@rubytech/create-realagent 1.0.616 → 1.0.618

package/payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js

@@ -17,25 +17,9 @@ export function loadBrand() {
         throw new Error(`brand.json not found at ${brandPath} — PLATFORM_ROOT may be incorrect`);
     }
     const parsed = JSON.parse(readFileSync(brandPath, "utf-8"));
-    // configDir/productName fall back to Maxy values for forward compat with
-    // older manifests; cloudflare.zones does NOT — its absence is an
-    // authoritative-scope problem the bundler should have caught.
-    if (!parsed.cloudflare ||
-        !Array.isArray(parsed.cloudflare.zones) ||
-        parsed.cloudflare.zones.length === 0) {
-        throw new Error(`brand.json at ${brandPath} is missing a non-empty cloudflare.zones array. ` +
-            `The Cloudflare plugin refuses to start without an explicit zone declaration. ` +
-            `Add cloudflare.zones to brands/<name>/brand.json and republish the brand package.`);
-    }
-    for (const zone of parsed.cloudflare.zones) {
-        if (typeof zone !== "string" || zone.length === 0) {
-            throw new Error(`brand.json at ${brandPath} has invalid cloudflare.zones entry: ${JSON.stringify(zone)}`);
-        }
-    }
     cachedBrand = {
         configDir: parsed.configDir ?? ".maxy",
         productName: parsed.productName ?? "Maxy",
-        cloudflare: { zones: parsed.cloudflare.zones.slice() },
     };
     return cachedBrand;
 }
@@ -155,14 +139,15 @@ function resetAccountBinding() {
         return false;
     }
 }
-export function matchManifestZone(hostname, declaredZones) {
+export function matchAccountZone(hostname, accountZones) {
+    const active = accountZones.filter((z) => z.status === "active").map((z) => z.name);
     const lc = hostname.toLowerCase();
-    const candidates = declaredZones.filter((z) => lc === z.toLowerCase() || lc.endsWith("." + z.toLowerCase()));
+    const candidates = active.filter((z) => lc === z.toLowerCase() || lc.endsWith("." + z.toLowerCase()));
     if (candidates.length === 0) {
-        return { ok: false, matchedZone: null, declaredZones: declaredZones.slice() };
+        return { ok: false, matchedZone: null, accountZones: active };
     }
     candidates.sort((a, b) => b.length - a.length);
-    return { ok: true, matchedZone: candidates[0], declaredZones: declaredZones.slice() };
+    return { ok: true, matchedZone: candidates[0], accountZones: active };
 }
 export function logRefuse(detail) {
     const brand = (() => {
@@ -173,30 +158,29 @@ export function logRefuse(detail) {
             return null;
         }
     })();
+    const f = detail.fields ?? {};
     const fields = {
         reason: detail.reason,
         brand: brand?.productName ?? "unknown",
-        manifestZones: detail.fields.manifestZones ?? brand?.cloudflare.zones ?? null,
-        boundAccountId: detail.fields.boundAccountId ?? null,
-        certAccountId: detail.fields.certAccountId ?? null,
-        requestedDomain: detail.fields.requestedDomain ?? null,
-        requestedHostname: detail.fields.requestedHostname ?? null,
-        actualFqdn: detail.fields.actualFqdn ?? null,
-        tunnelId: detail.fields.tunnelId ?? null,
+        accountZones: f.accountZones ?? null,
+        boundAccountId: f.boundAccountId ?? null,
+        certAccountId: f.certAccountId ?? null,
+        requestedDomain: f.requestedDomain ?? null,
+        requestedHostname: f.requestedHostname ?? null,
+        actualFqdn: f.actualFqdn ?? null,
+        tunnelId: f.tunnelId ?? null,
     };
     console.error(`[cloudflare:refuse] ${JSON.stringify(fields)}`);
 }
 /**
- * Emit a single recovery instruction. Every refusal instructs the same path:
- * tunnel-login under the account that owns the brand's declared zones.
- * No alternative auth path exists.
+ * Single recovery instruction. Every refusal instructs the same path:
+ * tunnel-login under the Cloudflare account that owns the target zone.
  */
 export function recoveryMessage() {
-    const brand = loadBrand();
     return (`Recovery: run tunnel-login while signed into the Cloudflare account that owns ` +
-        `the declared zones for this brand: ${brand.cloudflare.zones.join(", ")}. ` +
-        `If you recently rotated the cert under a different account, pass force=true ` +
-        `to clear the existing cert.pem and account binding before re-authenticating.`);
+        `the target zone. If you recently rotated the cert under a different account, ` +
+        `pass force=true to clear the existing cert.pem and account binding before ` +
+        `re-authenticating.`);
 }
 // ---------------------------------------------------------------------------
 // Reset auth — unlinks cert.pem (both paths) and the account binding
@@ -468,17 +452,6 @@ export async function listZones() {
     }
     return zones;
 }
-export function checkDeclaredZonesOnAccount(declaredZones, accountZones) {
-    return declaredZones.map((zone) => {
-        const lc = zone.toLowerCase();
-        const match = accountZones.find((z) => z.name.toLowerCase() === lc);
-        return {
-            zone,
-            presentOnAccount: !!match,
-            activeOnAccount: match?.status === "active",
-        };
-    });
-}
 export async function getZoneId(domain) {
     const { client } = getClient();
     const zones = await client.zones.list({ name: domain });
@@ -902,47 +875,39 @@ export function writeLocalConfig(tunnelId, credentialsPath, hostnames, port) {
     return configPath;
 }
 // ---------------------------------------------------------------------------
-// CLI-based DNS routing — guarded by manifest scope + post-flight FQDN check
+// CLI-based DNS routing — guarded by live account-zone check + post-flight
 //
 // `cloudflared tunnel route dns` resolves the target zone from cert.pem's
-// account. If the hostname's registrable parent zone is not on that
-// account, cloudflared silently writes a CNAME under a different zone on
-// the bound account (e.g. admin.example.com.othersite.example when the
-// account holds othersite.example but not example.com). Two layers stop
-// this:
+// account. If the hostname's registrable parent zone is not on that account,
+// cloudflared silently writes a CNAME under a different zone (the original
+// joelsmalley.xyz wrong-routing bug). Defence in depth:
 //
-//   (1) Manifest-scope pre-flight: refuse before invoking the CLI when the
-//       hostname's registrable parent is not in `brand.cloudflare.zones`.
