validation.ts

@@ -741,7 +741,7 @@ function isValidRouteValue(item: unknown): boolean {
 
 /**
  * If account_id has been passed as an empty string, normalise it to undefined.
- * This is to workaround older wrangler1-era templates that have account_id = '',
+ * This is to workaround older Wrangler v1-era templates that have account_id = '',
  * which isn't a valid value anyway
  */
 function mutateEmptyStringAccountIDValue(
@@ -760,7 +760,7 @@ function mutateEmptyStringAccountIDValue(
 
 /**
  * Normalize empty string to `undefined` by mutating rawEnv.route value.
- * As part of backward compatibility with Wrangler1 converting empty string to `undefined`
+ * As part of backward compatibility with Wrangler v1 converting empty string to `undefined`
  */
 function mutateEmptyStringRouteValue(
 	diagnostics: Diagnostics,
@@ -1134,6 +1134,16 @@ function normalizeAndValidateEnvironment(
 			validateBindingArray(envName, validateWorkerNamespaceBinding),
 			[]
 		),
+		mtls_certificates: notInheritable(
+			diagnostics,
+			topLevelEnv,
+			rawConfig,
+			rawEnv,
+			envName,
+			"mtls_certificates",
+			validateBindingArray(envName, validateMTlsCertificateBinding),
+			[]
+		),
 		logfwdr: inheritable(
 			diagnostics,
 			topLevelEnv,
@@ -1590,6 +1600,7 @@ const validateUnsafeBinding: ValidatorFn = (diagnostics, field, value) => {
 			"r2_bucket",
 			"service",
 			"logfwdr",
+			"mtls_certificate",
 		];
 
 		if (safeBindings.includes(value.type)) {
@@ -1823,7 +1834,7 @@ const validateD1Binding: ValidatorFn = (diagnostics, field, value) => {
 	}
 	if (isValid && !process.env.NO_D1_WARNING) {
 		diagnostics.warnings.push(
-			"D1 Bindings are currently in alpha to allow the API to evolve before general availability.\nPlease report any issues to https://github.com/cloudflare/wrangler2/issues/new/choose\nNote: Run this command with the environment variable NO_D1_WARNING=true to hide this message\n\nFor example: `export NO_D1_WARNING=true && wrangler <YOUR COMMAND HERE>`"
+			"D1 Bindings are currently in alpha to allow the API to evolve before general availability.\nPlease report any issues to https://github.com/cloudflare/workers-sdk/issues/new/choose\nNote: Run this command with the environment variable NO_D1_WARNING=true to hide this message\n\nFor example: `export NO_D1_WARNING=true && wrangler <YOUR COMMAND HERE>`"
 		);
 	}
 	return isValid;
@@ -2036,6 +2047,42 @@ const validateWorkerNamespaceBinding: ValidatorFn = (
 	return isValid;
 };
 
+const validateMTlsCertificateBinding: ValidatorFn = (
+	diagnostics,
+	field,
+	value
+) => {
+	if (typeof value !== "object" || value === null) {
+		diagnostics.errors.push(
+			`"mtls_certificates" bindings should be objects, but got ${JSON.stringify(
+				value
+			)}`
+		);
+		return false;
+	}
+	let isValid = true;
+	if (!isRequiredProperty(value, "binding", "string")) {
+		diagnostics.errors.push(
+			`"${field}" bindings should have a string "binding" field but got ${JSON.stringify(
+				value
+			)}.`
+		);
+		isValid = false;
+	}
+	if (
+		!isRequiredProperty(value, "certificate_id", "string") ||
+		(value as { certificate_id: string }).certificate_id.length === 0
+	) {
+		diagnostics.errors.push(
+			`"${field}" bindings should have a string "certificate_id" field but got ${JSON.stringify(
+				value
+			)}.`
+		);
+		isValid = false;
+	}
+	return isValid;
+};
+
 function validateQueues(envName: string): ValidatorFn {
 	return (diagnostics, field, value, config) => {
 		const fieldPath =

package/src/create-worker-upload-form.ts

@@ -45,6 +45,7 @@ type WorkerMetadataBinding =
 	| { type: "service"; name: string; service: string; environment?: string }
 	| { type: "analytics_engine"; name: string; dataset?: string }
 	| { type: "dispatch_namespace"; name: string; namespace: string }
+	| { type: "mtls_certificate"; name: string; certificate_id: string }
 	| {
 			type: "logfwdr";
 			name: string;
@@ -166,6 +167,14 @@ export function createWorkerUploadForm(worker: CfWorkerInit): FormData {
 		});
 	});
 
+	bindings.mtls_certificates?.forEach(({ binding, certificate_id }) => {
+		metadataBindings.push({
+			name: binding,
+			type: "mtls_certificate",
+			certificate_id,
+		});
+	});
+
 	bindings.logfwdr?.bindings.forEach(({ name, destination }) => {
 		metadataBindings.push({
 			name: name,