@rubytech/create-realagent 1.0.614 → 1.0.616

package/payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js

@@ -17,12 +17,35 @@ export function loadBrand() {
         throw new Error(`brand.json not found at ${brandPath} — PLATFORM_ROOT may be incorrect`);
     }
     const parsed = JSON.parse(readFileSync(brandPath, "utf-8"));
+    // configDir/productName fall back to Maxy values for forward compat with
+    // older manifests; cloudflare.zones does NOT — its absence is an
+    // authoritative-scope problem the bundler should have caught.
+    if (!parsed.cloudflare ||
+        !Array.isArray(parsed.cloudflare.zones) ||
+        parsed.cloudflare.zones.length === 0) {
+        throw new Error(`brand.json at ${brandPath} is missing a non-empty cloudflare.zones array. ` +
+            `The Cloudflare plugin refuses to start without an explicit zone declaration. ` +
+            `Add cloudflare.zones to brands/<name>/brand.json and republish the brand package.`);
+    }
+    for (const zone of parsed.cloudflare.zones) {
+        if (typeof zone !== "string" || zone.length === 0) {
+            throw new Error(`brand.json at ${brandPath} has invalid cloudflare.zones entry: ${JSON.stringify(zone)}`);
+        }
+    }
     cachedBrand = {
         configDir: parsed.configDir ?? ".maxy",
         productName: parsed.productName ?? "Maxy",
+        cloudflare: { zones: parsed.cloudflare.zones.slice() },
     };
     return cachedBrand;
 }
+/**
+ * Test-only: reset the cached brand so a subsequent loadBrand() re-reads
+ * the manifest. Production code never calls this.
+ */
+export function _resetBrandCache() {
+    cachedBrand = null;
+}
 // ---------------------------------------------------------------------------
 // Binary detection (unchanged — cloudflared binary still needed for daemon)
 // ---------------------------------------------------------------------------
@@ -73,74 +96,130 @@ export function version() {
         return null;
     }
 }
-// ---------------------------------------------------------------------------
-// API token storage
-//
-// Stored under ~/{configDir}/cloudflare/ so each brand has its own token.
-// Functions (not consts) because loadBrand() requires PLATFORM_ROOT at runtime.
-// ---------------------------------------------------------------------------
-function tokenDir() {
+function bindingDir() {
     return join(homedir(), loadBrand().configDir, "cloudflare");
 }
-function tokenFile() {
-    return join(tokenDir(), "api-token");
+function bindingFile() {
+    return join(bindingDir(), "account-binding.json");
 }
-export function readToken() {
+export function readAccountBinding() {
     try {
-        const path = tokenFile();
+        const path = bindingFile();
         if (!existsSync(path))
             return null;
-        return JSON.parse(readFileSync(path, "utf-8"));
+        const parsed = JSON.parse(readFileSync(path, "utf-8"));
+        if (typeof parsed?.accountId !== "string" || typeof parsed?.boundAt !== "string") {
+            console.error(`[cloudflare:binding] malformed account-binding.json at ${path} — treating as absent`);
+            return null;
+        }
+        return { accountId: parsed.accountId, boundAt: parsed.boundAt };
     }
-    catch {
+    catch (err) {
+        console.error(`[cloudflare:binding] failed to read ${bindingFile()}: ${err}`);
         return null;
     }
 }
-export function writeToken(apiToken, accountId) {
-    const dir = tokenDir();
-    mkdirSync(dir, { recursive: true });
-    const data = { apiToken, accountId };
-    writeFileSync(join(dir, "api-token"), JSON.stringify(data), { mode: 0o600 });
-}
-export function hasToken() {
-    return readToken() !== null;
-}
 /**
- * Returns the prefix of the stored API token (e.g. "cfut_" for cert-derived
- * tokens), or null if no token is stored. Used to distinguish cert-derived
- * tokens (limited scope) from user-created API tokens.
+ * @internal — production code MUST go through `materializeBinding` so the
+ * source-of-truth lifecycle (fresh-login vs migration) is preserved and
+ * logged. This function is exported only so unit tests can pre-seed
+ * bindings without re-implementing the file format. A new tool handler
+ * that calls `writeAccountBinding` directly is a code-review block —
+ * silent overwrites mask account drift, defeating the four-step guard.
  */
-export function getTokenPrefix() {
-    const token = readToken();
-    if (!token)
-        return null;
-    // cfut_ is 5 chars; return up to 8 chars for other token prefixes
-    const prefix = token.apiToken.slice(0, 8);
-    return prefix || null;
+export function writeAccountBinding(accountId) {
+    const dir = bindingDir();
+    mkdirSync(dir, { recursive: true });
+    const binding = { accountId, boundAt: new Date().toISOString() };
+    writeFileSync(bindingFile(), JSON.stringify(binding, null, 2), { mode: 0o600 });
+    return binding;
 }
 /**
- * Delete the stored API token and cert.pem, enabling a fresh authentication
- * flow. Handles missing files (no-op) and permission errors (log + continue)
- * gracefully. Used by tunnel-login --force to break out of the dead-end
- * when the stored token has insufficient permissions.
+ * Reset the binding by unlinking the file. Only force-reset paths
+ * (tunnel-login force=true, cf-rebuild after wrong-account detection)
+ * call this. Tools must never overwrite the binding on a write path —
+ * an overwrite would mask account drift, defeating the guard.
