@openparachute/hub 0.3.0-rc.1 → 0.5.1

package/src/commands/expose-cloudflare.ts

@@ -1,11 +1,6 @@
 import { mkdirSync, openSync } from "node:fs";
-import { homedir } from "node:os";
-import { dirname, join } from "node:path";
-import {
-  CLOUDFLARED_CONFIG_PATH,
-  CLOUDFLARED_LOG_PATH,
-  writeConfig,
-} from "../cloudflare/config.ts";
+import { dirname } from "node:path";
+import { DEFAULT_TUNNEL_NAME, cloudflaredPathsFor, writeConfig } from "../cloudflare/config.ts";
 import {
   DEFAULT_CLOUDFLARED_HOME,
   cloudflaredInstallHint,
@@ -14,9 +9,13 @@ import {
 } from "../cloudflare/detect.ts";
 import {
   CLOUDFLARED_STATE_PATH,
-  type CloudflaredState,
+  type CloudflaredTunnelRecord,
   clearCloudflaredState,
+  findTunnelRecord,
+  listTunnelRecords,
   readCloudflaredState,
+  withTunnelRecord,
+  withoutTunnelRecord,
   writeCloudflaredState,
 } from "../cloudflare/state.ts";
 import {
@@ -32,19 +31,21 @@ import { type AliveFn, defaultAlive } from "../process-state.ts";
 import { readManifest } from "../services-manifest.ts";
 import { type Runner, defaultRunner } from "../tailscale/run.ts";
 
-/**
- * Single canonical tunnel name reused across runs. Creating fresh tunnels
- * per invocation would leave orphaned tunnels in the user's Cloudflare
- * account every time they rotated hostnames; re-use keeps that clean.
- *
- * If someone needs multiple tunnels on one box (dev + prod, two domains),
- * we'll add `--tunnel-name` later. Single-tunnel covers the launch use case.
- */
-const TUNNEL_NAME = "parachute";
-
 const AUTH_DOC_URL =
   "https://github.com/ParachuteComputer/parachute-vault/blob/main/docs/auth-model.md";
 
+/**
+ * Tunnel-name validation. We mirror the conservative shape Cloudflare itself
+ * uses for tunnel identifiers — alphanumerics, hyphens, underscores — and
+ * keep it short enough to fit in a path segment without surprising the
+ * filesystem (e.g. macOS encoded NFC quirks). Anything more permissive would
+ * just push validation work onto the cloudflared binary.
+ */
+export function isValidTunnelName(name: string): boolean {
+  if (name.length === 0 || name.length > 64) return false;
+  return /^[A-Za-z0-9][A-Za-z0-9_-]*$/.test(name);
+}
+
 /**
  * Hostname validation — permissive by design. We reject the obviously broken
  * shapes (empty, missing dot, label containing `/` or whitespace) and let
@@ -86,9 +87,21 @@ export interface ExposeCloudflareOpts {
   log?: (line: string) => void;
   manifestPath?: string;
   statePath?: string;
-  /** Path to the cloudflared config.yml this invocation writes. */
+  /**
+   * Tunnel name targeted by this invocation. Defaults to `parachute` —
+   * the canonical single-tunnel name. Override to run multiple tunnels on
+   * one box (#32).
+   */
+  tunnelName?: string;
+  /**
+   * Path to the cloudflared config.yml this invocation writes. Defaults to
+   * the per-tunnel layout `~/.parachute/cloudflared/<tunnelName>/config.yml`.
+   */
   configPath?: string;
-  /** Path to the log file the spawned cloudflared appends to. */
+  /**
+   * Path to the log file the spawned cloudflared appends to. Defaults to
+   * the per-tunnel layout `~/.parachute/cloudflared/<tunnelName>/cloudflared.log`.
+   */
   logPath?: string;
   /** Override `~/.cloudflared` for tests and `$HOME`-free environments. */
   cloudflaredHome?: string;
@@ -103,6 +116,7 @@ interface Resolved {
   log: (line: string) => void;
   manifestPath: string;
   statePath: string;
+  tunnelName: string;
   configPath: string;
   logPath: string;
   cloudflaredHome: string;
@@ -110,6 +124,8 @@ interface Resolved {
 }
 
