@rubytech/create-realagent 1.0.618 → 1.0.620

package/payload/platform/plugins/cloudflare/mcp/dist/lib/cloudflared.js

@@ -1,9 +1,8 @@
 import { execFileSync, spawn } from "node:child_process";
 import { existsSync, readFileSync, writeFileSync, mkdirSync, openSync, unlinkSync, copyFileSync, } from "node:fs";
-import { randomBytes } from "node:crypto";
 import { join } from "node:path";
 import { homedir } from "node:os";
-import Cloudflare from "cloudflare";
+import { Resolver } from "node:dns/promises";
 let cachedBrand = null;
 export function loadBrand() {
     if (cachedBrand)
@@ -31,7 +30,7 @@ export function _resetBrandCache() {
     cachedBrand = null;
 }
 // ---------------------------------------------------------------------------
-// Binary detection (unchanged — cloudflared binary still needed for daemon)
+// Binary detection
 // ---------------------------------------------------------------------------
 let cachedBinaryPath = null;
 const SEARCH_PATHS = [
@@ -42,7 +41,6 @@ const SEARCH_PATHS = [
 export function findBinary() {
     if (cachedBinaryPath)
         return cachedBinaryPath;
-    // Try `which` first
     try {
         cachedBinaryPath = execFileSync("which", ["cloudflared"], {
             encoding: "utf-8",
@@ -106,10 +104,8 @@ export function readAccountBinding() {
 /**
  * @internal — production code MUST go through `materializeBinding` so the
  * source-of-truth lifecycle (fresh-login vs migration) is preserved and
- * logged. This function is exported only so unit tests can pre-seed
- * bindings without re-implementing the file format. A new tool handler
- * that calls `writeAccountBinding` directly is a code-review block —
- * silent overwrites mask account drift, defeating the four-step guard.
+ * logged. Exported only so unit tests can pre-seed bindings without
+ * re-implementing the file format.
  */
 export function writeAccountBinding(accountId) {
     const dir = bindingDir();
@@ -118,12 +114,6 @@ export function writeAccountBinding(accountId) {
     writeFileSync(bindingFile(), JSON.stringify(binding, null, 2), { mode: 0o600 });
     return binding;
 }
-/**
- * Reset the binding by unlinking the file. Only force-reset paths
- * (tunnel-login force=true, cf-rebuild after wrong-account detection)
- * call this. Tools must never overwrite the binding on a write path —
- * an overwrite would mask account drift, defeating the guard.
- */
 function resetAccountBinding() {
     const path = bindingFile();
     try {
@@ -139,16 +129,6 @@ function resetAccountBinding() {
         return false;
     }
 }
-export function matchAccountZone(hostname, accountZones) {
-    const active = accountZones.filter((z) => z.status === "active").map((z) => z.name);
-    const lc = hostname.toLowerCase();
-    const candidates = active.filter((z) => lc === z.toLowerCase() || lc.endsWith("." + z.toLowerCase()));
-    if (candidates.length === 0) {
-        return { ok: false, matchedZone: null, accountZones: active };
-    }
-    candidates.sort((a, b) => b.length - a.length);
-    return { ok: true, matchedZone: candidates[0], accountZones: active };
-}
 export function logRefuse(detail) {
     const brand = (() => {
         try {
@@ -162,7 +142,6 @@ export function logRefuse(detail) {
     const fields = {
         reason: detail.reason,
         brand: brand?.productName ?? "unknown",
-        accountZones: f.accountZones ?? null,
         boundAccountId: f.boundAccountId ?? null,
         certAccountId: f.certAccountId ?? null,
         requestedDomain: f.requestedDomain ?? null,
@@ -173,14 +152,21 @@ export function logRefuse(detail) {
     console.error(`[cloudflare:refuse] ${JSON.stringify(fields)}`);
 }
 /**
- * Single recovery instruction. Every refusal instructs the same path:
- * tunnel-login under the Cloudflare account that owns the target zone.
+ * The only recovery instruction — every refusal that involves the wrong
+ * Cloudflare account points here. Single source of truth so the four
+ * surfaces that quote it (tunnel-status, tunnel-add-hostname, personal
+ * assistant template, setup-tunnel skill) cannot drift.
  */
+export const DASHBOARD_SWITCH_ACCOUNTS_INSTRUCTION = "Open Cloudflare in your browser. Look at the name in the top-left — " +
+    "that is the Cloudflare account this laptop will talk to. If it is not " +
+    "the account that owns the domain you want to use, switch accounts using " +
+    "the top-left dropdown. Once the correct account is showing, tell me and " +
+    "I will start the sign-in again.";
 export function recoveryMessage() {
-    return (`Recovery: run tunnel-login while signed into the Cloudflare account that owns ` +
-        `the target zone. If you recently rotated the cert under a different account, ` +
-        `pass force=true to clear the existing cert.pem and account binding before ` +
-        `re-authenticating.`);
+    return ("Recovery: confirm you are signed into the correct Cloudflare account " +
+        "in your browser, then ask me to run tunnel-login. If you recently switched " +
+        "accounts, ask me to run tunnel-login with force=true so the current sign-in " +
+        "is cleared before the new one starts.");
 }
 // ---------------------------------------------------------------------------
 // Reset auth — unlinks cert.pem (both paths) and the account binding
@@ -261,10 +247,6 @@ function legacyCertPath() {
  * file would survive `tunnel-login force=true` (which only deletes brand
  * paths) and silently re-import on the next read — defeating the recovery
  * path operators rely on after switching Cloudflare accounts.
- *
- * Failure to unlink the legacy file after a successful copy is non-fatal:
- * the read still succeeds against the brand path, and the warning surfaces
- * the residual stale file.
  */
 function findCert() {
     const brandPath = certPath();
@@ -290,9 +272,10 @@ export function hasCert() {
     return findCert() !== null;
 }
 /**
- * Parse the ARGO TUNNEL TOKEN PEM block from cert.pem to extract
- * APIToken and AccountTag. Returns null if cert.pem is missing,
- * the token block is absent, or the format is unexpected.
+ * Parse the ARGO TUNNEL TOKEN PEM block from cert.pem to extract the
+ * AccountTag. Only the account ID is returned — nothing else in cert.pem
+ * is used by this codebase. The cert itself stays on disk; `cloudflared`
+ * shell-outs read it via `--origincert` for tunnel CRUD and DNS routing.
  */
 export function parseCertPem() {
     try {
@@ -311,26 +294,15 @@ export function parseCertPem() {
             .replace(/\s+/g, "");
         const json = Buffer.from(b64, "base64").toString("utf-8");
         const data = JSON.parse(json);
-        const apiToken = data.APIToken ?? data.apiToken;
         const accountId = data.AccountTag ?? data.accountTag ?? data.AccountID ?? data.accountID ?? data.accountId;
-        if (!apiToken || !accountId)
+        if (!accountId)
             return null;
-        return { apiToken, accountId };
+        return { accountId };
     }
     catch {
         return null;
     }
 }
-// ---------------------------------------------------------------------------
-// SDK client
-//
-// Two entry points: getClient() for mutating operations enforces the auth
-// pre-conditions (cert present, binding present, accountId-from-cert
-// matches binding) — uncircumventable for any code path that needs an SDK
-// instance. getReadOnlyClient() for cf-verify allows operating on an
-// unbound device so the audit can report MISSING artefacts without
-// throwing. Both rely on cert.pem as the single account identity source.
-// ---------------------------------------------------------------------------
 /** Wraps a structured RefusalDetail so call sites can branch on `reason`. */
 export class CloudflareRefusalError extends Error {
     refusal;
@@ -340,70 +312,6 @@ export class CloudflareRefusalError extends Error {
         this.refusal = detail;
     }
 }
-/**
- * Build an SDK client for mutating operations. Throws CloudflareRefusalError
- * with a structured `refusal` field if any auth pre-condition fails:
- *   - cert.pem absent or unparseable                → unbound-device
- *   - account-binding.json absent                   → unbound-device
- *   - cert.pem accountId !== binding.accountId      → account-drift
- *
- * The refusal is logged with [cloudflare:refuse] before the throw, so the
- * single greppable signal exists regardless of how the caller handles the
- * exception.