-//       The brand declared the zones; nothing else is routable.
-//   (2) Post-flight FQDN assertion: parse the actual FQDN from
-//       `cloudflared`'s INF line and refuse with a reverse-and-cleanup if
-//       it doesn't exactly equal the requested hostname — defence-in-depth
-//       against cloudflared writing under a sibling zone the manifest also
-//       declared but doesn't actually own on this account.
+//   (1) Live account-zone check: list the bound account's zones, refuse if
+//       hostname's registrable parent is not active on that account.
+//   (2) Post-flight FQDN assertion: the FQDN cloudflared wrote must equal
+//       the requested hostname. Mismatch → reverse-and-refuse.
 //
-// `getClient()` is invoked first to enforce auth pre-conditions
-// (cert+binding+accountId match) so account-drift refusals fire before any
-// CLI process spawns.
+// `getClient()` runs first to enforce auth pre-conditions.
 // ---------------------------------------------------------------------------
 export async function routeDnsCli(tunnelId, hostname) {
     const bin = findBinary();
     if (!bin)
         throw new Error("cloudflared is not installed");
-    // Auth pre-condition: cert + binding + accountId match. Throws
-    // CloudflareRefusalError on drift before any CLI call.
     const { client, accountId: boundAccountId } = getClient();
-    // (1) Manifest-scope pre-flight against brand.cloudflare.zones.
-    const brand = loadBrand();
-    const scope = matchManifestZone(hostname, brand.cloudflare.zones);
+    // (1) Live account-zone check.
+    const accountZones = await listZones();
+    const scope = matchAccountZone(hostname, accountZones);
     if (!scope.ok) {
         const detail = {
             reason: "scope-mismatch",
-            message: `Cannot route ${hostname} — its registrable parent is not in this brand's declared ` +
-                `Cloudflare zones (${brand.cloudflare.zones.join(", ")}). ` +
-                `Hostnames outside the declared scope are refused by design.`,
+            message: `Cannot route ${hostname} — no active zone on the bound Cloudflare account ` +
+                `owns this hostname's registrable parent. Active zones on this account: ` +
+                `${scope.accountZones.join(", ") || "none"}. Add the parent zone to the account ` +
+                `(cf-add-zone or via the Cloudflare dashboard), or pick a hostname under one ` +
+                `of the existing zones.`,
             fields: {
                 requestedHostname: hostname,
-                manifestZones: brand.cloudflare.zones,
+                accountZones: scope.accountZones,
             },
         };
         logRefuse(detail);
@@ -963,19 +928,10 @@ export async function routeDnsCli(tunnelId, hostname) {
         }
         throw new Error(`cloudflared tunnel route dns failed: ${msg}`);
     }
-    // (2) Post-flight FQDN assertion. Parse the CNAME name cloudflared
-    // actually created from its INF line:
-    //   "INF Added CNAME <fqdn> which will route to this tunnel ..."
+    // (2) Post-flight FQDN assertion.
     const fqdnMatch = output.match(/Added CNAME\s+(\S+?)\s+which will route/);
     if (!fqdnMatch) {
-        // Format drift — log loudly. We treat the absence of the parse as an
-        // observability gap rather than silent success because we can no
-        // longer assert wrong-zone safety.
         console.error(`[tunnel-route-dns] WARNING: could not parse CNAME FQDN from cloudflared output — format may have changed. Output: ${output.trim()}`);
-        // Surfacing as refusal would block correct flows when cloudflared
-        // changes its log line; surface as unverified-success with the
-        // requested hostname instead. Operators following [cloudflare:*]
-        // grep cadence will see the WARNING line.
         return {
             created: true,
             output: output.trim(),
@@ -985,45 +941,34 @@ export async function routeDnsCli(tunnelId, hostname) {
     }
     const actualFqdn = fqdnMatch[1];
     if (actualFqdn !== hostname) {
-        // Defence-in-depth: cloudflared wrote the CNAME under a different
-        // FQDN than requested. Log raw evidence first, attempt cleanup ONLY
-        // if the wrong zone is NOT in our declared scope (we never delete
-        // in-scope records as "cleanup"), then refuse.
+        // cloudflared wrote a CNAME under a different FQDN than requested —
+        // somehow the live-zone check passed but the routing landed elsewhere.
+        // Log evidence, attempt to delete the wrong CNAME, refuse.
         console.error(`[cloudflare:post-flight-mismatch] ${JSON.stringify({
             requestedHostname: hostname,
             actualFqdn,
             tunnelId,
             boundAccountId,
         })}`);
-        const actualScope = matchManifestZone(actualFqdn, brand.cloudflare.zones);
-        let cleanupResult = "skipped-in-scope";
-        if (!actualScope.ok) {
-            try {
-                // Find zone for actualFqdn on the bound account; if found, delete
-                // the CNAME we just inadvertently created.
