fix(cloudflare): harden varlock-wrangler FIFO server against CI races

[theoephraim]

Summary

Adds a readiness handshake to the FIFO server child used by varlock-wrangler deploy / versions upload / dev / types so the parent doesn't spawn the downstream consumer (wrangler) before the child is actually serving content. Closes the most likely cause of #739.

The reported symptom in Linux/Docker CI is:

The contents of "/tmp/varlock-secrets-..." is not valid.

That error fires in wrangler's parseBulkInputToObject (in secret/index.ts) only when readFileSync returns content that is neither valid JSON nor parseable as a non-empty dotenv file — i.e. empty or truncated. The most plausible path to that under our FIFO-based flow is a race where wrangler opens the FIFO before the FIFO server child has even reached its first writeFileSync call.

Changes

• Readiness handshake. The child now opens fd 3 as a control pipe and writes ready\n after buffering content and immediately before its first (blocking) writeFileSync. startServing() returns a promise that resolves on that signal. handleDeploy, handleTypes, and handleDev await it before spawning wrangler. handle.update() in dev mode also awaits, so wrangler restarts don't race against the new FIFO server.
• Stop swallowing child errors. Previously the child did catch { process.exit(); } on write failure, hiding any EPIPE/ENXIO/etc. Now write errors are sent back to the parent over fd 3 (with iteration number + error code) and written to the child's stderr, which is forwarded to the parent's stderr.
• Fix latent UTF-8 corruption. content += d on a Buffer calls toString() per chunk; if a chunk boundary splits a multi-byte character, the result is silently corrupted. Switched to Buffer.concat(chunks).toString('utf8').

Why this is probably it (without a local repro)

I tried to reproduce on agent-ci with the same overlay-FS environment the reporter uses — 64KB payload, 13 chunks, repeated runs — and could not. The race condition this PR fixes is timing-sensitive and depends on factors that can vary between CI environments (CPU pressure, container scheduling, base image). The child error surfacing is just as important as the handshake: if this PR doesn't fully resolve the issue, the reporter's next failure will now produce a usable error log instead of silently bad data.

Test plan

• bun run --filter @varlock/cloudflare-integration build passes (DTS clean)
• bun run test:cloudflare in framework-tests: 66/66 passing (includes wrangler dev path which exercises the FIFO+update flow)
• bun run lint clean
• Manual smoke test: varlock-wrangler deploy --dry-run with a 13-chunk (~65KB) __VARLOCK_ENV payload completes cleanly. New FIFO serve ready debug log appears at the expected point.
• Reporter from @varlock/cloudflare-integration: varlock-wrangler deploy can pass invalid --secrets-file contents when using FIFO in CI #739 to try the preview build

[github-actions]

The changes in this PR will be included in the next version bump.

Patch releases

• @varlock/cloudflare-integration 1.1.4 → 1.1.5

Bump files in this PR

• cloudflare-wrangler-fifo-readiness.md (view diff) (edit)

Click here if you want to add another bump file to this PR

---

This comment is maintained by bumpy.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/varlock@743

npm i https://pkg.pr.new/@varlock/cloudflare-integration@743

npm i https://pkg.pr.new/@varlock/vite-integration@743

commit: 998fb48