create-walle 0.9.21 → 0.9.23

package/template/claude-task-manager/lib/microsoft-dev-tunnel-setup.js

@@ -19,6 +19,8 @@ const HOST_READY_TIMEOUT_MS = 45000;
 const WATCHDOG_CHECK_INTERVAL_MS = 30000;
 const WATCHDOG_WAKE_DRIFT_MS = 90000;
 const PUBLIC_PROBE_TIMEOUT_MS = 6000;
+const DEVTUNNEL_MAX_EXPIRATION = '30d';
+const DEVTUNNEL_RENEWAL_INTERVAL_MS = 25 * 24 * 60 * 60 * 1000;
 const HOST_HEADER_MODE_PASSTHROUGH = 'passthrough';
 const HOST_HEADER_MODE_DEFAULT = 'default';
 
@@ -68,6 +70,58 @@ function loginProviderLabel(provider) {
   return provider === 'github' ? 'GitHub' : 'Microsoft';
 }
 
+// Host-event diagnostics: classify devtunnel host output so the Access page can
+// show WHY the phone link dropped (credential expiry vs relay disconnect vs
+// recovery) instead of a generic failure.
+const HOST_EVENT_LIMIT = 30;
+const HOST_EVENT_REPEAT_SUPPRESS_MS = 30 * 1000;
+
+function classifyDevTunnelHostEventText(text) {
+  const t = String(text || '');
+  if (!t.trim()) return null;
+  if (/unauthoriz|forbidden|authentication failed|login\s+required|token[^\n]{0,60}(expired|invalid|refresh)/i.test(t)) {
+    return 'auth_failure';
+  }
+  if (/connection\s*lost|session closed/i.test(t)) return 'connection_lost';
+  if (/relay restored|reconnected/i.test(t)) return 'reconnected';
+  return null;
+}
+
+function appendManagedTunnelHostEvent(event, options = {}) {
+  if (!event || !event.type) return null;
+  try {
+    const state = loadManagedTunnelState(options);
+    if (!state || !state.tunnel_id) return null;
+    const events = Array.isArray(state.host_events) ? state.host_events : [];
+    const at = new Date().toISOString();
+    const last = events.length ? events[events.length - 1] : null;
+    const suppressMs = Number(options.hostEventRepeatSuppressMs || HOST_EVENT_REPEAT_SUPPRESS_MS);
+    if (last && last.type === event.type && (Date.parse(at) - (Date.parse(last.at) || 0)) < suppressMs) {
+      return null;
+    }
+    const entry = { at, type: String(event.type), detail: String(event.detail || '').slice(0, 240) };
+    state.host_events = [...events, entry].slice(-HOST_EVENT_LIMIT);
+    writeManagedTunnelState(state, options);
+    return entry;
+  } catch {
+    return null;
+  }
+}
+
+// Only the CTM process that spawned the host sees its pipes; after a CTM restart
+// the re-adopted host runs unobserved until its next (re)start.
+function watchDevTunnelHostOutput(child, options = {}) {
+  let carry = '';
+  function scan(chunk) {
+    const text = carry + String(chunk || '');
+    carry = text.slice(-200);
+    const type = classifyDevTunnelHostEventText(text);
+    if (type) appendManagedTunnelHostEvent({ type, detail: text.trim().slice(-240) }, options);
+  }
+  if (child && child.stdout) child.stdout.on('data', scan);
+  if (child && child.stderr) child.stderr.on('data', scan);
+}
+
 function setupDir(options = {}) {
   const configDir = path.resolve(options.configDir || path.join(process.env.HOME || process.cwd(), '.walle', 'data'));
   return path.join(configDir, 'microsoft-dev-tunnel');
@@ -231,10 +285,32 @@ function devTunnelAccessListArgs(tunnelId, options = {}) {
   return ['access', 'list', tunnelId, '-p', String(options.port || 3456), '-j'];
 }
 
+function devTunnelUpdateArgs(tunnelId, options = {}) {
+  return ['update', tunnelId, '--expiration', String(options.tunnelExpiration || options.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION)];
+}
+
 function devTunnelPrivateAccessResetArgs(tunnelId, options = {}) {
   return ['access', 'reset', tunnelId, '-p', String(options.port || 3456), '-j'];
 }
 
