[codex] adapt workerd 20260701#2
Conversation
Upgrade workerd to 1.20260701.1, split process-level and loaded-worker experimental usage, add workerLoader env/code guards, bound log-tail cleanup for workerd #6832, and document compatibility and ECS capacity impacts. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
Pull request overview
Upgrades bundled workerd / @cloudflare/workers-types to the 2026-07-01 baseline and adjusts WDL runtime/control behavior to match upstream changes (notably tightening the experimental surface, adding workerLoader size/budget guards, and hard-bounding log-tail session cleanup).
Changes:
- Remove broad loaded-worker
experimentalcompatibility behavior (compatibilityFlags: ["experimental"]andallowExperimental) while keeping process-level--experimentalonly where workerLoader still requires it. - Add control-plane prechecks for workerLoader limits (64 MiB code total; headroomed 1 MiB serialized user env budget across vars + secrets).
- Make log-tail cleanup independent of
ReadableStream.cancel()and relax the client-disconnect integration test to a bounded regression anchor for current workerd behavior.
Reviewed changes
Copilot reviewed 40 out of 41 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/style-contracts.test.js | Extends invariants to ensure --experimental is present only on workerLoader-owning processes across compose/k8s/terraform/supervisor. |
| tests/unit/runtime-load.test.js | Updates loader-callback expectations to ensure allowExperimental is no longer emitted. |
| tests/unit/runtime-lib.test.js | Updates compatibility-flag floor expectations after removing experimental injection. |
| tests/unit/do-runtime-protocol.test.js | Updates DO protocol normalization test to ensure allowExperimental is absent. |
| tests/unit/control-secret-envelope-handlers.test.js | Updates handler stubs/import wiring for added env-budget and version modules and required redis methods. |
| tests/unit/control-logs-tail.test.js | Adds unit coverage for max-session watchdog cleanup even when stream cancel doesn’t occur. |
| tests/unit/control-lib.test.js | Adjusts date validation test harness “today” to avoid false positives with newer bundled workerd. |
| tests/unit/control-env-budget.test.js | New unit tests for merged env precedence, env budget enforcement, and secret decryption used by budget checks. |
| tests/unit/control-deploy-watch.test.js | Adds deploy precheck coverage for env-budget and code-size rejection paths prior to version allocation. |
| tests/integration/http-features.test.js | Relaxes disconnect assertion to accept current workerd behavior impacted by workerd #6832. |
| terraform/README.md | Documents SQLite heap cap change implications for ECS sizing on newer workerd. |
| terraform/modules/compute/gateway_service.tf | Removes --experimental from gateway workerd command line. |
| rust/supervisor/src/lib.rs | Splits DO vs D1 workerd args to selectively include process --experimental. |
| rust/supervisor/src/config.rs | Makes --experimental conditional in workerd_args() and adds unit test. |
| runtime/load.js | Stops adding allowExperimental to generated WorkerCode for loaded workers. |
| runtime/lib.js | Removes experimental compatibility-flag floor injection logic. |
| runtime/config-user.capnp | Removes experimental from runtime loader worker compatibility flags. |
| runtime/config-system.capnp | Removes experimental from runtime loader worker; wires in control-env-budget module and LOG_TAIL_MAX_SESSION_MS. |
| package.json | Bumps workerd and @cloudflare/workers-types versions to 20260701.1. |
| package-lock.json | Locks updated workerd / platform binaries and @cloudflare/workers-types versions. |
| docs/modules/runtime.zh.md | Updates runtime module docs for experimental tightening and new workerLoader budgets (env/code). |
| docs/modules/runtime.md | Updates runtime module docs for experimental tightening and new workerLoader budgets (env/code). |
| docs/modules/log-tail-observability.zh.md | Documents workerd #6832 impact and the new independent max-session watchdog. |
| docs/modules/log-tail-observability.md | Documents workerd #6832 impact and the new independent max-session watchdog. |
| docs/modules/cli.zh.md | Documents deploy-time code-size and env-budget constraints surfaced by control. |
| docs/modules/cli.md | Documents deploy-time code-size and env-budget constraints surfaced by control. |
| docs/compatibility.zh.md | Documents reserved _cf_ SQLite naming restriction and new workerLoader size constraints. |
| docs/compatibility.md | Documents reserved _cf_ SQLite naming restriction and new workerLoader size constraints. |
| Dockerfile.workerd | Updates documented ECS command lines; notes supervisor child workerd includes --experimental for workerLoader. |
| docker-compose.yml | Removes --experimental from gateway-local workerd command. |
| do-runtime/protocol.js | Removes allowExperimental normalization from forwarded WorkerCode. |
| do-runtime/load.js | Removes allowExperimental injection in DO loaded worker code path and updates typedef. |
| do-runtime/config.capnp | Removes experimental from DO runtime worker compatibility flags. |
| deploy/kubernetes/base/gateway.yaml | Removes --experimental from gateway container args. |
| control/handlers/worker-secrets.js | Adds env-budget enforcement for worker secret PUT before promotion; adds envelope error handling. |
| control/handlers/secret-put.js | Returns plaintext alongside encrypted value to support control-side budget prechecks. |
| control/handlers/ns-secrets.js | Adds namespace secret budget validation across active workers before writing the secret. |
| control/handlers/logs-tail.js | Adds independent max-session watchdog and makes cleanup independent of cancel() being invoked. |
| control/handlers/deploy.js | Adds workerLoader code-size precheck and committed env-budget precheck before version allocation. |
