Adapt CLI to wdl.20260701.1 and audit findings#5
Conversation
Harden control transport, effective CONTROL_CONNECT_HOST handling, header validation, request error wrapping, response caps, and token-store writes. Tighten command behavior for tail reconnects, D1 migration uploads, R2 object access, secret mutation errors, workflow status flags, doctor strict mode, and unexpected arguments. Adapt Wrangler packaging for WDL by following config priority, rejecting unsupported modules and flags, checking env binding collisions including implicit ASSETS, capping queue timeout, and cleaning temp configs. Refresh docs, scaffolded examples, and live/unit coverage for the new deploy, runtime, credential, and diagnostics behavior. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
Pull request overview
Updates the WDL companion CLI to match the wdl.20260701.1 control/runtime shape, incorporating audit-driven hardening, stricter local validation, and refreshed docs/examples/tests for the updated platform behavior.
Changes:
- Hardens control transport + credential handling (CONTROL_CONNECT_HOST overrides, header validation, better HTTP/JSON errors) and improves tail reconnection/limits.
- Tightens CLI-side validation and UX across deploy/secret/d1/r2/workflows/doctor (unexpected args, env-budget hints, config priority warnings,
doctor --strict). - Refreshes docs, templates, examples, changelog, and unit/integration coverage (including new runtime features like assets/queues/DO/env overrides).
Reviewed changes
Copilot reviewed 68 out of 69 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/cli-token.test.js | Adds symlink-safe token-store write test. |
| tests/unit/cli-lifecycle.test.js | Expands cross-command validation/error tests. |
| tests/unit/cli-init.test.js | Updates init default compatibility_date assertions. |
| tests/unit/cli-deploy.test.js | Adds deploy validation + temp cleanup tests. |
| tests/unit/cli-d1.test.js | Adds D1 symlink/body-cap/arg validation tests. |
| tests/unit/cli-credentials.test.js | Tests dotenv parsing + insecure URL warnings. |
| tests/unit/cli-control-fetch.test.js | Adds transport/header/connect-host behavior tests. |
| tests/unit/cli-config-doctor.test.js | Adds doctor strict + config shadow tests. |
| tests/unit/cli-bundle-modules.test.js | Updates module type expectations for .py. |
| tests/integration/cli-live.test.js | Extends live coverage (assets/queues/DO/env). |
| templates/AGENTS.md | Updates agent guidance for new constraints. |
| README-zh.md | Fixes docs link to deploy-zh. |
| lib/wrangler/modules.js | Rejects reserved module names + Python modules. |
| lib/wrangler/module-limits.js | Adds reserved injected module name list. |
| lib/wrangler/config.js | Implements Wrangler config priority + shadow list. |
| lib/wrangler/command.js | Adds bundled wrangler resolution fallback. |
| lib/wrangler/bindings.js | Caps queue consumer batch timeout (0..60). |
| lib/wrangler/assets.js | Wraps invalid .assetsignore pattern errors. |
| lib/wrangler-pack.js | Adds shadow warnings, binding collisions, temp cleanup. |
| lib/whoami.js | Passes init env to controlFetch. |
| lib/token-store.js | Switches to temp-file+rename token-store writes. |
| lib/d1-files.js | Wraps file read errors + rejects symlink migrations. |
| lib/credentials.js | Improves insecure URL warnings + dotenv robustness. |
| lib/control-fetch.js | Adds CONNECT_HOST overrides, UA, header validation, error wrapping. |
| lib/common.js | Better JSON/HTTP error formatting + path segment validation. |
| lib/command.js | Threads env into insecure URL warnings. |
| lib/bundle-modules.js | Drops Python wire module emission (WDL unsupported). |
| GUIDE.md | Updates docs for strict doctor, tail recycle, constraints. |
| GUIDE-zh.md | Mirrors GUIDE updates in Chinese. |
| examples/workflows-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/queues-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/pages-assets/wrangler.jsonc | Bumps compatibility_date baseline. |
| examples/kv-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/inspection-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/inspection-demo/README.md | Updates compatibility_date mention. |
| examples/hello-jsonc/wrangler.jsonc | Bumps compatibility_date baseline. |
| examples/env-overrides-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/durable-objects-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/d1-demo/wrangler.toml | Bumps compatibility_date baseline. |
| examples/cron-demo/wrangler.toml | Bumps compatibility_date baseline. |
| docs/secrets.md | Documents atomic mutations + env budget impacts. |
| docs/secrets-zh.md | Chinese counterpart for secrets updates. |
| docs/r2.md | Documents limit validation + key segment rules. |
| docs/r2-zh.md | Chinese counterpart for r2 updates. |
| docs/queues.md | Documents max_batch_timeout constraint. |
| docs/queues-zh.md | Chinese counterpart for queues updates. |
