@zeroexcore/tuna 0.1.0

package/src/lib/cloudflared.ts

@@ -0,0 +1,279 @@
+/**
+ * Cloudflared binary management - detection, download, and execution
+ */
+
+import { execa, type ExecaError } from 'execa';
+import { existsSync, mkdirSync, chmodSync, createWriteStream } from 'fs';
+import { homedir, platform, arch } from 'os';
+import { join } from 'path';
+
+const TUNA_DIR = join(homedir(), '.tuna');
+const BIN_DIR = join(TUNA_DIR, 'bin');
+const TUNNELS_DIR = join(TUNA_DIR, 'tunnels');
+
+// GitHub release download URLs
+const DOWNLOAD_BASE = 'https://github.com/cloudflare/cloudflared/releases/latest/download';
+
+interface ExecResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+/**
+ * Get the download URL for cloudflared based on platform and architecture
+ */
+function getDownloadUrl(): string {
+  const os = platform();
+  const architecture = arch();
+
+  if (os === 'darwin') {
+    if (architecture === 'arm64') {
+      return `${DOWNLOAD_BASE}/cloudflared-darwin-arm64.tgz`;
+    }
+    return `${DOWNLOAD_BASE}/cloudflared-darwin-amd64.tgz`;
+  }
+
+  if (os === 'linux') {
+    if (architecture === 'arm64') {
+      return `${DOWNLOAD_BASE}/cloudflared-linux-arm64`;
+    }
+    if (architecture === 'arm') {
+      return `${DOWNLOAD_BASE}/cloudflared-linux-arm`;
+    }
+    return `${DOWNLOAD_BASE}/cloudflared-linux-amd64`;
+  }
+
+  if (os === 'win32') {
+    if (architecture === 'x64') {
+      return `${DOWNLOAD_BASE}/cloudflared-windows-amd64.exe`;
+    }
+    return `${DOWNLOAD_BASE}/cloudflared-windows-386.exe`;
+  }
+
+  throw new Error(`Unsupported platform: ${os} ${architecture}`);
+}
+
+/**
+ * Get the path to the cloudflared binary (either in PATH or downloaded)
+ */
+export function getExecutablePath(): string {
+  // First check if cloudflared is in PATH
+  const systemPath = getSystemCloudflaredPath();
+  if (systemPath) {
+    return systemPath;
+  }
+
+  // Fall back to downloaded binary
+  const os = platform();
+  const binaryName = os === 'win32' ? 'cloudflared.exe' : 'cloudflared';
+  return join(BIN_DIR, binaryName);
+}
+
+/**
+ * Check if cloudflared is available in system PATH
+ */
+function getSystemCloudflaredPath(): string | null {
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { execSync } = require('child_process') as typeof import('child_process');
+    const stdout = execSync('which cloudflared 2>/dev/null || where cloudflared 2>nul', {
+      encoding: 'utf-8',
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+    const path = stdout.trim().split('\n')[0];
+    return path || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if cloudflared is installed (either in PATH or downloaded)
+ */
+export function isInstalled(): boolean {
+  // Check system PATH first
+  if (getSystemCloudflaredPath()) {
+    return true;
+  }
+
+  // Check downloaded binary
+  const binaryPath = getExecutablePath();
+  return existsSync(binaryPath);
+}
+
+/**
+ * Get the installed cloudflared version
+ */
+export async function getVersion(): Promise<string> {
+  const result = await exec(['--version']);
+  // Output format: "cloudflared version 2024.1.0 (built 2024-01-15-1234 revision abcd1234)"
+  const match = result.stdout.match(/version\s+(\d+\.\d+\.\d+)/);
+  if (match) {
+    return match[1];
+  }
+  throw new Error('Could not parse cloudflared version');
+}
+
+/**
+ * Ensure the tuna directories exist
+ */
+export function ensureDirectories(): void {
+  if (!existsSync(TUNA_DIR)) {
+    mkdirSync(TUNA_DIR, { recursive: true });
+  }
+  if (!existsSync(BIN_DIR)) {
+    mkdirSync(BIN_DIR, { recursive: true });
+  }
+  if (!existsSync(TUNNELS_DIR)) {
+    mkdirSync(TUNNELS_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+/**
+ * Download cloudflared binary for the current platform