+function devTunnelAccessDeleteArgs(tunnelId, index, options = {}) {
+  return ['access', 'delete', tunnelId, '-p', String(options.port || 3456), '-i', String(index), '-j'];
+}
+
+function devTunnelAnonymousConnectAccessArgs(tunnelId, options = {}) {
+  const expiration = String(options.anonymousAccessExpiration || options.anonymous_access_expiration || DEVTUNNEL_MAX_EXPIRATION);
+  return [
+    'access',
+    'create',
+    tunnelId,
+    '-p', String(options.port || 3456),
+    '--anonymous',
+    '--scopes', 'connect',
+    '-e', expiration,
+    '-j',
+  ];
+}
+
 function caffeinateArgs(options = {}) {
   const parentPid = Number(options.parentPid || process.pid);
   const args = ['-i', '-m'];
@@ -243,6 +319,42 @@ function caffeinateArgs(options = {}) {
   return args;
 }
 
+function isoAfter(timestamp, ms) {
+  const base = Date.parse(timestamp || '');
+  const at = Number.isFinite(base) ? base : Date.now();
+  return new Date(at + ms).toISOString();
+}
+
+function ageMs(timestamp) {
+  const at = Date.parse(timestamp || '');
+  if (!Number.isFinite(at)) return Infinity;
+  return Date.now() - at;
+}
+
+function renewalDueFrom(timestamp, options = {}) {
+  const intervalMs = Number(options.renewalIntervalMs || options.renewal_interval_ms || DEVTUNNEL_RENEWAL_INTERVAL_MS);
+  if (!Number.isFinite(intervalMs) || intervalMs <= 0) return false;
+  return ageMs(timestamp) >= intervalMs;
+}
+
+function microsoftTunnelTunnelRenewalDue(state = {}, options = {}) {
+  if (!state || typeof state !== 'object') return true;
+  return renewalDueFrom(state.last_tunnel_renewed_at || state.tunnel_renewed_at || state.started_at, options);
+}
+
+function microsoftTunnelAccessRenewalDue(state = {}, options = {}) {
+  const mode = normalizeMicrosoftTunnelAccessMode(state.access_mode || state.access?.mode || options.accessMode || options.access_mode);
+  if (mode !== 'ctm_authenticated') return false;
+  return renewalDueFrom(state.last_access_renewed_at || state.access?.renewed_at || state.access?.created_at, options);
+}
+
+function microsoftTunnelRenewalDue(state = {}, options = {}) {
+  return {
+    tunnel: microsoftTunnelTunnelRenewalDue(state, options),
+    access: microsoftTunnelAccessRenewalDue(state, options),
+  };
+}
+
 async function inspectManagedTunnelProcess(state = {}, options = {}) {
   const pid = Number(state && state.pid);
   const pidRunning = pidIsRunning(pid);
@@ -482,31 +594,110 @@ async function annotateWatchdogState(partial, options = {}) {
 
 function managedTunnelAccessSummary(partial = {}, options = {}) {
   const port = Number(options.port || 3456);
+  const mode = normalizeMicrosoftTunnelAccessMode(partial.mode || options.accessMode || options.access_mode);
+  const anonymousConnect = Object.prototype.hasOwnProperty.call(partial, 'anonymous_connect')
+    ? !!partial.anonymous_connect
+    : mode === 'ctm_authenticated';
+  const staleAnonymous = !!partial.stale_anonymous_access
+    || !!partial.has_stale_anonymous_access
+    || (mode === 'private_microsoft' && anonymousConnect && !partial.reset);
+  const error = partial.error || '';
   return {
-    mode: 'private_microsoft',
-    anonymous_connect: false,
+    mode,
+    status: error ? 'error' : (staleAnonymous ? 'stale_anonymous' : mode),
+    anonymous_connect: anonymousConnect,
+    stale_anonymous_access: staleAnonymous,
+    needs_private_reset: staleAnonymous,
     port,
     checked_at: partial.checked_at || new Date().toISOString(),
     already_configured: !!partial.already_configured,
+    created: !!partial.created,
+    renewed: !!partial.renewed,
+    renewed_at: partial.renewed_at || '',
+    expiration: partial.expiration || '',
+    next_renewal_at: partial.next_renewal_at || '',
+    renewal_due: !!partial.renewal_due,
     reset: !!partial.reset,
     anonymous_removed: !!partial.anonymous_removed,
     list_error: partial.list_error || '',
-    error: partial.error || '',
+    error,
   };
 }
 
