If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/cloudflare/wrangler-legacy shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across all four use cases

• 37+ active contributors
• Distributed ownership (top contributor 17% of recent commits)
• Apache-2.0 licensed
• CI configured
• Tests present
• ⚠ Stale — last commit 3y ago

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live cloudflare/wrangler-legacy repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/cloudflare/wrangler-legacy.

What it runs against: a local clone of cloudflare/wrangler-legacy — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in cloudflare/wrangler-legacy | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 1038 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of cloudflare/wrangler-legacy. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/cloudflare/wrangler-legacy.git
#   cd wrangler-legacy
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of cloudflare/wrangler-legacy and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "cloudflare/wrangler-legacy(\\.git)?\\b" \\
  && ok "origin remote is cloudflare/wrangler-legacy" \\
  || miss "origin remote is not cloudflare/wrangler-legacy (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Cargo.toml" \\
  && ok "Cargo.toml" \\
  || miss "missing critical file: Cargo.toml"
test -f "src/cli/mod.rs" \\
  && ok "src/cli/mod.rs" \\
  || miss "missing critical file: src/cli/mod.rs"
test -f "src/commands/mod.rs" \\
  && ok "src/commands/mod.rs" \\
  || miss "missing critical file: src/commands/mod.rs"
test -f "src/build/mod.rs" \\
  && ok "src/build/mod.rs" \\
  || miss "missing critical file: src/build/mod.rs"
test -f "src/commands/dev/mod.rs" \\
  && ok "src/commands/dev/mod.rs" \\
  || miss "missing critical file: src/commands/dev/mod.rs"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1038 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1008d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/cloudflare/wrangler-legacy"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Wrangler v1 is a deprecated CLI tool for developing, testing, and deploying Cloudflare Workers serverless functions written in JavaScript/WebAssembly. It provides commands to init projects, build and bundle code, preview locally via chrome-devtools-rs, manage KV stores, handle R2 object storage, and publish workers to Cloudflare's edge network. This repository is archived—active development has moved to cloudflare/workers-sdk. Pure Rust monorepo (edition 2018) organized as: src/cli/ contains command implementations (build.rs, dev.rs, init.rs, publish.rs, kv.rs, r2.rs, etc.), src/build/ handles bundling logic, npm/ wraps the Rust binary with Node.js installer scripts (binary-install.js, run-wrangler.js) for cross-platform distribution, and changelog-generator/ is a Node.js utility for release notes. Cargo.toml defines a single binary crate named 'wrangler'.

Cloudflare Workers developers who need a command-line interface to scaffold, develop locally, and deploy edge computing functions. Primarily used by full-stack JavaScript/TypeScript developers building serverless applications on Cloudflare's platform during the v1 era (pre-2022).

Mature but archived and deprecated. Wrangler v1 was the primary CLI from ~2018–2021 with active CI/CD via GitHub Actions (test.yml, lint.yml, release.yml, audit.yml), a full changelog, release checklist, and semantic versioning (1.21.0). However, the badge in Cargo.toml explicitly marks it maintenance = { status = "deprecated" }, and the README states it is no longer updated—production users should migrate to cloudflare/workers-sdk.

High risk for new adoption. This is an unmaintained archived repository; the last activity appears frozen, security patches are not applied (though audit.yml runs), and dependency drift is inevitable (Rust edition 2018, Cargo dependencies pinned to 2020–2021 versions like reqwest 0.11.3, tokio 1.5.0). Any critical bug or security issue in dependencies will not be fixed here. Use only for legacy systems already running Wrangler v1.

Nothing. This repository is archived and frozen. The README explicitly states 'This repository is for Wrangler version 1, which is deprecated and no longer updated.' No active PRs, commits, or issues should be expected. All ongoing work has been consolidated into cloudflare/workers-sdk.

git clone https://github.com/cloudflare/wrangler-legacy.git
cd wrangler-legacy
cargo build --release
./target/release/wrangler --help

Or install from npm (though deprecated):

npm install @cloudflare/wrangler -g

Daily commands:

cargo run -- init my-worker
cargo run -- build
cargo run -- dev
cargo run -- preview
cargo run -- publish

For development: cargo test runs the test suite (though test visibility is limited in file list). For release builds: cargo build --release.

