@elizaos/plugin-tailscale 2.0.0-beta.1 → 2.0.3-beta.3

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Shaw Walters and elizaOS Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -7,16 +7,18 @@ Tailscale-backed implementations:
   `tailscale` CLI (`tailscale serve` for tailnet-internal HTTPS, `tailscale
 funnel` for public Internet exposure). The user must already be authenticated
   to a tailnet.
-- **Cloud backend (`CloudTailscaleService`)** — calls
-  `POST /v1/apis/tunnels/tailscale/auth-key` on Eliza Cloud to mint a scoped
+- **Cloud backend (`CloudTailscaleService`)** — POSTs to
+  `apis/tunnels/tailscale/auth-key` (relative to `ELIZAOS_CLOUD_BASE_URL`,
+  default `https://api.elizacloud.ai/api/v1`) on Eliza Cloud to mint a scoped
   ephemeral auth key for the configured `tag:eliza-tunnel` ACL, then runs
   `tailscale up --auth-key=...` followed by `tailscale serve`/`funnel` against
-  the local port. The cloud holds the OAuth client credentials and Tailnet
-  identity.
+  the local port. The cloud holds the Headscale credential and returns a
+  `magicDnsName` the agent serves on. When the response includes a `billing`
+  payload it is retained and exposed via `getLastProvisioningBilling()`.
 
 Both backends register under `serviceType = "tunnel"` and implement the same
-`ITunnelService` shape, so consumers always go through
-`runtime.getService("tunnel")` and never reach for backend-specific APIs.
+`ITunnelService` shape, so consumers always go through `getTunnelService(runtime)`
+from `@elizaos/plugin-tunnel` and never reach for backend-specific APIs.
 
 > **Mutually exclusive with `@elizaos/plugin-ngrok`.** Both plugins register
 > under `serviceType = "tunnel"`. Enable only one at a time.
@@ -25,13 +27,11 @@ Both backends register under `serviceType = "tunnel"` and implement the same
 
 The plugin reads `TAILSCALE_BACKEND` from runtime settings:
 
-| Value            | Behavior                                                                                                                                                                     |
-| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `local`          | Always register `LocalTailscaleService`.                                                                                                                                     |
-| `cloud`          | Always register `CloudTailscaleService`.                                                                                                                                     |
-| `auto` (default) | Register `CloudTailscaleService` when Eliza Cloud is connected (`ELIZAOS_CLOUD_API_KEY` set + `ELIZAOS_CLOUD_ENABLED=true`); otherwise fall back to `LocalTailscaleService`. |
-
-`isCloudConnected` from `@elizaos/cloud-routing` is the source of truth.
+| Value            | Behavior                                                                                                                          |
+| ---------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| `local`          | Always register `LocalTailscaleService`.                                                                                          |
+| `cloud`          | Always register `CloudTailscaleService`.                                                                                          |
+| `auto` (default) | Register `CloudTailscaleService` when `isCloudConnected(runtime)` from `@elizaos/cloud-routing` returns true; otherwise `LocalTailscaleService`. |
 
 ## Settings
 
@@ -44,35 +44,46 @@ The plugin reads `TAILSCALE_BACKEND` from runtime settings:
 | `TAILSCALE_DEFAULT_PORT`            | `3000`                             | Used when no port is extracted from the user message.                                                                   |
 | `TAILSCALE_AUTH_KEY_EXPIRY_SECONDS` | `3600`                             | Expiry hint passed to the cloud auth-key minter.                                                                        |
 | `ELIZAOS_CLOUD_API_KEY`             | —                                  | Required for the cloud backend.                                                                                         |
-| `ELIZAOS_CLOUD_BASE_URL`            | `https://www.elizacloud.ai/api/v1` | Cloud base URL override.                                                                                                |
-| `ELIZAOS_CLOUD_ENABLED`             | `false`                            | Required (truthy) for `auto` mode to pick the cloud backend.                                                            |
+| `ELIZAOS_CLOUD_BASE_URL`            | `https://api.elizacloud.ai/api/v1` | Cloud base URL override.                                                                                                |
 
-## Actions
+Billing is owned by Eliza Cloud, not this plugin. The auth-key mint response
+may carry a `billing` object (`model: "on_demand"`, `unit`, `charged`,
+`amountUsd`, `subscription`); the plugin only records it for
+`getLastProvisioningBilling()`.
 