+ */
+export async function download(
+  onProgress?: (percent: number) => void
+): Promise<string> {
+  ensureDirectories();
+
+  const url = getDownloadUrl();
+  const isTarball = url.endsWith('.tgz');
+  const binaryPath = getExecutablePath();
+
+  // Download the file
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to download cloudflared: ${response.statusText}`);
+  }
+
+  const contentLength = response.headers.get('content-length');
+  const totalSize = contentLength ? parseInt(contentLength, 10) : 0;
+  let downloadedSize = 0;
+
+  if (isTarball) {
+    // For macOS, we need to extract from tarball
+    const tempTarPath = join(BIN_DIR, 'cloudflared.tgz');
+    const writeStream = createWriteStream(tempTarPath);
+
+    const reader = response.body?.getReader();
+    if (!reader) {
+      throw new Error('Failed to get response body reader');
+    }
+
+    // Download with progress
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      writeStream.write(Buffer.from(value));
+      downloadedSize += value.length;
+
+      if (onProgress && totalSize > 0) {
+        onProgress(Math.round((downloadedSize / totalSize) * 100));
+      }
+    }
+
+    writeStream.end();
+    await new Promise((resolve) => writeStream.on('finish', resolve));
+
+    // Extract tarball using tar command
+    await execa('tar', ['-xzf', tempTarPath, '-C', BIN_DIR]);
+
+    // Remove tarball
+    const { unlinkSync } = await import('fs');
+    unlinkSync(tempTarPath);
+  } else {
+    // Direct binary download (Linux, Windows)
+    const writeStream = createWriteStream(binaryPath);
+    const reader = response.body?.getReader();
+    if (!reader) {
+      throw new Error('Failed to get response body reader');
+    }
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      writeStream.write(Buffer.from(value));
+      downloadedSize += value.length;
+
+      if (onProgress && totalSize > 0) {
+        onProgress(Math.round((downloadedSize / totalSize) * 100));
+      }
+    }
+
+    writeStream.end();
+    await new Promise((resolve) => writeStream.on('finish', resolve));
+  }
+
+  // Make executable on Unix
+  if (platform() !== 'win32') {
+    chmodSync(binaryPath, 0o755);
+  }
+
+  return binaryPath;
+}
+
+/**
+ * Execute a cloudflared command
+ */
+export async function exec(args: string[]): Promise<ExecResult> {
+  const binaryPath = getExecutablePath();
+
+  if (!existsSync(binaryPath) && !getSystemCloudflaredPath()) {
+    throw new Error(
+      'cloudflared is not installed. Run `tuna` to auto-download, or install manually:\n' +
+      '  brew install cloudflared\n' +
+      '  https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/'
+    );
+  }
+
+  try {
+    const result = await execa(binaryPath, args);
+    return {
+      stdout: String(result.stdout ?? ''),
+      stderr: String(result.stderr ?? ''),
+      exitCode: result.exitCode ?? 0,
+    };
+  } catch (error) {
+    const execaError = error as ExecaError;
+    if (execaError.exitCode !== undefined) {
+      return {
+        stdout: String(execaError.stdout ?? ''),
+        stderr: String(execaError.stderr ?? ''),
+        exitCode: execaError.exitCode,
+      };
+    }
+    throw error;
+  }
+}
+
+/**
+ * Get the tuna directory path
+ */
+export function getTunaDir(): string {
+  return TUNA_DIR;
+}
+
+/**
+ * Get the tunnels directory path
+ */
+export function getTunnelsDir(): string {
+  return TUNNELS_DIR;
+}
+
+/**
+ * Get path for a tunnel credentials file
+ */
+export function getTunnelCredentialsPath(tunnelId: string): string {
+  return join(TUNNELS_DIR, `${tunnelId}.json`);
+}
+
+/**
+ * Get path for a tunnel config file
+ */
+export function getTunnelConfigPath(tunnelId: string): string {
+  return join(TUNA_DIR, `config-${tunnelId}.yml`);
+}

