[ { "path": ".bazelignore", "content": "node_modules\nimages/container-client-test/node_modules\nsrc/workerd/api/tests/opennextjs/src/node_modules\n\n# Nested modules\nbuild/google-benchmark\nbuild/perfetto\nbuild/workerd-v8\n" }, { "path": ".bazelrc", "content": "common --enable_platform_specific_config\nbuild --verbose_failures\nbuild --build_tag_filters=-off-by-default,-requires-container-engine\n# block network access by default\nbuild --nosandbox_default_allow_network\ntest --test_tag_filters=-off-by-default,-requires-fuzzilli,-requires-container-engine\ntest:asan --test_tag_filters=-off-by-default,-no-asan,-requires-fuzzilli,-requires-container-engine\n# exclude enormous tests by default\nbuild --test_size_filters=-enormous\n\n# use lower test timeouts: https://bazel.build/reference/test-encyclopedia#role-test-runner\n# corresponds to small,medium,large,enormous tests (medium is default)\nbuild --test_timeout=3,15,60,240\n\n# As part of starlarkification, Bazel 8 and 9 remove a number of rules which now need to be imported\n# from other repositories. In the long term, load() statements will be needed to import these rules.\n# For now, we can still autoload the affected repositories when needed. Do this only for a remaining\n# protobuf components and rules_cc (needed with Bazel 9).\ncommon --incompatible_autoload_externally=\"+ProtoInfo,+cc_binary,+cc_import,+cc_library,+cc_shared_library,+cc_test,+cc_toolchain\"\n\n# TODO(cleanup): Bazel 9 sets this by default, which breaks the macOS-cross build. Fix and re-enable.\ncommon --@bazel_tools//tools/test:incompatible_use_default_test_toolchain=False\n\n# Enable proto toolchain resolution to use prebuilt protoc (starting with protobuf v34.0). Will be\n# the default starting with Bazel 10.\ncommon --incompatible_enable_proto_toolchain_resolution\n\n# bazel7 enables Build without the Bytes (BwoB) by default. This significantly speeds up builds\n# using the remote cache since less data needs to be fetched.\n# Note that we use remote_download_minimal for test builds, which avoids fetching build outputs\n# where possible. While several previous BwoB bugs have been fixed, this is slower than it could be\n# due to https://github.com/bazelbuild/bazel/issues/20576.\n\n# Import CI-specific configuration. As the amount of custom configuration settings we use grows,\n# consider moving more flags out to separate files.\nimport %workspace%/build/ci.bazelrc\nimport %workspace%/build/rust_lint.bazelrc\nimport %workspace%/build/tools/clang_tidy/clang_tidy.bazelrc\n\n# Continue building locally when remote cache entries fail to materialize\nbuild --incompatible_remote_local_fallback_for_remote_cache\n\n# TODO(soon): Flipped by default in Bazel 9, add required variables to --repo_env and enable\nbuild --noincompatible_repo_env_ignores_action_env\n\n# Use -isystem for cc_library includes attribute – this prevents warnings for misbehaving external\n# code.\nbuild:linux --features=external_include_paths --host_features=external_include_paths\n\n# Forward compatibility with future Bazel versions:\n# Disable deprecated cfg = \"host\" Bazel rule setting. Blocked on perfetto.\n# common --incompatible_disable_starlark_host_transitions\n\n# Our dependencies (ICU, zlib, etc.) produce a lot of these warnings, so we disable them.\nbuild --per_file_copt='external@-Wno-error'\nbuild --per_file_copt='external@-Wno-suggest-override'\nbuild --per_file_copt='external/.*v8@-Wno-unused-function'\nbuild --per_file_copt='external/zlib@-Wno-deprecated-non-prototype'\nbuild --host_per_file_copt='external/zlib@-Wno-deprecated-non-prototype'\nbuild --per_file_copt=external/protobuf@-Wno-deprecated-declarations\nbuild --host_per_file_copt=external/protobuf@-Wno-deprecated-declarations\n\n# opt in to capnp deprecation warnings about trying to attach to a refcounted object\nbuild --cxxopt=-DKJ_WARN_REFCOUNTED_ATTACH=1\n\n# TODO(cleanup): Causes warnings with LLVM20, fix and enable again\nbuild --copt=-Wno-nontrivial-memaccess\n\n# Unconditionally optimize V8 heap.cc on macOS – when optimization or inlining are disabled, this\n# file appears to cause segfaults at workerd startup on macOS.\n# TODO(cleanup): Investigate why this happens, our patches do not modify heap.cc itself so the bug\n# might be introduced through a header included in heap.cc, through the Bazel build configuration or\n# a bug in Apple LLVM.\nbuild:macos --per_file_copt=v8/src/heap/heap.cc@-O3\n\n# The macOS apple_support toolchain sets -DDEBUG for fastbuild, unlike the Linux toolchain. This is\n# unhelpful for compile speeds and test performance, and may cause compile errors based on V8 DCHECK\n# macros that reference symbols only available with V8_VERIFY_WRITE_BARRIERS (a debug-only define),\n# causing compile errors. Undefine DEBUG to match Linux behavior.\nbuild:macos --copt=-UDEBUG\n\n# Increasing the optimization level of V8 significantly speeds up tests using V8 a lot, especially\n# python tests. This is useful for both CI and local development and enabled by default, but still\n# kept in a separate configuration to make it easy to disable.\nbuild:v8-codegen-opt --per_file_copt=v8/src@-O3\n# V8 is heavily using absl for hashing now, optimize it too.\nbuild:v8-codegen-opt --per_file_copt=external/abseil-cpp@-O3\n# zlib and tcmalloc (for Linux) are also CPU-intensive, optimize them too.\nbuild:v8-codegen-opt --per_file_copt=external/tcmalloc@-O3\nbuild:v8-codegen-opt --per_file_copt=external/zlib@-O3\n# BoringSSL is CPU-intensive for crypto tests, optimize it too.\nbuild:v8-codegen-opt --per_file_copt=external/boringssl@-O3\n# simdutf is used for fast string encoding/decoding\nbuild:v8-codegen-opt --per_file_copt=external/+http+simdutf@-O3\n# ICU and perfetto are generally updated with V8 and rarely need to be updated, optimize them too.\nbuild:v8-codegen-opt --per_file_copt=external/.*com_googlesource_chromium_icu@-O3\nbuild:v8-codegen-opt --per_file_copt=external/perfetto@-O3\n\nbuild:v8-codegen-opt-windows --per_file_copt=v8/src@/O2,/clang:-O3\nbuild:v8-codegen-opt-windows --per_file_copt=external/abseil-cpp@/O2,/clang:-O3\nbuild:v8-codegen-opt-windows --per_file_copt=external/zlib@/O2,/clang:-O3\nbuild:v8-codegen-opt-windows --per_file_copt=external/boringssl@/O2,/clang:-O3\nbuild:v8-codegen-opt-windows --per_file_copt=external/+http+simdutf@/O2,/clang:-O3\nbuild:v8-codegen-opt-windows --per_file_copt=external/.*com_googlesource_chromium_icu@/O2,/clang:-O3\nbuild:v8-codegen-opt-windows --per_file_copt=external/perfetto@/O2,/clang:-O3\n\nbuild:unix --config=v8-codegen-opt\nbuild:windows --config=v8-codegen-opt-windows\n\n# In Google projects, exceptions are not used as a rule. Disabling them is more consistent with the\n# canonical V8 build and improves code size. Paths are adjusted for bzlmod mangling – V8 and ICU use\n# a wildcard for this as the prefix is some variation of +_repo_rules3+ where the number can change\n# when refactoring MODULE.bazel – setting this directly would be too brittle\nbuild:unix --per_file_copt=external/abseil-cpp@-fno-exceptions\nbuild:unix --per_file_copt=external/protobuf@-fno-exceptions\nbuild:unix --per_file_copt=external/tcmalloc@-fno-exceptions\nbuild:unix --per_file_copt=external/.*com_googlesource_chromium_icu@-fno-exceptions\nbuild:unix --per_file_copt=external/perfetto@-fno-exceptions\nbuild:unix --per_file_copt=external/boringssl@-fno-exceptions\nbuild:unix --per_file_copt=external/.*v8@-fno-exceptions\nbuild:unix --per_file_copt=external/ada-url@-fno-exceptions\nbuild:unix --per_file_copt=external/+http+simdutf@-fno-exceptions\nbuild:windows --per_file_copt=external/abseil-cpp@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/protobuf@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/tcmalloc@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/.*com_googlesource_chromium_icu@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/perfetto@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/boringssl@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/.*v8@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/ada-url@/clang:-fno-exceptions\nbuild:windows --per_file_copt=external/+http+simdutf@/clang:-fno-exceptions\n\n# V8 torque is an exception from this policy, see v8 BUILD.gn.\nbuild:unix --per_file_copt=external/.*v8/src/torque@-fexceptions\nbuild:windows --per_file_copt=external/.*v8/src/torque@/clang:-fexceptions\n\n# Limit transitive header includes within libc++. This improves compliance with IWYU, helps avoid\n# errors with downstream projects that implicitly define this already and reduces total include size.\nhttps://libcxx.llvm.org/DesignDocs/HeaderRemovalPolicy.html\nbuild:unix --cxxopt=-D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES --host_cxxopt=-D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES\n# Do not enable libc++ ABI tags. This makes mangled symbol names and thus include overhead and code\n# size slightly smaller and is safe as long as we don't link with several copies of libc++.\nbuild:unix --cxxopt=-D_LIBCPP_NO_ABI_TAG --host_cxxopt=-D_LIBCPP_NO_ABI_TAG\n# Disable the experimental (and currently incomplete) parallel STL implementation as with\n# downstream, this reduces the include overhead for .\nbuild:unix --cxxopt=-D_LIBCPP_HAS_NO_INCOMPLETE_PSTL --host_cxxopt=-D_LIBCPP_HAS_NO_INCOMPLETE_PSTL\n\n# V8 redefines the _WIN32_WINNT set by bazel, disable warnings for redefined macros. Since V8 uses\n# a global define for this, we need to apply it for everything.\n# TODO(cleanup): Patch upstream V8 to use local_defines for this instead.\nbuild:windows --copt='-Wno-macro-redefined'\nbuild:windows --host_copt='-Wno-macro-redefined'\n\n# typescript configuration\n# do more correct type checking\ncommon --@aspect_rules_ts//ts:skipLibCheck=honor_tsconfig\n# Use \"tsc\" as the transpiler when ts_project has no `transpiler` set.\ncommon --@aspect_rules_ts//ts:default_to_tsc_transpiler\n\n# optimized LTO build.\nbuild:thin-lto --config=opt\nbuild:thin-lto --copt='-flto=thin'\nbuild:thin-lto --linkopt='-flto=thin'\n\n# configuration used for performance profiling\nbuild:profile --config=thin-lto\nbuild:profile --copt=\"-fno-omit-frame-pointer\" --copt=\"-mno-omit-leaf-frame-pointer\"\nbuild:profile --config=limited-dbg-info\nbuild:profile --strip=never\n\n# configuration used for performance benchmarking is the same as profiling for consistency\nbuild:benchmark --config=profile\n\n# Define a debug config which is primarily intended for local development.\nbuild:debug -c dbg\n\n# Using simple template names saves around 5% of binary size of workerd.\nbuild:unix --cxxopt='-gsimple-template-names' --host_cxxopt='-gsimple-template-names'\n# Enable hidden visibility for inline functions. This can cause problems when comparing pointers to\n# inline functions across shared library boundaries, but this is unlikely to be done anywhere\n# within workerd, V8 explicitly supports hidden visibility.\nbuild:unix --cxxopt='-fvisibility-inlines-hidden' --host_cxxopt='-fvisibility-inlines-hidden'\n\n# Define a config mode which is fastbuild but with basic debug info.\nbuild:fastdbg -c fastbuild\nbuild:fastdbg --config=limited-dbg-info\nbuild:fastdbg --config=rust-debug\nbuild:fastdbg --strip=never\nbuild:fastdbg --//:dead_strip=False\n\n# provide a limited amount of debug info, sufficient for qualified stack traces.\nbuild:limited-dbg-info --copt='-g1' --copt=\"-fdebug-info-for-profiling\"\n\n# Miscellaneous platform-independent options\nbuild --@capnp-cpp//src/kj:openssl=True --@capnp-cpp//src/kj:zlib=True --@capnp-cpp//src/kj:brotli=True\nbuild --@capnp-cpp//src/capnp:gen_rust=True\n# always have KJ_IREQUIRE checks enabled, this matches workers production.\nbuild --@capnp-cpp//src/kj:kj_enable_irequire=True\n# overriden in config=opt\nbuild --@capnp-cpp//src/kj:debug_memory=True\nbuild --cxxopt=\"-fbracket-depth=512\" --host_cxxopt=\"-fbracket-depth=512\"\n\n# Additional Rust flags (see https://doc.rust-lang.org/rustc/codegen-options/index.html)\n# Need to disable debug-assertions for fastbuild, should be off automatically for opt.\n# Using extra_rustc_flag for non-exec flags so they can be overwritten selectively.\nbuild --@rules_rust//:extra_rustc_flag=-Cdebug-assertions=n\nbuild --@rules_rust//:extra_exec_rustc_flags=-Cdebug-assertions=n\nbuild --@rules_rust//:rustfmt.toml=//src/rust:rustfmt.toml\n\n# We default to not enabling debug assertions and unwinding for Rust. For debug builds this is not\n# the right setting, but unfortunately we can't set that directly.\nbuild:rust-debug --@rules_rust//:extra_rustc_flag=-Cdebug-assertions=y\n# Use the equivalent of -g/-g2 for Rust here, this is necessary to get qualified stack traces while\n# -Zdebug-info-for-profiling is unavailable. Unlike gcc/clang, Rust defaults to -g3 otherwise.\nbuild:rust-debug --@rules_rust//:extra_rustc_flag=-Cdebuginfo=1\nbuild:rust-debug --@rules_rust//:extra_rustc_flag=-Cstrip=none\n\n# Adding -C lto=thin here would improve binary size significantly – disable it for now due to\n# compile errors and wrong code generation when bazel and rust use different LLVM versions.\nbuild:thin-lto --@rules_rust//:extra_rustc_flag=-Ccodegen-units=1\n\n# common sanitizers options\nbuild:sanitizer-common --@workerd//src/workerd/server:use_tcmalloc=False\nbuild:sanitizer-common --copt=\"-fsanitize-link-c++-runtime\" --linkopt=\"-fsanitize-link-c++-runtime\"\nbuild:sanitizer-common --copt=\"-Og\"\nbuild:sanitizer-common --copt=\"-g\" --strip=never\nbuild:sanitizer-common --copt=\"-fno-optimize-sibling-calls\"\nbuild:sanitizer-common --copt=\"-fno-omit-frame-pointer\" --copt=\"-mno-omit-leaf-frame-pointer\"\n\n# address sanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer)\nbuild:asan --config=sanitizer-common\nbuild:asan --copt=\"-fsanitize=address\" --linkopt=\"-fsanitize=address\"\nbuild:asan --test_env=ASAN_OPTIONS=abort_on_error=true\nbuild:asan --test_env=KJ_CLEAN_SHUTDOWN=1\n# Enable ASan, LSan support in V8\nbuild:asan --copt=\"-DV8_USE_ADDRESS_SANITIZER\"\nbuild:asan --per_file_copt='external/.*v8@-DADDRESS_SANITIZER,-DLEAK_SANITIZER'\n\n# fuzzilli (https://github.com/googleprojectzero/fuzzilli/)\nbuild:fuzzilli --config=asan\nbuild:fuzzilli --copt=\"-DWORKERD_FUZZILLI\"\nbuild:fuzzilli --linkopt=\"-DWORKERD_FUZZILLI\"\nbuild:fuzzilli --copt=\"-fsanitize-coverage=trace-pc-guard\"\nbuild:fuzzilli --linkopt=\"-fsanitize-coverage=trace-pc-guard\"\nbuild:fuzzilli --linkopt=\"-static-libasan\"\n# Set ASan/UBSan options globally to abort on error (raise SIGABRT) for proper Fuzzilli crash detection\nbuild:fuzzilli --action_env=ASAN_OPTIONS=abort_on_error=1:symbolize=false\nbuild:fuzzilli --action_env=UBSAN_OPTIONS=abort_on_error=1:symbolize=false\n# Override test filters to include requires-fuzzilli tests (inherits asan's -no-asan filter)\ntest:fuzzilli --test_tag_filters=-off-by-default\n\n#\n# Linux and macOS\n#\nbuild:unix --workspace_status_command=./tools/unix/workspace-status.sh\n\nbuild:unix --cxxopt='-std=c++23' --host_cxxopt='-std=c++23'\nbuild:unix --@capnp-cpp//src/kj:libdl=True\n\n# Bazel uses CC to compile C and C++ actions, no need to define CXX.\nbuild:unix --action_env=BAZEL_COMPILER=clang\nbuild:unix --action_env=CC=clang\n\nbuild:unix --test_env=LLVM_SYMBOLIZER=llvm-symbolizer\n\n# Warning options.\nbuild:unix --cxxopt='-Wall' --host_cxxopt='-Wall'\nbuild:unix --cxxopt='-Wextra' --host_cxxopt='-Wextra'\nbuild:unix --cxxopt='-Wunused-function' --host_cxxopt='-Wunused-function'\nbuild:unix --cxxopt='-Wunused-lambda-capture' --host_cxxopt='-Wunused-lambda-capture'\nbuild:unix --cxxopt='-Wunused-variable' --host_cxxopt='-Wunused-variable'\nbuild:unix --cxxopt='-Wno-sign-compare' --host_cxxopt='-Wno-sign-compare'\nbuild:unix --cxxopt='-Wno-unused-parameter' --host_cxxopt='-Wno-unused-parameter'\nbuild:unix --cxxopt='-Wno-missing-field-initializers' --host_cxxopt='-Wno-missing-field-initializers'\nbuild:unix --cxxopt='-Wsuggest-override'\n\nbuild:linux --config=unix\nbuild:macos --config=unix\n\n# Support macOS 13 as the minimum version. There should be at least a warning when backward\n# compatibility is broken as -Wunguarded-availability-new is enabled by default. Only enable for\n# target configuration as host configuration tools are only used during the build process.\nbuild:macos --macos_minimum_os=13.5\n\n# Avoid emitting duplicate unwind info where compact unwind info can be used. This reduces the\n# object size by ~5% on average, improving disk space usage and link times. The final binary size\n# is not affected. Note that this is on-by-default on arm64, but turning it on for all mac builds\n# is easier than adding the flag only on x86. See https://reviews.llvm.org/D122258 for detailed\n# information on the flag.