  */
-export function resetAuth() {
-    const result = { deletedToken: false, deletedCert: false };
-    const tf = tokenFile();
+function resetAccountBinding() {
+    const path = bindingFile();
     try {
-        unlinkSync(tf);
-        result.deletedToken = true;
-        console.error(`[tunnel-login] deleted: ${tf}`);
+        unlinkSync(path);
+        console.error(`[cloudflare:binding] reset ${path}`);
+        return true;
     }
     catch (err) {
         const code = err.code;
-        if (code === "ENOENT") {
-            // File already gone — no-op
+        if (code === "ENOENT")
+            return false;
+        console.error(`[cloudflare:binding] failed to reset ${path}: ${err}`);
+        return false;
+    }
+}
+export function matchManifestZone(hostname, declaredZones) {
+    const lc = hostname.toLowerCase();
+    const candidates = declaredZones.filter((z) => lc === z.toLowerCase() || lc.endsWith("." + z.toLowerCase()));
+    if (candidates.length === 0) {
+        return { ok: false, matchedZone: null, declaredZones: declaredZones.slice() };
+    }
+    candidates.sort((a, b) => b.length - a.length);
+    return { ok: true, matchedZone: candidates[0], declaredZones: declaredZones.slice() };
+}
+export function logRefuse(detail) {
+    const brand = (() => {
+        try {
+            return loadBrand();
         }
-        else {
-            console.error(`[tunnel-login] failed to delete token file ${tf}: ${err}`);
+        catch {
+            return null;
+        }
+    })();
+    const fields = {
+        reason: detail.reason,
+        brand: brand?.productName ?? "unknown",
+        manifestZones: detail.fields.manifestZones ?? brand?.cloudflare.zones ?? null,
+        boundAccountId: detail.fields.boundAccountId ?? null,
+        certAccountId: detail.fields.certAccountId ?? null,
+        requestedDomain: detail.fields.requestedDomain ?? null,
+        requestedHostname: detail.fields.requestedHostname ?? null,
+        actualFqdn: detail.fields.actualFqdn ?? null,
+        tunnelId: detail.fields.tunnelId ?? null,
+    };
+    console.error(`[cloudflare:refuse] ${JSON.stringify(fields)}`);
+}
+/**
+ * Emit a single recovery instruction. Every refusal instructs the same path:
+ * tunnel-login under the account that owns the brand's declared zones.
+ * No alternative auth path exists.
+ */
+export function recoveryMessage() {
+    const brand = loadBrand();
+    return (`Recovery: run tunnel-login while signed into the Cloudflare account that owns ` +
+        `the declared zones for this brand: ${brand.cloudflare.zones.join(", ")}. ` +
+        `If you recently rotated the cert under a different account, pass force=true ` +
+        `to clear the existing cert.pem and account binding before re-authenticating.`);
+}
+// ---------------------------------------------------------------------------
+// Reset auth — unlinks cert.pem (both paths) and the account binding
+//
+// Kill order matters: terminate any in-flight `cloudflared tunnel login`
+// process BEFORE deleting cert state, otherwise its browser handshake can
+// complete between our unlink and return, writing a fresh cert.pem to the
+// legacy path that findCert() would silently re-import on the next read.
+// Same pattern Task 531 closed; preserved here.
+// ---------------------------------------------------------------------------
+export function resetAuth() {
+    const result = { deletedCert: false, deletedBinding: false };
+    const loginState = readLoginState();
+    if (loginState?.pid && isProcessAlive(loginState.pid)) {
+        try {
+            process.kill(loginState.pid, "SIGTERM");
+            console.error(`[tunnel-login] killed stale login process PID ${loginState.pid}`);
+        }
+        catch {
+            // Process may have exited between check and kill
         }
     }
+    clearLoginState();
     const cp = certPath();
     try {
         unlinkSync(cp);
@@ -156,19 +235,21 @@ export function resetAuth() {
             console.error(`[tunnel-login] failed to delete cert.pem ${cp}: ${err}`);
         }
     }
-    // Kill any running login process before clearing state — prevents a stale
-    // cloudflared from writing a new cert.pem after we just deleted it.
-    const loginState = readLoginState();
-    if (loginState?.pid && isProcessAlive(loginState.pid)) {
-        try {
-            process.kill(loginState.pid, "SIGTERM");
-            console.error(`[tunnel-login] killed stale login process PID ${loginState.pid}`);
+    const legacyCp = legacyCertPath();
+    try {
+        unlinkSync(legacyCp);
+        console.error(`[tunnel-login] deleted legacy cert.pem: ${legacyCp}`);
+    }
+    catch (err) {
+        const code = err.code;
+        if (code === "ENOENT") {
+            console.error(`[tunnel-login] legacy cert.pem absent: ${legacyCp}`);
         }
-        catch {
-            // Process may have exited between check and kill
+        else {
+            console.error(`[tunnel-login] failed to delete legacy cert.pem ${legacyCp}: ${err}`);
         }
     }
-    clearLoginState();
+    result.deletedBinding = resetAccountBinding();
     return result;
 }
 // ---------------------------------------------------------------------------
@@ -180,22 +261,43 @@ export function resetAuth() {
 function certPath() {
     return join(homedir(), loadBrand().configDir, "cloudflared/cert.pem");
 }
+// cloudflared tunnel login always writes here regardless of --origincert.
+// Same literal lives in the installer's cloudflared migration block.
+function legacyCertPath() {
+    return join(homedir(), ".cloudflared", "cert.pem");
+}
 /**
  * Find cert.pem, checking the brand-specific path first, then cloudflared's
- * default location (~/.cloudflared/cert.pem). cloudflared tunnel login ALWAYS
- * writes to ~/.cloudflared/cert.pem regardless of --origincert, so we must
- * check there as a fallback and copy to the brand-specific path when found.
+ * default location. cloudflared tunnel login ALWAYS writes to
+ * ~/.cloudflared/cert.pem regardless of --origincert, so we must check
+ * there as a fallback.
+ *
+ * Move-on-read: when the cert is found at the legacy path, copy it to the
+ * brand path AND unlink the legacy file. Without the unlink, the legacy
+ * file would survive `tunnel-login force=true` (which only deletes brand
+ * paths) and silently re-import on the next read — defeating the recovery
+ * path operators rely on after switching Cloudflare accounts.
+ *
+ * Failure to unlink the legacy file after a successful copy is non-fatal:
+ * the read still succeeds against the brand path, and the warning surfaces
+ * the residual stale file.
  */
 function findCert() {
     const brandPath = certPath();
     if (existsSync(brandPath))
         return brandPath;
-    const defaultPath = join(homedir(), ".cloudflared", "cert.pem");
+    const defaultPath = legacyCertPath();
     if (existsSync(defaultPath)) {
         const dir = join(homedir(), loadBrand().configDir, "cloudflared");
         mkdirSync(dir, { recursive: true });
         copyFileSync(defaultPath, brandPath);
-        console.error(`[tunnel-login] cert.pem found at ${defaultPath}, copied to ${brandPath}`);
+        try {
+            unlinkSync(defaultPath);
+            console.error(`[tunnel-login] cert.pem migrated from ${defaultPath} to ${brandPath}`);
+        }
+        catch (err) {
+            console.error(`[tunnel-login] WARNING: cert.pem migrated to ${brandPath} but legacy ${defaultPath} could not be removed: ${err}`);
+        }
         return brandPath;
     }
     return null;
@@ -237,80 +339,117 @@ export function parseCertPem() {
 }
 // ---------------------------------------------------------------------------
 // SDK client
+//
+// Two entry points: getClient() for mutating operations enforces the auth
+// pre-conditions (cert present, binding present, accountId-from-cert
+// matches binding) — uncircumventable for any code path that needs an SDK
+// instance. getReadOnlyClient() for cf-verify allows operating on an
+// unbound device so the audit can report MISSING artefacts without
+// throwing. Both rely on cert.pem as the single account identity source.