package/src/lib/config.ts

@@ -0,0 +1,125 @@
+/**
+ * Configuration management - reads package.json and interpolates environment variables
+ */
+
+import { findUp } from 'find-up';
+import { readFile } from 'fs/promises';
+import type { PackageJson, TunaConfig } from '../types/index.ts';
+
+/**
+ * Find package.json in current directory or parent directories
+ */
+export async function findPackageJson(): Promise<string | null> {
+  const found = await findUp('package.json');
+  return found || null;
+}
+
+/**
+ * Interpolate environment variables in a string
+ * Priority: $TUNA_USER > $USER > 'unknown'
+ */
+export function interpolateEnvVars(value: string): string {
+  const tunaUser = process.env.TUNA_USER;
+  const user = process.env.USER;
+  const home = process.env.HOME;
+  
+  let result = value;
+  
+  // Replace $TUNA_USER first (if set)
+  if (tunaUser) {
+    result = result.replace(/\$TUNA_USER/g, tunaUser);
+  }
+  
+  // Replace $USER with TUNA_USER if set, otherwise USER, otherwise 'unknown'
+  result = result.replace(/\$USER/g, tunaUser || user || 'unknown');
+  
+  // Replace $HOME
+  result = result.replace(/\$HOME/g, home || '~');
+  
+  return result;
+}
+
+/**
+ * Validate tuna configuration
+ */
+export function validateConfig(config: TunaConfig): void {
+  if (!config.forward) {
+    throw new Error('Missing "forward" in tuna config');
+  }
+
+  if (config.port === undefined || config.port === null) {
+    throw new Error('Missing "port" in tuna config');
+  }
+
+  if (typeof config.port !== 'number') {
+    throw new Error('"port" must be a number');
+  }
+
+  if (config.port < 1 || config.port > 65535) {
+    throw new Error('"port" must be between 1 and 65535');
+  }
+
+  // Ensure no unresolved variables remain (check this before domain validation)
+  if (config.forward.includes('$')) {
+    throw new Error(
+      `Unresolved environment variables in forward field: ${config.forward}\n` +
+      'Supported: $USER, $TUNA_USER, $HOME'
+    );
+  }
+
+  // Basic domain validation (after interpolation)
+  // Allow dots but not consecutive dots
+  const domainRegex = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\.[a-z]{2,}$/i;
+  if (!domainRegex.test(config.forward)) {
+    throw new Error(`Invalid domain format: ${config.forward}`);
+  }
+}
+
+/**
+ * Read and parse tuna configuration from package.json
+ */
+export async function readConfig(): Promise<TunaConfig> {
+  const pkgPath = await findPackageJson();
+
+  if (!pkgPath) {
+    throw new Error(
+      'No package.json found.\n' +
+      'Run this command from your project directory.'
+    );
+  }
+
+  const content = await readFile(pkgPath, 'utf-8');
+  const pkg: PackageJson = JSON.parse(content);
+
+  if (!pkg.tuna) {
+    throw new Error(
+      'No "tuna" config in package.json.\n' +
+      'Add to package.json:\n' +
+      '{\n' +
+      '  "tuna": {\n' +
+      '    "forward": "my-app.example.com",\n' +
+      '    "port": 3000\n' +
+      '  }\n' +
+      '}'
+    );
+  }
+
+  // Interpolate environment variables in forward field
+  const interpolatedConfig: TunaConfig = {
+    ...pkg.tuna,
+    forward: interpolateEnvVars(pkg.tuna.forward),
+  };
+
+  validateConfig(interpolatedConfig);
+  return interpolatedConfig;
+}
+
+/**
+ * Generate tunnel name from forward domain
+ * Format: tuna-{sanitized-forward}
+ */
+export function generateTunnelName(forward: string): string {
+  // Sanitize: replace non-alphanumeric with -, lowercase
+  const sanitized = forward.replace(/[^a-z0-9]/gi, '-').toLowerCase();
+  return `tuna-${sanitized}`;
+}

package/src/lib/credentials.ts

@@ -0,0 +1,67 @@
+/**
+ * Credential management - secure storage in macOS Keychain
+ */
+
+import keytar from 'keytar';
+import type { Credentials } from '../types/index.ts';
+
+// Use a single service name so findCredentials works correctly
+const SERVICE_NAME = 'tuna';
+
+/**
+ * Store credentials in macOS Keychain
+ */
+export async function storeCredentials(
+  domain: string,
+  creds: Credentials
+): Promise<void> {
+  const password = JSON.stringify(creds);
+  await keytar.setPassword(SERVICE_NAME, domain, password);
+}
+
+/**
+ * Retrieve credentials from macOS Keychain
+ * Triggers biometric authentication
+ */
+export async function getCredentials(
+  domain: string
+): Promise<Credentials | null> {
+  const password = await keytar.getPassword(SERVICE_NAME, domain);
+
+  if (!password) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(password) as Credentials;
+  } catch {
+    throw new Error(`Failed to parse credentials for ${domain}`);
+  }
+}
+
+/**
+ * Delete credentials from macOS Keychain
+ */
+export async function deleteCredentials(domain: string): Promise<boolean> {
+  return await keytar.deletePassword(SERVICE_NAME, domain);
+}
+
+/**
+ * List all configured domains
+ */
+export async function listDomains(): Promise<string[]> {
+  const credentials = await keytar.findCredentials(SERVICE_NAME);
+  return credentials.map((c) => c.account);
+}
+
+/**
+ * Extract root domain from subdomain
+ * e.g., "my-app.example.com" → "example.com"
+ */
+export function getRootDomain(forward: string): string {
+  const parts = forward.split('.');
+  if (parts.length < 2) {
+    throw new Error(`Invalid domain: ${forward}`);
+  }
+  return parts.slice(-2).join('.');
+}