- */
-export function getClient() {
-    const creds = parseCertPem();
-    if (!creds) {
-        const detail = {
-            reason: "unbound-device",
-            message: `No cert.pem found — this device has not completed Cloudflare authentication. ` +
-                recoveryMessage(),
-            fields: { boundAccountId: readAccountBinding()?.accountId ?? null },
-        };
-        logRefuse(detail);
-        throw new CloudflareRefusalError(detail);
-    }
-    const binding = readAccountBinding();
-    if (!binding) {
-        const detail = {
-            reason: "unbound-device",
-            message: `No account binding recorded — tunnel-login must complete a fresh authentication ` +
-                `to bind this device to a Cloudflare account before any other tool can run. ` +
-                recoveryMessage(),
-            fields: { certAccountId: creds.accountId },
-        };
-        logRefuse(detail);
-        throw new CloudflareRefusalError(detail);
-    }
-    if (creds.accountId !== binding.accountId) {
-        const detail = {
-            reason: "account-drift",
-            message: `cert.pem is bound to account ${creds.accountId}, but this device's recorded ` +
-                `binding is account ${binding.accountId}. The cert was rotated under a different ` +
-                `Cloudflare account since the binding was established. ` +
-                recoveryMessage(),
-            fields: {
-                boundAccountId: binding.accountId,
-                certAccountId: creds.accountId,
-            },
-        };
-        logRefuse(detail);
-        throw new CloudflareRefusalError(detail);
-    }
-    return {
-        client: new Cloudflare({ apiToken: creds.apiToken }),
-        accountId: binding.accountId,
-    };
-}
-export function getReadOnlyClient() {
-    const creds = parseCertPem();
-    const binding = readAccountBinding();
-    const certAccountId = creds?.accountId ?? null;
-    const boundAccountId = binding?.accountId ?? null;
-    const client = creds ? new Cloudflare({ apiToken: creds.apiToken }) : null;
-    const bindingMatches = !!(creds && binding && creds.accountId === binding.accountId);
-    return { client, certAccountId, boundAccountId, bindingMatches };
-}
 export function validateAuth() {
     const creds = parseCertPem();
     const binding = readAccountBinding();
@@ -417,14 +325,10 @@ export function validateAuth() {
 }
 /**
  * Establish the device-local account binding from cert.pem. Used by:
- *   (1) tunnel-login fresh-success path — first time creds are derived
+ *   (1) tunnel-login fresh-success path — first time creds are derived.
  *   (2) migration path — when cert.pem exists from a prior install but no
  *       binding has yet been written (silent materialization, since the
- *       cert was already trust-established by the operator's prior login)
- *
- * Caller is responsible for declared-zone visibility validation BEFORE
- * calling this — bindings should never be written to an account that
- * doesn't own the brand's declared zones (Task 201 write-after-confirm).
+ *       cert was already trust-established by the operator's prior login).
  */
 export function materializeBinding(source) {
     const creds = parseCertPem();
@@ -435,228 +339,6 @@ export function materializeBinding(source) {
     console.error(`[cloudflare:binding-materialized] source=${source} accountId=${creds.accountId} boundAt=${binding.boundAt}`);
     return binding;
 }
-export async function listZones() {
-    const { client } = getClient();
-    const zones = [];
-    for await (const zone of client.zones.list()) {
-        zones.push({
-            id: zone.id,
-            name: zone.name,
-            status: zone.status ?? "unknown",
-            nameservers: zone.name_servers ?? [],
-            account: {
-                id: zone.account.id ?? "",
-                name: zone.account.name ?? "",
-            },
-        });
-    }
-    return zones;
-}
-export async function getZoneId(domain) {
-    const { client } = getClient();
-    const zones = await client.zones.list({ name: domain });
-    const zone = zones.result?.[0];
-    if (!zone) {
-        const all = await listZones();
-        const available = all.map((z) => z.name).join(", ");
-        throw new Error(`Zone "${domain}" not found on this account. Available zones: ${available || "none"}`);
-    }
-    return zone.id;
-}
-export async function createZone(domain) {
-    const { client, accountId } = getClient();
-    // Idempotent — check if zone already exists on this account
-    const existing = await client.zones.list({ name: domain });
-    const match = existing.result?.[0];
-    if (match) {
-        return {
-            id: match.id,
-            name: match.name,
-            status: match.status ?? "unknown",
-            nameservers: match.name_servers ?? [],
-            existing: true,
-        };
-    }
-    const zone = await client.zones.create({
-        name: domain,
-        type: "full",
-        account: { id: accountId },
-    });
-    return {
-        id: zone.id,
-        name: zone.name,
-        status: zone.status ?? "pending",
-        nameservers: zone.name_servers ?? [],
-        existing: false,
-    };
-}
-export async function createTunnel(name) {
-    const { client, accountId } = getClient();
-    // Check for existing tunnel with this name
-    const existing = await client.zeroTrust.tunnels.cloudflared.list({
-        account_id: accountId,
-        name,
-        is_deleted: false,
-    });
-    const match = existing.result?.find((t) => t.name === name);
-    if (match?.id) {
-        return { tunnelId: match.id, tunnelName: match.name ?? name };
-    }
-    // Create new tunnel — config_src: "cloudflare" means remotely-managed
-    const tunnel = await client.zeroTrust.tunnels.cloudflared.create({
-        account_id: accountId,
-        name,
-        config_src: "cloudflare",
-        tunnel_secret: generateTunnelSecret(),
-    });
-    if (!tunnel.id) {
-        throw new Error("Tunnel created but no ID returned from Cloudflare API");
-    }
-    return { tunnelId: tunnel.id, tunnelName: tunnel.name ?? name };
-}
-function generateTunnelSecret() {
-    return randomBytes(32).toString("base64");
-}
-export async function listTunnelsOnAccount() {
-    const { client, accountId } = getClient();
-    const summaries = [];
-    const result = await client.zeroTrust.tunnels.cloudflared.list({
-        account_id: accountId,
-        is_deleted: false,
-    });
-    for (const t of result.result ?? []) {
-        if (!t.id || !t.name)
-            continue;
-        summaries.push({ id: t.id, name: t.name, createdAt: t.created_at ?? null });
-    }
-    return summaries;
-}
-/**
- * Find a zone whose existing CNAME records already point to the given tunnel.
- * Used when the user selects an existing tunnel — we reuse the zone context
- * rather than asking them to pick a zone again.
- *
- * Returns null when no zone routes to this tunnel. This is a legitimate
- * outcome (e.g. tunnel created but never routed) — caller must handle it
- * explicitly and fall back to zone selection, never substitute a default.
- */
-export async function findZoneHostingTunnel(tunnelId) {
-    const { client } = getClient();
-    const expectedTarget = `${tunnelId}.cfargotunnel.com`;
-    const zones = await listZones();
-    for (const zone of zones) {
-        if (zone.status !== "active")
-            continue;
-        for await (const record of client.dns.records.list({
-            zone_id: zone.id,
-            type: "CNAME",
-        })) {
-            const content = record.content ?? "";
-            if (content === expectedTarget)
-                return zone.name;
-        }
-    }
-    return null;
-}
-export async function configureTunnel(tunnelId, hostnames, port) {
-    const { client, accountId } = getClient();
-    const ingress = [
-        ...hostnames.map((h) => ({ hostname: h, service: `http://localhost:${port}` })),
-        { hostname: "", service: "http_status:404" },
-    ];
-    await client.zeroTrust.tunnels.cloudflared.configurations.update(tunnelId, {
-        account_id: accountId,
-        config: { ingress },
-    });
-}
-export async function getTunnelIngress(tunnelId) {
-    const { client, accountId } = getClient();
-    const config = await client.zeroTrust.tunnels.cloudflared.configurations.get(tunnelId, { account_id: accountId });
-    const ingress = config?.config?.ingress;
-    if (!Array.isArray(ingress))
-        return [];
-    return ingress.map((r) => ({
-        hostname: r.hostname ?? "",
-        service: r.service ?? "",
-    }));
-}
-export async function addHostnameToIngress(tunnelId, hostname, port) {
-    const effectivePort = port ?? parseInt(process.env.PLATFORM_PORT ?? "19200", 10);
-    const rules = await getTunnelIngress(tunnelId);
-    // Idempotent — skip if hostname already has an ingress rule
-    if (rules.some((r) => r.hostname === hostname)) {
-        return { added: false, alreadyPresent: true };
-    }
-    // Separate catch-all (hostname empty or missing) from named rules
-    const namedRules = rules
-        .filter((r) => r.hostname)
-        .map((r) => ({ hostname: r.hostname, service: r.service }));
-    // Rebuild: existing named rules + new rule + catch-all
-    const { client, accountId } = getClient();
-    await client.zeroTrust.tunnels.cloudflared.configurations.update(tunnelId, {
-        account_id: accountId,
-        config: {
-            ingress: [
-                ...namedRules,
-                { hostname, service: `http://localhost:${effectivePort}` },
-                { hostname: "", service: "http_status:404" },
-            ],
-        },
-    });
-    return { added: true, alreadyPresent: false };
-}
-// ---------------------------------------------------------------------------
-// Ingress port verification — read-modify-write (preserves all hostnames)
-//
-// Reads current ingress rules, checks if any named rule's service port
-// differs from expectedPort, and rewrites all rules with the correct port.
