mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-25 11:02:03 +00:00

feat(skills): add cloudflare-temporary-deploy optional skill (#50849 )

* chore: re-trigger CI (workflows did not dispatch on prior head)

* feat(skills): add cloudflare-temporary-deploy optional skill

Optional web-development skill teaching the agent to deploy a Worker to a
live workers.dev URL with no Cloudflare account via 'wrangler deploy
--temporary' (Wrangler 4.102.0+). Cloudflare provisions a throwaway,
claimable account valid for 60 minutes — ideal for an autonomous
write->deploy->verify loop with no OAuth/signup hard stop.

- SKILL.md: when/when-not, prereqs (unauth requirement, version floor),
  step-by-step deploy + verify flow, product limits table, pitfalls
  (hidden flag, stale global wrangler, auth-present error, rate limits,
  workers.dev edge cache), verification.
- scripts/parse_deploy_output.py: stdlib-only parser extracting live URL,
  claim URL, account name/state, expiry, deploy status from wrangler output.
- tests/skills/test_cloudflare_temporary_deploy_skill.py: 16 tests incl.
  a real-output regression case.

Verified live end-to-end: temporary account created with no creds,
deployed to a live URL, curl confirmed body, redeploy reused the account.

2026-06-22 12:14:30 -07:00

7.3 KiB

Raw Blame History

name

description

version

author

license

platforms

metadata

cloudflare-temporary-deploy

Deploy a Worker live, no account, via wrangler --temporary.

1.0.0

Hermes Agent

MIT

linux

macos

windows

hermes

Cloudflare Temporary Deploy Skill

Deploy a Cloudflare Worker to a live workers.dev URL with zero account setup, using wrangler deploy --temporary. Cloudflare provisions a throwaway account, deploys, and prints a claim URL valid for 60 minutes; unclaimed accounts auto-delete. This gives an agent a tight write → deploy → verify loop without any OAuth, signup, or token copy-paste.

This skill does NOT cover production deploys (use wrangler login + a permanent account for those), nor non-Worker Cloudflare products beyond the temporary-account limits below.

When to Use

Load this skill when the user wants to:

Ship agent-written code to a live URL without first creating a Cloudflare account — "deploy this and give me a link"
Iterate in a background/autonomous session where a browser OAuth step would be a hard stop
Prototype or evaluate Workers quickly with a throwaway, claimable target
Build a self-verifying deploy loop — deploy, curl the live URL, confirm output matches the code, redeploy

When NOT to Use

Production or CI/CD → use a permanent account (wrangler login or CLOUDFLARE_API_TOKEN). --temporary errors out if any credential is present.
Wrangler is already authenticated → --temporary returns an error by design. Run wrangler logout first only if the user explicitly wants a throwaway deploy.
Long-lived hosting → temporary deployments are deleted after 60 minutes unless claimed.

Prerequisites

Wrangler 4.102.0 or later. This is the version that introduced --temporary. Earlier versions do not have it. Verify with npx wrangler@latest --version.
Node 18+ / npm (or npx, yarn, pnpm). No global install needed — npx wrangler@latest works.
No Cloudflare credentials present. --temporary only works when Wrangler is unauthenticated: no OAuth login, no CLOUDFLARE_API_TOKEN / CLOUDFLARE_API_KEY env var, no ~/.wrangler / ~/.config/.wrangler cached OAuth. Use the terminal tool's environment as-is; do not set those vars.
Network egress to cloudflare.com and workers.dev.
Using --temporary accepts Cloudflare's Terms of Service and Privacy Policy.

How to Run

Use the terminal tool for every step. Always pin the version (wrangler@latest or wrangler@4.102.0 or newer) so you don't accidentally run an old global wrangler that lacks the flag.