| control/env-budget.js | New shared helpers for env merging, byte accounting, budget enforcement, and secret decryption for budget checks. |
| CLAUDE.md | Updates agent guidance for env-budget enforcement and disconnect/cancel unreliability guidance. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7387099a94
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Validate namespace and worker secret mutations against retained worker versions, check DELETE paths that reveal lower-precedence env values, and parallelize secret decryption used by env-budget prechecks. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5fb5e7b3ff
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Make namespace-secret env-budget checks atomic with the secret write, validate namespace-secret deletes, and watch namespace secrets during worker-secret checks. Revalidate deploy env budget inside the deploy commit WATCH window and add bundle metadata parse context for retained-version budget checks. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6fa169abd3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Close the Redis tail session idempotently when cleanup runs and immediately close any session that finishes opening after the watchdog has already expired. Add a unit regression test for the pending-open race. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7e4f4ad816
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Include runtime-injected binding and workflow env values in the control-plane workerLoader env budget estimate, including required caller secret copies in service binding props. Update docs and add regression coverage for retained versions. Signed-off-by: Lu Zhang <lu@wdl.dev>
f5a2809 to
6e26d86
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6e26d863bb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Validate deploy env budget after materialized metadata, budget worker secret bumps with a conservative future version estimate, and skip decrypting secret envelopes removed by PUT/DELETE recovery paths. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7d7a3a6bee
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Count the configured ASSETS_CDN_BASE and do-runtime alarm binding in workerLoader env estimates so deploys and secret mutations fail before cold-load. Allow same-hash secret DELETE repair budget checks to skip corrupt remaining envelopes while keeping PUT and cross-layer decrypts fail-closed. Add regression coverage for deploy budget propagation, DO alarm env estimates, and namespace/worker secret repair behavior. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 68a2283874
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Use a null-prototype callerSecrets map so object-prototype secret keys remain data keys during workerLoader env estimates. Expose RedisSession.hasOpenResources() and use it to close log-tail sessions once open has allocated socket resources, including the pending SELECT window. Add unit coverage for both review findings and verify with targeted log-tail integration tests. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8ffaf121db
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Split workerd experimental surface, add workerLoader env/code guards, bound log-tail cleanup without stream cancel, reject unsupported Python/experimental tenant metadata, and cap D1/DO runtime container memory for the 0701 SQLite behavior. Signed-off-by: Lu Zhang <lu@wdl.dev>
8753459 to
3531849
Compare
Fix the experimental flag mirror and add read-only rollout scanning for retained metadata blockers, including missing metadata, Python modules, experimental flags, and env-size risks without decrypting secrets. Document the TLS, log-tail, runtime scanner, and Terraform memory boundaries for the 2026-07-01 workerd adaptation. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 725e40e2df
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Document the two-phase env-budget deploy check, pin the Durable Object env estimate to the real runtime shape, and leave explicit task memory headroom for the DO redis-proxy sidecar. Add regression coverage for the DO env estimate and Terraform memory contract. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 29d2af630b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Make deploy env-budget rejection authoritative after version allocation, keep DELETE secret repair paths from being blocked by unrelated corrupt envelopes, and update docs/tests for the revised contracts. Signed-off-by: Lu Zhang <lu@wdl.dev>
Summary
Upgrades the bundled workerd and worker type packages to
1.20260701.1/4.20260701.1and adapts WDL to the upstream behavior changes from the 20260617 baseline.Main changes:
experimentalcompatibility flag andallowExperimental, while keeping process-level--experimentalonly for workerLoader-owning runtimesReadableStream.cancel()to mitigate workerd #6832_cf_names, workerLoader limits, stream disconnect behavior, and ECS capacity implicationsNotes
workerd issue #6832 remains open upstream. This PR does not fork workerd or carry a patched binary; WDL bounds its own log-tail resource lifetime and records the tenant-visible streaming behavior change.
D1 no longer runs its child workerd process with
--experimental; DO still does because its supervisor loads tenant DO classes through workerLoader.Validation
npm testpassed, 1704 testsnpm run compile:workerdpassednode --test tests/unit/control-env-budget.test.js tests/unit/control-deploy-watch.test.jspassednpm run test:integration -- tests/integration/http-features.test.jspassednpm run test:integrationpassed, 53 filesterraform fmt -check -recursive terraformpassedgit diff --cached --checkpassedterraform validatewas attempted locally but could not load the cached provider plugins in this environment; the failure was provider plugin startup/handshake, not an HCL validation error.