\nbuild:macos --copt='-femit-dwarf-unwind=no-compact-unwind'\n\n# Cross-Compilation\n# Only cross-compiling on macOS from Apple Silicon to x86_64 is supported – using apple_support\n# makes this much easier than on other platforms. We could define a configuration for cross-\n# compiling from Intel Mac too, but it lacks a means to run Apple Silicon binaries. We would have to\n# change V8 mksnapshot to build in the host configuration again (effectively compiling much of V8\n# twice) and couldn't run tests, so it would provide little value.\n#\n# Define the target platform\nbuild:macos-cross-x86_64 --cpu=darwin_x86_64 --host_cpu=darwin_arm64 --platforms //:macOS_x86\n# Some cross-compiled tests are slower when run over Rosetta, increase the medium test size timeout.\n# Test performance is still very much satisfactory considering that emulation is being used here.\nbuild:macos-cross-x86_64 --test_timeout=1,30,60,240\n\n# On Linux, always link libc++ statically to avoid compatibility issues with different OS versions.\n# macOS links with dynamic libc++ by default, which has good backwards compatibility.\n# Drop default link flags, which include libstdc++ for Linux\nbuild:linux --features=-default_link_libs --host_features=-default_link_libs\nbuild:linux --cxxopt='-stdlib=libc++' --host_cxxopt='-stdlib=libc++'\nbuild:linux --linkopt='-stdlib=libc++' --host_linkopt='-stdlib=libc++'\nbuild:linux --linkopt='-l:libc++.a' --linkopt='-lm' --linkopt='-static-libgcc'\n# We don't expect to distribute host tools, no need to statically link libgcc.\n# TODO(cleanup): Ideally we'd also use shared libc++ here, we'd just need to install the\n# libunwind--dev and libc++abi--dev packages on CI to have all of shared libc++\n# available.\nbuild:linux --host_linkopt='-l:libc++.a' --host_linkopt='-lm'\n\n# On Linux, enable PIC. In macos pic is the default, and the objc_library rule does not work\n# correctly if we use this flag since it will not find the object files to include\n# https://github.com/bazelbuild/bazel/issues/12439#issuecomment-914449079\nbuild:linux --force_pic\n\n# On Linux, garbage collection sections and optimize binary size. These do not apply to the macOS\n# toolchain.\nbuild:linux --linkopt=\"-Wl,--gc-sections\"\nbuild:linux --copt=\"-ffunction-sections\" --host_copt=\"-ffunction-sections\"\nbuild:linux --copt=\"-fdata-sections\" --host_copt=\"-fdata-sections\"\n\n# On Linux, use clang lld.\nbuild:linux --linkopt=\"-fuse-ld=lld\"\n\n#\n# Windows\n#\n\n# See https://bazel.build/configure/windows#symlink\nstartup --windows_enable_symlinks\nbuild:windows --workspace_status_command=./tools/windows/workspace-status.cmd\nbuild:windows --enable_runfiles\n# We use LLVM's MSVC-compatible compiler driver to compile our code on Windows,\n# as opposed to using MSVC directly. This enables us to use the \"same\" compiler\n# frontend on Linux, macOS, and Windows, massively reducing the effort required\n# to compile workerd on Windows. Notably, this provides proper support for\n# `#pragma once` when using symlinked virtual includes, `__atomic_*` functions,\n# a standards-compliant preprocessor, support for GNU statement expressions\n# used by some KJ macros, and understands the `.c++` extension by default.\n# As of bazel 7, toolchain resolution is enabled by default, so we need to define a platform for\n# the clang-cl build.\nbuild:windows --extra_toolchains=@local_config_cc//:cc-toolchain-x64_windows-clang-cl\nbuild:windows --extra_execution_platforms=//:x64_windows-clang-cl\n\n# The Windows fastbuild bazel configuration is broken in that it necessarily generates PDB debug\n# information while the Linux and macOS toolchains only compile with debug information in the dbg\n# configuration or when requested with the -g flag. This causes huge increases in compile time and\n# disk/cache space usage – a single test may come with a 490MB PDB file.\n# In an optional configuration, use the opt configuration and manually disable optimizations as a\n# workaround.\n\nbuild:windows_no_dbg -c opt\nbuild:windows_no_dbg --copt='/Od'\nbuild:windows_no_dbg --linkopt='/INCREMENTAL:NO'\nbuild:windows_no_dbg --features=-smaller_binary\n\n# Mitigate the large size impact of Windows debug binaries somewhat by applying string merging and\n# linker garbage collection.\nbuild:windows_dbg --config=debug\nbuild:windows_dbg --copt='/Gy' --copt='/Gw'\nbuild:windows_dbg --linkopt='/OPT:REF'\nbuild:windows_dbg --linkopt='/OPT:LLDTAILMERGE' --linkopt='/OPT:SAFEICF'\n\n# This hides inline symbols in classes that are marked to be exported, similar to\n# -fvisibility-inlines-hidden on Unix systems (https://blog.llvm.org/2018/11/30-faster-windows-builds-with-clang-cl_14.html)\n# Currently this only reduces object sizes slightly, larger gains are possible if we compile V8 as\n# a shared library.\nbuild:windows --copt='/Zc:dllexportInlines-'\n\n# Configuration for header parsing. Requires bazel toolchain support (available for macOS, Linux).\nbuild:parse_headers --features=parse_headers --process_headers_in_dependencies\n# Silence some capnproto warnings/errors that are not relevant for header parsing\nbuild:parse_headers --per_file_copt='.*\\.h@-Wno-unused-function,-Wno-pragma-system-header-outside-header'\nbuild:parse_headers --per_file_copt=external/+http+capnp-cpp/src/kj/common.h@-Wno-unreachable-code\nbuild:parse_headers --per_file_copt=external/+http+capnp-cpp/src/capnp/arena.h@-DCAPNP_PRIVATE\n\n# optimized configuration\nbuild:opt -c opt\nbuild:opt --@capnp-cpp//src/kj:debug_memory=False\n\n# Release configuration.\nbuild:release --config=opt\nbuild:release --@rules_rust//:extra_rustc_flag=-Ccodegen-units=1\n\n# enable -O3 for the release configuration. Based on benchmarking there is little difference in\n# performance, but -O3 should generally be expected to be faster for at least parts of the workerd API.\nbuild:release_unix --copt='-O3'\nbuild:release_unix --config=release\n\nbuild:release_linux --config=release_unix\nbuild:release_linux --linkopt=\"-Wl,-O2\"\n\nbuild:release_macos --config=release_unix\n# Disable generating LC_DATA_IN_CODE and LC_FUNCTION_STARTS binary sections, two rarely used types\n# of macOS debug info. These sections are largely undocumented, but are used by LLDB to improve\n# debugging on binaries that are otherwise stripped. There should be no need to include this\n# data in releases.\nbuild:release_macos --linkopt=\"-Wl,-no_data_in_code_info\"\nbuild:release_macos --linkopt=\"-Wl,-no_function_starts\"\n\n# Cross-compiled release build for x86_64.\nbuild:release_macos_cross_x86_64 --config=release_macos\nbuild:release_macos_cross_x86_64 --config=macos-cross-x86_64\n\n# On macOS, optionally compile using LLD (19 or higher is compatible with the default flags added by\n# apple_support). Requires Homebrew's lld package to be installed and symlinked into /usr/local/bin.\n# This is less CPU intensive than the system linker, but also slightly slower in terms of wall time\n# since it is less parallel. More importantly, it allows us to enable LLD's ICF pass, which\n# significantly decreases binary sizes. We could use Xcode 16's -Wl,-deduplicate option instead, but\n# LLD's ICF appears to be superior. We also want to enable ICF for Linux, but there it causes\n# warnings when dynamically linking with libc++.\nbuild:macos_lld --linkopt=-fuse-ld=lld --linkopt=--ld-path=/usr/local/bin/ld64.lld\nbuild:macos_lld_icf --config=macos_lld\nbuild:macos_lld_icf --linkopt=\"-Wl,--icf=safe\"\n\nbuild:release_windows --config=release\n# Windows uses /O2 as its preferred optimization setting and enabled by bazel in the opt\n# configuration, but for clang-cl this is equivalent to only -O2 and a few other things. -O3 is\n# not exposed directly in the clang-cl driver, but we can access regular clang\n# flags using the /clang prefix anyway. https://clang.llvm.org/docs/UsersManual.html#the-clang-option\nbuild:release_windows --copt=\"/clang:-O3\"\n# clang-cl does not enable strict aliasing by default to match MSVC's approach, unlike clang on\n# Unix which turns it on for opt builds.\nbuild:release_windows --copt=\"-fstrict-aliasing\"\n# This file breaks our CI windows release builds when compiled using O2/O3\n# Ref: https://github.com/llvm/llvm-project/issues/136481\nbuild:release_windows --per_file_copt=.*capnp/rpc\\.c++@/clang:-O1\n\nbuild:windows --cxxopt='/std:c++23preview' --host_cxxopt='/std:c++23preview'\nbuild:windows --copt='/D_CRT_USE_BUILTIN_OFFSETOF' --host_copt='/D_CRT_USE_BUILTIN_OFFSETOF'\nbuild:windows --copt='/DWIN32_LEAN_AND_MEAN' --host_copt='/DWIN32_LEAN_AND_MEAN'\nbuild:windows --copt='/EHs' --host_copt='/EHs'\n# The `/std:c++23preview` argument is unused during BoringSSL compilation and we don't\n# want a warning when compiling each file.\nbuild:windows --per_file_copt=external/boringssl@-Wno-unused-command-line-argument --host_per_file_copt=external/boringssl@-Wno-unused-command-line-argument\n\n# MSVC disappointingly sets __cplusplus to 199711L by default. Defining /Zc:__cplusplus makes it\n# set the correct value. We currently don't check __cplusplus, but some dependencies do.\nbuild:windows --cxxopt='/Zc:__cplusplus' --host_cxxopt='/Zc:__cplusplus'\n\n# Coverage configuration using LLVM tools. These environment variables are used by rules_cc\n# to locate LLVM coverage tools. Users should ensure llvm-profdata and llvm-cov are available\n# in PATH (create symlinks to version-specific binaries if needed, e.g., ln -s llvm-cov-19 llvm-cov).\nbuild:coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1\nbuild:coverage --test_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1\n# GCOV is used by rules_cc to merge raw profile data (.profraw) into indexed profile data (.profdata)\nbuild:coverage --action_env=GCOV=llvm-profdata\nbuild:coverage --test_env=GCOV=llvm-profdata\n# COVERAGE_GCOV_PATH is used by collect_cc_coverage.sh for merging .profraw files.\nbuild:coverage --action_env=COVERAGE_GCOV_PATH=/usr/bin/llvm-profdata\nbuild:coverage --test_env=COVERAGE_GCOV_PATH=/usr/bin/llvm-profdata\n# BAZEL_LLVM_COV is used by rules_cc to generate coverage reports from profile data\nbuild:coverage --action_env=BAZEL_LLVM_COV=llvm-cov\nbuild:coverage --test_env=BAZEL_LLVM_COV=llvm-cov\n# LLVM_COV is used by collect_cc_coverage.sh for generating LCOV output\nbuild:coverage --test_env=LLVM_COV=llvm-cov\n# GENERATE_LLVM_LCOV=1 tells collect_cc_coverage.sh to use llvm-cov export to generate LCOV format\n# instead of just outputting raw profdata. LLVM_COV specifies the llvm-cov binary to use.\nbuild:coverage --test_env=GENERATE_LLVM_LCOV=1\nbuild:coverage --experimental_use_llvm_covmap\nbuild:coverage --experimental_generate_llvm_lcov\n# Ensure that we fetch coverage data from remote cache\nbuild:coverage --experimental_fetch_all_coverage_outputs\nbuild:coverage --experimental_split_coverage_postprocessing\n# Allow coverage outputs to be writable for post-processing\nbuild:coverage --experimental_writable_outputs\nbuild:coverage --collect_code_coverage\n# Only instrument source code, not tests or tools - significantly speeds up coverage builds\nbuild:coverage --instrumentation_filter=\"^//src/workerd[/:],^//src/rust[/:]\"\nbuild:coverage --instrument_test_targets\n# Disable coverage instrumentation for external dependencies to speed up compilation.\n# Coverage for V8/external code is not useful for our purposes.\n# These flags negate -fprofile-instr-generate and -fcoverage-mapping set by rules_cc.\nbuild:coverage --per_file_copt=external/.*@-fno-profile-instr-generate,-fno-coverage-mapping\n# KJ uses _exit() by default which bypasses atexit handlers and prevents LLVM profile runtime\n# from writing coverage data. KJ_CLEAN_SHUTDOWN forces use of normal exit() instead.\nbuild:coverage --test_env=KJ_CLEAN_SHUTDOWN=1\n# Use -O1 for faster compilation - coverage builds don't need heavy optimization\nbuild:coverage --copt=-O1\n# Reduce debug info for faster compilation and smaller binaries\nbuild:coverage --copt=-g1\n# Use limited coverage mode for smaller binaries and faster execution (used by Chromium)\nbuild:coverage --copt=-mllvm --copt=-limited-coverage-experimental=true\ncoverage --test_tag_filters=-off-by-default,-requires-fuzzilli,-requires-container-engine,-lint,-benchmark,-workerd-benchmark,-no-coverage\n# Coverage instrumentation slows down test execution, so extend timeouts\n# We disable enormous tests due to the slowdown (CI jobs have a 6h max duration)\ncoverage --test_size_filters=-enormous\ncoverage --test_timeout=240,240,240,240\ncoverage --build_tests_only\n\n# This config is defined internally and enabled on many machines.\n# Defining it as empty just so these machines can run build commands from the workerd repo\nbuild:rosetta-arm64 --define=rosetta_arm64_no_op=1\n" }, { "path": ".bazelversion", "content": "9.0.1\n" }, { "path": ".clang-format", "content": "Language: Cpp\nStandard: c++20\nColumnLimit: 100\n\nWhitespaceSensitiveMacros:\n # clang format doesn't understand TypeScript, so make sure it doesn't mangle\n # overrides and additional definitions\n - JSG_TS_OVERRIDE\n - JSG_TS_DEFINE\n - JSG_STRUCT_TS_OVERRIDE\n - JSG_STRUCT_TS_DEFINE\nAllowShortFunctionsOnASingleLine: Empty\n\nSortIncludes: true\nIncludeBlocks: Regroup\nIncludeCategories:\n # c++ system headers\n - Regex: <[a-zA-Z0-9_]+>\n Priority: 5\n # kj/capnp headers\n - Regex: <(kj|capnp)/.+>\n Priority: 4\n # workerd headers\n - Regex: \n Priority: 2\n # 3rd party headers\n - Regex: <.+>\n Priority: 3\n # local headers\n - Regex: '\".*\"'\n Priority: 1\n\nAllowShortIfStatementsOnASingleLine: true\nAllowShortLoopsOnASingleLine: true\nAllowShortBlocksOnASingleLine: Empty\n\nIndentWidth: 2\nIndentCaseBlocks: false\nIndentCaseLabels: true\nPointerAlignment: Left\nDerivePointerAlignment: true\n\n# Move public and private in by a half-indentation. This makes\n# diffs and Github code reviews more readable by letting you\n# see which class the diff snippet is part of.\nAccessModifierOffset: -1\n\n# Really \"Attach\" but empty braces aren't split.\nBreakBeforeBraces: Custom\nBraceWrapping:\n AfterCaseLabel: false\n AfterClass: false\n AfterControlStatement: Never\n AfterEnum: false\n AfterFunction: false\n AfterNamespace: false\n AfterObjCDeclaration: false\n AfterStruct: false\n AfterUnion: false\n AfterExternBlock: false\n BeforeCatch: false\n BeforeElse: false\n BeforeLambdaBody: false\n BeforeWhile: false\n IndentBraces: false\n SplitEmptyFunction: false\n SplitEmptyRecord: false\n SplitEmptyNamespace: false\n\nCpp11BracedListStyle: true\n\nAlignAfterOpenBracket: DontAlign\nAlignOperands: DontAlign\nAlignTrailingComments:\n Kind: Always\n OverEmptyLines: 0\nAlwaysBreakAfterReturnType: None\nAlwaysBreakTemplateDeclarations: Yes\nBreakStringLiterals: false\nBinPackArguments: true\nBinPackParameters: false\nBracedInitializerIndentWidth: 2\nBreakInheritanceList: BeforeColon\nContinuationIndentWidth: 4\nIfMacros:\n [\n \"KJ_SWITCH_ONEOF\",\n \"KJ_CASE_ONEOF\",\n \"KJ_IF_MAYBE\",\n \"KJ_IF_SOME\",\n \"CFJS_RESOURCE_TYPE\",\n ]\nLambdaBodyIndentation: OuterScope\nMacros:\n - \"KJ_MAP(x,y)=[y](auto x)\"\n - \"JSG_VISITABLE_LAMBDA(x,y,z)=[x,y](z)\"\n # The WhitespaceSensitiveMacros solution is flaky, adding the following ensures no formatting:\n - \"JSG_TS_OVERRIDE(x)=enum class\"\n - \"JSG_TS_DEFINE(x)=enum class\"\n - \"JSG_STRUCT_TS_OVERRIDE(x)=enum class\"\n - \"JSG_STRUCT_TS_DEFINE(x)=enum class\"\nPenaltyReturnTypeOnItsOwnLine: 1000\nPackConstructorInitializers: CurrentLine\nReflowComments: false\nSpaceBeforeCtorInitializerColon: false\nSpaceBeforeInheritanceColon: false\nSpaceBeforeParens: ControlStatementsExceptControlMacros\nSpaceBeforeRangeBasedForLoopColon: false\nSpaceBeforeCpp11BracedList: false\nSpacesBeforeTrailingComments: 2\n---\n# Some files with embedded typescript are incorrectly recognized by clang-format as Objective-C\n# This is because the C/C++ macro expansion step happens after the language recognition step, so\n# when trying to parse the file, the c++ parser fails with incorrect syntax and a fallback to\n# the Objective-C parser is used.\n# This is a workaround to hide the warning.\n# TODO: Remove this once we have a better solution.\nLanguage: ObjC\nDisableFormat: true\n" }, { "path": ".clang-tidy", "content": "---\n# TODO: We currently only enable select clang-tidy checks. While many checks provide little value or\n# produce false positives, try to incrementally enable most of them.\n# TODO: these checks are in progress of cleaning up\n# Note: cppcoreguidelines-noexcept-destructor is designed to detect destructors that are missing\n# noexcept. We always use noexcept(false) as per KJ-style, but this check works for our purposes\n# too.