anyagent-bridge 0.5.0

package/server/safety/sandbox.js

@@ -0,0 +1,130 @@
+/**
+ * AnyAgent Bridge — Docker sandbox argv/env builder (Stage 4)
+ *
+ * Pure, stateless, unit-testable. Builds the `docker run …` argument vector and the
+ * MINIMAL environment handed to the docker client process. No shell string is ever
+ * constructed — pty.spawn receives an args ARRAY, so there is no interpolation /
+ * injection surface (same discipline as the tunnel base-adapter).
+ *
+ * Secret handling (critical): the docker CLIENT env is a small allowlist (PATH /
+ * HOME / DOCKER_* + the explicitly passed-through names) — NEVER the bridge's full
+ * process.env, which would leak BRIDGE_AUTH_TOKEN / BRIDGE_SESSION_SECRET into the
+ * container's reach. Passed-through secrets use the `-e NAME` (value-from-client-env)
+ * form so their VALUES never land in argv / the process table.
+ */
+
+'use strict';
+
+const path = require('path');
+const { findOnPath } = require('../tunnel/detect');
+
+// Never forward the bridge's own secrets into a container, even if an operator
+// lists them in envPassthrough.
+const ENV_DENYLIST = /^(BRIDGE_|AAB_)/i;
+const ENV_DENY_EXACT = new Set(['AUTH_TOKEN', 'SESSION_SECRET', 'BRIDGE_AUTH_TOKEN', 'BRIDGE_SESSION_SECRET']);
+
+function detectDocker() {
+  try { return findOnPath('docker'); } catch (e) { return null; }
+}
+
+/** A `docker run -v` host path. On Windows, map `C:\foo` → `//c/foo` for Docker Desktop. */
+function dockerMountPath(p) {
+  const resolved = path.resolve(p);
+  if (process.platform === 'win32') {
+    const m = /^([A-Za-z]):[\\/](.*)$/.exec(resolved);
+    if (m) return `//${m[1].toLowerCase()}/${m[2].replace(/\\/g, '/')}`;
+    return resolved.replace(/\\/g, '/');
+  }
+  return resolved;
+}
+
+/** Filter an envPassthrough list down to names that are safe and present in env. */
+function resolvePassthrough(names, env) {
+  const e = env || process.env;
+  const out = [];
+  const seen = new Set();
+  for (const name of Array.isArray(names) ? names : []) {
+    if (typeof name !== 'string' || !name) continue;
+    if (ENV_DENYLIST.test(name) || ENV_DENY_EXACT.has(name)) continue;
+    if (e[name] === undefined) continue;
+    if (seen.has(name)) continue;
+    seen.add(name);
+    out.push(name);
+  }
+  return out;
+}
+
+/** Minimal environment for the docker CLIENT process (NOT the container). */
+function buildClientEnv(passthroughNames, env) {
+  const e = env || process.env;
+  const out = {};
+  const base = ['PATH', 'Path', 'HOME', 'USERPROFILE', 'SystemRoot', 'TEMP', 'TMP',
+    'DOCKER_HOST', 'DOCKER_CONTEXT', 'DOCKER_CONFIG', 'DOCKER_TLS_VERIFY', 'DOCKER_CERT_PATH'];
+  for (const k of base) if (e[k] !== undefined) out[k] = e[k];
+  for (const name of passthroughNames) if (e[name] !== undefined) out[name] = e[name];
+  return out;
+}
+
+/**
+ * Whether a resolved working dir may be bind-mounted. Refuses HOME and any
+ * configured allowed-base root — never mount a whole home directory into a
+ * container (too broad / surprising). `blocked` is a list of absolute paths.
+ */
+function isSandboxableDir(dir, blocked) {
+  if (!dir) return false;
+  const resolved = path.resolve(dir);
+  return !(blocked || []).some(b => {
+    try { return path.resolve(b) === resolved; } catch (e) { return false; }
+  });
+}
+
+/**
+ * Build the `docker run` argv. Caller supplies the already-resolved image and the
+ * already-filtered passthrough names.
+ *   opts = { containerName, hostProjectDir, image, passthroughNames, cfg }
+ */
+function buildDockerArgs(opts) {
+  const { containerName, hostProjectDir, image, passthroughNames, cfg } = opts;
+  const workdir = cfg.workdir || '/workspace';
+  const args = ['run', '--rm', '-it', '--name', containerName, '--hostname', 'aab'];
+
+  const mount = `${dockerMountPath(hostProjectDir)}:${workdir}${cfg.mountMode === 'ro' ? ':ro' : ''}`;
+  args.push('-v', mount, '-w', workdir);
+
+  args.push('--network', cfg.network || 'bridge');
+
+  if (cfg.memory) { args.push('--memory', String(cfg.memory), '--memory-swap', String(cfg.memory)); }
+  if (cfg.cpus) args.push('--cpus', String(cfg.cpus));
+  if (cfg.pidsLimit) args.push('--pids-limit', String(cfg.pidsLimit));
+
+  if (cfg.noNewPrivileges !== false) args.push('--security-opt', 'no-new-privileges');
+  if (cfg.dropAllCaps) args.push('--cap-drop', 'ALL');
+  if (cfg.readOnlyRootfs) {
+    args.push('--read-only', '--tmpfs', '/tmp:rw,nosuid,size=256m', '--tmpfs', '/run:rw,nosuid,size=64m');
+  }
+  // --user maps host uid:gid so files on the bind mount are operator-owned. This is
+  // a Linux-native truth only; on Docker Desktop (mac/win) the VM remaps UIDs and a
+  // host uid here can make the mount unwritable — so gate strictly to linux.
+  if (cfg.runAsHostUser && process.platform === 'linux' && typeof process.getuid === 'function') {
+    args.push('--user', `${process.getuid()}:${process.getgid()}`);
+  }
+
+  args.push('-e', 'TERM=xterm-256color');
+  for (const name of passthroughNames || []) args.push('-e', name); // value-from-client-env
+
+  if (Array.isArray(cfg.extraArgs)) for (const a of cfg.extraArgs) if (typeof a === 'string' && a) args.push(a);
+
+  args.push(image);
+
+  const shellArgv = cfg.shell
+    ? (Array.isArray(cfg.shell) ? cfg.shell.slice() : [cfg.shell])
+    : ['/bin/sh', '-l'];
+  for (const s of shellArgv) args.push(String(s));
+
+  return args;
+}
+
+module.exports = {
+  detectDocker, dockerMountPath, resolvePassthrough, buildClientEnv,
+  isSandboxableDir, buildDockerArgs, ENV_DENYLIST
+};

