@zeroexcore/tuna 0.1.0

package/src/commands/login.ts

@@ -0,0 +1,133 @@
+/**
+ * Login command - setup Cloudflare credentials
+ */
+
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import ora from 'ora';
+import { storeCredentials } from '../lib/credentials.ts';
+import { CloudflareAPI } from '../lib/api.ts';
+import type { Credentials } from '../types/index.ts';
+
+/**
+ * Interactive login flow to setup Cloudflare credentials
+ */
+export async function loginCommand(): Promise<void> {
+  console.log(chalk.blue('\n🔐 Tuna Login\n'));
+  console.log(chalk.dim('Store your Cloudflare credentials securely in macOS Keychain.\n'));
+
+  // Prompt for API token
+  console.log(chalk.dim('Create a token at: https://dash.cloudflare.com/profile/api-tokens'));
+  console.log(chalk.dim('Required permissions:'));
+  console.log(chalk.dim('  • Account → Cloudflare Tunnel → Edit'));
+  console.log(chalk.dim('  • Account → Access: Apps and Policies → Edit'));
+  console.log(chalk.dim('  • Zone → DNS → Edit'));
+  console.log(chalk.dim('  • Account → Account Settings → Read\n'));
+
+  const { apiToken } = await inquirer.prompt([
+    {
+      type: 'password',
+      name: 'apiToken',
+      message: 'Enter your Cloudflare API token:',
+      mask: '*',
+      validate: (input: string) => {
+        if (!input || input.trim().length === 0) {
+          return 'API token is required';
+        }
+        return true;
+      },
+    },
+  ]);
+
+  // Validate token and get account ID
+  const spinner = ora('Validating token...').start();
+
+  let accountId: string;
+  try {
+    // Create a temporary API instance to validate
+    const tempApi = new CloudflareAPI({
+      apiToken: apiToken.trim(),
+      accountId: '', // Will be fetched
+      domain: '',
+    });
+
+    accountId = await tempApi.validateToken();
+    spinner.succeed('Token validated');
+  } catch (error) {
+    spinner.fail('Invalid token');
+    console.error(chalk.red(`\nError: ${(error as Error).message}`));
+    process.exit(1);
+  }
+
+  // Prompt for domain
+  const { domain } = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'domain',
+      message: 'Enter your root domain (e.g., example.com):',
+      validate: (input: string) => {
+        if (!input || input.trim().length === 0) {
+          return 'Domain is required';
+        }
+        // Basic domain validation
+        const domainRegex = /^[a-z0-9][a-z0-9-]*\.[a-z]{2,}$/i;
+        if (!domainRegex.test(input.trim())) {
+          return 'Invalid domain format. Enter just the root domain (e.g., example.com)';
+        }
+        return true;
+      },
+    },
+  ]);
+
+  // Verify domain access
+  const domainSpinner = ora('Verifying domain access...').start();
+
+  try {
+    const api = new CloudflareAPI({
+      apiToken: apiToken.trim(),
+      accountId,
+      domain: domain.trim(),
+    });
+
+    await api.getZoneByName(domain.trim());
+    domainSpinner.succeed('Domain verified');
+  } catch (error) {
+    domainSpinner.fail('Domain verification failed');
+    console.error(chalk.red(`\nError: ${(error as Error).message}`));
+    console.log(chalk.yellow('\nMake sure:'));
+    console.log(chalk.yellow('  1. The domain is added to your Cloudflare account'));
+    console.log(chalk.yellow('  2. Your API token has access to this domain'));
+    process.exit(1);
+  }
+
+  // Store credentials
+  const saveSpinner = ora('Saving credentials...').start();
+
+  try {
+    const credentials: Credentials = {
+      apiToken: apiToken.trim(),
+      accountId,
+      domain: domain.trim(),
+    };
+
+    await storeCredentials(domain.trim(), credentials);
+    saveSpinner.succeed('Credentials saved to macOS Keychain');
+  } catch (error) {
+    saveSpinner.fail('Failed to save credentials');
+    console.error(chalk.red(`\nError: ${(error as Error).message}`));
+    process.exit(1);
+  }
+
+  console.log(chalk.green('\n✓ Login successful!\n'));
+  console.log(chalk.dim('You can now use tuna to create tunnels for this domain.'));
+  console.log(chalk.dim('Example:\n'));
+  console.log(chalk.dim('  Add to your package.json:'));
+  console.log(chalk.cyan('  {'));
+  console.log(chalk.cyan('    "tuna": {'));
+  console.log(chalk.cyan(`      "forward": "my-app.${domain.trim()}",`));
+  console.log(chalk.cyan('      "port": 3000'));
+  console.log(chalk.cyan('    }'));
+  console.log(chalk.cyan('  }\n'));
+  console.log(chalk.dim('  Then run:'));
+  console.log(chalk.cyan('  tuna npm run dev\n'));
+}