-- `START_TAILSCALE` (similes: `START_TUNNEL`, `OPEN_TUNNEL`, `CREATE_TUNNEL`, `TAILSCALE_UP`)
-- `STOP_TAILSCALE` (similes: `STOP_TUNNEL`, `CLOSE_TUNNEL`, `TAILSCALE_DOWN`)
-- `GET_TAILSCALE_STATUS` (similes: `TAILSCALE_STATUS`, `CHECK_TUNNEL`, `TUNNEL_INFO`)
+## Actions
 
-All three resolve the active backend through `runtime.getService("tunnel")`, so
-they behave identically across local and cloud modes.
+This package does not expose provider-specific actions. It only registers a
+Tailscale-backed `serviceType = "tunnel"` implementation. User-facing tunnel
+operations go through the canonical `TUNNEL` action with
+`action=start | stop | status`.
 
 ## Cloud backend wire format
 
-`POST /v1/apis/tunnels/tailscale/auth-key`:
+Request — `POST <ELIZAOS_CLOUD_BASE_URL>/apis/tunnels/tailscale/auth-key`
+(`Authorization: Bearer <ELIZAOS_CLOUD_API_KEY>`):
 
 ```json
 { "tags": ["tag:eliza-tunnel"], "expirySeconds": 3600 }
 ```
 
-Response:
+Response (`authKey`, `tailnet`, `magicDnsName` required; `loginServer`,
+`hostname`, `billing` optional):
 
 ```json
 {
-  "authKey": "tskey-auth-...",
+  "authKey": "hskey-auth-...",
   "tailnet": "https://headscale.elizacloud.ai",
   "loginServer": "https://headscale.elizacloud.ai",
-  "hostname": "eliza-org-session",
-  "magicDnsName": "eliza-agent-1234.tunnel.elizacloud.ai"
+  "hostname": "eliza-test-session",
+  "magicDnsName": "eliza-test-session.tunnel.elizacloud.ai",
+  "billing": {
+    "model": "on_demand",
+    "unit": "tunnel_auth_key",
+    "charged": true,
+    "amountUsd": 0.01,
+    "subscription": false
+  }
 }
 ```
 
@@ -80,7 +91,7 @@ The plugin then runs locally, in this order:
 
 ```bash
 tailscale up --auth-key=<authKey> --login-server=<loginServer> --hostname=<hostname>
-tailscale serve --bg --https=443 localhost:<port>     # or `tailscale funnel <port>`
+tailscale serve --bg --https=443 localhost:<port>     # or `tailscale funnel --bg <port>`
 ```
 