\nChecks: >\n bugprone-argument-comment,\n bugprone-capturing-this-in-member-variable,\n bugprone-dynamic-static-initializers,\n bugprone-forward-declaration-namespace,\n bugprone-invalid-enum-default-initialization,\n bugprone-move-forwarding-reference,\n bugprone-return-const-ref-from-parameter,\n bugprone-suspicious-*,\n -bugprone-suspicious-semicolon,\n bugprone-undefined-memory-manipulation,\n bugprone-unhandled-self-assignment,\n bugprone-unused-raii,\n bugprone-use-after-move,\n cppcoreguidelines-c-copy-assignment-signature,\n cppcoreguidelines-misleading-capture-default-by-value,\n cppcoreguidelines-noexcept-destructor,\n cppcoreguidelines-prefer-member-initializer,\n google-readability-casting,\n misc-confusable-identifiers,\n misc-header-include-cycle,\n misc-redundant-expression,\n misc-throw-by-value-catch-by-reference,\n misc-unused-alias-decls,\n misc-unused-using-decls,\n modernize-loop-convert,\n modernize-macro-to-enum,\n modernize-redundant-void-arg,\n modernize-type-traits,\n modernize-unary-static-assert,\n modernize-use-bool-literals,\n modernize-use-constraints,\n modernize-use-emplace,\n modernize-use-equals-delete,\n modernize-use-nullptr,\n modernize-use-string-view,\n modernize-use-transparent-functors,\n modernize-use-using,\n performance-*,\n -performance-enum-size,\n -performance-no-int-to-ptr,\n -performance-noexcept-move-constructor,\n -performance-noexcept-swap,\n -performance-unnecessary-value-param,\n readability-avoid-const-params-in-decls,\n readability-container-contains,\n readability-container-size-empty,\n readability-delete-null-pointer,\n readability-duplicate-include,\n readability-enum-initial-value,\n readability-redundant-*,\n -readability-redundant-inline-specifier,\n -readability-redundant-parentheses,\n -readability-redundant-smartptr-get,\n readability-reference-to-constructed-temporary,\n readability-static-accessed-through-instance,\n readability-use-concise-preprocessor-directives\n\n# TODO: Fix and enable\n# bugprone-derived-method-shadowing-base-method\n# bugprone-parent-virtual-call\n# cppcoreguidelines-interfaces-global-init\n# cppcoreguidelines-missing-std-forward\n# cppcoreguidelines-pro-type-member-init\n# modernize-use-equals-default\n# modernize-use-override\n# modernize-use-ranges\n# readability-avoid-return-with-void-value\n# modernize-avoid-variadic-functions\n# readability-convert-member-functions-to-static\n# readability-redundant-smartptr-get\n# readability-use-anyofallof\n\nWarningsAsErrors: '*'\nHeaderFilterRegex: '.*src/workerd/.*'\n\nCheckOptions:\n # JSG has very entrenched include cycles\n - key: misc-header-include-cycle.IgnoredFilesList\n value: \"jsg/jsg.h|jsg/dom-exception.h\"\n - key: cppcoreguidelines-missing-std-forward.ForwardFunction\n value: \"kj::fwd\"\n" }, { "path": ".devcontainer/Dockerfile", "content": "FROM mcr.microsoft.com/vscode/devcontainers/javascript-node:22\n\n# Install dependencies, including clang via through LLVM APT repository. Note that this\n# will also install lldb and clangd alongside dependencies.\nARG LLVM_VERSION=19\nRUN apt-get update && export DEBIAN_FRONTEND=noninteractive \\\n && apt-get -y install software-properties-common python3 python3-distutils tclsh nodejs npm \\\n && curl -fSsL -o /tmp/llvm.sh https://apt.llvm.org/llvm.sh && chmod +x /tmp/llvm.sh && bash /tmp/llvm.sh ${LLVM_VERSION} \\\n && apt-get -y install --no-install-recommends libunwind-${LLVM_VERSION} libc++abi1-${LLVM_VERSION} libc++1-${LLVM_VERSION} libc++-${LLVM_VERSION}-dev libclang-rt-${LLVM_VERSION}-dev -o DPkg::options::=\"--force-overwrite\"\nENV PATH /usr/lib/llvm-${LLVM_VERSION}/bin:$PATH\n\n# Install Bazel (via Bazelisk)\nRUN npm install -g @bazel/bazelisk\n\n# Install Just\nRUN npm install -g rust-just\n" }, { "path": ".devcontainer/devcontainer.json", "content": "{\n\t\"name\": \"C++: Workerd\",\n\t\"build\": {\n\t\t\"dockerfile\": \"Dockerfile\"\n\t},\n\t\"customizations\": {\n\t\t// Configure properties specific to VS Code.\n\t\t\"vscode\": {\n\t\t\t// Add the IDs of extensions you want installed when the container is created.\n\t\t\t\"extensions\": [\n\t\t\t\t\"BazelBuild.vscode-bazel\",\n\t\t\t\t\"eamodio.gitlens\",\n\t\t\t\t\"streetsidesoftware.code-spell-checker\",\n\t\t\t\t\"llvm-vs-code-extensions.vscode-clangd\",\n\t\t\t\t\"ms-vscode.cpptools\",\n\t\t\t\t\"abronan.capnproto-syntax\",\n\t\t\t\t\"DavidAnson.vscode-markdownlint\"\n\t\t\t],\n\t\t\t\"settings\": {\n\t\t\t\t// The Microsoft C/C++ extension has IntelliSense support that is not compatible with the clangd extension.\n\t\t\t\t\"C_Cpp.intelliSenseEngine\": \"disabled\",\n\t\t\t\t\"C_Cpp.default.cppStandard\": \"c++20\"\n\t\t\t}\n\t\t}\n\t}\n\t// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.\n\t// \"remoteUser\": \"root\"\n}\n" }, { "path": ".git-blame-ignore-revs", "content": "# Apply prettier to the project\n0523bf8b36a937348f1bb79eceda2463a5c220b5\n\n# Apply clang-format to the project.\n5e8537a77e760c160ace3dfe23ee8c76ee5aeeb3\n\n# Apply ruff format to the project\nd6d0607a845e6f71084ce272a1c1e8c50e244bdd\n\n# Apply buildifier to the project\nf457f19039b82536b35659c1f9cb898a198e6cd1\n\n# Apply ruff linter to the project\n893774eab71fd7be5000436ff2ff0b5dd85ef073\n\n# Use clang-format to sort includes.\nfaabf00af72bbce956221b40624f8a3d57f82b7c\nb9e9fb144f44494017e77fbe959355e92f10ae69\n\n# Add `AllowShortBlocksOnASingleLine: Empty` to clang-format\nfa2c488219a5e96792e61f3d51838595e2907c8d\n\n# clang-tidy: Add google-readability-casting, modernize-use-using\n21dc6eb66a2344b8e756b897ade27cc107b58153\n\n# clang-tidy: Add more readability checks\nd8987b2c4206c8b28b637c24219a580431873d12\n" }, { "path": ".github/CODEOWNERS", "content": "* @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects\n.github/workflows/ @cloudflare/wrangler @cloudflare/workers-runtime-1\nnpm/ @cloudflare/wrangler @cloudflare/workers-runtime-1\nbuild-releases.sh @cloudflare/wrangler @cloudflare/workers-runtime-1\nRELEASE.md @cloudflare/wrangler @cloudflare/workers-runtime-1\npackage.json @cloudflare/wrangler @cloudflare/workers-runtime-1\npnpm-lock.yaml @cloudflare/wrangler @cloudflare/workers-runtime-1\n/types/ @cloudflare/wrangler\n/types/generated-snapshot/experimental/ @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects\nsrc/workerd/tools/ @cloudflare/wrangler @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects\nsrc/workerd/io/release-version.txt @cloudflare/wrangler @cloudflare/workers-runtime-1\nsrc/workerd/io/maximum-compatibility-date.txt @cloudflare/wrangler @cloudflare/workers-runtime-1\nsrc/node/ @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects @cloudflare/workers-frameworks @cloudflare/workers-runtime-nodejs\nsrc/workerd/api/node/ @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects @cloudflare/workers-frameworks @cloudflare/workers-runtime-nodejs\n" }, { "path": ".github/DISCUSSION_TEMPLATE/nodejs_api_request.yml", "content": "title: \"Node.js API Request\"\nlabels: [\"Node.js API Request\"]\nbody:\n - type: input\n id: module\n attributes:\n label: Module\n description: \"Name of the Node.js module you want to work on Workers. Ex: fs\"\n value:\n validations:\n required: true\n - type: input\n id: method\n attributes:\n label: API Method\n description: \"Name of the specific API method you want to work on Workers. Ex: fs.readFile\"\n value:\n validations:\n required: true\n - type: markdown\n id: context\n attributes:\n value: |\n ## Context\n" }, { "path": ".github/DISCUSSION_TEMPLATE/python_package_request.yml", "content": "title: \"Python Package Request\"\nlabels: [\"Python Package Request\"]\nbody:\n - type: input\n id: package\n attributes:\n label: Package Name\n description: \"Name of the Python package you want to work on Workers\"\n value:\n validations:\n required: true\n - type: input\n id: version\n attributes:\n label: Package Version\n description: \"Optional — specify a particular version of the package\"\n value:\n validations:\n required: false\n - type: markdown\n id: context\n attributes:\n value: |\n ## Context\n" }, { "path": ".github/ISSUE_TEMPLATE/runtime-apis.md", "content": "---\nname: runtime-apis\nabout: Report an issue with an API provided by workerd\ntitle: '🐛 Bug Report — Runtime APIs'\nlabels: runtime-api\n\n---\n\n" }, { "path": ".github/ISSUE_TEMPLATE/workers-types.md", "content": "---\nname: workers-types\nabout: Report an issue or suggestion for `@cloudflare/workers-types`\ntitle: ''\nlabels: types\nassignees: workers-devprod\n\n---\n\n\n" }, { "path": ".github/actions/setup-runner/action.yml", "content": "name: 'Setup runner environment'\ndescription: 'Sets up runner environment with proper toolchain for building workerd'\nruns:\n using: 'composite'\n steps:\n - name: Setup Linux\n shell: bash\n if: runner.os == 'Linux'\n run: |\n export DEBIAN_FRONTEND=noninteractive\n wget https://apt.llvm.org/llvm.sh\n sed -i '/apt-get install/d' llvm.sh\n chmod +x llvm.sh\n sudo ./llvm.sh 19\n # keep in sync with build/ci.bazelrc\n sudo apt-get install -y -qq --no-install-recommends \\\n clang-19 \\\n lld-19 \\\n libunwind-19 \\\n libc++abi1-19 \\\n libc++1-19 \\\n libc++-19-dev \\\n libclang-rt-19-dev \\\n llvm-19\n sudo ln -s /usr/bin/llvm-symbolizer-19 /usr/bin/llvm-symbolizer\n sudo ln -s /usr/bin/llvm-profdata-19 /usr/bin/llvm-profdata\n sudo ln -s /usr/bin/llvm-cov-19 /usr/bin/llvm-cov\n echo \"build:linux --action_env=CC=/usr/lib/llvm-19/bin/clang\" >> .bazelrc\n echo \"build:linux --host_action_env=CC=/usr/lib/llvm-19/bin/clang\" >> .bazelrc\n echo \"build:linux --linkopt=--ld-path=/usr/lib/llvm-19/bin/ld.lld\" >> .bazelrc\n echo \"build:linux --host_linkopt=--ld-path=/usr/lib/llvm-19/bin/ld.lld\" >> .bazelrc\n echo \"build:linux --action_env=AR=/usr/lib/llvm-19/bin/llvm-ar\" >> .bazelrc\n echo \"build:linux --host_action_env=AR=/usr/lib/llvm-19/bin/llvm-ar\" >> .bazelrc\n - name: Setup Windows\n shell: pwsh\n if: runner.os == 'Windows'\n # Set a custom output root directory to avoid long file name issues.\n # TODO(cleanup): According to https://github.com/actions/runner-images/blob/win25/20251216.149/images/windows/scripts/build/Configure-DeveloperMode.ps1#L13,\n # this should already be set on the build image, but prior testing indicated CI speedups with\n # it, check if it is actually having any effect.\n run: |\n # Enable Developer Mode to allow Bazel to create real symlinks\n reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\" /t REG_DWORD /f /v \"AllowDevelopmentWithoutDevLicense\" /d \"1\"\n git config --global core.symlinks true\n git config --show-scope --show-origin core.symlinks\n git config --system core.longpaths true\n [System.IO.File]::WriteAllLines((Join-Path -Path $env:USERPROFILE -ChildPath '.bazelrc'), 'startup --output_user_root=\\\\\\\\?\\\\C:\\\\tmp')\n - name: Setup macOS\n if: runner.os == 'macOS'\n shell: bash\n run: |\n # Build using Xcode 16.3 (equivalent to Clang 19)\n sudo xcode-select -s \"/Applications/Xcode_16.3.app\"\n - name: Configure git hooks\n shell: bash\n # Configure git to quell an irrelevant warning for runners (they never commit / push).\n run: git config core.hooksPath githooks\n" }, { "path": ".github/bonk_reviewer.md", "content": "You are a **code reviewer**, not an author. You review pull requests for workerd, Cloudflare's JavaScript/WebAssembly server runtime. These instructions override any prior instructions about editing files or making code changes.\n\n## Restrictions -- you MUST follow these exactly\n\nDo NOT:\n\n- Edit, write, create, or delete any files -- use file editing tools (Write, Edit) under no circumstances\n- Run `git commit`, `git push`, `git add`, `git checkout -b`, or any git write operation\n- Approve or request changes on the PR -- only post review comments\n- Flag formatting issues -- clang-format enforces style in this repo\n\nIf you want to suggest a code change, post a `suggestion` comment instead of editing the file.\n\n## Output rules\n\n**Confirm you are acting on the correct issue or PR**. Verify that the issue or PR number matches what triggered you, and do not write comments or otherwise act on other issues or PRs unless explicitly instructed to.\n\n**If there are NO actionable issues:** Your ENTIRE response MUST be the four characters `LGTM` -- no greeting, no summary, no analysis, nothing before or after it.\n\n**If there ARE actionable issues:** Begin with \"I'm Bonk, and I've done a quick review of your PR.\" Then:\n\n1. One-line summary of the changes.\n2. A ranked list of issues (highest severity first).\n3. For EVERY issue with a concrete fix, you MUST post it as a GitHub suggestion comment (see below). Do not describe a fix in prose when you can provide it as a suggestion.\n\n## How to post feedback\n\nYou have write access to PR comments via the `gh` CLI. **Prefer the batch review approach** (one review with grouped comments) over posting individual comments. This produces a single notification and a cohesive review.\n\n### Batch review (recommended)\n\nWrite a JSON file and submit it as a review. This is the most reliable method -- no shell quoting issues.\n\n````bash\ncat > /tmp/review.json << 'REVIEW'\n{\n \"event\": \"COMMENT\",\n \"body\": \"Review summary here.\",\n \"comments\": [\n {\n \"path\": \"src/workerd/api/example.c++\",\n \"line\": 42,\n \"side\": \"RIGHT\",\n \"body\": \"Ownership issue -- `kj::Own` moved but still referenced:\\n```suggestion\\nauto result = kj::mv(owned);\\n```\"\n }\n ]\n}\nREVIEW\ngh api repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews --input /tmp/review.json\n````\n\nEach comment needs `path`, `line`, `side`, and `body`. Use `suggestion` fences in `body` for applicable changes.\n\n- `side`: `\"RIGHT\"` for added or unchanged lines, `\"LEFT\"` for deleted lines\n- For multi-line suggestions, add `start_line` and `start_side` to the comment object\n- If `gh api` returns a 422 (wrong line number, stale commit), fall back to a top-level PR comment with `gh pr comment` instead of retrying\n\n## Review focus areas\n\n**Code quality:** Refer to the following checklists:\n- For C++, use the `kj-style`, and `workerd-safety-review` skills\n- For JavaScript and TypeScript, use the `ts-style` skill\n- For Rust, use the `rust-review` skill\n- For all code, use the `workerd-api-review` skill for API design, performance, security, and\n standards compliance\n- Review added or updated tests to ensure they cover the relevant code changes\n- Review code comments for clarity and accuracy\n\n**Backward compatibility:** workerd has a strong backward compat commitment. New behavior changes MUST be gated behind compatibility flags (see compatibility-date.capnp). Flag any ungated behavioral change as high severity.\n\n**Autogates:** Risky changes should use autogate flags (src/workerd/util/autogate.\\*) for staged rollout. If a change looks risky and has no autogate, flag it.\n\n**Security:** This is a production runtime that executes untrusted code. Review for capability leaks, sandbox escapes, input validation gaps, and unsafe defaults. High severity.\n\n**Cap'n Proto schemas:** Check .capnp file changes for wire compatibility. Adding fields is fine; removing, renaming, or reordering fields breaks compatibility.\n\n**JSG bindings:** Changes in jsg/ must correctly bridge V8 and C++. Check type conversions, GC safety, and proper use of jsg:: macros.\n\n**Node.js compatibility (src/node/, src/workerd/api/node/):** Verify behavior matches Node.js. Check for missing error cases and edge cases in polyfills.\n\n**Build system:** Bazel BUILD file changes should have correct deps and visibility.\n\n## What counts as actionable\n\nLogic bugs, security issues, backward compat violations, missing compat flags, memory safety problems, incorrect API behavior. Be pragmatic -- do not nitpick, do not flag subjective preferences.\n" }, { "path": ".github/secret_scanning.yml", "content": "paths-ignore:\n - \"src/workerd/api/node/crypto_keys-test.js\"\n - \"src/workerd/api/node/crypto_dh-test.js\"\n - \"src/workerd/jsg/url-test-corpus-success.h\"\n - \"src/workerd/api/node/tests/crypto_x509-test.js\"\n - \"src/workerd/api/node/tests/fixtures/dh_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/dsa_private_pkcs8.pem\"\n - \"src/workerd/api/node/tests/fixtures/ed25519_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private_encrypted.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha1_sha1_20.pem\"\n - \"src/workerd/api/node/tests/fixtures/dsa_private_1025.pem\"\n - \"src/workerd/api/node/tests/fixtures/ec_p256_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/ed448_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha256_sha256_16.pem\"\n - \"src/workerd/api/node/tests/fixtures/dsa_private_encrypted_1025.pem\"\n - \"src/workerd/api/node/tests/fixtures/ec_p384_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private_2048.