-// Preserves all hostnames including aliases — unlike configureTunnel()
-// which destructively sets only admin/public.
-// ---------------------------------------------------------------------------
-function extractPort(serviceUrl) {
-    try {
-        const url = new URL(serviceUrl);
-        return url.port ? parseInt(url.port, 10) : null;
-    }
-    catch {
-        return null;
-    }
-}
-export async function fixIngressPort(tunnelId, expectedPort) {
-    const rules = await getTunnelIngress(tunnelId);
-    const namedRules = rules.filter((r) => r.hostname);
-    if (namedRules.length === 0) {
-        return { corrected: false };
-    }
-    // Check if any named rule has a mismatched port
-    let mismatchPort = null;
-    for (const rule of namedRules) {
-        const port = extractPort(rule.service);
-        if (port !== null && port !== expectedPort) {
-            mismatchPort = port;
-            break;
-        }
-    }
-    if (mismatchPort === null) {
-        return { corrected: false };
-    }
-    // Rewrite all named rules with the correct port, preserving hostnames
-    const correctedRules = namedRules.map((r) => ({
-        hostname: r.hostname,
-        service: `http://localhost:${expectedPort}`,
-    }));
-    const { client, accountId } = getClient();
-    await client.zeroTrust.tunnels.cloudflared.configurations.update(tunnelId, {
-        account_id: accountId,
-        config: {
-            ingress: [
-                ...correctedRules,
-                { hostname: "", service: "http_status:404" },
-            ],
-        },
-    });
-    return { corrected: true, fromPort: mismatchPort };
-}
 // ---------------------------------------------------------------------------
 // Alias domain persistence — ~/{configDir}/alias-domains.json
 // ---------------------------------------------------------------------------
@@ -689,98 +371,13 @@ export function saveAliasDomain(hostname) {
     mkdirSync(dir, { recursive: true });
     writeFileSync(aliasDomainPath(), JSON.stringify([...existing], null, 2), "utf-8");
 }
-export async function getConnectorToken(tunnelId) {
-    const { client, accountId } = getClient();
-    const response = await client.zeroTrust.tunnels.cloudflared.token.get(tunnelId, { account_id: accountId });
-    // Response is the token string directly
-    const token = typeof response === "string" ? response : String(response);
-    if (!token) {
-        throw new Error("Received empty connector token from Cloudflare API");
-    }
-    return token;
-}
-/**
- * Check whether a hostname's CNAME points to a different tunnel.
- * Returns collision=true if the CNAME target is *.cfargotunnel.com but
- * for a different tunnel ID. Returns collision=false if:
- * - No CNAME exists (NXDOMAIN/ENODATA)
- * - CNAME points to the same tunnel (idempotent)
- * - DNS lookup fails (can't prove collision — proceed with caution)
- */
-export async function checkDnsCollision(hostname, tunnelId) {
-    const dns = await import("node:dns/promises");
-    const resolver = new dns.Resolver();
-    resolver.setServers(["8.8.8.8", "1.1.1.1"]);
-    try {
-        const cnames = await resolver.resolveCname(hostname);
-        if (cnames.length === 0) {
-            return { hostname, collision: false, existingTunnelId: null, error: null };
-        }
-        const cname = cnames[0];
-        const cfTunnelMatch = cname.match(/^([0-9a-f-]+)\.cfargotunnel\.com$/i);
-        if (!cfTunnelMatch) {
-            // CNAME exists but doesn't point to a Cloudflare tunnel — not our concern
-            return { hostname, collision: false, existingTunnelId: null, error: null };
-        }
-        const existingTunnelId = cfTunnelMatch[1];
-        if (existingTunnelId === tunnelId) {
-            // Same tunnel — idempotent, no collision
-            return { hostname, collision: false, existingTunnelId, error: null };
-        }
-        // Different tunnel — collision
-        console.error(`[tunnel-create] collision hostname=${hostname} existingTunnel=${existingTunnelId} requestedTunnel=${tunnelId}`);
-        return { hostname, collision: true, existingTunnelId, error: null };
-    }
-    catch (err) {
-        const code = err.code;
-        if (code === "ENODATA" || code === "ENOTFOUND") {
-            // No CNAME record exists — safe to create
-            return { hostname, collision: false, existingTunnelId: null, error: null };
-        }
-        // DNS lookup failed for other reasons — can't prove collision, proceed
-        const msg = err instanceof Error ? err.message : String(err);
-        console.error(`[tunnel-create] DNS collision check failed for ${hostname}: ${msg} — proceeding (cannot confirm collision)`);
-        return { hostname, collision: false, existingTunnelId: null, error: msg };
-    }
-}
-// ---------------------------------------------------------------------------
-// DNS record management via SDK
-// ---------------------------------------------------------------------------
-export async function createDnsRecord(zoneId, subdomain, tunnelId) {
-    const { client } = getClient();
-    const cnameTarget = `${tunnelId}.cfargotunnel.com`;
-    // Check if record already exists
-    const existing = await client.dns.records.list({
-        zone_id: zoneId,
-        name: { exact: subdomain },
-        type: "CNAME",
-    });
-    if (existing.result?.length && existing.result.length > 0) {
-        const record = existing.result[0];
-        if (record.content === cnameTarget) {
-            return { created: false, existing: true, updated: false };
-        }
-        // CNAME points to a different tunnel — refuse to overwrite (collision guard)
-        const existingTarget = record.content ?? "(unknown)";
-        throw new Error(`DNS collision: ${subdomain} already has a CNAME pointing to ${existingTarget}, which belongs to a different tunnel. ` +
-            `Refusing to overwrite. To reclaim this hostname, delete the existing CNAME record first.`);
-    }
-    await client.dns.records.create({
-        zone_id: zoneId,
-        name: subdomain,
-        type: "CNAME",
-        content: cnameTarget,
-        proxied: true,
-        ttl: 1, // 1 = automatic
-    });
-    return { created: true, existing: false, updated: false };
-}
 // ---------------------------------------------------------------------------
 // CLI-based tunnel operations
 //
-// `cloudflared` CLI uses cert.pem directly for tunnel CRUD and DNS management.
-// We use it (rather than the SDK) for tunnel-create / route-dns because the
-// cert-bound credential carries the Argo Tunnel permissions needed in one step.
+// `cloudflared` CLI uses cert.pem directly for tunnel CRUD and DNS routing.
+// Shelling out to the CLI is architecturally indistinguishable from the
+// operator clicking the same action in the dashboard — both use the
+// operator's OAuth-bound cert, nothing more.