+function normalizeMicrosoftTunnelAccessMode(value) {
+  const raw = String(value || '').trim().toLowerCase().replace(/[-\s]+/g, '_');
+  if (raw === 'private' || raw === 'microsoft' || raw === 'private_microsoft') return 'private_microsoft';
+  if (raw === 'anonymous' || raw === 'public' || raw === 'ctm_auth' || raw === 'ctm_authenticated') return 'ctm_authenticated';
+  // Default is app-gated (ctm_authenticated): reachable URL + CTM passkey/device
+  // auth. It is the only PWA/WebSocket-compatible mode; private is an opt-in.
+  return 'ctm_authenticated';
+}
+
+// SECURITY / REACHABILITY: the Dev Tunnel default is "ctm_authenticated" — the
+// tunnel transport is reachable by URL, and CTM's own app-layer auth (per-origin
+// passkey + revocable device token + step-up, behind an unguessable random tunnel
+// URL) is the gate. This is the ONLY mode compatible with the phone client, which
+// is a PWA that talks to CTM via fetch() + a WebSocket: Dev Tunnels "private" mode
+// enforces auth by redirecting the *initial request* to an interactive
+// Microsoft/GitHub login page, and programmatic XHR/fetch/WebSocket cannot follow
+// that cross-origin redirect — so private silently bricks remote access.
+//
+// "private_microsoft" therefore is an explicit, deliberate opt-in only. It is
+// honored when it comes from a fresh user selection (input.access_mode), the env
+// (CTM_MS_TUNNEL_ACCESS_MODE), or options.allowPrivateAccess — but NOT when a
+// private value arrives only from restored/persisted state. A persisted private
+// value is treated as stale (it predates this policy) and migrated back to the
+// app-gated default, so the phone keeps working across headless restarts.
+function microsoftTunnelPrivateAccessForced(options = {}) {
+  if (options.allowPrivateAccess === true) return true;
+  const envMode = String(process.env.CTM_MS_TUNNEL_ACCESS_MODE || '').trim();
+  return envMode !== '' && normalizeMicrosoftTunnelAccessMode(envMode) === 'private_microsoft';
+}
+
+function resolveMicrosoftTunnelAccessMode(input = {}, options = {}) {
+  const fromInput = normalizeMicrosoftTunnelAccessMode(input.access_mode || input.accessMode);
+  const inputIsExplicit = !!(input.access_mode || input.accessMode);
+  const requested = inputIsExplicit ? fromInput : normalizeMicrosoftTunnelAccessMode(
+    options.accessMode
+    || options.access_mode
+    || process.env.CTM_MS_TUNNEL_ACCESS_MODE
+  );
+  if (requested === 'private_microsoft') {
+    const deliberate = (inputIsExplicit && fromInput === 'private_microsoft')
+      || microsoftTunnelPrivateAccessForced(options);
+    if (!deliberate) return 'ctm_authenticated';
+  }
+  return requested;
+}
+
 function persistManagedTunnelAccess(tunnelId, access, options = {}) {
   const state = loadManagedTunnelState(options);
   if (!state || normalizeTunnelId(state.tunnel_id || '') !== normalizeTunnelId(tunnelId || '')) return;
+  const renewedAt = access.renewed_at || (access.created ? access.checked_at : '') || '';
   writeManagedTunnelState({
     ...state,
     access_mode: access.mode || 'private_microsoft',
     access,
     last_access_check_at: access.checked_at || new Date().toISOString(),
+    last_access_renewed_at: renewedAt || state.last_access_renewed_at || '',
+    next_access_renewal_at: access.next_renewal_at || (renewedAt ? isoAfter(renewedAt, DEVTUNNEL_RENEWAL_INTERVAL_MS) : state.next_access_renewal_at || ''),
+    access_expiration: access.expiration || state.access_expiration || '',
     access_error: access.error || '',
   }, options);
 }
 
+function persistManagedTunnelRenewal(tunnelId, renewal, options = {}) {
+  const state = loadManagedTunnelState(options);
+  if (!state || normalizeTunnelId(state.tunnel_id || '') !== normalizeTunnelId(tunnelId || '')) return;
+  writeManagedTunnelState({
+    ...state,
+    last_tunnel_renewed_at: renewal.renewed_at || state.last_tunnel_renewed_at || '',
+    next_tunnel_renewal_at: renewal.next_renewal_at || state.next_tunnel_renewal_at || '',
+    tunnel_expiration: renewal.expiration || state.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION,
+    tunnel_renewal_error: renewal.error || '',
+  }, options);
+}
+
 function parseDevTunnelAccessEntries(stdout) {
   const text = String(stdout || '').trim();
   if (!text) return [];
@@ -544,6 +735,47 @@ function hasAnonymousConnectAccess(stdout) {
   return parseDevTunnelAccessEntries(stdout).some(accessEntryAllowsAnonymousConnect);
 }
 