 // ---------------------------------------------------------------------------
-export function getClient() {
-    const token = readToken();
-    if (!token) {
-        throw new Error("No API token configured. Run cf-set-token to set one.");
+/** Wraps a structured RefusalDetail so call sites can branch on `reason`. */
+export class CloudflareRefusalError extends Error {
+    refusal;
+    constructor(detail) {
+        super(detail.message);
+        this.name = "CloudflareRefusalError";
+        this.refusal = detail;
     }
-    return {
-        client: new Cloudflare({ apiToken: token.apiToken }),
-        accountId: token.accountId,
-    };
 }
-export async function validateToken(apiToken) {
-    const client = new Cloudflare({ apiToken });
-    try {
-        // Try zones first — most accounts have at least one zone
-        const zones = await client.zones.list({ per_page: 1 });
-        const zone = zones.result?.[0];
-        if (zone) {
-            return {
-                valid: true,
-                accountId: zone.account.id ?? null,
-                accountName: zone.account.name ?? null,
-            };
-        }
-        // No zones — discover account ID via accounts.list() (works for new accounts)
-        const accounts = await client.accounts.list({ per_page: 1 });
-        const account = accounts.result?.[0];
-        if (account) {
-            return {
-                valid: true,
-                accountId: account.id ?? null,
-                accountName: account.name ?? null,
-            };
-        }
-        // Token is valid but no zones and no accounts discoverable
-        return {
-            valid: true,
-            accountId: null,
-            accountName: null,
-            error: "Token is valid but could not discover account ID — no zones or accounts found.",
+/**
+ * Build an SDK client for mutating operations. Throws CloudflareRefusalError
+ * with a structured `refusal` field if any auth pre-condition fails:
+ *   - cert.pem absent or unparseable                → unbound-device
+ *   - account-binding.json absent                   → unbound-device
+ *   - cert.pem accountId !== binding.accountId      → account-drift
+ *
+ * The refusal is logged with [cloudflare:refuse] before the throw, so the
+ * single greppable signal exists regardless of how the caller handles the
+ * exception.
+ */
+export function getClient() {
+    const creds = parseCertPem();
+    if (!creds) {
+        const detail = {
+            reason: "unbound-device",
+            message: `No cert.pem found — this device has not completed Cloudflare authentication. ` +
+                recoveryMessage(),
+            fields: { boundAccountId: readAccountBinding()?.accountId ?? null },
         };
-    }
-    catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        if (msg.includes("Authentication")) {
-            return {
-                valid: false,
-                accountId: null,
-                accountName: null,
-                error: "Token rejected by Cloudflare — check that it is correct and has not expired.",
-            };
-        }
-        return {
-            valid: false,
-            accountId: null,
-            accountName: null,
-            error: msg,
+        logRefuse(detail);
+        throw new CloudflareRefusalError(detail);
+    }
+    const binding = readAccountBinding();
+    if (!binding) {
+        const detail = {
+            reason: "unbound-device",
+            message: `No account binding recorded — tunnel-login must complete a fresh authentication ` +
+                `to bind this device to a Cloudflare account before any other tool can run. ` +
+                recoveryMessage(),
+            fields: { certAccountId: creds.accountId },
+        };
+        logRefuse(detail);
+        throw new CloudflareRefusalError(detail);
+    }
+    if (creds.accountId !== binding.accountId) {
+        const detail = {
+            reason: "account-drift",
+            message: `cert.pem is bound to account ${creds.accountId}, but this device's recorded ` +
+                `binding is account ${binding.accountId}. The cert was rotated under a different ` +
+                `Cloudflare account since the binding was established. ` +
+                recoveryMessage(),
+            fields: {
+                boundAccountId: binding.accountId,
+                certAccountId: creds.accountId,
+            },
         };
+        logRefuse(detail);
+        throw new CloudflareRefusalError(detail);
     }
+    return {
+        client: new Cloudflare({ apiToken: creds.apiToken }),
+        accountId: binding.accountId,
+    };
 }
-export async function validateAuth() {
-    const token = readToken();
-    if (!token) {
-        return { hasToken: false, tokenValid: false };
-    }
-    try {
-        const client = new Cloudflare({ apiToken: token.apiToken });
-        await client.zones.list({ per_page: 1 });
-        return { hasToken: true, tokenValid: true };
-    }
-    catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        return { hasToken: true, tokenValid: false, error: msg };
-    }
+export function getReadOnlyClient() {
+    const creds = parseCertPem();
+    const binding = readAccountBinding();
+    const certAccountId = creds?.accountId ?? null;
+    const boundAccountId = binding?.accountId ?? null;
+    const client = creds ? new Cloudflare({ apiToken: creds.apiToken }) : null;
+    const bindingMatches = !!(creds && binding && creds.accountId === binding.accountId);
+    return { client, certAccountId, boundAccountId, bindingMatches };
+}
+export function validateAuth() {
+    const creds = parseCertPem();
+    const binding = readAccountBinding();
+    return {
+        hasCert: !!creds,
+        hasBinding: !!binding,
+        bound: !!(creds && binding && creds.accountId === binding.accountId),
+        certAccountId: creds?.accountId ?? null,
+        boundAccountId: binding?.accountId ?? null,
+    };
+}
+/**
+ * Establish the device-local account binding from cert.pem. Used by:
+ *   (1) tunnel-login fresh-success path — first time creds are derived
+ *   (2) migration path — when cert.pem exists from a prior install but no
+ *       binding has yet been written (silent materialization, since the
+ *       cert was already trust-established by the operator's prior login)
+ *
+ * Caller is responsible for declared-zone visibility validation BEFORE
+ * calling this — bindings should never be written to an account that
+ * doesn't own the brand's declared zones (Task 201 write-after-confirm).