 // ---------------------------------------------------------------------------
 export function createTunnelCli(name) {
     const bin = findBinary();
@@ -796,7 +393,6 @@ export function createTunnelCli(name) {
         const existing = tunnels.find((t) => t.name === name && !t.deleted_at);
         if (existing) {
             console.error(`[tunnel-create] CLI: tunnel "${name}" already exists (${existing.id})`);
-            // Credentials file may exist at either location
             const brandCredPath = join(homedir(), loadBrand().configDir, "cloudflared", `${existing.id}.json`);
             const defaultCredPath = join(homedir(), ".cloudflared", `${existing.id}.json`);
             if (!existsSync(brandCredPath) && existsSync(defaultCredPath)) {
@@ -875,39 +471,119 @@ export function writeLocalConfig(tunnelId, credentialsPath, hostnames, port) {
     return configPath;
 }
 // ---------------------------------------------------------------------------
-// CLI-based DNS routing — guarded by live account-zone check + post-flight
+// Parse configured hostnames from config.yml
 //
-// `cloudflared tunnel route dns` resolves the target zone from cert.pem's
-// account. If the hostname's registrable parent zone is not on that account,
-// cloudflared silently writes a CNAME under a different zone (the original
-// joelsmalley.xyz wrong-routing bug). Defence in depth:
+// `tunnel-status`'s end-to-end probe reads the hostnames from config.yml
+// rather than from tunnel.state — config.yml is the authoritative source
+// for what `cloudflared` is actually ingressing. State-file hostnames may
+// drift from on-disk config; the running tunnel only honours config.yml.
+// ---------------------------------------------------------------------------
+export function parseConfiguredHostnames(configYmlPath) {
+    try {
+        if (!existsSync(configYmlPath))
+            return [];
+        const yaml = readFileSync(configYmlPath, "utf-8");
+        const hostnames = [];
+        for (const line of yaml.split("\n")) {
+            const m = line.match(/^\s*-\s*hostname:\s*(\S+)\s*$/);
+            if (m)
+                hostnames.push(m[1]);
+        }
+        return hostnames;
+    }
+    catch (err) {
+        console.error(`[tunnel-status] failed to parse ${configYmlPath}: ${err}`);
+        return [];
+    }
+}
+// ---------------------------------------------------------------------------
+// Nameserver pre-flight — zone-parent routability without any API
+//
+// Before shelling `cloudflared tunnel route dns`, confirm the hostname's
+// registrable parent has its NS records pointing at Cloudflare. When they
+// don't, `cloudflared` silently falls through to whichever zone the cert's
+// account does own and creates a malformed CNAME (the historical
+// `admin.maxy.bot.joelsmalley.xyz` failure mode). Refusing pre-flight is
+// the only way to prevent that drift from inside this codebase.
+//
+// Heuristic for registrable parent: take the last two labels. This fails
+// for multi-label public suffixes (e.g. `.co.uk`, `.com.au`) — not worth
+// correctness here because Cloudflare's own sign-up flow rejects those
+// at zone-add time, so the NS lookup will also fail for them, giving the
+// same "not on Cloudflare yet" message.
+// ---------------------------------------------------------------------------
+function registrableParent(hostname) {
+    const labels = hostname.toLowerCase().split(".");
+    if (labels.length <= 2)
+        return hostname.toLowerCase();
+    return labels.slice(-2).join(".");
+}
+export async function checkZoneParentOnCloudflare(hostname) {
+    const zoneParent = registrableParent(hostname);
+    const resolver = new Resolver();
+    resolver.setServers(["1.1.1.1", "8.8.8.8"]);
+    try {
+        const ns = await resolver.resolveNs(zoneParent);
+        const onCloudflare = ns.some((n) => /\.ns\.cloudflare\.com\.?$/i.test(n));
+        return { zoneParent, nameservers: ns, onCloudflare };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { zoneParent, nameservers: [], onCloudflare: false, error: msg };
+    }
+}
+// ---------------------------------------------------------------------------
+// CLI-based DNS routing — shells `cloudflared tunnel route dns` with defence
+// in depth against the known malformed-CNAME fall-through.
 //
-//   (1) Live account-zone check: list the bound account's zones, refuse if
-//       hostname's registrable parent is not active on that account.
-//   (2) Post-flight FQDN assertion: the FQDN cloudflared wrote must equal
-//       the requested hostname. Mismatch → reverse-and-refuse.
+//   (1) Pre-flight: zone-parent NS records must point to Cloudflare.
+//       Refusal reason `hostname-zone-not-routable` tells the operator
+//       to add the domain in the dashboard before coming back.
+//   (2) Post-flight: the FQDN `cloudflared` wrote must equal the requested
+//       hostname. A mismatch means `cloudflared` routed to a zone owned by
+//       the currently-bound account instead of the intended zone — usually
+//       because the device signed into the wrong Cloudflare account.
+//       Refusal reason `post-flight-fqdn-mismatch` tells the operator to
+//       check the dashboard account name and re-login if wrong.
 //
-// `getClient()` runs first to enforce auth pre-conditions.
+// Authentication pre-condition is just "cert.pem + binding + they agree" —
+// enforced by validateAuth().bound. No API client is constructed anywhere.
 // ---------------------------------------------------------------------------
 export async function routeDnsCli(tunnelId, hostname) {
     const bin = findBinary();
     if (!bin)
         throw new Error("cloudflared is not installed");
-    const { client, accountId: boundAccountId } = getClient();
-    // (1) Live account-zone check.
-    const accountZones = await listZones();
-    const scope = matchAccountZone(hostname, accountZones);
-    if (!scope.ok) {
+    const auth = validateAuth();
+    if (!auth.bound) {
+        const reason = auth.hasCert && auth.hasBinding
+            ? "account-drift"
+            : "unbound-device";
+        const detail = {
+            reason,
+            message: `This laptop is not signed into Cloudflare yet${auth.hasCert ? " (sign-in has drifted since it was set up)" : ""}. ` +
+                `${DASHBOARD_SWITCH_ACCOUNTS_INSTRUCTION}`,
+            fields: {
+                boundAccountId: auth.boundAccountId,
+                certAccountId: auth.certAccountId,
+                requestedHostname: hostname,
+            },
+        };
+        logRefuse(detail);
+        throw new CloudflareRefusalError(detail);
+    }
+    // (1) Pre-flight zone-parent routability.
+    console.error(`[cloudflare:tunnel-add-hostname:preflight] hostname=${hostname}`);
+    const preflight = await checkZoneParentOnCloudflare(hostname);
+    if (!preflight.onCloudflare) {
         const detail = {
-            reason: "scope-mismatch",
-            message: `Cannot route ${hostname} — no active zone on the bound Cloudflare account ` +
-                `owns this hostname's registrable parent. Active zones on this account: ` +
-                `${scope.accountZones.join(", ") || "none"}. Add the parent zone to the account ` +
-                `(cf-add-zone or via the Cloudflare dashboard), or pick a hostname under one ` +
-                `of the existing zones.`,
+            reason: "hostname-zone-not-routable",
+            message: `The domain ${preflight.zoneParent} is not on Cloudflare yet — this laptop cannot ` +
+                `reach it. Open Cloudflare in your browser and add ${preflight.zoneParent} under the ` +
+                `Cloudflare account you want to use (Websites → Add a site). When the domain shows as ` +
+                `Active, tell me and I will add the address again.`,
             fields: {
                 requestedHostname: hostname,
-                accountZones: scope.accountZones,
+                requestedDomain: preflight.zoneParent,
             },
         };
         logRefuse(detail);
@@ -915,16 +591,21 @@ export async function routeDnsCli(tunnelId, hostname) {
     }
     const cert = findCert();
     if (!cert)
-        throw new Error("No cert.pem found — getClient() should have refused first");
+        throw new Error("No cert.pem found — validateAuth() should have refused first");
     let output;
     try {
         output = execFileSync(bin, ["tunnel", "--origincert", cert, "route", "dns", "--overwrite-dns", tunnelId, hostname], { encoding: "utf-8", timeout: 30000 });
     }
     catch (err) {
-        const msg = err instanceof Error ? err.stderr ?? err.message : String(err);
-        if (typeof msg === "string" && msg.includes("already exists")) {
+        const errObj = err;
+        const rawStderr = errObj.stderr;
+        const stderrMsg = typeof rawStderr === "string"
+            ? rawStderr
+            : Buffer.isBuffer(rawStderr) ? rawStderr.toString("utf-8") : "";
+        const msg = stderrMsg || errObj.message || String(err);
+        if (msg.includes("already exists")) {
             console.error(`[tunnel-route-dns] WARNING: ${hostname} "already exists" despite --overwrite-dns: ${msg}`);
-            return { created: false, output: msg, fqdn: hostname, zone: scope.matchedZone };
+            return { created: false, output: msg, fqdn: hostname };
         }
         throw new Error(`cloudflared tunnel route dns failed: ${msg}`);
     }
@@ -932,74 +613,44 @@ export async function routeDnsCli(tunnelId, hostname) {
     const fqdnMatch = output.match(/Added CNAME\s+(\S+?)\s+which will route/);
     if (!fqdnMatch) {
         console.error(`[tunnel-route-dns] WARNING: could not parse CNAME FQDN from cloudflared output — format may have changed. Output: ${output.trim()}`);
-        return {
-            created: true,
-            output: output.trim(),
-            fqdn: hostname,
-            zone: scope.matchedZone,
-        };
+        return { created: true, output: output.trim(), fqdn: hostname };
     }
     const actualFqdn = fqdnMatch[1];
     if (actualFqdn !== hostname) {
-        // cloudflared wrote a CNAME under a different FQDN than requested —
-        // somehow the live-zone check passed but the routing landed elsewhere.