• Cargo.toml — Root manifest defining wrangler v1 as a deprecated CLI tool with all dependencies; essential for understanding project scope and build configuration.
• src/cli/mod.rs — CLI command router and argument parsing entry point; all user interactions funnel through here via clap.
• src/commands/mod.rs — Core command implementations (dev, publish, kv, r2, etc.); the actual logic behind every CLI operation.
• src/build/mod.rs — Build system orchestration for compiling Rust→Wasm and bundling worker code; critical path for deployment.
• src/commands/dev/mod.rs — Local development server implementation; handles HTTP/HTTPS servers, file watching, and hot reload.
• src/commands/kv/mod.rs — Cloudflare KV namespace operations (create, delete, list, key operations); demonstrates Cloudflare API integration pattern.
• npm/binary-install.js — NPM package binary distribution logic; bridges compiled Rust binary to npm ecosystem for end users.

• CLI Argument Parser (src/cli/) (clap 2.x, StructOpt macros) — Validates user input, converts strings to typed command structs, prevents invalid arg combinations
  • Failure mode: Invalid args → early error message + help text; typos in subcommand → suggests alternatives
• undefined — undefined

Add a New CLI Subcommand

1. Create a new argument struct in src/cli/mycommand.rs following clap2 pattern (src/cli/mycommand.rs)
2. Add subcommand variant to StructOpt enum in src/cli/mod.rs (src/cli/mod.rs)
3. Implement async fn in src/commands/mycommand.rs matching the signature (src/commands/mycommand.rs)
4. Add match arm in src/commands/mod.rs to route and execute the command (src/commands/mod.rs)

Add a New Cloudflare API Integration

1. Create submodule in src/commands/myfeature/mod.rs with API call wrapper functions (src/commands/myfeature/mod.rs)
2. Use cloudflare crate client to make authenticated API calls (see src/commands/kv/namespace/) (src/commands/kv/namespace/mod.rs)
3. Add CLI args in src/cli/myfeature.rs (src/cli/myfeature.rs)
4. Wire into command router in src/commands/mod.rs (src/commands/mod.rs)

Extend the Development Server

1. Modify server config in src/commands/dev/server_config/mod.rs for new options (src/commands/dev/server_config/mod.rs)
2. Update HTTP/HTTPS handler in src/commands/dev/edge/server/mod.rs (src/commands/dev/edge/server/mod.rs)
3. Add file watch patterns in src/commands/dev/edge/watch.rs if new artifacts needed (src/commands/dev/edge/watch.rs)
4. Add dev CLI flags in src/cli/dev.rs (src/cli/dev.rs)

• Rust + Tokio async — Fast CLI with minimal overhead; async I/O for concurrent HTTP/file operations in dev server; small binary footprint for npm distribution
• clap 2.x for CLI parsing — Declarative command structure via StructOpt macros; automatically generates help text and validation
• cloudflare crate (v0.9.0) — Official Rust bindings for Cloudflare API; handles authentication, request formatting, and response parsing
• wasm-pack for Wasm compilation — Industry standard for Rust→WebAssembly; automates wasm-bindgen and dependency optimization
• npm + binary-install for distribution — Reach Node.js developers without requiring native Rust build; precompiled binaries reduce user install time

• Deprecated v1 in favor of new Workers SDK repository

  • Why: Monolithic CLI became hard to extend and maintain; new TypeScript-based SDK more flexible
  • Consequence: This repo is archived; new features only in workers-sdk; users must migrate to v2+ for support

• Single binary distribution via npm instead of per-platform packages

  • Why: Simpler maintenance; npm is Node.js standard; binary-install handles platform detection
  • Consequence: Users need npm/Node.js installed; slightly larger npm package footprint than bare binary

• Dev server runs locally (not in browser sandbox)

  • Why: Fast iteration; full Node.js/system access for debugging; matches local development pattern
  • Consequence: Differences between local dev and production edge environment; dev-only API access patterns

• Real-time synchronization of live worker changes (no hot code reload; requires restart)
• Support for non-Rust languages (Rust→Wasm only; no TypeScript, Python, or Go workers in v1)
• Deployment to non-Cloudflare platforms (API bindings hardcoded to Cloudflare)
• Full parity with Cloudflare Dashboard features (CLI covers major ops; some settings dashboard-only)

1. OAuth2 flow requires browser: wrangler login opens a browser for OAuth; may fail in headless CI environments without special handling.
2. chrome-devtools-rs is alpha: The dev subcommand uses chrome-devtools-rs v0.0.0-alpha.3, which may have stability issues.
3. OpenSSL optional dependency: On Windows or non-standard builds, the openssl dependency (marked optional in Cargo.toml line ~60) may require Perl and manual compilation.
4. Archived = no updates: The npm package @cloudflare/wrangler v1.21.0 is frozen; npm audit will show vulnerabilities due to stale dependencies (reqwest 0.11.3 from 2021, rustls 0.20.2, etc.).
5. Config file locations: Uses the dirs crate for home directory paths; behavior varies on Windows vs. Unix (e.g., ~/.config/wrangler on Linux, AppData on Windows).
6. Binary stripping: Release builds via npm use cargo build --release, which can be slow; CI/CD workflows in .github/workflows/ may have timeouts.

