Repository: cloudflare/workerd Branch: main Commit: d8e36b2aa3eb Files: 2426 Total size: 19.2 MB Directory structure: gitextract_w7af126f/ ├── .bazelignore ├── .bazelrc ├── .bazelversion ├── .clang-format ├── .clang-tidy ├── .devcontainer/ │ ├── Dockerfile │ └── devcontainer.json ├── .git-blame-ignore-revs ├── .github/ │ ├── CODEOWNERS │ ├── DISCUSSION_TEMPLATE/ │ │ ├── nodejs_api_request.yml │ │ └── python_package_request.yml │ ├── ISSUE_TEMPLATE/ │ │ ├── runtime-apis.md │ │ └── workers-types.md │ ├── actions/ │ │ └── setup-runner/ │ │ └── action.yml │ ├── bonk_reviewer.md │ ├── secret_scanning.yml │ └── workflows/ │ ├── _bazel.yml │ ├── _wpt.yml │ ├── bigbonk.yml │ ├── bonk.yml │ ├── cla.yml │ ├── codspeed.yml │ ├── coverage.yml │ ├── daily-release.yml │ ├── deps-updater.yml │ ├── experimental-workflow.yml │ ├── fixup.yml │ ├── internal-build.yml │ ├── issues.yml │ ├── labels.yml │ ├── lint.yml │ ├── new-pr-review.yml │ ├── release-python-runtime.yml │ ├── release-python-snapshots.yml │ ├── release.yml │ ├── semgrep.yml │ ├── test.yml │ └── wpt-report.yml ├── .gitignore ├── .npmrc ├── .opencode/ │ ├── agent/ │ │ ├── architect.md │ │ └── submit.md │ ├── commands/ │ │ ├── autogate.md │ │ ├── changelog.md │ │ ├── compat-flag.md │ │ ├── dep-impact.md │ │ ├── deps.md │ │ ├── explain.md │ │ ├── find-owner.md │ │ ├── find-test.md │ │ ├── investigate.md │ │ ├── just.md │ │ ├── onboarding.md │ │ ├── rdeps.md │ │ ├── review.md │ │ ├── run.md │ │ ├── submit.md │ │ ├── test-for.md │ │ ├── trace.md │ │ ├── trivia.md │ │ └── whats-new.md │ ├── skills/ │ │ ├── add-autogate/ │ │ │ └── SKILL.md │ │ ├── add-compat-flag/ │ │ │ └── SKILL.md │ │ ├── bazel-test-hygiene/ │ │ │ └── SKILL.md │ │ ├── commit-categories/ │ │ │ └── SKILL.md │ │ ├── dad-jokes/ │ │ │ └── SKILL.md │ │ ├── find-and-run-tests/ │ │ │ └── SKILL.md │ │ ├── identify-reviewer/ │ │ │ └── SKILL.md │ │ ├── investigation-notes/ │ │ │ └── SKILL.md │ │ ├── kj-style/ │ │ │ └── SKILL.md │ │ ├── markdown-drafts/ │ │ │ └── SKILL.md │ │ ├── parent-project-skills/ │ │ │ └── SKILL.md │ │ ├── pr-review-guide/ │ │ │ └── SKILL.md │ │ ├── receiving-code-review/ │ │ │ └── SKILL.md │ │ ├── rust-review/ │ │ │ └── SKILL.md │ │ ├── test-driven-investigation/ │ │ │ └── SKILL.md │ │ ├── ts-style/ │ │ │ └── SKILL.md │ │ ├── update-v8/ │ │ │ └── SKILL.md │ │ ├── verification-before-completion/ │ │ │ └── SKILL.md │ │ ├── wd-test-format/ │ │ │ ├── SKILL.md │ │ │ └── reference/ │ │ │ └── advanced-configs.md │ │ ├── workerd-api-review/ │ │ │ └── SKILL.md │ │ └── workerd-safety-review/ │ │ └── SKILL.md │ └── tools/ │ ├── bazel-deps.ts │ ├── capnp.ts │ ├── compat-date-at.ts │ ├── cross-reference.ts │ ├── jsg-interface.ts │ └── next-capnp-ordinal.ts ├── .prettierignore ├── .prettierrc.json ├── .vscode/ │ ├── extensions.json │ ├── launch.json │ ├── settings.json │ └── tasks.json ├── .zed/ │ └── settings.json ├── AGENTS.md ├── BUILD.bazel ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Dockerfile.release ├── LICENSE ├── MODULE.bazel ├── README.md ├── RELEASE.md ├── SECURITY.md ├── build/ │ ├── AGENTS.md │ ├── BUILD.all_pyodide_wheels │ ├── BUILD.nbytes │ ├── BUILD.pyodide │ ├── BUILD.pyodide_packages │ ├── BUILD.simdutf │ ├── BUILD.sqlite3 │ ├── BUILD.wpt │ ├── BUILD.zlib │ ├── capnp_embed.bzl │ ├── cc_ast_dump.bzl │ ├── ci.bazelrc │ ├── config/ │ │ └── BUILD.bazel │ ├── deps/ │ │ ├── BUILD │ │ ├── build_deps.jsonc │ │ ├── dep_pyodide.bzl │ │ ├── deps.jsonc │ │ ├── deps.schema.json │ │ ├── formatters/ │ │ │ ├── BUILD │ │ │ ├── rustfmt.MODULE.bazel │ │ │ └── rustfmt_repository.bzl │ │ ├── gen/ │ │ │ ├── build_deps.MODULE.bazel │ │ │ ├── deps.MODULE.bazel │ │ │ └── shared_deps.MODULE.bazel │ │ ├── nodejs.MODULE.bazel │ │ ├── oci.MODULE.bazel │ │ ├── python.MODULE.bazel │ │ ├── requirements.in │ │ ├── requirements.txt │ │ ├── rust.MODULE.bazel │ │ ├── shared_deps.jsonc │ │ ├── update-deps.py │ │ ├── v8.MODULE.bazel │ │ └── v8.requirements.txt │ ├── exts/ │ │ └── http.bzl │ ├── fixtures/ │ │ ├── BUILD.bazel │ │ └── kj_test.sh │ ├── google-benchmark/ │ │ ├── BUILD │ │ └── MODULE.bazel │ ├── http.bzl │ ├── http_proxy_config.bzl │ ├── js_capnp_library.bzl │ ├── js_file.bzl │ ├── kj_test.bzl │ ├── lint_test.bzl │ ├── perfetto/ │ │ ├── BUILD │ │ ├── MODULE.bazel │ │ └── perfetto_cfg.bzl │ ├── python/ │ │ ├── packages_20240829_4.bzl │ │ └── packages_20250808.bzl │ ├── python_metadata.bzl │ ├── run_binary_target.bzl │ ├── rust_lint.bazelrc │ ├── tools/ │ │ └── clang_tidy/ │ │ ├── BUILD │ │ ├── clang_tidy.bazelrc │ │ ├── clang_tidy.bzl │ │ └── clang_tidy_wrapper.sh │ ├── typescript.bzl │ ├── wasm_tools_parse.bzl │ ├── wd_capnp_library.bzl │ ├── wd_cc_benchmark.bzl │ ├── wd_cc_binary.bzl │ ├── wd_cc_capnp_library.bzl │ ├── wd_cc_embed.bzl │ ├── wd_cc_library.bzl │ ├── wd_js_bundle.bzl │ ├── wd_rust_binary.bzl │ ├── wd_rust_capnp_library.bzl │ ├── wd_rust_crate.bzl │ ├── wd_rust_proc_macro.bzl │ ├── wd_test.bzl │ ├── wd_ts_bundle.bzl │ ├── wd_ts_project.bzl │ ├── wd_ts_test.bzl │ ├── wd_ts_type_test.bzl │ ├── workerd-v8/ │ │ ├── BUILD │ │ └── MODULE.bazel │ ├── wpt_get_directories.bzl │ └── wpt_test.bzl ├── build-releases.sh ├── codecov.yml ├── compile_flags.txt ├── deps/ │ └── rust/ │ ├── BUILD.bazel │ ├── BUILD.lolhtml │ ├── cargo.bzl │ ├── crates/ │ │ ├── BUILD.ada-url-3.4.2.bazel │ │ ├── BUILD.adler2-2.0.1.bazel │ │ ├── BUILD.ahash-0.8.12.bazel │ │ ├── BUILD.aho-corasick-1.1.4.bazel │ │ ├── BUILD.allocator-api2-0.2.21.bazel │ │ ├── BUILD.anstyle-1.0.14.bazel │ │ ├── BUILD.anyhow-1.0.102.bazel │ │ ├── BUILD.ascii-1.1.0.bazel │ │ ├── BUILD.ast_node-5.0.0.bazel │ │ ├── BUILD.async-trait-0.1.89.bazel │ │ ├── BUILD.autocfg-1.5.0.bazel │ │ ├── BUILD.base64-0.22.1.bazel │ │ ├── BUILD.base64-simd-0.8.0.bazel │ │ ├── BUILD.bazel │ │ ├── BUILD.better_scoped_tls-1.0.1.bazel │ │ ├── BUILD.bitflags-2.11.0.bazel │ │ ├── BUILD.bitvec-1.0.1.bazel │ │ ├── BUILD.block-buffer-0.10.4.bazel │ │ ├── BUILD.bstr-1.12.1.bazel │ │ ├── BUILD.bumpalo-3.20.2.bazel │ │ ├── BUILD.bytes-1.11.1.bazel │ │ ├── BUILD.bytes-str-0.2.7.bazel │ │ ├── BUILD.capnp-0.25.2.bazel │ │ ├── BUILD.capnp-futures-0.25.2.bazel │ │ ├── BUILD.capnp-rpc-0.25.0.bazel │ │ ├── BUILD.capnpc-0.25.0.bazel │ │ ├── BUILD.castaway-0.2.4.bazel │ │ ├── BUILD.cc-1.2.57.bazel │ │ ├── BUILD.cfg-if-1.0.4.bazel │ │ ├── BUILD.cfg_aliases-0.2.1.bazel │ │ ├── BUILD.clang-ast-0.1.35.bazel │ │ ├── BUILD.clap-4.6.0.bazel │ │ ├── BUILD.clap_builder-4.6.0.bazel │ │ ├── BUILD.clap_derive-4.6.0.bazel │ │ ├── BUILD.clap_lex-1.1.0.bazel │ │ ├── BUILD.codespan-reporting-0.13.1.bazel │ │ ├── BUILD.compact_str-0.7.1.bazel │ │ ├── BUILD.compact_str-0.9.0.bazel │ │ ├── BUILD.cpufeatures-0.2.17.bazel │ │ ├── BUILD.crc32fast-1.5.0.bazel │ │ ├── BUILD.crypto-common-0.1.7.bazel │ │ ├── BUILD.cssparser-0.36.0.bazel │ │ ├── BUILD.cssparser-macros-0.6.1.bazel │ │ ├── BUILD.data-encoding-2.10.0.bazel │ │ ├── BUILD.debugid-0.8.0.bazel │ │ ├── BUILD.derive_more-2.1.1.bazel │ │ ├── BUILD.derive_more-impl-2.1.1.bazel │ │ ├── BUILD.digest-0.10.7.bazel │ │ ├── BUILD.displaydoc-0.2.5.bazel │ │ ├── BUILD.dragonbox_ecma-0.1.12.bazel │ │ ├── BUILD.dtoa-1.0.11.bazel │ │ ├── BUILD.dtoa-short-0.3.5.bazel │ │ ├── BUILD.either-1.15.0.bazel │ │ ├── BUILD.embedded-io-0.7.1.bazel │ │ ├── BUILD.encoding_rs-0.8.35.bazel │ │ ├── BUILD.equivalent-1.0.2.bazel │ │ ├── BUILD.fastrand-2.3.0.bazel │ │ ├── BUILD.find-msvc-tools-0.1.9.bazel │ │ ├── BUILD.flate2-1.1.9.bazel │ │ ├── BUILD.foldhash-0.2.0.bazel │ │ ├── BUILD.form_urlencoded-1.2.2.bazel │ │ ├── BUILD.from_variant-3.0.0.bazel │ │ ├── BUILD.funty-2.0.0.bazel │ │ ├── BUILD.futures-0.3.32.bazel │ │ ├── BUILD.futures-channel-0.3.32.bazel │ │ ├── BUILD.futures-core-0.3.32.bazel │ │ ├── BUILD.futures-executor-0.3.32.bazel │ │ ├── BUILD.futures-io-0.3.32.bazel │ │ ├── BUILD.futures-macro-0.3.32.bazel │ │ ├── BUILD.futures-sink-0.3.32.bazel │ │ ├── BUILD.futures-task-0.3.32.bazel │ │ ├── BUILD.futures-util-0.3.32.bazel │ │ ├── BUILD.generic-array-0.14.7.bazel │ │ ├── BUILD.getopts-0.2.24.bazel │ │ ├── BUILD.getrandom-0.2.17.bazel │ │ ├── BUILD.getrandom-0.3.4.bazel │ │ ├── BUILD.hashbrown-0.14.5.bazel │ │ ├── BUILD.hashbrown-0.16.1.bazel │ │ ├── BUILD.heck-0.5.0.bazel │ │ ├── BUILD.hermit-abi-0.5.2.bazel │ │ ├── BUILD.hstr-3.0.4.bazel │ │ ├── BUILD.icu_collections-2.1.1.bazel │ │ ├── BUILD.icu_locale_core-2.1.1.bazel │ │ ├── BUILD.icu_normalizer-2.1.1.bazel │ │ ├── BUILD.icu_normalizer_data-2.1.1.bazel │ │ ├── BUILD.icu_properties-2.1.2.bazel │ │ ├── BUILD.icu_properties_data-2.1.2.bazel │ │ ├── BUILD.icu_provider-2.1.1.bazel │ │ ├── BUILD.idna-1.1.0.bazel │ │ ├── BUILD.idna_adapter-1.2.1.bazel │ │ ├── BUILD.if_chain-1.0.3.bazel │ │ ├── BUILD.indexmap-2.13.0.bazel │ │ ├── BUILD.is-macro-0.3.7.bazel │ │ ├── BUILD.itertools-0.14.0.bazel │ │ ├── BUILD.itoa-1.0.17.bazel │ │ ├── BUILD.jobserver-0.1.34.bazel │ │ ├── BUILD.js-sys-0.3.91.bazel │ │ ├── BUILD.libc-0.2.183.bazel │ │ ├── BUILD.link_args-0.6.0.bazel │ │ ├── BUILD.litemap-0.8.1.bazel │ │ ├── BUILD.log-0.4.29.bazel │ │ ├── BUILD.lol_html-2.7.2.bazel │ │ ├── BUILD.lol_html_c_api-1.3.1.bazel │ │ ├── BUILD.memchr-2.8.0.bazel │ │ ├── BUILD.mime-0.3.17.bazel │ │ ├── BUILD.miniz_oxide-0.8.9.bazel │ │ ├── BUILD.mio-1.1.1.bazel │ │ ├── BUILD.new_debug_unreachable-1.0.6.bazel │ │ ├── BUILD.nix-0.31.2.bazel │ │ ├── BUILD.num-bigint-0.4.6.bazel │ │ ├── BUILD.num-integer-0.1.46.bazel │ │ ├── BUILD.num-traits-0.2.19.bazel │ │ ├── BUILD.num_cpus-1.17.0.bazel │ │ ├── BUILD.once_cell-1.21.4.bazel │ │ ├── BUILD.outref-0.5.2.bazel │ │ ├── BUILD.par-core-2.0.0.bazel │ │ ├── BUILD.percent-encoding-2.3.2.bazel │ │ ├── BUILD.phf-0.11.3.bazel │ │ ├── BUILD.phf-0.13.1.bazel │ │ ├── BUILD.phf_codegen-0.11.3.bazel │ │ ├── BUILD.phf_codegen-0.13.1.bazel │ │ ├── BUILD.phf_generator-0.11.3.bazel │ │ ├── BUILD.phf_generator-0.13.1.bazel │ │ ├── BUILD.phf_macros-0.11.3.bazel │ │ ├── BUILD.phf_macros-0.13.1.bazel │ │ ├── BUILD.phf_shared-0.11.3.bazel │ │ ├── BUILD.phf_shared-0.13.1.bazel │ │ ├── BUILD.pico-args-0.5.0.bazel │ │ ├── BUILD.pin-project-lite-0.2.17.bazel │ │ ├── BUILD.potential_utf-0.1.4.bazel │ │ ├── BUILD.ppv-lite86-0.2.21.bazel │ │ ├── BUILD.precomputed-hash-0.1.1.bazel │ │ ├── BUILD.proc-macro2-1.0.106.bazel │ │ ├── BUILD.quote-1.0.45.bazel │ │ ├── BUILD.r-efi-5.3.0.bazel │ │ ├── BUILD.radium-0.7.0.bazel │ │ ├── BUILD.rand-0.8.5.bazel │ │ ├── BUILD.rand_chacha-0.3.1.bazel │ │ ├── BUILD.rand_core-0.6.4.bazel │ │ ├── BUILD.regex-1.12.3.bazel │ │ ├── BUILD.regex-automata-0.4.14.bazel │ │ ├── BUILD.regex-syntax-0.8.10.bazel │ │ ├── BUILD.ruff_python_ast-0.0.0.bazel │ │ ├── BUILD.ruff_python_parser-0.0.0.bazel │ │ ├── BUILD.ruff_python_trivia-0.0.0.bazel │ │ ├── BUILD.ruff_source_file-0.0.0.bazel │ │ ├── BUILD.ruff_text_size-0.0.0.bazel │ │ ├── BUILD.rustc-hash-2.1.1.bazel │ │ ├── BUILD.rustc_version-0.4.1.bazel │ │ ├── BUILD.rustversion-1.0.22.bazel │ │ ├── BUILD.ryu-1.0.23.bazel │ │ ├── BUILD.scoped-tls-1.0.1.bazel │ │ ├── BUILD.scratch-1.0.9.bazel │ │ ├── BUILD.selectors-0.33.0.bazel │ │ ├── BUILD.semver-1.0.27.bazel │ │ ├── BUILD.seq-macro-0.3.6.bazel │ │ ├── BUILD.serde-1.0.228.bazel │ │ ├── BUILD.serde_core-1.0.228.bazel │ │ ├── BUILD.serde_derive-1.0.228.bazel │ │ ├── BUILD.serde_json-1.0.149.bazel │ │ ├── BUILD.servo_arc-0.4.3.bazel │ │ ├── BUILD.sha1-0.10.6.bazel │ │ ├── BUILD.shlex-1.3.0.bazel │ │ ├── BUILD.simd-adler32-0.3.8.bazel │ │ ├── BUILD.siphasher-0.3.11.bazel │ │ ├── BUILD.siphasher-1.0.2.bazel │ │ ├── BUILD.slab-0.4.12.bazel │ │ ├── BUILD.smallvec-1.15.1.bazel │ │ ├── BUILD.smartstring-1.0.1.bazel │ │ ├── BUILD.socket2-0.6.3.bazel │ │ ├── BUILD.stable_deref_trait-1.2.1.bazel │ │ ├── BUILD.static_assertions-1.1.0.bazel │ │ ├── BUILD.string_enum-1.0.2.bazel │ │ ├── BUILD.swc_allocator-4.0.1.bazel │ │ ├── BUILD.swc_atoms-9.0.0.bazel │ │ ├── BUILD.swc_common-18.0.1.bazel │ │ ├── BUILD.swc_config-3.1.2.bazel │ │ ├── BUILD.swc_config_macro-1.0.1.bazel │ │ ├── BUILD.swc_ecma_ast-20.0.1.bazel │ │ ├── BUILD.swc_ecma_codegen-23.0.0.bazel │ │ ├── BUILD.swc_ecma_codegen_macros-2.0.2.bazel │ │ ├── BUILD.swc_ecma_hooks-0.4.0.bazel │ │ ├── BUILD.swc_ecma_parser-33.0.1.bazel │ │ ├── BUILD.swc_ecma_transforms_base-36.0.1.bazel │ │ ├── BUILD.swc_ecma_transforms_react-40.0.0.bazel │ │ ├── BUILD.swc_ecma_transforms_typescript-40.0.0.bazel │ │ ├── BUILD.swc_ecma_utils-26.0.1.bazel │ │ ├── BUILD.swc_ecma_visit-20.0.0.bazel │ │ ├── BUILD.swc_eq_ignore_macros-1.0.1.bazel │ │ ├── BUILD.swc_macros_common-1.0.1.bazel │ │ ├── BUILD.swc_sourcemap-9.3.4.bazel │ │ ├── BUILD.swc_ts_fast_strip-43.0.0.bazel │ │ ├── BUILD.swc_visit-2.0.1.bazel │ │ ├── BUILD.syn-2.0.117.bazel │ │ ├── BUILD.synstructure-0.13.2.bazel │ │ ├── BUILD.tap-1.0.1.bazel │ │ ├── BUILD.termcolor-1.4.1.bazel │ │ ├── BUILD.thiserror-2.0.18.bazel │ │ ├── BUILD.thiserror-impl-2.0.18.bazel │ │ ├── BUILD.tinystr-0.8.2.bazel │ │ ├── BUILD.tinyvec-1.11.0.bazel │ │ ├── BUILD.tinyvec_macros-0.1.1.bazel │ │ ├── BUILD.tokio-1.50.0.bazel │ │ ├── BUILD.tracing-0.1.44.bazel │ │ ├── BUILD.tracing-attributes-0.1.31.bazel │ │ ├── BUILD.tracing-core-0.1.36.bazel │ │ ├── BUILD.triomphe-0.1.15.bazel │ │ ├── BUILD.typenum-1.19.0.bazel │ │ ├── BUILD.unicode-id-start-1.4.0.bazel │ │ ├── BUILD.unicode-ident-1.0.24.bazel │ │ ├── BUILD.unicode-normalization-0.1.25.bazel │ │ ├── BUILD.unicode-width-0.2.2.bazel │ │ ├── BUILD.unicode_names2-1.3.0.bazel │ │ ├── BUILD.unicode_names2_generator-1.3.0.bazel │ │ ├── BUILD.url-2.5.8.bazel │ │ ├── BUILD.utf8_iter-1.0.4.bazel │ │ ├── BUILD.uuid-1.22.0.bazel │ │ ├── BUILD.version_check-0.9.5.bazel │ │ ├── BUILD.vsimd-0.8.0.bazel │ │ ├── BUILD.wasi-0.11.1+wasi-snapshot-preview1.bazel │ │ ├── BUILD.wasip2-1.0.2+wasi-0.2.9.bazel │ │ ├── BUILD.wasm-bindgen-0.2.114.bazel │ │ ├── BUILD.wasm-bindgen-macro-0.2.114.bazel │ │ ├── BUILD.wasm-bindgen-macro-support-0.2.114.bazel │ │ ├── BUILD.wasm-bindgen-shared-0.2.114.bazel │ │ ├── BUILD.winapi-util-0.1.11.bazel │ │ ├── BUILD.windows-link-0.2.1.bazel │ │ ├── BUILD.windows-sys-0.61.2.bazel │ │ ├── BUILD.wit-bindgen-0.51.0.bazel │ │ ├── BUILD.writeable-0.6.2.bazel │ │ ├── BUILD.wyz-0.5.1.bazel │ │ ├── BUILD.yoke-0.8.1.bazel │ │ ├── BUILD.yoke-derive-0.8.1.bazel │ │ ├── BUILD.zerocopy-0.8.42.bazel │ │ ├── BUILD.zerocopy-derive-0.8.42.bazel │ │ ├── BUILD.zerofrom-0.1.6.bazel │ │ ├── BUILD.zerofrom-derive-0.1.6.bazel │ │ ├── BUILD.zerotrie-0.2.3.bazel │ │ ├── BUILD.zerovec-0.11.5.bazel │ │ ├── BUILD.zerovec-derive-0.11.2.bazel │ │ ├── BUILD.zmij-1.0.21.bazel │ │ ├── alias_rules.bzl │ │ ├── crates.bzl │ │ └── defs.bzl │ └── extension.bzl ├── docs/ │ ├── api-updates.md │ ├── benchmarking.md │ ├── development.md │ ├── jsg.md │ ├── pyodide.md │ ├── reference/ │ │ ├── api-review-checklist.md │ │ ├── cpp-safety-review-checklist.md │ │ ├── detail/ │ │ │ ├── api-patterns.md │ │ │ ├── async-patterns.md │ │ │ ├── review-checklist.md │ │ │ └── type-design.md │ │ ├── kj-style.md │ │ ├── rust-review-checklist.md │ │ └── ts-style.md │ ├── streams.md │ ├── v8-updates.md │ └── vscode.md ├── doxyfile ├── empty/ │ └── empty ├── fuzzilli/ │ ├── BUILD.bazel │ ├── README.md │ ├── analytics-mock.js │ ├── config-full.capnp │ ├── config.capnp │ ├── d1-mock.js │ ├── kv-mock.js │ ├── queue-mock.js │ ├── r2-mock.js │ ├── worker-consume-request.js │ ├── worker-full.js │ └── worker.js ├── githooks/ │ ├── README │ ├── pre-commit │ └── pre-push ├── images/ │ ├── BUILD.bazel │ └── container-client-test/ │ ├── BUILD.bazel │ ├── app.js │ └── package.json ├── justfile ├── npm/ │ ├── lib/ │ │ ├── node-install.ts │ │ ├── node-path.ts │ │ ├── node-platform.ts │ │ └── node-shim.ts │ ├── scripts/ │ │ ├── build-shim-package.mjs │ │ ├── build-types-package.mjs │ │ └── bump-version.mjs │ ├── workerd/ │ │ ├── .gitignore │ │ ├── README.md │ │ └── package.json │ ├── workerd-darwin-64/ │ │ ├── README.md │ │ └── package.json │ ├── workerd-darwin-arm64/ │ │ ├── README.md │ │ └── package.json │ ├── workerd-linux-64/ │ │ ├── README.md │ │ └── package.json │ ├── workerd-linux-arm64/ │ │ ├── README.md │ │ └── package.json │ ├── workerd-windows-64/ │ │ ├── README.md │ │ └── package.json │ └── workers-types/ │ ├── README.md │ └── package.json ├── package.json ├── patches/ │ ├── boringssl/ │ │ └── 0001-Expose-libdecrepit-so-NodeJS-can-use-it-for-ncrypto.patch │ ├── perfetto/ │ │ ├── 0001-Don-t-attempt-to-use-rules_android.patch │ │ └── 0002-disable-info-level-logging.patch │ ├── sqlite/ │ │ ├── 0001-row-counts-plain.patch │ │ ├── 0002-macOS-missing-PATH-fix.patch │ │ ├── 0003-sqlite-complete-early-exit.patch │ │ ├── 0004-invalid-wal-on-rollback-fix.patch │ │ └── README.md │ ├── v8/ │ │ ├── 0001-Allow-manually-setting-ValueDeserializer-format-vers.patch │ │ ├── 0002-Allow-manually-setting-ValueSerializer-format-versio.patch │ │ ├── 0003-Allow-Windows-builds-under-Bazel.patch │ │ ├── 0004-Disable-bazel-whole-archive-build.patch │ │ ├── 0005-Speed-up-V8-bazel-build-by-always-using-target-cfg.patch │ │ ├── 0006-Implement-Promise-Context-Tagging.patch │ │ ├── 0007-Randomize-the-initial-ExecutionContextId-used-by-the.patch │ │ ├── 0008-increase-visibility-of-virtual-method.patch │ │ ├── 0009-Add-ValueSerializer-SetTreatFunctionsAsHostObjects.patch │ │ ├── 0010-Modify-where-to-look-for-fp16-dependency.-This-depen.patch │ │ ├── 0011-Revert-heap-Add-masm-specific-unwinding-annotations-.patch │ │ ├── 0012-Update-illegal-invocation-error-message-in-v8.patch │ │ ├── 0013-Implement-cross-request-context-promise-resolve-hand.patch │ │ ├── 0014-Add-another-slot-in-the-isolate-for-embedder.patch │ │ ├── 0015-Add-ValueSerializer-SetTreatProxiesAsHostObjects.patch │ │ ├── 0016-Disable-memory-leak-assert-when-shutting-down-V8.patch │ │ ├── 0017-Enable-V8-shared-linkage.patch │ │ ├── 0018-Modify-where-to-look-for-fast_float-and-simdutf.patch │ │ ├── 0019-Remove-unneded-latomic-linker-flag.patch │ │ ├── 0020-Add-methods-to-get-heap-and-external-memory-sizes-di.patch │ │ ├── 0021-Port-concurrent-mksnapshot-support.patch │ │ ├── 0022-Port-V8_USE_ZLIB-support.patch │ │ ├── 0023-Modify-where-to-look-for-dragonbox.patch │ │ ├── 0024-Disable-slow-handle-check.patch │ │ ├── 0025-Workaround-for-builtin-can-allocate-issue.patch │ │ ├── 0026-Implement-additional-Exception-construction-methods.patch │ │ ├── 0027-Export-icudata-file-to-facilitate-embedding-it.patch │ │ ├── 0028-bind-icu-to-googlesource.patch │ │ ├── 0029-Add-v8-String-IsFlat-API.patch │ │ ├── 0030-Expose-AdjustAmountOfExternalAllocatedMemoryImpl-as-.patch │ │ ├── 0031-Add-verify_write_barriers-flag-in-V8-s-bazel-config.patch │ │ ├── 0032-Change-lamba-signature-to-get-around-windows-build-f.patch │ │ ├── 0033-Return-false-on-Object.hasOwnProperty-with-intercept.patch │ │ ├── 0034-Remove-V8-MODULE.bazel-llvm-toolchain-and-libcxx-rep.patch │ │ └── 0035-Remove-libcxx-dep-from-defs.bzl-not-resolvable-via-h.patch │ └── zlib/ │ └── 0001-Add-dummy-MODULE.bazel.patch ├── pnpm-workspace.yaml ├── ruff.toml ├── samples/ │ ├── BUILD.bazel │ ├── async-context/ │ │ ├── config.capnp │ │ └── worker.js │ ├── durable-objects-chat/ │ │ ├── chat.html │ │ ├── chat.js │ │ └── config.capnp │ ├── eventsource/ │ │ ├── README.md │ │ ├── config.capnp │ │ ├── server.js │ │ └── worker.js │ ├── extensions/ │ │ ├── README.md │ │ ├── binding.js │ │ ├── burrito-shop-impl.js │ │ ├── burrito-shop.capnp │ │ ├── burrito-shop.js │ │ ├── config.capnp │ │ ├── kitchen.js │ │ ├── recipes.json │ │ └── worker.js │ ├── filesystem/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── hello-wasm/ │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── config.capnp │ │ └── src/ │ │ ├── lib.rs │ │ └── utils.rs │ ├── helloworld/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── helloworld-ts/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.ts │ ├── helloworld_esm/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── memory-cache/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── module_fallback/ │ │ ├── README.md │ │ ├── cjs.js │ │ ├── config.capnp │ │ ├── fallback.js │ │ └── worker.js │ ├── nodejs-compat/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── nodejs-compat-crypto/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── nodejs-compat-diagnosticschannel/ │ │ ├── README.md │ │ ├── config.capnp │ │ ├── library.js │ │ └── worker.js │ ├── nodejs-compat-fs/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── nodejs-compat-fs-graceful/ │ │ ├── README.md │ │ ├── config.capnp │ │ ├── graceful-fs/ │ │ │ ├── LICENSE │ │ │ ├── README.md │ │ │ ├── clone.js │ │ │ ├── graceful-fs.js │ │ │ ├── legacy-streams.js │ │ │ ├── package.json │ │ │ └── polyfills.js │ │ └── worker.js │ ├── nodejs-compat-fs-yazl/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── nodejs-compat-http/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── nodejs-compat-streams/ │ │ ├── README.md │ │ ├── config.capnp │ │ └── worker.js │ ├── nodejs-compat-streams-split2/ │ │ ├── README.md │ │ ├── config.capnp │ │ ├── split2.js │ │ └── worker.js │ ├── pyodide/ │ │ ├── config.capnp │ │ └── worker.py │ ├── pyodide-env/ │ │ ├── config.capnp │ │ └── worker.py │ ├── pyodide-fastapi/ │ │ ├── config.capnp │ │ └── worker.py │ ├── pyodide-langchain/ │ │ ├── config.capnp │ │ └── worker.py │ ├── python-benchmark/ │ │ ├── README.md │ │ ├── bench.lua │ │ ├── config.capnp │ │ └── worker.py │ ├── repl-server/ │ │ ├── README.md │ │ ├── client.js │ │ ├── config.capnp │ │ └── worker.js │ ├── repl-server-python/ │ │ ├── README.md │ │ ├── client.js │ │ ├── config.capnp │ │ └── worker.py │ ├── static-files-from-disk/ │ │ ├── config.capnp │ │ ├── content-dir/ │ │ │ └── index.html │ │ └── static.js │ ├── tail-workers/ │ │ ├── config.capnp │ │ ├── tail.js │ │ └── worker.js │ ├── tcp/ │ │ ├── config.capnp │ │ └── gopher.js │ ├── unit-tests/ │ │ ├── config.capnp │ │ └── worker.js │ ├── web-streams/ │ │ ├── README.md │ │ ├── config.capnp │ │ ├── streams-util.js │ │ └── worker.js │ └── webfs/ │ ├── README.md │ ├── config.capnp │ └── worker.js ├── src/ │ ├── cloudflare/ │ │ ├── AGENTS.md │ │ ├── BUILD.bazel │ │ ├── README.md │ │ ├── ai.ts │ │ ├── br.ts │ │ ├── email.ts │ │ ├── eslint.config.mjs │ │ ├── internal/ │ │ │ ├── ai-api.ts │ │ │ ├── aig-api.ts │ │ │ ├── autorag-api.ts │ │ │ ├── base64.d.ts │ │ │ ├── br-api.ts │ │ │ ├── d1-api.ts │ │ │ ├── email.d.ts │ │ │ ├── env.d.ts │ │ │ ├── global.d.ts │ │ │ ├── http.ts │ │ │ ├── images-api.ts │ │ │ ├── images.d.ts │ │ │ ├── pipeline-transform.ts │ │ │ ├── sockets.d.ts │ │ │ ├── streaming-base64.ts │ │ │ ├── streaming-forms.ts │ │ │ ├── test/ │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── ai/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── ai-api-test.js │ │ │ │ │ ├── ai-api-test.py │ │ │ │ │ ├── ai-api-test.wd-test │ │ │ │ │ ├── ai-mock.js │ │ │ │ │ └── python-ai-api-test.wd-test │ │ │ │ ├── aig/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── aig-api-test.js │ │ │ │ │ ├── aig-api-test.py │ │ │ │ │ ├── aig-api-test.wd-test │ │ │ │ │ ├── aig-mock.js │ │ │ │ │ └── python-aig-api-test.wd-test │ │ │ │ ├── autorag/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── autorag-api-test.js │ │ │ │ │ ├── autorag-api-test.py │ │ │ │ │ ├── autorag-api-test.wd-test │ │ │ │ │ ├── autorag-mock.js │ │ │ │ │ └── python-autorag-api-test.wd-test │ │ │ │ ├── br/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── br-api-test.js │ │ │ │ │ ├── br-api-test.py │ │ │ │ │ ├── br-api-test.wd-test │ │ │ │ │ ├── br-mock.js │ │ │ │ │ └── python-br-api-test.wd-test │ │ │ │ ├── d1/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── d1-api-instrumentation-test.js │ │ │ │ │ ├── d1-api-test-common.js │ │ │ │ │ ├── d1-api-test-with-sessions.js │ │ │ │ │ ├── d1-api-test-with-sessions.wd-test │ │ │ │ │ ├── d1-api-test.js │ │ │ │ │ ├── d1-api-test.py │ │ │ │ │ ├── d1-api-test.wd-test │ │ │ │ │ ├── d1-mock.js │ │ │ │ │ └── python-d1-api-test.wd-test │ │ │ │ ├── images/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── images-api-instrumentation-test.js │ │ │ │ │ ├── images-api-test.js │ │ │ │ │ ├── images-api-test.wd-test │ │ │ │ │ └── images-upstream-mock.js │ │ │ │ ├── instrumentation-test-helper.js │ │ │ │ ├── pipeline-transform/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── transform-test.js │ │ │ │ │ └── transform.wd-test │ │ │ │ ├── to-markdown/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── python-to-markdown-api-test.wd-test │ │ │ │ │ ├── to-markdown-api-test.js │ │ │ │ │ ├── to-markdown-api-test.py │ │ │ │ │ ├── to-markdown-api-test.wd-test │ │ │ │ │ └── to-markdown-mock.js │ │ │ │ ├── tracing/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── tracing-helpers-instrumentation-test.js │ │ │ │ │ ├── tracing-helpers-test.js │ │ │ │ │ └── tracing-helpers-test.wd-test │ │ │ │ ├── vectorize/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── python-vectorize-api-test.wd-test │ │ │ │ │ ├── vectorize-api-test.js │ │ │ │ │ ├── vectorize-api-test.py │ │ │ │ │ ├── vectorize-api-test.wd-test │ │ │ │ │ └── vectorize-mock.js │ │ │ │ └── workflows/ │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── workflows-api-test.js │ │ │ │ ├── workflows-api-test.wd-test │ │ │ │ └── workflows-mock.js │ │ │ ├── test-tracing-wrapper.ts │ │ │ ├── to-markdown-api.ts │ │ │ ├── tracing-helpers.ts │ │ │ ├── tracing.d.ts │ │ │ ├── vectorize-api.ts │ │ │ ├── vectorize.d.ts │ │ │ ├── workers.d.ts │ │ │ ├── workflows-api.ts │ │ │ └── workflows.d.ts │ │ ├── node.ts │ │ ├── pipelines.ts │ │ ├── sockets.ts │ │ ├── tsconfig.json │ │ ├── vectorize.ts │ │ ├── workers.ts │ │ └── workflows.ts │ ├── node/ │ │ ├── AGENTS.md │ │ ├── BUILD.bazel │ │ ├── README.md │ │ ├── _http_agent.ts │ │ ├── _http_client.ts │ │ ├── _http_common.ts │ │ ├── _http_incoming.ts │ │ ├── _http_outgoing.ts │ │ ├── _http_server.ts │ │ ├── _stream_duplex.ts │ │ ├── _stream_passthrough.ts │ │ ├── _stream_readable.ts │ │ ├── _stream_transform.ts │ │ ├── _stream_wrap.ts │ │ ├── _stream_writable.ts │ │ ├── _tls_common.ts │ │ ├── _tls_wrap.ts │ │ ├── assert/ │ │ │ └── strict.ts │ │ ├── assert.ts │ │ ├── async_hooks.ts │ │ ├── buffer.ts │ │ ├── child_process.ts │ │ ├── cluster.ts │ │ ├── console.ts │ │ ├── constants.ts │ │ ├── crypto.ts │ │ ├── dgram.ts │ │ ├── diagnostics_channel.ts │ │ ├── dns/ │ │ │ └── promises.ts │ │ ├── dns.ts │ │ ├── domain.ts │ │ ├── eslint.config.mjs │ │ ├── events.ts │ │ ├── fs/ │ │ │ └── promises.ts │ │ ├── fs.ts │ │ ├── http.ts │ │ ├── http2.ts │ │ ├── https.ts │ │ ├── inspector/ │ │ │ └── promises.ts │ │ ├── inspector.ts │ │ ├── internal/ │ │ │ ├── async_hooks.d.ts │ │ │ ├── buffer.d.ts │ │ │ ├── constants.ts │ │ │ ├── crypto.d.ts │ │ │ ├── crypto_cipher.ts │ │ │ ├── crypto_dh.ts │ │ │ ├── crypto_hash.ts │ │ │ ├── crypto_hkdf.ts │ │ │ ├── crypto_keys.ts │ │ │ ├── crypto_pbkdf2.ts │ │ │ ├── crypto_random.ts │ │ │ ├── crypto_scrypt.ts │ │ │ ├── crypto_sign.ts │ │ │ ├── crypto_spkac.ts │ │ │ ├── crypto_util.ts │ │ │ ├── crypto_x509.ts │ │ │ ├── debuglog.ts │ │ │ ├── diagnostics_channel.d.ts │ │ │ ├── dns.d.ts │ │ │ ├── events.ts │ │ │ ├── filesystem.d.ts │ │ │ ├── http.d.ts │ │ │ ├── internal_assert.ts │ │ │ ├── internal_assertionerror.ts │ │ │ ├── internal_buffer.ts │ │ │ ├── internal_comparisons.ts │ │ │ ├── internal_diffs.ts │ │ │ ├── internal_dns.ts │ │ │ ├── internal_dns_client.ts │ │ │ ├── internal_dns_constants.ts │ │ │ ├── internal_dns_promises.ts │ │ │ ├── internal_errors.ts │ │ │ ├── internal_fs.ts │ │ │ ├── internal_fs_callback.ts │ │ │ ├── internal_fs_constants.ts │ │ │ ├── internal_fs_promises.ts │ │ │ ├── internal_fs_streams.ts │ │ │ ├── internal_fs_sync.ts │ │ │ ├── internal_fs_utils.ts │ │ │ ├── internal_http.ts │ │ │ ├── internal_http2_constants.ts │ │ │ ├── internal_http_agent.ts │ │ │ ├── internal_http_client.ts │ │ │ ├── internal_http_constants.ts │ │ │ ├── internal_http_incoming.ts │ │ │ ├── internal_http_outgoing.ts │ │ │ ├── internal_http_server.ts │ │ │ ├── internal_http_util.ts │ │ │ ├── internal_https_agent.ts │ │ │ ├── internal_https_server.ts │ │ │ ├── internal_inspect.ts │ │ │ ├── internal_module.ts │ │ │ ├── internal_net.ts │ │ │ ├── internal_path.ts │ │ │ ├── internal_process.ts │ │ │ ├── internal_querystring.ts │ │ │ ├── internal_readline.ts │ │ │ ├── internal_readline_promises.ts │ │ │ ├── internal_stringdecoder.ts │ │ │ ├── internal_timers.ts │ │ │ ├── internal_timers_global_override.ts │ │ │ ├── internal_timers_promises.ts │ │ │ ├── internal_tls.ts │ │ │ ├── internal_tls_common.ts │ │ │ ├── internal_tls_constants.ts │ │ │ ├── internal_tls_jsstream.ts │ │ │ ├── internal_tls_wrap.ts │ │ │ ├── internal_types.ts │ │ │ ├── internal_url.ts │ │ │ ├── internal_utils.ts │ │ │ ├── internal_zlib.ts │ │ │ ├── internal_zlib_base.ts │ │ │ ├── internal_zlib_constants.ts │ │ │ ├── legacy_process.ts │ │ │ ├── legacy_url.ts │ │ │ ├── messagechannel.d.ts │ │ │ ├── mock.d.ts │ │ │ ├── mock.js │ │ │ ├── module.d.ts │ │ │ ├── process.d.ts │ │ │ ├── public_process.ts │ │ │ ├── sockets.d.ts │ │ │ ├── sqlite.d.ts │ │ │ ├── streams_add_abort_signal.ts │ │ │ ├── streams_compose.d.ts │ │ │ ├── streams_compose.js │ │ │ ├── streams_destroy.ts │ │ │ ├── streams_duplex.d.ts │ │ │ ├── streams_duplex.js │ │ │ ├── streams_end_of_stream.ts │ │ │ ├── streams_legacy.d.ts │ │ │ ├── streams_legacy.js │ │ │ ├── streams_pipeline.d.ts │ │ │ ├── streams_pipeline.js │ │ │ ├── streams_promises.ts │ │ │ ├── streams_readable.d.ts │ │ │ ├── streams_readable.js │ │ │ ├── streams_state.ts │ │ │ ├── streams_transform.d.ts │ │ │ ├── streams_transform.js │ │ │ ├── streams_util.ts │ │ │ ├── streams_writable.d.ts │ │ │ ├── streams_writable.js │ │ │ ├── timers.d.ts │ │ │ ├── url.d.ts │ │ │ ├── util.d.ts │ │ │ ├── validators.ts │ │ │ ├── workers.d.ts │ │ │ └── zlib.d.ts │ │ ├── module.ts │ │ ├── net.ts │ │ ├── os.ts │ │ ├── path/ │ │ │ ├── posix.ts │ │ │ └── win32.ts │ │ ├── path.ts │ │ ├── perf_hooks.ts │ │ ├── punycode.ts │ │ ├── querystring.ts │ │ ├── readline/ │ │ │ └── promises.ts │ │ ├── readline.ts │ │ ├── repl.ts │ │ ├── sqlite.ts │ │ ├── stream/ │ │ │ ├── consumers.js │ │ │ ├── promises.js │ │ │ └── web.js │ │ ├── stream.ts │ │ ├── string_decoder.ts │ │ ├── test.ts │ │ ├── timers/ │ │ │ └── promises.ts │ │ ├── timers.ts │ │ ├── tls.ts │ │ ├── trace_events.ts │ │ ├── tsconfig.json │ │ ├── tty.ts │ │ ├── url.ts │ │ ├── util/ │ │ │ └── types.ts │ │ ├── util.ts │ │ ├── v8.ts │ │ ├── vm.ts │ │ ├── wasi.ts │ │ ├── worker_threads.ts │ │ └── zlib.ts │ ├── pyodide/ │ │ ├── AGENTS.md │ │ ├── BUILD.bazel │ │ ├── README.md │ │ ├── create_vendor_zip.py │ │ ├── eslint.config.mjs │ │ ├── helpers.bzl │ │ ├── internal/ │ │ │ ├── const.ts │ │ │ ├── envHelpers.ts │ │ │ ├── introspection.py │ │ │ ├── jaeger.ts │ │ │ ├── loadPackage.ts │ │ │ ├── metadata.ts │ │ │ ├── metadatafs.ts │ │ │ ├── patches/ │ │ │ │ ├── aiohttp.py │ │ │ │ └── httpx.py │ │ │ ├── pool/ │ │ │ │ ├── builtin_wrappers.ts │ │ │ │ ├── emscriptenSetup.ts │ │ │ │ ├── esbuild.config.mjs │ │ │ │ └── sentinel.ts │ │ │ ├── python.ts │ │ │ ├── readOnlyFS.ts │ │ │ ├── serializeJsModule.ts │ │ │ ├── setupPackages.ts │ │ │ ├── snapshot.ts │ │ │ ├── sphinx/ │ │ │ │ ├── .gitignore │ │ │ │ ├── Makefile │ │ │ │ ├── README.md │ │ │ │ ├── conf.py │ │ │ │ ├── docs/ │ │ │ │ │ ├── asgi.rst │ │ │ │ │ ├── modules.rst │ │ │ │ │ └── workers.rst │ │ │ │ ├── index.rst │ │ │ │ ├── make.bat │ │ │ │ └── requirements-doc.txt │ │ │ ├── tar.ts │ │ │ ├── tarfs.ts │ │ │ ├── test_frozen_sdk.py │ │ │ ├── test_introspection.py │ │ │ ├── topLevelEntropy/ │ │ │ │ ├── __init__.py │ │ │ │ ├── allow_entropy.py │ │ │ │ ├── allow_entropy.py.d.ts │ │ │ │ ├── entropy_import_context.py │ │ │ │ ├── entropy_import_context.py.d.ts │ │ │ │ ├── entropy_patches.py │ │ │ │ ├── entropy_patches.py.d.ts │ │ │ │ ├── import_patch_manager.py │ │ │ │ ├── import_patch_manager.py.d.ts │ │ │ │ └── lib.ts │ │ │ ├── util.ts │ │ │ └── workers-api/ │ │ │ ├── pyproject.toml │ │ │ └── src/ │ │ │ ├── asgi.py │ │ │ └── workers/ │ │ │ ├── __init__.py │ │ │ ├── _workers.py │ │ │ └── workflows.py │ │ ├── make_snapshots.py │ │ ├── package.json │ │ ├── pyodide_extra.capnp │ │ ├── python-entrypoint-helper.ts │ │ ├── python-entrypoint.js │ │ ├── tool_utils.py │ │ ├── tsconfig.json │ │ ├── types/ │ │ │ ├── Error.d.ts │ │ │ ├── Pyodide.d.ts │ │ │ ├── artifacts.d.ts │ │ │ ├── cloudflare-internal/ │ │ │ │ └── env.d.ts │ │ │ ├── disk_cache.d.ts │ │ │ ├── emscripten.d.ts │ │ │ ├── fatal-reporter.d.ts │ │ │ ├── filesystem.d.ts │ │ │ ├── internalJaeger.d.ts │ │ │ ├── limiter.d.ts │ │ │ ├── modules.d.ts │ │ │ ├── packages_tar_reader.d.ts │ │ │ ├── pyodide-lock.d.ts │ │ │ ├── pyodide.asm.d.ts │ │ │ ├── python_stdlib.zip.d.ts │ │ │ ├── runtime-generated/ │ │ │ │ └── metadata.d.ts │ │ │ ├── setup-emscripten.d.ts │ │ │ └── unsafe-eval.d.ts │ │ └── upload_bundles.py │ ├── rust/ │ │ ├── AGENTS.md │ │ ├── BUILD.bazel │ │ ├── api/ │ │ │ ├── BUILD.bazel │ │ │ ├── dns.rs │ │ │ └── lib.rs │ │ ├── clippy.toml │ │ ├── cxx-integration/ │ │ │ ├── BUILD.bazel │ │ │ ├── lib.rs │ │ │ └── tokio.rs │ │ ├── cxx-integration-test/ │ │ │ ├── BUILD.bazel │ │ │ ├── cxx-rust-integration-test.c++ │ │ │ ├── cxx-rust-integration-test.h │ │ │ └── lib.rs │ │ ├── encoding/ │ │ │ ├── BUILD.bazel │ │ │ └── lib.rs │ │ ├── gen-compile-cache/ │ │ │ ├── BUILD.bazel │ │ │ ├── cxx-bridge.c++ │ │ │ ├── cxx-bridge.h │ │ │ └── main.rs │ │ ├── jsg/ │ │ │ ├── BUILD.bazel │ │ │ ├── README.md │ │ │ ├── feature_flags.rs │ │ │ ├── ffi-inl.h │ │ │ ├── ffi.c++ │ │ │ ├── ffi.h │ │ │ ├── jsg.h │ │ │ ├── lib.rs │ │ │ ├── modules.rs │ │ │ ├── resource.rs │ │ │ ├── v8.rs │ │ │ └── wrappable.rs │ │ ├── jsg-macros/ │ │ │ ├── BUILD.bazel │ │ │ ├── README.md │ │ │ └── lib.rs │ │ ├── jsg-test/ │ │ │ ├── BUILD.bazel │ │ │ ├── ffi.c++ │ │ │ ├── ffi.h │ │ │ ├── lib.rs │ │ │ └── tests/ │ │ │ ├── arrays.rs │ │ │ ├── eval.rs │ │ │ ├── function.rs │ │ │ ├── gc.rs │ │ │ ├── jsg_oneof.rs │ │ │ ├── jsg_struct.rs │ │ │ ├── local_cast.rs │ │ │ ├── mod.rs │ │ │ ├── non_coercible.rs │ │ │ ├── resource_callback.rs │ │ │ ├── resource_conversion.rs │ │ │ └── unwrap.rs │ │ ├── kj/ │ │ │ ├── BUILD.bazel │ │ │ ├── ffi.c++ │ │ │ ├── ffi.h │ │ │ ├── http.rs │ │ │ ├── io.rs │ │ │ ├── lib.rs │ │ │ ├── own.rs │ │ │ └── tests/ │ │ │ ├── BUILD.bazel │ │ │ ├── ffi-test.c++ │ │ │ └── lib.rs │ │ ├── net/ │ │ │ ├── BUILD.bazel │ │ │ └── lib.rs │ │ ├── python-parser/ │ │ │ ├── BUILD │ │ │ ├── import_parsing.c++ │ │ │ └── lib.rs │ │ ├── rustfmt.toml │ │ └── transpiler/ │ │ ├── BUILD │ │ └── lib.rs │ ├── workerd/ │ │ ├── README.md │ │ ├── api/ │ │ │ ├── AGENTS.md │ │ │ ├── BUILD.bazel │ │ │ ├── actor-state-iocontext-test.c++ │ │ │ ├── actor-state-test.c++ │ │ │ ├── actor-state.c++ │ │ │ ├── actor-state.h │ │ │ ├── actor.c++ │ │ │ ├── actor.h │ │ │ ├── analytics-engine-impl.h │ │ │ ├── analytics-engine.c++ │ │ │ ├── analytics-engine.capnp │ │ │ ├── analytics-engine.h │ │ │ ├── api-rtti-test.c++ │ │ │ ├── base64-test.c++ │ │ │ ├── base64.c++ │ │ │ ├── base64.h │ │ │ ├── basics-test.c++ │ │ │ ├── basics.c++ │ │ │ ├── basics.h │ │ │ ├── blob.c++ │ │ │ ├── blob.h │ │ │ ├── cache.c++ │ │ │ ├── cache.h │ │ │ ├── capnp.c++ │ │ │ ├── capnp.h │ │ │ ├── cf-property-test.c++ │ │ │ ├── cf-property.c++ │ │ │ ├── cf-property.h │ │ │ ├── commonjs.c++ │ │ │ ├── commonjs.h │ │ │ ├── container.c++ │ │ │ ├── container.h │ │ │ ├── crypto/ │ │ │ │ ├── AGENTS.md │ │ │ │ ├── aes-test.c++ │ │ │ │ ├── aes.c++ │ │ │ │ ├── crc-impl.c++ │ │ │ │ ├── crc-impl.h │ │ │ │ ├── crypto.c++ │ │ │ │ ├── crypto.h │ │ │ │ ├── dh.c++ │ │ │ │ ├── dh.h │ │ │ │ ├── digest.c++ │ │ │ │ ├── digest.h │ │ │ │ ├── ec.c++ │ │ │ │ ├── ec.h │ │ │ │ ├── endianness.c++ │ │ │ │ ├── endianness.h │ │ │ │ ├── hkdf.c++ │ │ │ │ ├── impl-test.c++ │ │ │ │ ├── impl.c++ │ │ │ │ ├── impl.h │ │ │ │ ├── jwk.c++ │ │ │ │ ├── jwk.h │ │ │ │ ├── kdf.h │ │ │ │ ├── keys.c++ │ │ │ │ ├── keys.h │ │ │ │ ├── pbkdf2.c++ │ │ │ │ ├── prime.c++ │ │ │ │ ├── prime.h │ │ │ │ ├── rsa.c++ │ │ │ │ ├── rsa.h │ │ │ │ ├── scrypt.c++ │ │ │ │ ├── spkac.c++ │ │ │ │ ├── spkac.h │ │ │ │ ├── x509.c++ │ │ │ │ └── x509.h │ │ │ ├── data-url-test.c++ │ │ │ ├── data-url.c++ │ │ │ ├── data-url.h │ │ │ ├── deferred-proxy-test.c++ │ │ │ ├── deferred-proxy.h │ │ │ ├── encoding-legacy.c++ │ │ │ ├── encoding-legacy.h │ │ │ ├── encoding-shared.h │ │ │ ├── encoding-test.c++ │ │ │ ├── encoding.c++ │ │ │ ├── encoding.h │ │ │ ├── events.c++ │ │ │ ├── events.h │ │ │ ├── eventsource.c++ │ │ │ ├── eventsource.h │ │ │ ├── export-loopback.c++ │ │ │ ├── export-loopback.h │ │ │ ├── filesystem.c++ │ │ │ ├── filesystem.h │ │ │ ├── form-data.c++ │ │ │ ├── form-data.h │ │ │ ├── fuzzilli.c++ │ │ │ ├── fuzzilli.h │ │ │ ├── global-scope.c++ │ │ │ ├── global-scope.h │ │ │ ├── headers.c++ │ │ │ ├── headers.h │ │ │ ├── hibernatable-web-socket.c++ │ │ │ ├── hibernatable-web-socket.h │ │ │ ├── hibernation-event-params.h │ │ │ ├── html-rewriter.c++ │ │ │ ├── html-rewriter.h │ │ │ ├── http.c++ │ │ │ ├── http.h │ │ │ ├── hyperdrive.c++ │ │ │ ├── hyperdrive.h │ │ │ ├── kv.c++ │ │ │ ├── kv.h │ │ │ ├── memory-cache.c++ │ │ │ ├── memory-cache.h │ │ │ ├── messagechannel.c++ │ │ │ ├── messagechannel.h │ │ │ ├── modules.c++ │ │ │ ├── modules.h │ │ │ ├── node/ │ │ │ │ ├── AGENTS.md │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── async-hooks.c++ │ │ │ │ ├── async-hooks.h │ │ │ │ ├── buffer-string-search.h │ │ │ │ ├── buffer-test.c++ │ │ │ │ ├── buffer.c++ │ │ │ │ ├── buffer.h │ │ │ │ ├── crypto-keys.c++ │ │ │ │ ├── crypto.c++ │ │ │ │ ├── crypto.h │ │ │ │ ├── diagnostics-channel.c++ │ │ │ │ ├── diagnostics-channel.h │ │ │ │ ├── exceptions.c++ │ │ │ │ ├── exceptions.h │ │ │ │ ├── i18n.c++ │ │ │ │ ├── i18n.h │ │ │ │ ├── module.c++ │ │ │ │ ├── module.h │ │ │ │ ├── node-version.h │ │ │ │ ├── node.h │ │ │ │ ├── process.c++ │ │ │ │ ├── process.h │ │ │ │ ├── sqlite.c++ │ │ │ │ ├── sqlite.h │ │ │ │ ├── tests/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── als-gc-test.js │ │ │ │ │ ├── als-gc-test.wd-test │ │ │ │ │ ├── assert-test.js │ │ │ │ │ ├── assert-test.wd-test │ │ │ │ │ ├── async_hooks-nodejs-test.js │ │ │ │ │ ├── async_hooks-nodejs-test.wd-test │ │ │ │ │ ├── bound-als-test.js │ │ │ │ │ ├── bound-als-test.wd-test │ │ │ │ │ ├── buffer-effective-size-concat-test.js │ │ │ │ │ ├── buffer-effective-size-concat-test.wd-test │ │ │ │ │ ├── buffer-nodejs-test.js │ │ │ │ │ ├── buffer-nodejs-test.wd-test │ │ │ │ │ ├── child_process-nodejs-test.js │ │ │ │ │ ├── child_process-nodejs-test.wd-test │ │ │ │ │ ├── cluster-nodejs-test.js │ │ │ │ │ ├── cluster-nodejs-test.wd-test │ │ │ │ │ ├── console-nodejs-test.js │ │ │ │ │ ├── console-nodejs-test.wd-test │ │ │ │ │ ├── constants-test.js │ │ │ │ │ ├── constants-test.wd-test │ │ │ │ │ ├── crypto_cipher-test.js │ │ │ │ │ ├── crypto_cipher-test.wd-test │ │ │ │ │ ├── crypto_dh-test.js │ │ │ │ │ ├── crypto_dh-test.wd-test │ │ │ │ │ ├── crypto_hash-test.js │ │ │ │ │ ├── crypto_hash-test.wd-test │ │ │ │ │ ├── crypto_hkdf-test.js │ │ │ │ │ ├── crypto_hkdf-test.wd-test │ │ │ │ │ ├── crypto_hmac-test.js │ │ │ │ │ ├── crypto_hmac-test.wd-test │ │ │ │ │ ├── crypto_keys-test.js │ │ │ │ │ ├── crypto_keys-test.wd-test │ │ │ │ │ ├── crypto_pbkdf2-test.js │ │ │ │ │ ├── crypto_pbkdf2-test.wd-test │ │ │ │ │ ├── crypto_random-test.js │ │ │ │ │ ├── crypto_random-test.wd-test │ │ │ │ │ ├── crypto_scrypt-test.js │ │ │ │ │ ├── crypto_scrypt-test.wd-test │ │ │ │ │ ├── crypto_sign-test.js │ │ │ │ │ ├── crypto_sign-test.wd-test │ │ │ │ │ ├── crypto_spkac-test.js │ │ │ │ │ ├── crypto_spkac-test.wd-test │ │ │ │ │ ├── crypto_x509-test.js │ │ │ │ │ ├── crypto_x509-test.wd-test │ │ │ │ │ ├── dgram-nodejs-test.js │ │ │ │ │ ├── dgram-nodejs-test.wd-test │ │ │ │ │ ├── diagnostics-channel-test.js │ │ │ │ │ ├── diagnostics-channel-test.wd-test │ │ │ │ │ ├── dns-nodejs-test.js │ │ │ │ │ ├── dns-nodejs-test.wd-test │ │ │ │ │ ├── domain-nodejs-test.js │ │ │ │ │ ├── domain-nodejs-test.wd-test │ │ │ │ │ ├── fixtures/ │ │ │ │ │ │ ├── agent1-cert.pem │ │ │ │ │ │ ├── dh_private.pem │ │ │ │ │ │ ├── dh_public.pem │ │ │ │ │ │ ├── dsa_private.pem │ │ │ │ │ │ ├── dsa_private_1025.pem │ │ │ │ │ │ ├── dsa_private_encrypted.pem │ │ │ │ │ │ ├── dsa_private_encrypted_1025.pem │ │ │ │ │ │ ├── dsa_private_pkcs8.pem │ │ │ │ │ │ ├── dsa_public.pem │ │ │ │ │ │ ├── dsa_public_1025.pem │ │ │ │ │ │ ├── ec_p256_private.pem │ │ │ │ │ │ ├── ec_p256_public.pem │ │ │ │ │ │ ├── ec_p384_private.pem │ │ │ │ │ │ ├── ec_p384_public.pem │ │ │ │ │ │ ├── ec_p521_private.pem │ │ │ │ │ │ ├── ec_p521_public.pem │ │ │ │ │ │ ├── ec_secp256k1_private.pem │ │ │ │ │ │ ├── ec_secp256k1_public.pem │ │ │ │ │ │ ├── ed25519_private.pem │ │ │ │ │ │ ├── ed25519_public.pem │ │ │ │ │ │ ├── ed448_private.pem │ │ │ │ │ │ ├── ed448_public.pem │ │ │ │ │ │ ├── rsa_private.pem │ │ │ │ │ │ ├── rsa_private_2048.pem │ │ │ │ │ │ ├── rsa_private_4096.pem │ │ │ │ │ │ ├── rsa_private_b.pem │ │ │ │ │ │ ├── rsa_private_encrypted.pem │ │ │ │ │ │ ├── rsa_private_pkcs8.pem │ │ │ │ │ │ ├── rsa_private_pkcs8_bad.pem │ │ │ │ │ │ ├── rsa_pss_private_2048.pem │ │ │ │ │ │ ├── rsa_pss_private_2048_sha1_sha1_20.pem │ │ │ │ │ │ ├── rsa_pss_private_2048_sha256_sha256_16.pem │ │ │ │ │ │ ├── rsa_pss_private_2048_sha512_sha256_20.pem │ │ │ │ │ │ ├── rsa_pss_public_2048.pem │ │ │ │ │ │ ├── rsa_pss_public_2048_sha1_sha1_20.pem │ │ │ │ │ │ ├── rsa_pss_public_2048_sha256_sha256_16.pem │ │ │ │ │ │ ├── rsa_pss_public_2048_sha512_sha256_20.pem │ │ │ │ │ │ ├── rsa_public.pem │ │ │ │ │ │ ├── rsa_public_2048.pem │ │ │ │ │ │ ├── rsa_public_4096.pem │ │ │ │ │ │ ├── rsa_public_b.pem │ │ │ │ │ │ ├── tls-nodejs-tcp-server.pem │ │ │ │ │ │ ├── x25519_private.pem │ │ │ │ │ │ ├── x25519_public.pem │ │ │ │ │ │ ├── x448_private.pem │ │ │ │ │ │ └── x448_public.pem │ │ │ │ │ ├── fs-access-test.js │ │ │ │ │ ├── fs-access-test.wd-test │ │ │ │ │ ├── fs-chown-chmod-test.js │ │ │ │ │ ├── fs-chown-chmod-test.wd-test │ │ │ │ │ ├── fs-cp-into-subdirectory-test.js │ │ │ │ │ ├── fs-cp-into-subdirectory-test.wd-test │ │ │ │ │ ├── fs-cp-test.js │ │ │ │ │ ├── fs-cp-test.wd-test │ │ │ │ │ ├── fs-dir-test.js │ │ │ │ │ ├── fs-dir-test.wd-test │ │ │ │ │ ├── fs-filehandle-test.js │ │ │ │ │ ├── fs-filehandle-test.wd-test │ │ │ │ │ ├── fs-glob-test.js │ │ │ │ │ ├── fs-glob-test.wd-test │ │ │ │ │ ├── fs-link-test.js │ │ │ │ │ ├── fs-link-test.wd-test │ │ │ │ │ ├── fs-misc-test.js │ │ │ │ │ ├── fs-misc-test.wd-test │ │ │ │ │ ├── fs-nodejs-test.js │ │ │ │ │ ├── fs-nodejs-test.wd-test │ │ │ │ │ ├── fs-readstream-test.js │ │ │ │ │ ├── fs-readstream-test.wd-test │ │ │ │ │ ├── fs-stat-test.js │ │ │ │ │ ├── fs-stat-test.wd-test │ │ │ │ │ ├── fs-utimes-test.js │ │ │ │ │ ├── fs-utimes-test.wd-test │ │ │ │ │ ├── fs-writestream-test.js │ │ │ │ │ ├── fs-writestream-test.wd-test │ │ │ │ │ ├── http-agent-nodejs-server.js │ │ │ │ │ ├── http-agent-nodejs-test.js │ │ │ │ │ ├── http-agent-nodejs-test.wd-test │ │ │ │ │ ├── http-client-nodejs-server.js │ │ │ │ │ ├── http-client-nodejs-test.js │ │ │ │ │ ├── http-client-nodejs-test.wd-test │ │ │ │ │ ├── http-incoming-nodejs-test.js │ │ │ │ │ ├── http-incoming-nodejs-test.wd-test │ │ │ │ │ ├── http-nodejs-server.js │ │ │ │ │ ├── http-nodejs-test.js │ │ │ │ │ ├── http-nodejs-test.wd-test │ │ │ │ │ ├── http-outgoing-nodejs-server.js │ │ │ │ │ ├── http-outgoing-nodejs-test.js │ │ │ │ │ ├── http-outgoing-nodejs-test.wd-test │ │ │ │ │ ├── http-server-nodejs-global-test.js │ │ │ │ │ ├── http-server-nodejs-global-test.wd-test │ │ │ │ │ ├── http-server-nodejs-server.js │ │ │ │ │ ├── http-server-nodejs-test.js │ │ │ │ │ ├── http-server-nodejs-test.wd-test │ │ │ │ │ ├── http2-test.js │ │ │ │ │ ├── http2-test.wd-test │ │ │ │ │ ├── inspector-nodejs-test.js │ │ │ │ │ ├── inspector-nodejs-test.wd-test │ │ │ │ │ ├── legacy_url-nodejs-test.js │ │ │ │ │ ├── legacy_url-nodejs-test.wd-test │ │ │ │ │ ├── mimetype-test.js │ │ │ │ │ ├── mimetype-test.wd-test │ │ │ │ │ ├── module-create-require-test.js │ │ │ │ │ ├── module-create-require-test.wd-test │ │ │ │ │ ├── module-nodejs-test.js │ │ │ │ │ ├── module-nodejs-test.wd-test │ │ │ │ │ ├── module-require-mutable-exports-test.js │ │ │ │ │ ├── module-require-mutable-exports-test.wd-test │ │ │ │ │ ├── net-nodejs-tcp-server.js │ │ │ │ │ ├── net-nodejs-test.js │ │ │ │ │ ├── net-nodejs-test.wd-test │ │ │ │ │ ├── node-compat-v2-test.js │ │ │ │ │ ├── node-compat-v2-test.wd-test │ │ │ │ │ ├── os-test.js │ │ │ │ │ ├── os-test.wd-test │ │ │ │ │ ├── path-test.js │ │ │ │ │ ├── path-test.wd-test │ │ │ │ │ ├── perf-hooks-nodejs-test.js │ │ │ │ │ ├── perf-hooks-nodejs-test.wd-test │ │ │ │ │ ├── process-exit-test.js │ │ │ │ │ ├── process-exit-test.wd-test │ │ │ │ │ ├── process-getbuiltin-newmodreg-test.js │ │ │ │ │ ├── process-getbuiltin-newmodreg-test.wd-test │ │ │ │ │ ├── process-legacy-nodejs-test.js │ │ │ │ │ ├── process-legacy-nodejs-test.wd-test │ │ │ │ │ ├── process-nodejs-test.js │ │ │ │ │ ├── process-nodejs-test.wd-test │ │ │ │ │ ├── process-stdio-fs-nodejs-test.expected_stderr │ │ │ │ │ ├── process-stdio-fs-nodejs-test.expected_stdout │ │ │ │ │ ├── process-stdio-fs-nodejs-test.js │ │ │ │ │ ├── process-stdio-fs-nodejs-test.wd-test │ │ │ │ │ ├── process-stdio-nodejs-test.expected_stderr │ │ │ │ │ ├── process-stdio-nodejs-test.expected_stdout │ │ │ │ │ ├── process-stdio-nodejs-test.js │ │ │ │ │ ├── process-stdio-nodejs-test.wd-test │ │ │ │ │ ├── punycode-nodejs-test.js │ │ │ │ │ ├── punycode-nodejs-test.wd-test │ │ │ │ │ ├── querystring-nodejs-test.js │ │ │ │ │ ├── querystring-nodejs-test.wd-test │ │ │ │ │ ├── readline-nodejs-test.js │ │ │ │ │ ├── readline-nodejs-test.wd-test │ │ │ │ │ ├── repl-nodejs-test.js │ │ │ │ │ ├── repl-nodejs-test.wd-test │ │ │ │ │ ├── sidecar-supervisor.mjs │ │ │ │ │ ├── sqlite-nodejs-test.js │ │ │ │ │ ├── sqlite-nodejs-test.wd-test │ │ │ │ │ ├── streams-nodejs-test.js │ │ │ │ │ ├── streams-nodejs-test.wd-test │ │ │ │ │ ├── streams-test.js │ │ │ │ │ ├── streams-test.wd-test │ │ │ │ │ ├── streams-v24-nodejs-test.js │ │ │ │ │ ├── streams-v24-nodejs-test.wd-test │ │ │ │ │ ├── string-decoder-test.js │ │ │ │ │ ├── string-decoder-test.wd-test │ │ │ │ │ ├── sys-nodejs-test.js │ │ │ │ │ ├── sys-nodejs-test.wd-test │ │ │ │ │ ├── test_process_stdio.sh │ │ │ │ │ ├── timers-global-override-test.js │ │ │ │ │ ├── timers-global-override-test.wd-test │ │ │ │ │ ├── timers-nodejs-test.js │ │ │ │ │ ├── timers-nodejs-test.wd-test │ │ │ │ │ ├── tls-nodejs-tcp-server.js │ │ │ │ │ ├── tls-nodejs-test.js │ │ │ │ │ ├── tls-nodejs-test.wd-test │ │ │ │ │ ├── trace-events-nodejs-test.js │ │ │ │ │ ├── trace-events-nodejs-test.wd-test │ │ │ │ │ ├── tty-nodejs-test.js │ │ │ │ │ ├── tty-nodejs-test.wd-test │ │ │ │ │ ├── url-nodejs-test.js │ │ │ │ │ ├── url-nodejs-test.wd-test │ │ │ │ │ ├── util-nodejs-test.js │ │ │ │ │ ├── util-nodejs-test.wd-test │ │ │ │ │ ├── v8-nodejs-test.js │ │ │ │ │ ├── v8-nodejs-test.wd-test │ │ │ │ │ ├── vm-test.js │ │ │ │ │ ├── vm-test.wd-test │ │ │ │ │ ├── wasi-nodejs-test.js │ │ │ │ │ ├── wasi-nodejs-test.wd-test │ │ │ │ │ ├── worker_threads-nodejs-test.js │ │ │ │ │ ├── worker_threads-nodejs-test.wd-test │ │ │ │ │ ├── zlib-nodejs-test.js │ │ │ │ │ ├── zlib-nodejs-test.wd-test │ │ │ │ │ ├── zlib-zstd-nodejs-test.js │ │ │ │ │ └── zlib-zstd-nodejs-test.wd-test │ │ │ │ ├── timers.c++ │ │ │ │ ├── timers.h │ │ │ │ ├── url.c++ │ │ │ │ ├── url.h │ │ │ │ ├── util.c++ │ │ │ │ ├── util.h │ │ │ │ ├── zlib-util.c++ │ │ │ │ └── zlib-util.h │ │ │ ├── performance.c++ │ │ │ ├── performance.h │ │ │ ├── pyodide/ │ │ │ │ ├── pyodide-test.c++ │ │ │ │ ├── pyodide.c++ │ │ │ │ ├── pyodide.h │ │ │ │ ├── requirements.c++ │ │ │ │ ├── requirements.h │ │ │ │ ├── setup-emscripten.c++ │ │ │ │ └── setup-emscripten.h │ │ │ ├── queue.c++ │ │ │ ├── queue.h │ │ │ ├── r2-admin.c++ │ │ │ ├── r2-admin.h │ │ │ ├── r2-api.capnp │ │ │ ├── r2-bucket.c++ │ │ │ ├── r2-bucket.h │ │ │ ├── r2-multipart.c++ │ │ │ ├── r2-multipart.h │ │ │ ├── r2-rpc.c++ │ │ │ ├── r2-rpc.h │ │ │ ├── r2.h │ │ │ ├── rtti.c++ │ │ │ ├── rtti.h │ │ │ ├── scheduled.c++ │ │ │ ├── scheduled.h │ │ │ ├── ser-errors-test.c++ │ │ │ ├── sockets.c++ │ │ │ ├── sockets.h │ │ │ ├── sql.c++ │ │ │ ├── sql.h │ │ │ ├── streams/ │ │ │ │ ├── AGENTS.md │ │ │ │ ├── README.md │ │ │ │ ├── common.c++ │ │ │ │ ├── common.h │ │ │ │ ├── compression.c++ │ │ │ │ ├── compression.h │ │ │ │ ├── encoding.c++ │ │ │ │ ├── encoding.h │ │ │ │ ├── identity-transform-stream.c++ │ │ │ │ ├── identity-transform-stream.h │ │ │ │ ├── identitytransformstream-backpressure-test.js │ │ │ │ ├── identitytransformstream-backpressure-test.wd-test │ │ │ │ ├── identitytransformstream-byob-test.js │ │ │ │ ├── identitytransformstream-byob-test.wd-test │ │ │ │ ├── internal-test.c++ │ │ │ │ ├── internal.c++ │ │ │ │ ├── internal.h │ │ │ │ ├── queue-test.c++ │ │ │ │ ├── queue.c++ │ │ │ │ ├── queue.h │ │ │ │ ├── readable-source-adapter-test.c++ │ │ │ │ ├── readable-source-adapter.c++ │ │ │ │ ├── readable-source-adapter.h │ │ │ │ ├── readable-source-test.c++ │ │ │ │ ├── readable-source.c++ │ │ │ │ ├── readable-source.h │ │ │ │ ├── readable.c++ │ │ │ │ ├── readable.h │ │ │ │ ├── standard-test.c++ │ │ │ │ ├── standard.c++ │ │ │ │ ├── standard.h │ │ │ │ ├── streams-test.js │ │ │ │ ├── streams-test.wd-test │ │ │ │ ├── transform.c++ │ │ │ │ ├── transform.h │ │ │ │ ├── writable-sink-adapter-test.c++ │ │ │ │ ├── writable-sink-adapter.c++ │ │ │ │ ├── writable-sink-adapter.h │ │ │ │ ├── writable-sink-test.c++ │ │ │ │ ├── writable-sink.c++ │ │ │ │ ├── writable-sink.h │ │ │ │ ├── writable.c++ │ │ │ │ └── writable.h │ │ │ ├── streams-test.c++ │ │ │ ├── streams.h │ │ │ ├── sync-kv.c++ │ │ │ ├── sync-kv.h │ │ │ ├── system-streams-test.c++ │ │ │ ├── system-streams.c++ │ │ │ ├── system-streams.h │ │ │ ├── tests/ │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── abort-internal-streams-test.js │ │ │ │ ├── abort-internal-streams-test.wd-test │ │ │ │ ├── abortable-fetch-test.js │ │ │ │ ├── abortable-fetch-test.wd-test │ │ │ │ ├── abortsignal-test.js │ │ │ │ ├── abortsignal-test.wd-test │ │ │ │ ├── actor-alarms-delete-test.js │ │ │ │ ├── actor-alarms-delete-test.wd-test │ │ │ │ ├── actor-alarms-test.js │ │ │ │ ├── actor-alarms-test.wd-test │ │ │ │ ├── actor-kv-test-tail.js │ │ │ │ ├── actor-kv-test.js │ │ │ │ ├── actor-kv-test.wd-test │ │ │ │ ├── actor-stub-test.js │ │ │ │ ├── actor-stub-test.wd-test │ │ │ │ ├── als-only-test.js │ │ │ │ ├── als-only-test.wd-test │ │ │ │ ├── als-test.js │ │ │ │ ├── als-test.wd-test │ │ │ │ ├── analytics-engine-test.js │ │ │ │ ├── analytics-engine-test.wd-test │ │ │ │ ├── autogate-disabled-test.js │ │ │ │ ├── autogate-disabled-test.wd-test │ │ │ │ ├── autogate-enabled-test.js │ │ │ │ ├── autogate-enabled-test.wd-test │ │ │ │ ├── blob-test.js │ │ │ │ ├── blob-test.wd-test │ │ │ │ ├── blob2-test.js │ │ │ │ ├── blob2-test.wd-test │ │ │ │ ├── buffer-indexof-odd-offset-ucs2-test.js │ │ │ │ ├── buffer-indexof-odd-offset-ucs2-test.wd-test │ │ │ │ ├── byob-reader-resize-pending-read-test.js │ │ │ │ ├── byob-reader-resize-pending-read-test.wd-test │ │ │ │ ├── cache-instrumentation-test.js │ │ │ │ ├── cache-mock.js │ │ │ │ ├── cache-operations-test.js │ │ │ │ ├── cache-test.wd-test │ │ │ │ ├── commonjs-module-test.js │ │ │ │ ├── commonjs-module-test.wd-test │ │ │ │ ├── compat-flag-disabled-test.js │ │ │ │ ├── compat-flag-disabled-test.wd-test │ │ │ │ ├── compat-flag-enabled-test.js │ │ │ │ ├── compat-flag-enabled-test.wd-test │ │ │ │ ├── compat-flags-test.js │ │ │ │ ├── compat-flags-test.wd-test │ │ │ │ ├── compression-streams-test.js │ │ │ │ ├── compression-streams-test.wd-test │ │ │ │ ├── cross-context-promise-test.js │ │ │ │ ├── cross-context-promise-test.wd-test │ │ │ │ ├── crypto-extras-test.js │ │ │ │ ├── crypto-extras-test.wd-test │ │ │ │ ├── crypto-impl-asymmetric-test.js │ │ │ │ ├── crypto-impl-asymmetric-test.wd-test │ │ │ │ ├── crypto-streams-test.js │ │ │ │ ├── crypto-streams-test.wd-test │ │ │ │ ├── ctx-props-test.wd-test │ │ │ │ ├── data-url-fetch-test.js │ │ │ │ ├── data-url-fetch-test.wd-test │ │ │ │ ├── decompression-stream-unhandled-rejection-test.js │ │ │ │ ├── decompression-stream-unhandled-rejection-test.wd-test │ │ │ │ ├── delete-all-deletes-alarm-test.js │ │ │ │ ├── delete-all-deletes-alarm-test.wd-test │ │ │ │ ├── disable-importable-env-test.js │ │ │ │ ├── disable-importable-env-test.wd-test │ │ │ │ ├── disable-importable-exports-test.js │ │ │ │ ├── disable-importable-exports-test.wd-test │ │ │ │ ├── encoding-streams-test.js │ │ │ │ ├── encoding-streams-test.wd-test │ │ │ │ ├── encoding-test.js │ │ │ │ ├── encoding-test.wd-test │ │ │ │ ├── error-in-error-event-test.js │ │ │ │ ├── error-in-error-event-test.wd-test │ │ │ │ ├── events-test.js │ │ │ │ ├── events-test.wd-test │ │ │ │ ├── eventsource-test.js │ │ │ │ ├── eventsource-test.wd-test │ │ │ │ ├── experimental-eval-test.js │ │ │ │ ├── experimental-eval-test.wd-test │ │ │ │ ├── fetch-redirect-test.js │ │ │ │ ├── fetch-redirect-test.wd-test │ │ │ │ ├── fetch-test.js │ │ │ │ ├── fetch-test.wd-test │ │ │ │ ├── form-data-legacy-test.js │ │ │ │ ├── form-data-legacy-test.wd-test │ │ │ │ ├── form-data-test-ts.ts │ │ │ │ ├── form-data-test-ts.wd-test │ │ │ │ ├── form-data-test.js │ │ │ │ ├── form-data-test.wd-test │ │ │ │ ├── global-scope-test.js │ │ │ │ ├── global-scope-test.wd-test │ │ │ │ ├── headers-immutable-prototype-test.js │ │ │ │ ├── headers-immutable-prototype-test.wd-test │ │ │ │ ├── htmlrewriter-test.js │ │ │ │ ├── htmlrewriter-test.wd-test │ │ │ │ ├── htmlrewriter-transform-cancel-test.js │ │ │ │ ├── htmlrewriter-transform-cancel-test.wd-test │ │ │ │ ├── http-socket-server.js │ │ │ │ ├── http-socket-test.js │ │ │ │ ├── http-socket-test.wd-test │ │ │ │ ├── http-standard-test.js │ │ │ │ ├── http-standard-test.wd-test │ │ │ │ ├── http-test-ts.ts │ │ │ │ ├── http-test-ts.ts-wd-test │ │ │ │ ├── http-test.js │ │ │ │ ├── http-test.wd-test │ │ │ │ ├── identity-transform-stream-state-machine-test.js │ │ │ │ ├── identity-transform-stream-state-machine-test.wd-test │ │ │ │ ├── importable-env-test.js │ │ │ │ ├── importable-env-test.wd-test │ │ │ │ ├── importable-exports-test.js │ │ │ │ ├── importable-exports-test.wd-test │ │ │ │ ├── instrumentation-tail-worker.js │ │ │ │ ├── js-rpc-flag.js │ │ │ │ ├── js-rpc-flag.wd-test │ │ │ │ ├── js-rpc-params-ownership-test.js │ │ │ │ ├── js-rpc-params-ownership-test.wd-test │ │ │ │ ├── js-rpc-socket-test.wd-test │ │ │ │ ├── js-rpc-test.js │ │ │ │ ├── js-rpc-test.wd-test │ │ │ │ ├── jsrpc-timing-test-tail.js │ │ │ │ ├── jsrpc-timing-test.js │ │ │ │ ├── jsrpc-timing-test.wd-test │ │ │ │ ├── kv-instrumentation-test.js │ │ │ │ ├── kv-test.js │ │ │ │ ├── kv-test.wd-test │ │ │ │ ├── leak-fetch-test.js │ │ │ │ ├── leak-fetch-test.wd-test │ │ │ │ ├── memory-cache-test.js │ │ │ │ ├── memory-cache-test.wd-test │ │ │ │ ├── messageport-test.js │ │ │ │ ├── messageport-test.wd-test │ │ │ │ ├── module-test.js │ │ │ │ ├── module-test.wd-test │ │ │ │ ├── navigator-beacon-test.js │ │ │ │ ├── navigator-beacon-test.wd-test │ │ │ │ ├── navigator-test.js │ │ │ │ ├── navigator-test.wd-test │ │ │ │ ├── new-module-registry-dns-test.js │ │ │ │ ├── new-module-registry-dns-test.wd-test │ │ │ │ ├── new-module-registry-node-filter-test.js │ │ │ │ ├── new-module-registry-node-filter-test.wd-test │ │ │ │ ├── new-module-registry-test.js │ │ │ │ ├── new-module-registry-test.wd-test │ │ │ │ ├── new-module-registry-ts-test-helper.ts │ │ │ │ ├── new-module-registry-ts-test.js │ │ │ │ ├── new-module-registry-ts-test.wd-test │ │ │ │ ├── no-to-string-tag-test.js │ │ │ │ ├── no-to-string-tag-test.wd-test │ │ │ │ ├── opennextjs/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── README.md │ │ │ │ │ ├── opennext-ssr-test.js │ │ │ │ │ ├── opennext-ssr-test.wd-test │ │ │ │ │ └── src/ │ │ │ │ │ ├── .gitignore │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── app/ │ │ │ │ │ │ ├── api/ │ │ │ │ │ │ │ ├── cookies/ │ │ │ │ │ │ │ │ └── route.js │ │ │ │ │ │ │ └── data/ │ │ │ │ │ │ │ └── route.js │ │ │ │ │ │ ├── layout.jsx │ │ │ │ │ │ ├── page.jsx │ │ │ │ │ │ ├── posts/ │ │ │ │ │ │ │ └── [id]/ │ │ │ │ │ │ │ └── page.jsx │ │ │ │ │ │ ├── redirect-test/ │ │ │ │ │ │ │ └── page.jsx │ │ │ │ │ │ └── streaming/ │ │ │ │ │ │ └── page.jsx │ │ │ │ │ ├── jsconfig.json │ │ │ │ │ ├── next.config.mjs │ │ │ │ │ ├── open-next.config.mjs │ │ │ │ │ ├── package.json │ │ │ │ │ └── wrangler.jsonc │ │ │ │ ├── pipe-streams-test.js │ │ │ │ ├── pipe-streams-test.wd-test │ │ │ │ ├── pipe-write-special-buffer-test.js │ │ │ │ ├── pipe-write-special-buffer-test.wd-test │ │ │ │ ├── queue-error-codes-test.js │ │ │ │ ├── queue-test.js │ │ │ │ ├── queue-test.wd-test │ │ │ │ ├── r2-instrumentation-test.js │ │ │ │ ├── r2-test.js │ │ │ │ ├── r2-test.wd-test │ │ │ │ ├── reporterror-test.js │ │ │ │ ├── reporterror-test.wd-test │ │ │ │ ├── request-clone-test.js │ │ │ │ ├── request-clone-test.wd-test │ │ │ │ ├── request-signal-disabled.js │ │ │ │ ├── request-signal-disabled.wd-test │ │ │ │ ├── request-signal-enabled.js │ │ │ │ ├── request-signal-enabled.wd-test │ │ │ │ ├── request-signal-passthrough.js │ │ │ │ ├── request-signal-passthrough.wd-test │ │ │ │ ├── response-json.js │ │ │ │ ├── response-json.wd-test │ │ │ │ ├── response-used-body-test.js │ │ │ │ ├── response-used-body-test.wd-test │ │ │ │ ├── rpc-error-test.js │ │ │ │ ├── rpc-error-test.rpc.js │ │ │ │ ├── rpc-error-test.wd-test │ │ │ │ ├── rtti-test.js │ │ │ │ ├── rtti-test.wd-test │ │ │ │ ├── scheduler-test.js │ │ │ │ ├── scheduler-test.wd-test │ │ │ │ ├── self-logger-test.js │ │ │ │ ├── self-logger-test.wd-test │ │ │ │ ├── settimeout-test.js │ │ │ │ ├── settimeout-test.wd-test │ │ │ │ ├── sql-test-tail.js │ │ │ │ ├── sql-test.js │ │ │ │ ├── sql-test.wd-test │ │ │ │ ├── starttls-nodejs-server.js │ │ │ │ ├── starttls-nodejs-test.js │ │ │ │ ├── starttls-nodejs-test.wd-test │ │ │ │ ├── starttls-server.pem │ │ │ │ ├── streams-async-iterator-test.js │ │ │ │ ├── streams-async-iterator-test.wd-test │ │ │ │ ├── streams-backpressure-test.js │ │ │ │ ├── streams-backpressure-test.wd-test │ │ │ │ ├── streams-byob-edge-cases-test.js │ │ │ │ ├── streams-byob-edge-cases-test.wd-test │ │ │ │ ├── streams-circ-ref-regression-test.js │ │ │ │ ├── streams-circ-ref-regression-test.wd-test │ │ │ │ ├── streams-error-edge-cases-test.js │ │ │ │ ├── streams-error-edge-cases-test.wd-test │ │ │ │ ├── streams-iocontext-test.js │ │ │ │ ├── streams-iocontext-test.wd-test │ │ │ │ ├── streams-js-test.js │ │ │ │ ├── streams-js-test.wd-test │ │ │ │ ├── streams-no-auto-allocate-test.js │ │ │ │ ├── streams-no-auto-allocate-test.wd-test │ │ │ │ ├── streams-r2-patterns-test.js │ │ │ │ ├── streams-r2-patterns-test.wd-test │ │ │ │ ├── streams-respond-test.js │ │ │ │ ├── streams-respond-test.wd-test │ │ │ │ ├── streams-tee-edge-cases-test.js │ │ │ │ ├── streams-tee-edge-cases-test.wd-test │ │ │ │ ├── streams-test.js │ │ │ │ ├── streams-test.wd-test │ │ │ │ ├── stub-storage-test.js │ │ │ │ ├── stub-storage-test.wd-test │ │ │ │ ├── sync-kv-instrumentation-test.js │ │ │ │ ├── sync-kv-test.js │ │ │ │ ├── sync-kv-test.wd-test │ │ │ │ ├── tail-worker-test-dummy.js │ │ │ │ ├── tail-worker-test-invalid.js │ │ │ │ ├── tail-worker-test-jsrpc.js │ │ │ │ ├── tail-worker-test-receiver.js │ │ │ │ ├── tail-worker-test.js │ │ │ │ ├── tail-worker-test.wd-test │ │ │ │ ├── test.wasm │ │ │ │ ├── textdecoder-utf16-odd-offset-test.js │ │ │ │ ├── textdecoder-utf16-odd-offset-test.wd-test │ │ │ │ ├── transform-streams-test.js │ │ │ │ ├── transform-streams-test.wd-test │ │ │ │ ├── tsconfig.json │ │ │ │ ├── unhandled-rejection-test.js │ │ │ │ ├── unhandled-rejection-test.wd-test │ │ │ │ ├── unsafe-test.js │ │ │ │ ├── unsafe-test.wd-test │ │ │ │ ├── url-test.js │ │ │ │ ├── url-test.wd-test │ │ │ │ ├── warnings-tail.js │ │ │ │ ├── warnings-test.js │ │ │ │ ├── warnings-test.wd-test │ │ │ │ ├── webfs-test.js │ │ │ │ ├── webfs-test.wd-test │ │ │ │ ├── websocket-allow-half-open-test.js │ │ │ │ ├── websocket-allow-half-open-test.wd-test │ │ │ │ ├── websocket-client-error-sidecar.js │ │ │ │ ├── websocket-client-error-test.js │ │ │ │ ├── websocket-client-error-test.wd-test │ │ │ │ ├── websocket-constructor-test.js │ │ │ │ ├── websocket-constructor-test.wd-test │ │ │ │ ├── websocket-hibernation.js │ │ │ │ ├── websocket-hibernation.wd-test │ │ │ │ ├── worker-loader-test.js │ │ │ │ ├── worker-loader-test.wd-test │ │ │ │ ├── worker-test.js │ │ │ │ └── worker-test.wd-test │ │ │ ├── trace.c++ │ │ │ ├── trace.h │ │ │ ├── tracing-module.c++ │ │ │ ├── tracing-module.h │ │ │ ├── tsconfig.json │ │ │ ├── unsafe.c++ │ │ │ ├── unsafe.h │ │ │ ├── url-standard.c++ │ │ │ ├── url-standard.h │ │ │ ├── url.c++ │ │ │ ├── url.h │ │ │ ├── urlpattern-standard.c++ │ │ │ ├── urlpattern-standard.h │ │ │ ├── urlpattern.c++ │ │ │ ├── urlpattern.h │ │ │ ├── util-test.c++ │ │ │ ├── util.c++ │ │ │ ├── util.h │ │ │ ├── web-socket.c++ │ │ │ ├── web-socket.h │ │ │ ├── worker-loader.c++ │ │ │ ├── worker-loader.h │ │ │ ├── worker-rpc.c++ │ │ │ ├── worker-rpc.h │ │ │ ├── workers-module.c++ │ │ │ └── workers-module.h │ │ ├── io/ │ │ │ ├── AGENTS.md │ │ │ ├── BUILD.bazel │ │ │ ├── actor-cache-test.c++ │ │ │ ├── actor-cache.c++ │ │ │ ├── actor-cache.h │ │ │ ├── actor-id.h │ │ │ ├── actor-sqlite-test.c++ │ │ │ ├── actor-sqlite.c++ │ │ │ ├── actor-sqlite.h │ │ │ ├── actor-storage.c++ │ │ │ ├── actor-storage.capnp │ │ │ ├── actor-storage.h │ │ │ ├── bundle-fs-test.c++ │ │ │ ├── bundle-fs.c++ │ │ │ ├── bundle-fs.h │ │ │ ├── cdp.capnp │ │ │ ├── compatibility-date-test.c++ │ │ │ ├── compatibility-date.c++ │ │ │ ├── compatibility-date.capnp │ │ │ ├── compatibility-date.h │ │ │ ├── container.capnp │ │ │ ├── external-pusher.c++ │ │ │ ├── external-pusher.h │ │ │ ├── features.c++ │ │ │ ├── features.capnp │ │ │ ├── features.h │ │ │ ├── frankenvalue-test.c++ │ │ │ ├── frankenvalue.c++ │ │ │ ├── frankenvalue.capnp │ │ │ ├── frankenvalue.h │ │ │ ├── hibernation-manager.c++ │ │ │ ├── hibernation-manager.h │ │ │ ├── io-channels.c++ │ │ │ ├── io-channels.h │ │ │ ├── io-context-test.js │ │ │ ├── io-context-test.wd-test │ │ │ ├── io-context.c++ │ │ │ ├── io-context.h │ │ │ ├── io-gate-test.c++ │ │ │ ├── io-gate.c++ │ │ │ ├── io-gate.h │ │ │ ├── io-own.c++ │ │ │ ├── io-own.h │ │ │ ├── io-thread-context.c++ │ │ │ ├── io-thread-context.h │ │ │ ├── io-timers.c++ │ │ │ ├── io-timers.h │ │ │ ├── io-util.c++ │ │ │ ├── io-util.h │ │ │ ├── limit-enforcer.h │ │ │ ├── maximum-compatibility-date.txt │ │ │ ├── observer-test.c++ │ │ │ ├── observer.c++ │ │ │ ├── observer.h │ │ │ ├── outcome.capnp │ │ │ ├── promise-wrapper-test.c++ │ │ │ ├── promise-wrapper.h │ │ │ ├── release-version.txt │ │ │ ├── request-tracker.c++ │ │ │ ├── request-tracker.h │ │ │ ├── script-version.capnp │ │ │ ├── trace-stream.c++ │ │ │ ├── trace-stream.h │ │ │ ├── trace-test.c++ │ │ │ ├── trace.c++ │ │ │ ├── trace.capnp │ │ │ ├── trace.h │ │ │ ├── tracer.c++ │ │ │ ├── tracer.h │ │ │ ├── tracked-wasm-instance-js-test.wd-test │ │ │ ├── tracked-wasm-instance-test.c++ │ │ │ ├── tracked-wasm-instance-test.js │ │ │ ├── tracked-wasm-instance.c++ │ │ │ ├── tracked-wasm-instance.h │ │ │ ├── wasm/ │ │ │ │ ├── .gitignore │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── signal-basic.wat │ │ │ │ ├── signal-bounds-check-edge.wat │ │ │ │ ├── signal-bounds-check-overflow.wat │ │ │ │ ├── signal-bounds-check-valid.wat │ │ │ │ ├── signal-decoy-memory.wat │ │ │ │ ├── signal-externref-memory.wat │ │ │ │ ├── signal-imported-memory.wat │ │ │ │ ├── signal-memory-reclaim.wat │ │ │ │ ├── signal-no-globals.wat │ │ │ │ ├── signal-partial-exports.wat │ │ │ │ ├── signal-preinit.wat │ │ │ │ └── signal-terminated-only.wat │ │ │ ├── wasm-instantiate-shim.js │ │ │ ├── worker-entrypoint.c++ │ │ │ ├── worker-entrypoint.h │ │ │ ├── worker-fs-test.c++ │ │ │ ├── worker-fs.c++ │ │ │ ├── worker-fs.h │ │ │ ├── worker-interface.c++ │ │ │ ├── worker-interface.capnp │ │ │ ├── worker-interface.h │ │ │ ├── worker-modules.c++ │ │ │ ├── worker-modules.h │ │ │ ├── worker-source.h │ │ │ ├── worker.c++ │ │ │ └── worker.h │ │ ├── jsg/ │ │ │ ├── AGENTS.md │ │ │ ├── BUILD.bazel │ │ │ ├── README.md │ │ │ ├── async-context.c++ │ │ │ ├── async-context.h │ │ │ ├── buffersource-test.c++ │ │ │ ├── buffersource.c++ │ │ │ ├── buffersource.h │ │ │ ├── compile-cache.c++ │ │ │ ├── compile-cache.h │ │ │ ├── dom-exception-test.c++ │ │ │ ├── dom-exception.c++ │ │ │ ├── dom-exception.h │ │ │ ├── exception-metadata.capnp │ │ │ ├── exception.c++ │ │ │ ├── exception.h │ │ │ ├── fast-api-test.c++ │ │ │ ├── fast-api.h │ │ │ ├── function-test.c++ │ │ │ ├── function.h │ │ │ ├── inspector.c++ │ │ │ ├── inspector.h │ │ │ ├── iterator-test.c++ │ │ │ ├── iterator.c++ │ │ │ ├── iterator.h │ │ │ ├── jsg-test.c++ │ │ │ ├── jsg-test.h │ │ │ ├── jsg.c++ │ │ │ ├── jsg.h │ │ │ ├── jsvalue-test.c++ │ │ │ ├── jsvalue.c++ │ │ │ ├── jsvalue.h │ │ │ ├── macro-meta-test.c++ │ │ │ ├── macro-meta.h │ │ │ ├── memory-test.c++ │ │ │ ├── memory.c++ │ │ │ ├── memory.h │ │ │ ├── meta.h │ │ │ ├── modules-new-test.c++ │ │ │ ├── modules-new.c++ │ │ │ ├── modules-new.h │ │ │ ├── modules.c++ │ │ │ ├── modules.capnp │ │ │ ├── modules.h │ │ │ ├── multiple-typewrappers-test.c++ │ │ │ ├── observer.h │ │ │ ├── promise-test.c++ │ │ │ ├── promise.c++ │ │ │ ├── promise.h │ │ │ ├── resource-test-bootstrap.js │ │ │ ├── resource-test-builtin.js │ │ │ ├── resource-test.c++ │ │ │ ├── resource-test.capnp │ │ │ ├── resource.c++ │ │ │ ├── resource.h │ │ │ ├── rtti-test.c++ │ │ │ ├── rtti-test.capnp │ │ │ ├── rtti.capnp │ │ │ ├── rtti.h │ │ │ ├── script.c++ │ │ │ ├── script.h │ │ │ ├── ser-test.c++ │ │ │ ├── ser.c++ │ │ │ ├── ser.h │ │ │ ├── setup-test.c++ │ │ │ ├── setup.c++ │ │ │ ├── setup.h │ │ │ ├── struct-test.c++ │ │ │ ├── struct.h │ │ │ ├── tracing-test.c++ │ │ │ ├── type-wrapper-test.c++ │ │ │ ├── type-wrapper.h │ │ │ ├── url-test.c++ │ │ │ ├── url.c++ │ │ │ ├── url.h │ │ │ ├── util-test.c++ │ │ │ ├── util.c++ │ │ │ ├── util.h │ │ │ ├── v8-platform-wrapper.c++ │ │ │ ├── v8-platform-wrapper.h │ │ │ ├── value-test.c++ │ │ │ ├── value.h │ │ │ ├── web-idl-test.c++ │ │ │ ├── web-idl.h │ │ │ ├── wrappable.c++ │ │ │ └── wrappable.h │ │ ├── server/ │ │ │ ├── AGENTS.md │ │ │ ├── BUILD.bazel │ │ │ ├── actor-id-impl-test.c++ │ │ │ ├── actor-id-impl.c++ │ │ │ ├── actor-id-impl.h │ │ │ ├── alarm-scheduler.c++ │ │ │ ├── alarm-scheduler.h │ │ │ ├── channel-token-test.c++ │ │ │ ├── channel-token.c++ │ │ │ ├── channel-token.capnp │ │ │ ├── channel-token.h │ │ │ ├── container-client-test.c++ │ │ │ ├── container-client.c++ │ │ │ ├── container-client.h │ │ │ ├── docker-api.capnp │ │ │ ├── facet-tree-index-test.c++ │ │ │ ├── facet-tree-index.c++ │ │ │ ├── facet-tree-index.h │ │ │ ├── fallback-service.c++ │ │ │ ├── fallback-service.h │ │ │ ├── json-logger-test.c++ │ │ │ ├── json-logger.c++ │ │ │ ├── json-logger.h │ │ │ ├── log-schema.capnp │ │ │ ├── pyodide.c++ │ │ │ ├── pyodide.h │ │ │ ├── server-test.c++ │ │ │ ├── server.c++ │ │ │ ├── server.h │ │ │ ├── tests/ │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── compile-tests/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── compile-helloworld-test.ok │ │ │ │ │ └── compile-test.sh │ │ │ │ ├── container-client/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── README.md │ │ │ │ │ ├── container-client.wd-test │ │ │ │ │ └── test.js │ │ │ │ ├── extensions/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── binding.js │ │ │ │ │ ├── extension.capnp │ │ │ │ │ ├── extensions-test.js │ │ │ │ │ ├── extensions-test.wd-test │ │ │ │ │ ├── internal-module.js │ │ │ │ │ └── module.js │ │ │ │ ├── inspector/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── config.capnp │ │ │ │ │ ├── driver.mjs │ │ │ │ │ └── index.mjs │ │ │ │ ├── python/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── asgi/ │ │ │ │ │ │ ├── asgi.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── asgi-sse/ │ │ │ │ │ │ ├── asgi-sse.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── default-class-with-legacy-global-handlers/ │ │ │ │ │ │ ├── default-class-with-legacy-global-handlers.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── dont-snapshot-pyodide/ │ │ │ │ │ │ ├── dont-snapshot-pyodide.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── durable-object/ │ │ │ │ │ │ ├── durable-object.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── durable-object-websocket/ │ │ │ │ │ │ ├── durable-object-websocket.wd-test │ │ │ │ │ │ ├── tester.js │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── env-param/ │ │ │ │ │ │ ├── env.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── fastapi/ │ │ │ │ │ │ ├── fastapi.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── filter-non-py-files/ │ │ │ │ │ │ ├── filter-files.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── hello/ │ │ │ │ │ │ ├── hello.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── import_tests.bzl │ │ │ │ │ ├── jspi/ │ │ │ │ │ │ ├── jspi.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── numpy/ │ │ │ │ │ │ ├── numpy.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── py_wd_test.bzl │ │ │ │ │ ├── pytest/ │ │ │ │ │ │ ├── main.py │ │ │ │ │ │ ├── pytest.wd-test │ │ │ │ │ │ └── tests/ │ │ │ │ │ │ ├── test_dynlib_loading.py │ │ │ │ │ │ ├── test_env.py │ │ │ │ │ │ ├── test_fs.py │ │ │ │ │ │ └── test_import_from_javascript.py │ │ │ │ │ ├── python-compat-flag/ │ │ │ │ │ │ ├── python-compat-flag.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── python-rpc/ │ │ │ │ │ │ ├── python-rpc.wd-test │ │ │ │ │ │ ├── worker.js │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── random/ │ │ │ │ │ │ ├── random.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── sdk/ │ │ │ │ │ │ ├── proxy.js │ │ │ │ │ │ ├── sdk.wd-test │ │ │ │ │ │ ├── server.py │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── subdirectory/ │ │ │ │ │ │ ├── a.py │ │ │ │ │ │ ├── subdir/ │ │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ │ └── a.py │ │ │ │ │ │ └── subdirectory.wd-test │ │ │ │ │ ├── top-level-tests/ │ │ │ │ │ │ ├── env.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── undefined-handler/ │ │ │ │ │ │ ├── main.py │ │ │ │ │ │ ├── server.mjs │ │ │ │ │ │ ├── undefined-handler.wd-test │ │ │ │ │ │ └── undefined_handler.py │ │ │ │ │ ├── vendor_dir/ │ │ │ │ │ │ ├── vendor/ │ │ │ │ │ │ │ └── a.py │ │ │ │ │ │ ├── vendor_dir.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── vendor_dir_compat_flag/ │ │ │ │ │ │ ├── vendor/ │ │ │ │ │ │ │ └── a.py │ │ │ │ │ │ ├── vendor_dir_compat_flag.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ ├── vendor_pkg_tests/ │ │ │ │ │ │ ├── BUILD │ │ │ │ │ │ ├── beautifulsoup4.py │ │ │ │ │ │ ├── beautifulsoup4_vendor.wd-test │ │ │ │ │ │ ├── existing_dedicated_fastapi.py │ │ │ │ │ │ ├── existing_dedicated_fastapi_vendor.wd-test │ │ │ │ │ │ ├── fastapi.py │ │ │ │ │ │ ├── fastapi_vendor.wd-test │ │ │ │ │ │ ├── generate_modules.py │ │ │ │ │ │ ├── python-workers-runtime-sdk.py │ │ │ │ │ │ ├── python-workers-runtime-sdk_vendor.wd-test │ │ │ │ │ │ ├── scipy.py │ │ │ │ │ │ ├── scipy_vendor.wd-test │ │ │ │ │ │ ├── shapely.py │ │ │ │ │ │ ├── shapely_vendor.wd-test │ │ │ │ │ │ └── vendor_test.bzl │ │ │ │ │ ├── worker-entrypoint/ │ │ │ │ │ │ ├── worker-entrypoint.wd-test │ │ │ │ │ │ └── worker.py │ │ │ │ │ └── workflow-entrypoint/ │ │ │ │ │ ├── worker.js │ │ │ │ │ ├── workflow-entrypoint.wd-test │ │ │ │ │ ├── workflow-old.py │ │ │ │ │ └── workflow.py │ │ │ │ ├── server-harness.mjs │ │ │ │ ├── structured-logging/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── structured-logging-json.wd-test │ │ │ │ │ └── structured-logging-test.mjs │ │ │ │ ├── unsafe-eval/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── extension.capnp │ │ │ │ │ ├── module.js │ │ │ │ │ ├── unsafe-eval-test.js │ │ │ │ │ └── unsafe-eval-test.wd-test │ │ │ │ ├── unsafe-module/ │ │ │ │ │ ├── BUILD.bazel │ │ │ │ │ ├── unsafe-module-test.js │ │ │ │ │ └── unsafe-module-test.wd-test │ │ │ │ └── weakref/ │ │ │ │ ├── BUILD.bazel │ │ │ │ ├── config.capnp │ │ │ │ ├── index.mjs │ │ │ │ └── test.mjs │ │ │ ├── v8-platform-impl.c++ │ │ │ ├── v8-platform-impl.h │ │ │ ├── workerd-api.c++ │ │ │ ├── workerd-api.h │ │ │ ├── workerd-debug-port-client.c++ │ │ │ ├── workerd-debug-port-client.h │ │ │ ├── workerd.c++ │ │ │ └── workerd.capnp │ │ ├── tests/ │ │ │ ├── BUILD.bazel │ │ │ ├── bench-api-headers.c++ │ │ │ ├── bench-global-scope.c++ │ │ │ ├── bench-json.c++ │ │ │ ├── bench-jsstring.c++ │ │ │ ├── bench-kj-headers.c++ │ │ │ ├── bench-mimetype.c++ │ │ │ ├── bench-pumpto.c++ │ │ │ ├── bench-regex.c++ │ │ │ ├── bench-response.c++ │ │ │ ├── bench-stream-piping.c++ │ │ │ ├── bench-text-encoder.c++ │ │ │ ├── bench-tools.h │ │ │ ├── bench-util.c++ │ │ │ ├── libreprl/ │ │ │ │ ├── libreprl.c │ │ │ │ └── libreprl.h │ │ │ ├── module-imports-test.js │ │ │ ├── module-imports-test.wd-test │ │ │ ├── performance-test.js │ │ │ ├── performance-test.wd-test │ │ │ ├── test-fixture-test.c++ │ │ │ ├── test-fixture.c++ │ │ │ ├── test-fixture.h │ │ │ ├── test-reprl.c++ │ │ │ ├── test.wasm │ │ │ ├── unknown-import-assertions-test.js │ │ │ └── unknown-import-assertions-test.wd-test │ │ ├── tools/ │ │ │ ├── BUILD.bazel │ │ │ ├── param-extractor.rs │ │ │ └── param-names-ast.c++ │ │ └── util/ │ │ ├── AGENTS.md │ │ ├── BUILD.bazel │ │ ├── abortable.h │ │ ├── account-limits.h │ │ ├── autogate.c++ │ │ ├── autogate.h │ │ ├── batch-queue-test.c++ │ │ ├── batch-queue.h │ │ ├── canceler.h │ │ ├── capnp-mock.c++ │ │ ├── capnp-mock.h │ │ ├── checked-queue-test.c++ │ │ ├── checked-queue.h │ │ ├── color-util.h │ │ ├── completion-membrane.h │ │ ├── duration-exceeded-logger-test.c++ │ │ ├── duration-exceeded-logger.h │ │ ├── entropy.c++ │ │ ├── entropy.h │ │ ├── exception.h │ │ ├── header-validation.h │ │ ├── http-util.h │ │ ├── immediate-crash.h │ │ ├── mimetype-test.c++ │ │ ├── mimetype.c++ │ │ ├── mimetype.h │ │ ├── own-util.h │ │ ├── perfetto-tracing.c++ │ │ ├── perfetto-tracing.h │ │ ├── ring-buffer-test.c++ │ │ ├── ring-buffer.h │ │ ├── sentry.h │ │ ├── small-set-test.c++ │ │ ├── small-set.h │ │ ├── sqlite-kv-test.c++ │ │ ├── sqlite-kv.c++ │ │ ├── sqlite-kv.h │ │ ├── sqlite-metadata-test.c++ │ │ ├── sqlite-metadata.c++ │ │ ├── sqlite-metadata.h │ │ ├── sqlite-test.c++ │ │ ├── sqlite.c++ │ │ ├── sqlite.h │ │ ├── state-machine-test.c++ │ │ ├── state-machine.h │ │ ├── stream-utils.c++ │ │ ├── stream-utils.h │ │ ├── string-buffer-test.c++ │ │ ├── string-buffer.h │ │ ├── strings.c++ │ │ ├── strings.h │ │ ├── strong-bool-test.c++ │ │ ├── strong-bool.h │ │ ├── test-test.c++ │ │ ├── test.h │ │ ├── thread-scopes.c++ │ │ ├── thread-scopes.h │ │ ├── uncaught-exception-source.h │ │ ├── use-perfetto-categories.h │ │ ├── uuid-test.c++ │ │ ├── uuid.c++ │ │ ├── uuid.h │ │ ├── wait-list-test.c++ │ │ ├── wait-list.c++ │ │ ├── wait-list.h │ │ ├── weak-refs.h │ │ ├── websocket-error-handler.c++ │ │ ├── websocket-error-handler.h │ │ └── xthreadnotifier.h │ └── wpt/ │ ├── BUILD.bazel │ ├── WebCryptoAPI-test.ts │ ├── compression-test.ts │ ├── dom/ │ │ ├── abort-test.ts │ │ └── events-test.ts │ ├── encoding-test.ts │ ├── eslint.config.mjs │ ├── eventsource-test.ts │ ├── fetch/ │ │ └── api-test.ts │ ├── fs-test.ts │ ├── harness/ │ │ ├── assertions.ts │ │ ├── common.ts │ │ ├── globals.ts │ │ ├── harness.ts │ │ ├── test.ts │ │ └── utils.ts │ ├── performance-timeline-test.ts │ ├── streams-test.ts │ ├── tsconfig.json │ ├── url-test.ts │ ├── urlpattern-standard-test.ts │ ├── urlpattern-test.ts │ ├── webidl-test.ts │ └── websockets-test.ts ├── tools/ │ ├── BUILD.bazel │ ├── base.eslint.config.mjs │ ├── base.tsconfig.json │ ├── cross/ │ │ ├── format.json │ │ ├── format.py │ │ ├── internal_build.py │ │ └── wpt_logs.py │ ├── custom-eslint-rules.mjs │ ├── custom-eslint-rules.test.mjs │ ├── intellij/ │ │ └── .managed.bazelproject │ ├── unix/ │ │ ├── apply-big-move.sh │ │ ├── clangd-check.sh │ │ ├── create-external.sh │ │ ├── create-internal-pr.sh │ │ ├── find-python3.sh │ │ ├── fix-copyrights.sh │ │ ├── new-test.sh │ │ ├── upload-python-bundle.sh │ │ └── workspace-status.sh │ ├── update_node_version.py │ ├── update_opencode_version.py │ └── windows/ │ ├── bazel-env.bat │ ├── create-external.bat │ ├── install-deps.bat │ ├── vsconfig.json │ └── workspace-status.cmd └── types/ ├── AGENTS.md ├── BUILD.bazel ├── README.md ├── defines/ │ ├── ai-search.d.ts │ ├── ai.d.ts │ ├── aig.d.ts │ ├── autorag.d.ts │ ├── cf.d.ts │ ├── d1.d.ts │ ├── disposable.d.ts │ ├── email.d.ts │ ├── hello-world.d.ts │ ├── hyperdrive.d.ts │ ├── images.d.ts │ ├── media.d.ts │ ├── node.d.ts │ ├── pages.d.ts │ ├── pipelines.d.ts │ ├── pubsub.d.ts │ ├── ratelimit.d.ts │ ├── rpc.d.ts │ ├── secrets-store.d.ts │ ├── sockets.d.ts │ ├── stream.d.ts │ ├── to-markdown.d.ts │ ├── trace.d.ts │ ├── vectorize.d.ts │ ├── versions.d.ts │ ├── wfp.d.ts │ └── workflows.d.ts ├── eslint.config.mjs ├── generated-snapshot/ │ ├── experimental/ │ │ ├── index.d.ts │ │ └── index.ts │ └── latest/ │ ├── index.d.ts │ └── index.ts ├── scripts/ │ ├── build-types.ts │ ├── build-worker.ts │ └── config.capnp ├── src/ │ ├── cloudflare.ts │ ├── generator/ │ │ ├── index.ts │ │ ├── parameter-names.ts │ │ ├── structure.ts │ │ └── type.ts │ ├── index.ts │ ├── print.ts │ ├── program.ts │ ├── standards.ts │ ├── transforms/ │ │ ├── ambient.ts │ │ ├── class-to-interface.ts │ │ ├── comments.ts │ │ ├── globals.ts │ │ ├── helpers.ts │ │ ├── import-resolve.ts │ │ ├── importable.ts │ │ ├── index.ts │ │ ├── internal-namespace.ts │ │ ├── iterators.ts │ │ ├── onmessage-declaration.ts │ │ └── overrides/ │ │ ├── compiler.ts │ │ └── index.ts │ ├── utils.ts │ └── worker/ │ ├── index.ts │ ├── raw.d.ts │ ├── rtti.d.ts │ └── virtual.d.ts ├── test/ │ ├── generator/ │ │ ├── index.spec.ts │ │ ├── structure.spec.ts │ │ └── type.spec.ts │ ├── index.spec.ts │ ├── print.spec.ts │ ├── transforms/ │ │ ├── class-to-interface.spec.ts │ │ ├── globals.spec.ts │ │ ├── iterators.spec.ts │ │ └── overrides/ │ │ └── index.spec.ts │ └── types/ │ ├── cf.ts │ ├── d1.ts │ ├── do.ts │ ├── rpc.ts │ └── tsconfig.json └── tsconfig.json ================================================ FILE CONTENTS ================================================ ================================================ FILE: .bazelignore ================================================ node_modules images/container-client-test/node_modules src/workerd/api/tests/opennextjs/src/node_modules # Nested modules build/google-benchmark build/perfetto build/workerd-v8 ================================================ FILE: .bazelrc ================================================ common --enable_platform_specific_config build --verbose_failures build --build_tag_filters=-off-by-default,-requires-container-engine # block network access by default build --nosandbox_default_allow_network test --test_tag_filters=-off-by-default,-requires-fuzzilli,-requires-container-engine test:asan --test_tag_filters=-off-by-default,-no-asan,-requires-fuzzilli,-requires-container-engine # exclude enormous tests by default build --test_size_filters=-enormous # use lower test timeouts: https://bazel.build/reference/test-encyclopedia#role-test-runner # corresponds to small,medium,large,enormous tests (medium is default) build --test_timeout=3,15,60,240 # As part of starlarkification, Bazel 8 and 9 remove a number of rules which now need to be imported # from other repositories. In the long term, load() statements will be needed to import these rules. # For now, we can still autoload the affected repositories when needed. Do this only for a remaining # protobuf components and rules_cc (needed with Bazel 9). common --incompatible_autoload_externally="+ProtoInfo,+cc_binary,+cc_import,+cc_library,+cc_shared_library,+cc_test,+cc_toolchain" # TODO(cleanup): Bazel 9 sets this by default, which breaks the macOS-cross build. Fix and re-enable. common --@bazel_tools//tools/test:incompatible_use_default_test_toolchain=False # Enable proto toolchain resolution to use prebuilt protoc (starting with protobuf v34.0). Will be # the default starting with Bazel 10. common --incompatible_enable_proto_toolchain_resolution # bazel7 enables Build without the Bytes (BwoB) by default. This significantly speeds up builds # using the remote cache since less data needs to be fetched. # Note that we use remote_download_minimal for test builds, which avoids fetching build outputs # where possible. While several previous BwoB bugs have been fixed, this is slower than it could be # due to https://github.com/bazelbuild/bazel/issues/20576. # Import CI-specific configuration. As the amount of custom configuration settings we use grows, # consider moving more flags out to separate files. import %workspace%/build/ci.bazelrc import %workspace%/build/rust_lint.bazelrc import %workspace%/build/tools/clang_tidy/clang_tidy.bazelrc # Continue building locally when remote cache entries fail to materialize build --incompatible_remote_local_fallback_for_remote_cache # TODO(soon): Flipped by default in Bazel 9, add required variables to --repo_env and enable build --noincompatible_repo_env_ignores_action_env # Use -isystem for cc_library includes attribute – this prevents warnings for misbehaving external # code. build:linux --features=external_include_paths --host_features=external_include_paths # Forward compatibility with future Bazel versions: # Disable deprecated cfg = "host" Bazel rule setting. Blocked on perfetto. # common --incompatible_disable_starlark_host_transitions # Our dependencies (ICU, zlib, etc.) produce a lot of these warnings, so we disable them. build --per_file_copt='external@-Wno-error' build --per_file_copt='external@-Wno-suggest-override' build --per_file_copt='external/.