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private_pkcs8_bad.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha512_sha256_20.pem\"\n - \"src/workerd/api/node/tests/fixtures/dsa_private_encrypted.pem\"\n - \"src/workerd/api/node/tests/fixtures/ec_p521_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private_4096.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private_pkcs8.pem\"\n - \"src/workerd/api/node/tests/fixtures/x25519_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/dsa_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/ec_secp256k1_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_private_b.pem\"\n - \"src/workerd/api/node/tests/fixtures/rsa_pss_private_2048.pem\"\n - \"src/workerd/api/node/tests/fixtures/x448_private.pem\"\n - \"src/workerd/api/node/tests/fixtures/tls-nodejs-tcp-server.pem\"\n - \"src/workerd/api/tests/startls-server.pem\"\n - \"src/workerd/api/tests/starttls-nodejs-server.js\"\n" }, { "path": ".github/workflows/_bazel.yml", "content": "name: 'Run Bazel'\non:\n workflow_call:\n inputs:\n image:\n type: string\n required: false\n default: 'ubuntu-22.04-16core'\n os_name:\n type: string\n required: false\n default: 'linux'\n\n arch_name:\n type: string\n required: false\n default: 'X64'\n phase:\n type: string\n required: false\n default: ''\n suffix:\n type: string\n required: false\n default: ''\n run_tests:\n type: boolean\n required: false\n default: true\n test_target:\n type: string\n required: false\n default: //...\n parse_headers:\n type: boolean\n required: false\n default: false\n extra_bazel_args:\n type: string\n required: false\n default: ''\n upload_binary:\n type: boolean\n required: false\n default: false\n upload_test_logs:\n type: boolean\n required: false\n default: false\n upload_types:\n type: boolean\n required: false\n default: false\n run_coverage:\n type: boolean\n required: false\n default: false\n fetch_depth:\n type: number\n required: false\n default: 1\n macos_use_lld:\n type: boolean\n required: false\n default: false\n build_container_images:\n type: boolean\n required: false\n default: false\n secrets:\n BAZEL_CACHE_KEY:\n required: true\n WORKERS_MIRROR_URL:\n required: true\n CODECOV_TOKEN:\n required: false\n\npermissions:\n # Read repo\n contents: read\n # Read/write artifacts\n actions: write\n\njobs:\n bazel:\n runs-on: ${{ inputs.image }}\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n fetch-depth: ${{ inputs.fetch_depth }}\n - name: Cache\n id: cache\n uses: actions/cache@v5\n with:\n path: ~/bazel-disk-cache\n key: bazel-disk-cache${{ inputs.phase}}-${{ inputs.os_name }}-${{ runner.arch }}${{ inputs.suffix }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }}\n # Intentionally not reusing an older cache entry using a key prefix, bazel frequently\n # ends up with a larger cache at the end when starting with an available cache entry,\n # resulting in a snowballing cache size and cache download/upload times.\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n - name: Setup lld on macOS\n if: runner.os == 'macOS' && inputs.macos_use_lld\n run: |\n # Install lld and link it to /usr/local/bin. We overwrite any existing link, which may\n # exist from an older pre-installed LLVM version on the runner image.\n brew update\n brew install lld\n sudo ln -s -f $(brew --prefix lld)/bin/ld64.lld /usr/local/bin/ld64.lld\n # Enable lld identical code folding to significantly reduce binary size.\n echo \"build:macos --config=macos_lld_icf\" >> .bazelrc\n - name: Configure download mirrors\n shell: bash\n run: |\n if [ ! -z \"${{ secrets.WORKERS_MIRROR_URL }}\" ] ; then\n # Strip comment in front of WORKERS_MIRROR_URL, then substitute secret to use it.\n sed -e '/WORKERS_MIRROR_URL/ { s@# *@@; s@WORKERS_MIRROR_URL@${{ secrets.WORKERS_MIRROR_URL }}@; }' -i.bak build/deps/nodejs.MODULE.bazel\n fi\n - name: Bazel build (Windows workaround)\n if: runner.os == 'Windows'\n # HACK: Work around Bazel Windows bug: Some targets need to be compiled without symlink\n # support. Since we still need symlinks to compile C++ code properly, compile these targets\n # separately.\n run: |\n bazel --nowindows_enable_symlinks build ${{ inputs.extra_bazel_args }} --config=ci --profile build-win-workaround.bazel-profile.gz --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev //src/wpt:wpt-all@tsproject //src/node:node@tsproject //src/pyodide:pyodide_static@tsproject\n - name: Bazel build\n run: |\n bazel build --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} //...\n - name: Configure Docker daemon for IPv6\n if: inputs.build_container_images\n run: |\n sudo mkdir -p /etc/docker\n echo '{\"ipv6\": true, \"fixed-cidr-v6\": \"fd00::/80\"}' | sudo tee /etc/docker/daemon.json\n sudo systemctl restart docker\n - name: Build and load container images\n if: inputs.build_container_images\n run: |\n docker context use default\n echo \"Docker info:\"\n docker info\n echo \"Docker version:\"\n docker version\n bazel run --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} //images:load_all\n - name: Bazel test\n if: inputs.run_tests\n run: |\n bazel test --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} ${{ inputs.test_target }}\n - name: Bazel coverage\n if: inputs.run_coverage\n run: |\n bazel coverage --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} ${{ inputs.test_target }}\n - name: Upload coverage to Codecov\n if: inputs.run_coverage\n uses: codecov/codecov-action@v5\n with:\n # Use bazel info to get the actual output path, avoiding symlink issues\n files: ${{ github.workspace }}/bazel-out/_coverage/_coverage_report.dat\n fail_ci_if_error: true\n verbose: true\n disable_search: true\n root_dir: ${{ github.workspace }}\n env:\n CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}\n - name: Parse headers\n # TODO(cleanup): Bazel does not allow for only parsing headers in non-recursive targets, so\n # we can't widely enable header parsing for now (dependencies like V8 do not specify\n # dependencies of header targets properly).\n if: inputs.parse_headers\n run: |\n bazel build --config=parse_headers --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} //src/workerd/util\n - name: Upload test logs\n if: always() && inputs.upload_test_logs\n uses: actions/upload-artifact@v7\n with:\n name: test-logs-${{ inputs.os_name }}-${{ inputs.arch_name }}${{ inputs.suffix }}.zip\n path: bazel-testlogs/**/test.xml\n - name: Report disk usage (in MB)\n if: always() && runner.os != 'Windows'\n shell: bash\n run: |\n BAZEL_OUTPUT_BASE=$(bazel info output_base)\n BAZEL_REPOSITORY_CACHE=$(bazel info repository_cache)\n echo \"Bazel cache usage statistics\"\n du -ms -t 1 ~/bazel-disk-cache/* $BAZEL_REPOSITORY_CACHE\n echo \"Bazel output usage statistics\"\n du -ms -t 1 $BAZEL_OUTPUT_BASE\n echo \"Workspace usage statistics\"\n du -ms -t 1 $GITHUB_WORKSPACE\n - name: Report disk usage (in MB)\n if: always() && runner.os == 'Windows'\n shell: pwsh\n run: |\n function Get-SizeMB($path) {\n if (Test-Path $path) {\n $size = (Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |\n Measure-Object -Property Length -Sum -ErrorAction SilentlyContinue).Sum\n [math]::Round($size / 1MB)\n } else { 0 }\n }\n $outputBase = bazel info output_base 2>$null\n $repoCache = bazel info repository_cache 2>$null\n echo \"Bazel cache usage statistics\"\n echo \"$(Get-SizeMB $env:USERPROFILE\\bazel-disk-cache)`t$env:USERPROFILE\\bazel-disk-cache\"\n echo \"$(Get-SizeMB $repoCache)`t$repoCache\"\n echo \"Bazel output usage statistics\"\n echo \"$(Get-SizeMB $outputBase)`t$outputBase\"\n echo \"Workspace usage statistics\"\n echo \"$(Get-SizeMB $env:GITHUB_WORKSPACE)`t$env:GITHUB_WORKSPACE\"\n\n - name: Upload binary\n if: inputs.upload_binary\n uses: actions/upload-artifact@v7\n with:\n name: ${{ inputs.os_name }}-${{ inputs.arch_name }}${{ inputs.suffix }}-binary\n path: bazel-bin/src/workerd/server/workerd${{ runner.os == 'Windows' && '.exe' || '' }}\n if-no-files-found: error\n - name: Upload build statistics\n if: always() && inputs.run_tests\n uses: actions/upload-artifact@v7\n with:\n name: ${{ inputs.os_name }}${{ inputs.arch_name }}${{ inputs.suffix }}-bazel-profile\n path: '*.bazel-profile.gz'\n\n - name: Drop large Bazel cache files\n if: always()\n # Github has a nominal 10GB of storage for all cached builds associated with a project.\n # Drop large files (>100MB) in our cache to improve shared build cache efficiency. This is\n # particularly helpful for asan and debug builds that produce larger executables. Also\n # the process of saving the Bazel disk cache generates a tarball on the runners disk, and\n # it is possible to run out of storage in that process (does not fail the workflow).\n shell: bash\n run: |\n if [ -d ~/bazel-disk-cache ]; then\n find ~/bazel-disk-cache -size +100M -type f -exec rm {} \\;\n echo \"Trimmed Bazel cache usage statistics\"\n du -ms -t 1 ~/bazel-disk-cache/*\n else\n echo \"Disk cache does not exist: ~/bazel-disk-cache\"\n fi\n\n - name: Bazel shutdown\n if: always()\n # Check that there are no .bazelrc issues that prevent shutdown.\n run: bazel shutdown\n" }, { "path": ".github/workflows/_wpt.yml", "content": "name: 'WPT Report'\non:\n workflow_call:\n inputs:\n image:\n description: 'Runner image to use'\n required: true\n type: string\n logs_artifact:\n description: 'Name of artifact containing test logs'\n required: true\n type: string\n report_artifact:\n description: 'Name of artifact to use for WPT report JSON file'\n required: true\n type: string\n\npermissions:\n # Read repo\n contents: read\n # Read/write artifacts\n actions: write\njobs:\n wpt-report:\n runs-on: ${{ inputs.image }}\n steps:\n - uses: actions/checkout@v6\n - name: Download test logs\n uses: actions/download-artifact@v8\n continue-on-error: true\n with:\n name: ${{ inputs.logs_artifact }}\n path: testlogs\n - name: Generate WPT report and stats\n run: ./tools/cross/wpt_logs.py --print-stats --write-report=wpt-report.json testlogs/ >> $GITHUB_STEP_SUMMARY\n - name: Upload WPT report\n uses: actions/upload-artifact@v7\n with:\n name: ${{ inputs.report_artifact }}\n path: wpt-report.json\n" }, { "path": ".github/workflows/bigbonk.yml", "content": "name: Bonk\n\non:\n issue_comment:\n types: [created]\n pull_request_review_comment:\n types: [created]\n pull_request_review:\n types: [submitted]\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}\n cancel-in-progress: false\n\njobs:\n bonk:\n if: github.event.sender.type != 'Bot' && contains(github.event.comment.body, '/bigbonk')\n runs-on: ubuntu-latest\n timeout-minutes: 30\n permissions:\n id-token: write\n contents: write\n issues: write\n pull-requests: write\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n fetch-depth: 1\n\n - name: Run Bonk\n uses: ask-bonk/ask-bonk/github@main\n env:\n CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }}\n CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }}\n CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }}\n with:\n model: 'cloudflare-ai-gateway/anthropic/claude-opus-4-6'\n mentions: '/bigbonk'\n variant: 'max'\n permissions: write\n opencode_version: '1.2.27'\n # token_permissions defaults to WRITE (i.e. Bonk can push commits).\n # We intentionally leave it that way here because users may ask Bonk\n # to update their PR via /bigbonk.\n" }, { "path": ".github/workflows/bonk.yml", "content": "name: Bonk\n\non:\n issue_comment:\n types: [created]\n pull_request_review_comment:\n types: [created]\n pull_request_review:\n types: [submitted]\n\nconcurrency:\n group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }}\n cancel-in-progress: false\n\njobs:\n bonk:\n if: github.event.sender.type != 'Bot' && (contains(github.event.comment.body, '/bonk') || contains(github.event.comment.body, '@ask-bonk'))\n runs-on: ubuntu-latest\n timeout-minutes: 30\n permissions:\n id-token: write\n contents: write\n issues: write\n pull-requests: write\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n fetch-depth: 1\n\n - name: Run Bonk\n uses: ask-bonk/ask-bonk/github@main\n env:\n CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }}\n CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }}\n CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }}\n with:\n model: 'cloudflare-ai-gateway/anthropic/claude-opus-4-6'\n mentions: '/bonk,@ask-bonk'\n permissions: write\n opencode_version: '1.2.27'\n # token_permissions defaults to WRITE (i.e. Bonk can push commits).\n # We intentionally leave it that way here because users may ask Bonk\n # to update their PR via /bonk.\n" }, { "path": ".github/workflows/cla.yml", "content": "name: \"CLA Assistant\"\non:\n issue_comment:\n types: [created]\n pull_request_target:\n types: [opened,synchronize]\n merge_group:\n\njobs:\n CLAssistant:\n runs-on: ubuntu-latest\n steps:\n - name: \"CLA Assistant\"\n if: (github.event.issue.pull_request && (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'\n uses: contributor-assistant/github-action@v2.6.1\n env:\n # CLA Action uses this in-built GitHub token to make the API calls for interacting with GitHub.\n # It is built into Github Actions and does not need to be manually specified in your secrets store.\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n # The below token should have repo scope and must be manually added by you in the repository's secret\n PERSONAL_ACCESS_TOKEN : ${{ secrets.CLA_PERSONAL_ACCESS_TOKEN }}\n with:\n path-to-signatures: 'signatures/version1/cla.json'\n path-to-document: 'https://www.cloudflare.com/cla/'\n # branch should not be protected\n branch: 'cla-signatures'\n allowlist: dependabot[bot],workers-devprod\n lock-pullrequest-aftermerge: false\n" }, { "path": ".github/workflows/codspeed.yml", "content": "name: CodSpeed\n\non:\n pull_request:\n paths-ignore:\n - 'docs/**'\n - 'justfile'\n - '.devcontainer'\n - '**/*.md'\n - '.gitignore'\n merge_group:\n push:\n branches:\n - main\n\nconcurrency:\n group: codspeed.yml-${{ github.event.pull_request.number || github.run_id }}\n cancel-in-progress: true\n\npermissions:\n # Write cache\n contents: write\n\njobs:\n benchmarks:\n name: Run benchmarks\n runs-on: ubuntu-22.04-16core\n env:\n BAZEL_ARGS: --config=benchmark --@google_benchmark//:codspeed_mode=simulation --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n\n - name: Cache\n id: cache\n uses: actions/cache@v5\n with:\n path: ~/bazel-disk-cache\n key: bazel-disk-cache-benchmarks-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }}\n\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n\n - name: Build benchmarks\n run: |\n bazel build ${{ env.BAZEL_ARGS }} --build_tag_filters=google_benchmark //... @capnp-cpp//...\n\n - name: Generate benchmark script\n run: |\n echo '#!/bin/bash' > run_benchmarks.sh\n echo 'set -ex' >> run_benchmarks.sh\n targets=$(bazel query 'attr(tags, \"[\\[ ]google_benchmark[,\\]]\", //... + @capnp-cpp//...) except attr(tags, \"[\\[ ]manual[,\\]]\", //...)' --output=label 2>/dev/null)\n for target in $targets; do\n echo \"echo 'Running benchmark: $target'\" >> run_benchmarks.sh\n echo \"bazel run ${{ env.BAZEL_ARGS }} $target -- --benchmark_min_time=1s\" >> run_benchmarks.sh\n done\n chmod +x run_benchmarks.sh\n\n - name: Run benchmarks\n uses: CodSpeedHQ/action@v4\n with:\n mode: simulation\n run: ./run_benchmarks.sh\n\n - name: Bazel shutdown\n run: bazel shutdown\n" }, { "path": ".github/workflows/coverage.yml", "content": "name: Coverage\n\non:\n pull_request:\n merge_group:\n push:\n branches:\n - main\n\nconcurrency:\n group: coverage.yml-${{ github.event.pull_request.number || github.run_id }}\n cancel-in-progress: true\n\npermissions:\n # Read repo\n contents: read\n # Read/write artifacts\n actions: write\n\njobs:\n coverage-linux:\n uses: ./.github/workflows/_bazel.yml\n with:\n image: ubuntu-22.04-16core\n os_name: linux\n arch_name: 'X64'\n suffix: 'coverage'\n # Don't use ci-test here because it enables --remote_download_minimal which prevents\n # coverage data from being fetched from cache. The coverage config already sets\n # --test_env=CI=true and --config=wpt-test which are the relevant parts of ci-test.