-        // Log evidence, attempt to delete the wrong CNAME, refuse.
+        // cloudflared wrote the address under a different domain than requested.
+        // That means the laptop is signed into a Cloudflare account that does
+        // not own the target domain, and `cloudflared` fell through to whichever
+        // domain the signed-in account does own. The agent cannot clean this up
+        // (no API access by design) — the operator cleans it up in the dashboard.
         console.error(`[cloudflare:post-flight-mismatch] ${JSON.stringify({
             requestedHostname: hostname,
             actualFqdn,
             tunnelId,
-            boundAccountId,
-        })}`);
-        let cleanupResult = "failed";
-        try {
-            const owningZone = accountZones.find((z) => actualFqdn === z.name || actualFqdn.endsWith("." + z.name));
-            if (owningZone) {
-                const records = await client.dns.records.list({
-                    zone_id: owningZone.id,
-                    name: { exact: actualFqdn },
-                    type: "CNAME",
-                });
-                for (const r of records.result ?? []) {
-                    if (r.id)
-                        await client.dns.records.delete(r.id, { zone_id: owningZone.id });
-                }
-                cleanupResult = "ok";
-            }
-        }
-        catch (cleanupErr) {
-            console.error(`[cloudflare:post-flight-cleanup] error: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`);
-        }
-        console.error(`[cloudflare:post-flight-cleanup] ${JSON.stringify({
-            requestedHostname: hostname,
-            actualFqdn,
-            result: cleanupResult,
+            boundAccountId: auth.boundAccountId,
         })}`);
         const detail = {
             reason: "post-flight-fqdn-mismatch",
-            message: `cloudflared wrote the CNAME under ${actualFqdn} instead of the requested ${hostname}. ` +
-                `Cleanup ${cleanupResult === "ok" ? "succeeded" : "failed"}. Re-run cf-rebuild to reconcile.`,
+            message: `Cloudflare created the address under ${actualFqdn} instead of the requested ${hostname}. ` +
+                `This laptop is signed into a Cloudflare account that does not own ${registrableParent(hostname)}. ` +
+                `Two things to do: (a) open Cloudflare in your browser, sign into the account that does own ` +
+                `${registrableParent(hostname)}, and tell me so I can re-login; (b) in the same browser, delete the ` +
+                `stray record at ${actualFqdn} from the other account so it does not confuse anything.`,
             fields: {
                 requestedHostname: hostname,
                 actualFqdn,
                 tunnelId,
-                boundAccountId,
+                boundAccountId: auth.boundAccountId,
             },
         };
         logRefuse(detail);
         throw new CloudflareRefusalError(detail);
     }
-    console.error(`[tunnel-route-dns] CLI: routed ${hostname} → tunnel ${tunnelId} (overwrite) fqdn=${actualFqdn} zone=${scope.matchedZone}`);
-    return { created: true, output: output.trim(), fqdn: actualFqdn, zone: scope.matchedZone };
+    console.error(`[tunnel-route-dns] CLI: routed ${hostname} → tunnel ${tunnelId} (overwrite) fqdn=${actualFqdn}`);
+    return { created: true, output: output.trim(), fqdn: actualFqdn };
 }
 // ---------------------------------------------------------------------------
 // tunnel login — spawn `cloudflared tunnel login` and capture the auth URL
-//
-// Uses a log file fd (not pipes) for child stdio — eliminates SIGPIPE.
-// Polls the log file for the auth URL instead of streaming from pipes.
-// Tracks the login PID in a state file so subsequent calls detect an
-// existing process instead of spawning duplicates.
 // ---------------------------------------------------------------------------
-// Login state under ~/{configDir}/cloudflared/ — brand-isolated like tunnel state.
 function loginStatePath() {
     return join(homedir(), loadBrand().configDir, "cloudflared/login.state");
 }
@@ -1049,20 +700,15 @@ export function tunnelLogin() {
     const bin = findBinary();
     if (!bin)
         throw new Error("cloudflared is not installed");
-    // Check for an existing login process
     const existing = getActiveLogin();
     if (existing) {
         console.error(`[tunnel-login] login process already running (PID ${existing.pid}), returning existing auth URL`);
         return Promise.resolve({ authUrl: existing.authUrl, alreadyRunning: true });
     }
-    // Log to ~/{configDir}/logs/ — matches startTunnel() pattern
     const logDir = join(homedir(), loadBrand().configDir, "logs");
     mkdirSync(logDir, { recursive: true });
     const logPath = join(logDir, "cloudflared-login.log");
     const logFd = openSync(logPath, "a");
-    // Direct cert.pem output to the brand-specific cloudflared directory.
-    // Without --origincert, cloudflared writes to ~/.cloudflared/cert.pem —
-    // but hasCert()/parseCertPem() now look at ~/{configDir}/cloudflared/.
     const certDir = join(homedir(), loadBrand().configDir, "cloudflared");
     mkdirSync(certDir, { recursive: true });
     const originCert = join(certDir, "cert.pem");
@@ -1076,7 +722,6 @@ export function tunnelLogin() {
         throw new Error("Failed to spawn cloudflared tunnel login — no PID returned");
     }
     console.error(`[tunnel-login] spawned PID ${child.pid}`);
-    // Poll the log file for the auth URL
     const urlPattern = /https:\/\/dash\.cloudflare\.com[^\s]*/;
     return new Promise((resolve, reject) => {
         let elapsed = 0;
@@ -1084,7 +729,6 @@ export function tunnelLogin() {
         const timeout = 15000;
         const poller = setInterval(() => {
             elapsed += interval;
-            // Check if process died before producing a URL
             if (!isProcessAlive(child.pid)) {
                 clearInterval(poller);
                 console.error(`[tunnel-login] PID ${child.pid} exited before producing auth URL`);
@@ -1098,7 +742,6 @@ export function tunnelLogin() {
                 }
                 return;
             }
-            // Poll log file for the URL
             try {
                 const content = readFileSync(logPath, "utf-8");
                 const match = content.match(urlPattern);
@@ -1140,11 +783,7 @@ export function tunnelLogin() {
 }
 // ---------------------------------------------------------------------------
 // Process management — detached, survives MCP server exit
-//
-// Tunnel state stored at ~/{configDir}/cloudflared/tunnel.state so each
-// brand manages its own tunnel independently on multi-brand devices.
 // ---------------------------------------------------------------------------
-// Function (not const) because loadBrand() requires PLATFORM_ROOT at runtime.
 function statePath() {
     return join(homedir(), loadBrand().configDir, "cloudflared/tunnel.state");
 }
@@ -1184,10 +823,6 @@ export function getPersistedDomain() {
 export function getPersistedState() {
     return readState();
 }
-/**
- * Save tunnel identity to state file (pid/startedAt null until tunnel-enable).
- * Called by tunnel-create so tunnel-enable can find configPath and credentialsPath.