 ## Development
@@ -91,7 +102,3 @@ bun run typecheck
 bun run lint
 bun run test
 ```
-
-## License
-
-MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elizaos/plugin-tailscale",
-  "version": "2.0.0-beta.1",
+  "version": "2.0.3-beta.3",
   "description": "Tunnel plugin for elizaOS — local Tailscale serve/funnel or Eliza Cloud-routed Tailscale auth-key minter",
   "type": "module",
   "main": "dist/index.js",
@@ -9,18 +9,35 @@
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
+      "eliza-source": {
+        "types": "./src/index.ts",
+        "import": "./src/index.ts",
+        "default": "./src/index.ts"
+      },
       "import": "./dist/index.js",
       "default": "./dist/index.js"
     },
-    "./package.json": "./package.json"
+    "./package.json": "./package.json",
+    "./*.css": "./dist/*.css",
+    "./*": {
+      "types": "./dist/*.d.ts",
+      "eliza-source": {
+        "types": "./src/*.ts",
+        "import": "./src/*.ts",
+        "default": "./src/*.ts"
+      },
+      "import": "./dist/*.js",
+      "default": "./dist/*.js"
+    }
   },
   "files": [
+    "registry-entry.json",
     "dist"
   ],
   "scripts": {
     "build": "tsup src/index.ts --format esm --dts",
-    "typecheck": "tsc --noEmit",
-    "test": "bun run --cwd ../../packages/cloud-routing build && vitest run",
+    "typecheck": "tsgo --noEmit",
+    "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "clean": "rm -rf dist coverage",
@@ -30,13 +47,13 @@
     "format:check": "bunx @biomejs/biome format ."
   },
   "peerDependencies": {
-    "@elizaos/core": "2.0.0-beta.1",
-    "@elizaos/plugin-tunnel": "2.0.0-beta.1"
+    "@elizaos/core": "2.0.3-beta.3",
+    "@elizaos/plugin-tunnel": "2.0.3-beta.3"
   },
   "dependencies": {
-    "@elizaos/cloud-routing": "2.0.0-beta.1",
-    "@elizaos/core": "2.0.0-beta.1",
-    "@elizaos/plugin-tunnel": "2.0.0-beta.1",
+    "@elizaos/cloud-routing": "2.0.3-beta.3",
+    "@elizaos/core": "2.0.3-beta.3",
+    "@elizaos/plugin-tunnel": "2.0.3-beta.3",
     "zod": "^4.4.3"
   },
   "devDependencies": {
@@ -48,5 +65,6 @@
   },
   "publishConfig": {
     "access": "public"
-  }
+  },
+  "gitHead": "f54b0f4eaed317d59fa7dbcdce20f4cdb0734420"
 }

package/registry-entry.json

@@ -0,0 +1,81 @@
+{
+  "id": "tailscale",
+  "name": "Tailscale",
+  "description": "Tunnel plugin — local Tailscale serve/funnel or Eliza Cloud-routed Tailscale auth-key minter. Mutually exclusive with the ngrok tunnel plugin.",
+  "npmName": "@elizaos/plugin-tailscale",
+  "version": "2.0.0-beta.0",
+  "source": "bundled",
+  "tags": ["tunnel", "tailscale", "networking"],
+  "config": {
+    "TAILSCALE_BACKEND": {
+      "type": "string",
+      "required": false,
+      "sensitive": false,
+      "default": "auto",
+      "label": "Backend",
+      "help": "Backend to use: 'local' (tailscale CLI), 'cloud' (Eliza Cloud-minted ephemeral auth key), or 'auto' (cloud when Eliza Cloud is connected, else local).",
+      "advanced": false
+    },
+    "TAILSCALE_AUTH_KEY": {
+      "type": "secret",
+      "required": false,
+      "sensitive": true,
+      "label": "Auth Key",
+      "help": "Optional pre-minted Tailscale auth key for the local backend. Most users authenticate once via 'tailscale up' and never set this.",
+      "advanced": true
+    },
+    "TAILSCALE_TAGS": {
+      "type": "string",
+      "required": false,
+      "sensitive": false,
+      "default": "tag:eliza-tunnel",
+      "label": "Tags",
+      "help": "Comma-separated ACL tags applied to the cloud-minted ephemeral key.",
+      "advanced": true
+    },
+    "TAILSCALE_FUNNEL": {
+      "type": "boolean",
+      "required": false,
+      "sensitive": false,
+      "default": "False",