-                const allZones = await listZones();
-                const owningZone = allZones.find((z) => actualFqdn === z.name || actualFqdn.endsWith("." + z.name));
-                if (owningZone) {
-                    const records = await client.dns.records.list({
-                        zone_id: owningZone.id,
-                        name: { exact: actualFqdn },
-                        type: "CNAME",
-                    });
-                    for (const r of records.result ?? []) {
-                        if (r.id)
-                            await client.dns.records.delete(r.id, { zone_id: owningZone.id });
-                    }
-                    cleanupResult = "ok";
-                }
-                else {
-                    cleanupResult = "failed"; // nothing to delete — surface as informational
+        let cleanupResult = "failed";
+        try {
+            const owningZone = accountZones.find((z) => actualFqdn === z.name || actualFqdn.endsWith("." + z.name));
+            if (owningZone) {
+                const records = await client.dns.records.list({
+                    zone_id: owningZone.id,
+                    name: { exact: actualFqdn },
+                    type: "CNAME",
+                });
+                for (const r of records.result ?? []) {
+                    if (r.id)
+                        await client.dns.records.delete(r.id, { zone_id: owningZone.id });
                 }
-            }
-            catch (cleanupErr) {
-                cleanupResult = "failed";
-                console.error(`[cloudflare:post-flight-cleanup] error: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`);
+                cleanupResult = "ok";
             }
         }
+        catch (cleanupErr) {
+            console.error(`[cloudflare:post-flight-cleanup] error: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`);
+        }
         console.error(`[cloudflare:post-flight-cleanup] ${JSON.stringify({
             requestedHostname: hostname,
             actualFqdn,
@@ -1032,24 +977,18 @@ export async function routeDnsCli(tunnelId, hostname) {
         const detail = {
             reason: "post-flight-fqdn-mismatch",
             message: `cloudflared wrote the CNAME under ${actualFqdn} instead of the requested ${hostname}. ` +
-                `This indicates cert.pem's account does not own the zone for ${hostname} despite ` +
-                `passing manifest scope. ` +
-                recoveryMessage(),
+                `Cleanup ${cleanupResult === "ok" ? "succeeded" : "failed"}. Re-run cf-rebuild to reconcile.`,
             fields: {
                 requestedHostname: hostname,
                 actualFqdn,
                 tunnelId,
                 boundAccountId,
-                manifestZones: brand.cloudflare.zones,
             },
         };
         logRefuse(detail);
         throw new CloudflareRefusalError(detail);
     }
     console.error(`[tunnel-route-dns] CLI: routed ${hostname} → tunnel ${tunnelId} (overwrite) fqdn=${actualFqdn} zone=${scope.matchedZone}`);
-    if (process.env.CLOUDFLARE_DEBUG === "1") {
-        console.error(`[cloudflare:guard-pass] ${JSON.stringify({ op: "routeDnsCli", requestedHostname: hostname, zone: scope.matchedZone })}`);
-    }
     return { created: true, output: output.trim(), fqdn: actualFqdn, zone: scope.matchedZone };
 }
 // ---------------------------------------------------------------------------
@@ -1376,237 +1315,109 @@ export function stopTunnel() {
     writeState({ ...state, pid: null, startedAt: null });
 }
 /**
- * Resolve the live ScopeContext from the brand manifest + binding +
- * read-only SDK client. Used by tools; tests bypass with their own
- * ScopeContext.
+ * cf-verify: read everything, tag nothing as good or bad. The bound
+ * Cloudflare account is the universe; the agent decides what is pollution
+ * from the operator's stated intent in the current conversation.
+ *
+ * The `pollution` field returned here is the default no-intent view —
+ * account artefacts the device's persisted `tunnel.state` + `alias-domains.json`
+ * don't reference. The orchestrator recomputes against explicit intent
+ * when the operator picks a zone.
  */
-export function liveScopeContext() {
+export async function cfVerifyCore() {
     const brand = loadBrand();
+    console.error(`[cloudflare:verify-start] ${JSON.stringify({ brand: brand.productName })}`);
+    const device = readDeviceSnapshot();
     const ro = getReadOnlyClient();
-    return {
-        declaredZones: brand.cloudflare.zones,
-        binding: readAccountBinding(),
-        client: ro.client,
-    };
-}
-/**
- * cf-verify implementation. Pure-ish: only reads (account state via SDK,
- * device state via fs). Never mutates. Always returns a structured report
- * even when cert/binding/account state is absent — fresh-install devices
- * get a report with everything tagged MISSING.
- */
-export async function cfVerifyCore(ctx = liveScopeContext()) {
-    const brand = loadBrand();
-    const artefacts = [];
-    console.error(`[cloudflare:verify-start] ${JSON.stringify({
-        brand: brand.productName,
-        declaredZones: ctx.declaredZones,
-        bindingPresent: !!ctx.binding,
-    })}`);
-    // --- Local artefact: cert.pem ---
-    const certCreds = parseCertPem();
-    if (!certCreds) {
-        artefacts.push({ type: "cert.pem", id: certPath(), tag: "missing" });
-    }
-    else if (ctx.binding && certCreds.accountId !== ctx.binding.accountId) {
-        artefacts.push({
-            type: "cert.pem",
-            id: certPath(),
-            tag: "out-of-scope",
-            reason: `cert account ${certCreds.accountId} != binding account ${ctx.binding.accountId}`,
-            detail: { certAccountId: certCreds.accountId, boundAccountId: ctx.binding.accountId },
-        });
-    }
-    else {
-        artefacts.push({ type: "cert.pem", id: certPath(), tag: "in-scope" });
-    }
-    // --- Local artefact: binding ---
-    if (!ctx.binding) {
-        artefacts.push({ type: "binding", id: bindingFile(), tag: "missing" });
-    }
-    else {
-        artefacts.push({
-            type: "binding",
-            id: bindingFile(),
-            tag: "in-scope",
-            detail: { accountId: ctx.binding.accountId, boundAt: ctx.binding.boundAt },
-        });
-    }
-    // --- Account artefacts (only readable when bound and cert valid) ---
-    // Determine if we can call the SDK at all. cfVerify must never fail on
-    // unbound devices — it just reports everything as missing.