- */
 export function saveTunnelIdentity(params) {
     writeState({
         tunnelId: params.tunnelId,
@@ -1202,32 +837,162 @@ export function saveTunnelIdentity(params) {
     });
 }
 /**
- * Return the actual hostnames from persisted state.
- * Backward compat: old state files without hostname fields derive from domain.
+ * Return the actual hostnames from persisted state (or derive from domain
+ * for pre-521 state files).
  */
 export function getPersistedHostnames() {
     const state = readState();
     if (!state)
         return [];
-    // New state files have explicit hostname fields
     if (state.adminHostname) {
         return state.publicHostname
             ? [state.adminHostname, state.publicHostname]
             : [state.adminHostname];
     }
-    // Backward compat: pre-521 state files without hostname fields
     if (state.domain) {
         console.error(`[tunnel] backward-compat: deriving hostnames from domain=${state.domain} (no adminHostname in state)`);
         return [`admin.${state.domain}`, `public.${state.domain}`];
     }
     return [];
 }
-export function getStatus(domain) {
+export async function probeHostname(hostname, expectedTunnelId) {
+    const resolver = new Resolver();
+    resolver.setServers(["1.1.1.1", "8.8.8.8"]);
+    let cname = null;
+    try {
+        const cnames = await resolver.resolveCname(hostname);
+        cname = cnames[0] ?? null;
+    }
+    catch (err) {
+        const code = err.code;
+        if (code === "ENODATA") {
+            // Proxied records can flatten — try A records as a secondary signal
+            // that the name exists, but without a CNAME we cannot confirm this
+            // tunnel. Treat as cname-points-elsewhere (name exists but does not
+            // point here) only when an A record is present; otherwise dns-missing.
+            try {
+                await resolver.resolve4(hostname);
+                cname = null; // flattened — still need edge probe to confirm
+            }
+            catch {
+                return { hostname, resolves: false, cname: null, httpStatus: null, failureMode: "dns-missing" };
+            }
+        }
+        else if (code === "ENOTFOUND" || code === "ESERVFAIL") {
+            return { hostname, resolves: false, cname: null, httpStatus: null, failureMode: "dns-missing" };
+        }
+        else {
+            console.error(`[cloudflare:tunnel-status:probe] unexpected DNS error for ${hostname}: ${err}`);
+            return { hostname, resolves: false, cname: null, httpStatus: null, failureMode: "dns-missing" };
+        }
+    }
+    if (expectedTunnelId && cname) {
+        const cnameLc = cname.toLowerCase().replace(/\.$/, "");
+        const expected = `${expectedTunnelId}.cfargotunnel.com`.toLowerCase();
+        if (cnameLc !== expected) {
+            return { hostname, resolves: true, cname, httpStatus: null, failureMode: "cname-points-elsewhere" };
+        }
+    }
+    // HTTPS probe — any response proves edge routing is wired up.
+    let httpStatus = null;
+    try {
+        const controller = new AbortController();
+        const to = setTimeout(() => controller.abort(), 10000);
+        try {
+            const res = await fetch(`https://${hostname}/`, {
+                method: "GET",
+                redirect: "manual",
+                signal: controller.signal,
+            });
+            httpStatus = res.status;
+        }
+        finally {
+            clearTimeout(to);
+        }
+    }
+    catch (err) {
+        console.error(`[cloudflare:tunnel-status:probe] HTTPS probe failed for ${hostname}: ${err instanceof Error ? err.message : String(err)}`);
+        return { hostname, resolves: true, cname, httpStatus: null, failureMode: "edge-unreachable" };
+    }
+    // Cloudflare edge error page status codes that indicate the tunnel is
+    // either not connected (530) or the hostname is not served by any tunnel
+    // (1033/1016 surface as 530 or 502 at the HTTP layer; Cloudflare sometimes
+    // uses 502/503 for unreachable origins). Any 5xx from the edge with
+    // missing CNAME match means the tunnel-edge wiring is wrong.
+    if (httpStatus >= 500 && httpStatus < 600) {
+        return { hostname, resolves: true, cname, httpStatus, failureMode: "tunnel-not-matched" };
+    }
+    return { hostname, resolves: true, cname, httpStatus, failureMode: "ok" };
+}
+export async function getStatus(domain) {
     const auth = validateAuth();
     const state = readState();
     const running = state !== null && isProcessAlive(state.pid);
     const effectiveDomain = domain ?? state?.domain ?? null;
-    const hostnames = getPersistedHostnames();
+    const persistedHostnames = getPersistedHostnames();
+    const configuredHostnames = state?.configPath
+        ? parseConfiguredHostnames(state.configPath)
+        : [];
+    // Probe the authoritative set (config.yml). If config.yml is absent, fall
+    // back to persisted hostnames so partial-setup states still surface.
+    const hostnamesToProbe = configuredHostnames.length > 0
+        ? configuredHostnames
+        : persistedHostnames;
+    let probes = [];
+    let boundAccountOwnsHostnames = false;
+    let healthy = false;
+    let unhealthyReason = null;
+    if (!running || !state?.tunnelId || hostnamesToProbe.length === 0) {
+        unhealthyReason = !running
+            ? "not-running"
+            : "no-tunnel-configured";
+    }
+    else {
+        probes = await Promise.all(hostnamesToProbe.map((h) => probeHostname(h, state.tunnelId)));
+        // A probe reaching the edge with a non-5xx response proves the signed-in
+        // account owns the domain: the edge only routes to this tunnel's origin
+        // when the domain's DNS on this account points at this tunnel. The CNAME
+        // check inside probeHostname already short-circuits the "points to a
+        // different tunnel" case to `cname-points-elsewhere` — so here we trust
+        // `ok`. We do not gate on `p.cname !== null` because Cloudflare can flatten
+        // CNAMEs (zone-apex records, some proxy configurations) — in that case
+        // cname is null but the HTTPS response is still authoritative.
+        boundAccountOwnsHostnames = probes.some((p) => p.failureMode === "ok");
+        healthy = probes.every((p) => p.failureMode === "ok");
+        if (!healthy) {
+            // Distinguishing "wrong account" from "right account, tunnel broken":
+            // a probe that resolved DNS at all is evidence the domain lives on
+            // some Cloudflare account (the NS is Cloudflare's). A probe that
+            // resolved AND doesn't point elsewhere is evidence this laptop's
+            // account owns it — any other failure mode (edge-unreachable,
+            // tunnel-not-matched, or a healthy flattened probe) indicates the
+            // DNS points at *something* on the signed-in account, just not
+            // working. Only when every probe is `dns-missing` or
+            // `cname-points-elsewhere` do we conclude the bound account does
+            // not own the hostnames.
+            const anyCnamePointsHere = probes.some((p) => p.resolves &&
+                p.failureMode !== "cname-points-elsewhere" &&
+                p.failureMode !== "dns-missing");
+            unhealthyReason = anyCnamePointsHere
+                ? "hostname-probes-failed"
+                : "bound-account-does-not-own-hostname";
+        }
+    }
+    if (unhealthyReason === "bound-account-does-not-own-hostname") {
+        // Surface the structured refusal reason so the review-detector rule
+        // fires on the next admin turn — same channel the agent-facing text
+        // uses, but keyed on the enum.
