emily-shen

This commit provides a **bug fix** for the **membership verification logic** within the **GitHub Actions workflows** `bonk-pr-review.yml` and `bonk.yml`. It addresses an issue where these workflows incorrectly relied on `author_association` for determining Cloudflare organization membership. The change involves **removing the unreliable `author_association` condition** and introducing a new, explicit step to verify Cloudflare organization membership for both PR authors and comment authors. This ensures that the "bonk" functionality correctly identifies internal contributors, improving the reliability of **automated workflow execution** and preventing erroneous behavior.

This commit introduces **full R2 support** to the **local explorer UI** and its underlying `miniflare` backend, providing a **new capability** for developers to manage Cloudflare R2 buckets and objects directly within their local development environment. The `local-explorer-ui` now features dedicated routes, components for object listing (`R2ObjectTable`) and uploading (`R2UploadDialog`), and sidebar navigation for R2 resources. Concurrently, `miniflare` integrates R2 API endpoints (list, get, put, delete) and resource handlers, along with updated OpenAPI definitions. This significantly enhances the developer experience by allowing visual interaction with R2 storage, complete with comprehensive testing and fixture updates for R2 functionality.

This commit **enables the local explorer feature by default** within the `wrangler dev` environment, removing the need for users to explicitly set an environment variable. Specifically, it modifies `packages/workers-utils` to change the default value of `X_LOCAL_EXPLORER` from `false` to `true`. The `packages/wrangler` hotkey logic is updated to reflect this always-on state, and several **test suites** in `fixtures/interactive-dev-tests` and `fixtures/worker-with-resources` are **refactored** to remove the now-redundant `X_LOCAL_EXPLORER=true` condition. This **feature enablement** streamlines the developer experience by making the local explorer readily accessible without additional configuration.

This commit implements a **critical security fix** for the **Miniflare local explorer**, specifically addressing **host and origin header validation**. It introduces new functions like `validateLocalExplorerRequest` and `isHostnameAllowed` within `packages/miniflare/src/workers/core/entry.worker.ts` to ensure these security checks are performed *before* any header rewriting. This **refactoring** relocates and enhances validation logic from `explorer.worker.ts` to the core entry point, preventing potential header spoofing or unauthorized access to the local explorer API. The **bug fix** significantly improves the **security and robustness** of the local development environment. Comprehensive new test cases were added to verify correct behavior across various host/routing configurations and subdomain blocking.

This commit **refactors** the **`local-explorer-ui`** package by **migrating its user interface components from the deprecated `@base-ui` library to the modern `@cloudflare/kumo` design system**. This involved updating numerous components such as `Button`, `Breadcrumbs`, `Menu`, and `Table` within files like `AddKVForm.tsx`, `KVTable.tsx`, and various route definitions. The change ensures the **Local Explorer UI** now leverages the latest Kumo components, improving consistency, maintainability, and aligning with current design standards. Additionally, the `TableSelect` component was extracted into a shared module for enhanced reusability across routes.

This commit **quarantines the end-to-end tests** for the **SolidJS framework** within the `create-cloudflare` project. It performs **test management** by modifying the `packages/create-cloudflare/e2e/tests/frameworks/test-config.ts` file to set `quarantine: true` for Solid's configuration in both `getFrameworkTestConfig` and `getExperimentalFrameworkTestConfig`. This **maintenance** change effectively **disables the execution of SolidJS E2E tests**, preventing them from running in standard and experimental test suites. The immediate impact is that these tests will no longer block CI/CD pipelines, allowing for further investigation or fixes to the SolidJS integration.

This commit introduces **cross-process support** to the **Miniflare local explorer**, a significant **new capability** that allows it to aggregate and display resources from multiple concurrently running Miniflare instances. It enables a unified view of **KV, D1, and Durable Object resources** across different workers, greatly enhancing the developer experience for multi-worker projects. The implementation involves adding a new `/core/dev-registry` endpoint for instance discovery, developing core aggregation logic in `packages/miniflare/src/workers/local-explorer/aggregation.ts`, and updating resource drivers (`d1.ts`, `do.ts`, `kv.ts`) to proxy and aggregate data. Additionally, it includes **refactoring** of D1 API calls, updating OpenAPI specifications to remove pagination, and adding comprehensive **new tests** to validate the cross-process functionality. This ensures that all simulated Cloudflare resources are discoverable and manageable from a single explorer interface, regardless of which Miniflare process they belong to.

This commit introduces **CORS and host header validation** to the **Miniflare local explorer API**, enhancing its security posture. It implements new middleware within `explorer.worker.ts` to restrict incoming requests, ensuring that only local origins are permitted and properly handling CORS preflight requests. This **new security feature** prevents unauthorized external access and mitigates potential DNS rebinding attacks, thereby safeguarding the local development environment. Comprehensive test cases have been added to verify the correct behavior, including local origin allowance, external origin blocking, and proper preflight response handling.

This commit introduces a **new automated code reviewer** named 'bonk' to the project, representing a **new capability** for code quality assurance. It adds new **GitHub Actions workflows** (`bonk-pr-review.yml`, `bonk.yml`) to automatically trigger 'bonk' for pull request reviews upon opening, and also via issue or pull request review comments. Additionally, documentation for the 'bonk' reviewer, outlining its restrictions and output rules, is included in `.github/bonk_reviewer.md`. This integration significantly enhances the project's **CI/CD and automated review processes** by providing an additional layer of automated feedback.

This commit refines the E2E testing infrastructure by skipping specific `create-cloudflare` tests on forks and improving R2 bucket cleanup. It's an isolated change to the testing environment with no production impact.

This commit introduces a new capability to the automated changeset review CI/CD workflow by integrating "opencode". This will alter how changesets are reviewed and processed within the repository.

This commit fixes the GitHub Actions workflow responsible for issue triaging. It ensures the internal automation for issue management functions as intended, with no direct impact on user-facing features.

This commit introduces a new `ask-bonk` automated process within the CI/CD workflows, adding a new capability for development automation. This change is isolated to CI/CD and has no direct impact on production code.

This change introduces a new `/query` endpoint to Miniflare's local explorer, enabling direct introspection of Durable Object SQLite databases. This provides a significant new capability for developers to debug and inspect their Durable Objects during local development.

This commit introduces initial DigitalOcean (DO) API support to the Miniflare local explorer, enhancing Miniflare's capabilities for local development and integrating with Wrangler's dev worker proxy.

This commit introduces a new KV prefix search capability within the local explorer UI, significantly improving the ability for users to manage and locate KV keys. This enhances the usability of the local development environment for KV store interactions.

This commit refactors the `local-explorer-ui` module to enhance its compatibility with the Kumo platform. This is an isolated internal change, preparing the UI for future integration or deployment without directly impacting current user functionality.

This commit introduces a new capability for Miniflare, enabling it to directly serve the local explorer UI. This significantly changes the deployment and access mechanism for the local explorer UI, integrating it more tightly with the Miniflare runtime.

This is an isolated visual change to the favicon of the local explorer UI; it has no functional impact on the application or downstream services.

This is an isolated maintenance fix for the `local-explorer-ui` package, correcting out-of-sync generated API and route definition files. It ensures the UI's internal code reflects the latest source, preventing potential inconsistencies.