*v8@-Wno-unused-function' build --per_file_copt='external/zlib@-Wno-deprecated-non-prototype' build --host_per_file_copt='external/zlib@-Wno-deprecated-non-prototype' build --per_file_copt=external/protobuf@-Wno-deprecated-declarations build --host_per_file_copt=external/protobuf@-Wno-deprecated-declarations # opt in to capnp deprecation warnings about trying to attach to a refcounted object build --cxxopt=-DKJ_WARN_REFCOUNTED_ATTACH=1 # TODO(cleanup): Causes warnings with LLVM20, fix and enable again build --copt=-Wno-nontrivial-memaccess # Unconditionally optimize V8 heap.cc on macOS – when optimization or inlining are disabled, this # file appears to cause segfaults at workerd startup on macOS. # TODO(cleanup): Investigate why this happens, our patches do not modify heap.cc itself so the bug # might be introduced through a header included in heap.cc, through the Bazel build configuration or # a bug in Apple LLVM. build:macos --per_file_copt=v8/src/heap/heap.cc@-O3 # The macOS apple_support toolchain sets -DDEBUG for fastbuild, unlike the Linux toolchain. This is # unhelpful for compile speeds and test performance, and may cause compile errors based on V8 DCHECK # macros that reference symbols only available with V8_VERIFY_WRITE_BARRIERS (a debug-only define), # causing compile errors. Undefine DEBUG to match Linux behavior. build:macos --copt=-UDEBUG # Increasing the optimization level of V8 significantly speeds up tests using V8 a lot, especially # python tests. This is useful for both CI and local development and enabled by default, but still # kept in a separate configuration to make it easy to disable. build:v8-codegen-opt --per_file_copt=v8/src@-O3 # V8 is heavily using absl for hashing now, optimize it too. build:v8-codegen-opt --per_file_copt=external/abseil-cpp@-O3 # zlib and tcmalloc (for Linux) are also CPU-intensive, optimize them too. build:v8-codegen-opt --per_file_copt=external/tcmalloc@-O3 build:v8-codegen-opt --per_file_copt=external/zlib@-O3 # BoringSSL is CPU-intensive for crypto tests, optimize it too. build:v8-codegen-opt --per_file_copt=external/boringssl@-O3 # simdutf is used for fast string encoding/decoding build:v8-codegen-opt --per_file_copt=external/+http+simdutf@-O3 # ICU and perfetto are generally updated with V8 and rarely need to be updated, optimize them too. build:v8-codegen-opt --per_file_copt=external/.*com_googlesource_chromium_icu@-O3 build:v8-codegen-opt --per_file_copt=external/perfetto@-O3 build:v8-codegen-opt-windows --per_file_copt=v8/src@/O2,/clang:-O3 build:v8-codegen-opt-windows --per_file_copt=external/abseil-cpp@/O2,/clang:-O3 build:v8-codegen-opt-windows --per_file_copt=external/zlib@/O2,/clang:-O3 build:v8-codegen-opt-windows --per_file_copt=external/boringssl@/O2,/clang:-O3 build:v8-codegen-opt-windows --per_file_copt=external/+http+simdutf@/O2,/clang:-O3 build:v8-codegen-opt-windows --per_file_copt=external/.*com_googlesource_chromium_icu@/O2,/clang:-O3 build:v8-codegen-opt-windows --per_file_copt=external/perfetto@/O2,/clang:-O3 build:unix --config=v8-codegen-opt build:windows --config=v8-codegen-opt-windows # In Google projects, exceptions are not used as a rule. Disabling them is more consistent with the # canonical V8 build and improves code size. Paths are adjusted for bzlmod mangling – V8 and ICU use # a wildcard for this as the prefix is some variation of +_repo_rules3+ where the number can change # when refactoring MODULE.bazel – setting this directly would be too brittle build:unix --per_file_copt=external/abseil-cpp@-fno-exceptions build:unix --per_file_copt=external/protobuf@-fno-exceptions build:unix --per_file_copt=external/tcmalloc@-fno-exceptions build:unix --per_file_copt=external/.*com_googlesource_chromium_icu@-fno-exceptions build:unix --per_file_copt=external/perfetto@-fno-exceptions build:unix --per_file_copt=external/boringssl@-fno-exceptions build:unix --per_file_copt=external/.*v8@-fno-exceptions build:unix --per_file_copt=external/ada-url@-fno-exceptions build:unix --per_file_copt=external/+http+simdutf@-fno-exceptions build:windows --per_file_copt=external/abseil-cpp@/clang:-fno-exceptions build:windows --per_file_copt=external/protobuf@/clang:-fno-exceptions build:windows --per_file_copt=external/tcmalloc@/clang:-fno-exceptions build:windows --per_file_copt=external/.*com_googlesource_chromium_icu@/clang:-fno-exceptions build:windows --per_file_copt=external/perfetto@/clang:-fno-exceptions build:windows --per_file_copt=external/boringssl@/clang:-fno-exceptions build:windows --per_file_copt=external/.*v8@/clang:-fno-exceptions build:windows --per_file_copt=external/ada-url@/clang:-fno-exceptions build:windows --per_file_copt=external/+http+simdutf@/clang:-fno-exceptions # V8 torque is an exception from this policy, see v8 BUILD.gn. build:unix --per_file_copt=external/.*v8/src/torque@-fexceptions build:windows --per_file_copt=external/.*v8/src/torque@/clang:-fexceptions # Limit transitive header includes within libc++. This improves compliance with IWYU, helps avoid # errors with downstream projects that implicitly define this already and reduces total include size. https://libcxx.llvm.org/DesignDocs/HeaderRemovalPolicy.html build:unix --cxxopt=-D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES --host_cxxopt=-D_LIBCPP_REMOVE_TRANSITIVE_INCLUDES # Do not enable libc++ ABI tags. This makes mangled symbol names and thus include overhead and code # size slightly smaller and is safe as long as we don't link with several copies of libc++. build:unix --cxxopt=-D_LIBCPP_NO_ABI_TAG --host_cxxopt=-D_LIBCPP_NO_ABI_TAG # Disable the experimental (and currently incomplete) parallel STL implementation as with # downstream, this reduces the include overhead for . build:unix --cxxopt=-D_LIBCPP_HAS_NO_INCOMPLETE_PSTL --host_cxxopt=-D_LIBCPP_HAS_NO_INCOMPLETE_PSTL # V8 redefines the _WIN32_WINNT set by bazel, disable warnings for redefined macros. Since V8 uses # a global define for this, we need to apply it for everything. # TODO(cleanup): Patch upstream V8 to use local_defines for this instead. build:windows --copt='-Wno-macro-redefined' build:windows --host_copt='-Wno-macro-redefined' # typescript configuration # do more correct type checking common --@aspect_rules_ts//ts:skipLibCheck=honor_tsconfig # Use "tsc" as the transpiler when ts_project has no `transpiler` set. common --@aspect_rules_ts//ts:default_to_tsc_transpiler # optimized LTO build. build:thin-lto --config=opt build:thin-lto --copt='-flto=thin' build:thin-lto --linkopt='-flto=thin' # configuration used for performance profiling build:profile --config=thin-lto build:profile --copt="-fno-omit-frame-pointer" --copt="-mno-omit-leaf-frame-pointer" build:profile --config=limited-dbg-info build:profile --strip=never # configuration used for performance benchmarking is the same as profiling for consistency build:benchmark --config=profile # Define a debug config which is primarily intended for local development. build:debug -c dbg # Using simple template names saves around 5% of binary size of workerd. build:unix --cxxopt='-gsimple-template-names' --host_cxxopt='-gsimple-template-names' # Enable hidden visibility for inline functions. This can cause problems when comparing pointers to # inline functions across shared library boundaries, but this is unlikely to be done anywhere # within workerd, V8 explicitly supports hidden visibility. build:unix --cxxopt='-fvisibility-inlines-hidden' --host_cxxopt='-fvisibility-inlines-hidden' # Define a config mode which is fastbuild but with basic debug info. build:fastdbg -c fastbuild build:fastdbg --config=limited-dbg-info build:fastdbg --config=rust-debug build:fastdbg --strip=never build:fastdbg --//:dead_strip=False # provide a limited amount of debug info, sufficient for qualified stack traces. build:limited-dbg-info --copt='-g1' --copt="-fdebug-info-for-profiling" # Miscellaneous platform-independent options build --@capnp-cpp//src/kj:openssl=True --@capnp-cpp//src/kj:zlib=True --@capnp-cpp//src/kj:brotli=True build --@capnp-cpp//src/capnp:gen_rust=True # always have KJ_IREQUIRE checks enabled, this matches workers production. build --@capnp-cpp//src/kj:kj_enable_irequire=True # overriden in config=opt build --@capnp-cpp//src/kj:debug_memory=True build --cxxopt="-fbracket-depth=512" --host_cxxopt="-fbracket-depth=512" # Additional Rust flags (see https://doc.rust-lang.org/rustc/codegen-options/index.html) # Need to disable debug-assertions for fastbuild, should be off automatically for opt. # Using extra_rustc_flag for non-exec flags so they can be overwritten selectively. build --@rules_rust//:extra_rustc_flag=-Cdebug-assertions=n build --@rules_rust//:extra_exec_rustc_flags=-Cdebug-assertions=n build --@rules_rust//:rustfmt.toml=//src/rust:rustfmt.toml # We default to not enabling debug assertions and unwinding for Rust. For debug builds this is not # the right setting, but unfortunately we can't set that directly. build:rust-debug --@rules_rust//:extra_rustc_flag=-Cdebug-assertions=y # Use the equivalent of -g/-g2 for Rust here, this is necessary to get qualified stack traces while # -Zdebug-info-for-profiling is unavailable. Unlike gcc/clang, Rust defaults to -g3 otherwise. build:rust-debug --@rules_rust//:extra_rustc_flag=-Cdebuginfo=1 build:rust-debug --@rules_rust//:extra_rustc_flag=-Cstrip=none # Adding -C lto=thin here would improve binary size significantly – disable it for now due to # compile errors and wrong code generation when bazel and rust use different LLVM versions. build:thin-lto --@rules_rust//:extra_rustc_flag=-Ccodegen-units=1 # common sanitizers options build:sanitizer-common --@workerd//src/workerd/server:use_tcmalloc=False build:sanitizer-common --copt="-fsanitize-link-c++-runtime" --linkopt="-fsanitize-link-c++-runtime" build:sanitizer-common --copt="-Og" build:sanitizer-common --copt="-g" --strip=never build:sanitizer-common --copt="-fno-optimize-sibling-calls" build:sanitizer-common --copt="-fno-omit-frame-pointer" --copt="-mno-omit-leaf-frame-pointer" # address sanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer) build:asan --config=sanitizer-common build:asan --copt="-fsanitize=address" --linkopt="-fsanitize=address" build:asan --test_env=ASAN_OPTIONS=abort_on_error=true build:asan --test_env=KJ_CLEAN_SHUTDOWN=1 # Enable ASan, LSan support in V8 build:asan --copt="-DV8_USE_ADDRESS_SANITIZER" build:asan --per_file_copt='external/.*v8@-DADDRESS_SANITIZER,-DLEAK_SANITIZER' # fuzzilli (https://github.com/googleprojectzero/fuzzilli/) build:fuzzilli --config=asan build:fuzzilli --copt="-DWORKERD_FUZZILLI" build:fuzzilli --linkopt="-DWORKERD_FUZZILLI" build:fuzzilli --copt="-fsanitize-coverage=trace-pc-guard" build:fuzzilli --linkopt="-fsanitize-coverage=trace-pc-guard" build:fuzzilli --linkopt="-static-libasan" # Set ASan/UBSan options globally to abort on error (raise SIGABRT) for proper Fuzzilli crash detection build:fuzzilli --action_env=ASAN_OPTIONS=abort_on_error=1:symbolize=false build:fuzzilli --action_env=UBSAN_OPTIONS=abort_on_error=1:symbolize=false # Override test filters to include requires-fuzzilli tests (inherits asan's -no-asan filter) test:fuzzilli --test_tag_filters=-off-by-default # # Linux and macOS # build:unix --workspace_status_command=./tools/unix/workspace-status.sh build:unix --cxxopt='-std=c++23' --host_cxxopt='-std=c++23' build:unix --@capnp-cpp//src/kj:libdl=True # Bazel uses CC to compile C and C++ actions, no need to define CXX. build:unix --action_env=BAZEL_COMPILER=clang build:unix --action_env=CC=clang build:unix --test_env=LLVM_SYMBOLIZER=llvm-symbolizer # Warning options. build:unix --cxxopt='-Wall' --host_cxxopt='-Wall' build:unix --cxxopt='-Wextra' --host_cxxopt='-Wextra' build:unix --cxxopt='-Wunused-function' --host_cxxopt='-Wunused-function' build:unix --cxxopt='-Wunused-lambda-capture' --host_cxxopt='-Wunused-lambda-capture' build:unix --cxxopt='-Wunused-variable' --host_cxxopt='-Wunused-variable' build:unix --cxxopt='-Wno-sign-compare' --host_cxxopt='-Wno-sign-compare' build:unix --cxxopt='-Wno-unused-parameter' --host_cxxopt='-Wno-unused-parameter' build:unix --cxxopt='-Wno-missing-field-initializers' --host_cxxopt='-Wno-missing-field-initializers' build:unix --cxxopt='-Wsuggest-override' build:linux --config=unix build:macos --config=unix # Support macOS 13 as the minimum version. There should be at least a warning when backward # compatibility is broken as -Wunguarded-availability-new is enabled by default. Only enable for # target configuration as host configuration tools are only used during the build process. build:macos --macos_minimum_os=13.5 # Avoid emitting duplicate unwind info where compact unwind info can be used. This reduces the # object size by ~5% on average, improving disk space usage and link times. The final binary size # is not affected. Note that this is on-by-default on arm64, but turning it on for all mac builds # is easier than adding the flag only on x86. See https://reviews.llvm.org/D122258 for detailed # information on the flag. build:macos --copt='-femit-dwarf-unwind=no-compact-unwind' # Cross-Compilation # Only cross-compiling on macOS from Apple Silicon to x86_64 is supported – using apple_support # makes this much easier than on other platforms. We could define a configuration for cross- # compiling from Intel Mac too, but it lacks a means to run Apple Silicon binaries. We would have to # change V8 mksnapshot to build in the host configuration again (effectively compiling much of V8 # twice) and couldn't run tests, so it would provide little value. # # Define the target platform build:macos-cross-x86_64 --cpu=darwin_x86_64 --host_cpu=darwin_arm64 --platforms //:macOS_x86 # Some cross-compiled tests are slower when run over Rosetta, increase the medium test size timeout. # Test performance is still very much satisfactory considering that emulation is being used here. build:macos-cross-x86_64 --test_timeout=1,30,60,240 # On Linux, always link libc++ statically to avoid compatibility issues with different OS versions. # macOS links with dynamic libc++ by default, which has good backwards compatibility. # Drop default link flags, which include libstdc++ for Linux build:linux --features=-default_link_libs --host_features=-default_link_libs build:linux --cxxopt='-stdlib=libc++' --host_cxxopt='-stdlib=libc++' build:linux --linkopt='-stdlib=libc++' --host_linkopt='-stdlib=libc++' build:linux --linkopt='-l:libc++.a' --linkopt='-lm' --linkopt='-static-libgcc' # We don't expect to distribute host tools, no need to statically link libgcc. # TODO(cleanup): Ideally we'd also use shared libc++ here, we'd just need to install the # libunwind--dev and libc++abi--dev packages on CI to have all of shared libc++ # available. build:linux --host_linkopt='-l:libc++.a' --host_linkopt='-lm' # On Linux, enable PIC. In macos pic is the default, and the objc_library rule does not work # correctly if we use this flag since it will not find the object files to include # https://github.com/bazelbuild/bazel/issues/12439#issuecomment-914449079 build:linux --force_pic # On Linux, garbage collection sections and optimize binary size. These do not apply to the macOS # toolchain. build:linux --linkopt="-Wl,--gc-sections" build:linux --copt="-ffunction-sections" --host_copt="-ffunction-sections" build:linux --copt="-fdata-sections" --host_copt="-fdata-sections" # On Linux, use clang lld. build:linux --linkopt="-fuse-ld=lld" # # Windows # # See https://bazel.build/configure/windows#symlink startup --windows_enable_symlinks build:windows --workspace_status_command=./tools/windows/workspace-status.cmd build:windows --enable_runfiles # We use LLVM's MSVC-compatible compiler driver to compile our code on Windows, # as opposed to using MSVC directly. This enables us to use the "same" compiler # frontend on Linux, macOS, and Windows, massively reducing the effort required # to compile workerd on Windows. Notably, this provides proper support for # `#pragma once` when using symlinked virtual includes, `__atomic_*` functions, # a standards-compliant preprocessor, support for GNU statement expressions # used by some KJ macros, and understands the `.c++` extension by default. # As of bazel 7, toolchain resolution is enabled by default, so we need to define a platform for # the clang-cl build. build:windows --extra_toolchains=@local_config_cc//:cc-toolchain-x64_windows-clang-cl build:windows --extra_execution_platforms=//:x64_windows-clang-cl # The Windows fastbuild bazel configuration is broken in that it necessarily generates PDB debug # information while the Linux and macOS toolchains only compile with debug information in the dbg # configuration or when requested with the -g flag. This causes huge increases in compile time and # disk/cache space usage – a single test may come with a 490MB PDB file. # In an optional configuration, use the opt configuration and manually disable optimizations as a # workaround. build:windows_no_dbg -c opt build:windows_no_dbg --copt='/Od' build:windows_no_dbg --linkopt='/INCREMENTAL:NO' build:windows_no_dbg --features=-smaller_binary # Mitigate the large size impact of Windows debug binaries somewhat by applying string merging and # linker garbage collection. build:windows_dbg --config=debug build:windows_dbg --copt='/Gy' --copt='/Gw' build:windows_dbg --linkopt='/OPT:REF' build:windows_dbg --linkopt='/OPT:LLDTAILMERGE' --linkopt='/OPT:SAFEICF' # This hides inline symbols in classes that are marked to be exported, similar to # -fvisibility-inlines-hidden on Unix systems (https://blog.llvm.org/2018/11/30-faster-windows-builds-with-clang-cl_14.html) # Currently this only reduces object sizes slightly, larger gains are possible if we compile V8 as # a shared library. build:windows --copt='/Zc:dllexportInlines-' # Configuration for header parsing. Requires bazel toolchain support (available for macOS, Linux). build:parse_headers --features=parse_headers --process_headers_in_dependencies # Silence some capnproto warnings/errors that are not relevant for header parsing build:parse_headers --per_file_copt='.*\.h@-Wno-unused-function,-Wno-pragma-system-header-outside-header' build:parse_headers --per_file_copt=external/+http+capnp-cpp/src/kj/common.h@-Wno-unreachable-code build:parse_headers --per_file_copt=external/+http+capnp-cpp/src/capnp/arena.h@-DCAPNP_PRIVATE # optimized configuration build:opt -c opt build:opt --@capnp-cpp//src/kj:debug_memory=False # Release configuration. build:release --config=opt build:release --@rules_rust//:extra_rustc_flag=-Ccodegen-units=1 # enable -O3 for the release configuration. Based on benchmarking there is little difference in # performance, but -O3 should generally be expected to be faster for at least parts of the workerd API. build:release_unix --copt='-O3' build:release_unix --config=release build:release_linux --config=release_unix build:release_linux --linkopt="-Wl,-O2" build:release_macos --config=release_unix # Disable generating LC_DATA_IN_CODE and LC_FUNCTION_STARTS binary sections, two rarely used types # of macOS debug info. These sections are largely undocumented, but are used by LLDB to improve # debugging on binaries that are otherwise stripped. There should be no need to include this # data in releases. build:release_macos --linkopt="-Wl,-no_data_in_code_info" build:release_macos --linkopt="-Wl,-no_function_starts" # Cross-compiled release build for x86_64. build:release_macos_cross_x86_64 --config=release_macos build:release_macos_cross_x86_64 --config=macos-cross-x86_64 # On macOS, optionally compile using LLD (19 or higher is compatible with the default flags added by # apple_support). Requires Homebrew's lld package to be installed and symlinked into /usr/local/bin. # This is less CPU intensive than the system linker, but also slightly slower in terms of wall time # since it is less parallel. More importantly, it allows us to enable LLD's ICF pass, which # significantly decreases binary sizes. We could use Xcode 16's -Wl,-deduplicate option instead, but # LLD's ICF appears to be superior. We also want to enable ICF for Linux, but there it causes # warnings when dynamically linking with libc++. build:macos_lld --linkopt=-fuse-ld=lld --linkopt=--ld-path=/usr/local/bin/ld64.lld build:macos_lld_icf --config=macos_lld build:macos_lld_icf --linkopt="-Wl,--icf=safe" build:release_windows --config=release # Windows uses /O2 as its preferred optimization setting and enabled by bazel in the opt # configuration, but for clang-cl this is equivalent to only -O2 and a few other things. -O3 is # not exposed directly in the clang-cl driver, but we can access regular clang # flags using the /clang prefix anyway. https://clang.llvm.org/docs/UsersManual.html#the-clang-option build:release_windows --copt="/clang:-O3" # clang-cl does not enable strict aliasing by default to match MSVC's approach, unlike clang on # Unix which turns it on for opt builds. build:release_windows --copt="-fstrict-aliasing" # This file breaks our CI windows release builds when compiled using O2/O3 # Ref: https://github.com/llvm/llvm-project/issues/136481 build:release_windows --per_file_copt=.*capnp/rpc\.c++@/clang:-O1 build:windows --cxxopt='/std:c++23preview' --host_cxxopt='/std:c++23preview' build:windows --copt='/D_CRT_USE_BUILTIN_OFFSETOF' --host_copt='/D_CRT_USE_BUILTIN_OFFSETOF' build:windows --copt='/DWIN32_LEAN_AND_MEAN' --host_copt='/DWIN32_LEAN_AND_MEAN' build:windows --copt='/EHs' --host_copt='/EHs' # The `/std:c++23preview` argument is unused during BoringSSL compilation and we don't # want a warning when compiling each file. build:windows --per_file_copt=external/boringssl@-Wno-unused-command-line-argument --host_per_file_copt=external/boringssl@-Wno-unused-command-line-argument # MSVC disappointingly sets __cplusplus to 199711L by default. Defining /Zc:__cplusplus makes it # set the correct value. We currently don't check __cplusplus, but some dependencies do. build:windows --cxxopt='/Zc:__cplusplus' --host_cxxopt='/Zc:__cplusplus' # Coverage configuration using LLVM tools. These environment variables are used by rules_cc # to locate LLVM coverage tools. Users should ensure llvm-profdata and llvm-cov are available # in PATH (create symlinks to version-specific binaries if needed, e.g., ln -s llvm-cov-19 llvm-cov). build:coverage --action_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 build:coverage --test_env=BAZEL_USE_LLVM_NATIVE_COVERAGE=1 # GCOV is used by rules_cc to merge raw profile data (.profraw) into indexed profile data (.profdata) build:coverage --action_env=GCOV=llvm-profdata build:coverage --test_env=GCOV=llvm-profdata # COVERAGE_GCOV_PATH is used by collect_cc_coverage.sh for merging .profraw files. build:coverage --action_env=COVERAGE_GCOV_PATH=/usr/bin/llvm-profdata build:coverage --test_env=COVERAGE_GCOV_PATH=/usr/bin/llvm-profdata # BAZEL_LLVM_COV is used by rules_cc to generate coverage reports from profile data build:coverage --action_env=BAZEL_LLVM_COV=llvm-cov build:coverage --test_env=BAZEL_LLVM_COV=llvm-cov # LLVM_COV is used by collect_cc_coverage.sh for generating LCOV output build:coverage --test_env=LLVM_COV=llvm-cov # GENERATE_LLVM_LCOV=1 tells collect_cc_coverage.sh to use llvm-cov export to generate LCOV format # instead of just outputting raw profdata. LLVM_COV specifies the llvm-cov binary to use. build:coverage --test_env=GENERATE_LLVM_LCOV=1 build:coverage --experimental_use_llvm_covmap build:coverage --experimental_generate_llvm_lcov # Ensure that we fetch coverage data from remote cache build:coverage --experimental_fetch_all_coverage_outputs build:coverage --experimental_split_coverage_postprocessing # Allow coverage outputs to be writable for post-processing build:coverage --experimental_writable_outputs build:coverage --collect_code_coverage # Only instrument source code, not tests or tools - significantly speeds up coverage builds build:coverage --instrumentation_filter="^//src/workerd[/:],^//src/rust[/:]" build:coverage --instrument_test_targets # Disable coverage instrumentation for external dependencies to speed up compilation. # Coverage for V8/external code is not useful for our purposes. # These flags negate -fprofile-instr-generate and -fcoverage-mapping set by rules_cc. build:coverage --per_file_copt=external/.