package/server/tunnel/adapters/cloudflare-quick.js

@@ -0,0 +1,40 @@
+/**
+ * Cloudflare Quick Tunnel adapter (ephemeral, no account).
+ *
+ *   cloudflared tunnel --no-autoupdate --url http://127.0.0.1:<PORT>
+ *
+ * No login required. A random *.trycloudflare.com URL is printed to STDERR
+ * (verified: stdout is empty) and rotates on every run. Testing-grade only
+ * (~200 concurrent request cap, no SSE).
+ */
+
+const BaseAdapter = require('../base-adapter');
+
+const URL_RE = /(https:\/\/[a-z0-9-]+\.trycloudflare\.com)/i;
+const FAIL_RE = /Failed to request quick Tunnel/i;
+
+class CloudflareQuickAdapter extends BaseAdapter {
+  static get id() { return 'cloudflare-quick'; }
+  static get label() { return 'Cloudflare Quick Tunnel'; }
+  static get binaryName() { return 'cloudflared'; }
+  static get stableUrl() { return false; }
+  static get requiresAccount() { return false; }
+  static get installHint() {
+    return 'Install cloudflared: macOS `brew install cloudflared`; Windows `winget install --id Cloudflare.cloudflared`; '
+      + 'Linux: github.com/cloudflare/cloudflared/releases.';
+  }
+
+  buildArgs() {
+    return ['tunnel', '--no-autoupdate', '--url', `http://127.0.0.1:${this.port}`];
+  }
+
+  parseLine(line) {
+    const m = line.match(URL_RE);
+    if (m) return { url: m[1] };
+    // A hard failure to create the quick tunnel — let the manager retry/back off.
+    if (FAIL_RE.test(line)) return { error: { code: 'EXIT_BEFORE_URL', message: line.trim() } };
+    return null;
+  }
+}
+
+module.exports = CloudflareQuickAdapter;