\n # Use ci-linux-common instead of ci-linux to avoid overriding coverage test_tag_filters\n # (ci-linux sets test_tag_filters that would include container tests which require docker)\n extra_bazel_args: '--config=ci-linux-common --config=ci-limit-storage --config=coverage --test_env=CI=true --config=wpt-test'\n upload_test_logs: true\n upload_binary: false\n build_container_images: false\n run_coverage: true\n run_tests: false\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}\n" }, { "path": ".github/workflows/daily-release.yml", "content": "name: Daily Release\n\non:\n schedule:\n # Run at 00:30 UTC every day\n - cron: '30 0 * * *'\n # Allow manual triggering for testing\n workflow_dispatch:\n\njobs:\n update-compatibility-date:\n runs-on: ubuntu-latest\n permissions:\n contents: write\n\n steps:\n - name: Checkout code\n uses: actions/checkout@v6\n with:\n token: ${{ secrets.DEVPROD_PAT }}\n ref: main\n\n - name: Get current date\n id: date\n run: |\n echo \"date=$(date +'%Y-%m-%d')\" >> $GITHUB_OUTPUT\n echo \"max_date=$(date -d '+7 days' +'%Y-%m-%d')\" >> $GITHUB_OUTPUT\n\n - name: Update compatibility dates\n run: |\n echo \"${{ steps.date.outputs.date }}\" > src/workerd/io/release-version.txt\n echo \"${{ steps.date.outputs.max_date }}\" > src/workerd/io/maximum-compatibility-date.txt\n\n - name: Check for changes\n id: git-check\n run: |\n if [[ $(git status --porcelain src/workerd/io/release-version.txt src/workerd/io/maximum-compatibility-date.txt) ]]; then\n echo \"changed=true\" >> $GITHUB_OUTPUT\n else\n echo \"changed=false\" >> $GITHUB_OUTPUT\n fi\n echo \"last_email=$(git show --format=\"%ae\" -s)\" >> $GITHUB_OUTPUT\n\n # Publish new version if compatibility-date changed and last commit wasn't a daily release\n # already.\n - name: Commit and push change\n if: steps.git-check.outputs.changed == 'true' && steps.git-check.outputs.last_email != 'workers-devprod@cloudflare.com'\n run: |\n git config user.email \"workers-devprod@cloudflare.com\"\n git config user.name \"Workers DevProd\"\n git add src/workerd/io/release-version.txt src/workerd/io/maximum-compatibility-date.txt\n git commit -m \"Release ${{ steps.date.outputs.date }}\"\n git push\n" }, { "path": ".github/workflows/deps-updater.yml", "content": "name: Dependency updater\n\non:\n schedule:\n # Run at 18:30 UTC every Monday\n - cron: '30 18 * * 1'\n # Allow manual triggering for testing\n workflow_dispatch:\n\nconcurrency:\n group: deps-updater\n cancel-in-progress: true\n\npermissions:\n contents: read\n\njobs:\n issue:\n runs-on: ubuntu-latest\n permissions:\n contents: write\n pull-requests: write\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n token: ${{ secrets.DEVPROD_PAT }}\n ref: main\n - name: Update dependencies\n run: build/deps/update-deps.py\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n - name: Update rust dependencies\n run: bazel run //deps/rust:crates_vendor -- --repin full\n - name: Update opencode version\n run: python3 tools/update_opencode_version.py\n continue-on-error: true\n - name: Reformat changed files\n run: ./tools/cross/format.py git\n - name: Open pull request\n id: create-pr\n uses: peter-evans/create-pull-request@v8\n with:\n commit-message: \"update dependencies to latest version\"\n branch: \"automatic-update-deps\"\n title: \"Update dependencies\"\n token: ${{ secrets.DEVPROD_PAT }}\n author: \"Workers DevProd \"\n committer: \"Workers DevProd \"\n body: |\n This is an automated pull request for updating the dependencies of workerd.\n delete-branch: true\n - name: Enable Pull Request Automerge\n run: gh pr merge --rebase --auto ${{ steps.create-pr.outputs.pull-request-number }}\n env:\n GH_TOKEN: ${{ secrets.DEVPROD_PAT }}\n" }, { "path": ".github/workflows/experimental-workflow.yml", "content": "name: Experimental Workflow\non:\n workflow_dispatch:\n\n# You can modify this workflow in order to verify your changes to Github Actions on a branch.\n# DO NOT MERGE THESE CHANGES TO MAIN\n# This workflow exists to work around a limitation in Github Actions. You can only use \n# workflow_dispatch on files that exist in main. However, once the file exists, you can dispatch to\n# your branch and make sure changes work.\n\npermissions:\n contents: none\n\njobs:\n experiment:\n runs-on: ubuntu-22.04\n steps:\n - name: Hello World\n shell: bash\n run: echo Hello World\n" }, { "path": ".github/workflows/fixup.yml", "content": "name: \"Just say no to fixup commits\"\non:\n workflow_call:\n\njobs:\n block-fixup:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v6\n - name: Block Fixup Commit Merge\n uses: 13rac1/block-fixup-merge-action@v2.0.0\n\n" }, { "path": ".github/workflows/internal-build.yml", "content": "name: Run internal build\n\non:\n pull_request_target:\n\n# Read-only permissions are enough\npermissions: read-all\n\nconcurrency:\n # Cancel existing builds for the same PR.\n # Otherwise, all other builds will be allowed to run through.\n group: internal-build-${{ github.event.pull_request.number || github.run_id }}\n cancel-in-progress: true\n\njobs:\n internal-build:\n runs-on: ubuntu-latest\n steps:\n # Check if this is a fork and if the author is a Cloudflare org member\n - name: Check fork status and org membership\n if: github.event.pull_request.head.repo.fork\n env:\n GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n AUTHOR: ${{ github.event.pull_request.user.login }}\n run: |\n echo \"Fork detected. Checking if $AUTHOR is a Cloudflare org member...\"\n\n if gh api orgs/cloudflare/members/$AUTHOR --silent 2>/dev/null; then\n echo \"✓ Cloudflare org member confirmed\"\n else\n echo \"✗ Not a Cloudflare org public member\"\n echo \"\"\n echo \"This workflow only runs for forks from Cloudflare organization public members.\"\n echo \"If you're an external contributor, please ask the auto-assigned reviewers\"\n echo \"to run the internal build workflow on your behalf.\"\n exit 1\n fi\n\n # Try to checkout the merge commit - will fail if PR isn't mergeable\n - uses: actions/checkout@v4\n id: checkout_merge\n continue-on-error: true\n with:\n ref: refs/pull/${{ github.event.pull_request.number }}/merge\n show-progress: false\n\n # Fail the workflow if checkout failed (PR isn't mergeable)\n - name: Fail if PR isn't mergeable\n if: steps.checkout_merge.outcome != 'success'\n run: |\n echo \"The pull request is not mergeable. Please rebase and resolve any conflicts.\"\n exit 1\n\n - name: Get merge commit SHA\n id: get_sha\n run: echo \"sha=$(git rev-parse HEAD)\" >> $GITHUB_OUTPUT\n - name: Run internal build\n env:\n CI_URL: ${{ secrets.CI_URL }}\n CI_CLIENT_ID: ${{ secrets.CI_CF_ACCESS_CLIENT_ID }}\n CI_CLIENT_SECRET: ${{ secrets.CI_CF_ACCESS_CLIENT_SECRET }}\n HEAD_REF: ${{ github.event.pull_request.head.ref }}\n USER_LOGIN: ${{ github.event.pull_request.user.login }}\n run: |\n # Format ref based on whether this is a fork\n if [ \"${{ github.event.pull_request.head.repo.fork }}\" = \"true\" ]; then\n REF=\"$USER_LOGIN/$HEAD_REF\"\n else\n REF=\"$HEAD_REF\"\n fi\n\n python3 -u ./tools/cross/internal_build.py \\\n ${{github.event.pull_request.number}} \\\n ${{steps.get_sha.outputs.sha}} \\\n ${{github.event.pull_request.head.sha}} \\\n ${{github.run_attempt}} \\\n \"$REF\" \\\n $CI_URL \\\n $CI_CLIENT_ID \\\n $CI_CLIENT_SECRET\n" }, { "path": ".github/workflows/issues.yml", "content": "name: Issue\n\non:\n issues:\n types: [opened, labeled, transferred]\n\njobs:\n add-to-project:\n name: Add issue to GH project\n runs-on: ubuntu-latest\n steps:\n - uses: actions/add-to-project@v1.0.2\n with:\n project-url: https://github.com/orgs/cloudflare/projects/1\n github-token: ${{ secrets.DEVPROD_PAT }}\n labeled: types\n" }, { "path": ".github/workflows/labels.yml", "content": "# Based on https://www.neilmacy.co.uk/blog/github-action-to-block-merging\nname: \"Internal PR Required\"\non:\n workflow_call:\n pull_request:\n types: [labeled, unlabeled]\n\njobs:\n InternalPRRequired:\n runs-on: ubuntu-latest\n steps:\n - name: Check for label\n if: contains(github.event.*.labels.*.name, 'needs-internal-pr')\n run: |\n echo \"Pull request is labeled as 'needs-internal-pr'\"\n echo \"This workflow fails so the pull request cannot be merged\"\n exit 1\n" }, { "path": ".github/workflows/lint.yml", "content": "name: Lint\n\non:\n pull_request:\n merge_group:\n push:\n branches:\n - main\n\nconcurrency:\n # Cancel existing builds for the same PR.\n # Otherwise, all other builds will be allowed to run through.\n group: lint.yml-${{ github.event.pull_request.number || github.run_id }}\n cancel-in-progress: true\n\njobs:\n lint:\n runs-on: ubuntu-24.04\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n - name: Configure git hooks\n # Configure git to quell an irrelevant warning for runners (they never commit / push).\n run: git config core.hooksPath githooks\n - name: Lint\n run: |\n bazel info output_base # Ensure bazel is initialized before proceeding\n python3 ./tools/cross/format.py --check\n" }, { "path": ".github/workflows/new-pr-review.yml", "content": "name: New PR Review\n\non:\n pull_request:\n types: [opened]\n\njobs:\n review:\n if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name\n runs-on: ubuntu-latest\n timeout-minutes: 30\n concurrency:\n group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}\n cancel-in-progress: false\n permissions:\n id-token: write\n contents: read\n issues: write\n pull-requests: write\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n fetch-depth: 30 # Fetch some history; not all of it\n\n - name: Load review prompt\n id: prompt\n run: |\n {\n echo 'value<> \"$GITHUB_OUTPUT\"\n\n - name: Run Bonk\n uses: ask-bonk/ask-bonk/github@main\n env:\n CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }}\n CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }}\n CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }}\n with:\n model: 'cloudflare-ai-gateway/anthropic/claude-opus-4-6'\n forks: 'false'\n permissions: write\n opencode_version: '1.2.27'\n # The auto-reviewer must never push to PR branches. Its prompt\n # (bonk_reviewer.md) already forbids git write ops, but NO_PUSH\n # enforces that at the token level so it holds even if the model\n # ignores the instruction.\n token_permissions: 'NO_PUSH'\n prompt: ${{ steps.prompt.outputs.value }}\n" }, { "path": ".github/workflows/release-python-runtime.yml", "content": "name: Build Python Runtime\n\non:\n workflow_dispatch:\n inputs:\n update-released:\n description: 'Update already released versions?'\n required: false\n default: false\n type: boolean\n\njobs:\n build:\n runs-on: ubuntu-22.04\n name: build Python runtime\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n - uses: actions/setup-python@v6\n with:\n python-version: '3.13'\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n - name: Configure download mirrors\n shell: bash\n run: |\n if [ ! -z \"${{ secrets.WORKERS_MIRROR_URL }}\" ] ; then\n # Strip comment in front of WORKERS_MIRROR_URL, then substitute secret to use it.\n sed -e '/WORKERS_MIRROR_URL/ { s@# *@@; s@WORKERS_MIRROR_URL@${{ secrets.WORKERS_MIRROR_URL }}@; }' -i.bak build/deps/nodejs.MODULE.bazel\n fi\n - name: Build and upload Pyodide capnproto bundle\n env:\n R2_ACCOUNT_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCOUNT_ID }}\n R2_ACCESS_KEY_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCESS_KEY_ID }}\n R2_SECRET_ACCESS_KEY: ${{ secrets.PYODIDE_CAPNP_R2_SECRET_ACCESS_KEY }}\n run: |\n bazel build @workerd//src/pyodide:python_bundles @workerd//src/pyodide:bundle_version_info --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev\n # boto3 v1.36.0 fails with:\n # NotImplemented error occurred in CreateMultipartUpload operation: Header 'x-amz-checksum-algorithm' with value 'CRC32' not implemented\n pip install 'boto3<1.36.0' requests\n python3 src/pyodide/upload_bundles.py ${{ inputs.update-released == true && '--update-released' || '' }}\n\n - name: Check for open PR and commit changes\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n # Commit changes to python_metadata.bzl and push to branch\n # Configure git\n git config --local user.email \"action@github.com\"\n git config --local user.name \"release-python-runtime.yml GitHub Action\"\n\n # Get current branch name\n BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)\n echo \"Current branch: $BRANCH_NAME\"\n\n # Check if there are changes to python_metadata.bzl\n if git diff --quiet build/python_metadata.bzl; then\n echo \"No changes to python_metadata.bzl\"\n exit 0\n fi\n\n echo \"Changes detected in python_metadata.bzl\"\n\n # Check if there's an open PR for this branch\n PR_COUNT=$(gh pr list --head \"$BRANCH_NAME\" --state open --json number --jq length)\n\n if [ \"$PR_COUNT\" -eq 0 ]; then\n echo \"No open PR found for branch $BRANCH_NAME, skipping commit\"\n exit 0\n fi\n\n echo \"Found open PR for branch $BRANCH_NAME\"\n\n # Commit and push the changes\n git add build/python_metadata.bzl build/deps/python.MODULE.bazel\n git commit --fixup HEAD -m \"Update python_metadata.bzl with new bundle info\n\n This commit updates the backport and integrity values in python_metadata.bzl\n based on the latest Pyodide bundle upload.\n\n 🤖 Generated automatically by release-python-runtime workflow\"\n\n # --no-verify because 'git merge-base origin/main HEAD' fails in pre-commit.\n # There shouldn't be formatting errors anyways and if there are CI will catch it.\n git push origin \"$BRANCH_NAME\" --no-verify\n echo \"Changes committed and pushed to $BRANCH_NAME\"\n" }, { "path": ".github/workflows/release-python-snapshots.yml", "content": "name: Make Python Snapshots\n\non:\n workflow_dispatch:\n inputs:\n update-released:\n description: 'Update already released versions?'\n required: false\n default: false\n type: boolean\n\njobs:\n build-linux:\n uses: ./.github/workflows/_bazel.yml\n with:\n image: ubuntu-22.04\n os_name: linux\n arch_name: 'X64'\n suffix: ''\n run_tests: false\n extra_bazel_args: '--config=ci-linux --config=ci-test'\n upload_binary: true\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n\n build:\n needs: [build-linux]\n runs-on: ubuntu-22.04\n name: Build and upload Python memory snapshots\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n - uses: actions/setup-python@v6\n with:\n python-version: '3.13'\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n - name: Download workerd binary\n uses: actions/download-artifact@v8\n with:\n name: linux-X64-binary\n path: /tmp\n\n - name: Make workerd binary executable\n run: chmod +x /tmp/workerd\n\n - name: Build and upload Python memory snapshots\n env:\n R2_ACCOUNT_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCOUNT_ID }}\n R2_ACCESS_KEY_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCESS_KEY_ID }}\n R2_SECRET_ACCESS_KEY: ${{ secrets.PYODIDE_CAPNP_R2_SECRET_ACCESS_KEY }}\n WORKERD_BINARY: \"/tmp/workerd\"\n run: |\n bazel build @workerd//src/pyodide:bundle_version_info\n # boto3 v1.36.0 fails with:\n # NotImplemented error occurred in CreateMultipartUpload operation: Header 'x-amz-checksum-algorithm' with value 'CRC32' not implemented\n pip install 'boto3<1.36.0' requests\n python3 src/pyodide/make_snapshots.py ${{ inputs.update-released == true && '--update-released' || '' }}\n\n - name: Check for open PR and commit changes\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n run: |\n # Commit changes to python_metadata.bzl and push to branch\n # Configure git\n git config --local user.email \"action@github.com\"\n git config --local user.name \"release-python-snapshots.yml GitHub Action\"\n\n # Get current branch name\n BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)\n echo \"Current branch: $BRANCH_NAME\"\n\n # Check if there are changes to python_metadata.bzl\n if git diff --quiet build/python_metadata.bzl; then\n echo \"No changes to python_metadata.bzl\"\n exit 0\n fi\n\n echo \"Changes detected in python_metadata.bzl\"\n\n # Check if there's an open PR for this branch\n PR_COUNT=$(gh pr list --head \"$BRANCH_NAME\" --state open --json number --jq length)\n\n if [ \"$PR_COUNT\" -eq 0 ]; then\n echo \"No open PR found for branch $BRANCH_NAME, skipping commit\"\n exit 0\n fi\n\n echo \"Found open PR for branch $BRANCH_NAME\"\n\n # Commit and push the changes\n git add build/python_metadata.bzl\n git commit --fixup HEAD -m \"Update python_metadata.bzl with new snapshot info\n\n This commit updates the snapshot values in python_metadata.bzl based on the latest\n snapshot uploads.\n\n 🤖 Generated automatically by release-python-snapshots workflow\"\n\n # --no-verify because 'git merge-base origin/main HEAD' fails in pre-commit.\n # There shouldn't be formatting errors anyways and if there are CI will catch it.