 function resolve(opts: ExposeCloudflareOpts): Resolved {
+  const tunnelName = opts.tunnelName ?? DEFAULT_TUNNEL_NAME;
+  const paths = cloudflaredPathsFor(tunnelName);
   return {
     runner: opts.runner ?? defaultRunner,
     spawner: opts.spawner ?? defaultCloudflaredSpawner,
@@ -118,8 +134,9 @@ function resolve(opts: ExposeCloudflareOpts): Resolved {
     log: opts.log ?? ((line) => console.log(line)),
     manifestPath: opts.manifestPath ?? SERVICES_MANIFEST_PATH,
     statePath: opts.statePath ?? CLOUDFLARED_STATE_PATH,
-    configPath: opts.configPath ?? CLOUDFLARED_CONFIG_PATH,
-    logPath: opts.logPath ?? CLOUDFLARED_LOG_PATH,
+    tunnelName,
+    configPath: opts.configPath ?? paths.configPath,
+    logPath: opts.logPath ?? paths.logPath,
     cloudflaredHome: opts.cloudflaredHome ?? DEFAULT_CLOUDFLARED_HOME,
     now: opts.now ?? (() => new Date()),
   };
@@ -153,6 +170,13 @@ export async function exposeCloudflareUp(
 ): Promise<number> {
   const r = resolve(opts);
 
+  if (!isValidTunnelName(r.tunnelName)) {
+    r.log(
+      `parachute expose public --cloudflare: --tunnel-name must be alphanumeric with -/_ (got "${r.tunnelName}").`,
+    );
+    return 1;
+  }
+
   if (!isValidHostname(hostname)) {
     r.log(
       `parachute expose public --cloudflare: --domain must be a valid hostname (got "${hostname}").`,
@@ -194,25 +218,25 @@ export async function exposeCloudflareUp(
 
   let tunnel: Tunnel | undefined;
   try {
-    tunnel = await findTunnelByName(r.runner, TUNNEL_NAME);
+    tunnel = await findTunnelByName(r.runner, r.tunnelName);
   } catch (err) {
     return reportCloudflaredError(err, r.log);
   }
   if (!tunnel) {
-    r.log(`Creating Cloudflare tunnel "${TUNNEL_NAME}"…`);
+    r.log(`Creating Cloudflare tunnel "${r.tunnelName}"…`);
     try {
-      tunnel = await createTunnel(r.runner, TUNNEL_NAME);
+      tunnel = await createTunnel(r.runner, r.tunnelName);
     } catch (err) {
       return reportCloudflaredError(err, r.log);
     }
     r.log(`✓ Created tunnel ${tunnel.id}`);
   } else {
-    r.log(`✓ Reusing existing tunnel "${TUNNEL_NAME}" (${tunnel.id})`);
+    r.log(`✓ Reusing existing tunnel "${r.tunnelName}" (${tunnel.id})`);
   }
 
   r.log(`Routing DNS: ${hostname} → tunnel ${tunnel.id}…`);
   try {
-    await routeDns(r.runner, TUNNEL_NAME, hostname);
+    await routeDns(r.runner, r.tunnelName, hostname);
   } catch (err) {
     if (err instanceof CloudflaredError) {
       r.log("");
@@ -241,32 +265,31 @@ export async function exposeCloudflareUp(
   );
   r.log(`✓ Wrote ${r.configPath}`);
 
-  const prior = readCloudflaredState(r.statePath);
+  const stateBefore = readCloudflaredState(r.statePath);
+  const prior = findTunnelRecord(stateBefore, r.tunnelName);
   if (prior && r.alive(prior.pid)) {
     try {
       r.kill(prior.pid, "SIGTERM");
       r.log(`Stopped prior cloudflared (pid ${prior.pid}).`);
     } catch {
-      // Process is already gone — safe to ignore; clearCloudflaredState drops the state file below.
+      // Process is already gone — safe to ignore; we replace the record below.
     }
   }
-  if (prior) clearCloudflaredState(r.statePath);
 
   const pid = r.spawner.spawn(
     ["cloudflared", "tunnel", "--config", r.configPath, "run"],
     r.logPath,
   );
 