+        logRefuse({
+            reason: "bound-account-does-not-own-hostname",
+            message: "tunnel-status probe: no configured hostname's DNS lands on this tunnel. " +
+                `${DASHBOARD_SWITCH_ACCOUNTS_INSTRUCTION}`,
+            fields: {
+                boundAccountId: auth.boundAccountId,
+                certAccountId: auth.certAccountId,
+                tunnelId: state?.tunnelId ?? undefined,
+            },
+        });
+    }
     return {
         installed: isInstalled(),
         version: version(),
@@ -1240,11 +1005,15 @@ export function getStatus(domain) {
         pid: running ? state.pid : null,
         tunnelId: state?.tunnelId ?? null,
         domain: effectiveDomain,
-        hostnames,
+        configuredHostnames,
+        persistedHostnames,
         adminHostname: state?.adminHostname ?? (effectiveDomain ? `admin.${effectiveDomain}` : null),
         publicHostname: state?.publicHostname ?? (effectiveDomain ? `public.${effectiveDomain}` : null),
         upSince: running ? state.startedAt : null,
-        restartCount: 0,
+        probes,
+        boundAccountOwnsHostnames,
+        healthy,
+        unhealthyReason,
     };
 }
 export function startTunnel(params) {
@@ -1254,17 +1023,14 @@ export function startTunnel(params) {
     const cert = findCert();
     if (!cert)
         throw new Error("No cert.pem found — run tunnel-login first");
-    // Check if already running via state file
     const state = readState();
     if (state && isProcessAlive(state.pid)) {
         throw new Error(`Tunnel is already running (PID ${state.pid})`);
     }
-    // Log to ~/{configDir}/logs/ so crashes are diagnosable
     const logDir = join(homedir(), loadBrand().configDir, "logs");
     mkdirSync(logDir, { recursive: true });
     const logPath = join(logDir, "cloudflared.log");
     const logFd = openSync(logPath, "a");
-    // Single deterministic command: config.yml + cert.pem
     const child = spawn(bin, ["--origincert", cert, "--config", params.configPath, "tunnel", "run"], {
         stdio: ["ignore", logFd, logFd],
         detached: true,
@@ -1273,7 +1039,6 @@ export function startTunnel(params) {
     if (!child.pid)
         throw new Error("Failed to spawn tunnel process");
     console.error(`[tunnel-enable] started PID ${child.pid} with config ${params.configPath}`);
-    // Preserve hostname fields from existing state when starting the tunnel
     const existingState = readState();
     writeState({
         pid: child.pid,
@@ -1299,7 +1064,6 @@ export function stopTunnel() {
         catch {
             // process may have exited between check and kill
         }
-        // Force kill after 5 seconds
         setTimeout(() => {
             if (isProcessAlive(pid)) {
                 try {
@@ -1311,355 +1075,6 @@ export function stopTunnel() {
             }
         }, 5000);
     }
-    // Preserve tunnel identity, clear process lifecycle
     writeState({ ...state, pid: null, startedAt: null });
 }
-/**
- * cf-verify: read everything, tag nothing as good or bad. The bound
- * Cloudflare account is the universe; the agent decides what is pollution
- * from the operator's stated intent in the current conversation.
- *
- * The `pollution` field returned here is the default no-intent view —
- * account artefacts the device's persisted `tunnel.state` + `alias-domains.json`
- * don't reference. The orchestrator recomputes against explicit intent
- * when the operator picks a zone.
- */
-export async function cfVerifyCore() {
-    const brand = loadBrand();
-    console.error(`[cloudflare:verify-start] ${JSON.stringify({ brand: brand.productName })}`);
-    const device = readDeviceSnapshot();
-    const ro = getReadOnlyClient();
-    let account = null;
-    if (ro.client && ro.certAccountId) {
-        try {
-            const [zones, tunnels] = await Promise.all([
-                listZonesViaClient(ro.client),
-                listTunnelsViaClient(ro.client, ro.certAccountId),
-            ]);
-            const cnames = [];
-            for (const z of zones) {
-                if (z.status !== "active")
-                    continue;
-                try {
-                    const recs = await listCnamesUnderZone(ro.client, z.id);
-                    for (const r of recs) {
-                        cnames.push({ zone: z.name, recordId: r.id, name: r.name, content: r.content });
-                    }
-                }
-                catch (err) {
-                    console.error(`[cloudflare:verify] failed to list CNAMEs under ${z.name}: ${err instanceof Error ? err.message : String(err)}`);
-                }
-            }
-            account = {
-                accountId: ro.certAccountId,
-                zones: zones.map((z) => ({ id: z.id, name: z.name, status: z.status })),
-                tunnels: tunnels.map((t) => ({ id: t.id, name: t.name })),
-                cnames,
-            };
-        }
-        catch (err) {
-            console.error(`[cloudflare:verify] account read failed: ${err instanceof Error ? err.message : String(err)}`);
-        }
-    }
-    const pollution = computePollution(account, device);
-    console.error(`[cloudflare:verify-complete] ${JSON.stringify({
-        brand: brand.productName,
-        accountZones: account?.zones.length ?? 0,
-        accountTunnels: account?.tunnels.length ?? 0,
-        accountCnames: account?.cnames.length ?? 0,
-        pollutionTunnels: pollution.tunnels.length,
-        pollutionCnames: pollution.cnames.length,
-        pollutionZones: pollution.zones.length,
-    })}`);
-    return { brand: brand.productName, device, account, pollution };
-}
-function readDeviceSnapshot() {
-    const auth = validateAuth();
-    const state = readState();
-    const aliases = [...loadAliasDomains()];
-    return {
-        certPath: certPath(),
-        certPresent: auth.hasCert,
-        bindingPath: bindingFile(),
-        bindingPresent: auth.hasBinding,
-        bindingMatchesCert: auth.bound,
-        certAccountId: auth.certAccountId,
-        boundAccountId: auth.boundAccountId,
-        tunnelStatePath: statePath(),
-        tunnelState: state,
-        configYmlPath: state?.configPath ?? null,
-        configYmlPresent: !!(state?.configPath && existsSync(state.configPath)),
-        aliasDomains: aliases,
-    };
-}
-function computePollution(account, device) {
-    if (!account)
-        return { tunnels: [], cnames: [], zones: [] };
-    const intendedTunnelId = device.tunnelState?.tunnelId ?? null;
-    const intendedHostnames = new Set();
-    if (device.tunnelState?.adminHostname)
-        intendedHostnames.add(device.tunnelState.adminHostname.toLowerCase());
-    if (device.tunnelState?.publicHostname)
-        intendedHostnames.add(device.tunnelState.publicHostname.toLowerCase());
-    for (const a of device.aliasDomains)
-        intendedHostnames.add(a.toLowerCase());
-    // Zones the intended hostnames live under — those are "in use".
-    const inUseZones = new Set();
-    for (const h of intendedHostnames) {
-        for (const z of account.zones) {
-            if (h === z.name.toLowerCase() || h.endsWith("." + z.name.toLowerCase())) {
-                inUseZones.add(z.name.toLowerCase());
-                break;
-            }
-        }
-    }
-    const pollutionTunnels = account.tunnels.filter((t) => t.id !== intendedTunnelId);
-    const pollutionCnames = account.cnames.filter((c) => !intendedHostnames.has(c.name.toLowerCase()));
-    const pollutionZones = account.zones.filter((z) => !inUseZones.has(z.name.toLowerCase()));
-    return { tunnels: pollutionTunnels, cnames: pollutionCnames, zones: pollutionZones };
-}
-async function listZonesViaClient(client) {
-    const zones = [];
-    for await (const zone of client.zones.list()) {
-        zones.push({
-            id: zone.id,
-            name: zone.name,
-            status: zone.status ?? "unknown",
-            nameservers: zone.name_servers ?? [],
-            account: { id: zone.account.id ?? "", name: zone.account.name ?? "" },
-        });
-    }
-    return zones;
-}
-async function listTunnelsViaClient(client, accountId) {
-    const summaries = [];
-    const result = await client.zeroTrust.tunnels.cloudflared.list({
-        account_id: accountId,
-        is_deleted: false,
-    });
-    for (const t of result.result ?? []) {
-        if (!t.id || !t.name)
-            continue;
-        summaries.push({ id: t.id, name: t.name, createdAt: t.created_at ?? null });
-    }
-    return summaries;
-}
-async function listCnamesUnderZone(client, zoneId) {
-    const out = [];
-    for await (const rec of client.dns.records.list({ zone_id: zoneId, type: "CNAME" })) {
-        if (!rec.id || !rec.name)
-            continue;
-        out.push({ id: rec.id, name: rec.name, content: rec.content ?? "" });
-    }
-    return out;
-}
-export async function cfRebuildCore(opts = {}) {
-    const dryRun = opts.dryRun ?? false;
-    const brand = loadBrand();
-    console.error(`[cloudflare:rebuild-start] ${JSON.stringify({ brand: brand.productName, dryRun })}`);
-    // Auth gate. We need a client to mutate the account.