package/server/tunnel/adapters/cloudflared-named.js

@@ -0,0 +1,49 @@
+/**
+ * cloudflared NAMED tunnel adapter (stable custom hostname).
+ *
+ *   cloudflared tunnel --loglevel info run <tunnelName>
+ *
+ * Requires a Cloudflare account + zone with a pre-created tunnel and a DNS route
+ * (`cloudflared tunnel login` -> `tunnel create <name>` -> `tunnel route dns
+ * <name> <hostname>`). The public hostname is NOT printed by the CLI — it is the
+ * configured `hostname`. Readiness is detected from the stderr line
+ * "Registered tunnel connection"; the URL is then `https://<hostname>`.
+ *
+ * The local service the tunnel proxies to is defined by the `ingress:` rules in
+ * ~/.cloudflared/config.yml (not on the command line), so no port is passed.
+ */
+
+const BaseAdapter = require('../base-adapter');
+
+const READY_RE = /Registered tunnel connection/;
+const ERR_RE = /Cannot determine default origin certificate|credentials file not found|tunnel not found|failed to parse tunnel|Cannot find credentials/i;
+
+class CloudflaredNamedAdapter extends BaseAdapter {
+  static get id() { return 'cloudflared-named'; }
+  static get label() { return 'cloudflared named tunnel'; }
+  static get binaryName() { return 'cloudflared'; }
+  static get stableUrl() { return true; }
+  static get requiresAccount() { return true; }
+  static get installHint() {
+    return 'Pre-create a named tunnel: `cloudflared tunnel login` -> `tunnel create <name>` -> '
+      + '`tunnel route dns <name> <hostname>`. Set tunnel["cloudflared-named"].tunnelName and .hostname in config.';
+  }
+
+  buildArgs() {
+    const pc = this.providerConfig || {};
+    if (!pc.tunnelName) {
+      throw new Error('cloudflared-named requires tunnel["cloudflared-named"].tunnelName');
+    }
+    return ['tunnel', '--loglevel', 'info', 'run', String(pc.tunnelName)];
+  }
+
+  parseLine(line) {
+    if (ERR_RE.test(line)) {
+      return { error: { code: 'NOT_CONFIGURED', message: 'cloudflared named tunnel not set up (login / create / route dns)' } };
+    }
+    if (READY_RE.test(line)) return { ready: true };
+    return null;
+  }
+}
+
+module.exports = CloudflaredNamedAdapter;

package/server/tunnel/adapters/devtunnel.js

@@ -0,0 +1,54 @@
+/**
+ * Microsoft Dev Tunnels adapter (default provider).
+ *
+ *   devtunnel host -p <PORT> --allow-anonymous   (temporary tunnel; URL rotates)
+ *   devtunnel host <tunnelId> -p <PORT> ...       (reuse a pre-created tunnel)
+ *
+ * Requires a one-time `devtunnel user login`. `--allow-anonymous` lets browser
+ * visitors open the public URL without an MS login (only the bridge token gates
+ * access). The CLI prints a multi-line block; the public URL is on the line
+ * starting "Connect via browser:".
+ */
+
+const BaseAdapter = require('../base-adapter');
+
+// Anchor on the human label so we never grab the "Inspect network activity:" URL.
+// Captures the first https://<id>.<region>.devtunnels.ms[...] token, stopping at a comma.
+const URL_RE = /(?:Connect via browser:|Hosting port[^\n]*?\bat)\s+(https:\/\/[^\s,]+\.devtunnels\.ms[^\s,]*)/;
+const AUTH_ERR_RE = /not logged in|devtunnel user login|unauthorized|\b401\b/i;
+
+class DevtunnelAdapter extends BaseAdapter {
+  static get id() { return 'devtunnel'; }
+  static get label() { return 'Microsoft Dev Tunnels'; }
+  static get binaryName() { return 'devtunnel'; }
+  static get stableUrl() { return false; }
+  static get requiresAccount() { return true; }
+  static get installHint() {
+    return 'Install: macOS `brew install --cask devtunnel`; Windows `winget install Microsoft.devtunnel`; '
+      + 'Linux `curl -sL https://aka.ms/DevTunnelCliInstall | bash`. First run once: `devtunnel user login`.';
+  }
+
+  buildArgs() {
+    const pc = this.providerConfig || {};
+    const args = ['host'];
+    if (pc.tunnelId) args.push(String(pc.tunnelId));
+    args.push('-p', String(this.port));
+    // --allow-anonymous applies to ad-hoc (temporary) tunnels. A pre-created
+    // tunnel (tunnelId) carries its own access policy from `devtunnel access
+    // create`, so don't force the flag there unless the operator opts in.
+    const wantAnon = pc.tunnelId ? pc.allowAnonymous === true : pc.allowAnonymous !== false;
+    if (wantAnon) args.push('--allow-anonymous');
+    return args;
+  }
+
+  parseLine(line) {
+    const m = line.match(URL_RE);
+    if (m) return { url: m[1] };
+    if (AUTH_ERR_RE.test(line)) {
+      return { error: { code: 'LOGIN_REQUIRED', message: 'Dev Tunnels needs login — run: devtunnel user login' } };
+    }
+    return null;
+  }
+}
+
+module.exports = DevtunnelAdapter;