+ */
+export function materializeBinding(source) {
+    const creds = parseCertPem();
+    if (!creds) {
+        throw new Error("Cannot materialize binding — cert.pem absent or unparseable");
+    }
+    const binding = writeAccountBinding(creds.accountId);
+    console.error(`[cloudflare:binding-materialized] source=${source} accountId=${creds.accountId} boundAt=${binding.boundAt}`);
+    return binding;
 }
 export async function listZones() {
     const { client } = getClient();
@@ -329,6 +468,17 @@ export async function listZones() {
     }
     return zones;
 }
+export function checkDeclaredZonesOnAccount(declaredZones, accountZones) {
+    return declaredZones.map((zone) => {
+        const lc = zone.toLowerCase();
+        const match = accountZones.find((z) => z.name.toLowerCase() === lc);
+        return {
+            zone,
+            presentOnAccount: !!match,
+            activeOnAccount: match?.status === "active",
+        };
+    });
+}
 export async function getZoneId(domain) {
     const { client } = getClient();
     const zones = await client.zones.list({ name: domain });
@@ -342,9 +492,6 @@ export async function getZoneId(domain) {
 }
 export async function createZone(domain) {
     const { client, accountId } = getClient();
-    if (!accountId) {
-        throw new Error("No account ID available. Re-run cf-set-token — the token must be re-validated to discover the account ID.");
-    }
     // Idempotent — check if zone already exists on this account
     const existing = await client.zones.list({ name: domain });
     const match = existing.result?.[0];
@@ -656,11 +803,11 @@ export async function createDnsRecord(zoneId, subdomain, tunnelId) {
     return { created: true, existing: false, updated: false };
 }
 // ---------------------------------------------------------------------------
-// CLI-based tunnel operations — fallback for cert-derived tokens (cfut_*)
+// CLI-based tunnel operations
 //
-// cert-derived tokens may lack SDK-level permissions for tunnel CRUD and
-// DNS management. The cloudflared CLI uses cert.pem directly, which carries
-// Argo Tunnel permissions sufficient for these operations.
+// `cloudflared` CLI uses cert.pem directly for tunnel CRUD and DNS management.
+// We use it (rather than the SDK) for tunnel-create / route-dns because the
+// cert-bound credential carries the Argo Tunnel permissions needed in one step.
 // ---------------------------------------------------------------------------
 export function createTunnelCli(name) {
     const bin = findBinary();
@@ -755,35 +902,155 @@ export function writeLocalConfig(tunnelId, credentialsPath, hostnames, port) {
     return configPath;
 }
 // ---------------------------------------------------------------------------
-// CLI-based DNS routing
+// CLI-based DNS routing — guarded by manifest scope + post-flight FQDN check
+//
+// `cloudflared tunnel route dns` resolves the target zone from cert.pem's
+// account. If the hostname's registrable parent zone is not on that
+// account, cloudflared silently writes a CNAME under a different zone on
+// the bound account (e.g. admin.example.com.othersite.example when the
+// account holds othersite.example but not example.com). Two layers stop
+// this:
 //
-// cert-derived tokens lack Zone:DNS:Edit, so the SDK's createDnsRecord()
-// fails. `cloudflared tunnel route dns` uses the cert.pem directly, which
-// carries Argo Tunnel permissions sufficient for creating CNAME records
-// that point to the tunnel.
+//   (1) Manifest-scope pre-flight: refuse before invoking the CLI when the
+//       hostname's registrable parent is not in `brand.cloudflare.zones`.
+//       The brand declared the zones; nothing else is routable.
+//   (2) Post-flight FQDN assertion: parse the actual FQDN from
+//       `cloudflared`'s INF line and refuse with a reverse-and-cleanup if
+//       it doesn't exactly equal the requested hostname — defence-in-depth
+//       against cloudflared writing under a sibling zone the manifest also
+//       declared but doesn't actually own on this account.
+//
+// `getClient()` is invoked first to enforce auth pre-conditions
+// (cert+binding+accountId match) so account-drift refusals fire before any
+// CLI process spawns.
 // ---------------------------------------------------------------------------
-export function routeDnsCli(tunnelId, hostname) {
+export async function routeDnsCli(tunnelId, hostname) {
     const bin = findBinary();
     if (!bin)
         throw new Error("cloudflared is not installed");
+    // Auth pre-condition: cert + binding + accountId match. Throws
+    // CloudflareRefusalError on drift before any CLI call.
+    const { client, accountId: boundAccountId } = getClient();
+    // (1) Manifest-scope pre-flight against brand.cloudflare.zones.
+    const brand = loadBrand();
+    const scope = matchManifestZone(hostname, brand.cloudflare.zones);
+    if (!scope.ok) {
+        const detail = {
+            reason: "scope-mismatch",
+            message: `Cannot route ${hostname} — its registrable parent is not in this brand's declared ` +
+                `Cloudflare zones (${brand.cloudflare.zones.join(", ")}). ` +
+                `Hostnames outside the declared scope are refused by design.`,
+            fields: {
+                requestedHostname: hostname,
+                manifestZones: brand.cloudflare.zones,
+            },
+        };
+        logRefuse(detail);
+        throw new CloudflareRefusalError(detail);
+    }
     const cert = findCert();
     if (!cert)
-        throw new Error("No cert.pem found — run tunnel-login first");
+        throw new Error("No cert.pem found — getClient() should have refused first");
+    let output;
     try {
-        const output = execFileSync(bin, ["tunnel", "--origincert", cert, "route", "dns", "--overwrite-dns", tunnelId, hostname], { encoding: "utf-8", timeout: 30000 });
-        console.error(`[tunnel-route-dns] CLI: routed ${hostname} → tunnel ${tunnelId} (overwrite)`);
-        return { created: true, output: output.trim() };
+        output = execFileSync(bin, ["tunnel", "--origincert", cert, "route", "dns", "--overwrite-dns", tunnelId, hostname], { encoding: "utf-8", timeout: 30000 });
     }
     catch (err) {
         const msg = err instanceof Error ? err.stderr ?? err.message : String(err);
-        // With --overwrite-dns this path should not trigger for CNAME conflicts.