package/src/lib/dns.ts

@@ -0,0 +1,164 @@
+/**
+ * DNS management - higher-level DNS operations built on top of API client
+ */
+
+import { CloudflareAPI } from './api.ts';
+import { getRootDomain } from './credentials.ts';
+import type { Credentials } from '../types/index.ts';
+
+/**
+ * Get the CNAME target for a tunnel
+ * Format: {tunnel-id}.cfargotunnel.com
+ */
+export function getTunnelCnameTarget(tunnelId: string): string {
+  return `${tunnelId}.cfargotunnel.com`;
+}
+
+/**
+ * Ensure a DNS CNAME record exists pointing to the tunnel
+ * Creates the record if it doesn't exist, updates if it points to wrong target
+ */
+export async function ensureDnsRecord(
+  credentials: Credentials,
+  forward: string,
+  tunnelId: string
+): Promise<void> {
+  const api = new CloudflareAPI(credentials);
+  const rootDomain = getRootDomain(forward);
+  const cnameTarget = getTunnelCnameTarget(tunnelId);
+
+  // Get the zone
+  const zone = await api.getZoneByName(rootDomain);
+
+  // Check if record already exists
+  const existingRecords = await api.listDnsRecords(zone.id, forward);
+  const existingCname = existingRecords.find(
+    (r) => r.type === 'CNAME' && r.name === forward
+  );
+
+  if (existingCname) {
+    // Record exists - check if it points to correct target
+    if (existingCname.content === cnameTarget) {
+      // Already correct, nothing to do
+      return;
+    }
+
+    // Update to point to correct target
+    await api.updateDnsRecord(zone.id, existingCname.id!, {
+      type: 'CNAME',
+      name: forward,
+      content: cnameTarget,
+      proxied: true,
+      ttl: 1, // Auto
+    });
+    return;
+  }
+
+  // Check for conflicting A/AAAA records
+  const conflictingRecords = existingRecords.filter(
+    (r) => (r.type === 'A' || r.type === 'AAAA') && r.name === forward
+  );
+
+  if (conflictingRecords.length > 0) {
+    throw new Error(
+      `DNS conflict: ${forward} already has ${conflictingRecords[0].type} record(s).\n` +
+      `Delete them first or use a different subdomain.`
+    );
+  }
+
+  // Create new CNAME record
+  await api.createDnsRecord(zone.id, {
+    type: 'CNAME',
+    name: forward,
+    content: cnameTarget,
+    proxied: true,
+    ttl: 1, // Auto
+  });
+}
+
+/**
+ * Delete the DNS record for a domain
+ */
+export async function deleteDnsRecordForDomain(
+  credentials: Credentials,
+  forward: string
+): Promise<boolean> {
+  const api = new CloudflareAPI(credentials);
+  const rootDomain = getRootDomain(forward);
+
+  try {
+    const zone = await api.getZoneByName(rootDomain);
+    const records = await api.listDnsRecords(zone.id, forward);
+
+    // Find and delete CNAME record for this domain
+    const cnameRecord = records.find(
+      (r) => r.type === 'CNAME' && r.name === forward
+    );
+
+    if (cnameRecord && cnameRecord.id) {
+      await api.deleteDnsRecord(zone.id, cnameRecord.id);
+      return true;
+    }
+
+    return false;
+  } catch (error) {
+    // If zone not found, record doesn't exist
+    if ((error as Error).message.includes('Zone not found')) {
+      return false;
+    }
+    throw error;
+  }
+}
+
+/**
+ * List all DNS records pointing to a specific tunnel
+ */
+export async function listDnsRecordsForTunnel(
+  credentials: Credentials,
+  tunnelId: string,
+  domain: string
+): Promise<string[]> {
+  const api = new CloudflareAPI(credentials);
+  const cnameTarget = getTunnelCnameTarget(tunnelId);
+
+  try {
+    const zone = await api.getZoneByName(domain);
+    const allRecords = await api.listDnsRecords(zone.id);
+
+    // Find all CNAME records pointing to this tunnel
+    return allRecords
+      .filter((r) => r.type === 'CNAME' && r.content === cnameTarget)
+      .map((r) => r.name);
+  } catch (error) {
+    // If zone not found, return empty list
+    if ((error as Error).message.includes('Zone not found')) {
+      return [];
+    }
+    throw error;
+  }
+}
+
+/**
+ * Validate that the domain is properly configured
+ * Returns true if DNS record exists and points to the tunnel
+ */
+export async function validateDnsRecord(
+  credentials: Credentials,
+  forward: string,
+  tunnelId: string
+): Promise<boolean> {
+  const api = new CloudflareAPI(credentials);
+  const rootDomain = getRootDomain(forward);
+  const cnameTarget = getTunnelCnameTarget(tunnelId);
+
+  try {
+    const zone = await api.getZoneByName(rootDomain);
+    const records = await api.listDnsRecords(zone.id, forward);
+
+    return records.some(
+      (r) => r.type === 'CNAME' && r.name === forward && r.content === cnameTarget
+    );
+  } catch {
+    return false;
+  }
+}