*@-fno-profile-instr-generate,-fno-coverage-mapping # KJ uses _exit() by default which bypasses atexit handlers and prevents LLVM profile runtime # from writing coverage data. KJ_CLEAN_SHUTDOWN forces use of normal exit() instead. build:coverage --test_env=KJ_CLEAN_SHUTDOWN=1 # Use -O1 for faster compilation - coverage builds don't need heavy optimization build:coverage --copt=-O1 # Reduce debug info for faster compilation and smaller binaries build:coverage --copt=-g1 # Use limited coverage mode for smaller binaries and faster execution (used by Chromium) build:coverage --copt=-mllvm --copt=-limited-coverage-experimental=true coverage --test_tag_filters=-off-by-default,-requires-fuzzilli,-requires-container-engine,-lint,-benchmark,-workerd-benchmark,-no-coverage # Coverage instrumentation slows down test execution, so extend timeouts # We disable enormous tests due to the slowdown (CI jobs have a 6h max duration) coverage --test_size_filters=-enormous coverage --test_timeout=240,240,240,240 coverage --build_tests_only # This config is defined internally and enabled on many machines. # Defining it as empty just so these machines can run build commands from the workerd repo build:rosetta-arm64 --define=rosetta_arm64_no_op=1 ================================================ FILE: .bazelversion ================================================ 9.0.1 ================================================ FILE: .clang-format ================================================ Language: Cpp Standard: c++20 ColumnLimit: 100 WhitespaceSensitiveMacros: # clang format doesn't understand TypeScript, so make sure it doesn't mangle # overrides and additional definitions - JSG_TS_OVERRIDE - JSG_TS_DEFINE - JSG_STRUCT_TS_OVERRIDE - JSG_STRUCT_TS_DEFINE AllowShortFunctionsOnASingleLine: Empty SortIncludes: true IncludeBlocks: Regroup IncludeCategories: # c++ system headers - Regex: <[a-zA-Z0-9_]+> Priority: 5 # kj/capnp headers - Regex: <(kj|capnp)/.+> Priority: 4 # workerd headers - Regex: Priority: 2 # 3rd party headers - Regex: <.+> Priority: 3 # local headers - Regex: '".*"' Priority: 1 AllowShortIfStatementsOnASingleLine: true AllowShortLoopsOnASingleLine: true AllowShortBlocksOnASingleLine: Empty IndentWidth: 2 IndentCaseBlocks: false IndentCaseLabels: true PointerAlignment: Left DerivePointerAlignment: true # Move public and private in by a half-indentation. This makes # diffs and Github code reviews more readable by letting you # see which class the diff snippet is part of. AccessModifierOffset: -1 # Really "Attach" but empty braces aren't split. BreakBeforeBraces: Custom BraceWrapping: AfterCaseLabel: false AfterClass: false AfterControlStatement: Never AfterEnum: false AfterFunction: false AfterNamespace: false AfterObjCDeclaration: false AfterStruct: false AfterUnion: false AfterExternBlock: false BeforeCatch: false BeforeElse: false BeforeLambdaBody: false BeforeWhile: false IndentBraces: false SplitEmptyFunction: false SplitEmptyRecord: false SplitEmptyNamespace: false Cpp11BracedListStyle: true AlignAfterOpenBracket: DontAlign AlignOperands: DontAlign AlignTrailingComments: Kind: Always OverEmptyLines: 0 AlwaysBreakAfterReturnType: None AlwaysBreakTemplateDeclarations: Yes BreakStringLiterals: false BinPackArguments: true BinPackParameters: false BracedInitializerIndentWidth: 2 BreakInheritanceList: BeforeColon ContinuationIndentWidth: 4 IfMacros: [ "KJ_SWITCH_ONEOF", "KJ_CASE_ONEOF", "KJ_IF_MAYBE", "KJ_IF_SOME", "CFJS_RESOURCE_TYPE", ] LambdaBodyIndentation: OuterScope Macros: - "KJ_MAP(x,y)=[y](auto x)" - "JSG_VISITABLE_LAMBDA(x,y,z)=[x,y](z)" # The WhitespaceSensitiveMacros solution is flaky, adding the following ensures no formatting: - "JSG_TS_OVERRIDE(x)=enum class" - "JSG_TS_DEFINE(x)=enum class" - "JSG_STRUCT_TS_OVERRIDE(x)=enum class" - "JSG_STRUCT_TS_DEFINE(x)=enum class" PenaltyReturnTypeOnItsOwnLine: 1000 PackConstructorInitializers: CurrentLine ReflowComments: false SpaceBeforeCtorInitializerColon: false SpaceBeforeInheritanceColon: false SpaceBeforeParens: ControlStatementsExceptControlMacros SpaceBeforeRangeBasedForLoopColon: false SpaceBeforeCpp11BracedList: false SpacesBeforeTrailingComments: 2 --- # Some files with embedded typescript are incorrectly recognized by clang-format as Objective-C # This is because the C/C++ macro expansion step happens after the language recognition step, so # when trying to parse the file, the c++ parser fails with incorrect syntax and a fallback to # the Objective-C parser is used. # This is a workaround to hide the warning. # TODO: Remove this once we have a better solution. Language: ObjC DisableFormat: true ================================================ FILE: .clang-tidy ================================================ --- # TODO: We currently only enable select clang-tidy checks. While many checks provide little value or # produce false positives, try to incrementally enable most of them. # TODO: these checks are in progress of cleaning up # Note: cppcoreguidelines-noexcept-destructor is designed to detect destructors that are missing # noexcept. We always use noexcept(false) as per KJ-style, but this check works for our purposes # too. Checks: > bugprone-argument-comment, bugprone-capturing-this-in-member-variable, bugprone-dynamic-static-initializers, bugprone-forward-declaration-namespace, bugprone-invalid-enum-default-initialization, bugprone-move-forwarding-reference, bugprone-return-const-ref-from-parameter, bugprone-suspicious-*, -bugprone-suspicious-semicolon, bugprone-undefined-memory-manipulation, bugprone-unhandled-self-assignment, bugprone-unused-raii, bugprone-use-after-move, cppcoreguidelines-c-copy-assignment-signature, cppcoreguidelines-misleading-capture-default-by-value, cppcoreguidelines-noexcept-destructor, cppcoreguidelines-prefer-member-initializer, google-readability-casting, misc-confusable-identifiers, misc-header-include-cycle, misc-redundant-expression, misc-throw-by-value-catch-by-reference, misc-unused-alias-decls, misc-unused-using-decls, modernize-loop-convert, modernize-macro-to-enum, modernize-redundant-void-arg, modernize-type-traits, modernize-unary-static-assert, modernize-use-bool-literals, modernize-use-constraints, modernize-use-emplace, modernize-use-equals-delete, modernize-use-nullptr, modernize-use-string-view, modernize-use-transparent-functors, modernize-use-using, performance-*, -performance-enum-size, -performance-no-int-to-ptr, -performance-noexcept-move-constructor, -performance-noexcept-swap, -performance-unnecessary-value-param, readability-avoid-const-params-in-decls, readability-container-contains, readability-container-size-empty, readability-delete-null-pointer, readability-duplicate-include, readability-enum-initial-value, readability-redundant-*, -readability-redundant-inline-specifier, -readability-redundant-parentheses, -readability-redundant-smartptr-get, readability-reference-to-constructed-temporary, readability-static-accessed-through-instance, readability-use-concise-preprocessor-directives # TODO: Fix and enable # bugprone-derived-method-shadowing-base-method # bugprone-parent-virtual-call # cppcoreguidelines-interfaces-global-init # cppcoreguidelines-missing-std-forward # cppcoreguidelines-pro-type-member-init # modernize-use-equals-default # modernize-use-override # modernize-use-ranges # readability-avoid-return-with-void-value # modernize-avoid-variadic-functions # readability-convert-member-functions-to-static # readability-redundant-smartptr-get # readability-use-anyofallof WarningsAsErrors: '*' HeaderFilterRegex: '.*src/workerd/.*' CheckOptions: # JSG has very entrenched include cycles - key: misc-header-include-cycle.IgnoredFilesList value: "jsg/jsg.h|jsg/dom-exception.h" - key: cppcoreguidelines-missing-std-forward.ForwardFunction value: "kj::fwd" ================================================ FILE: .devcontainer/Dockerfile ================================================ FROM mcr.microsoft.com/vscode/devcontainers/javascript-node:22 # Install dependencies, including clang via through LLVM APT repository. Note that this # will also install lldb and clangd alongside dependencies. ARG LLVM_VERSION=19 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ && apt-get -y install software-properties-common python3 python3-distutils tclsh nodejs npm \ && curl -fSsL -o /tmp/llvm.sh https://apt.llvm.org/llvm.sh && chmod +x /tmp/llvm.sh && bash /tmp/llvm.sh ${LLVM_VERSION} \ && apt-get -y install --no-install-recommends libunwind-${LLVM_VERSION} libc++abi1-${LLVM_VERSION} libc++1-${LLVM_VERSION} libc++-${LLVM_VERSION}-dev libclang-rt-${LLVM_VERSION}-dev -o DPkg::options::="--force-overwrite" ENV PATH /usr/lib/llvm-${LLVM_VERSION}/bin:$PATH # Install Bazel (via Bazelisk) RUN npm install -g @bazel/bazelisk # Install Just RUN npm install -g rust-just ================================================ FILE: .devcontainer/devcontainer.json ================================================ { "name": "C++: Workerd", "build": { "dockerfile": "Dockerfile" }, "customizations": { // Configure properties specific to VS Code. "vscode": { // Add the IDs of extensions you want installed when the container is created. "extensions": [ "BazelBuild.vscode-bazel", "eamodio.gitlens", "streetsidesoftware.code-spell-checker", "llvm-vs-code-extensions.vscode-clangd", "ms-vscode.cpptools", "abronan.capnproto-syntax", "DavidAnson.vscode-markdownlint" ], "settings": { // The Microsoft C/C++ extension has IntelliSense support that is not compatible with the clangd extension. "C_Cpp.intelliSenseEngine": "disabled", "C_Cpp.default.cppStandard": "c++20" } } } // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root. // "remoteUser": "root" } ================================================ FILE: .git-blame-ignore-revs ================================================ # Apply prettier to the project 0523bf8b36a937348f1bb79eceda2463a5c220b5 # Apply clang-format to the project. 5e8537a77e760c160ace3dfe23ee8c76ee5aeeb3 # Apply ruff format to the project d6d0607a845e6f71084ce272a1c1e8c50e244bdd # Apply buildifier to the project f457f19039b82536b35659c1f9cb898a198e6cd1 # Apply ruff linter to the project 893774eab71fd7be5000436ff2ff0b5dd85ef073 # Use clang-format to sort includes. faabf00af72bbce956221b40624f8a3d57f82b7c b9e9fb144f44494017e77fbe959355e92f10ae69 # Add `AllowShortBlocksOnASingleLine: Empty` to clang-format fa2c488219a5e96792e61f3d51838595e2907c8d # clang-tidy: Add google-readability-casting, modernize-use-using 21dc6eb66a2344b8e756b897ade27cc107b58153 # clang-tidy: Add more readability checks d8987b2c4206c8b28b637c24219a580431873d12 ================================================ FILE: .github/CODEOWNERS ================================================ * @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects .github/workflows/ @cloudflare/wrangler @cloudflare/workers-runtime-1 npm/ @cloudflare/wrangler @cloudflare/workers-runtime-1 build-releases.sh @cloudflare/wrangler @cloudflare/workers-runtime-1 RELEASE.md @cloudflare/wrangler @cloudflare/workers-runtime-1 package.json @cloudflare/wrangler @cloudflare/workers-runtime-1 pnpm-lock.yaml @cloudflare/wrangler @cloudflare/workers-runtime-1 /types/ @cloudflare/wrangler /types/generated-snapshot/experimental/ @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects src/workerd/tools/ @cloudflare/wrangler @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects src/workerd/io/release-version.txt @cloudflare/wrangler @cloudflare/workers-runtime-1 src/workerd/io/maximum-compatibility-date.txt @cloudflare/wrangler @cloudflare/workers-runtime-1 src/node/ @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects @cloudflare/workers-frameworks @cloudflare/workers-runtime-nodejs src/workerd/api/node/ @cloudflare/workers-runtime-1 @cloudflare/workers-durable-objects @cloudflare/workers-frameworks @cloudflare/workers-runtime-nodejs ================================================ FILE: .github/DISCUSSION_TEMPLATE/nodejs_api_request.yml ================================================ title: "Node.js API Request" labels: ["Node.js API Request"] body: - type: input id: module attributes: label: Module description: "Name of the Node.js module you want to work on Workers. Ex: fs" value: validations: required: true - type: input id: method attributes: label: API Method description: "Name of the specific API method you want to work on Workers. Ex: fs.readFile" value: validations: required: true - type: markdown id: context attributes: value: | ## Context ================================================ FILE: .github/DISCUSSION_TEMPLATE/python_package_request.yml ================================================ title: "Python Package Request" labels: ["Python Package Request"] body: - type: input id: package attributes: label: Package Name description: "Name of the Python package you want to work on Workers" value: validations: required: true - type: input id: version attributes: label: Package Version description: "Optional — specify a particular version of the package" value: validations: required: false - type: markdown id: context attributes: value: | ## Context ================================================ FILE: .github/ISSUE_TEMPLATE/runtime-apis.md ================================================ --- name: runtime-apis about: Report an issue with an API provided by workerd title: '🐛 Bug Report — Runtime APIs' labels: runtime-api --- ================================================ FILE: .github/ISSUE_TEMPLATE/workers-types.md ================================================ --- name: workers-types about: Report an issue or suggestion for `@cloudflare/workers-types` title: '' labels: types assignees: workers-devprod --- ================================================ FILE: .github/actions/setup-runner/action.yml ================================================ name: 'Setup runner environment' description: 'Sets up runner environment with proper toolchain for building workerd' runs: using: 'composite' steps: - name: Setup Linux shell: bash if: runner.os == 'Linux' run: | export DEBIAN_FRONTEND=noninteractive wget https://apt.llvm.org/llvm.sh sed -i '/apt-get install/d' llvm.sh chmod +x llvm.sh sudo ./llvm.sh 19 # keep in sync with build/ci.bazelrc sudo apt-get install -y -qq --no-install-recommends \ clang-19 \ lld-19 \ libunwind-19 \ libc++abi1-19 \ libc++1-19 \ libc++-19-dev \ libclang-rt-19-dev \ llvm-19 sudo ln -s /usr/bin/llvm-symbolizer-19 /usr/bin/llvm-symbolizer sudo ln -s /usr/bin/llvm-profdata-19 /usr/bin/llvm-profdata sudo ln -s /usr/bin/llvm-cov-19 /usr/bin/llvm-cov echo "build:linux --action_env=CC=/usr/lib/llvm-19/bin/clang" >> .bazelrc echo "build:linux --host_action_env=CC=/usr/lib/llvm-19/bin/clang" >> .bazelrc echo "build:linux --linkopt=--ld-path=/usr/lib/llvm-19/bin/ld.lld" >> .bazelrc echo "build:linux --host_linkopt=--ld-path=/usr/lib/llvm-19/bin/ld.lld" >> .bazelrc echo "build:linux --action_env=AR=/usr/lib/llvm-19/bin/llvm-ar" >> .bazelrc echo "build:linux --host_action_env=AR=/usr/lib/llvm-19/bin/llvm-ar" >> .bazelrc - name: Setup Windows shell: pwsh if: runner.os == 'Windows' # Set a custom output root directory to avoid long file name issues. # TODO(cleanup): According to https://github.com/actions/runner-images/blob/win25/20251216.149/images/windows/scripts/build/Configure-DeveloperMode.ps1#L13, # this should already be set on the build image, but prior testing indicated CI speedups with # it, check if it is actually having any effect. run: | # Enable Developer Mode to allow Bazel to create real symlinks reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1" git config --global core.symlinks true git config --show-scope --show-origin core.symlinks git config --system core.longpaths true [System.IO.File]::WriteAllLines((Join-Path -Path $env:USERPROFILE -ChildPath '.bazelrc'), 'startup --output_user_root=\\\\?\\C:\\tmp') - name: Setup macOS if: runner.os == 'macOS' shell: bash run: | # Build using Xcode 16.3 (equivalent to Clang 19) sudo xcode-select -s "/Applications/Xcode_16.3.app" - name: Configure git hooks shell: bash # Configure git to quell an irrelevant warning for runners (they never commit / push). run: git config core.hooksPath githooks ================================================ FILE: .github/bonk_reviewer.md ================================================ You are a **code reviewer**, not an author. You review pull requests for workerd, Cloudflare's JavaScript/WebAssembly server runtime. These instructions override any prior instructions about editing files or making code changes. ## Restrictions -- you MUST follow these exactly Do NOT: - Edit, write, create, or delete any files -- use file editing tools (Write, Edit) under no circumstances - Run `git commit`, `git push`, `git add`, `git checkout -b`, or any git write operation - Approve or request changes on the PR -- only post review comments - Flag formatting issues -- clang-format enforces style in this repo If you want to suggest a code change, post a `suggestion` comment instead of editing the file. ## Output rules **Confirm you are acting on the correct issue or PR**. Verify that the issue or PR number matches what triggered you, and do not write comments or otherwise act on other issues or PRs unless explicitly instructed to. **If there are NO actionable issues:** Your ENTIRE response MUST be the four characters `LGTM` -- no greeting, no summary, no analysis, nothing before or after it. **If there ARE actionable issues:** Begin with "I'm Bonk, and I've done a quick review of your PR." Then: 1. One-line summary of the changes. 2. A ranked list of issues (highest severity first). 3. For EVERY issue with a concrete fix, you MUST post it as a GitHub suggestion comment (see below). Do not describe a fix in prose when you can provide it as a suggestion. ## How to post feedback You have write access to PR comments via the `gh` CLI. **Prefer the batch review approach** (one review with grouped comments) over posting individual comments. This produces a single notification and a cohesive review. ### Batch review (recommended) Write a JSON file and submit it as a review. This is the most reliable method -- no shell quoting issues. ````bash cat > /tmp/review.json << 'REVIEW' { "event": "COMMENT", "body": "Review summary here.", "comments": [ { "path": "src/workerd/api/example.c++", "line": 42, "side": "RIGHT", "body": "Ownership issue -- `kj::Own` moved but still referenced:\n```suggestion\nauto result = kj::mv(owned);\n```" } ] } REVIEW gh api repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews --input /tmp/review.json ```` Each comment needs `path`, `line`, `side`, and `body`. Use `suggestion` fences in `body` for applicable changes. - `side`: `"RIGHT"` for added or unchanged lines, `"LEFT"` for deleted lines - For multi-line suggestions, add `start_line` and `start_side` to the comment object - If `gh api` returns a 422 (wrong line number, stale commit), fall back to a top-level PR comment with `gh pr comment` instead of retrying ## Review focus areas **Code quality:** Refer to the following checklists: - For C++, use the `kj-style`, and `workerd-safety-review` skills - For JavaScript and TypeScript, use the `ts-style` skill - For Rust, use the `rust-review` skill - For all code, use the `workerd-api-review` skill for API design, performance, security, and standards compliance - Review added or updated tests to ensure they cover the relevant code changes - Review code comments for clarity and accuracy **Backward compatibility:** workerd has a strong backward compat commitment. New behavior changes MUST be gated behind compatibility flags (see compatibility-date.capnp). Flag any ungated behavioral change as high severity. **Autogates:** Risky changes should use autogate flags (src/workerd/util/autogate.\*) for staged rollout. If a change looks risky and has no autogate, flag it. **Security:** This is a production runtime that executes untrusted code. Review for capability leaks, sandbox escapes, input validation gaps, and unsafe defaults. High severity. **Cap'n Proto schemas:** Check .capnp file changes for wire compatibility. Adding fields is fine; removing, renaming, or reordering fields breaks compatibility. **JSG bindings:** Changes in jsg/ must correctly bridge V8 and C++. Check type conversions, GC safety, and proper use of jsg:: macros. **Node.js compatibility (src/node/, src/workerd/api/node/):** Verify behavior matches Node.js. Check for missing error cases and edge cases in polyfills. **Build system:** Bazel BUILD file changes should have correct deps and visibility. ## What counts as actionable Logic bugs, security issues, backward compat violations, missing compat flags, memory safety problems, incorrect API behavior. Be pragmatic -- do not nitpick, do not flag subjective preferences. ================================================ FILE: .github/secret_scanning.yml ================================================ paths-ignore: - "src/workerd/api/node/crypto_keys-test.js" - "src/workerd/api/node/crypto_dh-test.js" - "src/workerd/jsg/url-test-corpus-success.h" - "src/workerd/api/node/tests/crypto_x509-test.js" - "src/workerd/api/node/tests/fixtures/dh_private.pem" - "src/workerd/api/node/tests/fixtures/dsa_private_pkcs8.pem" - "src/workerd/api/node/tests/fixtures/ed25519_private.pem" - "src/workerd/api/node/tests/fixtures/rsa_private_encrypted.pem" - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha1_sha1_20.pem" - "src/workerd/api/node/tests/fixtures/dsa_private_1025.pem" - "src/workerd/api/node/tests/fixtures/ec_p256_private.pem" - "src/workerd/api/node/tests/fixtures/ed448_private.pem" - "src/workerd/api/node/tests/fixtures/rsa_private.pem" - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha256_sha256_16.pem" - "src/workerd/api/node/tests/fixtures/dsa_private_encrypted_1025.pem" - "src/workerd/api/node/tests/fixtures/ec_p384_private.pem" - "src/workerd/api/node/tests/fixtures/rsa_private_2048.pem" - "src/workerd/api/node/tests/fixtures/rsa_private_pkcs8_bad.pem" - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048_sha512_sha256_20.pem" - "src/workerd/api/node/tests/fixtures/dsa_private_encrypted.pem" - "src/workerd/api/node/tests/fixtures/ec_p521_private.pem" - "src/workerd/api/node/tests/fixtures/rsa_private_4096.pem" - "src/workerd/api/node/tests/fixtures/rsa_private_pkcs8.pem" - "src/workerd/api/node/tests/fixtures/x25519_private.pem" - "src/workerd/api/node/tests/fixtures/dsa_private.pem" - "src/workerd/api/node/tests/fixtures/ec_secp256k1_private.pem" - "src/workerd/api/node/tests/fixtures/rsa_private_b.pem" - "src/workerd/api/node/tests/fixtures/rsa_pss_private_2048.pem" - "src/workerd/api/node/tests/fixtures/x448_private.pem" - "src/workerd/api/node/tests/fixtures/tls-nodejs-tcp-server.pem" - "src/workerd/api/tests/startls-server.pem" - "src/workerd/api/tests/starttls-nodejs-server.js" ================================================ FILE: .github/workflows/_bazel.yml ================================================ name: 'Run Bazel' on: workflow_call: inputs: image: type: string required: false default: 'ubuntu-22.04-16core' os_name: type: string required: false default: 'linux' arch_name: type: string required: false default: 'X64' phase: type: string required: false default: '' suffix: type: string required: false default: '' run_tests: type: boolean required: false default: true test_target: type: string required: false default: //... parse_headers: type: boolean required: false default: false extra_bazel_args: type: string required: false default: '' upload_binary: type: boolean required: false default: false upload_test_logs: type: boolean required: false default: false upload_types: type: boolean required: false default: false run_coverage: type: boolean required: false default: false fetch_depth: type: number required: false default: 1 macos_use_lld: type: boolean required: false default: false build_container_images: type: boolean required: false default: false secrets: BAZEL_CACHE_KEY: required: true WORKERS_MIRROR_URL: required: true CODECOV_TOKEN: required: false permissions: # Read repo contents: read # Read/write artifacts actions: write jobs: bazel: runs-on: ${{ inputs.image }} steps: - uses: actions/checkout@v6 with: show-progress: false fetch-depth: ${{ inputs.fetch_depth }} - name: Cache id: cache uses: actions/cache@v5 with: path: ~/bazel-disk-cache key: bazel-disk-cache${{ inputs.phase}}-${{ inputs.os_name }}-${{ runner.arch }}${{ inputs.suffix }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }} # Intentionally not reusing an older cache entry using a key prefix, bazel frequently # ends up with a larger cache at the end when starting with an available cache entry, # resulting in a snowballing cache size and cache download/upload times. - name: Setup Runner uses: ./.github/actions/setup-runner - name: Setup lld on macOS if: runner.os == 'macOS' && inputs.macos_use_lld run: | # Install lld and link it to /usr/local/bin. We overwrite any existing link, which may # exist from an older pre-installed LLVM version on the runner image. brew update brew install lld sudo ln -s -f $(brew --prefix lld)/bin/ld64.lld /usr/local/bin/ld64.lld # Enable lld identical