-        // If it fires, log the full error so the cause is diagnosable.
         if (typeof msg === "string" && msg.includes("already exists")) {
             console.error(`[tunnel-route-dns] WARNING: ${hostname} "already exists" despite --overwrite-dns: ${msg}`);
-            return { created: false, output: msg };
+            return { created: false, output: msg, fqdn: hostname, zone: scope.matchedZone };
         }
         throw new Error(`cloudflared tunnel route dns failed: ${msg}`);
     }
+    // (2) Post-flight FQDN assertion. Parse the CNAME name cloudflared
+    // actually created from its INF line:
+    //   "INF Added CNAME <fqdn> which will route to this tunnel ..."
+    const fqdnMatch = output.match(/Added CNAME\s+(\S+?)\s+which will route/);
+    if (!fqdnMatch) {
+        // Format drift — log loudly. We treat the absence of the parse as an
+        // observability gap rather than silent success because we can no
+        // longer assert wrong-zone safety.
+        console.error(`[tunnel-route-dns] WARNING: could not parse CNAME FQDN from cloudflared output — format may have changed. Output: ${output.trim()}`);
+        // Surfacing as refusal would block correct flows when cloudflared
+        // changes its log line; surface as unverified-success with the
+        // requested hostname instead. Operators following [cloudflare:*]
+        // grep cadence will see the WARNING line.
+        return {
+            created: true,
+            output: output.trim(),
+            fqdn: hostname,
+            zone: scope.matchedZone,
+        };
+    }
+    const actualFqdn = fqdnMatch[1];
+    if (actualFqdn !== hostname) {
+        // Defence-in-depth: cloudflared wrote the CNAME under a different
+        // FQDN than requested. Log raw evidence first, attempt cleanup ONLY
+        // if the wrong zone is NOT in our declared scope (we never delete
+        // in-scope records as "cleanup"), then refuse.
+        console.error(`[cloudflare:post-flight-mismatch] ${JSON.stringify({
+            requestedHostname: hostname,
+            actualFqdn,
+            tunnelId,
+            boundAccountId,
+        })}`);
+        const actualScope = matchManifestZone(actualFqdn, brand.cloudflare.zones);
+        let cleanupResult = "skipped-in-scope";
+        if (!actualScope.ok) {
+            try {
+                // Find zone for actualFqdn on the bound account; if found, delete
+                // the CNAME we just inadvertently created.
+                const allZones = await listZones();
+                const owningZone = allZones.find((z) => actualFqdn === z.name || actualFqdn.endsWith("." + z.name));
+                if (owningZone) {
+                    const records = await client.dns.records.list({
+                        zone_id: owningZone.id,
+                        name: { exact: actualFqdn },
+                        type: "CNAME",
+                    });
+                    for (const r of records.result ?? []) {
+                        if (r.id)
+                            await client.dns.records.delete(r.id, { zone_id: owningZone.id });
+                    }
+                    cleanupResult = "ok";
+                }
+                else {
+                    cleanupResult = "failed"; // nothing to delete — surface as informational
+                }
+            }
+            catch (cleanupErr) {
+                cleanupResult = "failed";
+                console.error(`[cloudflare:post-flight-cleanup] error: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`);
+            }
+        }
+        console.error(`[cloudflare:post-flight-cleanup] ${JSON.stringify({
+            requestedHostname: hostname,
+            actualFqdn,
+            result: cleanupResult,
+        })}`);
+        const detail = {
+            reason: "post-flight-fqdn-mismatch",
+            message: `cloudflared wrote the CNAME under ${actualFqdn} instead of the requested ${hostname}. ` +
+                `This indicates cert.pem's account does not own the zone for ${hostname} despite ` +
+                `passing manifest scope. ` +
+                recoveryMessage(),
+            fields: {
+                requestedHostname: hostname,
+                actualFqdn,
+                tunnelId,
+                boundAccountId,
+                manifestZones: brand.cloudflare.zones,
+            },
+        };
+        logRefuse(detail);
+        throw new CloudflareRefusalError(detail);
+    }
+    console.error(`[tunnel-route-dns] CLI: routed ${hostname} → tunnel ${tunnelId} (overwrite) fqdn=${actualFqdn} zone=${scope.matchedZone}`);
+    if (process.env.CLOUDFLARE_DEBUG === "1") {
+        console.error(`[cloudflare:guard-pass] ${JSON.stringify({ op: "routeDnsCli", requestedHostname: hostname, zone: scope.matchedZone })}`);
+    }
+    return { created: true, output: output.trim(), fqdn: actualFqdn, zone: scope.matchedZone };
 }
 // ---------------------------------------------------------------------------
 // tunnel login — spawn `cloudflared tunnel login` and capture the auth URL
@@ -1016,8 +1283,8 @@ export function getPersistedHostnames() {
     }
     return [];
 }
-export async function getStatus(domain) {
-    const auth = await validateAuth();
+export function getStatus(domain) {
+    const auth = validateAuth();
     const state = readState();
     const running = state !== null && isProcessAlive(state.pid);
     const effectiveDomain = domain ?? state?.domain ?? null;
@@ -1025,10 +1292,11 @@ export async function getStatus(domain) {
     return {
         installed: isInstalled(),
         version: version(),
-        hasCert: hasCert(),
-        hasToken: auth.hasToken,
-        tokenValid: auth.tokenValid,
-        authError: auth.error ?? null,
+        hasCert: auth.hasCert,
+        hasBinding: auth.hasBinding,
+        bound: auth.bound,
+        certAccountId: auth.certAccountId,
+        boundAccountId: auth.boundAccountId,
         running,
         pid: running ? state.pid : null,
         tunnelId: state?.tunnelId ?? null,
@@ -1107,4 +1375,520 @@ export function stopTunnel() {
     // Preserve tunnel identity, clear process lifecycle
     writeState({ ...state, pid: null, startedAt: null });
 }
+/**
+ * Resolve the live ScopeContext from the brand manifest + binding +
+ * read-only SDK client. Used by tools; tests bypass with their own
+ * ScopeContext.
+ */
+export function liveScopeContext() {
+    const brand = loadBrand();
+    const ro = getReadOnlyClient();
+    return {
+        declaredZones: brand.cloudflare.zones,
+        binding: readAccountBinding(),
+        client: ro.client,
+    };
+}
+/**
+ * cf-verify implementation. Pure-ish: only reads (account state via SDK,
+ * device state via fs). Never mutates. Always returns a structured report
+ * even when cert/binding/account state is absent — fresh-install devices
+ * get a report with everything tagged MISSING.