-  const state: CloudflaredState = {
-    version: 1,
+  const record: CloudflaredTunnelRecord = {
     pid,
     tunnelUuid: tunnel.id,
-    tunnelName: TUNNEL_NAME,
+    tunnelName: r.tunnelName,
     hostname,
     startedAt: r.now().toISOString(),
     configPath: r.configPath,
   };
-  writeCloudflaredState(state, r.statePath);
+  writeCloudflaredState(withTunnelRecord(stateBefore, record), r.statePath);
 
   const baseUrl = `https://${hostname}`;
   // A well-formed vault manifest always lists at least one mount path. If
@@ -295,28 +318,45 @@ export async function exposeCloudflareUp(
 
 export async function exposeCloudflareOff(opts: ExposeCloudflareOpts = {}): Promise<number> {
   const r = resolve(opts);
-  const state = readCloudflaredState(r.statePath);
-  if (!state) {
-    r.log("No Cloudflare exposure recorded. Nothing to tear down.");
+  const stateBefore = readCloudflaredState(r.statePath);
+  const record = findTunnelRecord(stateBefore, r.tunnelName);
+  if (!record) {
+    if (stateBefore && Object.keys(stateBefore.tunnels).length > 0) {
+      const others = listTunnelRecords(stateBefore)
+        .map((t) => t.tunnelName)
+        .join(", ");
+      r.log(
+        `No Cloudflare exposure recorded for tunnel "${r.tunnelName}". Other tunnels: ${others}.`,
+      );
+    } else {
+      r.log("No Cloudflare exposure recorded. Nothing to tear down.");
+    }
     return 0;
   }
-  if (r.alive(state.pid)) {
+  if (r.alive(record.pid)) {
     try {
-      r.kill(state.pid, "SIGTERM");
-      r.log(`✓ Stopped cloudflared (pid ${state.pid}).`);
+      r.kill(record.pid, "SIGTERM");
+      r.log(`✓ Stopped cloudflared (pid ${record.pid}).`);
     } catch (err) {
       r.log(`✗ Failed to stop cloudflared: ${err instanceof Error ? err.message : String(err)}`);
       return 1;
     }
   } else {
-    r.log(`cloudflared (pid ${state.pid}) wasn't running; clearing stale state.`);
+    r.log(`cloudflared (pid ${record.pid}) wasn't running; clearing stale state.`);
   }
-  clearCloudflaredState(r.statePath);
-  r.log(`  ${state.hostname} is no longer reachable through this machine.`);
+  const stateAfter = withoutTunnelRecord(stateBefore, r.tunnelName);
+  if (stateAfter) {
+    writeCloudflaredState(stateAfter, r.statePath);
+  } else {
+    clearCloudflaredState(r.statePath);
+  }
+  r.log(`  ${record.hostname} is no longer reachable through this machine.`);
+  r.log(
+    `  Tunnel "${record.tunnelName}" (${record.tunnelUuid}) remains defined in Cloudflare; re-running`,
+  );
   r.log(
-    `  Tunnel "${state.tunnelName}" (${state.tunnelUuid}) remains defined in Cloudflare; re-running`,
+    `  \`parachute expose public --cloudflare --domain ${record.hostname}${record.tunnelName === DEFAULT_TUNNEL_NAME ? "" : ` --tunnel-name ${record.tunnelName}`}\` reuses it.`,
   );
-  r.log(`  \`parachute expose public --cloudflare --domain ${state.hostname}\` reuses it.`);
   return 0;
 }
 

package/src/commands/expose-interactive.ts

@@ -22,7 +22,12 @@ import {
   readLastProvider,
   writeLastProvider,
 } from "../expose-last-provider.ts";
-import { getTailscaleStatus, isTailscaleInstalled } from "../tailscale/detect.ts";
+import {
+  type ProviderAvailability,
+  detectProviders,
+  isCloudflareReady,
+  isTailnetReady,
+} from "../providers/detect.ts";
 import { type Runner, defaultRunner } from "../tailscale/run.ts";
 import { type AuthPreflightOpts, runAuthPreflight } from "./expose-auth-preflight.ts";
 import {
@@ -130,40 +135,8 @@ function resolve(opts: ExposeInteractiveOpts): Resolved {
   };
 }
 
