Testing Bindings

Test Secrets Store the way Devflare expects it to run

Secrets Store bindings let Workers read account-level secrets without storing secret values in code.

Test Secrets Store by choosing the local harness that matches the product boundary instead of reaching for Cloudflare by default.

The first test should prove application control flow. Escalate to Wrangler remote binding or deployed tests only when the Cloudflare-hosted behavior is the thing under test.

Best for: shared account secrets that should be referenced by store id and secret name instead of copied into config
Default harness: or
Escalate when: The assertion depends on Cloudflare-hosted product behavior rather than the app calling the binding correctly

Start with the default test loop

Keep the first test small. Name the binding, call the one method your route uses, and assert the behavior your app owns.

When Cloudflare owns the interesting behavior, mark that as a remote/deployed lane instead of building a local fake that claims too much.

Fixture a Secrets Store value offline

import { expect, test } from 'bun:test'

import { createOfflineEnv } from 'devflare/test'

import config from '../devflare.config'

test('reads a fixed offline secret', async () => {

const env = createOfflineEnv(config, {

secretsStore: {

API_TOKEN: 'test-token'

}

})

expect(await env.API_TOKEN.get()).toBe('test-token')

})

The helper surface to remember

Use or for config-backed local worker tests.
Use / for pure unit tests.
Use or an explicit integration lane when the test needs Cloudflare credentials or a local Docker/Podman engine.

When to move beyond the default harness

Cloudflare owns remote account secret provisioning and sync; Devflare reads only project-local secret values unless you deploy or test against Cloudflare.
Do not let a low-fidelity mock become product documentation. Keep mocks framed as application-flow tools.
If a test would mutate paid or remote Cloudflare state, gate it separately from ordinary unit tests.

Local tests should be honest

For Secrets Store, passing locally means the Devflare contract and app flow are correct. It does not automatically prove every hosted Cloudflare behavior.

Secrets Store internals

Secrets Store compiles from to Wrangler , with local/test behavior called out explicitly.

Secrets Store example

A compact Secrets Store recipe with config and worker usage in one application path.