cloudflare

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cloudflare Infrastructure Operations

Cloudflare基础设施操作

Manage Cloudflare services: Workers, KV, R2, D1, Hyperdrive, Observability, Builds, and Audit Logs.

MCP is optional. This skill works with MCP (auto), Wrangler CLI, or Dashboard. See BACKENDS.md for execution options.

管理Cloudflare服务：Workers、KV、R2、D1、Hyperdrive、可观测性、构建及审计日志。

MCP为可选组件。该技能可搭配MCP（自动模式）、Wrangler CLI或Dashboard使用。执行选项详情请参阅BACKENDS.md。

Permission Tiers

权限层级

Tier	Purpose	Scope	Risk Control
Diagnose	Read-only/query/troubleshoot	Observability, Builds, Audit	Default entry, no writes
Change	Create/modify/delete resources	KV, R2, D1, Hyperdrive	Requires confirmation + verification
Super Admin	Highest privileges	All + Container Sandbox	Only in isolated/test environments

层级	用途	范围	风险控制
诊断	只读/查询/故障排查	可观测性、构建、审计	默认入口，无写入权限
变更	创建/修改/删除资源	KV、R2、D1、Hyperdrive	需确认+验证
超级管理员	最高权限	所有服务 + 容器沙箱	仅用于隔离/测试环境

Security Rules

安全规则

Read Operations

读取操作

Define scope first — account / worker / resource ID
No account set? — List accounts first, then set active
Evidence required — Conclusions must have logs/screenshots/audit records

先定义范围 — 账户 / Worker / 资源ID
未设置账户？ — 先列出账户，再设置活跃账户
需提供证据 — 结论必须附带日志/截图/审计记录

Write Operations (Three-step Flow)

写入操作（三步流程）

1. Plan: Read current state first (list/get)
2. Confirm: Output precise change (name/ID/impact), await user confirmation
3. Execute: create/delete/update
4. Verify: audit logs + observability confirm no new errors

1. 规划：先读取当前状态（列出/获取）
2. 确认：输出精确变更内容（名称/ID/影响范围），等待用户确认
3. 执行：创建/删除/更新
4. 验证：通过审计日志 + 可观测性确认无新错误

Prohibited Actions

禁止操作

❌ Execute create/delete/update without confirmation
❌ Delete production resources (unless user explicitly says "delete production xxx")
❌ Use Super Admin privileges in non-isolated environments
❌ Use container sandbox as persistent environment

❌ 未确认就执行创建/删除/更新操作
❌ 删除生产环境资源（除非用户明确说明“删除生产环境xxx”）
❌ 在非隔离环境使用超级管理员权限
❌ 将容器沙箱用作持久化环境

Operation Categories

操作分类

Diagnose Tier (Read-only)

诊断层级（只读）

Category	What You Can Do
Observability	Query worker logs/metrics, discover fields, explore values
Builds	List build history, get build details, view build logs
Browser	Fetch page HTML, convert to markdown, take screenshots
Audit	Pull change history by time range
Workers	List workers, get details, view source code

分类	可执行操作
可观测性	查询Worker日志/指标、发现字段、探索数值
构建	列出构建历史、获取构建详情、查看构建日志
浏览器	获取页面HTML、转换为markdown、截图
审计	按时间范围拉取变更历史
Workers	列出Workers、获取详情、查看源代码

Change Tier (Write Operations)

变更层级（写入操作）

Resource	Operations
KV	List, get, create ⚠️, update ⚠️, delete ⚠️
R2	List, get, create ⚠️, delete ⚠️
D1	List, get, query, create ⚠️, delete ⚠️
Hyperdrive	List, get, create ⚠️, edit ⚠️, delete ⚠️

⚠️ = Requires confirmation

资源	可执行操作
KV	列出、获取、创建 ⚠️、更新 ⚠️、删除 ⚠️
R2	列出、获取、创建 ⚠️、删除 ⚠️
D1	列出、获取、查询、创建 ⚠️、删除 ⚠️
Hyperdrive	列出、获取、创建 ⚠️、编辑 ⚠️、删除 ⚠️

⚠️ = 需确认

Super Admin Tier (Container Sandbox)

超级管理员层级（容器沙箱）

Temporary container for isolated tasks (~10 min lifecycle):