+function anonymousConnectAccessIndices(stdout) {
+  return parseDevTunnelAccessEntries(stdout)
+    .map((entry, index) => (accessEntryAllowsAnonymousConnect(entry) ? index : -1))
+    .filter((index) => index >= 0);
+}
+
+async function inspectMicrosoftTunnelAccess(tunnelId, options = {}) {
+  const id = normalizeTunnelId(tunnelId);
+  const checkedAt = new Date().toISOString();
+  if (!id) {
+    return managedTunnelAccessSummary({
+      checked_at: checkedAt,
+      error: 'Microsoft tunnel id is missing.',
+    }, options);
+  }
+
+  try {
+    const list = await execDevTunnel(devTunnelAccessListArgs(id, options), options);
+    const body = list?.stdout || list?.stderr || '';
+    const hasAnonymous = hasAnonymousConnectAccess(body);
+    const mode = resolveMicrosoftTunnelAccessMode({}, options);
+    const access = managedTunnelAccessSummary({
+      mode,
+      anonymous_connect: hasAnonymous,
+      already_configured: mode === 'ctm_authenticated' ? hasAnonymous : !hasAnonymous,
+      checked_at: checkedAt,
+    }, options);
+    persistManagedTunnelAccess(id, access, options);
+    return access;
+  } catch (err) {
+    const message = String(err?.stderr || err?.message || err || 'Could not list Microsoft tunnel access.').slice(0, 800);
+    const access = managedTunnelAccessSummary({
+      checked_at: checkedAt,
+      list_error: message,
+      error: message,
+    }, options);
+    persistManagedTunnelAccess(id, access, options);
+    return access;
+  }
+}
+
 function normalizeTunnelId(value) {
   const id = String(value || '').trim().toLowerCase();
   return /^[a-z0-9][a-z0-9-]{2,59}$/.test(id) ? id : '';
@@ -559,6 +791,14 @@ function parseDevTunnelUserShow(stdout, stderr) {
   if (/not\s+(logged|signed)\s+in|no\s+user|login\s+required/i.test(text)) {
     return { signed_in: false, account: null, raw: text.slice(0, 800) };
   }
+  if (/(?:github|microsoft|entra|oauth|auth(?:entication)?|token|credential)[^\n]*(?:refresh|expired|invalid|failed|unauthori[sz]ed)|(?:refresh|expired|invalid|failed|unauthori[sz]ed)[^\n]*(?:github|microsoft|entra|oauth|auth(?:entication)?|token|credential)|invalid_grant|interaction_required|AADSTS/i.test(text)) {
+    return {
+      signed_in: false,
+      account: null,
+      raw: text.slice(0, 800),
+      error: text.slice(0, 800),
+    };
+  }
   let parsed = null;
   try { parsed = JSON.parse(text); } catch {}
   if (parsed && typeof parsed === 'object') {
@@ -705,6 +945,60 @@ async function detectLoginStatus(options = {}) {
   }
 }
 