-interface Readiness {
-  tailscaleInstalled: boolean;
-  tailscaleLoggedIn: boolean;
-  tailscaleFunnelCap: boolean;
-  cloudflareInstalled: boolean;
-  cloudflareLoggedIn: boolean;
-}
-
-async function detectReadiness(r: Resolved): Promise<Readiness> {
-  const tailscaleInstalled = await isTailscaleInstalled(r.runner);
-  // One `tailscale status --json` covers both login state and Funnel cap.
-  // Skipped when the binary's missing — the call would just fail.
-  const { loggedIn: tailscaleLoggedIn, funnelCapable: tailscaleFunnelCap } = tailscaleInstalled
-    ? await getTailscaleStatus(r.runner)
-    : { loggedIn: false, funnelCapable: false };
-
-  const cloudflareInstalled = await isCloudflaredInstalled(r.runner);
-  const cloudflareLoggedIn = cloudflareInstalled ? isCloudflaredLoggedIn(r.cloudflaredHome) : false;
-
-  return {
-    tailscaleInstalled,
-    tailscaleLoggedIn,
-    tailscaleFunnelCap,
-    cloudflareInstalled,
-    cloudflareLoggedIn,
-  };
-}
-
-function isTailscaleReady(r: Readiness): boolean {
-  return r.tailscaleInstalled && r.tailscaleLoggedIn && r.tailscaleFunnelCap;
-}
-
-function isCloudflareReady(r: Readiness): boolean {
-  return r.cloudflareInstalled && r.cloudflareLoggedIn;
+async function probeReadiness(r: Resolved): Promise<ProviderAvailability> {
+  return detectProviders({ runner: r.runner, cloudflaredHome: r.cloudflaredHome });
 }
 
 type PickResult = ExposeProvider | "quit";
@@ -221,11 +194,11 @@ async function promptHostname(r: Resolved): Promise<string | undefined> {
  * an admin-console change scoped to the tailnet — the CLI impersonating
  * either would be presumptuous. User re-runs after fixing.
  */
-function printTailscaleSetupGuidance(r: Resolved, readiness: Readiness): void {
+function printTailscaleSetupGuidance(r: Resolved, readiness: ProviderAvailability): void {
   r.log("");
   r.log("Tailscale Funnel needs three things:");
   r.log("");
-  if (!readiness.tailscaleInstalled) {
+  if (!readiness.tailnet.available) {
     r.log("  1. Install Tailscale:");
     if (r.platform === "darwin") {
       r.log("       brew install tailscale");
@@ -235,13 +208,13 @@ function printTailscaleSetupGuidance(r: Resolved, readiness: Readiness): void {
   } else {
     r.log("  1. ✓ Tailscale is installed.");
   }
-  if (!readiness.tailscaleLoggedIn) {
+  if (!readiness.tailnet.loggedIn) {
     r.log("  2. Log this machine into your tailnet:");
     r.log("       tailscale up");
   } else {
     r.log("  2. ✓ This machine is logged in.");
   }
-  if (!readiness.tailscaleFunnelCap) {
+  if (!readiness.tailnet.funnelEnabled) {
     r.log("  3. Enable Funnel for this node in your tailnet ACLs:");
     r.log("       https://login.tailscale.com/admin/acls");
     r.log("     Add (or merge) this block under the ACL's top-level object:");
@@ -264,9 +237,12 @@ function printTailscaleSetupGuidance(r: Resolved, readiness: Readiness): void {
  * pointers and bail so the user can pick apt/dnf/tarball. Returns true only
  * when cloudflared is both present and logged in afterwards.
  */
-async function guideCloudflareSetup(r: Resolved, readiness: Readiness): Promise<boolean> {
-  let installed = readiness.cloudflareInstalled;
-  let loggedIn = readiness.cloudflareLoggedIn;
+async function guideCloudflareSetup(
+  r: Resolved,
+  readiness: ProviderAvailability,
+): Promise<boolean> {
+  let installed = readiness.cloudflare.available;
+  let loggedIn = readiness.cloudflare.loggedIn;
 
   if (!installed) {
     if (r.platform === "darwin") {
@@ -349,8 +325,8 @@ function defaultProviderFrom(lastPath: string): ExposeProvider {
 
 export async function exposePublicInteractive(opts: ExposeInteractiveOpts = {}): Promise<number> {
   const r = resolve(opts);
-  const readiness = await detectReadiness(r);
-  const tsReady = isTailscaleReady(readiness);
+  const readiness = await probeReadiness(r);
+  const tsReady = isTailnetReady(readiness);
   const cfReady = isCloudflareReady(readiness);
 
   let provider: ExposeProvider;