+ */
+export async function cfVerifyCore(ctx = liveScopeContext()) {
+    const brand = loadBrand();
+    const artefacts = [];
+    console.error(`[cloudflare:verify-start] ${JSON.stringify({
+        brand: brand.productName,
+        declaredZones: ctx.declaredZones,
+        bindingPresent: !!ctx.binding,
+    })}`);
+    // --- Local artefact: cert.pem ---
+    const certCreds = parseCertPem();
+    if (!certCreds) {
+        artefacts.push({ type: "cert.pem", id: certPath(), tag: "missing" });
+    }
+    else if (ctx.binding && certCreds.accountId !== ctx.binding.accountId) {
+        artefacts.push({
+            type: "cert.pem",
+            id: certPath(),
+            tag: "out-of-scope",
+            reason: `cert account ${certCreds.accountId} != binding account ${ctx.binding.accountId}`,
+            detail: { certAccountId: certCreds.accountId, boundAccountId: ctx.binding.accountId },
+        });
+    }
+    else {
+        artefacts.push({ type: "cert.pem", id: certPath(), tag: "in-scope" });
+    }
+    // --- Local artefact: binding ---
+    if (!ctx.binding) {
+        artefacts.push({ type: "binding", id: bindingFile(), tag: "missing" });
+    }
+    else {
+        artefacts.push({
+            type: "binding",
+            id: bindingFile(),
+            tag: "in-scope",
+            detail: { accountId: ctx.binding.accountId, boundAt: ctx.binding.boundAt },
+        });
+    }
+    // --- Account artefacts (only readable when bound and cert valid) ---
+    // Determine if we can call the SDK at all. cfVerify must never fail on
+    // unbound devices — it just reports everything as missing.
+    let accountSummary = null;
+    if (ctx.client && certCreds) {
+        try {
+            const [tunnels, zones] = await Promise.all([
+                listTunnelsViaClient(ctx.client, certCreds.accountId),
+                listZonesViaClient(ctx.client),
+            ]);
+            accountSummary = { tunnels, zones };
+        }
+        catch (err) {
+            console.error(`[cloudflare:verify] account read failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    // --- Declared zones: present + active on account? ---
+    if (accountSummary) {
+        const visibility = checkDeclaredZonesOnAccount(ctx.declaredZones, accountSummary.zones);
+        for (const v of visibility) {
+            if (!v.presentOnAccount) {
+                artefacts.push({
+                    type: "declared-zone",
+                    id: v.zone,
+                    tag: "missing",
+                    reason: "declared in brand.json but absent from bound account",
+                });
+            }
+            else if (!v.activeOnAccount) {
+                artefacts.push({
+                    type: "declared-zone",
+                    id: v.zone,
+                    tag: "out-of-scope",
+                    reason: "present on bound account but not active (likely awaiting nameservers)",
+                });
+            }
+            else {
+                artefacts.push({ type: "declared-zone", id: v.zone, tag: "in-scope" });
+            }
+        }
+        // Zones on the account NOT in the declared scope — informational tag,
+        // out-of-scope, no action required by rebuild (we never delete zones).
+        for (const z of accountSummary.zones) {
+            if (!ctx.declaredZones.some((d) => d.toLowerCase() === z.name.toLowerCase())) {
+                artefacts.push({
+                    type: "declared-zone",
+                    id: z.name,
+                    tag: "out-of-scope",
+                    reason: "zone on bound account but not in brand.cloudflare.zones",
+                });
+            }
+        }
+        // --- Tunnels on account ---
+        const persistedTunnelId = readState()?.tunnelId ?? null;
+        for (const t of accountSummary.tunnels) {
+            const isOurs = t.id === persistedTunnelId;
+            artefacts.push({
+                type: "tunnel",
+                id: `${t.name} (${t.id})`,
+                tag: isOurs ? "in-scope" : "out-of-scope",
+                reason: isOurs ? undefined : "tunnel on account but not in this brand's persisted state",
+                detail: { tunnelId: t.id, tunnelName: t.name },
+            });
+        }
+        // --- DNS CNAMEs under declared zones ---
+        if (ctx.client) {
+            for (const declared of ctx.declaredZones) {
+                const zone = accountSummary.zones.find((z) => z.name.toLowerCase() === declared.toLowerCase() && z.status === "active");
+                if (!zone)
+                    continue;
+                try {
+                    const records = await listCnamesUnderZone(ctx.client, zone.id);
+                    for (const rec of records) {
+                        const ourTunnelTarget = persistedTunnelId
+                            ? `${persistedTunnelId}.cfargotunnel.com`
+                            : null;
+                        const isOurs = ourTunnelTarget !== null && rec.content === ourTunnelTarget;
+                        artefacts.push({
+                            type: "dns-cname",
+                            id: rec.name,
+                            tag: isOurs ? "in-scope" : "out-of-scope",
+                            reason: isOurs ? undefined : `CNAME → ${rec.content} (not this brand's tunnel)`,
+                            detail: { zoneId: zone.id, recordId: rec.id, content: rec.content },
+                        });
+                    }
+                }
+                catch (err) {
+                    console.error(`[cloudflare:verify] failed to list CNAMEs under ${declared}: ${err instanceof Error ? err.message : String(err)}`);
+                }
+            }
+        }
+    }
+    else {
+        // Without an SDK client we cannot enumerate account state — surface
+        // each declared zone as MISSING.
+        for (const zone of ctx.declaredZones) {
+            artefacts.push({
+                type: "declared-zone",
+                id: zone,
+                tag: "missing",
+                reason: "cannot read bound account (no cert or no client)",
+            });
+        }
+    }
+    // --- Local artefacts: tunnel.state, config.yml, alias-domains.json ---
+    const persisted = readState();
+    if (!persisted) {
+        artefacts.push({ type: "tunnel.state", id: statePath(), tag: "missing" });
+    }
+    else {
+        // tunnel.state is in-scope when its tunnelId is present on the bound
+        // account AND its hostnames are all in declared scope.