-    let accountSummary = null;
-    if (ctx.client && certCreds) {
+    let account = null;
+    if (ro.client && ro.certAccountId) {
         try {
-            const [tunnels, zones] = await Promise.all([
-                listTunnelsViaClient(ctx.client, certCreds.accountId),
-                listZonesViaClient(ctx.client),
+            const [zones, tunnels] = await Promise.all([
+                listZonesViaClient(ro.client),
+                listTunnelsViaClient(ro.client, ro.certAccountId),
             ]);
-            accountSummary = { tunnels, zones };
-        }
-        catch (err) {
-            console.error(`[cloudflare:verify] account read failed: ${err instanceof Error ? err.message : String(err)}`);
-        }
-    }
-    // --- Declared zones: present + active on account? ---
-    if (accountSummary) {
-        const visibility = checkDeclaredZonesOnAccount(ctx.declaredZones, accountSummary.zones);
-        for (const v of visibility) {
-            if (!v.presentOnAccount) {
-                artefacts.push({
-                    type: "declared-zone",
-                    id: v.zone,
-                    tag: "missing",
-                    reason: "declared in brand.json but absent from bound account",
-                });
-            }
-            else if (!v.activeOnAccount) {
-                artefacts.push({
-                    type: "declared-zone",
-                    id: v.zone,
-                    tag: "out-of-scope",
-                    reason: "present on bound account but not active (likely awaiting nameservers)",
-                });
-            }
-            else {
-                artefacts.push({ type: "declared-zone", id: v.zone, tag: "in-scope" });
-            }
-        }
-        // Zones on the account NOT in the declared scope — informational tag,
-        // out-of-scope, no action required by rebuild (we never delete zones).
-        for (const z of accountSummary.zones) {
-            if (!ctx.declaredZones.some((d) => d.toLowerCase() === z.name.toLowerCase())) {
-                artefacts.push({
-                    type: "declared-zone",
-                    id: z.name,
-                    tag: "out-of-scope",
-                    reason: "zone on bound account but not in brand.cloudflare.zones",
-                });
-            }
-        }
-        // --- Tunnels on account ---
-        const persistedTunnelId = readState()?.tunnelId ?? null;
-        for (const t of accountSummary.tunnels) {
-            const isOurs = t.id === persistedTunnelId;
-            artefacts.push({
-                type: "tunnel",
-                id: `${t.name} (${t.id})`,
-                tag: isOurs ? "in-scope" : "out-of-scope",
-                reason: isOurs ? undefined : "tunnel on account but not in this brand's persisted state",
-                detail: { tunnelId: t.id, tunnelName: t.name },
-            });
-        }
-        // --- DNS CNAMEs under declared zones ---
-        if (ctx.client) {
-            for (const declared of ctx.declaredZones) {
-                const zone = accountSummary.zones.find((z) => z.name.toLowerCase() === declared.toLowerCase() && z.status === "active");
-                if (!zone)
+            const cnames = [];
+            for (const z of zones) {
+                if (z.status !== "active")
                     continue;
                 try {
-                    const records = await listCnamesUnderZone(ctx.client, zone.id);
-                    for (const rec of records) {
-                        const ourTunnelTarget = persistedTunnelId
-                            ? `${persistedTunnelId}.cfargotunnel.com`
-                            : null;
-                        const isOurs = ourTunnelTarget !== null && rec.content === ourTunnelTarget;
-                        artefacts.push({
-                            type: "dns-cname",
-                            id: rec.name,
-                            tag: isOurs ? "in-scope" : "out-of-scope",
-                            reason: isOurs ? undefined : `CNAME → ${rec.content} (not this brand's tunnel)`,
-                            detail: { zoneId: zone.id, recordId: rec.id, content: rec.content },
-                        });
+                    const recs = await listCnamesUnderZone(ro.client, z.id);
+                    for (const r of recs) {
+                        cnames.push({ zone: z.name, recordId: r.id, name: r.name, content: r.content });
                     }
                 }
                 catch (err) {
-                    console.error(`[cloudflare:verify] failed to list CNAMEs under ${declared}: ${err instanceof Error ? err.message : String(err)}`);
+                    console.error(`[cloudflare:verify] failed to list CNAMEs under ${z.name}: ${err instanceof Error ? err.message : String(err)}`);
                 }
             }
+            account = {
+                accountId: ro.certAccountId,
+                zones: zones.map((z) => ({ id: z.id, name: z.name, status: z.status })),
+                tunnels: tunnels.map((t) => ({ id: t.id, name: t.name })),
+                cnames,
+            };
         }
-    }
-    else {
-        // Without an SDK client we cannot enumerate account state — surface
-        // each declared zone as MISSING.