code folding to significantly reduce binary size. echo "build:macos --config=macos_lld_icf" >> .bazelrc - name: Configure download mirrors shell: bash run: | if [ ! -z "${{ secrets.WORKERS_MIRROR_URL }}" ] ; then # Strip comment in front of WORKERS_MIRROR_URL, then substitute secret to use it. sed -e '/WORKERS_MIRROR_URL/ { s@# *@@; s@WORKERS_MIRROR_URL@${{ secrets.WORKERS_MIRROR_URL }}@; }' -i.bak build/deps/nodejs.MODULE.bazel fi - name: Bazel build (Windows workaround) if: runner.os == 'Windows' # HACK: Work around Bazel Windows bug: Some targets need to be compiled without symlink # support. Since we still need symlinks to compile C++ code properly, compile these targets # separately. run: | bazel --nowindows_enable_symlinks build ${{ inputs.extra_bazel_args }} --config=ci --profile build-win-workaround.bazel-profile.gz --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev //src/wpt:wpt-all@tsproject //src/node:node@tsproject //src/pyodide:pyodide_static@tsproject - name: Bazel build run: | bazel build --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} //... - name: Configure Docker daemon for IPv6 if: inputs.build_container_images run: | sudo mkdir -p /etc/docker echo '{"ipv6": true, "fixed-cidr-v6": "fd00::/80"}' | sudo tee /etc/docker/daemon.json sudo systemctl restart docker - name: Build and load container images if: inputs.build_container_images run: | docker context use default echo "Docker info:" docker info echo "Docker version:" docker version bazel run --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} //images:load_all - name: Bazel test if: inputs.run_tests run: | bazel test --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} ${{ inputs.test_target }} - name: Bazel coverage if: inputs.run_coverage run: | bazel coverage --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} ${{ inputs.test_target }} - name: Upload coverage to Codecov if: inputs.run_coverage uses: codecov/codecov-action@v5 with: # Use bazel info to get the actual output path, avoiding symlink issues files: ${{ github.workspace }}/bazel-out/_coverage/_coverage_report.dat fail_ci_if_error: true verbose: true disable_search: true root_dir: ${{ github.workspace }} env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - name: Parse headers # TODO(cleanup): Bazel does not allow for only parsing headers in non-recursive targets, so # we can't widely enable header parsing for now (dependencies like V8 do not specify # dependencies of header targets properly). if: inputs.parse_headers run: | bazel build --config=parse_headers --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci ${{ inputs.extra_bazel_args }} //src/workerd/util - name: Upload test logs if: always() && inputs.upload_test_logs uses: actions/upload-artifact@v7 with: name: test-logs-${{ inputs.os_name }}-${{ inputs.arch_name }}${{ inputs.suffix }}.zip path: bazel-testlogs/**/test.xml - name: Report disk usage (in MB) if: always() && runner.os != 'Windows' shell: bash run: | BAZEL_OUTPUT_BASE=$(bazel info output_base) BAZEL_REPOSITORY_CACHE=$(bazel info repository_cache) echo "Bazel cache usage statistics" du -ms -t 1 ~/bazel-disk-cache/* $BAZEL_REPOSITORY_CACHE echo "Bazel output usage statistics" du -ms -t 1 $BAZEL_OUTPUT_BASE echo "Workspace usage statistics" du -ms -t 1 $GITHUB_WORKSPACE - name: Report disk usage (in MB) if: always() && runner.os == 'Windows' shell: pwsh run: | function Get-SizeMB($path) { if (Test-Path $path) { $size = (Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object -Property Length -Sum -ErrorAction SilentlyContinue).Sum [math]::Round($size / 1MB) } else { 0 } } $outputBase = bazel info output_base 2>$null $repoCache = bazel info repository_cache 2>$null echo "Bazel cache usage statistics" echo "$(Get-SizeMB $env:USERPROFILE\bazel-disk-cache)`t$env:USERPROFILE\bazel-disk-cache" echo "$(Get-SizeMB $repoCache)`t$repoCache" echo "Bazel output usage statistics" echo "$(Get-SizeMB $outputBase)`t$outputBase" echo "Workspace usage statistics" echo "$(Get-SizeMB $env:GITHUB_WORKSPACE)`t$env:GITHUB_WORKSPACE" - name: Upload binary if: inputs.upload_binary uses: actions/upload-artifact@v7 with: name: ${{ inputs.os_name }}-${{ inputs.arch_name }}${{ inputs.suffix }}-binary path: bazel-bin/src/workerd/server/workerd${{ runner.os == 'Windows' && '.exe' || '' }} if-no-files-found: error - name: Upload build statistics if: always() && inputs.run_tests uses: actions/upload-artifact@v7 with: name: ${{ inputs.os_name }}${{ inputs.arch_name }}${{ inputs.suffix }}-bazel-profile path: '*.bazel-profile.gz' - name: Drop large Bazel cache files if: always() # Github has a nominal 10GB of storage for all cached builds associated with a project. # Drop large files (>100MB) in our cache to improve shared build cache efficiency. This is # particularly helpful for asan and debug builds that produce larger executables. Also # the process of saving the Bazel disk cache generates a tarball on the runners disk, and # it is possible to run out of storage in that process (does not fail the workflow). shell: bash run: | if [ -d ~/bazel-disk-cache ]; then find ~/bazel-disk-cache -size +100M -type f -exec rm {} \; echo "Trimmed Bazel cache usage statistics" du -ms -t 1 ~/bazel-disk-cache/* else echo "Disk cache does not exist: ~/bazel-disk-cache" fi - name: Bazel shutdown if: always() # Check that there are no .bazelrc issues that prevent shutdown. run: bazel shutdown ================================================ FILE: .github/workflows/_wpt.yml ================================================ name: 'WPT Report' on: workflow_call: inputs: image: description: 'Runner image to use' required: true type: string logs_artifact: description: 'Name of artifact containing test logs' required: true type: string report_artifact: description: 'Name of artifact to use for WPT report JSON file' required: true type: string permissions: # Read repo contents: read # Read/write artifacts actions: write jobs: wpt-report: runs-on: ${{ inputs.image }} steps: - uses: actions/checkout@v6 - name: Download test logs uses: actions/download-artifact@v8 continue-on-error: true with: name: ${{ inputs.logs_artifact }} path: testlogs - name: Generate WPT report and stats run: ./tools/cross/wpt_logs.py --print-stats --write-report=wpt-report.json testlogs/ >> $GITHUB_STEP_SUMMARY - name: Upload WPT report uses: actions/upload-artifact@v7 with: name: ${{ inputs.report_artifact }} path: wpt-report.json ================================================ FILE: .github/workflows/bigbonk.yml ================================================ name: Bonk on: issue_comment: types: [created] pull_request_review_comment: types: [created] pull_request_review: types: [submitted] concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }} cancel-in-progress: false jobs: bonk: if: github.event.sender.type != 'Bot' && contains(github.event.comment.body, '/bigbonk') runs-on: ubuntu-latest timeout-minutes: 30 permissions: id-token: write contents: write issues: write pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v6 with: fetch-depth: 1 - name: Run Bonk uses: ask-bonk/ask-bonk/github@main env: CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }} CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }} CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }} with: model: 'cloudflare-ai-gateway/anthropic/claude-opus-4-6' mentions: '/bigbonk' variant: 'max' permissions: write opencode_version: '1.2.27' # token_permissions defaults to WRITE (i.e. Bonk can push commits). # We intentionally leave it that way here because users may ask Bonk # to update their PR via /bigbonk. ================================================ FILE: .github/workflows/bonk.yml ================================================ name: Bonk on: issue_comment: types: [created] pull_request_review_comment: types: [created] pull_request_review: types: [submitted] concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.issue.number || github.ref }} cancel-in-progress: false jobs: bonk: if: github.event.sender.type != 'Bot' && (contains(github.event.comment.body, '/bonk') || contains(github.event.comment.body, '@ask-bonk')) runs-on: ubuntu-latest timeout-minutes: 30 permissions: id-token: write contents: write issues: write pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v6 with: fetch-depth: 1 - name: Run Bonk uses: ask-bonk/ask-bonk/github@main env: CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }} CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }} CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }} with: model: 'cloudflare-ai-gateway/anthropic/claude-opus-4-6' mentions: '/bonk,@ask-bonk' permissions: write opencode_version: '1.2.27' # token_permissions defaults to WRITE (i.e. Bonk can push commits). # We intentionally leave it that way here because users may ask Bonk # to update their PR via /bonk. ================================================ FILE: .github/workflows/cla.yml ================================================ name: "CLA Assistant" on: issue_comment: types: [created] pull_request_target: types: [opened,synchronize] merge_group: jobs: CLAssistant: runs-on: ubuntu-latest steps: - name: "CLA Assistant" if: (github.event.issue.pull_request && (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@v2.6.1 env: # CLA Action uses this in-built GitHub token to make the API calls for interacting with GitHub. # It is built into Github Actions and does not need to be manually specified in your secrets store. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # The below token should have repo scope and must be manually added by you in the repository's secret PERSONAL_ACCESS_TOKEN : ${{ secrets.CLA_PERSONAL_ACCESS_TOKEN }} with: path-to-signatures: 'signatures/version1/cla.json' path-to-document: 'https://www.cloudflare.com/cla/' # branch should not be protected branch: 'cla-signatures' allowlist: dependabot[bot],workers-devprod lock-pullrequest-aftermerge: false ================================================ FILE: .github/workflows/codspeed.yml ================================================ name: CodSpeed on: pull_request: paths-ignore: - 'docs/**' - 'justfile' - '.devcontainer' - '**/*.md' - '.gitignore' merge_group: push: branches: - main concurrency: group: codspeed.yml-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true permissions: # Write cache contents: write jobs: benchmarks: name: Run benchmarks runs-on: ubuntu-22.04-16core env: BAZEL_ARGS: --config=benchmark --@google_benchmark//:codspeed_mode=simulation --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev steps: - uses: actions/checkout@v6 with: show-progress: false - name: Cache id: cache uses: actions/cache@v5 with: path: ~/bazel-disk-cache key: bazel-disk-cache-benchmarks-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }} - name: Setup Runner uses: ./.github/actions/setup-runner - name: Build benchmarks run: | bazel build ${{ env.BAZEL_ARGS }} --build_tag_filters=google_benchmark //... @capnp-cpp//... - name: Generate benchmark script run: | echo '#!/bin/bash' > run_benchmarks.sh echo 'set -ex' >> run_benchmarks.sh targets=$(bazel query 'attr(tags, "[\[ ]google_benchmark[,\]]", //... + @capnp-cpp//...) except attr(tags, "[\[ ]manual[,\]]", //...)' --output=label 2>/dev/null) for target in $targets; do echo "echo 'Running benchmark: $target'" >> run_benchmarks.sh echo "bazel run ${{ env.BAZEL_ARGS }} $target -- --benchmark_min_time=1s" >> run_benchmarks.sh done chmod +x run_benchmarks.sh - name: Run benchmarks uses: CodSpeedHQ/action@v4 with: mode: simulation run: ./run_benchmarks.sh - name: Bazel shutdown run: bazel shutdown ================================================ FILE: .github/workflows/coverage.yml ================================================ name: Coverage on: pull_request: merge_group: push: branches: - main concurrency: group: coverage.yml-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true permissions: # Read repo contents: read # Read/write artifacts actions: write jobs: coverage-linux: uses: ./.github/workflows/_bazel.yml with: image: ubuntu-22.04-16core os_name: linux arch_name: 'X64' suffix: 'coverage' # Don't use ci-test here because it enables --remote_download_minimal which prevents # coverage data from being fetched from cache. The coverage config already sets # --test_env=CI=true and --config=wpt-test which are the relevant parts of ci-test. # Use ci-linux-common instead of ci-linux to avoid overriding coverage test_tag_filters # (ci-linux sets test_tag_filters that would include container tests which require docker) extra_bazel_args: '--config=ci-linux-common --config=ci-limit-storage --config=coverage --test_env=CI=true --config=wpt-test' upload_test_logs: true upload_binary: false build_container_images: false run_coverage: true run_tests: false secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} ================================================ FILE: .github/workflows/daily-release.yml ================================================ name: Daily Release on: schedule: # Run at 00:30 UTC every day - cron: '30 0 * * *' # Allow manual triggering for testing workflow_dispatch: jobs: update-compatibility-date: runs-on: ubuntu-latest permissions: contents: write steps: - name: Checkout code uses: actions/checkout@v6 with: token: ${{ secrets.DEVPROD_PAT }} ref: main - name: Get current date id: date run: | echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT echo "max_date=$(date -d '+7 days' +'%Y-%m-%d')" >> $GITHUB_OUTPUT - name: Update compatibility dates run: | echo "${{ steps.date.outputs.date }}" > src/workerd/io/release-version.txt echo "${{ steps.date.outputs.max_date }}" > src/workerd/io/maximum-compatibility-date.txt - name: Check for changes id: git-check run: | if [[ $(git status --porcelain src/workerd/io/release-version.txt src/workerd/io/maximum-compatibility-date.txt) ]]; then echo "changed=true" >> $GITHUB_OUTPUT else echo "changed=false" >> $GITHUB_OUTPUT fi echo "last_email=$(git show --format="%ae" -s)" >> $GITHUB_OUTPUT # Publish new version if compatibility-date changed and last commit wasn't a daily release # already. - name: Commit and push change if: steps.git-check.outputs.changed == 'true' && steps.git-check.outputs.last_email != 'workers-devprod@cloudflare.com' run: | git config user.email "workers-devprod@cloudflare.com" git config user.name "Workers DevProd" git add src/workerd/io/release-version.txt src/workerd/io/maximum-compatibility-date.txt git commit -m "Release ${{ steps.date.outputs.date }}" git push ================================================ FILE: .github/workflows/deps-updater.yml ================================================ name: Dependency updater on: schedule: # Run at 18:30 UTC every Monday - cron: '30 18 * * 1' # Allow manual triggering for testing workflow_dispatch: concurrency: group: deps-updater cancel-in-progress: true permissions: contents: read jobs: issue: runs-on: ubuntu-latest permissions: contents: write pull-requests: write steps: - uses: actions/checkout@v6 with: show-progress: false token: ${{ secrets.DEVPROD_PAT }} ref: main - name: Update dependencies run: build/deps/update-deps.py env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Update rust dependencies run: bazel run //deps/rust:crates_vendor -- --repin full - name: Update opencode version run: python3 tools/update_opencode_version.py continue-on-error: true - name: Reformat changed files run: ./tools/cross/format.py git - name: Open pull request id: create-pr uses: peter-evans/create-pull-request@v8 with: commit-message: "update dependencies to latest version" branch: "automatic-update-deps" title: "Update dependencies" token: ${{ secrets.DEVPROD_PAT }} author: "Workers DevProd " committer: "Workers DevProd " body: | This is an automated pull request for updating the dependencies of workerd. delete-branch: true - name: Enable Pull Request Automerge run: gh pr merge --rebase --auto ${{ steps.create-pr.outputs.pull-request-number }} env: GH_TOKEN: ${{ secrets.DEVPROD_PAT }} ================================================ FILE: .github/workflows/experimental-workflow.yml ================================================ name: Experimental Workflow on: workflow_dispatch: # You can modify this workflow in order to verify your changes to Github Actions on a branch. # DO NOT MERGE THESE CHANGES TO MAIN # This workflow exists to work around a limitation in Github Actions. You can only use # workflow_dispatch on files that exist in main. However, once the file exists, you can dispatch to # your branch and make sure changes work. permissions: contents: none jobs: experiment: runs-on: ubuntu-22.04 steps: - name: Hello World shell: bash run: echo Hello World ================================================ FILE: .github/workflows/fixup.yml ================================================ name: "Just say no to fixup commits" on: workflow_call: jobs: block-fixup: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Block Fixup Commit Merge uses: 13rac1/block-fixup-merge-action@v2.0.0 ================================================ FILE: .github/workflows/internal-build.yml ================================================ name: Run internal build on: pull_request_target: # Read-only permissions are enough permissions: read-all concurrency: # Cancel existing builds for the same PR. # Otherwise, all other builds will be allowed to run through. group: internal-build-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true jobs: internal-build: runs-on: ubuntu-latest steps: # Check if this is a fork and if the author is a Cloudflare org member - name: Check fork status and org membership if: github.event.pull_request.head.repo.fork env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} AUTHOR: ${{ github.event.pull_request.user.login }} run: | echo "Fork detected. Checking if $AUTHOR is a Cloudflare org member..." if gh api orgs/cloudflare/members/$AUTHOR --silent 2>/dev/null; then echo "✓ Cloudflare org member confirmed" else echo "✗ Not a Cloudflare org public member" echo "" echo "This workflow only runs for forks from Cloudflare organization public members." echo "If you're an external contributor, please ask the auto-assigned reviewers" echo "to run the internal build workflow on your behalf." exit 1 fi # Try to checkout the merge commit - will fail if PR isn't mergeable - uses: actions/checkout@v4 id: checkout_merge continue-on-error: true with: ref: refs/pull/${{ github.event.pull_request.number }}/merge show-progress: false # Fail the workflow if checkout failed (PR isn't mergeable) - name: Fail if PR isn't mergeable if: steps.checkout_merge.outcome != 'success' run: | echo "The pull request is not mergeable. Please rebase and resolve any conflicts." exit 1 - name: Get merge commit SHA id: get_sha run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - name: Run internal build env: CI_URL: ${{ secrets.CI_URL }} CI_CLIENT_ID: ${{ secrets.CI_CF_ACCESS_CLIENT_ID }} CI_CLIENT_SECRET: ${{ secrets.CI_CF_ACCESS_CLIENT_SECRET }} HEAD_REF: ${{ github.event.pull_request.head.ref }} USER_LOGIN: ${{ github.event.pull_request.user.login }} run: | # Format ref based on whether this is a fork if [ "${{ github.event.pull_request.head.repo.fork }}" = "true" ]; then REF="$USER_LOGIN/$HEAD_REF" else REF="$HEAD_REF" fi python3 -u ./tools/cross/internal_build.py \ ${{github.event.pull_request.number}} \ ${{steps.get_sha.outputs.sha}} \ ${{github.event.pull_request.head.sha}} \ ${{github.run_attempt}} \ "$REF" \ $CI_URL \ $CI_CLIENT_ID \ $CI_CLIENT_SECRET ================================================ FILE: .github/workflows/issues.yml ================================================ name: Issue on: issues: types: [opened, labeled, transferred] jobs: add-to-project: name: Add issue to GH project runs-on: ubuntu-latest steps: - uses: actions/add-to-project@v1.0.2 with: project-url: https://github.com/orgs/cloudflare/projects/1 github-token: ${{ secrets.DEVPROD_PAT }} labeled: types ================================================ FILE: .github/workflows/labels.yml ================================================ # Based on https://www.neilmacy.co.uk/blog/github-action-to-block-merging name: "Internal PR Required" on: workflow_call: pull_request: types: [labeled, unlabeled] jobs: InternalPRRequired: runs-on: ubuntu-latest steps: - name: Check for label if: contains(github.event.*.labels.*.name, 'needs-internal-pr') run: | echo "Pull request is labeled as 'needs-internal-pr'" echo "This workflow fails so the pull request cannot be merged" exit 1 ================================================ FILE: .github/workflows/lint.yml ================================================ name: Lint on: pull_request: merge_group: push: branches: - main concurrency: # Cancel existing builds for the same PR. # Otherwise, all other builds will be allowed to run through. group: lint.yml-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true jobs: lint: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v6 with: show-progress: false - name: Configure git hooks # Configure git to quell an irrelevant warning for runners (they never commit / push). run: git config core.hooksPath githooks - name: Lint run: | bazel info output_base # Ensure bazel is initialized before proceeding python3 ./tools/cross/format.py --check ================================================ FILE: .github/workflows/new-pr-review.yml ================================================ name: New PR Review on: pull_request: types: [opened] jobs: review: if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name runs-on: ubuntu-latest timeout-minutes: 30 concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: false permissions: id-token: write contents: read issues: write pull-requests: write steps: - name: Checkout repository uses: actions/checkout@v6 with: fetch-depth: 30 # Fetch some history; not all of it - name: Load review prompt id: prompt run: | { echo 'value<> "$GITHUB_OUTPUT" - name: Run Bonk uses: ask-bonk/ask-bonk/github@main env: CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_AI_GATEWAY_ACCOUNT_ID }} CLOUDFLARE_GATEWAY_ID: ${{ secrets.CF_AI_GATEWAY_NAME }} CLOUDFLARE_API_TOKEN: ${{ secrets.CF_AI_GATEWAY_TOKEN }} with: model: 'cloudflare-ai-gateway/anthropic/claude-opus-4-6' forks: 'false' permissions: write opencode_version: '1.2.27' # The auto-reviewer must never push to PR branches. Its prompt # (bonk_reviewer.md) already forbids git write ops, but NO_PUSH # enforces that at the token level so it holds even if the model # ignores the instruction. token_permissions: 'NO_PUSH' prompt: ${{ steps.prompt.outputs.value }} ================================================ FILE: .github/workflows/release-python-runtime.yml ================================================ name: Build Python Runtime on: workflow_dispatch: inputs: update-released: description: 'Update already released versions?' required: false default: false type: boolean jobs: build: runs-on: ubuntu-22.04 name: build Python runtime steps: - uses: actions/checkout@v6 with: show-progress: false - uses: actions/setup-python@v6 with: python-version: '3.13' - name: Setup Runner uses: ./.github/actions/setup-runner - name: Configure download mirrors shell: bash run: | if [ ! -z "${{ secrets.WORKERS_MIRROR_URL }}" ] ; then # Strip comment in front of WORKERS_MIRROR_URL, then substitute secret to use it. sed -e '/WORKERS_MIRROR_URL/ { s@# *@@; s@WORKERS_MIRROR_URL@${{ secrets.WORKERS_MIRROR_URL }}@; }' -i.bak build/deps/nodejs.MODULE.bazel fi - name: Build and upload Pyodide capnproto bundle env: R2_ACCOUNT_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCOUNT_ID }} R2_ACCESS_KEY_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCESS_KEY_ID }} R2_SECRET_ACCESS_KEY: ${{ secrets.PYODIDE_CAPNP_R2_SECRET_ACCESS_KEY }} run: | bazel build @workerd//src/pyodide:python_bundles @workerd//src/pyodide:bundle_version_info --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev # boto3 v1.36.0 fails with: # NotImplemented error occurred in CreateMultipartUpload operation: Header 'x-amz-checksum-algorithm' with value 'CRC32' not implemented pip install 'boto3<1.36.0' requests python3 src/pyodide/upload_bundles.py ${{ inputs.update-released == true && '--update-released' || '' }} - name: Check for open PR and commit changes env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # Commit changes to python_metadata.bzl and push to branch # Configure git git config --local user.email "action@github.com" git config --local user.name "release-python-runtime.yml GitHub Action" # Get current branch name BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD) echo "Current branch: $BRANCH_NAME" # Check if there are changes to python_metadata.bzl if git diff --quiet build/python_metadata.bzl; then echo "No changes to python_metadata.bzl" exit 0 fi echo "Changes detected in python_metadata.bzl" # Check if there's an open PR for this branch PR_COUNT=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq length) if [ "$PR_COUNT" -eq 0 ]; then echo "No open PR found for branch $BRANCH_NAME, skipping commit" exit 0 fi echo "Found open PR for branch $BRANCH_NAME" # Commit and push the changes git add build/python_metadata.bzl build/deps/python.MODULE.bazel git commit --fixup HEAD -m "Update python_metadata.bzl with new bundle info This commit updates the backport and integrity values in python_metadata.bzl based on the latest Pyodide bundle upload. 