// Non-interactive wrangler OAuth login using playwriter to automate the Cloudflare consent flow in the user's browser. Use when wrangler auth is expired ("Failed to fetch auth token: 400 Bad Request") or when `wrangler whoami` fails. Delegate to a subagent Task to save context.
Tailwind CSS v4 conventions, dark mode with @variant dark, and CSS-based configuration (no tailwind.config.js). ALWAYS load this skill before editing any Tailwind styles, markup, or CSS in a Tailwind project.
Drizzle ORM conventions and best practices for TypeScript projects. Covers namespace imports, Prisma-like query API, object-style where filters, schema design (ULIDs, cascade deletes, indexes, enums over bools), Zod schema generation, type inference, transactions, migrations, and driver setup for Cloudflare Durable Objects (via sqlite-proxy), libSQL/Turso, Postgres via Hyperdrive, and Cloudflare D1. ALWAYS load this skill when a repo uses drizzle-orm.
Read tweets and threads from X (Twitter). Use when the user shares an x.com or twitter.com URL and wants to read a post or thread. Covers single-tweet extraction via oEmbed (no auth, instant) and full thread reading via Playwriter.
Best practices for generating JSON Schema from Zod v4 schemas using z.toJSONSchema(). Covers target versions, metadata registries, override callbacks, io modes, transform handling, regen-check tests, and serving schemas as HTTP routes. Load this skill when converting Zod schemas to JSON Schema or building schema generation scripts.
Authentication and authorization with better-auth in Spiceflow and TypeScript apps. Covers server config with Drizzle adapter (Postgres and SQLite), Spiceflow middleware for forwarding auth requests, client setup, session middleware, social and email/password auth, server-side session checks, and React client hooks (useSession, signIn, signOut, signUp). Also covers device authorization (CLI device flow), bearer token auth, and server actions with auth. ALWAYS load this skill when a project uses better-auth.
Cloudflare Workers and Durable Objects conventions for TypeScript projects. Covers wrangler.jsonc configuration, type-safe env via `wrangler types` and `import { env } from 'cloudflare:workers'`, secrets.required for typed secrets, custom_domain for routing, preview/production environments, deploy scripts, Durable Objects with SQLite, and Spiceflow as the web framework with Vite. ALWAYS load this skill when a project uses wrangler, Cloudflare Workers, Durable Objects, or deploys to Cloudflare. Load it before writing any wrangler config, worker code, or deploy scripts.
| name | wrangler-login |
| description | Non-interactive wrangler OAuth login using playwriter to automate the Cloudflare consent flow in the user's browser. Use when wrangler auth is expired ("Failed to fetch auth token: 400 Bad Request") or when `wrangler whoami` fails. Delegate to a subagent Task to save context. |
Automate wrangler login when the OAuth token is expired and the agent
cannot run interactive commands. Uses playwriter to click through the
Cloudflare consent page in the user's existing Chrome session.
The user must already be logged in to Cloudflare in their browser before you attempt this flow. The Cloudflare OAuth consent page is protected by a Turnstile captcha that agents cannot bypass. If the user is not logged in, Cloudflare will show a login page with Turnstile, and the automation will fail.
If Cloudflare is not already logged in: stop immediately and ask the
user to log in to https://dash.cloudflare.com in their browser first,
then retry.
wrangler whoami fails or returns an auth errorDelegate to a general subagent Task so the playwriter back-and-forth doesn't eat your main context. Pass this as the prompt:
Automate wrangler login via playwriter. Follow these steps exactly:
IMPORTANT: This only works if the user is already logged in to Cloudflare
in their browser. The consent page has a Turnstile captcha that agents
cannot solve. If at any point you see a Turnstile challenge, a login form,
or a CAPTCHA, STOP and tell the user to log in to https://dash.cloudflare.com
in their browser first, then retry.
1. Start wrangler login in a tuistory background session:
bunx tuistory launch "pnpm exec wrangler login" -s wrangler-login
bunx tuistory -s wrangler-login wait "/https:\/\/dash\.cloudflare\.com/i" --timeout 15000
bunx tuistory read -s wrangler-login
2. Copy the full OAuth URL from tuistory output.
3. Load the playwriter skill (run `playwriter skill`), then open a
playwriter session and navigate to that URL:
playwriter session new
playwriter -s <id> -e '
state.page = context.pages().find(p => p.url() === "about:blank") ?? (await context.newPage());
await state.page.goto("<OAUTH_URL>", { waitUntil: "domcontentloaded" });
await waitForPageLoad({ page: state.page, timeout: 8000 });
console.log("URL:", state.page.url());
await snapshot({ page: state.page, showDiffSinceLastCall: false }).then(console.log);
'
4. The consent page shows "Wrangler wants to access your account".
Click through in order:
a. Select the account button (e.g. "Beats.by.morse@gmail.com's Account")
b. Click "Review permissions"
c. Wait 2s for permissions list to load
d. Click the Authorize button: [data-test-id="oauth-consent-form-allow-button"]
5. After authorize, the page redirects to
https://welcome.developers.workers.dev/wrangler-oauth-consent-granted
and wrangler prints "Successfully logged in."
6. Verify: pnpm exec wrangler whoami
7. Clean up:
bunx tuistory -s wrangler-login close
playwriter -s <id> -e 'await state.page.close()'
Return the wrangler whoami output to confirm success.
wrangler login must be running before you navigate to the OAuth
URL. It starts a local HTTP server on port 8976 that receives the
callback. If you navigate first, the redirect to localhost will fail.
The consent page requires selecting an account before "Review permissions" becomes clickable. If you click Review without selecting, it shows "Select at least one account".
The Authorize button uses data-test-id, not role. Use
state.page.locator('[data-test-id="oauth-consent-form-allow-button"]')
instead of getByRole.
If the user has multiple Cloudflare accounts, the consent page shows multiple account buttons. Pick the one that owns the Workers/D1 resources.
The OAuth URL contains a code_challenge that is unique per
wrangler login invocation. Never reuse a URL from a previous run.