-        for (const zone of ctx.declaredZones) {
-            artefacts.push({
-                type: "declared-zone",
-                id: zone,
-                tag: "missing",
-                reason: "cannot read bound account (no cert or no client)",
-            });
-        }
-    }
-    // --- Local artefacts: tunnel.state, config.yml, alias-domains.json ---
-    const persisted = readState();
-    if (!persisted) {
-        artefacts.push({ type: "tunnel.state", id: statePath(), tag: "missing" });
-    }
-    else {
-        // tunnel.state is in-scope when its tunnelId is present on the bound
-        // account AND its hostnames are all in declared scope.
-        const allHostnames = getPersistedHostnames();
-        const allInScope = allHostnames.every((h) => matchManifestZone(h, ctx.declaredZones).ok);
-        const tunnelOnAccount = accountSummary?.tunnels.some((t) => t.id === persisted.tunnelId) ?? null;
-        if (allInScope && tunnelOnAccount !== false) {
-            artefacts.push({ type: "tunnel.state", id: statePath(), tag: "in-scope" });
-        }
-        else {
-            const reasons = [];
-            if (!allInScope)
-                reasons.push("contains hostnames outside declared scope");
-            if (tunnelOnAccount === false)
-                reasons.push("references tunnel absent from bound account");
-            artefacts.push({
-                type: "tunnel.state",
-                id: statePath(),
-                tag: "out-of-scope",
-                reason: reasons.join("; "),
-                detail: { tunnelId: persisted.tunnelId, hostnames: JSON.stringify(allHostnames) },
-            });
-        }
-        // config.yml mirrors tunnel.state in scope assessment.
-        if (existsSync(persisted.configPath)) {
-            artefacts.push({
-                type: "config.yml",
-                id: persisted.configPath,
-                tag: allInScope ? "in-scope" : "out-of-scope",
-            });
-        }
-        else {
-            artefacts.push({ type: "config.yml", id: persisted.configPath, tag: "missing" });
+        catch (err) {
+            console.error(`[cloudflare:verify] account read failed: ${err instanceof Error ? err.message : String(err)}`);
         }
     }
-    const aliases = loadAliasDomains();
-    for (const alias of aliases) {
-        const inScope = matchManifestZone(alias, ctx.declaredZones).ok;
-        artefacts.push({
-            type: "alias-domain",
-            id: alias,
-            tag: inScope ? "in-scope" : "out-of-scope",
-            reason: inScope ? undefined : "alias hostname outside brand.cloudflare.zones",
-        });
-    }
-    const counts = {
-        inScope: artefacts.filter((a) => a.tag === "in-scope").length,
-        outOfScope: artefacts.filter((a) => a.tag === "out-of-scope").length,
-        missing: artefacts.filter((a) => a.tag === "missing").length,
-    };
+    const pollution = computePollution(account, device);
     console.error(`[cloudflare:verify-complete] ${JSON.stringify({
         brand: brand.productName,
-        ...counts,
+        accountZones: account?.zones.length ?? 0,
+        accountTunnels: account?.tunnels.length ?? 0,
+        accountCnames: account?.cnames.length ?? 0,
+        pollutionTunnels: pollution.tunnels.length,
+        pollutionCnames: pollution.cnames.length,
+        pollutionZones: pollution.zones.length,
     })}`);
+    return { brand: brand.productName, device, account, pollution };
+}
+function readDeviceSnapshot() {
+    const auth = validateAuth();
+    const state = readState();
+    const aliases = [...loadAliasDomains()];
     return {
-        brand: brand.productName,
-        declaredZones: ctx.declaredZones,
-        bindingPresent: !!ctx.binding,
-        bindingMatchesCert: !!(certCreds && ctx.binding && certCreds.accountId === ctx.binding.accountId),
-        certPresent: !!certCreds,
-        artefacts,
-        counts,
+        certPath: certPath(),
+        certPresent: auth.hasCert,
+        bindingPath: bindingFile(),
+        bindingPresent: auth.hasBinding,
+        bindingMatchesCert: auth.bound,
+        certAccountId: auth.certAccountId,
+        boundAccountId: auth.boundAccountId,
+        tunnelStatePath: statePath(),
+        tunnelState: state,
+        configYmlPath: state?.configPath ?? null,
+        configYmlPresent: !!(state?.configPath && existsSync(state.configPath)),
+        aliasDomains: aliases,
     };
 }
-// Internal helpers — wrap SDK calls so the verify/rebuild cores don't
-// need to know about the SDK shape directly. Keeps mocks shallow.
+function computePollution(account, device) {
+    if (!account)
+        return { tunnels: [], cnames: [], zones: [] };
+    const intendedTunnelId = device.tunnelState?.tunnelId ?? null;
+    const intendedHostnames = new Set();
+    if (device.tunnelState?.adminHostname)
+        intendedHostnames.add(device.tunnelState.adminHostname.toLowerCase());
+    if (device.tunnelState?.publicHostname)
+        intendedHostnames.add(device.tunnelState.publicHostname.toLowerCase());
+    for (const a of device.aliasDomains)
+        intendedHostnames.add(a.toLowerCase());
+    // Zones the intended hostnames live under — those are "in use".