package/server/tunnel/adapters/tailscale.js

@@ -0,0 +1,42 @@
+/**
+ * Tailscale Funnel adapter (private mesh, stable public URL).
+ *
+ *   tailscale funnel <PORT>
+ *
+ * Requires a logged-in node (`tailscale up`) with Funnel enabled in the tailnet
+ * ACL. Prints "Available on the internet:" then the stable
+ * https://<machine>.<tailnet>.ts.net URL to STDOUT (source-confirmed). May need
+ * sudo depending on the platform.
+ */
+
+const BaseAdapter = require('../base-adapter');
+
+const URL_RE = /(https:\/\/[a-z0-9-]+(?:\.[a-z0-9-]+)+\.ts\.net[^\s]*)/i;
+const ERR_RE = /Funnel not available|Funnel is not enabled|NeedsLogin|logged out|invalid auth/i;
+
+class TailscaleAdapter extends BaseAdapter {
+  static get id() { return 'tailscale'; }
+  static get label() { return 'Tailscale Funnel'; }
+  static get binaryName() { return 'tailscale'; }
+  static get stableUrl() { return true; }
+  static get requiresAccount() { return true; }
+  static get installHint() {
+    return 'Install tailscale, run `tailscale up`, and enable Funnel in your tailnet ACL. '
+      + 'macOS `brew install tailscale`; Linux `curl -fsSL https://tailscale.com/install.sh | sh`.';
+  }
+
+  buildArgs() {
+    return ['funnel', String(this.port)];
+  }
+
+  parseLine(line) {
+    const m = line.match(URL_RE);
+    if (m) return { url: m[1] };
+    if (ERR_RE.test(line)) {
+      return { error: { code: 'NOT_IN_TAILNET', message: 'Run `tailscale up` and enable Funnel in your tailnet ACL' } };
+    }
+    return null;
+  }
+}
+
+module.exports = TailscaleAdapter;