| docs/env-overrides.md | Updates examples to new baseline date. |
| docs/env-overrides-zh.md | Chinese counterpart for env override updates. |
| docs/durable-objects.md | Adds _cf_ SQLite reserved-name guidance. |
| docs/durable-objects-zh.md | Chinese counterpart for DO guidance. |
| docs/deploy.md | Documents config priority + constraints + new errors. |
| docs/deploy-zh.md | Chinese counterpart for deploy doc updates. |
| docs/d1.md | Documents migrations cap + file readability rules. |
| docs/d1-zh.md | Chinese counterpart for d1 doc updates. |
| commands/workflows.js | Adds local validation for step-limit/include-steps. |
| commands/whoami.js | Passes effective env into whoami fetch. |
| commands/token.js | Threads env into whoami + insecure URL warning. |
| commands/tail.js | Adds header validation, connect timeout, recycle handling, SSE line cap. |
| commands/secret.js | Adds arg validation + richer mutation error hints. |
| commands/r2.js | Adds local limit validation + interactive stdout guard. |
| commands/init.js | Updates default compatibility_date constant. |
| commands/doctor.js | Adds --strict and config shadow reporting. |
| commands/deploy.js | Renders deploy warnings from error bodies + adds hints/arg validation. |
| commands/delete.js | Rejects unexpected positional arguments. |
| commands/d1.js | Adds arg validation + migrations body size preflight + config shadow warning. |
| CHANGELOG.md | Documents behavior changes, fixes, and security items. |
| bin/wdl.js | Adds wdl help <command> and stdout help routing. |
| AGENTS.md | Updates repo-level guidance on compatibility_date baseline. |
| .claude/skills/wdl-deploy/SKILL.md | Updates deploy skill docs for new constraints/baseline. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Keep deploy validation to CLI-owned packaging checks: Python module fail-fast, binding collisions including implicit ASSETS, and D1 migration 413 surfacing. Remove duplicated worker module-limit policy and leave canonical worker-code/compat-flag rejection to control. Harden token-store mutations with lock ownership, retry-safe temp writes, and escaped token diagnostics. Sync deploy/token/queue docs and agent guidance; make tail abort close SSE sockets with an explicit abort error. Signed-off-by: Lu Zhang <lu@wdl.dev>
Escape hostile argv, config, and filesystem-derived values before they reach human CLI errors. Wrap D1 migration file read failures as CliError, make direct command runner parse errors safe, and add regression coverage for terminal-control injection paths across init, d1, deploy, lifecycle, and shared command parsing. Signed-off-by: Lu Zhang <lu@wdl.dev>
Reject unmapped Wrangler runtime/deploy config instead of silently dropping it, tighten terminal-safe diagnostics, and sync deploy/env override docs with the effective CLI behavior. Cover CONTROL_CONNECT_HOST validation, deploy/delete/tail output escaping, env-specific DO migrations, and unsupported Wrangler runtime policy keys. Signed-off-by: Lu Zhang <lu@wdl.dev>
Avoid duplicate deploy warning context, report corrupt token stores in doctor, sync deploy docs for worker_code_too_large, and share small terminal-safe display helpers. Validation: npm run lint; npm run typecheck; npm test; git diff --check. Signed-off-by: Lu Zhang <lu@wdl.dev>
| function hasConfiguredKey(record, key) { | ||
| if (!record || !Object.hasOwn(record, key)) return false; | ||
| const value = record[key]; | ||
| return value == null || Array.isArray(value) ? hasConfiguredValue(value) : true; | ||
| } |
Escape remaining config diagnostics, restore dispatcher/version fallbacks, handle token-store doctor failures, and align secret-envelope deploy/docs guidance. Validation: git diff --cached --check; npm run typecheck; npm run lint; npm test; npm audit --audit-level=moderate; npm pack --dry-run. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: adbe1ac1ad
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| function bundledWrangler() { | ||
| try { | ||
| const script = resolveFromHere.resolve("wrangler/bin/wrangler.js"); |
There was a problem hiding this comment.
Use an exported Wrangler entry for package fallback
When Wrangler is available only through Node package resolution rather than a physical CLI_DIR/node_modules/wrangler tree (for example a hoisted install), this fallback is supposed to run the CLI's declared wrangler dependency. However, the pinned Wrangler package does not export ./bin/wrangler.js (checked its package.json exports), so this resolve() throws ERR_PACKAGE_PATH_NOT_EXPORTED and the fallback always returns null; deploy then falls through to PATH/npx and can fail even though the dependency is installed. Resolve the exported package entry or resolve wrangler/package.json and join to bin/wrangler.js instead.
Useful? React with 👍 / 👎.
Summary
Validation
npm run typechecknpm run lintnpm testnpm pack --dry-runnpm audit --audit-level=moderate