package/src/commands/expose-off-auto.ts

@@ -15,6 +15,10 @@
  *   - Both live     → prompt (TTY) for which to tear down, or `both`;
  *                     non-TTY tears down both (off means off).
  *
+ * Since #32 the cloudflared-state.json holds a map of tunnels keyed by
+ * name, so "cloudflare is live" means any tunnel record exists; tearing
+ * down "cloudflare" iterates every recorded tunnel.
+ *
  * `--cloudflare` still works as an explicit override and skips this module
  * entirely (see cli.ts). Shape mirrors the other Layer-N modules — every
  * side-effectful edge is an injectable seam so the full decision tree is
@@ -25,6 +29,7 @@ import { createInterface } from "node:readline/promises";
 import {
   CLOUDFLARED_STATE_PATH,
   type CloudflaredState,
+  listTunnelRecords,
   readCloudflaredState,
 } from "../cloudflare/state.ts";
 import { EXPOSE_STATE_PATH, type ExposeState, readExposeState } from "../expose-state.ts";
@@ -50,7 +55,9 @@ export interface ExposePublicOffAutoOpts {
    */
   tailscaleOffOpts?: ExposeOpts;
   /**
-   * Forwarded to the cloudflare teardown. Tests use it the same way.
+   * Forwarded to the cloudflare teardown. Tests use it the same way. The
+   * wrapper sets `tunnelName` per record when iterating; callers don't need
+   * to provide it.
    */
   cloudflareOffOpts?: ExposeCloudflareOpts;
 
@@ -95,17 +102,13 @@ function tailscalePublicIsLive(state: ExposeState | undefined): state is ExposeS
 }
 
 function cloudflareIsLive(state: CloudflaredState | undefined): state is CloudflaredState {
-  return !!state;
+  return !!state && Object.keys(state.tunnels).length > 0;
 }
 
 function tailscaleUrl(state: ExposeState): string {
   return `https://${state.canonicalFqdn}`;
 }
 
-function cloudflareUrl(state: CloudflaredState): string {
-  return `https://${state.hostname}`;
-}
-
 type BothChoice = "tailscale" | "cloudflare" | "both" | "cancel";
 
 async function promptBothLive(
@@ -113,9 +116,14 @@ async function promptBothLive(
   tsState: ExposeState,
   cfState: CloudflaredState,
 ): Promise<BothChoice> {
+  const records = listTunnelRecords(cfState);
+  const cfSummary =
+    records.length === 1
+      ? `https://${records[0]?.hostname}`
+      : records.map((t) => `https://${t.hostname}`).join(", ");
   r.log("Two public exposures are currently live:");
   r.log(`  [1] Tailscale Funnel  — ${tailscaleUrl(tsState)}`);
-  r.log(`  [2] Cloudflare Tunnel — ${cloudflareUrl(cfState)}`);
+  r.log(`  [2] Cloudflare Tunnel — ${cfSummary}`);
   r.log("  [3] both");
   r.log("  [4] cancel");
   while (true) {
@@ -136,10 +144,18 @@ async function tearDownTailscale(r: Resolved, state: ExposeState): Promise<numbe
 }
 
 async function tearDownCloudflare(r: Resolved, state: CloudflaredState): Promise<number> {
-  const url = cloudflareUrl(state);
-  const code = await r.exposeCloudflareOffImpl(r.cloudflareOffOpts);
-  if (code === 0) r.log(`✓ Tore down Cloudflare Tunnel (was: ${url})`);
-  return code;
+  const records = listTunnelRecords(state);
+  let firstFailure = 0;
+  for (const record of records) {
+    const url = `https://${record.hostname}`;
+    const code = await r.exposeCloudflareOffImpl({
+      ...r.cloudflareOffOpts,
+      tunnelName: record.tunnelName,
+    });
+    if (code === 0) r.log(`✓ Tore down Cloudflare Tunnel (was: ${url})`);
+    if (code !== 0 && firstFailure === 0) firstFailure = code;
+  }
+  return firstFailure;
 }
 