+      "label": "Use Funnel",
+      "help": "When true, use 'tailscale funnel' to expose to the public Internet. When false, use 'tailscale serve' (tailnet-internal only).",
+      "advanced": false
+    },
+    "TAILSCALE_DEFAULT_PORT": {
+      "type": "number",
+      "required": false,
+      "sensitive": false,
+      "default": "3000",
+      "label": "Default Port",
+      "help": "Used when no port is extracted from the user message.",
+      "advanced": false
+    },
+    "TAILSCALE_AUTH_KEY_EXPIRY_SECONDS": {
+      "type": "number",
+      "required": false,
+      "sensitive": false,
+      "default": "3600",
+      "label": "Auth Key Expiry (seconds)",
+      "help": "Expiry hint passed to the cloud auth-key minter.",
+      "advanced": true
+    }
+  },
+  "render": {
+    "visible": true,
+    "pinTo": [],
+    "style": "card",
+    "icon": "Network",
+    "group": "devtools",
+    "groupOrder": 6,
+    "actions": ["enable", "configure"]
+  },
+  "resources": {
+    "homepage": "https://github.com/eliza-ai/eliza/tree/develop/plugins/plugin-tailscale#readme",
+    "repository": "https://github.com/eliza-ai/eliza"
+  },
+  "dependsOn": [],
+  "kind": "plugin",
+  "subtype": "devtools",
+  "cloudBacked": true
+}

package/dist/index.d.ts

@@ -1,147 +0,0 @@
-import { IAgentRuntime, ConnectorAccountProvider, Service, Plugin } from '@elizaos/core';
-import { ITunnelService, TunnelStatus } from '@elizaos/plugin-tunnel';
-export { ITunnelService, TunnelProvider, TunnelStatus } from '@elizaos/plugin-tunnel';
-
-declare const DEFAULT_TAILSCALE_ACCOUNT_ID = "default";
-interface TailscaleAccountConfig {
-    accountId: string;
-    authKey?: string;
-    tags?: string | string[];
-    funnel?: string | boolean;
-    defaultPort?: string | number;
-    backend?: "local" | "cloud" | "auto";
-    authKeyExpirySeconds?: string | number;
-    cloudApiKey?: string;
-    cloudBaseUrl?: string;
-    label?: string;
-}
-declare function normalizeTailscaleAccountId(value: unknown): string;
-declare function resolveTailscaleAccountId(runtime: IAgentRuntime, options?: Record<string, unknown>): string;
-declare function readTailscaleAccounts(runtime: IAgentRuntime): TailscaleAccountConfig[];
-declare function resolveTailscaleAccount(accounts: readonly TailscaleAccountConfig[], accountId: string): TailscaleAccountConfig | null;
-
-/**
- * Tailscale ConnectorAccountManager provider.
- *
- * Adapts the existing multi-account resolver in `accounts.ts` to the
- * ConnectorAccountManager CRUD surface. Legacy single-account env/settings
- * are surfaced as the default OWNER account; additional accounts can be
- * declared through character.settings.tailscale.accounts or TAILSCALE_ACCOUNTS.
- *
- * Tailscale does not use an OAuth redirect flow here. Local CLI login and
- * cloud auth-key/API-key provisioning remain owned by the backend services.
- */
-
-declare function createTailscaleConnectorAccountProvider(runtime: IAgentRuntime): ConnectorAccountProvider;
-
-/**
- * Tailscale plugin re-exports the canonical tunnel-service contract from
- * `@elizaos/plugin-tunnel`. Both backends (local CLI, cloud auth-key minter)
- * register under `serviceType="tunnel"`. Consumers should call
- * `getTunnelService(runtime)` from `@elizaos/plugin-tunnel` to stay
- * backend-agnostic.
- */
-
-type TailscaleBackendMode = "local" | "cloud" | "auto";
-
-interface CloudFetchInit {
-    method: "POST";
-    headers: Record<string, string>;
-    body: string;
-}
-interface CloudFetchResponse {
-    ok: boolean;
-    status: number;
-    statusText: string;
-    json(): Promise<unknown>;
-    text(): Promise<string>;
-}
-type CloudFetch = (url: string, init: CloudFetchInit) => Promise<CloudFetchResponse>;