-    let client;
-    let accountId;
-    try {
-        const c = getClient();
-        client = c.client;
-        accountId = c.accountId;
-    }
-    catch (err) {
-        if (err instanceof CloudflareRefusalError) {
-            return {
-                brand: brand.productName,
-                dryRun,
-                preserve: { zones: [], tunnelIds: [], cnames: null },
-                actions: [],
-                halted: true,
-                haltReason: err.refusal.message,
-            };
-        }
-        throw err;
-    }
-    // Snapshot the account before mutating.
-    const verify = await cfVerifyCore();
-    if (!verify.account) {
-        return {
-            brand: brand.productName,
-            dryRun,
-            preserve: { zones: [], tunnelIds: [], cnames: null },
-            actions: [],
-            halted: true,
-            haltReason: "Could not read account state (cf-verify returned no account snapshot).",
-        };
-    }
-    // No-intent refusal. If the caller passed no preserve AND the device
-    // has no persisted intent (no tunnel.state, no alias domains), refuse
-    // rather than guess — an empty preserve set would nuke the account.
-    // An explicit `{ preserve: { zones: [], tunnelIds: [] } }` is valid
-    // stated intent ("nuke everything") and proceeds.
-    const deviceHasIntent = Boolean(verify.device.tunnelState || verify.device.aliasDomains.length > 0);
-    if (opts.preserve === undefined && !deviceHasIntent) {
-        logRefuse({
-            reason: "no-intent",
-            message: "cf-rebuild refused: no `preserve` was supplied and this device has no persisted tunnel.state or alias-domains. " +
-                "Stating explicit intent is required before destructive operations — " +
-                "pass `preserve: { zones: [...], tunnelIds: [...] }` (an empty array is a valid 'nuke everything' intent), " +
-                "or use `cloudflare-setup` which derives intent from the conversation.",
-        });
-        return {
-            brand: brand.productName,
-            dryRun,
-            preserve: { zones: [], tunnelIds: [], cnames: null },
-            actions: [],
-            halted: true,
-            haltReason: "no-intent",
-        };
-    }
-    // Resolve the preserve set. Defaults from the device's intended state.
-    const intendedTunnelId = verify.device.tunnelState?.tunnelId ?? null;
-    const intendedHostnames = [];
-    if (verify.device.tunnelState?.adminHostname)
-        intendedHostnames.push(verify.device.tunnelState.adminHostname);
-    if (verify.device.tunnelState?.publicHostname)
-        intendedHostnames.push(verify.device.tunnelState.publicHostname);
-    for (const a of verify.device.aliasDomains)
-        intendedHostnames.push(a);
-    const inferredZones = new Set();
-    for (const h of intendedHostnames) {
-        const lc = h.toLowerCase();
-        for (const z of verify.account.zones) {
-            if (lc === z.name.toLowerCase() || lc.endsWith("." + z.name.toLowerCase())) {
-                inferredZones.add(z.name);
-                break;
-            }
-        }
-    }
-    const preserveZones = (opts.preserve?.zones ?? [...inferredZones]).map((s) => s.toLowerCase());
-    const preserveTunnelIds = opts.preserve?.tunnelIds ?? (intendedTunnelId ? [intendedTunnelId] : []);
-    const preserveCnames = opts.preserve?.cnames
-        ? opts.preserve.cnames.map((c) => ({ zone: c.zone.toLowerCase(), name: c.name.toLowerCase() }))
-        : null;
-    // Identify tunnels that will be deleted — their `.cfargotunnel.com`
-    // CNAMEs on preserved zones must also be scrubbed (else the zone
-    // keeps a stale pointer to a dead tunnel).
-    const deletedTunnelIds = new Set(verify.account.tunnels.filter((t) => !preserveTunnelIds.includes(t.id)).map((t) => t.id));
-    const isStaleTunnelPointer = (content) => {
-        const lc = content.toLowerCase().trim();
-        const m = lc.match(/^([0-9a-f-]{36})\.cfargotunnel\.com\.?$/);
-        return m ? deletedTunnelIds.has(m[1]) : false;
-    };
-    const actions = [];
-    // (a) Delete tunnels not in preserve.
-    for (const t of verify.account.tunnels) {
-        if (preserveTunnelIds.includes(t.id))
-            continue;
-        const action = {
-            op: "delete-tunnel",
-            type: "tunnel",
-            id: t.id,
-            name: t.name,
-            result: dryRun ? "planned" : "ok",
-        };
-        if (!dryRun) {
-            try {
-                await client.zeroTrust.tunnels.cloudflared.delete(t.id, { account_id: accountId });
-            }
-            catch (err) {
-                action.result = "failed";
-                action.detail = err instanceof Error ? err.message : String(err);
-            }
-        }
-        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "tunnel", id: t.id, name: t.name, planned: dryRun, result: action.result })}`);
-        actions.push(action);
-    }
-    // (b) Delete CNAMEs not in preserve.
-    // If preserve.cnames is set, ONLY those exact records survive.
-    // Otherwise: CNAMEs on preserved zones survive, EXCEPT those pointing
-    // to a `<tunnelId>.cfargotunnel.com` target where the tunnel is being
-    // deleted (stale tunnel pointers on otherwise-preserved zones would
-    // resolve to dead DNS — always scrub).
-    for (const c of verify.account.cnames) {
-        const zoneLc = c.zone.toLowerCase();
-        const nameLc = c.name.toLowerCase();
-        let keep = false;
-        if (preserveCnames) {
-            keep = preserveCnames.some((p) => p.zone === zoneLc && p.name === nameLc);
-        }
-        else {
-            keep = preserveZones.includes(zoneLc) && !isStaleTunnelPointer(c.content);
-        }
-        if (keep)
-            continue;
-        const action = {
-            op: "delete-cname",
-            type: "cname",
-            id: c.recordId,
-            name: c.name,
-            result: dryRun ? "planned" : "ok",
-            detail: `${c.name} → ${c.content} under zone ${c.zone}`,
-        };
-        if (!dryRun) {
-            const zoneRec = verify.account.zones.find((z) => z.name.toLowerCase() === zoneLc);
-            if (!zoneRec) {
-                action.result = "failed";
-                action.detail = `zone ${c.zone} not found in snapshot`;
-            }
-            else {
-                try {
-                    await client.dns.records.delete(c.recordId, { zone_id: zoneRec.id });
-                }
-                catch (err) {
-                    action.result = "failed";
-                    action.detail = err instanceof Error ? err.message : String(err);
-                }
-            }
-        }
-        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "cname", id: c.recordId, name: c.name, zone: c.zone, planned: dryRun, result: action.result })}`);
-        actions.push(action);
-    }
-    // (c) Delete zones not in preserve.
-    for (const z of verify.account.zones) {
-        if (preserveZones.includes(z.name.toLowerCase()))
-            continue;
-        const action = {
-            op: "delete-zone",
-            type: "zone",
-            id: z.id,
-            name: z.name,
-            result: dryRun ? "planned" : "ok",
-        };
-        if (!dryRun) {
-            try {
-                await client.zones.delete({ zone_id: z.id });
-            }
-            catch (err) {
-                // Zone deletion may fail (permissions, registrar lock). Surface but
-                // do not halt — orphan zones are informational, not blocking.
-                action.result = "failed";
-                action.detail = err instanceof Error ? err.message : String(err);
-            }
-        }
-        console.error(`[cloudflare:rebuild-discard] ${JSON.stringify({ type: "zone", id: z.id, name: z.name, planned: dryRun, result: action.result })}`);
-        actions.push(action);
-    }
-    let finalVerify;
-    if (!dryRun) {
-        finalVerify = await cfVerifyCore();
-    }
-    console.error(`[cloudflare:rebuild-complete] ${JSON.stringify({
-        brand: brand.productName,
-        dryRun,
-        actionCount: actions.length,
-    })}`);
-    return {
-        brand: brand.productName,
-        dryRun,
-        preserve: {
-            zones: preserveZones,
-            tunnelIds: preserveTunnelIds,
-            cnames: preserveCnames,
-        },
-        actions,
-        finalVerify,
-        halted: false,
-    };
-}
 //# sourceMappingURL=cloudflared.js.map