 export async function runExposePublicOffAutoDetect(

package/src/commands/expose-public-auto.ts

@@ -0,0 +1,179 @@
+/**
+ * `parachute expose public` (no provider flag, non-TTY) — auto-pick logic.
+ *
+ * The interactive picker (`expose-interactive.ts`) covers the TTY case end to
+ * end. Scripts and CI hit a different shape: they can't answer prompts, but
+ * they still benefit from "use what's set up rather than always defaulting to
+ * Tailscale and failing if Tailscale isn't logged in."
+ *
+ * Decision tree, deterministic:
+ *
+ *   - Both providers ready → ambiguous, can't prompt; fail with a hint at
+ *     `--tailnet` / `--cloudflare`. Better to refuse than silently bias.
+ *   - Exactly one ready → use it.
+ *       - Tailnet:    proceed to `exposePublic("up", …)`.
+ *       - Cloudflare: needs `--domain`; if missing, fail with the same
+ *                     usage hint the explicit `--cloudflare` path emits.
+ *   - Neither ready → fail with install pointers for both. The user almost
+ *     certainly meant "spin up the public layer" and we can't, so this is the
+ *     loud surface — not a silent default.
+ *
+ * The `--skip-provider-check` escape hatch bypasses everything and runs
+ * today's Tailscale Funnel path. CI that's already prepared its environment
+ * (or doesn't care about Cloudflare) can pin to the legacy behavior with a
+ * single flag.
+ *
+ * Shape mirrors the other expose modules — every side-effectful edge is an
+ * injectable seam so the decision tree is testable without spawning real
+ * tailscale/cloudflared.
+ */
+
+import { DEFAULT_CLOUDFLARED_HOME } from "../cloudflare/detect.ts";
+import {
+  type ProviderAvailability,
+  type DetectProvidersOpts,
+  detectProviders,
+  isCloudflareReady,
+  isTailnetReady,
+} from "../providers/detect.ts";
+import {
+  type ExposeCloudflareOpts,
+  exposeCloudflareUp as defaultExposeCloudflareUp,
+} from "./expose-cloudflare.ts";
+import { type ExposeOpts, exposePublic as defaultExposePublic } from "./expose.ts";
+
+export interface ExposePublicAutoOpts {
+  /** Hostname for the Cloudflare path. Required when Cloudflare ends up picked. */
+  domain?: string;
+  /** Tunnel name override for the Cloudflare path (#32). */
+  tunnelName?: string;
+  /** Forwarded to the Tailscale Funnel handoff. */
+  tailscaleOpts?: ExposeOpts;
+  /** Forwarded to the Cloudflare handoff. */
+  cloudflareOpts?: ExposeCloudflareOpts;
+  /** Override `~/.cloudflared` (parity with the interactive picker's seam). */
+  cloudflaredHome?: string;
+  log?: (line: string) => void;
+
+  /** Test seams. */
+  detectProvidersImpl?: (opts: DetectProvidersOpts) => Promise<ProviderAvailability>;
+  exposePublicImpl?: (action: "up", opts: ExposeOpts) => Promise<number>;
+  exposeCloudflareUpImpl?: (hostname: string, opts: ExposeCloudflareOpts) => Promise<number>;
+}
+
+interface Resolved {
+  domain: string | undefined;
+  tunnelName: string | undefined;
+  tailscaleOpts: ExposeOpts;
+  cloudflareOpts: ExposeCloudflareOpts;
+  cloudflaredHome: string;
+  log: (line: string) => void;
+  detectProvidersImpl: (opts: DetectProvidersOpts) => Promise<ProviderAvailability>;
+  exposePublicImpl: (action: "up", opts: ExposeOpts) => Promise<number>;
+  exposeCloudflareUpImpl: (hostname: string, opts: ExposeCloudflareOpts) => Promise<number>;
+}
+
+function resolve(opts: ExposePublicAutoOpts): Resolved {
+  return {
+    domain: opts.domain,
+    tunnelName: opts.tunnelName,
+    tailscaleOpts: opts.tailscaleOpts ?? {},
+    cloudflareOpts: opts.cloudflareOpts ?? {},
+    cloudflaredHome: opts.cloudflaredHome ?? DEFAULT_CLOUDFLARED_HOME,
+    log: opts.log ?? ((line) => console.log(line)),
+    detectProvidersImpl: opts.detectProvidersImpl ?? detectProviders,
+    exposePublicImpl: opts.exposePublicImpl ?? ((a, o) => defaultExposePublic(a, o)),
+    exposeCloudflareUpImpl: opts.exposeCloudflareUpImpl ?? defaultExposeCloudflareUp,
+  };
+}
+