package/src/commands/run.ts

@@ -0,0 +1,241 @@
+/**
+ * Run command - main wrapper that sets up tunnel and runs the child command
+ */
+
+import chalk from 'chalk';
+import ora from 'ora';
+import { execa, type ExecaError } from 'execa';
+import { randomBytes } from 'crypto';
+import { readConfig, generateTunnelName } from '../lib/config.ts';
+import { getCredentials, getRootDomain } from '../lib/credentials.ts';
+import { CloudflareAPI } from '../lib/api.ts';
+import {
+  isInstalled,
+  download,
+  ensureDirectories,
+} from '../lib/cloudflared.ts';
+import {
+  generateIngressConfig,
+  writeIngressConfig,
+  saveTunnelCredentials,
+  tunnelCredentialsExist,
+  installService,
+  isServiceInstalled,
+  restartService,
+} from '../lib/service.ts';
+import { ensureDnsRecord } from '../lib/dns.ts';
+import { ensureAccess, getAccessDescription } from '../lib/access.ts';
+import type { Tunnel, AccessConfig } from '../types/index.ts';
+
+/**
+ * Main run command - sets up tunnel and executes wrapped command
+ */
+export async function runCommand(args: string[]): Promise<void> {
+  // Read config from package.json
+  let config: { forward: string; port: number; access?: AccessConfig };
+  try {
+    config = await readConfig();
+  } catch (error) {
+    console.error(chalk.red(`Error: ${(error as Error).message}`));
+    process.exit(1);
+  }
+
+  const { forward, port, access } = config;
+  const rootDomain = getRootDomain(forward);
+  const tunnelName = generateTunnelName(forward);
+
+  // Get credentials
+  const spinner = ora('Authenticating...').start();
+
+  const credentials = await getCredentials(rootDomain);
+  if (!credentials) {
+    spinner.fail('Not logged in');
+    console.error(chalk.red(`\nNo credentials found for ${rootDomain}`));
+    console.log(chalk.yellow('Run: tuna --login'));
+    process.exit(1);
+  }
+
+  spinner.text = 'Checking cloudflared...';
+
+  // Ensure cloudflared is installed
+  if (!isInstalled()) {
+    spinner.text = 'Downloading cloudflared...';
+    try {
+      await download((percent) => {
+        spinner.text = `Downloading cloudflared... ${percent}%`;
+      });
+      spinner.succeed('cloudflared downloaded');
+      spinner.start('Setting up tunnel...');
+    } catch (error) {
+      spinner.fail('Failed to download cloudflared');
+      console.error(chalk.red(`\nError: ${(error as Error).message}`));
+      console.log(chalk.yellow('\nYou can install manually:'));
+      console.log(chalk.yellow('  brew install cloudflared'));
+      process.exit(1);
+    }
+  }
+
+  ensureDirectories();
+
+  // Initialize API client
+  const api = new CloudflareAPI(credentials);
+
+  // Check if tunnel exists
+  spinner.text = 'Checking tunnel...';
+  let tunnel: Tunnel | undefined;
+
+  try {
+    const tunnels = await api.listTunnels();
+    tunnel = tunnels.find((t) => t.name === tunnelName && !t.deleted_at);
+  } catch (error) {
+    spinner.fail('Failed to check tunnels');
+    console.error(chalk.red(`\nError: ${(error as Error).message}`));
+    process.exit(1);
+  }
+
+  // Create tunnel if it doesn't exist
+  if (!tunnel) {
+    spinner.text = 'Creating tunnel...';
+    try {
+      // Generate tunnel secret (32 bytes, base64 encoded)
+      const tunnelSecret = randomBytes(32).toString('base64');
+
+      tunnel = await api.createTunnel(tunnelName, tunnelSecret);
+
+      // Save tunnel credentials
+      saveTunnelCredentials(tunnel.id, credentials.accountId, tunnelSecret);
+
+      spinner.succeed(`Tunnel created: ${tunnelName}`);
+      spinner.start('Setting up DNS...');
+    } catch (error) {
+      spinner.fail('Failed to create tunnel');
+      console.error(chalk.red(`\nError: ${(error as Error).message}`));
+      process.exit(1);
+    }
+  } else {
+    // Check if we have local credentials
+    if (!tunnelCredentialsExist(tunnel.id)) {
+      spinner.fail('Tunnel exists but local credentials missing');
+      console.error(chalk.red('\nThe tunnel exists on Cloudflare but local credentials are missing.'));
+      console.log(chalk.yellow('Options:'));