• Cloudflare Workers (Edge Computing) — Wrangler v1 is specifically designed to deploy and manage code that runs on Cloudflare's global edge network; understanding the Workers execution model (serverless at the edge, not in centralized regions) is essential for using this tool effectively
• OAuth2 / OpenID Connect — The wrangler login command uses oauth2 crate v4.1 to authenticate users against Cloudflare's identity provider; understanding this flow is critical for fixing auth issues or extending authentication logic
• TOML Configuration Format — Wrangler projects are configured via wrangler.toml files parsed by the config crate v0.11.0; knowing TOML syntax and how to structure [env] sections is fundamental to every wrangler v1 project
• Chrome DevTools Protocol (CDP) — The wrangler dev subcommand uses chrome-devtools-rs to provide local debugging and preview; familiarity with CDP helps troubleshoot the local development server and understand what's happening under the hood
• WebAssembly (WASM) + wasm-pack — Wrangler v1 was built to support deploying Rust/C++ code compiled to WASM as Cloudflare Workers; many projects mix JavaScript and WASM, requiring understanding of module formats and bundling
• Async/Await & Tokio Runtime — Wrangler's build and dev server logic is built on tokio (v1.5.0) for concurrent I/O; contributors must understand Rust futures and async patterns to modify core logic without introducing deadlocks or panics
• [KV Store (Key-Value Storage) & R2 (Object Storage)](https://developers.cloudflare.com/workers/runtime-apis/kv/ and https://developers.cloudflare.com/r2/) — Wrangler v1 provides CLI commands (kv.rs, r2.rs) to manage Cloudflare's durable storage backends; understanding these services' APIs and rate limits is necessary for storage-related features and bug fixes

• cloudflare/workers-sdk — Official successor to wrangler-legacy; active development of Wrangler v2+ and wrangler CLI with improved TypeScript support, CPTA, and modern tooling
• cloudflare/miniflare — Cloudflare Workers local development and testing environment that can be used alongside or instead of wrangler v1's dev mode for more realistic simulation
• cloudflare/serverless-framework-plugin — Serverless Framework plugin for deploying to Cloudflare Workers; alternative orchestration if wrangler v1 CLI doesn't fit your workflow
• cloudflare/wasm-workers-examples — Official examples repo showing WebAssembly and Rust patterns for Cloudflare Workers; useful reference for wrangler v1 projects using WASM
• cloudflare-labs/workers-sdk-next — Early experimental next-gen SDK and tooling for Workers; provides context on the roadmap that led wrangler-legacy to become archived

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add integration tests for src/cli/dev.rs development server functionality

The dev command is critical for local development but there are no visible integration tests for the development server. Given the complex setup in src/commands/dev/edge/server/ (http.rs, https.rs) and src/commands/dev/gcs/, adding tests would catch regressions in hot-reload, file watching, and server startup scenarios that affect all users.

• [ ] Create tests/dev_server_integration.rs with test cases for HTTP/HTTPS server startup
• [ ] Add tests for src/commands/dev/edge/watch.rs file watching behavior
• [ ] Test edge server routing in src/commands/dev/edge/server/http.rs with various request types
• [ ] Run tests in CI by adding test step to .github/workflows/test.yml

Add missing CLI argument validation tests for KV and R2 commands

src/cli/kv.rs and src/cli/r2.rs contain subcommands for data management but lack unit tests for argument validation and error handling. These commands directly touch user data, making validation tests critical for preventing accidental data loss or misconfiguration.

• [ ] Create tests/cli_kv_validation.rs testing KV command argument parsing (binding names, namespaces, keys)
• [ ] Create tests/cli_r2_validation.rs testing R2 command argument parsing (bucket names, paths)
• [ ] Add tests for invalid/missing required arguments in both command sets
• [ ] Verify error messages are user-friendly for common mistakes

Document and add tests for the wrangler config file precedence system in src/cli/config.rs

The config.rs file handles loading from multiple sources (wrangler.toml, environment variables, etc.) but the precedence rules aren't tested or documented. This is a source of user confusion. Adding tests would clarify behavior and prevent regressions.