+        const allHostnames = getPersistedHostnames();
+        const allInScope = allHostnames.every((h) => matchManifestZone(h, ctx.declaredZones).ok);
+        const tunnelOnAccount = accountSummary?.tunnels.some((t) => t.id === persisted.tunnelId) ?? null;
+        if (allInScope && tunnelOnAccount !== false) {
+            artefacts.push({ type: "tunnel.state", id: statePath(), tag: "in-scope" });
+        }
+        else {
+            const reasons = [];
+            if (!allInScope)
+                reasons.push("contains hostnames outside declared scope");
+            if (tunnelOnAccount === false)
+                reasons.push("references tunnel absent from bound account");
+            artefacts.push({
+                type: "tunnel.state",
+                id: statePath(),
+                tag: "out-of-scope",
+                reason: reasons.join("; "),
+                detail: { tunnelId: persisted.tunnelId, hostnames: JSON.stringify(allHostnames) },
+            });
+        }
+        // config.yml mirrors tunnel.state in scope assessment.
+        if (existsSync(persisted.configPath)) {
+            artefacts.push({
+                type: "config.yml",
+                id: persisted.configPath,
+                tag: allInScope ? "in-scope" : "out-of-scope",
+            });
+        }
+        else {
+            artefacts.push({ type: "config.yml", id: persisted.configPath, tag: "missing" });
+        }
+    }
+    const aliases = loadAliasDomains();
+    for (const alias of aliases) {
+        const inScope = matchManifestZone(alias, ctx.declaredZones).ok;
+        artefacts.push({
+            type: "alias-domain",
+            id: alias,
+            tag: inScope ? "in-scope" : "out-of-scope",
+            reason: inScope ? undefined : "alias hostname outside brand.cloudflare.zones",
+        });
+    }
+    const counts = {
+        inScope: artefacts.filter((a) => a.tag === "in-scope").length,
+        outOfScope: artefacts.filter((a) => a.tag === "out-of-scope").length,
+        missing: artefacts.filter((a) => a.tag === "missing").length,
+    };
+    console.error(`[cloudflare:verify-complete] ${JSON.stringify({
+        brand: brand.productName,
+        ...counts,
+    })}`);
+    return {
+        brand: brand.productName,
+        declaredZones: ctx.declaredZones,
+        bindingPresent: !!ctx.binding,
+        bindingMatchesCert: !!(certCreds && ctx.binding && certCreds.accountId === ctx.binding.accountId),
+        certPresent: !!certCreds,
+        artefacts,
+        counts,
+    };
+}
+// Internal helpers — wrap SDK calls so the verify/rebuild cores don't
+// need to know about the SDK shape directly. Keeps mocks shallow.
+async function listZonesViaClient(client) {
+    const zones = [];
+    for await (const zone of client.zones.list()) {
+        zones.push({
+            id: zone.id,
+            name: zone.name,
+            status: zone.status ?? "unknown",
+            nameservers: zone.name_servers ?? [],
+            account: { id: zone.account.id ?? "", name: zone.account.name ?? "" },
+        });
+    }
+    return zones;
+}
+async function listTunnelsViaClient(client, accountId) {
+    const summaries = [];
+    const result = await client.zeroTrust.tunnels.cloudflared.list({
+        account_id: accountId,
+        is_deleted: false,
+    });
+    for (const t of result.result ?? []) {
+        if (!t.id || !t.name)
+            continue;
+        summaries.push({ id: t.id, name: t.name, createdAt: t.created_at ?? null });
+    }
+    return summaries;
+}
+async function listCnamesUnderZone(client, zoneId) {
+    const out = [];
+    for await (const rec of client.dns.records.list({ zone_id: zoneId, type: "CNAME" })) {
+        if (!rec.id || !rec.name)
+            continue;
+        out.push({ id: rec.id, name: rec.name, content: rec.content ?? "" });
+    }
+    return out;
+}
+export async function cfRebuildCore(opts = {}) {
+    const dryRun = opts.dryRun ?? false;
+    const ctx = opts.ctx ?? liveScopeContext();
+    const brand = loadBrand();
+    console.error(`[cloudflare:rebuild-start] ${JSON.stringify({
+        brand: brand.productName,
+        declaredZones: ctx.declaredZones,
+        dryRun,
+    })}`);
+    // Step 1: cert.pem account integrity. cf-rebuild refuses to delete a
+    // wrong-account cert.pem mid-flow — that would create a dead authoring
+    // window with no clear next step. Instead surface the discard intent
+    // and halt with an actionable instruction.
+    const certCreds = parseCertPem();
+    const actions = [];
+    if (!certCreds) {
+        const msg = `cf-rebuild requires cert.pem before it can reconstruct state. ` + recoveryMessage();
+        return {
+            brand: brand.productName,
+            declaredZones: ctx.declaredZones,
+            dryRun,
+            actions: [
+                {
+                    op: "skip-needs-operator",
+                    artefact: { type: "cert.pem", id: certPath(), tag: "missing" },
+                    planned: dryRun,
+                    resultDetail: msg,
+                },
+            ],
+            halted: true,
+            haltReason: msg,
+        };
+    }
+    if (ctx.binding && certCreds.accountId !== ctx.binding.accountId) {
+        const msg = `cert.pem is bound to account ${certCreds.accountId} but the recorded binding is ` +
+            `account ${ctx.binding.accountId}. cf-rebuild will not silently delete cert.pem — ` +
+            `re-run tunnel-login force=true to clear the wrong cert and binding, then re-run cf-rebuild. ` +
+            recoveryMessage();
+        actions.push({
+            op: "skip-needs-operator",
+            artefact: {
+                type: "cert.pem",
+                id: certPath(),
+                tag: "out-of-scope",
+                reason: "wrong-account",
+                detail: { certAccountId: certCreds.accountId, boundAccountId: ctx.binding.accountId },
+            },
+            planned: dryRun,
+            resultDetail: msg,
+        });
+        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "cert.pem", reason: "wrong-account", planned: true })}`);
+        return {
+            brand: brand.productName,
+            declaredZones: ctx.declaredZones,
+            dryRun,
+            actions,
+            halted: true,
+            haltReason: msg,
+        };
+    }
+    // Step 2: ensure binding is materialized. The fresh-install case passes
+    // through here — binding is established from the cert. cf-rebuild does
+    // NOT do declared-zone-visibility validation here because the operator
+    // may be in the middle of adding zones; visibility shows in the final
+    // verify report instead.