-interface CloudTailscaleServiceOptions {
-    /** Override fetch impl for tests. */
-    fetch?: CloudFetch;
-    /** Override CLI runner for tests. */
-    cliRunner?: (cmd: string, args: string[]) => Promise<{
-        code: number | null;
-        stdout: string;
-        stderr: string;
-    }>;
-}
-declare class CloudTailscaleService extends Service implements ITunnelService {
-    static serviceType: string;
-    readonly capabilityDescription = "Provides Tailscale tunnel functionality via Eliza Cloud \u2014 auth keys are minted server-side and the local CLI joins the tailnet.";
-    private readonly fetchImpl;
-    private readonly cliRunner;
-    private tunnelUrl;
-    private tunnelPort;
-    private startedAt;
-    private isShuttingDown;
-    private joinedTailnet;
-    constructor(runtime?: IAgentRuntime, options?: CloudTailscaleServiceOptions);
-    static start(runtime: IAgentRuntime): Promise<Service>;
-    start(): Promise<void>;
-    stop(): Promise<void>;
-    startTunnel(port?: number, options?: {
-        accountId?: string;
-    }): Promise<string | undefined>;
-    stopTunnel(_options?: {
-        accountId?: string;
-    }): Promise<void>;
-    getUrl(): string | null;
-    isActive(): boolean;
-    getStatus(): TunnelStatus;
-    private joinTailnet;
-    private runServe;
-    private resolveCloudCredentials;
-    private cleanup;
-}
-
-declare class LocalTailscaleService extends Service implements ITunnelService {
-    static serviceType: string;
-    readonly capabilityDescription = "Provides secure tunnel functionality via the locally-installed `tailscale` CLI (serve / funnel).";
-    private tunnelUrl;
-    private tunnelPort;
-    private startedAt;
-    private isShuttingDown;
-    private useFunnel;
-    static start(runtime: IAgentRuntime): Promise<Service>;
-    start(): Promise<void>;
-    stop(): Promise<void>;
-    startTunnel(port?: number, options?: {
-        accountId?: string;
-    }): Promise<string | undefined>;
-    stopTunnel(_options?: {
-        accountId?: string;
-    }): Promise<void>;
-    getUrl(): string | null;
-    isActive(): boolean;
-    getStatus(): TunnelStatus;
-    private fetchSelfDnsName;
-    private cleanup;
-}
-
-type TunnelBackendCtor = typeof LocalTailscaleService | typeof CloudTailscaleService;
-interface BackendDecision {
-    backend: TunnelBackendCtor;
-    mode: TailscaleBackendMode;
-    reason: string;
-}
-declare function readBackendMode(runtime: IAgentRuntime): TailscaleBackendMode;
-declare function selectTunnelBackend(runtime: IAgentRuntime): BackendDecision;
-
-/**
- * Plugin doesn't list any services upfront. The selector runs in `init()` and
- * registers exactly one Tailscale backend (local or cloud) under the canonical
- * `serviceType="tunnel"` slot from `@elizaos/plugin-tunnel`. Coordination with
- * other tunnel providers (ngrok, plugin-tunnel's local CLI, plugin-elizacloud's
- * cloud tunnel) is first-active-wins via `tunnelSlotIsFree(runtime)`.
- *
- * Consumers should stay backend-agnostic via `getTunnelService(runtime)` from
- * `@elizaos/plugin-tunnel`.
- *
- * The canonical TUNNEL action from `@elizaos/plugin-tunnel` handles start,
- * stop, and status. This plugin only contributes a provider/backend.
- */
-declare const tailscalePlugin: Plugin;
-
-export { type BackendDecision, CloudTailscaleService, DEFAULT_TAILSCALE_ACCOUNT_ID, LocalTailscaleService, type TailscaleAccountConfig, type TailscaleBackendMode, createTailscaleConnectorAccountProvider, tailscalePlugin as default, normalizeTailscaleAccountId, readBackendMode, readTailscaleAccounts, resolveTailscaleAccount, resolveTailscaleAccountId, selectTunnelBackend, tailscalePlugin };