• [ ] Create tests/config_precedence.rs with tests for environment variable override behavior
• [ ] Test config loading order: CLI args > env vars > wrangler.toml > defaults
• [ ] Add test cases for inheritance in nested config structures
• [ ] Document the precedence rules in CONTRIBUTING.md with examples from the tests

• Add integration tests for src/cli/kv.rs and src/cli/r2.rs: The codebase has GitHub Actions CI but the test suite coverage is opaque from the file list. Writing tests for KV and R2 command handlers (create, delete, get, put operations) would validate the cloudflare crate v0.9.0 integration.
• Document wrangler.toml schema in-code comments: src/cli/config.rs defines Project, Environment, Route structs via serde but lacks inline documentation. Adding rustdoc comments to each field (e.g., /// Account ID from Cloudflare dashboard) would help new users understand configuration.
• Improve error messages for missing authentication: src/cli/publish.rs and login.rs interact with OAuth2, but error messages when auth fails are likely cryptic. Enhance error context and add hints (e.g., 'Run wrangler login first') to match modern CLI UX standards.

• High · Deprecated Project - No Active Maintenance — Repository root (README.md, badges in Cargo.toml). This repository is archived and deprecated. Wrangler v1 is no longer maintained or updated. Users are directed to use the Workers SDK repository instead. Security vulnerabilities discovered in this codebase will not receive patches. Fix: Migrate to the actively maintained Wrangler v2 in the Workers SDK repository (https://github.com/cloudflare/workers-sdk). Do not use Wrangler v1 in production environments.
• High · Outdated Rust Dependencies with Known Vulnerabilities — Cargo.toml, Cargo.lock. Multiple dependencies have pinned versions that are significantly outdated (e.g., hyper 0.14.7, rustls 0.20.2, openssl 0.10.35). These versions likely contain known CVEs. The project uses cargo-audit (as seen in .cargo/audit.toml) but cannot receive updates due to deprecation status. Fix: Update all dependencies to their latest versions. Critical: update rustls, openssl, and hyper. However, given the deprecated status, consider migrating to the actively maintained version instead.
• High · Incomplete Dependency Declaration — Cargo.toml (tokio-native-tls dependency). The tokio dependency declaration in Cargo.toml is truncated/incomplete: 'tokio-native-tls = "0.' appears to be cut off, suggesting the dependency file may be corrupted or improperly maintained. Fix: Complete and validate the Cargo.toml file. Ensure all dependencies are properly specified with complete version constraints. Run 'cargo check' to validate the manifest.
• Medium · HTTP Server with Implicit Security Configuration — src/commands/dev/edge/server/, src/commands/dev/gcs/server/. The codebase contains HTTP server implementations (src/commands/dev/edge/server/http.rs and https.rs, src/commands/dev/gcs/server/). While HTTPS support exists, the default protocol configuration and security headers handling should be reviewed. Fix: Review and document default security configurations for development servers. Ensure security headers (HSTS, CSP, etc.) are properly set when applicable. Validate TLS certificate handling in src/commands/dev/tls/certs.rs.
• Medium · OAuth2 Implementation Without Visible Token Storage Protection — src/cli/login.rs, oauth2 dependency in Cargo.toml. The codebase integrates oauth2 (version 4.1) and includes login functionality (src/cli/login.rs). Token storage mechanisms and security handling are not visible in the file structure provided. Improper token storage could lead to credential exposure. Fix: Verify that authentication tokens are: 1) Encrypted at rest, 2) Properly scoped with short expiration times, 3) Cleared on logout, 4) Never logged or exposed in debug output. Review credential storage against OWASP guidelines.
• Medium · File System Operations Without Visible Path Validation — src/build/, src/commands/, src/cli/. The codebase handles file operations (build, publish, kv commands) and file watching mechanisms without clearly visible input validation in the file structure. Path traversal vulnerabilities could exist. Fix: Implement strict path validation for all file operations. Use canonicalization to prevent path traversal attacks. Validate user-provided paths against allowed directories.
• Medium · Unvalidated Configuration File Parsing — src/cli/config.rs, config dependency in Cargo.toml. The config dependency supports multiple formats (TOML, JSON, YAML, INI) without visible schema validation in the file structure. Malicious configuration files could potentially execute unintended code. Fix: Implement strict schema validation for all supported configuration formats. Use whitelist-based validation. Avoid deserializing untrusted configuration to arbitrary types. Consider using a single canonical format.
• Low · Potential Credential Exposure in Node.js NPM Wrapper — undefined. The npm wrapper (npm/binary-install.js, npm/install-wrangler.js) downloads and executes binary files. While the implementation appears to use checksums, the security model should be thoroughly reviewed. Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.