Initialize, execute commands, read/write/delete files
Use for: running tests, reproducing issues, parsing data
NOT for: persistent state, production workloads

用于隔离任务的临时容器（生命周期约10分钟）：

初始化、执行命令、读写/删除文件
适用场景：运行测试、复现问题、解析数据
禁止场景：持久化状态、生产环境工作负载

Common Workflows

常见工作流

Troubleshooting Flow

故障排查流程

1. Clarify symptoms → worker name / time range / error type
2. Query observability to pull logs/metrics
3. If build-related → get build logs
4. If page-related → take screenshot to reproduce
5. Trace changes → pull audit logs
6. Summarize: root cause + evidence + fix recommendations

1. 明确症状 → Worker名称 / 时间范围 / 错误类型
2. 查询可观测性拉取日志/指标
3. 若与构建相关 → 获取构建日志
4. 若与页面相关 → 截图复现问题
5. 追踪变更 → 拉取审计日志
6. 总结：根因 + 证据 + 修复建议

Resource Management Flow

资源管理流程

1. List accounts → set active account
2. List resources (KV / R2 / D1)
3. Plan changes → present to user
4. Execute after confirmation
5. Verify: audit logs + observability shows no errors

1. 列出账户 → 设置活跃账户
2. 列出资源（KV / R2 / D1）
3. 规划变更内容 → 提交给用户
4. 确认后执行
5. 验证：审计日志 + 可观测性显示无错误

Output Format

输出格式

Language: English
Structure: Conclusion → Key data/evidence → Tool call summary → Next steps
Write operations: Must clearly list operations and impact scope

Example:

✅ Investigation complete: worker `api-gateway` experienced 5xx spike between 18:00-18:30

Root cause: New code deployed threw TypeError when processing /v2/users
Evidence:
- Logs: 18:02 first occurrence of "Cannot read property 'id' of undefined"
- Audit: 18:00 user dev@example.com deployed new version
- Metrics: error_rate jumped from 0.1% to 12%

Recommendation: Roll back to previous version, or fix /v2/users handler

语言：英文
结构：结论 → 关键数据/证据 → 工具调用摘要 → 下一步操作
写入操作：必须清晰列出操作内容及影响范围

示例：

✅ 排查完成：Worker `api-gateway`在18:00-18:30期间出现5xx错误峰值

根因：部署的新代码在处理/v2/users时抛出TypeError
证据：
- 日志：18:02首次出现“Cannot read property 'id' of undefined”
- 审计：18:00用户dev@example.com部署了新版本
- 指标：错误率从0.1%跃升至12%

建议：回滚到上一版本，或修复/v2/users处理逻辑

File-based Pipeline

基于文件的流水线

When integrating into multi-step workflows:

runs/<workflow>/active/<run_id>/
├── proposal.md                # Symptoms/objectives
├── context.json               # Account/worker/resource/time_range
├── tasks.md                   # Checklist + approval gate
├── evidence/observability.md
├── evidence/audit.md
├── evidence/screenshots/
├── evidence/change-plan.md    # Write operations written here first
├── evidence/report.md         # Conclusion + evidence + next steps
└── logs/events.jsonl          # Optional tool call summary

集成到多步骤工作流时：

runs/<workflow>/active/<run_id>/
├── proposal.md                # 症状/目标
├── context.json               # 账户/Worker/资源/时间范围
├── tasks.md                   # 检查清单 + 审批节点
├── evidence/observability.md
├── evidence/audit.md
├── evidence/screenshots/
├── evidence/change-plan.md    # 写入操作需先在此处记录
├── evidence/report.md         # 结论 + 证据 + 下一步操作
└── logs/events.jsonl          # 可选：工具调用摘要

Error Handling

错误处理

Situation	Action
Account not set	Run accounts_list → set_active_account first
Resource doesn't exist	Verify ID/name, list available resources
Insufficient permissions	Explain required permissions, check API token scope
Observability query too broad	Split into smaller time ranges

场景	操作
未设置账户	先执行accounts_list → 设置active_account
资源不存在	验证ID/名称，列出可用资源
权限不足	说明所需权限，检查API令牌范围
可观测性查询范围过广	拆分为更小的时间范围