{
	"$schema": "node_modules/wrangler/config-schema.json",
	"name": "emdash-flue-review",
	"account_id": "1f74638c495bc9f0330ce5c8e64c1b6b",
	"compatibility_date": "2026-04-01",
	"compatibility_flags": ["nodejs_compat"],
	"ai": {
		"binding": "AI",
	},
	// Worker Loader binding for the Cloudflare Shell sandbox (cf-shell): runs the
	// agent's JavaScript `code` tool in an isolate against the durable Workspace.
	// Replaces the @cloudflare/sandbox container for this read-only reviewer.
	"worker_loaders": [
		{
			"binding": "LOADER",
		},
	],
	// Large-file backing store for the cf-shell Workspace. Files over the
	// inlineThreshold (~1.5 MB), e.g. a git packfile, spill to R2 instead of
	// the DO SQLite single-blob limit (SQLITE_TOOBIG).
	"r2_buckets": [
		{
			"binding": "REVIEW_WORKSPACE",
			"bucket_name": "emdash-flue-review-workspace",
		},
	],
	"durable_objects": {
		"bindings": [
			{
				"name": "REVIEW_WATCHDOG",
				"class_name": "ReviewWatchdog",
			},
		],
	},
	// Migration history must stay append-only and keep every previously applied
	// tag so Cloudflare can locate the deployed cursor and apply only what's new.
	// The live worker's cursor is `flue-class-ReviewWorkflow` (it has Sandbox,
	// ReviewWorkflow, and FlueRegistry). @flue 0.11 renamed the workflow DO class
	// `ReviewWorkflow` -> `FlueReviewWorkflow`; the v2 rename below bridges to it
	// without re-creating or resetting any class. The first two tags are already
	// applied (their bodies are not re-executed) and exist only to anchor the cursor.
	"migrations": [
		{
			"tag": "v1",
			"new_sqlite_classes": ["Sandbox"],
		},
		{
			"tag": "flue-class-ReviewWorkflow",
			"new_sqlite_classes": ["ReviewWorkflow", "FlueRegistry"],
		},
		{
			"tag": "v2-flue-0.11",
			"renamed_classes": [
				{
					"from": "ReviewWorkflow",
					"to": "FlueReviewWorkflow",
				},
			],
		},
		// Reset the FlueRegistry run-index DO. Upgrading @flue in place left its
		// `flue_registry_runs` table with the pre-1.0 schema (an `owner_kind NOT
		// NULL` column 1.0-beta no longer writes); `ensureRegistryTables` only
		// does CREATE TABLE IF NOT EXISTS so it never reconciles, and every
		// recordRunStart/End fails the NOT NULL constraint. The registry holds
		// only run-index bookkeeping (no review/workflow state), so we drop and
		// recreate it to get a fresh 1.0-beta schema. Cloudflare refuses to delete
		// a class while a binding references it, so this is applied via a
		// two-step deploy: deploy once with the FLUE_REGISTRY binding removed
		// (drops + recreates the class, unbound), then a normal deploy rebinds it.
		{
			"tag": "v3-reset-registry-drop",
			"deleted_classes": ["FlueRegistry"],
		},
		{
			"tag": "v4-reset-registry-new",
			"new_sqlite_classes": ["FlueRegistry"],
		},
		// Remove the @cloudflare/sandbox container DO: the reviewer moved to the
		// Worker-Loader-backed cf-shell sandbox (no firecracker container). Sandbox
		// is a user-declared class, so dropping the binding + deleting the class in
		// one deploy is allowed.
		{
			"tag": "v5-remove-sandbox",
			"deleted_classes": ["Sandbox"],
		},
		{
			"tag": "v6-review-watchdog",
			"new_sqlite_classes": ["ReviewWatchdog"],
		},
		{
			"tag": "v7-reset-registry-drop-v2",
			"deleted_classes": ["FlueRegistry"],
		},
		{
			"tag": "v8-reset-registry-new-v2",
			"new_sqlite_classes": ["FlueRegistry"],
		},
	],
	"vars": {
		"NODE_OPTIONS": "--max-old-space-size=6144",
		// emdashbot GitHub App. Not secret (app id is public; installation id is
		// low-sensitivity). Only the private key and webhook secret are secrets.
		// Owner/repo come from the webhook payload, so they aren't configured here.
		"GITHUB_APP_ID": "3255304",
		"GITHUB_APP_INSTALLATION_ID": "120963314",
	},
	// Set with `wrangler secret put <NAME>`. The webhook secret is used by the
	// public handler; the private key is used only by the workflow DO to mint an
	// installation token, fetch prior reviews, and post (never by the agent
	// container). GITHUB_APP_PRIVATE_KEY must be a PKCS#8 PEM (convert GitHub's
	// download with `openssl pkcs8 -topk8 -nocrypt -in key.pem`).
	"secrets": {
		"required": ["GITHUB_WEBHOOK_SECRET", "GITHUB_APP_PRIVATE_KEY"],
	},
	"observability": {
		"enabled": true,
	},
}