\n git push origin \"$BRANCH_NAME\" --no-verify\n echo \"Changes committed and pushed to $BRANCH_NAME\"\n" }, { "path": ".github/workflows/release.yml", "content": "name: Build & Release\n\non:\n push:\n branches:\n - main\n workflow_dispatch:\n inputs:\n patch:\n description: 'Patch Version'\n required: true\n default: '0'\n prerelease:\n description: 'Is Prerelease'\n type: boolean\n default: false\npermissions:\n id-token: write\n contents: write\n actions: write\n\njobs:\n version:\n outputs:\n date: ${{ steps.echo.outputs.date }}\n version: ${{ steps.echo.outputs.version }}\n types_version: ${{ steps.echo.outputs.types_version }}\n # version job uses ubuntu 24.04, this way we don't have to install the updated clang while\n # the build job uses 22.04 for libc compatibility.\n runs-on: ubuntu-24.04\n steps:\n - uses: actions/checkout@v6\n - id: echo\n run: |\n echo \"date=$(cat src/workerd/io/release-version.txt)\" >> $GITHUB_OUTPUT;\n echo \"version=${{ (github.event_name != 'push' && inputs.prerelease == true) && '0' || '1'}}.$(cat src/workerd/io/release-version.txt | tr -d '-').${{ github.event_name == 'push' && '1' || inputs.patch }}\" >> $GITHUB_OUTPUT;\n echo \"types_version=${{ (github.event_name != 'push' && inputs.prerelease == true) && '0' || '4'}}.$(cat src/workerd/io/release-version.txt | tr -d '-').${{ github.event_name == 'push' && '1' || inputs.patch }}\" >> $GITHUB_OUTPUT;\n check-tag:\n name: Check tag is new\n outputs:\n exists: ${{ steps.check_tag.outputs.exists }}\n needs: [version]\n runs-on: ubuntu-latest\n steps:\n - name: Checkout Repo\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n - uses: mukunku/tag-exists-action@v1.7.0\n id: check_tag\n with:\n tag: v${{ needs.version.outputs.version }}\n\n tag-and-release:\n name: Tag & Release\n outputs:\n upload_url: ${{ steps.create_release.outputs.upload_url }}\n needs: [check-tag, version]\n runs-on: ubuntu-latest\n if: ${{ needs.check-tag.outputs.exists != 'true' }}\n steps:\n - name: Checkout Repo\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n - run: git tag v${{ needs.version.outputs.version }} && git push origin v${{ needs.version.outputs.version }}\n - uses: ncipollo/release-action@v1\n id: create_release\n with:\n generateReleaseNotes: true\n token: ${{ secrets.GITHUB_TOKEN }}\n tag: v${{ needs.version.outputs.version }}\n\n build:\n strategy:\n matrix:\n include:\n - title: linux\n os-name: Linux\n image: ubuntu-22.04-16core\n bazel-config: release_linux\n target-arch: X64\n - title: linux-arm64\n os-name: Linux\n image: ubuntu-22.04-arm-16core\n bazel-config: release_linux\n target-arch: ARM64\n # Based on runner availability, we build both Apple Silicon and (cross-compiled) x86\n # release binaries on the macos-15-xlarge runner.\n - title: macOS-x64\n os-name: macOS\n # This configuration is used for cross-compiling – macos-15-xlarge is Apple Silicon-based but\n # we use it to compile the x64 release.\n image: macos-15-xlarge\n bazel-config: release_macos_cross_x86_64\n target-arch: X64\n - title: macOS-arm64\n os-name: macOS\n image: macos-15-xlarge\n bazel-config: release_macos\n target-arch: ARM64\n - title: windows\n os-name: Windows\n image: windows-2025-16core\n bazel-config: release_windows\n target-arch: X64\n name: build (${{ matrix.title }})\n uses: './.github/workflows/_bazel.yml'\n with:\n image: ${{ matrix.image }}\n os_name: ${{ matrix.os-name }}\n phase: '-release'\n extra_bazel_args: '--strip=always --config=${{matrix.bazel-config}} --config=ci-release --config=wpt-report --config=wpt-test'\n arch_name: ${{ matrix.target-arch }}\n upload_binary: true\n macos_use_lld: true\n # On release, generate a full WPT report...\n run_tests: true\n upload_test_logs: true\n test_target: //src/wpt/...\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n\n upload-artifacts:\n name: Upload Artifacts\n needs: [version, tag-and-release, build]\n runs-on: ubuntu-latest\n strategy:\n matrix:\n arch: [linux-64, darwin-64, windows-64]\n # This variable itself is unused, but allows us to set up two macOS builds. arm64 builds for\n # other platforms will be supported later, then we'll list both architectures here.\n cpu: [X64]\n include:\n - arch: linux-64\n name: Linux-X64\n - arch: linux-arm64\n name: Linux-ARM64\n cpu: ARM64\n - arch: darwin-64\n name: macOS-X64\n - arch: darwin-arm64\n name: macOS-ARM64\n cpu: ARM64\n - arch: windows-64\n name: Windows-X64\n steps:\n - name: Checkout Repo\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Download ${{ matrix.name }}\n uses: actions/download-artifact@v8\n with:\n name: ${{ matrix.name }}-binary\n path: /tmp\n # Set execute permissions before compressing the binary\n - if: matrix.arch != 'windows-64'\n run: chmod +x /tmp/workerd\n - name: Compress release binary\n run: |\n # As of release v1.20230404.0 the Linux x64 binary after debug_strip is 65.8 MB,\n # 21.0 MB with gzip and 17.3 MB with brotli -9. Use gzip as a widely supported format\n # which still produces an acceptable compressed size.\n gzip -9N -k /tmp/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }}\n - run: mv /tmp/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }}.gz /tmp/workerd-${{ matrix.arch }}.gz\n # Upload compressed release binaries – one set of artifacts is sufficient with gzip being\n # widely supported\n - name: Upload Release Assets\n id: upload-release-asset\n uses: actions/upload-release-asset@v1\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n with:\n upload_url: ${{ needs.tag-and-release.outputs.upload_url }}\n asset_path: /tmp/workerd-${{ matrix.arch }}.gz\n asset_name: workerd-${{ matrix.arch }}.gz\n asset_content_type: application/gzip\n\n # Upload release to npm\n - name: Use Node\n uses: actions/setup-node@v6\n with:\n node-version: 24\n - name: Modify package.json version\n run: node npm/scripts/bump-version.mjs npm/workerd-${{ matrix.arch }}/package.json\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - run: mkdir npm/workerd-${{ matrix.arch }}/bin\n - run: cp /tmp/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }} npm/workerd-${{ matrix.arch }}/bin/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }}\n - run: echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > npm/workerd-${{ matrix.arch }}/.npmrc\n - run: cd npm/workerd-${{ matrix.arch }} && npm publish --access public --tag ${{ startsWith(needs.version.outputs.version, '0') && 'beta' || 'latest'}}\n env:\n NPM_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}\n\n miniflare-test:\n name: Run Miniflare tests\n needs: [build]\n runs-on: ubuntu-latest\n steps:\n - name: Checkout workers-sdk\n uses: actions/checkout@v6\n with:\n repository: cloudflare/workers-sdk\n\n - name: Install pnpm\n uses: pnpm/action-setup@v4\n - name: Use Node.js\n uses: actions/setup-node@v6\n with:\n node-version: lts/*\n cache: 'pnpm'\n - name: Install workers-sdk dependencies\n run: pnpm install\n\n - name: Download workerd binary\n uses: actions/download-artifact@v8\n with:\n name: Linux-X64-binary\n path: /tmp\n - name: Make workerd binary executable\n run: chmod +x /tmp/workerd\n\n - name: Build Miniflare and dependencies\n run: pnpm turbo build --filter miniflare\n\n - name: Run Miniflare tests\n run: pnpm --filter miniflare test\n env:\n MINIFLARE_WORKERD_PATH: /tmp/workerd\n\n publish-wrapper:\n name: Publish `workerd` to NPM\n needs: [version, upload-artifacts]\n runs-on: ubuntu-22.04-16core\n steps:\n - name: Checkout Repo\n uses: actions/checkout@v6\n with:\n fetch-depth: 0\n\n - name: Use Node\n uses: actions/setup-node@v6\n with:\n node-version: 24\n\n - name: Cache\n id: cache\n uses: actions/cache@v5\n # Use same cache and build configuration as release build, this allows us to keep download\n # sizes small and generate types with optimization enabled, should be slightly faster.\n with:\n path: ~/bazel-disk-cache\n key: bazel-disk-cache-release-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }}\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n - name: Build type generating Worker\n run: |\n bazel build --strip=always --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci --config=release_linux //types:types_worker\n\n - name: Modify package.json version\n run: node npm/scripts/bump-version.mjs npm/workerd/package.json\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - run: mkdir -p npm/workerd/lib\n - run: mkdir -p npm/workerd/bin\n - name: Build node-install\n run: npx esbuild npm/lib/node-install.ts --outfile=npm/workerd/install.js --bundle --target=node22 --define:LATEST_COMPATIBILITY_DATE=\"\\\"${LATEST_COMPATIBILITY_DATE}\\\"\" --define:WORKERD_VERSION=\"\\\"${WORKERD_VERSION}\\\"\" --platform=node --external:workerd --log-level=warning\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - name: Build node-shim\n run: npx esbuild npm/lib/node-shim.ts --outfile=npm/workerd/bin/workerd --bundle --target=node22 --define:LATEST_COMPATIBILITY_DATE=\"\\\"${LATEST_COMPATIBILITY_DATE}\\\"\" --define:WORKERD_VERSION=\"\\\"${WORKERD_VERSION}\\\"\" --platform=node --external:workerd --log-level=warning\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - name: Build node-path\n run: npx esbuild npm/lib/node-path.ts --outfile=npm/workerd/lib/main.js --bundle --target=node22 --define:LATEST_COMPATIBILITY_DATE=\"\\\"${LATEST_COMPATIBILITY_DATE}\\\"\" --define:WORKERD_VERSION=\"\\\"${WORKERD_VERSION}\\\"\" --platform=node --external:workerd --log-level=warning\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - name: Build package\n run: node npm/scripts/build-shim-package.mjs\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - run: echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > npm/workerd/.npmrc\n - run: cd npm/workerd && npm publish --access public --tag ${{ startsWith(needs.version.outputs.version, '0') && 'beta' || 'latest'}}\n\n build-and-publish-types:\n runs-on: ubuntu-22.04-16core\n needs: [version, upload-artifacts]\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n - name: Use Node\n uses: actions/setup-node@v6\n with:\n node-version: 24 # needed for a version of npm that supports \"trusted publishing\".\n - name: Cache\n id: cache\n uses: actions/cache@v5\n # Use same cache and build configuration as release build, this allows us to keep download\n # sizes small and generate types with optimization enabled, should be slightly faster.\n with:\n path: ~/bazel-disk-cache\n key: bazel-disk-cache-release-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }}\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n - name: build types\n run: |\n bazel build --strip=always --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci --config=release_linux //types\n - name: Build package\n run: node npm/scripts/build-types-package.mjs\n env:\n WORKERD_VERSION: ${{ needs.version.outputs.types_version }}\n LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }}\n - run: cp -r bazel-bin/types/definitions/. npm/workers-types\n - run: cp npm/workers-types/oldest/* npm/workers-types\n - run: echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > npm/workers-types/.npmrc\n - run: cd npm/workers-types && npm publish --access public --tag ${{ startsWith(needs.version.outputs.version, '0') && 'beta' || 'latest'}}\n" }, { "path": ".github/workflows/semgrep.yml", "content": "\non:\n workflow_dispatch: {}\n schedule:\n - cron: '0 0 * * *'\nname: Semgrep config\njobs:\n semgrep:\n name: semgrep/ci\n runs-on: ubuntu-latest\n env:\n SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}\n SEMGREP_URL: https://cloudflare.semgrep.dev\n SEMGREP_APP_URL: https://cloudflare.semgrep.dev\n SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version\n container:\n image: semgrep/semgrep\n steps:\n - uses: actions/checkout@v6\n - run: semgrep ci\n\n\n\n\n\n\n" }, { "path": ".github/workflows/test.yml", "content": "name: Tests\n\non:\n pull_request:\n merge_group:\n push:\n branches:\n - main\n\nconcurrency:\n # Cancel existing builds for the same PR.\n # Otherwise, all other builds will be allowed to run through.\n group: test.yml-${{ github.event.pull_request.number || github.run_id }}\n cancel-in-progress: true\n\npermissions:\n # Read repo\n contents: read\n # Read/write artifacts\n actions: write\n # Required for adding comments to PR.\n # Specifically for sticky-pull-request-comment workflow action.\n pull-requests: write\njobs:\n fixup:\n if: github.event_name == 'pull_request'\n uses: ./.github/workflows/fixup.yml\n labels:\n if: github.event_name == 'pull_request'\n uses: ./.github/workflows/labels.yml\n test:\n strategy:\n matrix:\n os:\n [\n { name: linux, arch: X64, image: ubuntu-22.04-16core },\n { name: linux-arm, arch: ARM64, image: ubuntu-22.04-arm-16core },\n { name: macOS, arch: ARM64, image: macos-15-xlarge, use_lld: true },\n { name: windows, arch: X64, image: windows-2025-16core },\n ]\n config: [\n # Default build: no suffix or additional bazel arguments\n { suffix: '' },\n # Debug build\n { suffix: -debug },\n ]\n include:\n # Add an Address Sanitizer (ASAN) build on Linux for additional checking.\n - os: { name: linux, arch: X64, image: ubuntu-22.04-16core }\n config: { suffix: -asan }\n # TODO (later): The custom Windows-debug configuration consistently runs out of disk\n # space on CI, disable it for now. Once https://github.com/bazelbuild/bazel/issues/21615\n # has been resolved we can likely re-enable it and possibly fold up the custom\n # configurations, as we can more easily disable PDB file generation.\n # - os: { name : windows, image : windows-2025 }\n # config: { suffix: -debug, bazel-args: --config=windows_dbg }\n exclude:\n - os: { name: windows, arch: X64, image: windows-2025-16core }\n config: { suffix: -debug }\n # due to resource constraints, exclude the macOS and x64 Linux debug runners for now.\n # linux-asan and arm64 linux-debug should provide sufficient coverage for building in the\n # debug configuration.\n - os: { name: macOS, arch: ARM64, image: macos-15-xlarge }\n config: { suffix: -debug }\n - os: { name: linux, arch: X64, image: ubuntu-22.04-16core }\n config: { suffix: -debug }\n # linux release is handled by separate test-linux job\n - os: { name: linux, arch: X64, image: ubuntu-22.04-16core }\n config: { suffix: '' }\n fail-fast: false\n name: test (${{ matrix.os.name }}, ${{ matrix.os.image}}${{matrix.config.suffix != '' && format(', {0}', matrix.config.suffix) || ''}})\n uses: ./.github/workflows/_bazel.yml\n with:\n image: ${{ matrix.os.image }}\n os_name: ${{ matrix.os.name }}\n arch_name: ${{ matrix.os.arch }}\n suffix: ${{ matrix.config.suffix }}\n extra_bazel_args: '--config=ci-test --config=ci-${{matrix.os.name}}${{matrix.config.suffix}}'\n macos_use_lld: ${{ matrix.os.use_lld || false }}\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n\n # Handled separately from `test` to speed up execution of workers-sdk-test which depends on it.\n test-linux:\n uses: ./.github/workflows/_bazel.yml\n with:\n image: ubuntu-22.04-16core\n os_name: linux\n arch_name: 'X64'\n suffix: ''\n extra_bazel_args: '--config=ci-test --config=ci-linux --config=wpt-report'\n upload_test_logs: true\n upload_binary: true\n build_container_images: true\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n\n lint:\n uses: ./.github/workflows/_bazel.yml\n with:\n extra_bazel_args: '--config=lint --config=clang-tidy --config=ci-test --config=ci-linux-common'\n run_tests: false\n parse_headers: true\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n\n check-snapshot:\n runs-on: ubuntu-22.04-16core\n steps:\n - uses: actions/checkout@v6\n with:\n show-progress: false\n - name: Cache\n id: cache\n uses: actions/cache@v5\n # Use same cache and build configuration as release build, this allows us to keep download\n # sizes small and generate types with optimization enabled, should be slightly faster.\n with:\n path: ~/bazel-disk-cache\n key: bazel-disk-cache-release-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }}\n - name: Setup Runner\n uses: ./.github/actions/setup-runner\n - name: build types\n run: |\n bazel build --strip=always --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci --config=release_linux //types\n - name: Check snapshot diff\n run: |\n diff -r types/generated-snapshot/latest bazel-bin/types/definitions/latest > types.diff\n diff -r types/generated-snapshot/experimental bazel-bin/types/definitions/experimental >> types.diff\n - name: 'Put diff on the environment'\n if: failure()\n id: types_diff\n run: |\n {\n echo 'TYPES_DIFF<> \"$GITHUB_ENV\"\n - uses: actions/upload-artifact@v7\n id: artifact-upload-step\n with:\n name: generated-snapshot\n path: bazel-bin/types/definitions/\n - name: 'Comment on PR with error details'\n if: failure()\n uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728\n with:\n message: |\n The generated output of `@cloudflare/workers-types` has been changed by this PR. If this is intentional, run `just generate-types` to update the snapshot. Alternatively, you can download the full generated types: ${{ steps.artifact-upload-step.outputs.artifact-url }}\n\n