🤖 Generated automatically by release-python-runtime workflow" # --no-verify because 'git merge-base origin/main HEAD' fails in pre-commit. # There shouldn't be formatting errors anyways and if there are CI will catch it. git push origin "$BRANCH_NAME" --no-verify echo "Changes committed and pushed to $BRANCH_NAME" ================================================ FILE: .github/workflows/release-python-snapshots.yml ================================================ name: Make Python Snapshots on: workflow_dispatch: inputs: update-released: description: 'Update already released versions?' required: false default: false type: boolean jobs: build-linux: uses: ./.github/workflows/_bazel.yml with: image: ubuntu-22.04 os_name: linux arch_name: 'X64' suffix: '' run_tests: false extra_bazel_args: '--config=ci-linux --config=ci-test' upload_binary: true secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} build: needs: [build-linux] runs-on: ubuntu-22.04 name: Build and upload Python memory snapshots steps: - uses: actions/checkout@v6 with: show-progress: false - uses: actions/setup-python@v6 with: python-version: '3.13' - name: Setup Runner uses: ./.github/actions/setup-runner - name: Download workerd binary uses: actions/download-artifact@v8 with: name: linux-X64-binary path: /tmp - name: Make workerd binary executable run: chmod +x /tmp/workerd - name: Build and upload Python memory snapshots env: R2_ACCOUNT_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCOUNT_ID }} R2_ACCESS_KEY_ID: ${{ secrets.PYODIDE_CAPNP_R2_ACCESS_KEY_ID }} R2_SECRET_ACCESS_KEY: ${{ secrets.PYODIDE_CAPNP_R2_SECRET_ACCESS_KEY }} WORKERD_BINARY: "/tmp/workerd" run: | bazel build @workerd//src/pyodide:bundle_version_info # boto3 v1.36.0 fails with: # NotImplemented error occurred in CreateMultipartUpload operation: Header 'x-amz-checksum-algorithm' with value 'CRC32' not implemented pip install 'boto3<1.36.0' requests python3 src/pyodide/make_snapshots.py ${{ inputs.update-released == true && '--update-released' || '' }} - name: Check for open PR and commit changes env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # Commit changes to python_metadata.bzl and push to branch # Configure git git config --local user.email "action@github.com" git config --local user.name "release-python-snapshots.yml GitHub Action" # Get current branch name BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD) echo "Current branch: $BRANCH_NAME" # Check if there are changes to python_metadata.bzl if git diff --quiet build/python_metadata.bzl; then echo "No changes to python_metadata.bzl" exit 0 fi echo "Changes detected in python_metadata.bzl" # Check if there's an open PR for this branch PR_COUNT=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq length) if [ "$PR_COUNT" -eq 0 ]; then echo "No open PR found for branch $BRANCH_NAME, skipping commit" exit 0 fi echo "Found open PR for branch $BRANCH_NAME" # Commit and push the changes git add build/python_metadata.bzl git commit --fixup HEAD -m "Update python_metadata.bzl with new snapshot info This commit updates the snapshot values in python_metadata.bzl based on the latest snapshot uploads. 🤖 Generated automatically by release-python-snapshots workflow" # --no-verify because 'git merge-base origin/main HEAD' fails in pre-commit. # There shouldn't be formatting errors anyways and if there are CI will catch it. git push origin "$BRANCH_NAME" --no-verify echo "Changes committed and pushed to $BRANCH_NAME" ================================================ FILE: .github/workflows/release.yml ================================================ name: Build & Release on: push: branches: - main workflow_dispatch: inputs: patch: description: 'Patch Version' required: true default: '0' prerelease: description: 'Is Prerelease' type: boolean default: false permissions: id-token: write contents: write actions: write jobs: version: outputs: date: ${{ steps.echo.outputs.date }} version: ${{ steps.echo.outputs.version }} types_version: ${{ steps.echo.outputs.types_version }} # version job uses ubuntu 24.04, this way we don't have to install the updated clang while # the build job uses 22.04 for libc compatibility. runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v6 - id: echo run: | echo "date=$(cat src/workerd/io/release-version.txt)" >> $GITHUB_OUTPUT; echo "version=${{ (github.event_name != 'push' && inputs.prerelease == true) && '0' || '1'}}.$(cat src/workerd/io/release-version.txt | tr -d '-').${{ github.event_name == 'push' && '1' || inputs.patch }}" >> $GITHUB_OUTPUT; echo "types_version=${{ (github.event_name != 'push' && inputs.prerelease == true) && '0' || '4'}}.$(cat src/workerd/io/release-version.txt | tr -d '-').${{ github.event_name == 'push' && '1' || inputs.patch }}" >> $GITHUB_OUTPUT; check-tag: name: Check tag is new outputs: exists: ${{ steps.check_tag.outputs.exists }} needs: [version] runs-on: ubuntu-latest steps: - name: Checkout Repo uses: actions/checkout@v6 with: fetch-depth: 0 - uses: mukunku/tag-exists-action@v1.7.0 id: check_tag with: tag: v${{ needs.version.outputs.version }} tag-and-release: name: Tag & Release outputs: upload_url: ${{ steps.create_release.outputs.upload_url }} needs: [check-tag, version] runs-on: ubuntu-latest if: ${{ needs.check-tag.outputs.exists != 'true' }} steps: - name: Checkout Repo uses: actions/checkout@v6 with: fetch-depth: 0 - run: git tag v${{ needs.version.outputs.version }} && git push origin v${{ needs.version.outputs.version }} - uses: ncipollo/release-action@v1 id: create_release with: generateReleaseNotes: true token: ${{ secrets.GITHUB_TOKEN }} tag: v${{ needs.version.outputs.version }} build: strategy: matrix: include: - title: linux os-name: Linux image: ubuntu-22.04-16core bazel-config: release_linux target-arch: X64 - title: linux-arm64 os-name: Linux image: ubuntu-22.04-arm-16core bazel-config: release_linux target-arch: ARM64 # Based on runner availability, we build both Apple Silicon and (cross-compiled) x86 # release binaries on the macos-15-xlarge runner. - title: macOS-x64 os-name: macOS # This configuration is used for cross-compiling – macos-15-xlarge is Apple Silicon-based but # we use it to compile the x64 release. image: macos-15-xlarge bazel-config: release_macos_cross_x86_64 target-arch: X64 - title: macOS-arm64 os-name: macOS image: macos-15-xlarge bazel-config: release_macos target-arch: ARM64 - title: windows os-name: Windows image: windows-2025-16core bazel-config: release_windows target-arch: X64 name: build (${{ matrix.title }}) uses: './.github/workflows/_bazel.yml' with: image: ${{ matrix.image }} os_name: ${{ matrix.os-name }} phase: '-release' extra_bazel_args: '--strip=always --config=${{matrix.bazel-config}} --config=ci-release --config=wpt-report --config=wpt-test' arch_name: ${{ matrix.target-arch }} upload_binary: true macos_use_lld: true # On release, generate a full WPT report... run_tests: true upload_test_logs: true test_target: //src/wpt/... secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} upload-artifacts: name: Upload Artifacts needs: [version, tag-and-release, build] runs-on: ubuntu-latest strategy: matrix: arch: [linux-64, darwin-64, windows-64] # This variable itself is unused, but allows us to set up two macOS builds. arm64 builds for # other platforms will be supported later, then we'll list both architectures here. cpu: [X64] include: - arch: linux-64 name: Linux-X64 - arch: linux-arm64 name: Linux-ARM64 cpu: ARM64 - arch: darwin-64 name: macOS-X64 - arch: darwin-arm64 name: macOS-ARM64 cpu: ARM64 - arch: windows-64 name: Windows-X64 steps: - name: Checkout Repo uses: actions/checkout@v6 with: fetch-depth: 0 - name: Download ${{ matrix.name }} uses: actions/download-artifact@v8 with: name: ${{ matrix.name }}-binary path: /tmp # Set execute permissions before compressing the binary - if: matrix.arch != 'windows-64' run: chmod +x /tmp/workerd - name: Compress release binary run: | # As of release v1.20230404.0 the Linux x64 binary after debug_strip is 65.8 MB, # 21.0 MB with gzip and 17.3 MB with brotli -9. Use gzip as a widely supported format # which still produces an acceptable compressed size. gzip -9N -k /tmp/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }} - run: mv /tmp/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }}.gz /tmp/workerd-${{ matrix.arch }}.gz # Upload compressed release binaries – one set of artifacts is sufficient with gzip being # widely supported - name: Upload Release Assets id: upload-release-asset uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.tag-and-release.outputs.upload_url }} asset_path: /tmp/workerd-${{ matrix.arch }}.gz asset_name: workerd-${{ matrix.arch }}.gz asset_content_type: application/gzip # Upload release to npm - name: Use Node uses: actions/setup-node@v6 with: node-version: 24 - name: Modify package.json version run: node npm/scripts/bump-version.mjs npm/workerd-${{ matrix.arch }}/package.json env: WORKERD_VERSION: ${{ needs.version.outputs.version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - run: mkdir npm/workerd-${{ matrix.arch }}/bin - run: cp /tmp/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }} npm/workerd-${{ matrix.arch }}/bin/workerd${{ matrix.arch == 'windows-64' && '.exe' || '' }} - run: echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > npm/workerd-${{ matrix.arch }}/.npmrc - run: cd npm/workerd-${{ matrix.arch }} && npm publish --access public --tag ${{ startsWith(needs.version.outputs.version, '0') && 'beta' || 'latest'}} env: NPM_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }} miniflare-test: name: Run Miniflare tests needs: [build] runs-on: ubuntu-latest steps: - name: Checkout workers-sdk uses: actions/checkout@v6 with: repository: cloudflare/workers-sdk - name: Install pnpm uses: pnpm/action-setup@v4 - name: Use Node.js uses: actions/setup-node@v6 with: node-version: lts/* cache: 'pnpm' - name: Install workers-sdk dependencies run: pnpm install - name: Download workerd binary uses: actions/download-artifact@v8 with: name: Linux-X64-binary path: /tmp - name: Make workerd binary executable run: chmod +x /tmp/workerd - name: Build Miniflare and dependencies run: pnpm turbo build --filter miniflare - name: Run Miniflare tests run: pnpm --filter miniflare test env: MINIFLARE_WORKERD_PATH: /tmp/workerd publish-wrapper: name: Publish `workerd` to NPM needs: [version, upload-artifacts] runs-on: ubuntu-22.04-16core steps: - name: Checkout Repo uses: actions/checkout@v6 with: fetch-depth: 0 - name: Use Node uses: actions/setup-node@v6 with: node-version: 24 - name: Cache id: cache uses: actions/cache@v5 # Use same cache and build configuration as release build, this allows us to keep download # sizes small and generate types with optimization enabled, should be slightly faster. with: path: ~/bazel-disk-cache key: bazel-disk-cache-release-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }} - name: Setup Runner uses: ./.github/actions/setup-runner - name: Build type generating Worker run: | bazel build --strip=always --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci --config=release_linux //types:types_worker - name: Modify package.json version run: node npm/scripts/bump-version.mjs npm/workerd/package.json env: WORKERD_VERSION: ${{ needs.version.outputs.version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - run: mkdir -p npm/workerd/lib - run: mkdir -p npm/workerd/bin - name: Build node-install run: npx esbuild npm/lib/node-install.ts --outfile=npm/workerd/install.js --bundle --target=node22 --define:LATEST_COMPATIBILITY_DATE="\"${LATEST_COMPATIBILITY_DATE}\"" --define:WORKERD_VERSION="\"${WORKERD_VERSION}\"" --platform=node --external:workerd --log-level=warning env: WORKERD_VERSION: ${{ needs.version.outputs.version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - name: Build node-shim run: npx esbuild npm/lib/node-shim.ts --outfile=npm/workerd/bin/workerd --bundle --target=node22 --define:LATEST_COMPATIBILITY_DATE="\"${LATEST_COMPATIBILITY_DATE}\"" --define:WORKERD_VERSION="\"${WORKERD_VERSION}\"" --platform=node --external:workerd --log-level=warning env: WORKERD_VERSION: ${{ needs.version.outputs.version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - name: Build node-path run: npx esbuild npm/lib/node-path.ts --outfile=npm/workerd/lib/main.js --bundle --target=node22 --define:LATEST_COMPATIBILITY_DATE="\"${LATEST_COMPATIBILITY_DATE}\"" --define:WORKERD_VERSION="\"${WORKERD_VERSION}\"" --platform=node --external:workerd --log-level=warning env: WORKERD_VERSION: ${{ needs.version.outputs.version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - name: Build package run: node npm/scripts/build-shim-package.mjs env: WORKERD_VERSION: ${{ needs.version.outputs.version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - run: echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > npm/workerd/.npmrc - run: cd npm/workerd && npm publish --access public --tag ${{ startsWith(needs.version.outputs.version, '0') && 'beta' || 'latest'}} build-and-publish-types: runs-on: ubuntu-22.04-16core needs: [version, upload-artifacts] steps: - uses: actions/checkout@v6 with: show-progress: false - name: Use Node uses: actions/setup-node@v6 with: node-version: 24 # needed for a version of npm that supports "trusted publishing". - name: Cache id: cache uses: actions/cache@v5 # Use same cache and build configuration as release build, this allows us to keep download # sizes small and generate types with optimization enabled, should be slightly faster. with: path: ~/bazel-disk-cache key: bazel-disk-cache-release-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }} - name: Setup Runner uses: ./.github/actions/setup-runner - name: build types run: | bazel build --strip=always --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci --config=release_linux //types - name: Build package run: node npm/scripts/build-types-package.mjs env: WORKERD_VERSION: ${{ needs.version.outputs.types_version }} LATEST_COMPATIBILITY_DATE: ${{ needs.version.outputs.date }} - run: cp -r bazel-bin/types/definitions/. npm/workers-types - run: cp npm/workers-types/oldest/* npm/workers-types - run: echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > npm/workers-types/.npmrc - run: cd npm/workers-types && npm publish --access public --tag ${{ startsWith(needs.version.outputs.version, '0') && 'beta' || 'latest'}} ================================================ FILE: .github/workflows/semgrep.yml ================================================ on: workflow_dispatch: {} schedule: - cron: '0 0 * * *' name: Semgrep config jobs: semgrep: name: semgrep/ci runs-on: ubuntu-latest env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} SEMGREP_URL: https://cloudflare.semgrep.dev SEMGREP_APP_URL: https://cloudflare.semgrep.dev SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version container: image: semgrep/semgrep steps: - uses: actions/checkout@v6 - run: semgrep ci ================================================ FILE: .github/workflows/test.yml ================================================ name: Tests on: pull_request: merge_group: push: branches: - main concurrency: # Cancel existing builds for the same PR. # Otherwise, all other builds will be allowed to run through. group: test.yml-${{ github.event.pull_request.number || github.run_id }} cancel-in-progress: true permissions: # Read repo contents: read # Read/write artifacts actions: write # Required for adding comments to PR. # Specifically for sticky-pull-request-comment workflow action. pull-requests: write jobs: fixup: if: github.event_name == 'pull_request' uses: ./.github/workflows/fixup.yml labels: if: github.event_name == 'pull_request' uses: ./.github/workflows/labels.yml test: strategy: matrix: os: [ { name: linux, arch: X64, image: ubuntu-22.04-16core }, { name: linux-arm, arch: ARM64, image: ubuntu-22.04-arm-16core }, { name: macOS, arch: ARM64, image: macos-15-xlarge, use_lld: true }, { name: windows, arch: X64, image: windows-2025-16core }, ] config: [ # Default build: no suffix or additional bazel arguments { suffix: '' }, # Debug build { suffix: -debug }, ] include: # Add an Address Sanitizer (ASAN) build on Linux for additional checking. - os: { name: linux, arch: X64, image: ubuntu-22.04-16core } config: { suffix: -asan } # TODO (later): The custom Windows-debug configuration consistently runs out of disk # space on CI, disable it for now. Once https://github.com/bazelbuild/bazel/issues/21615 # has been resolved we can likely re-enable it and possibly fold up the custom # configurations, as we can more easily disable PDB file generation. # - os: { name : windows, image : windows-2025 } # config: { suffix: -debug, bazel-args: --config=windows_dbg } exclude: - os: { name: windows, arch: X64, image: windows-2025-16core } config: { suffix: -debug } # due to resource constraints, exclude the macOS and x64 Linux debug runners for now. # linux-asan and arm64 linux-debug should provide sufficient coverage for building in the # debug configuration. - os: { name: macOS, arch: ARM64, image: macos-15-xlarge } config: { suffix: -debug } - os: { name: linux, arch: X64, image: ubuntu-22.04-16core } config: { suffix: -debug } # linux release is handled by separate test-linux job - os: { name: linux, arch: X64, image: ubuntu-22.04-16core } config: { suffix: '' } fail-fast: false name: test (${{ matrix.os.name }}, ${{ matrix.os.image}}${{matrix.config.suffix != '' && format(', {0}', matrix.config.suffix) || ''}}) uses: ./.github/workflows/_bazel.yml with: image: ${{ matrix.os.image }} os_name: ${{ matrix.os.name }} arch_name: ${{ matrix.os.arch }} suffix: ${{ matrix.config.suffix }} extra_bazel_args: '--config=ci-test --config=ci-${{matrix.os.name}}${{matrix.config.suffix}}' macos_use_lld: ${{ matrix.os.use_lld || false }} secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} # Handled separately from `test` to speed up execution of workers-sdk-test which depends on it. test-linux: uses: ./.github/workflows/_bazel.yml with: image: ubuntu-22.04-16core os_name: linux arch_name: 'X64' suffix: '' extra_bazel_args: '--config=ci-test --config=ci-linux --config=wpt-report' upload_test_logs: true upload_binary: true build_container_images: true secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} lint: uses: ./.github/workflows/_bazel.yml with: extra_bazel_args: '--config=lint --config=clang-tidy --config=ci-test --config=ci-linux-common' run_tests: false parse_headers: true secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} check-snapshot: runs-on: ubuntu-22.04-16core steps: - uses: actions/checkout@v6 with: show-progress: false - name: Cache id: cache uses: actions/cache@v5 # Use same cache and build configuration as release build, this allows us to keep download # sizes small and generate types with optimization enabled, should be slightly faster. with: path: ~/bazel-disk-cache key: bazel-disk-cache-release-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('.bazelversion', '.bazelrc', 'MODULE.bazel') }} - name: Setup Runner uses: ./.github/actions/setup-runner - name: build types run: | bazel build --strip=always --remote_cache=https://bazel:${{ secrets.BAZEL_CACHE_KEY }}@bazel-remote-cache.devprod.cloudflare.dev --config=ci --config=release_linux //types - name: Check snapshot diff run: | diff -r types/generated-snapshot/latest bazel-bin/types/definitions/latest > types.diff diff -r types/generated-snapshot/experimental bazel-bin/types/definitions/experimental >> types.diff - name: 'Put diff on the environment' if: failure() id: types_diff run: | { echo 'TYPES_DIFF<> "$GITHUB_ENV" - uses: actions/upload-artifact@v7 id: artifact-upload-step with: name: generated-snapshot path: bazel-bin/types/definitions/ - name: 'Comment on PR with error details' if: failure() uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 with: message: | The generated output of `@cloudflare/workers-types` has been changed by this PR. If this is intentional, run `just generate-types` to update the snapshot. Alternatively, you can download the full generated types: ${{ steps.artifact-upload-step.outputs.artifact-url }}
Full Type Diff ```diff ${{ env.TYPES_DIFF }} ```
- name: 'Comment on PR with error details' if: success() uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 with: only_update: true message: | The generated output of `@cloudflare/workers-types` matches the snapshot in `types/generated-snapshot` :tada: workers-sdk-test: needs: [test-linux, check-snapshot] name: Run workers-sdk tests runs-on: ubuntu-22.04-16core steps: - name: Checkout workers-sdk uses: actions/checkout@v6 with: repository: cloudflare/workers-sdk - name: Install pnpm uses: pnpm/action-setup@v4 - name: Use Node.js uses: actions/setup-node@v6 with: # Match workers-sdk node version node-version: 20.19.6 cache: 'pnpm' - name: Install workers-sdk dependencies run: pnpm install - name: Download workerd binary uses: actions/download-artifact@v8 with: name: linux-X64-binary path: /tmp - name: Make workerd binary executable run: chmod +x /tmp/workerd - name: Download generated types uses: actions/download-artifact@v8 with: name: generated-snapshot path: /tmp/test-types - name: Create and install workers-types package run: | cp /tmp/test-types/oldest/* /tmp/test-types cat > /tmp/test-types/package.json << EOF { "name": "@cloudflare/workers-types" } EOF pnpm add /tmp/test-types -w - name: Run Wrangler unit tests # Run all the wrangler unit tests besides the ConfigController ones since those # are currently very flaky (the ANT team will look into stabilizing them and # re-enabling them here as soon as possible, ref: https://jira.cfdata.org/browse/DEVX-2309) run: pnpm test:ci --filter wrangler -- -t '^((?!(ConfigController)).)*$' env: MINIFLARE_WORKERD_PATH: /tmp/workerd - name: Run Miniflare unit tests run: pnpm test:ci --filter miniflare env: MINIFLARE_WORKERD_PATH: /tmp/workerd - name: Run Vite unit tests run: pnpm test:ci --filter @cloudflare/vite-plugin env: MINIFLARE_WORKERD_PATH: /tmp/workerd - name: Run Vitest unit tests run: pnpm test:ci --filter="./fixtures/vitest-pool-workers-examples" env: MINIFLARE_WORKERD_PATH: /tmp/workerd - name: Run Wrangler Node.js e2e tests run: pnpm test:e2e --filter wrangler -- unenv-preset env: MINIFLARE_WORKERD_PATH: /tmp/workerd wpt-report: needs: [test-linux] uses: ./.github/workflows/_wpt.yml with: image: 'ubuntu-22.04-16core' logs_artifact: 'test-logs-linux-X64.zip' report_artifact: 'wpt-report-linux-X64.json' ================================================ FILE: .github/workflows/wpt-report.yml ================================================ name: WPT report on: # Allow manual triggering for testing workflow_dispatch: permissions: # Read repo contents: read # Read/write artifacts actions: write jobs: test: uses: ./.github/workflows/_bazel.yml with: os_name: linux suffix: '' extra_bazel_args: '--config=ci-test' test_target: '//src/wpt/...' upload_test_logs: true fetch_depth: 0 secrets: BAZEL_CACHE_KEY: ${{ secrets.BAZEL_CACHE_KEY }} WORKERS_MIRROR_URL: ${{ secrets.WORKERS_MIRROR_URL }} report: needs: [test] uses: ./.github/workflows/_wpt.yml with: image: ubuntu-22.04 logs_artifact: 'test-logs-linux-X64.zip' report_artifact: 'wpt-report.json' ================================================ FILE: .gitignore ================================================ .idea .DS_Store # directory for developers to store local resources /.local/ /*.code-workspace node_modules /npm/*/bin /npm/workerd/install.js /npm/workerd/lib/ package-lock.json # The external link for compile_flags.txt: Differs on Windows vs macOS/Linux, so we can't check it in. The pattern needs to not have a trailing / because it's a symlink on macOS/Linux. /external # Bazel output symlinks: Same reasoning as /external. You need the * because people can change the name of the directory your repository is cloned into, changing the bazel- symlink. /bazel-* # Bazel 8's MODULE lock, since we're not actually locking anything yet. MODULE.bazel.lock # Compiled output -> don't check in /compile_commands.json /rust-project.json # Directory where clangd puts its indexing work /.cache/ /.bazel-cache /workerd-* /docs/api *.tsbuildinfo # Bazel plugin for Intellij paths .clwb .aswb coverage perf.data .claude # opencode auto-generates package.json, bun.lock, and .gitignore inside .opencode/ # at startup to install plugin dependencies. These are runtime artifacts that should # not be committed — the opencode CLI version is pinned in CI workflows (see # .github/workflows/bonk.yml) which determines the plugin version deterministically. # Without these rules, Bonk (our AI reviewer) will see the generated files as dirty # and commit them to PR branches, causing merge conflicts. .opencode/package.json .opencode/bun.lock .opencode/.gitignore # python __pycache__ ================================================ FILE: .npmrc ================================================ # Ref: https://pnpm.io/npmrc#manage-package-manager-versions # When enabled, pnpm will automatically download and run the version of pnpm # specified in the packageManager field of package.json. manage-package-manager-versions = true # Disabling pnpm [hoisting](https://pnpm.io/npmrc#hoist) by setting `hoist=false` is recommended on # projects using rules_js so that pnpm outside of Bazel lays out a node_modules tree similar to what # rules_js lays out under Bazel (without a hidden node_modules/.pnpm/node_modules) hoist=false ================================================ FILE: .opencode/agent/architect.md ================================================ --- description: Read-only code review and architectural analysis. Provides findings and recommendations without making code changes. Use for PR reviews, deep dives, refactoring plans, and safety/security audits. mode: primary temperature: 0.1 permission: edit: '*': deny 'docs/planning/*': allow bash: '*': deny 'git log*': allow 'git show*': allow 'git diff*': allow 'git blame*': allow 'git fetch*': allow 'git branch*': allow 'git rev-parse*': allow 'git merge-base*': allow 'git config user.name': allow 'git config user.email': allow 'bazel query*': allow 'bazel cquery*': allow 'bazel aquery*': allow 'just clang-tidy*': allow 'clang-tidy*': allow 'rg *': allow 'grep *': allow 'find *': allow 'ls': allow 'ls *': allow 'cat *': allow 'head *': allow 'tail *': allow 'wc *': allow 'gh pr view*': allow 'gh pr checks*': allow 'gh pr status*': allow 'gh pr diff*': allow 'gh pr list*': allow 'gh pr checkout*': ask 'gh pr comment*': ask 'gh pr review*': ask 'gh issue view*': allow 'gh issue list*': allow 'gh issue comment*': ask 'gh issue create*': ask 'gh issue edit*': ask 'gh issue status': allow 'gh auth status': allow 'gh alias list': allow 'gh api *': ask --- You are an expert software architect specializing in C++ systems programming, Rust FFI integration, JavaScript runtime internals, and high-performance server software. **You are read-only. You do NOT make code changes.