Scaffold a minimal Worker (skip if the project already exists). A Worker needs a wrangler.toml (or wrangler.jsonc) and an entry script. Minimal TypeScript example — write these with write_file:

wrangler.jsonc:

{
  "name": "hello-agent",
  "main": "src/index.ts",
  "compatibility_date": "2025-01-01"
}

src/index.ts:

export default {
  async fetch(): Promise<Response> {
    return new Response("hello cloudflare");
  },
};

Deploy with --temporary from the project directory:
```
npx wrangler@latest deploy --temporary
```
The proof-of-work check adds a short automatic delay. On success Wrangler prints an Account: <name> (created) (or (reused)) line, a Claim URL, and the live https://<worker>.<account>.workers.dev URL.
Parse the URLs from that output. Run the helper to extract them reliably instead of eyeballing:
```
npx wrangler@latest deploy --temporary 2>&1 | python3 scripts/parse_deploy_output.py
```
(Resolve scripts/parse_deploy_output.py to this skill's absolute path.) It prints JSON: {"live_url", "claim_url", "account", "account_state", "expires_minutes", "deployed"}.
Verify the deploy is actually live — do not trust the deploy log alone. curl the live URL and confirm the body matches what the code returns:
```
curl -sS <live_url>
```
Iterate. Edit the code, redeploy with the same npx wrangler@latest deploy --temporary. Within the 60-minute window Wrangler reuses the cached temporary account (Account: <name> (reused)), so the URL stays stable. curl again to confirm the change.
Hand the claim URL to the user. Tell them: open it within 60 minutes to keep the deployment and any resources; if they don't claim it, everything auto-deletes. Treat the claim URL as a secret — it grants ownership of the account.

Quick Reference

Step	Command
Check version (need 4.102.0+)	`npx wrangler@latest --version`
Deploy (no account)	`npx wrangler@latest deploy --temporary`
Deploy + parse URLs	`npx wrangler@latest deploy --temporary 2>&1 \| python3 scripts/parse_deploy_output.py`
Verify live	`curl -sS <live_url>`
Clear cached temp account	`npx wrangler@latest logout`

Temporary account product limits

Product	Limit on a temporary account
Workers	Deploys to `workers.dev`
Static Assets	Up to 1,000 files, 5 MiB each
KV	Allowed
D1	1 database, 100 MB per DB / 100 MB total
Durable Objects	Allowed
Hyperdrive	2 configs, 10 connections
Queues	Up to 10
SSL/TLS certs	Allowed

Pitfalls

--temporary is not in wrangler deploy --help and is not a global flag. It is intentionally hidden and surfaced dynamically: when an unauthenticated wrangler deploy fails, Wrangler prints "rerun with --temporary". Don't conclude the flag is missing just because --help omits it — check the version instead.
Old global wrangler. A stale globally-installed wrangler (< 4.102.0) silently lacks the flag. Always invoke npx wrangler@latest (or a pinned >=4.102.0) so you control the version.
Auth present → hard error. If wrangler login was ever run, or CLOUDFLARE_API_TOKEN/CLOUDFLARE_API_KEY is set, --temporary errors. Either unset the var for this shell or wrangler logout. Never strip a user's real credentials without telling them.
Rate limiting. Creating temporary accounts too fast fails. Reuse the cached account (just redeploy) within the 60-minute window instead of forcing a new one; if rate-limited, wait or use a permanent account.
60-minute hard expiry, not extendable. If the deploy must outlive an hour, the user must claim it. Surface this clearly.
curl may briefly serve the old body after a redeploy. workers.dev has a short edge cache; the (reused) line plus a new Current Version ID confirm the deploy succeeded even if curl shows stale content for a few seconds. Re-curl, or add a cache-busting query string, before concluding a redeploy failed.
Don't log the claim URL into shared transcripts as "just a link." It is credential-equivalent.

Verification

npx wrangler@latest --version returns >= 4.102.0.
npx wrangler@latest deploy --temporary prints a workers.dev live URL and a claim-preview?claimToken= claim URL.
curl -sS <live_url> returns the exact body the Worker code produces.
A second deploy reports Account: <name> (reused) and the live URL is unchanged.
The parser script's self-test passes: python3 scripts/parse_deploy_output.py --selftest.

7.3 KiB Raw Blame History