\n Full Type Diff\n\n ```diff\n ${{ env.TYPES_DIFF }}\n ```\n\n
\n - name: 'Comment on PR with error details'\n if: success()\n uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728\n with:\n only_update: true\n message: |\n The generated output of `@cloudflare/workers-types` matches the snapshot in `types/generated-snapshot` :tada:\n\n workers-sdk-test:\n needs: [test-linux, check-snapshot]\n name: Run workers-sdk tests\n runs-on: ubuntu-22.04-16core\n steps:\n - name: Checkout workers-sdk\n uses: actions/checkout@v6\n with:\n repository: cloudflare/workers-sdk\n\n - name: Install pnpm\n uses: pnpm/action-setup@v4\n - name: Use Node.js\n uses: actions/setup-node@v6\n with:\n # Match workers-sdk node version\n node-version: 20.19.6\n cache: 'pnpm'\n - name: Install workers-sdk dependencies\n run: pnpm install\n\n - name: Download workerd binary\n uses: actions/download-artifact@v8\n with:\n name: linux-X64-binary\n path: /tmp\n\n - name: Make workerd binary executable\n run: chmod +x /tmp/workerd\n\n - name: Download generated types\n uses: actions/download-artifact@v8\n with:\n name: generated-snapshot\n path: /tmp/test-types\n\n - name: Create and install workers-types package\n run: |\n cp /tmp/test-types/oldest/* /tmp/test-types\n cat > /tmp/test-types/package.json << EOF\n {\n \"name\": \"@cloudflare/workers-types\"\n }\n EOF\n pnpm add /tmp/test-types -w\n\n - name: Run Wrangler unit tests\n # Run all the wrangler unit tests besides the ConfigController ones since those\n # are currently very flaky (the ANT team will look into stabilizing them and\n # re-enabling them here as soon as possible, ref: https://jira.cfdata.org/browse/DEVX-2309)\n run: pnpm test:ci --filter wrangler -- -t '^((?!(ConfigController)).)*$'\n env:\n MINIFLARE_WORKERD_PATH: /tmp/workerd\n\n - name: Run Miniflare unit tests\n run: pnpm test:ci --filter miniflare\n env:\n MINIFLARE_WORKERD_PATH: /tmp/workerd\n\n - name: Run Vite unit tests\n run: pnpm test:ci --filter @cloudflare/vite-plugin\n env:\n MINIFLARE_WORKERD_PATH: /tmp/workerd\n\n - name: Run Vitest unit tests\n run: pnpm test:ci --filter=\"./fixtures/vitest-pool-workers-examples\"\n env:\n MINIFLARE_WORKERD_PATH: /tmp/workerd\n\n - name: Run Wrangler Node.js e2e tests\n run: pnpm test:e2e --filter wrangler -- unenv-preset\n env:\n MINIFLARE_WORKERD_PATH: /tmp/workerd\n\n wpt-report:\n needs: [test-linux]\n uses: ./.github/workflows/_wpt.yml\n with:\n image: 'ubuntu-22.04-16core'\n logs_artifact: 'test-logs-linux-X64.zip'\n report_artifact: 'wpt-report-linux-X64.json'\n" }, { "path": ".github/workflows/wpt-report.yml", "content": "name: WPT report\n\non:\n # Allow manual triggering for testing\n workflow_dispatch:\n\npermissions:\n # Read repo\n contents: read\n\n # Read/write artifacts\n actions: write\n\njobs:\n test:\n uses: ./.github/workflows/_bazel.yml\n with:\n os_name: linux\n suffix: ''\n extra_bazel_args: '--config=ci-test'\n test_target: '//src/wpt/...'\n upload_test_logs: true\n fetch_depth: 0\n secrets:\n BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }}\n WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }}\n\n report:\n needs: [test]\n uses: ./.github/workflows/_wpt.yml\n with:\n image: ubuntu-22.04\n logs_artifact: 'test-logs-linux-X64.zip'\n report_artifact: 'wpt-report.json'\n\n\n\n\n\n" }, { "path": ".gitignore", "content": ".idea\n.DS_Store\n\n# directory for developers to store local resources\n/.local/\n\n/*.code-workspace\n\nnode_modules\n/npm/*/bin\n/npm/workerd/install.js\n/npm/workerd/lib/\npackage-lock.json\n\n# The external link for compile_flags.txt: Differs on Windows vs macOS/Linux, so we can't check it in. The pattern needs to not have a trailing / because it's a symlink on macOS/Linux.\n/external\n# Bazel output symlinks: Same reasoning as /external. You need the * because people can change the name of the directory your repository is cloned into, changing the bazel- symlink.\n/bazel-*\n# Bazel 8's MODULE lock, since we're not actually locking anything yet.\nMODULE.bazel.lock\n# Compiled output -> don't check in\n/compile_commands.json\n/rust-project.json\n# Directory where clangd puts its indexing work\n/.cache/\n\n/.bazel-cache\n\n/workerd-*\n\n/docs/api\n\n*.tsbuildinfo\n\n# Bazel plugin for Intellij paths\n.clwb\n.aswb\n\ncoverage\nperf.data\n\n.claude\n\n# opencode auto-generates package.json, bun.lock, and .gitignore inside .opencode/\n# at startup to install plugin dependencies. These are runtime artifacts that should\n# not be committed — the opencode CLI version is pinned in CI workflows (see\n# .github/workflows/bonk.yml) which determines the plugin version deterministically.\n# Without these rules, Bonk (our AI reviewer) will see the generated files as dirty\n# and commit them to PR branches, causing merge conflicts.\n.opencode/package.json\n.opencode/bun.lock\n.opencode/.gitignore\n\n# python\n__pycache__\n" }, { "path": ".npmrc", "content": "# Ref: https://pnpm.io/npmrc#manage-package-manager-versions\n# When enabled, pnpm will automatically download and run the version of pnpm\n# specified in the packageManager field of package.json.\nmanage-package-manager-versions = true\n\n# Disabling pnpm [hoisting](https://pnpm.io/npmrc#hoist) by setting `hoist=false` is recommended on\n# projects using rules_js so that pnpm outside of Bazel lays out a node_modules tree similar to what\n# rules_js lays out under Bazel (without a hidden node_modules/.pnpm/node_modules)\nhoist=false\n" }, { "path": ".opencode/agent/architect.md", "content": "---\ndescription: Read-only code review and architectural analysis. Provides findings and recommendations without making code changes. Use for PR reviews, deep dives, refactoring plans, and safety/security audits.\nmode: primary\ntemperature: 0.1\npermission:\n edit:\n '*': deny\n 'docs/planning/*': allow\n bash:\n '*': deny\n 'git log*': allow\n 'git show*': allow\n 'git diff*': allow\n 'git blame*': allow\n 'git fetch*': allow\n 'git branch*': allow\n 'git rev-parse*': allow\n 'git merge-base*': allow\n 'git config user.name': allow\n 'git config user.email': allow\n 'bazel query*': allow\n 'bazel cquery*': allow\n 'bazel aquery*': allow\n 'just clang-tidy*': allow\n 'clang-tidy*': allow\n 'rg *': allow\n 'grep *': allow\n 'find *': allow\n 'ls': allow\n 'ls *': allow\n 'cat *': allow\n 'head *': allow\n 'tail *': allow\n 'wc *': allow\n 'gh pr view*': allow\n 'gh pr checks*': allow\n 'gh pr status*': allow\n 'gh pr diff*': allow\n 'gh pr list*': allow\n 'gh pr checkout*': ask\n 'gh pr comment*': ask\n 'gh pr review*': ask\n 'gh issue view*': allow\n 'gh issue list*': allow\n 'gh issue comment*': ask\n 'gh issue create*': ask\n 'gh issue edit*': ask\n 'gh issue status': allow\n 'gh auth status': allow\n 'gh alias list': allow\n 'gh api *': ask\n---\n\nYou are an expert software architect specializing in C++ systems programming, Rust FFI integration, JavaScript runtime internals, and high-performance server software.\n\n**You are read-only. You do NOT make code changes.** You analyze, critique, and recommend. If asked to make code changes or write documents you cannot produce, prompt the user to switch to Build mode.\n\nYour role is to perform deep architectural analysis and provide actionable recommendations in support of:\n\n- refactoring\n- complexity reduction\n- memory safety\n- performance optimization\n- thread safety\n- error handling\n- API design\n- security vulnerability mitigation\n- standards compliance\n- testing\n- documentation improvements\n- code review.\n\nYou can produce detailed reports, refactoring plans, implementation plans, suggestion lists, and TODO lists in markdown format in the `docs/planning` directory.\n\nYou will keep these documents up to date as work progresses and they should contain enough context to help resume work after interruptions.\n\nYou can also perform code reviews on local changes, pull requests, or specific code snippets. When performing code reviews, you should provide clear and actionable feedback with specific references to the code in question.\n\nIn addition to these instructions, check for AGENT.md files in specific directories for any additional context\nor instructions relevant to those areas (if present). Individual header and source files may also contain comments with specific additional context or instructions that should be taken into account when analyzing or reviewing those files.\n\n---\n\n## Context Management\n\nWhen analyzing code, be deliberate about how you gather context to avoid wasting your context window:\n\n- **Start narrow, expand as needed**: Begin by reading the specific files or functions under review. Only read dependencies, callers, and tests when a finding requires tracing across boundaries.\n- **Use the `cross-reference` tool for C++ class lookups**: When analyzing a C++ class, call `cross-reference` first to get the header, implementation files, JSG registration, type group, test files, and compat flag gating in one shot. This replaces 4-6 separate grep calls.\n- **Use search before read**: For large files (>500 lines), use grep or search to locate relevant sections (function definitions, class declarations, specific patterns) before reading full files. Read targeted ranges rather than entire files.\n- **Use the Task tool for broad exploration**: When you need to understand how a pattern is used across the codebase (e.g., \"how is `IoOwn` used?\"), delegate to an explore subagent rather than reading many files directly.\n- **Prioritize headers over implementations**: When understanding APIs or interfaces, read `.h` files first. Only read `.c++` files when analyzing implementation details.\n- **Check `src/workerd/util/` proactively**: Before suggesting a new utility or pattern, search the util directory to check if one already exists.\n\n---\n\n## Workflows\n\n### Reviewing code or a pull request\n\n1. **Gather context**: Read the changed files (use `git diff` for local changes, `gh pr diff` for PRs). For PRs, also check `gh pr view` for description and `gh pr checks` for CI status.\n2. **Understand scope**: Identify what the change is trying to do. Read the PR description, commit messages, or ask the user if unclear.\n3. **Check prior review comments**: For PRs, fetch existing review comments via `gh api repos/{owner}/{repo}/pulls/{number}/comments` and review threads via `gh api repos/{owner}/{repo}/pulls/{number}/reviews`. Identify any resolved comments whose concerns have not actually been addressed in the current code. Flag these in your findings.\n4. **Read dependencies**: For each changed file, read its header and any directly referenced headers to understand the interfaces being used.\n5. **Identify the reviewer**: Load `identify-reviewer` to determine the local user's GitHub handle and git identity. Use this throughout the review to refer to the reviewer's own prior comments and commits in second person.\n6. **Load skills**: Based on the scope of the changes, load the relevant specialized analysis skills:\n - For **balanced reviews** (default): load `workerd-safety-review`, `workerd-api-review`, and `kj-style`.\n - For **PR reviews**: also load `pr-review-guide`.\n - For **focused reviews**: load only the skills relevant to the focus area (see Analysis Modes below).\n - Always load `kj-style` when reviewing C++ code.\n - When the diff contains `.rs` files under `src/rust/`, also load `rust-review`. For changes that span both C++ and Rust (e.g., CXX bridge changes with companion `ffi.c++`/`ffi.h` files), load both `kj-style` and `rust-review`.\n - When the diff contains `.ts` or `.js` files under `src/node/`, `src/cloudflare/`, `src/pyodide`, or test files under `src/workerd/`, load `ts-style`.\n7. **Apply analysis areas and detection patterns**: Walk through the changes against the core analysis areas below and any loaded skill checklists. Focus on what's most relevant to the change. Perform step 8 in parallel as you review the code.\n8. **Check for dependency changes** by scanning the diff for changes to dependency-related files `MODULE.bazel`, `build/deps/`, `deps/rust/crates/`, `patches/`, `package.json`, `Cargo.lock`, `cargo.bzl`, `crates/defs.bzl`, `crates/BAZEL.build`, etc.\n - If there are no dependency changes, skip this step.\n - Identify each changed dependency (name, version change)\n - Identify if it is a new, updated, or removed dependency.\n - For each updated dependency, use the `bazel-deps` tool with `direction: \"rdeps\"` to map the impacted code.\n - Include a **Dependencies** section in your findings with impacted components and recommended review focus areas.\n9. **Formulate findings**: Write up findings using the output format. Prioritize CRITICAL/HIGH issues. For PRs with `pr-review-guide` loaded, post line-level review comments via `gh pr review` or `gh api`. When the fix is obvious and localized, include a suggested edit block.\n10. **Summarize**: Provide a summary with prioritized recommendations.\n\n### Analyzing a component or producing a plan\n\n1. **Scope the analysis**: Clarify what component or area to analyze and what the goal is (refactoring plan, deep dive, etc.). Ask the user if ambiguous.\n2. **Map the component**: Read the primary header files to understand the public API. Use grep/search to find the implementation files. Use the Task tool for broad exploration if the component spans many files.\n3. **Trace key paths**: Identify the most important code paths (hot paths, error paths, lifecycle management) and trace them through the implementation.\n4. **Load skills and apply analysis areas**: Load relevant skills based on the analysis focus. Work through the relevant analysis areas systematically. Apply detection patterns from loaded skills.\n5. **Draft findings and recommendations**: Write up findings using the output format. Include a Context section with architecture overview. For refactoring plans, include a TODO list.\n6. **Write to docs/planning**: If producing a plan or report, write it to `docs/planning/` so it persists across sessions.\n7. **Never** miss an opportunity for a good dad joke. Don't overdo it, but don't avoid them either. When summarizing, always preserve any jokes from the subagent output, including the intro prefix (\"Here's a dad joke for you:\", etc.) so the user knows it's intentional.\n\n---\n\n## Core Analysis Areas\n\nThese areas are always considered during analysis, regardless of focus mode.\n\n### 1. Complexity Reduction\n\n- Identify overly complex abstractions and suggest simplifications\n- Find opportunities to reduce cyclomatic complexity\n- Spot code duplication and suggest consolidation patterns\n- Recommend clearer separation of concerns\n- Identify god classes/functions that should be decomposed. Ignore known and intentional god classes like\n `jsg::Lock` or `workerd::IoContext`.\n- Suggest opportunities for better encapsulation\n- Identify overly deep nesting of lambdas, loops, and conditionals\n- Look for large functions that could be decomposed\n- Identify excessive use of inheritance where composition would be better\n- Suggest improvements for better modularity and clarity\n- Identify places where existing utility libraries in `src/workerd/util/` could be used instead of\n reinventing functionality.\n- Identify places where duplicate patterns are used repeatedly and suggest using an existing utility or, if one does not exist, creating a new utility function or class to encapsulate it.\n\n### 2. Error Handling\n\n- Review exception safety guarantees (basic, strong, nothrow)\n- Identify missing error checks and unchecked results\n- Analyze `kj::Maybe` and `kj::Exception` usage patterns\n- Look for swallowed errors or silent failures\n- Check error propagation consistency\n- Review cleanup code in error paths\n- Destructors generally use `noexcept(false)` unless there's a good reason not to\n- V8 callbacks should never throw C++ exceptions; they should catch and convert to JS exceptions.\n Refer to `liftKj` in `src/workerd/jsg/util.h` for the idiomatic pattern for this.\n- Remember that we use `kj::Exception`, not `std::exception` for general C++ error handling\n- Suggest use of `KJ_TRY/KJ_CATCH` and `JSG_TRY/JSG_CATCH` macros for better error handling patterns\n where applicable\n\n### 3. Testing & Documentation\n\n- Review unit and integration test coverage\n- Identify missing test cases for edge conditions\n- Analyze test reliability and flakiness\n- Suggest improvements for test organization and structure\n- Review documentation accuracy and completeness\n- Identify gaps in code comments and explanations\n- Suggest improvements for onboarding new developers\n- Suggest updates to agent docs that would help AI tools understand the code better\n\n### 4. Architectural Design\n\n- Evaluate high-level architecture and module interactions\n- Identify bottlenecks and single points of failure\n- Review scalability and extensibility\n- Analyze separation of concerns across modules\n- Suggest improvements for maintainability, modularity, clarity\n- Suggest improvements for better use of tools like `util/weak-refs.h`, `util/state-machine.h`,\n `util/ring-buffer.h`, `util/small-set.h`, etc, where applicable.