+      console.log(chalk.yellow('  1. Delete the tunnel and let tuna recreate it:'));
+      console.log(chalk.cyan(`     tuna --delete ${tunnelName}`));
+      console.log(chalk.yellow('  2. Manually recreate the credentials file'));
+      process.exit(1);
+    }
+    spinner.succeed(`Using existing tunnel: ${tunnelName}`);
+    spinner.start('Setting up DNS...');
+  }
+
+  // Ensure DNS record
+  try {
+    await ensureDnsRecord(credentials, forward, tunnel.id);
+    spinner.succeed('DNS configured');
+    spinner.start('Starting service...');
+  } catch (error) {
+    spinner.fail('Failed to configure DNS');
+    console.error(chalk.red(`\nError: ${(error as Error).message}`));
+    process.exit(1);
+  }
+
+  // Generate and write ingress config
+  const ingressConfig = generateIngressConfig(tunnel.id, forward, port);
+  writeIngressConfig(tunnel.id, ingressConfig);
+
+  // Install or update service - always restart to pick up config changes
+  try {
+    if (!isServiceInstalled()) {
+      await installService(tunnel.id);
+      spinner.succeed('Service installed');
+    } else {
+      // Always restart to ensure config changes (port, hostname) are picked up
+      await restartService();
+      spinner.succeed('Service restarted');
+    }
+  } catch (error) {
+    spinner.fail('Failed to start service');
+    console.error(chalk.red(`\nError: ${(error as Error).message}`));
+    process.exit(1);
+  }
+
+  // Setup Zero Trust Access if configured
+  let accessConfigured = false;
+  if (access && access.length > 0) {
+    spinner.start('Configuring access control...');
+    try {
+      await ensureAccess(credentials, forward, access);
+      accessConfigured = true;
+      spinner.succeed('Access control configured');
+    } catch (error) {
+      spinner.fail('Failed to configure access control');
+      console.error(chalk.red(`\nError: ${(error as Error).message}`));
+      console.log(chalk.yellow('\nTunnel is active but without access control.'));
+      console.log(chalk.yellow('Your API token may need additional permissions:'));
+      console.log(chalk.yellow('  - Account → Access: Apps and Policies → Edit'));
+    }
+  } else {
+    // No access config - remove any existing Access app
+    try {
+      await ensureAccess(credentials, forward, undefined);
+    } catch {
+      // Ignore errors when removing - may not have permissions or app doesn't exist
+    }
+  }
+
+  // Display tunnel info
+  console.log('');
+  console.log(chalk.green('✓ Tunnel active'));
+  console.log(chalk.cyan(`  https://${forward}`), chalk.dim(`→ localhost:${port}`));
+  if (accessConfigured && access) {
+    console.log(chalk.dim(`  Access: ${getAccessDescription(access)}`));
+  }
+  console.log('');
+
+  // Execute wrapped command
+  if (args.length === 0) {
+    // No command to run, just setup tunnel
+    console.log(chalk.dim('Tunnel is running. Press Ctrl+C to exit.'));
+
+    // Keep process alive
+    await new Promise(() => {}); // Never resolves
+    return;
+  }
+
+  const [command, ...commandArgs] = args;
+
+  console.log(chalk.dim(`Running: ${command} ${commandArgs.join(' ')}\n`));
+
+  try {
+    // Spawn child process with stdio inheritance
+    const childProcess = execa(command, commandArgs, {
+      stdio: 'inherit',
+      env: {
+        ...process.env,
+        TUNA_TUNNEL_URL: `https://${forward}`,
+        TUNA_TUNNEL_ID: tunnel.id,
+      },
+    });
+
+    // Forward signals to child
+    const signals: NodeJS.Signals[] = ['SIGINT', 'SIGTERM', 'SIGHUP'];
+    for (const signal of signals) {
+      process.on(signal, () => {
+        childProcess.kill(signal);
+      });
+    }
+
+    const result = await childProcess;
+    process.exit(result.exitCode ?? 0);
+  } catch (error) {
+    const execaError = error as ExecaError;
+
+    // If command not found
+    if (execaError.code === 'ENOENT') {
+      console.error(chalk.red(`\nCommand not found: ${command}`));
+      process.exit(127);
+    }
+
+    // Exit with child's exit code
+    process.exit(execaError.exitCode ?? 1);
+  }
+}