package/server/tunnel/base-adapter.js

@@ -0,0 +1,185 @@
+/**
+ * AnyAgent Bridge — tunnel BaseAdapter (Stage 2)
+ *
+ * Shared plumbing every tunnel adapter reuses: detect the CLI, spawn it
+ * (no shell, child dies with the server), scan BOTH stdout and stderr
+ * line-by-line, and stop it cleanly (SIGTERM -> SIGKILL on POSIX; taskkill
+ * tree-kill on Windows). Concrete adapters override only the static metadata,
+ * buildArgs(), and parseLine(). Adapters never touch global state, the HTTP
+ * layer, or the banner — they talk to the manager purely through events.
+ *
+ * Events emitted:
+ *   'url'  (url)              first public URL parsed
+ *   'ready'()                 readiness reached but URL is known out-of-band (cloudflared-named)
+ *   'error'({code, message})  spawn failure or provider error
+ *   'exit' ({code, signal})   child process ended
+ *   'log'  (line)             passthrough of a CLI output line (diagnostics)
+ */
+
+const { EventEmitter } = require('events');
+const { spawn } = require('child_process');
+const { detect: detectBinary } = require('./detect');
+
+class BaseAdapter extends EventEmitter {
+  // Subclasses MUST override these static getters:
+  //   static get id()         provider id, e.g. 'devtunnel'
+  //   static get label()      human name
+  //   static get binaryName() CLI to probe/spawn
+  //   static get stableUrl()  boolean
+  //   static get requiresAccount() boolean
+  //   static get installHint() string
+
+  constructor({ host, port, providerConfig, killGraceMs, logger } = {}) {
+    super();
+    this.host = host || '127.0.0.1';
+    this.port = port;
+    this.providerConfig = providerConfig || {};
+    this.killGraceMs = killGraceMs || 4000;
+    this.logger = logger || console;
+
+    this.child = null;
+    this.binaryPath = null;
+    this._stdoutBuf = '';
+    this._stderrBuf = '';
+    this._urlEmitted = false;
+    this._killTimer = null;
+  }
+
+  get pid() { return this.child && this.child.pid ? this.child.pid : null; }
+  get stableUrl() { return this.constructor.stableUrl; }
+  get requiresAccount() { return this.constructor.requiresAccount; }
+
+  /** Delegate to detect.js. Never throws. */
+  async detect() {
+    const bin = this.constructor.binaryName;
+    const res = detectBinary(bin);
+    this.binaryPath = res.path;
+    return {
+      available: res.available,
+      path: res.path,
+      reason: res.available ? undefined : `${bin} not found on PATH`
+    };
+  }
+
+  /** Override: return string[] argv (after the binary). */
+  buildArgs() { return []; }
+
+  /** Override: return {url}|{ready:true}|{error:{code,message}}|null. */
+  parseLine(line, stream) { return null; }
+
+  /** Spawn the CLI. Idempotent (no-op if already running). */
+  start() {
+    if (this.child) return;
+    const bin = this.binaryPath || this.constructor.binaryName;
+
+    let args;
+    try {
+      args = this.buildArgs();
+    } catch (e) {
+      this.emit('error', { code: 'NOT_CONFIGURED', message: e.message });
+      return;
+    }
+    // extraArgs come from config.json (a local-operator trust boundary, as
+    // trusted as the code itself). spawn() uses array argv with shell:false, so
+    // there is no shell-injection surface; each entry is one literal CLI arg.
+    const extra = Array.isArray(this.providerConfig.extraArgs) ? this.providerConfig.extraArgs : [];
+    args = args.concat(extra);
+
+    try {
+      this.child = spawn(bin, args, {
+        stdio: ['ignore', 'pipe', 'pipe'],
+        detached: false,        // child stays in the server's process group
+        windowsHide: true
+      });
+    } catch (e) {
+      this.child = null;
+      this.emit('error', { code: 'SPAWN_FAILED', message: e.message });
+      return;
+    }
+
+    this.child.on('error', (err) => {
+      const code = (err && err.code === 'ENOENT') ? 'CLI_NOT_FOUND' : 'SPAWN_FAILED';
+      this.emit('error', { code, message: err.message });
+    });
+
+    if (this.child.stdout) this.child.stdout.on('data', (d) => this._onChunk('stdout', d));
+    if (this.child.stderr) this.child.stderr.on('data', (d) => this._onChunk('stderr', d));
+
+    this.child.on('exit', (code, signal) => {
+      this.child = null;
+      this.emit('exit', { code, signal });
+    });
+  }
+
+  _onChunk(stream, chunk) {
+    const key = stream === 'stdout' ? '_stdoutBuf' : '_stderrBuf';
+    this[key] += chunk.toString('utf8');
+    let idx;
+    while ((idx = this[key].indexOf('\n')) >= 0) {
+      const line = this[key].slice(0, idx).replace(/\r$/, '');
+      this[key] = this[key].slice(idx + 1);
+      this._handleLine(line, stream);
+    }
+  }
+
+  _handleLine(line, stream) {
+    if (!line) return;
+    this.emit('log', line);
+
+    let res = null;
+    try {
+      res = this.parseLine(line, stream);
+    } catch (e) {
+      return;
+    }
+    if (!res) return;
+
+    if (res.url && !this._urlEmitted) {
+      this._urlEmitted = true;
+      this.emit('url', res.url);
+    } else if (res.ready && !this._urlEmitted) {
+      this._urlEmitted = true;
+      this.emit('ready');
+    } else if (res.error && !this._urlEmitted) {
+      // Errors only matter before we have a URL. Once running, a transient error
+      // line is not fatal — actual death is reported via the child 'exit' event.
+      this.emit('error', res.error);
+    }
+  }
+
+  /** Stop the child. SIGTERM, then SIGKILL after killGraceMs. Idempotent. */
+  async stop() {
+    const child = this.child;
+    if (!child) return;
+    const grace = this.killGraceMs;
+    return new Promise((resolve) => {
+      let done = false;
+      const finish = () => {
+        if (done) return;
+        done = true;
+        if (this._killTimer) { clearTimeout(this._killTimer); this._killTimer = null; }
+        resolve();
+      };
+      child.once('exit', finish);
+      try {
+        if (process.platform === 'win32') {
+          // SIGTERM is unreliable on Windows and CLIs spawn grandchildren;
+          // taskkill /T kills the whole tree. Handle its 'error' so a missing
+          // taskkill.exe never becomes an unhandled event (the SIGKILL timer
+          // below is the backstop either way).
+          const tk = spawn('taskkill', ['/PID', String(child.pid), '/T', '/F'], { stdio: 'ignore', windowsHide: true });
+          tk.on('error', (e) => { try { this.logger.warn(`[Tunnel] taskkill failed: ${e.message}`); } catch (_) {} });
+        } else {
+          child.kill('SIGTERM');
+        }
+      } catch (e) { /* fall through to the hard-kill timer */ }
+      this._killTimer = setTimeout(() => {
+        try { child.kill('SIGKILL'); } catch (e) { /* already gone */ }
+        finish();
+      }, grace);
+      if (this._killTimer.unref) this._killTimer.unref();
+    });
+  }
+}
+
+module.exports = BaseAdapter;