+    //
+    // materializeBinding can throw if cert.pem becomes unreadable between
+    // the parseCertPem above and this call (e.g. a concurrent
+    // tunnel-login force=true). Wrap in try/catch so the throw becomes a
+    // structured halted result, not a raw JS Error escaping past the MCP
+    // boundary.
+    if (!ctx.binding) {
+        if (!dryRun) {
+            try {
+                materializeBinding("migration");
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                const halt = `cf-rebuild could not establish account binding: ${msg}. ${recoveryMessage()}`;
+                actions.push({
+                    op: "skip-needs-operator",
+                    artefact: { type: "binding", id: bindingFile(), tag: "missing" },
+                    planned: dryRun,
+                    result: "failed",
+                    resultDetail: halt,
+                });
+                return {
+                    brand: brand.productName,
+                    declaredZones: ctx.declaredZones,
+                    dryRun,
+                    actions,
+                    halted: true,
+                    haltReason: halt,
+                };
+            }
+        }
+        actions.push({
+            op: "recreate",
+            artefact: {
+                type: "binding",
+                id: bindingFile(),
+                tag: "missing",
+            },
+            planned: dryRun,
+            result: "ok",
+        });
+    }
+    // Step 3: gather verify report so we have a plan.
+    const verify = await cfVerifyCore(ctx);
+    // Step 4: discard out-of-scope artefacts. Order matters: DNS records
+    // first (so the tunnel can be deleted afterwards without orphaning
+    // routes), then alias-domain entries, then tunnel.state, then config.yml.
+    // We never delete cert.pem, never delete declared zones (out-of-scope
+    // declared-zone entries are operator-action items, not rebuild work),
+    // never delete tunnels owned by the bound account that don't match our
+    // persisted state (those belong to other devices on the same account
+    // — Task 525's multi-device contention pattern).
+    const liveClient = ctx.client; // may be null in tests
+    for (const a of verify.artefacts) {
+        if (a.tag !== "out-of-scope")
+            continue;
+        const action = { op: "discard", artefact: a, planned: dryRun };
+        try {
+            switch (a.type) {
+                case "dns-cname": {
+                    if (!dryRun && liveClient) {
+                        const zoneId = String(a.detail?.zoneId ?? "");
+                        const recordId = String(a.detail?.recordId ?? "");
+                        if (zoneId && recordId) {
+                            await liveClient.dns.records.delete(recordId, { zone_id: zoneId });
+                        }
+                    }
+                    action.result = "ok";
+                    break;
+                }
+                case "alias-domain": {
+                    if (!dryRun) {
+                        const aliases = loadAliasDomains();
+                        aliases.delete(a.id);
+                        const path = aliasDomainPath();
+                        mkdirSync(join(homedir(), loadBrand().configDir), { recursive: true });
+                        writeFileSync(path, JSON.stringify([...aliases], null, 2), "utf-8");
+                    }
+                    action.result = "ok";
+                    break;
+                }
+                case "tunnel.state":
+                case "config.yml": {
+                    if (!dryRun) {
+                        try {
+                            unlinkSync(a.id);
+                        }
+                        catch (err) {
+                            const code = err.code;
+                            if (code !== "ENOENT")
+                                throw err;
+                        }
+                    }
+                    action.result = "ok";
+                    break;
+                }
+                case "tunnel": {
+                    // Out-of-scope tunnels are siblings on the same account — leave
+                    // them alone. Other devices may rely on them. Surface as
+                    // discard intent but skip without mutating.
+                    action.op = "skip-needs-operator";
+                    action.result = "ok";
+                    action.resultDetail = "tunnel on bound account but not this brand's — left untouched";
+                    break;
+                }
+                case "declared-zone": {
+                    // Out-of-scope declared-zones are zones on the bound account that
+                    // aren't in the manifest. Informational; never deleted.
+                    action.op = "skip-needs-operator";
+                    action.result = "ok";
+                    action.resultDetail = "zone on bound account outside brand scope — informational";
+                    break;
+                }
+                case "cert.pem":
+                case "binding":
+                    // Handled above (refuse-to-delete cert; binding mutated by force-reset path only)
+                    action.op = "skip-needs-operator";
+                    action.result = "ok";
+                    break;
+                default:
+                    action.result = "failed";
+                    action.resultDetail = `unknown artefact type ${a.type}`;
+            }
+        }
+        catch (err) {
+            action.result = "failed";
+            action.resultDetail = err instanceof Error ? err.message : String(err);
+        }
+        if (action.op === "discard") {
+            console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: a.type, id: a.id, planned: dryRun, result: action.result ?? null })}`);
+        }
+        actions.push(action);
+    }
+    // Step 5: create missing in-scope artefacts. We cannot create CF-side
+    // missing zones (operator must add zones at cloudflare.com) — surface as
+    // skip-needs-operator. We can re-create local state if the tunnel
+    // exists on the account but local state is missing; that's a Task 521
+    // scenario (re-attaching a tunnel) and is out of scope here. v1 of
+    // cf-rebuild surfaces missing local artefacts as informational.
+    for (const a of verify.artefacts) {
+        if (a.tag !== "missing")
+            continue;
+        if (a.type === "declared-zone") {
+            actions.push({
+                op: "skip-needs-operator",
+                artefact: a,
+                planned: dryRun,
+                result: "ok",
+                resultDetail: `declared zone "${a.id}" must be added to the bound Cloudflare account before tunnel-create can route to it`,
+            });
+        }
+        else if (a.type === "binding" || a.type === "cert.pem") {
+            // Already handled above
+        }
+        else {
+            actions.push({
+                op: "skip-needs-operator",
+                artefact: a,
+                planned: dryRun,
+                result: "ok",
+                resultDetail: `missing local artefact — run cloudflare-setup or tunnel-create to create`,
+            });
+        }
+    }
+    // Step 6: rerun verify (unless dry-run) to capture final state.
+    let finalVerify;
+    if (!dryRun) {
+        finalVerify = await cfVerifyCore(ctx);
+    }
+    console.error(`[cloudflare:rebuild-complete] ${JSON.stringify({
+        brand: brand.productName,
+        dryRun,
+        actionCount: actions.length,
+        finalCounts: finalVerify?.counts ?? null,
+    })}`);
+    return {
+        brand: brand.productName,
+        declaredZones: ctx.declaredZones,
+        dryRun,
+        actions,
+        halted: false,
+        finalVerify,
+    };
+}
 //# sourceMappingURL=cloudflared.js.map