package/src/commands/stop.ts

@@ -0,0 +1,44 @@
+/**
+ * Stop command - stop the cloudflared service
+ */
+
+import chalk from 'chalk';
+import ora from 'ora';
+import { stopService, getServiceStatus, isServiceInstalled } from '../lib/service.ts';
+
+/**
+ * Stop the cloudflared service
+ */
+export async function stopCommand(): Promise<void> {
+  console.log('');
+
+  // Check if service is installed
+  if (!isServiceInstalled()) {
+    console.log(chalk.yellow('Cloudflared service is not installed.'));
+    console.log(chalk.dim('Run tuna with a command to set up a tunnel first.\n'));
+    return;
+  }
+
+  // Check current status
+  const status = await getServiceStatus();
+
+  if (!status.running) {
+    console.log(chalk.yellow('Cloudflared service is not running.\n'));
+    return;
+  }
+
+  // Stop the service
+  const spinner = ora('Stopping cloudflared service...').start();
+
+  try {
+    await stopService();
+    spinner.succeed('Cloudflared service stopped');
+    console.log('');
+    console.log(chalk.dim('Your tunnels are no longer active.'));
+    console.log(chalk.dim('Run tuna with a command to start them again.\n'));
+  } catch (error) {
+    spinner.fail('Failed to stop service');
+    console.error(chalk.red(`\nError: ${(error as Error).message}\n`));
+    process.exit(1);
+  }
+}

package/src/index.ts

@@ -0,0 +1,129 @@
+#!/usr/bin/env -S npx tsx
+/**
+ * Tuna - Cloudflare Tunnel Wrapper for Development Servers
+ * CLI entry point
+ */
+
+import chalk from 'chalk';
+import { loginCommand } from './commands/login.ts';
+import { initCommand } from './commands/init.ts';
+import { runCommand } from './commands/run.ts';
+import { listCommand } from './commands/list.ts';
+import { stopCommand } from './commands/stop.ts';
+import { deleteCommand } from './commands/delete.ts';
+
+const version = '0.1.0';
+
+function showHelp(): void {
+  console.log(`
+${chalk.bold('tuna')} - Cloudflare Tunnel Wrapper for Development Servers
+
+${chalk.dim('Usage:')}
+  tuna [options]
+  tuna <command> [args...]
+
+${chalk.dim('Options:')}
+  --init           Interactive project setup
+  --login          Setup Cloudflare credentials
+  --list           List all tunnels
+  --stop           Stop cloudflared service
+  --delete [name]  Delete tunnel (from config or by name)
+  --version, -V    Show version
+  --help, -h       Show this help
+
+${chalk.dim('Examples:')}
+  $ tuna --init                     Interactive project setup
+  $ tuna --login                    Setup Cloudflare credentials
+  $ tuna npm run dev                Run dev server with tunnel
+  $ tuna vite dev --port 3000       Run vite with tunnel
+  $ tuna --list                     List all tunnels
+  $ tuna --stop                     Stop cloudflared service
+  $ tuna --delete                   Delete tunnel from package.json
+  $ tuna --delete my-tunnel         Delete specific tunnel
+
+${chalk.dim('Configuration:')}
+  Add to your package.json:
+  {
+    "tuna": {
+      "forward": "my-app.example.com",
+      "port": 3000
+    }
+  }
+
+  For team collaboration (unique subdomains per user):
+  {
+    "tuna": {
+      "forward": "$USER-api.example.com",
+      "port": 3000
+    }
+  }
+`);
+}
+
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+
+  // No arguments - show help
+  if (args.length === 0) {
+    showHelp();
+    return;
+  }
+
+  const firstArg = args[0];
+
+  try {
+    // Handle management commands (flags)
+    if (firstArg === '--help' || firstArg === '-h') {
+      showHelp();
+      return;
+    }
+
+    if (firstArg === '--version' || firstArg === '-V') {
+      console.log(version);
+      return;
+    }
+
+    if (firstArg === '--init') {
+      await initCommand();
+      return;
+    }
+
+    if (firstArg === '--login') {
+      await loginCommand();
+      return;
+    }
+
+    if (firstArg === '--list') {
+      await listCommand();
+      return;
+    }
+
+    if (firstArg === '--stop') {
+      await stopCommand();
+      return;
+    }
+
+    if (firstArg === '--delete') {
+      // Optional tunnel name as second argument
+      const tunnelName = args[1];
+      await deleteCommand(tunnelName);
+      return;
+    }
+
+    // Check for unknown flags
+    if (firstArg.startsWith('--')) {
+      console.error(chalk.red(`Unknown option: ${firstArg}`));
+      console.log(chalk.dim('Run: tuna --help'));
+      process.exit(1);
+    }
+
+    // Default: wrapper command
+    // All arguments are passed to the wrapped command
+    await runCommand(args);
+  } catch (error) {
+    console.error(chalk.red('Error:'), (error as Error).message);
+    process.exit(1);
+  }
+}
+
+main();