+    const inUseZones = new Set();
+    for (const h of intendedHostnames) {
+        for (const z of account.zones) {
+            if (h === z.name.toLowerCase() || h.endsWith("." + z.name.toLowerCase())) {
+                inUseZones.add(z.name.toLowerCase());
+                break;
+            }
+        }
+    }
+    const pollutionTunnels = account.tunnels.filter((t) => t.id !== intendedTunnelId);
+    const pollutionCnames = account.cnames.filter((c) => !intendedHostnames.has(c.name.toLowerCase()));
+    const pollutionZones = account.zones.filter((z) => !inUseZones.has(z.name.toLowerCase()));
+    return { tunnels: pollutionTunnels, cnames: pollutionCnames, zones: pollutionZones };
+}
 async function listZonesViaClient(client) {
     const zones = [];
     for await (const zone of client.zones.list()) {
@@ -1644,251 +1455,211 @@ async function listCnamesUnderZone(client, zoneId) {
 }
 export async function cfRebuildCore(opts = {}) {
     const dryRun = opts.dryRun ?? false;
-    const ctx = opts.ctx ?? liveScopeContext();
     const brand = loadBrand();
-    console.error(`[cloudflare:rebuild-start] ${JSON.stringify({
-        brand: brand.productName,
-        declaredZones: ctx.declaredZones,
-        dryRun,
-    })}`);
-    // Step 1: cert.pem account integrity. cf-rebuild refuses to delete a
-    // wrong-account cert.pem mid-flow — that would create a dead authoring
-    // window with no clear next step. Instead surface the discard intent
-    // and halt with an actionable instruction.
-    const certCreds = parseCertPem();
-    const actions = [];
-    if (!certCreds) {
-        const msg = `cf-rebuild requires cert.pem before it can reconstruct state. ` + recoveryMessage();
+    console.error(`[cloudflare:rebuild-start] ${JSON.stringify({ brand: brand.productName, dryRun })}`);
+    // Auth gate. We need a client to mutate the account.
+    let client;
+    let accountId;
+    try {
+        const c = getClient();
+        client = c.client;
+        accountId = c.accountId;
+    }
+    catch (err) {
+        if (err instanceof CloudflareRefusalError) {
+            return {
+                brand: brand.productName,
+                dryRun,
+                preserve: { zones: [], tunnelIds: [], cnames: null },
+                actions: [],
+                halted: true,
+                haltReason: err.refusal.message,
+            };
+        }
+        throw err;
+    }
+    // Snapshot the account before mutating.
+    const verify = await cfVerifyCore();
+    if (!verify.account) {
         return {
             brand: brand.productName,
-            declaredZones: ctx.declaredZones,
             dryRun,
-            actions: [
-                {
-                    op: "skip-needs-operator",
-                    artefact: { type: "cert.pem", id: certPath(), tag: "missing" },
-                    planned: dryRun,
-                    resultDetail: msg,
-                },
-            ],
+            preserve: { zones: [], tunnelIds: [], cnames: null },
+            actions: [],
             halted: true,
-            haltReason: msg,
+            haltReason: "Could not read account state (cf-verify returned no account snapshot).",
         };
     }
-    if (ctx.binding && certCreds.accountId !== ctx.binding.accountId) {
-        const msg = `cert.pem is bound to account ${certCreds.accountId} but the recorded binding is ` +
-            `account ${ctx.binding.accountId}. cf-rebuild will not silently delete cert.pem — ` +
-            `re-run tunnel-login force=true to clear the wrong cert and binding, then re-run cf-rebuild. ` +
-            recoveryMessage();
-        actions.push({
-            op: "skip-needs-operator",
-            artefact: {
-                type: "cert.pem",
-                id: certPath(),
-                tag: "out-of-scope",
-                reason: "wrong-account",
-                detail: { certAccountId: certCreds.accountId, boundAccountId: ctx.binding.accountId },
-            },
-            planned: dryRun,
-            resultDetail: msg,
+    // No-intent refusal. If the caller passed no preserve AND the device
+    // has no persisted intent (no tunnel.state, no alias domains), refuse
+    // rather than guess — an empty preserve set would nuke the account.
+    // An explicit `{ preserve: { zones: [], tunnelIds: [] } }` is valid
+    // stated intent ("nuke everything") and proceeds.
+    const deviceHasIntent = Boolean(verify.device.tunnelState || verify.device.aliasDomains.length > 0);
+    if (opts.preserve === undefined && !deviceHasIntent) {
+        logRefuse({
+            reason: "no-intent",
+            message: "cf-rebuild refused: no `preserve` was supplied and this device has no persisted tunnel.state or alias-domains. " +
+                "Stating explicit intent is required before destructive operations — " +
+                "pass `preserve: { zones: [...], tunnelIds: [...] }` (an empty array is a valid 'nuke everything' intent), " +
+                "or use `cloudflare-setup` which derives intent from the conversation.",
         });
-        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "cert.pem", reason: "wrong-account", planned: true })}`);
         return {
             brand: brand.productName,
-            declaredZones: ctx.declaredZones,
             dryRun,
-            actions,
+            preserve: { zones: [], tunnelIds: [], cnames: null },
+            actions: [],
             halted: true,
-            haltReason: msg,
+            haltReason: "no-intent",
         };
     }
-    // Step 2: ensure binding is materialized. The fresh-install case passes
-    // through here — binding is established from the cert. cf-rebuild does
-    // NOT do declared-zone-visibility validation here because the operator
-    // may be in the middle of adding zones; visibility shows in the final
-    // verify report instead.
-    //
-    // materializeBinding can throw if cert.pem becomes unreadable between
-    // the parseCertPem above and this call (e.g. a concurrent
-    // tunnel-login force=true). Wrap in try/catch so the throw becomes a
-    // structured halted result, not a raw JS Error escaping past the MCP
-    // boundary.
-    if (!ctx.binding) {
+    // Resolve the preserve set. Defaults from the device's intended state.