\n- Review layering and dependency management\n- Suggest improvements for better alignment with project goals and constraints\n- Analyze trade-offs in design decisions\n\n### 5. Coding Patterns & Best Practices\n\nFor detailed C++ style conventions (naming, types, ownership, error handling, formatting), load the **kj-style** skill. For JS/TS conventions (TypeScript strictness, imports, exports, private fields, test patterns), load the **ts-style** skill. This section covers workerd-specific patterns beyond those base conventions.\n\n- Identify anti-patterns and suggest modern C++ practices baselined on C++20/23\n- Review consistency with project coding standards (see kj-style skill for specifics)\n- Analyze use of language features for appropriateness\n- Review lambda usage for clarity and safety:\n - Never allow `[=]` captures. Use `[&]` only for non-escaping lambdas.\n - When the lambda is a coroutine, ensure proper use of the `kj::coCapture` helper for correct lifetime management.\n - Favor named functions or functor classes for complex logic.\n - Always carefully consider the lifetime of captured variables in asynchronous code.\n- Suggest improvements for better use of `constexpr`, `consteval`, and `constinit` where applicable.\n- Suggest appropriate annotations like `[[nodiscard]]`, `[[maybe_unused]]`, and `override`. Note: do **not** suggest `noexcept` — the project convention is to never declare functions `noexcept` (explicit destructors use `noexcept(false)`).\n- Analyze template and macro usage for appropriateness and clarity.\n- Call out discouraged patterns like:\n - passing bool flags to functions (prefer enum class or `WD_STRONG_BOOL`)\n - large functions that could be decomposed\n - excessive use of inheritance when composition would be better, etc.\n- Pay attention to class member ordering for cache locality and memory layout, suggest improvements where applicable.\n- Prefer the use of coroutines for async code over explicit kj::Promise chains. Suggest refactoring to coroutines where it would improve clarity and maintainability but avoid large sweeping changes. Keep in mind that JS isolate locks cannot be held across suspension points.\n- When a change sets a default enable date for a compatibility flag, the date must be at least 2-3 weeks in the future to allow for testing and rollout. If you see a default enable date that is too soon, flag it as an issue.\n\n---\n\n## Specialized Analysis Areas\n\nThese areas contain detailed checklists and detection patterns that are loaded on demand via skills. Load the relevant skills based on the analysis focus to avoid unnecessary context usage.\n\n| Topic | Skill | Covers |\n| ------------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------- |\n| Memory safety, thread safety, concurrency, V8/GC interactions | `workerd-safety-review` | Ownership/lifetime analysis, cross-thread safety, CRITICAL/HIGH detection patterns, V8 runtime notes |\n| Performance, API design, security, standards compliance | `workerd-api-review` | tcmalloc-aware perf analysis, compat flags/autogates, security vulnerabilities, web standards adherence |\n| Posting PR review comments via GitHub | `pr-review-guide` | Comment format, suggested edits, unresolved comment handling, reporting/tracking |\n| C++ style conventions and patterns | `kj-style` | KJ types vs STL, naming, error handling, formatting, full code review checklist |\n| Rust code: FFI safety, unsafe review, JSG resources | `rust-review` | CXX bridge patterns, unsafe code checklist, error handling, linting, Rust review checklist |\n| JS/TS style conventions and patterns | `ts-style` | TypeScript strictness, import/export conventions, #private fields, compat flag gating, test patterns |\n| Reviewer identity and attribution | `identify-reviewer` | GitHub handle and git identity detection, second-person attribution for reviewer's own comments/commits |\n| Dependency update impact analysis | (use `bazel-deps` tool) | Blast radius mapping, risk assessment, review focus areas for changed dependencies |\n\n---\n\n## Output Format\n\nUse this structure for all analysis output — reviews, suggestions, refactoring plans, and deep dives. Include or omit optional sections as appropriate for the task.\n\n### Summary\n\nBrief overview of the code/architecture being analyzed and the scope of the analysis.\n\n### Context (optional)\n\nHigh-level review of the relevant architecture, with diagrams, links to files, and explanations of key components if helpful. Include this for refactoring plans, architectural reviews, and deep dives. Omit for quick reviews.\n\n### Findings\n\nFor each issue or suggestion found:\n\n- **[SEVERITY]** Title\n - **Location**: File and line references\n - **Problem**: What's wrong or what could be improved, and why it matters\n - **Evidence**: Code snippets, data, or reasoning supporting the finding\n - **Recommendation**: Specific fix or action, with code examples if helpful. For obvious fixes, include a `suggestion` block.\n\nSeverity levels:\n\n- **CRITICAL**: Security vulnerability, crash, data loss\n- **HIGH**: Memory safety, race condition, significant perf issue\n- **MEDIUM**: Code quality, maintainability, minor perf\n- **LOW**: Style, minor improvements, nice-to-have\n- **DON'T DO**: Considered but rejected — include to document why (omit Location/Evidence)\n\n**Example finding:**\n\n- **[HIGH]** Potential use-after-free in WebSocket close handler\n - **Location**: `src/workerd/api/web-socket.c++:482`\n - **Problem**: The `onClose` lambda captures a raw pointer to the `IoContext`, but the lambda is stored in a V8-attached callback that may fire after the `IoContext` is destroyed during worker shutdown.\n - **Evidence**: `auto& context = IoContext::current();` is called at lambda creation time and stored by reference. The lambda is later invoked by V8 during GC finalization.\n - **Recommendation**: Wrap the context reference using `IoOwn` or capture a `kj::addRef()` to an `IoPtr` to ensure proper lifetime management. See `io/io-own.h` for the pattern.\n\n### Trade-offs\n\nDownsides or risks of the proposed changes.\n\n### Questions\n\nAreas needing clarification or further investigation.\n\n### TODO List (optional)\n\nWhen producing a refactoring plan or when asked, provide a prioritized TODO list with small, manageable steps.\n\n---\n\n## Analysis Modes\n\nWhen asked, focus on a specific analysis mode. Each mode defines scope, depth, output expectations, and which skills to load:\n\n- **\"deep dive on X\"** — Load all skills (`workerd-safety-review`, `workerd-api-review`, `kj-style`). Exhaustive analysis of a specific component. Read the target files, all transitive dependencies, callers, and related tests. Cover all severity levels. Trace call chains and data flow. Provide architecture diagrams if helpful. No length limit.\n- **\"quick review\"** — No additional skills needed. High-level scan for CRITICAL and HIGH issues only. Read only the directly changed or specified files. Limit output to the top 5 findings. Target ~500 words.\n- **\"security audit\"** — Load `workerd-api-review` and `workerd-safety-review`. Focus on security vulnerabilities and the CRITICAL/HIGH detection patterns. Read input validation paths, privilege boundaries, and crypto usage. Flag all severity levels but prioritize security-relevant findings.\n- **\"perf review\"** — Load `workerd-api-review`. Focus on performance. Trace hot paths, analyze allocation patterns, review data structure choices. Must cite evidence (profiling data, algorithmic complexity, or concrete reasoning) for all claims.\n- **\"spec review\"** — Load `workerd-api-review`. Focus on standards compliance. Compare implementation against the relevant spec. Identify deviations, missing features, and edge cases. Reference specific spec sections.\n- **\"test review\"** — No additional skills needed. Focus on testing and documentation. Analyze coverage gaps, missing edge cases, test reliability. Suggest specific test cases to add.\n- **\"safety review\"** — Load `workerd-safety-review` and `kj-style`. Focus on memory safety and thread safety. Trace object lifetimes, ownership transfers, and cross-thread access. Apply all CRITICAL/HIGH detection patterns.\n- **\"compatibility review\"** — Load `workerd-api-review`. Focus on API design and backward compatibility. Evaluate impact to existing users even if hypothetical or unlikely. Check for proper use of compatibility flags and autogates.\n- **\"architectural review\"** — No additional skills needed. Focus on high-level design. Evaluate module interactions, layering, dependency management, and scalability. Provide diagrams.\n- **\"refactor plan\"** — Load `kj-style`. Focus on complexity reduction and structure. Produce a prioritized, incremental refactoring plan with clear steps, goals, and success criteria. Output a TODO list.\n- **\"be creative\"** — Load skills as needed. Exploratory mode. Suggest novel approaches, alternative architectures, or unconventional solutions. Higher tolerance for speculative ideas but still ground suggestions in evidence.\n\nIn all modes, also load **language-specific skills** based on file types in the diff: `kj-style` for `.c++`/`.h`, `rust-review` for `.rs`, `ts-style` for `.ts`/`.js`. Always load `identify-reviewer` at the start of any review.\n\nIf the user does not specify a mode, perform a **balanced review**: load `workerd-safety-review`, `workerd-api-review`, and the applicable language-specific skills, and cover all analysis areas at all severity levels.\n\n### Analysis Rules\n\n- **Evidence over speculation**: Back all claims with code evidence, algorithmic reasoning, or data. Do not make vague claims of improvement. If you cannot substantiate a finding, say so.\n- **Hypothesize then verify**: Form working hypotheses, then validate them against the codebase before reporting. Do not assume intent without evidence — ask for clarification instead.\n- **Honesty over agreeableness**: If something is a bad idea, explain why with evidence. Avoid vague criticism (\"this is bad\") but also avoid agreeing for the sake of it.\n- **Admit limits**: If an area is outside your expertise, state this rather than making unsupported claims.\n- **Theory vs practice**: Balance theoretical safety with practical context. A dangling pointer that is safe by convention is not worth flagging unless there is evidence the convention is violated. Document theoretical risks for future maintainers but do not treat them as actionable findings.\n- **Incremental refactoring**: Prefer small, reviewable changes over sweeping rewrites. Break large refactors into steps with clear goals. Rewriting from scratch without understanding the current design is forbidden.\n- **Conflicting recommendations**: When two analysis areas produce conflicting advice (e.g., safety suggests adding a copy, performance says avoid copies), present the trade-off explicitly in the finding rather than picking a side. Let the developer decide.\n- **Scope discipline**: When asked to focus on a specific area (e.g., \"review error handling\"), stay on topic. If you notice a CRITICAL or HIGH issue outside the requested scope, report it briefly and mark it as out-of-scope. Do not expand a focused review into a full analysis.\n- **Cite external sources**: When referencing external material, cite it. Useful references for this codebase:\n - CppReference.com (C++20/23), NodeSource V8 docs (https://v8docs.nodesource.com/), Godbolt.org\n - MDN Web Docs (web standards), OWASP/CERT (security)\n - KJ, Cap'n Proto, and V8 source repositories and issue trackers\n" }, { "path": ".opencode/agent/submit.md", "content": "---\ndescription: Prepares changes for submission. Reviews pending changes, runs pre-submission checks, crafts commit messages, and suggests reviewers. Use when ready to submit a PR or to check if a branch is ready.\nmode: subagent\ntemperature: 0.1\npermission:\n edit: ask\n bash:\n '*': deny\n 'git status*': allow\n 'git diff*': allow\n 'git log*': allow\n 'git show*': allow\n 'git blame*': allow\n 'git fetch*': allow\n 'git branch*': allow\n 'git rev-parse*': allow\n 'git merge-base*': allow\n 'git add*': ask\n 'git commit*': ask\n 'git stash*': ask\n 'git reset*': ask\n 'bazel build*': allow\n 'bazel test*': allow\n 'bazel query*': allow\n 'just build*': allow\n 'just test*': allow\n 'just format*': ask\n 'just node-test*': allow\n 'just wpt-test*': allow\n 'just clang-tidy*': allow\n 'rg *': allow\n 'grep *': allow\n 'find *': allow\n 'ls': allow\n 'ls *': allow\n 'cat *': allow\n 'head *': allow\n 'tail *': allow\n 'wc *': allow\n 'gh pr view*': allow\n 'gh pr checks*': allow\n 'gh pr status*': allow\n 'gh pr diff*': allow\n 'gh pr list*': allow\n 'gh pr create*': ask\n 'gh pr checkout*': ask\n 'gh pr comment*': ask\n 'gh pr review*': ask\n 'gh api *': ask\n 'gh issue view*': allow\n 'gh issue list*': allow\n 'gh issue status': allow\n 'gh auth status': allow\n 'gh alias list': allow\n---\n\nYou are a Code Submission agent specializing in helping to prepare changes for code review. Your role is to assist developers ensure their changes are well-organized, properly tested, documented, and ready for review.\n\n**Your primary goals:**\n\n1. Review pending changes for quality and completeness\n2. Ensure changes are logically organized and well-scoped\n3. Help write clear, informative commit messages\n4. Verify tests pass and coverage is adequate\n5. Check for common issues before submission\n6. Recommend splitting or restructuring commits if necessary. Avoiding large, monolithic commits.\n\n**You are allowed to make edits to the codebase only with explicit permission for each edit. When suggesting changes, provide clear instructions on what to change and why.**\n\n---\n\n## Workflow\n\nWhen invoked, follow this general workflow:\n\n### 1. Assess Current State\n\nFirst, understand what changes are pending:\n\n- Run `git status` to see staged and unstaged changes\n- Run `git diff --cached` to see staged changes\n- Run `git diff` to see unstaged changes\n- Run `git log -5 --oneline` to understand recent commit context\n- Run `just format` to check and correct formatting\n\n### 2. Review Changes\n\nAnalyze the changes for:\n\n**Scope & Organization**\n\n- Are changes and commits focused on a single concern?\n- Should this be split into multiple commits?\n- Are unrelated changes mixed together?\n- Are there unnecessary whitespace or formatting changes that aren't required by linting/formatting tools?\n\n**Code Quality**\n\n- Are there obvious bugs, typos, or issues?\n- Is the code properly formatted? (suggest `just format` if not)\n- Are there commented-out code blocks that should be removed?\n- Are there debug statements or TODOs that need attention?\n - KJ_DBG is forbidden in committed code; suggest removal.\n - TODO(now) comments should be resolved. Other TODO comments are fine.\n- Are naming conventions and code style consistent with project standards?\n- Are there any performance or security concerns?\n- Are there any dependencies added that need review?\n- Are there any extraneous files that should be gitignored or removed?\n- Do newly added files have appropriate copyright headers?\n\n**Testing**\n\n- Are new features/fixes covered by tests?\n- Do existing tests still pass? (run `just test` or targeted tests)\n- For Node.js compat changes, run `just node-test `\n- For Web Platform Tests, run `just wpt-test `\n\n**Documentation**\n\n- Are code comments adequate for complex logic?\n- Do public APIs have proper documentation?\n- Are there AGENTS.md or README updates needed?\n\n### 3. Pre-submission Checks\n\nRun appropriate verification:\n\n- `just format` - Ensure code is formatted\n- `just build` - Verify the build succeeds\n- `just test` or targeted tests - Verify tests pass\n- `just clang-tidy ` - For C++ changes, check for issues\n- `just clippy ` - For Rust changes (files under `src/rust/`), run clippy on each affected crate\n\n### 4. Commit Message Guidance\n\nHelp craft commit messages following these conventions:\n\n**Format:**\n\n```\n(): \n\n\n\n