package/server/tunnel/detect.js

@@ -0,0 +1,65 @@
+/**
+ * AnyAgent Bridge — tunnel CLI detection (Stage 2)
+ *
+ * Cross-platform "is this CLI on PATH, and where" probe. A pure fs scan of PATH
+ * (no shell spawned), so it behaves identically on macOS / Linux / Windows.
+ * On Windows it honors PATHEXT (.EXE/.CMD/.BAT/...). Never throws.
+ *
+ * Not cached: detect() runs only on tunnel start/restart (rare), and a fresh
+ * scan means a CLI installed (or removed) after boot is seen on the next
+ * /api/tunnel/restart rather than a stale result lingering for the process life.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// Candidate filenames to look for in each PATH dir. On Windows a bare name is
+// not directly executable — it must carry a PATHEXT extension.
+function _candidates(bin) {
+  if (process.platform !== 'win32') return [bin];
+  const exts = (process.env.PATHEXT || '.COM;.EXE;.BAT;.CMD')
+    .split(';').map(e => e.trim()).filter(Boolean);
+  const names = [bin]; // in case the caller already supplied an extension
+  for (const ext of exts) {
+    names.push(bin + ext.toLowerCase());
+    names.push(bin + ext.toUpperCase());
+  }
+  return names;
+}
+
+function _isExecutableFile(p) {
+  try {
+    const st = fs.statSync(p);
+    if (!st.isFile()) return false;
+    if (process.platform === 'win32') return true; // PATHEXT already gates it
+    fs.accessSync(p, fs.constants.X_OK);
+    return true;
+  } catch (e) {
+    return false;
+  }
+}
+
+/** Resolve a binary name to an absolute path by scanning PATH. null if absent. */
+function findOnPath(bin) {
+  const dirs = (process.env.PATH || '').split(path.delimiter).filter(Boolean);
+  const names = _candidates(bin);
+  for (const dir of dirs) {
+    for (const name of names) {
+      const full = path.join(dir, name);
+      if (_isExecutableFile(full)) return full;
+    }
+  }
+  return null;
+}
+
+/** Detect a CLI binary. Returns { available, path }. Never throws. */
+function detect(binaryName) {
+  try {
+    const resolved = findOnPath(binaryName);
+    return { available: !!resolved, path: resolved };
+  } catch (e) {
+    return { available: false, path: null };
+  }
+}
+
+module.exports = { detect, findOnPath };

package/server/tunnel/index.js

@@ -0,0 +1,15 @@
+/**
+ * AnyAgent Bridge — tunnel subsystem entry (Stage 2)
+ *
+ * The only module server/index.js imports. Creates a TunnelManager and exposes
+ * the provider list for diagnostics.
+ */
+
+const TunnelManager = require('./manager');
+const { listProviders } = require('./registry');
+
+function createTunnelManager(tunnelConfig, logger) {
+  return new TunnelManager(tunnelConfig, logger);
+}
+
+module.exports = { createTunnelManager, listProviders };