+    const intendedTunnelId = verify.device.tunnelState?.tunnelId ?? null;
+    const intendedHostnames = [];
+    if (verify.device.tunnelState?.adminHostname)
+        intendedHostnames.push(verify.device.tunnelState.adminHostname);
+    if (verify.device.tunnelState?.publicHostname)
+        intendedHostnames.push(verify.device.tunnelState.publicHostname);
+    for (const a of verify.device.aliasDomains)
+        intendedHostnames.push(a);
+    const inferredZones = new Set();
+    for (const h of intendedHostnames) {
+        const lc = h.toLowerCase();
+        for (const z of verify.account.zones) {
+            if (lc === z.name.toLowerCase() || lc.endsWith("." + z.name.toLowerCase())) {
+                inferredZones.add(z.name);
+                break;
+            }
+        }
+    }
+    const preserveZones = (opts.preserve?.zones ?? [...inferredZones]).map((s) => s.toLowerCase());
+    const preserveTunnelIds = opts.preserve?.tunnelIds ?? (intendedTunnelId ? [intendedTunnelId] : []);
+    const preserveCnames = opts.preserve?.cnames
+        ? opts.preserve.cnames.map((c) => ({ zone: c.zone.toLowerCase(), name: c.name.toLowerCase() }))
+        : null;
+    // Identify tunnels that will be deleted — their `.cfargotunnel.com`
+    // CNAMEs on preserved zones must also be scrubbed (else the zone
+    // keeps a stale pointer to a dead tunnel).
+    const deletedTunnelIds = new Set(verify.account.tunnels.filter((t) => !preserveTunnelIds.includes(t.id)).map((t) => t.id));
+    const isStaleTunnelPointer = (content) => {
+        const lc = content.toLowerCase().trim();
+        const m = lc.match(/^([0-9a-f-]{36})\.cfargotunnel\.com\.?$/);
+        return m ? deletedTunnelIds.has(m[1]) : false;
+    };
+    const actions = [];
+    // (a) Delete tunnels not in preserve.
+    for (const t of verify.account.tunnels) {
+        if (preserveTunnelIds.includes(t.id))
+            continue;
+        const action = {
+            op: "delete-tunnel",
+            type: "tunnel",
+            id: t.id,
+            name: t.name,
+            result: dryRun ? "planned" : "ok",
+        };
         if (!dryRun) {
             try {
-                materializeBinding("migration");
+                await client.zeroTrust.tunnels.cloudflared.delete(t.id, { account_id: accountId });
             }
             catch (err) {
-                const msg = err instanceof Error ? err.message : String(err);
-                const halt = `cf-rebuild could not establish account binding: ${msg}. ${recoveryMessage()}`;
-                actions.push({
-                    op: "skip-needs-operator",
-                    artefact: { type: "binding", id: bindingFile(), tag: "missing" },
-                    planned: dryRun,
-                    result: "failed",
-                    resultDetail: halt,
-                });
-                return {
-                    brand: brand.productName,
-                    declaredZones: ctx.declaredZones,
-                    dryRun,
-                    actions,
-                    halted: true,
-                    haltReason: halt,
-                };
+                action.result = "failed";
+                action.detail = err instanceof Error ? err.message : String(err);
             }
         }
-        actions.push({
-            op: "recreate",
-            artefact: {
-                type: "binding",
-                id: bindingFile(),
-                tag: "missing",
-            },
-            planned: dryRun,
-            result: "ok",
-        });
+        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "tunnel", id: t.id, name: t.name, planned: dryRun, result: action.result })}`);
+        actions.push(action);
     }
-    // Step 3: gather verify report so we have a plan.
-    const verify = await cfVerifyCore(ctx);
-    // Step 4: discard out-of-scope artefacts. Order matters: DNS records
-    // first (so the tunnel can be deleted afterwards without orphaning
-    // routes), then alias-domain entries, then tunnel.state, then config.yml.
-    // We never delete cert.pem, never delete declared zones (out-of-scope
-    // declared-zone entries are operator-action items, not rebuild work),
-    // never delete tunnels owned by the bound account that don't match our
-    // persisted state (those belong to other devices on the same account
-    // — Task 525's multi-device contention pattern).
-    const liveClient = ctx.client; // may be null in tests
-    for (const a of verify.artefacts) {
-        if (a.tag !== "out-of-scope")
+    // (b) Delete CNAMEs not in preserve.
+    // If preserve.cnames is set, ONLY those exact records survive.
+    // Otherwise: CNAMEs on preserved zones survive, EXCEPT those pointing
+    // to a `<tunnelId>.cfargotunnel.com` target where the tunnel is being
+    // deleted (stale tunnel pointers on otherwise-preserved zones would
+    // resolve to dead DNS — always scrub).
+    for (const c of verify.account.cnames) {
+        const zoneLc = c.zone.toLowerCase();
+        const nameLc = c.name.toLowerCase();
+        let keep = false;
+        if (preserveCnames) {
+            keep = preserveCnames.some((p) => p.zone === zoneLc && p.name === nameLc);
+        }
+        else {
+            keep = preserveZones.includes(zoneLc) && !isStaleTunnelPointer(c.content);
+        }
+        if (keep)
             continue;
-        const action = { op: "discard", artefact: a, planned: dryRun };
-        try {
-            switch (a.type) {
-                case "dns-cname": {
-                    if (!dryRun && liveClient) {
-                        const zoneId = String(a.detail?.zoneId ?? "");
-                        const recordId = String(a.detail?.recordId ?? "");
-                        if (zoneId && recordId) {
-                            await liveClient.dns.records.delete(recordId, { zone_id: zoneId });
-                        }
-                    }
-                    action.result = "ok";
-                    break;
-                }
-                case "alias-domain": {
-                    if (!dryRun) {
-                        const aliases = loadAliasDomains();
-                        aliases.delete(a.id);
-                        const path = aliasDomainPath();
-                        mkdirSync(join(homedir(), loadBrand().configDir), { recursive: true });
-                        writeFileSync(path, JSON.stringify([...aliases], null, 2), "utf-8");
-                    }
-                    action.result = "ok";
-                    break;
-                }
-                case "tunnel.state":
-                case "config.yml": {
-                    if (!dryRun) {
-                        try {
-                            unlinkSync(a.id);
-                        }
-                        catch (err) {
-                            const code = err.code;
-                            if (code !== "ENOENT")
-                                throw err;
-                        }
-                    }
-                    action.result = "ok";
-                    break;
-                }
-                case "tunnel": {
-                    // Out-of-scope tunnels are siblings on the same account — leave
-                    // them alone. Other devices may rely on them. Surface as
-                    // discard intent but skip without mutating.