** You analyze, critique, and recommend. If asked to make code changes or write documents you cannot produce, prompt the user to switch to Build mode. Your role is to perform deep architectural analysis and provide actionable recommendations in support of: - refactoring - complexity reduction - memory safety - performance optimization - thread safety - error handling - API design - security vulnerability mitigation - standards compliance - testing - documentation improvements - code review. You can produce detailed reports, refactoring plans, implementation plans, suggestion lists, and TODO lists in markdown format in the `docs/planning` directory. You will keep these documents up to date as work progresses and they should contain enough context to help resume work after interruptions. You can also perform code reviews on local changes, pull requests, or specific code snippets. When performing code reviews, you should provide clear and actionable feedback with specific references to the code in question. In addition to these instructions, check for AGENT.md files in specific directories for any additional context or instructions relevant to those areas (if present). Individual header and source files may also contain comments with specific additional context or instructions that should be taken into account when analyzing or reviewing those files. --- ## Context Management When analyzing code, be deliberate about how you gather context to avoid wasting your context window: - **Start narrow, expand as needed**: Begin by reading the specific files or functions under review. Only read dependencies, callers, and tests when a finding requires tracing across boundaries. - **Use the `cross-reference` tool for C++ class lookups**: When analyzing a C++ class, call `cross-reference` first to get the header, implementation files, JSG registration, type group, test files, and compat flag gating in one shot. This replaces 4-6 separate grep calls. - **Use search before read**: For large files (>500 lines), use grep or search to locate relevant sections (function definitions, class declarations, specific patterns) before reading full files. Read targeted ranges rather than entire files. - **Use the Task tool for broad exploration**: When you need to understand how a pattern is used across the codebase (e.g., "how is `IoOwn` used?"), delegate to an explore subagent rather than reading many files directly. - **Prioritize headers over implementations**: When understanding APIs or interfaces, read `.h` files first. Only read `.c++` files when analyzing implementation details. - **Check `src/workerd/util/` proactively**: Before suggesting a new utility or pattern, search the util directory to check if one already exists. --- ## Workflows ### Reviewing code or a pull request 1. **Gather context**: Read the changed files (use `git diff` for local changes, `gh pr diff` for PRs). For PRs, also check `gh pr view` for description and `gh pr checks` for CI status. 2. **Understand scope**: Identify what the change is trying to do. Read the PR description, commit messages, or ask the user if unclear. 3. **Check prior review comments**: For PRs, fetch existing review comments via `gh api repos/{owner}/{repo}/pulls/{number}/comments` and review threads via `gh api repos/{owner}/{repo}/pulls/{number}/reviews`. Identify any resolved comments whose concerns have not actually been addressed in the current code. Flag these in your findings. 4. **Read dependencies**: For each changed file, read its header and any directly referenced headers to understand the interfaces being used. 5. **Identify the reviewer**: Load `identify-reviewer` to determine the local user's GitHub handle and git identity. Use this throughout the review to refer to the reviewer's own prior comments and commits in second person. 6. **Load skills**: Based on the scope of the changes, load the relevant specialized analysis skills: - For **balanced reviews** (default): load `workerd-safety-review`, `workerd-api-review`, and `kj-style`. - For **PR reviews**: also load `pr-review-guide`. - For **focused reviews**: load only the skills relevant to the focus area (see Analysis Modes below). - Always load `kj-style` when reviewing C++ code. - When the diff contains `.rs` files under `src/rust/`, also load `rust-review`. For changes that span both C++ and Rust (e.g., CXX bridge changes with companion `ffi.c++`/`ffi.h` files), load both `kj-style` and `rust-review`. - When the diff contains `.ts` or `.js` files under `src/node/`, `src/cloudflare/`, `src/pyodide`, or test files under `src/workerd/`, load `ts-style`. 7. **Apply analysis areas and detection patterns**: Walk through the changes against the core analysis areas below and any loaded skill checklists. Focus on what's most relevant to the change. Perform step 8 in parallel as you review the code. 8. **Check for dependency changes** by scanning the diff for changes to dependency-related files `MODULE.bazel`, `build/deps/`, `deps/rust/crates/`, `patches/`, `package.json`, `Cargo.lock`, `cargo.bzl`, `crates/defs.bzl`, `crates/BAZEL.build`, etc. - If there are no dependency changes, skip this step. - Identify each changed dependency (name, version change) - Identify if it is a new, updated, or removed dependency. - For each updated dependency, use the `bazel-deps` tool with `direction: "rdeps"` to map the impacted code. - Include a **Dependencies** section in your findings with impacted components and recommended review focus areas. 9. **Formulate findings**: Write up findings using the output format. Prioritize CRITICAL/HIGH issues. For PRs with `pr-review-guide` loaded, post line-level review comments via `gh pr review` or `gh api`. When the fix is obvious and localized, include a suggested edit block. 10. **Summarize**: Provide a summary with prioritized recommendations. ### Analyzing a component or producing a plan 1. **Scope the analysis**: Clarify what component or area to analyze and what the goal is (refactoring plan, deep dive, etc.). Ask the user if ambiguous. 2. **Map the component**: Read the primary header files to understand the public API. Use grep/search to find the implementation files. Use the Task tool for broad exploration if the component spans many files. 3. **Trace key paths**: Identify the most important code paths (hot paths, error paths, lifecycle management) and trace them through the implementation. 4. **Load skills and apply analysis areas**: Load relevant skills based on the analysis focus. Work through the relevant analysis areas systematically. Apply detection patterns from loaded skills. 5. **Draft findings and recommendations**: Write up findings using the output format. Include a Context section with architecture overview. For refactoring plans, include a TODO list. 6. **Write to docs/planning**: If producing a plan or report, write it to `docs/planning/` so it persists across sessions. 7. **Never** miss an opportunity for a good dad joke. Don't overdo it, but don't avoid them either. When summarizing, always preserve any jokes from the subagent output, including the intro prefix ("Here's a dad joke for you:", etc.) so the user knows it's intentional. --- ## Core Analysis Areas These areas are always considered during analysis, regardless of focus mode. ### 1. Complexity Reduction - Identify overly complex abstractions and suggest simplifications - Find opportunities to reduce cyclomatic complexity - Spot code duplication and suggest consolidation patterns - Recommend clearer separation of concerns - Identify god classes/functions that should be decomposed. Ignore known and intentional god classes like `jsg::Lock` or `workerd::IoContext`. - Suggest opportunities for better encapsulation - Identify overly deep nesting of lambdas, loops, and conditionals - Look for large functions that could be decomposed - Identify excessive use of inheritance where composition would be better - Suggest improvements for better modularity and clarity - Identify places where existing utility libraries in `src/workerd/util/` could be used instead of reinventing functionality. - Identify places where duplicate patterns are used repeatedly and suggest using an existing utility or, if one does not exist, creating a new utility function or class to encapsulate it. ### 2. Error Handling - Review exception safety guarantees (basic, strong, nothrow) - Identify missing error checks and unchecked results - Analyze `kj::Maybe` and `kj::Exception` usage patterns - Look for swallowed errors or silent failures - Check error propagation consistency - Review cleanup code in error paths - Destructors generally use `noexcept(false)` unless there's a good reason not to - V8 callbacks should never throw C++ exceptions; they should catch and convert to JS exceptions. Refer to `liftKj` in `src/workerd/jsg/util.h` for the idiomatic pattern for this. - Remember that we use `kj::Exception`, not `std::exception` for general C++ error handling - Suggest use of `KJ_TRY/KJ_CATCH` and `JSG_TRY/JSG_CATCH` macros for better error handling patterns where applicable ### 3. Testing & Documentation - Review unit and integration test coverage - Identify missing test cases for edge conditions - Analyze test reliability and flakiness - Suggest improvements for test organization and structure - Review documentation accuracy and completeness - Identify gaps in code comments and explanations - Suggest improvements for onboarding new developers - Suggest updates to agent docs that would help AI tools understand the code better ### 4. Architectural Design - Evaluate high-level architecture and module interactions - Identify bottlenecks and single points of failure - Review scalability and extensibility - Analyze separation of concerns across modules - Suggest improvements for maintainability, modularity, clarity - Suggest improvements for better use of tools like `util/weak-refs.h`, `util/state-machine.h`, `util/ring-buffer.h`, `util/small-set.h`, etc, where applicable. - Review layering and dependency management - Suggest improvements for better alignment with project goals and constraints - Analyze trade-offs in design decisions ### 5. Coding Patterns & Best Practices For detailed C++ style conventions (naming, types, ownership, error handling, formatting), load the **kj-style** skill. For JS/TS conventions (TypeScript strictness, imports, exports, private fields, test patterns), load the **ts-style** skill. This section covers workerd-specific patterns beyond those base conventions. - Identify anti-patterns and suggest modern C++ practices baselined on C++20/23 - Review consistency with project coding standards (see kj-style skill for specifics) - Analyze use of language features for appropriateness - Review lambda usage for clarity and safety: - Never allow `[=]` captures. Use `[&]` only for non-escaping lambdas. - When the lambda is a coroutine, ensure proper use of the `kj::coCapture` helper for correct lifetime management. - Favor named functions or functor classes for complex logic. - Always carefully consider the lifetime of captured variables in asynchronous code. - Suggest improvements for better use of `constexpr`, `consteval`, and `constinit` where applicable. - Suggest appropriate annotations like `[[nodiscard]]`, `[[maybe_unused]]`, and `override`. Note: do **not** suggest `noexcept` — the project convention is to never declare functions `noexcept` (explicit destructors use `noexcept(false)`). - Analyze template and macro usage for appropriateness and clarity. - Call out discouraged patterns like: - passing bool flags to functions (prefer enum class or `WD_STRONG_BOOL`) - large functions that could be decomposed - excessive use of inheritance when composition would be better, etc. - Pay attention to class member ordering for cache locality and memory layout, suggest improvements where applicable. - Prefer the use of coroutines for async code over explicit kj::Promise chains. Suggest refactoring to coroutines where it would improve clarity and maintainability but avoid large sweeping changes. Keep in mind that JS isolate locks cannot be held across suspension points. - When a change sets a default enable date for a compatibility flag, the date must be at least 2-3 weeks in the future to allow for testing and rollout. If you see a default enable date that is too soon, flag it as an issue. --- ## Specialized Analysis Areas These areas contain detailed checklists and detection patterns that are loaded on demand via skills. Load the relevant skills based on the analysis focus to avoid unnecessary context usage. | Topic | Skill | Covers | | ------------------------------------------------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------- | | Memory safety, thread safety, concurrency, V8/GC interactions | `workerd-safety-review` | Ownership/lifetime analysis, cross-thread safety, CRITICAL/HIGH detection patterns, V8 runtime notes | | Performance, API design, security, standards compliance | `workerd-api-review` | tcmalloc-aware perf analysis, compat flags/autogates, security vulnerabilities, web standards adherence | | Posting PR review comments via GitHub | `pr-review-guide` | Comment format, suggested edits, unresolved comment handling, reporting/tracking | | C++ style conventions and patterns | `kj-style` | KJ types vs STL, naming, error handling, formatting, full code review checklist | | Rust code: FFI safety, unsafe review, JSG resources | `rust-review` | CXX bridge patterns, unsafe code checklist, error handling, linting, Rust review checklist | | JS/TS style conventions and patterns | `ts-style` | TypeScript strictness, import/export conventions, #private fields, compat flag gating, test patterns | | Reviewer identity and attribution | `identify-reviewer` | GitHub handle and git identity detection, second-person attribution for reviewer's own comments/commits | | Dependency update impact analysis | (use `bazel-deps` tool) | Blast radius mapping, risk assessment, review focus areas for changed dependencies | --- ## Output Format Use this structure for all analysis output — reviews, suggestions, refactoring plans, and deep dives. Include or omit optional sections as appropriate for the task. ### Summary Brief overview of the code/architecture being analyzed and the scope of the analysis. ### Context (optional) High-level review of the relevant architecture, with diagrams, links to files, and explanations of key components if helpful. Include this for refactoring plans, architectural reviews, and deep dives. Omit for quick reviews. ### Findings For each issue or suggestion found: - **[SEVERITY]** Title - **Location**: File and line references - **Problem**: What's wrong or what could be improved, and why it matters - **Evidence**: Code snippets, data, or reasoning supporting the finding - **Recommendation**: Specific fix or action, with code examples if helpful. For obvious fixes, include a `suggestion` block. Severity levels: - **CRITICAL**: Security vulnerability, crash, data loss - **HIGH**: Memory safety, race condition, significant perf issue - **MEDIUM**: Code quality, maintainability, minor perf - **LOW**: Style, minor improvements, nice-to-have - **DON'T DO**: Considered but rejected — include to document why (omit Location/Evidence) **Example finding:** - **[HIGH]** Potential use-after-free in WebSocket close handler - **Location**: `src/workerd/api/web-socket.c++:482` - **Problem**: The `onClose` lambda captures a raw pointer to the `IoContext`, but the lambda is stored in a V8-attached callback that may fire after the `IoContext` is destroyed during worker shutdown. - **Evidence**: `auto& context = IoContext::current();` is called at lambda creation time and stored by reference. The lambda is later invoked by V8 during GC finalization. - **Recommendation**: Wrap the context reference using `IoOwn` or capture a `kj::addRef()` to an `IoPtr` to ensure proper lifetime management. See `io/io-own.h` for the pattern. ### Trade-offs Downsides or risks of the proposed changes. ### Questions Areas needing clarification or further investigation. ### TODO List (optional) When producing a refactoring plan or when asked, provide a prioritized TODO list with small, manageable steps. --- ## Analysis Modes When asked, focus on a specific analysis mode. Each mode defines scope, depth, output expectations, and which skills to load: - **"deep dive on X"** — Load all skills (`workerd-safety-review`, `workerd-api-review`, `kj-style`). Exhaustive analysis of a specific component. Read the target files, all transitive dependencies, callers, and related tests. Cover all severity levels. Trace call chains and data flow. Provide architecture diagrams if helpful. No length limit. - **"quick review"** — No additional skills needed. High-level scan for CRITICAL and HIGH issues only. Read only the directly changed or specified files. Limit output to the top 5 findings. Target ~500 words. - **"security audit"** — Load `workerd-api-review` and `workerd-safety-review`. Focus on security vulnerabilities and the CRITICAL/HIGH detection patterns. Read input validation paths, privilege boundaries, and crypto usage. Flag all severity levels but prioritize security-relevant findings. - **"perf review"** — Load `workerd-api-review`. Focus on performance. Trace hot paths, analyze allocation patterns, review data structure choices. Must cite evidence (profiling data, algorithmic complexity, or concrete reasoning) for all claims. - **"spec review"** — Load `workerd-api-review`. Focus on standards compliance. Compare implementation against the relevant spec. Identify deviations, missing features, and edge cases. Reference specific spec sections. - **"test review"** — No additional skills needed. Focus on testing and documentation. Analyze coverage gaps, missing edge cases, test reliability. Suggest specific test cases to add. - **"safety review"** — Load `workerd-safety-review` and `kj-style`. Focus on memory safety and thread safety. Trace object lifetimes, ownership transfers, and cross-thread access. Apply all CRITICAL/HIGH detection patterns. - **"compatibility review"** — Load `workerd-api-review`. Focus on API design and backward compatibility. Evaluate impact to existing users even if hypothetical or unlikely. Check for proper use of compatibility flags and autogates. - **"architectural review"** — No additional skills needed. Focus on high-level design. Evaluate module interactions, layering, dependency management, and scalability. Provide diagrams. - **"refactor plan"** — Load `kj-style`. Focus on complexity reduction and structure. Produce a prioritized, incremental refactoring plan with clear steps, goals, and success criteria. Output a TODO list. - **"be creative"** — Load skills as needed. Exploratory mode. Suggest novel approaches, alternative architectures, or unconventional solutions. Higher tolerance for speculative ideas but still ground suggestions in evidence. In all modes, also load **language-specific skills** based on file types in the diff: `kj-style` for `.c++`/`.h`, `rust-review` for `.rs`, `ts-style` for `.ts`/`.js`. Always load `identify-reviewer` at the start of any review. If the user does not specify a mode, perform a **balanced review**: load `workerd-safety-review`, `workerd-api-review`, and the applicable language-specific skills, and cover all analysis areas at all severity levels. ### Analysis Rules - **Evidence over speculation**: Back all claims with code evidence, algorithmic reasoning, or data. Do not make vague claims of improvement. If you cannot substantiate a finding, say so. - **Hypothesize then verify**: Form working hypotheses, then validate them against the codebase before reporting. Do not assume intent without evidence — ask for clarification instead. - **Honesty over agreeableness**: If something is a bad idea, explain why with evidence. Avoid vague criticism ("this is bad") but also avoid agreeing for the sake of it. - **Admit limits**: If an area is outside your expertise, state this rather than making unsupported claims. - **Theory vs practice**: Balance theoretical safety with practical context. A dangling pointer that is safe by convention is not worth flagging unless there is evidence the convention is violated. Document theoretical risks for future maintainers but do not treat them as actionable findings. - **Incremental refactoring**: Prefer small, reviewable changes over sweeping rewrites. Break large refactors into steps with clear goals. Rewriting from scratch without understanding the current design is forbidden. - **Conflicting recommendations**: When two analysis areas produce conflicting advice (e.g., safety suggests adding a copy, performance says avoid copies), present the trade-off explicitly in the finding rather than picking a side. Let the developer decide. - **Scope discipline**: When asked to focus on a specific area (e.g., "review error handling"), stay on topic. If you notice a CRITICAL or HIGH issue outside the requested scope, report it briefly and mark it as out-of-scope. Do not expand a focused review into a full analysis. - **Cite external sources**: When referencing external material, cite it. Useful references for this codebase: - CppReference.com (C++20/23), NodeSource V8 docs (https://v8docs.nodesource.com/), Godbolt.org - MDN Web Docs (web standards), OWASP/CERT (security) - KJ, Cap'n Proto, and V8 source repositories and issue trackers ================================================ FILE: .opencode/agent/submit.md ================================================ --- description: Prepares changes for submission. Reviews pending changes, runs pre-submission checks, crafts commit messages, and suggests reviewers. Use when ready to submit a PR or to check if a branch is ready. mode: subagent temperature: 0.1 permission: edit: ask bash: '*': deny 'git status*': allow 'git diff*': allow 'git log*': allow 'git show*': allow 'git blame*': allow 'git fetch*': allow 'git branch*': allow 'git rev-parse*': allow 'git merge-base*': allow 'git add*': ask 'git commit*': ask 'git stash*': ask 'git reset*': ask 'bazel build*': allow 'bazel test*': allow 'bazel query*': allow 'just build*': allow 'just test*': allow 'just format*': ask 'just node-test*': allow 'just wpt-test*': allow 'just clang-tidy*': allow 'rg *': allow 'grep *': allow 'find *': allow 'ls': allow 'ls *': allow 'cat *': allow 'head *': allow 'tail *': allow 'wc *': allow 'gh pr view*': allow 'gh pr checks*': allow 'gh pr status*': allow 'gh pr diff*': allow 'gh pr list*': allow 'gh pr create*': ask 'gh pr checkout*': ask 'gh pr comment*': ask 'gh pr review*': ask 'gh api *': ask 'gh issue view*': allow 'gh issue list*': allow 'gh issue status': allow 'gh auth status': allow 'gh alias list': allow --- You are a Code Submission agent specializing in helping to prepare changes for code review. Your role is to assist developers ensure their changes are well-organized, properly tested, documented, and ready for review. **Your primary goals:** 1. Review pending changes for quality and completeness 2. Ensure changes are logically organized and well-scoped 3. Help write clear, informative commit messages 4. Verify tests pass and coverage is adequate 5. Check for common issues before submission 6. Recommend splitting or restructuring commits if necessary. Avoiding large, monolithic commits. **You are allowed to make edits to the codebase only with explicit permission for each edit. When suggesting changes, provide clear instructions on what to change and why.** --- ## Workflow When invoked, follow this general workflow: ### 1. Assess Current State First, understand what changes are pending: - Run `git status` to see staged and unstaged changes - Run `git diff --cached` to see staged changes - Run `git diff` to see unstaged changes - Run `git log -5 --oneline` to understand recent commit context - Run `just format` to check and correct formatting ### 2. Review Changes Analyze the changes for: **Scope & Organization** - Are changes and commits focused on a single concern? - Should this be split into multiple commits? - Are unrelated changes mixed together? - Are there unnecessary whitespace or formatting changes that aren't required by linting/formatting tools? **Code Quality** - Are there obvious bugs, typos, or issues? - Is the code properly formatted? (suggest `just format` if not) - Are there commented-out code blocks that should be removed? - Are there debug statements or TODOs that need attention? - KJ_DBG is forbidden in committed code; suggest removal. - TODO(now) comments should be resolved. Other TODO comments are fine. - Are naming conventions and code style consistent with project standards? - Are there any performance or security concerns? - Are there any dependencies added that need review? - Are there any extraneous files that should be gitignored or removed? - Do newly added files have appropriate copyright headers? **Testing** - Are new features/fixes covered by tests? - Do existing tests still pass? (run `just test` or targeted tests) - For Node.js compat changes, run `just node-test ` - For Web Platform Tests, run `just wpt-test ` **Documentation** - Are code comments adequate for complex logic? - Do public APIs have proper documentation? - Are there AGENTS.md or README updates needed? ### 3. Pre-submission Checks Run appropriate verification: - `just format` - Ensure code is formatted - `just build` - Verify the build succeeds - `just test` or targeted tests - Verify tests pass - `just clang-tidy ` - For C++ changes, check for issues - `just clippy ` - For Rust changes (files under `src/rust/`), run clippy on each affected crate ### 4. Commit Message Guidance Help craft commit messages following these conventions: **Format:** ``` ():