+function reportNeitherReady(r: Resolved, p: ProviderAvailability): number {
+  r.log("parachute expose public: no exposure provider is set up on this machine.");
+  r.log("");
+  r.log("Pick one and finish setting it up, then re-run.");
+  r.log("");
+  r.log("  Option A — Tailscale Funnel (free, *.ts.net URL, no domain needed):");
+  if (!p.tailnet.available) {
+    r.log("    1. Install:           https://tailscale.com/download");
+    r.log("    2. Log in:            tailscale up");
+    r.log("    3. Enable Funnel:     https://login.tailscale.com/admin/acls");
+  } else if (!p.tailnet.loggedIn) {
+    r.log("    1. ✓ tailscale installed");
+    r.log("    2. Log in:            tailscale up");
+    r.log("    3. Enable Funnel:     https://login.tailscale.com/admin/acls");
+  } else {
+    r.log("    1. ✓ tailscale installed");
+    r.log("    2. ✓ logged in");
+    r.log("    3. Enable Funnel:     https://login.tailscale.com/admin/acls");
+  }
+  r.log("");
+  r.log("  Option B — Cloudflare Tunnel (your own domain, Cloudflare DNS):");
+  if (!p.cloudflare.available) {
+    r.log(
+      "    1. Install cloudflared: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+    );
+    r.log("    2. Log in:              cloudflared tunnel login");
+    r.log("    3. Re-run with --domain: parachute expose public --cloudflare --domain <hostname>");
+  } else {
+    r.log("    1. ✓ cloudflared installed");
+    r.log("    2. Log in:              cloudflared tunnel login");
+    r.log("    3. Re-run with --domain: parachute expose public --cloudflare --domain <hostname>");
+  }
+  r.log("");
+  r.log("To bypass this check (e.g., CI scripts pinning to today's Tailscale default):");
+  r.log("  parachute expose public --skip-provider-check");
+  return 1;
+}
+
+function reportBothReadyAmbiguous(r: Resolved): number {
+  r.log("parachute expose public: both Tailscale Funnel and Cloudflare Tunnel are configured.");
+  r.log("");
+  r.log("Without a TTY there's no way to ask which one — pick explicitly:");
+  r.log("  parachute expose public --tailnet");
+  r.log("  parachute expose public --cloudflare --domain <hostname>");
+  r.log("");
+  r.log("Or pin to today's Tailscale-Funnel default with --skip-provider-check.");
+  return 1;
+}
+
+function reportCloudflareNeedsDomain(r: Resolved): number {
+  r.log("parachute expose public: Cloudflare Tunnel is the only configured provider,");
+  r.log("but `--domain <hostname>` is required to route DNS through it.");
+  r.log("");
+  r.log("Re-run with the hostname:");
+  r.log("  parachute expose public --cloudflare --domain vault.example.com");
+  r.log("");
+  r.log(
+    "The hostname's apex domain must already be a zone on your Cloudflare account.",
+  );
+  return 1;
+}
+
+/**
+ * Auto-pick entry point — call from `cli.ts` only when neither provider flag
+ * (`--tailnet` / `--cloudflare`) was supplied AND we're not in a TTY (the TTY
+ * path runs `expose-interactive.ts` instead).
+ */
+export async function exposePublicAutoPick(
+  opts: ExposePublicAutoOpts = {},
+): Promise<number> {
+  const r = resolve(opts);
+  const availability = await r.detectProvidersImpl({ cloudflaredHome: r.cloudflaredHome });
+  const tsReady = isTailnetReady(availability);
+  const cfReady = isCloudflareReady(availability);
+
+  if (tsReady && cfReady) return reportBothReadyAmbiguous(r);
+  if (!tsReady && !cfReady) return reportNeitherReady(r, availability);
+
+  if (tsReady) {
+    r.log("Auto-detected Tailscale Funnel as the only configured provider.");
+    return r.exposePublicImpl("up", r.tailscaleOpts);
+  }
+
+  // cfReady
+  if (!r.domain) return reportCloudflareNeedsDomain(r);
+  r.log("Auto-detected Cloudflare Tunnel as the only configured provider.");
+  const cfOpts: ExposeCloudflareOpts = { ...r.cloudflareOpts };
+  if (r.tunnelName !== undefined) cfOpts.tunnelName = r.tunnelName;
+  return r.exposeCloudflareUpImpl(r.domain, cfOpts);
+}