-                    action.op = "skip-needs-operator";
-                    action.result = "ok";
-                    action.resultDetail = "tunnel on bound account but not this brand's — left untouched";
-                    break;
-                }
-                case "declared-zone": {
-                    // Out-of-scope declared-zones are zones on the bound account that
-                    // aren't in the manifest. Informational; never deleted.
-                    action.op = "skip-needs-operator";
-                    action.result = "ok";
-                    action.resultDetail = "zone on bound account outside brand scope — informational";
-                    break;
+        const action = {
+            op: "delete-cname",
+            type: "cname",
+            id: c.recordId,
+            name: c.name,
+            result: dryRun ? "planned" : "ok",
+            detail: `${c.name} → ${c.content} under zone ${c.zone}`,
+        };
+        if (!dryRun) {
+            const zoneRec = verify.account.zones.find((z) => z.name.toLowerCase() === zoneLc);
+            if (!zoneRec) {
+                action.result = "failed";
+                action.detail = `zone ${c.zone} not found in snapshot`;
+            }
+            else {
+                try {
+                    await client.dns.records.delete(c.recordId, { zone_id: zoneRec.id });
                 }
-                case "cert.pem":
-                case "binding":
-                    // Handled above (refuse-to-delete cert; binding mutated by force-reset path only)
-                    action.op = "skip-needs-operator";
-                    action.result = "ok";
-                    break;
-                default:
+                catch (err) {
                     action.result = "failed";
-                    action.resultDetail = `unknown artefact type ${a.type}`;
+                    action.detail = err instanceof Error ? err.message : String(err);
+                }
             }
         }
-        catch (err) {
-            action.result = "failed";
-            action.resultDetail = err instanceof Error ? err.message : String(err);
-        }
-        if (action.op === "discard") {
-            console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: a.type, id: a.id, planned: dryRun, result: action.result ?? null })}`);
-        }
+        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "cname", id: c.recordId, name: c.name, zone: c.zone, planned: dryRun, result: action.result })}`);
         actions.push(action);
     }
-    // Step 5: create missing in-scope artefacts. We cannot create CF-side
-    // missing zones (operator must add zones at cloudflare.com) — surface as
-    // skip-needs-operator. We can re-create local state if the tunnel
-    // exists on the account but local state is missing; that's a Task 521
-    // scenario (re-attaching a tunnel) and is out of scope here. v1 of
-    // cf-rebuild surfaces missing local artefacts as informational.
-    for (const a of verify.artefacts) {
-        if (a.tag !== "missing")
+    // (c) Delete zones not in preserve.
+    for (const z of verify.account.zones) {
+        if (preserveZones.includes(z.name.toLowerCase()))
             continue;
-        if (a.type === "declared-zone") {
-            actions.push({
-                op: "skip-needs-operator",
-                artefact: a,
-                planned: dryRun,
-                result: "ok",
-                resultDetail: `declared zone "${a.id}" must be added to the bound Cloudflare account before tunnel-create can route to it`,
-            });
-        }
-        else if (a.type === "binding" || a.type === "cert.pem") {
-            // Already handled above
-        }
-        else {
-            actions.push({
-                op: "skip-needs-operator",
-                artefact: a,
-                planned: dryRun,
-                result: "ok",
-                resultDetail: `missing local artefact — run cloudflare-setup or tunnel-create to create`,
-            });
+        const action = {
+            op: "delete-zone",
+            type: "zone",
+            id: z.id,
+            name: z.name,
+            result: dryRun ? "planned" : "ok",
+        };
+        if (!dryRun) {
+            try {
+                await client.zones.delete({ zone_id: z.id });
+            }
+            catch (err) {
+                // Zone deletion may fail (permissions, registrar lock). Surface but
+                // do not halt — orphan zones are informational, not blocking.
+                action.result = "failed";
+                action.detail = err instanceof Error ? err.message : String(err);
+            }
         }
+        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "zone", id: z.id, name: z.name, planned: dryRun, result: action.result })}`);
+        actions.push(action);
     }
-    // Step 6: rerun verify (unless dry-run) to capture final state.
     let finalVerify;
     if (!dryRun) {
-        finalVerify = await cfVerifyCore(ctx);
+        finalVerify = await cfVerifyCore();
     }
     console.error(`[cloudflare:rebuild-complete] ${JSON.stringify({
         brand: brand.productName,
         dryRun,
         actionCount: actions.length,
-        finalCounts: finalVerify?.counts ?? null,
     })}`);
     return {
         brand: brand.productName,
-        declaredZones: ctx.declaredZones,
         dryRun,
+        preserve: {
+            zones: preserveZones,
+            tunnelIds: preserveTunnelIds,
+            cnames: preserveCnames,
+        },
         actions,
-        halted: false,
         finalVerify,
+        halted: false,
     };
 }
 //# sourceMappingURL=cloudflared.js.map