+async function checkMicrosoftDevTunnelLoginStatus(options = {}) {
+  const previous = loadLoginProcessState(options) || {};
+  const checkedAt = new Date().toISOString();
+  const login = await detectLoginStatus(options);
+  const provider = previous.provider || normalizeLoginProvider(options);
+  const signedIn = !!login.signed_in;
+  const account = login.account || null;
+  const nextState = {
+    ...previous,
+    provider,
+    provider_label: previous.provider_label || loginProviderLabel(provider),
+    installed: login.installed !== false,
+    signed_in: signedIn,
+    account,
+    account_display: account && account.display ? String(account.display) : '',
+    login_checked_at: checkedAt,
+    login_check_error: signedIn ? '' : String(login.error || '').slice(0, 800),
+  };
+  if (signedIn) {
+    nextState.running = false;
+    nextState.finished_at = nextState.finished_at || checkedAt;
+    nextState.error = '';
+    nextState.error_code = '';
+    nextState.verified_at = checkedAt;
+  } else if (login.installed === false) {
+    nextState.running = false;
+    nextState.error_code = 'devtunnel_cli_missing';
+    nextState.error = login.error || 'devtunnel CLI is not installed or not on PATH.';
+  }
+  if (previous.signed_in === true && !signedIn && login.installed !== false) {
+    appendManagedTunnelHostEvent({
+      type: 'credential_expired',
+      detail: nextState.login_check_error || `${loginProviderLabel(provider)} sign-in is no longer valid.`,
+    }, options);
+  } else if (previous.signed_in === false && signedIn) {
+    appendManagedTunnelHostEvent({ type: 'signed_in', detail: nextState.account_display || '' }, options);
+  }
+  writeLoginProcessState(nextState, options);
+  const progress = getMicrosoftDevTunnelProgress(options);
+  const setup = options.includeSetup === false
+    ? null
+    : await detectMicrosoftDevTunnelSetup(options).catch(() => null);
+  return {
+    ok: signedIn,
+    signed_in: signedIn,
+    account,
+    login: progress.login,
+    setup,
+    microsoft_dev_tunnel: setup,
+    progress,
+    error: signedIn ? '' : (login.error || 'Dev Tunnels is not signed in yet. Finish the browser sign-in, then check again.'),
+  };
+}
+
 async function detectManagedMicrosoftDevTunnel(options = {}) {
   const state = loadManagedTunnelState(options);
   if (!state) return { configured: false, running: false };
@@ -743,7 +1037,15 @@ async function detectManagedMicrosoftDevTunnel(options = {}) {
     access_mode: state.access_mode || (state.access && state.access.mode) || '',
     access: state.access || null,
     last_access_check_at: state.last_access_check_at || (state.access && state.access.checked_at) || '',
+    last_access_renewed_at: state.last_access_renewed_at || (state.access && state.access.renewed_at) || '',
+    next_access_renewal_at: state.next_access_renewal_at || (state.access && state.access.next_renewal_at) || '',
+    access_expiration: state.access_expiration || (state.access && state.access.expiration) || '',
     access_error: state.access_error || (state.access && state.access.error) || '',
+    last_tunnel_renewed_at: state.last_tunnel_renewed_at || '',
+    next_tunnel_renewal_at: state.next_tunnel_renewal_at || '',
+    tunnel_expiration: state.tunnel_expiration || '',
+    tunnel_renewal_error: state.tunnel_renewal_error || '',
+    host_events: Array.isArray(state.host_events) ? state.host_events : [],
     state_path: managedStatePath(options),
   };
 }
@@ -978,12 +1280,26 @@ async function detectMicrosoftDevTunnelSetup(options = {}) {
   }
 
   const login = await detectLoginStatus(options);
-  const managed = await detectManagedMicrosoftDevTunnel(options);
+  let managed = await detectManagedMicrosoftDevTunnel(options);
+  if (login.signed_in && managed.tunnel_id) {
+    const access = await inspectMicrosoftTunnelAccess(managed.tunnel_id, {
+      ...options,
+      accessMode: managed.access_mode || managed.access?.mode || options.accessMode || options.access_mode,
+    });
+    managed = {
+      ...managed,
+      access,
+      access_mode: access.mode,
+      last_access_check_at: access.checked_at,
+      access_error: access.error || '',
+    };
+  }
   return {
     installed: login.installed !== false,
     available: login.installed !== false && !!login.signed_in,
     signed_in: !!login.signed_in,
     account: login.account || null,
+    login_provider: loginStateProvider(loadLoginProcessState(options) || {}),
     version,
     origin: managed.origin || '',
     mobile_url: managed.mobile_url || '',
@@ -1129,12 +1445,15 @@ function microsoftDevTunnelCommands(options = {}) {
     login: command('devtunnel', ['user', 'login', '-g']),
     device_login: command('devtunnel', ['user', 'login', '-g', '-d']),
     microsoft_device_login: command('devtunnel', ['user', 'login', '-e', '-d']),
+    logout: command('devtunnel', ['user', 'logout']),
     access_private_reset: command('devtunnel', devTunnelPrivateAccessResetArgs('TUNNELID', { port })),
+    access_ctm_authenticated: command('devtunnel', devTunnelAnonymousConnectAccessArgs('TUNNELID', { port })),
+    renew_tunnel: command('devtunnel', devTunnelUpdateArgs('TUNNELID', { port })),
     host_temporary: command('devtunnel', [
       'host',
       '-p', String(port),
       '--protocol', 'http',
-      '--expiration', '30d',
+      '--expiration', DEVTUNNEL_MAX_EXPIRATION,
       '--host-header', 'unchanged',
       '--origin-header', 'unchanged',
     ]),
@@ -1142,7 +1461,7 @@ function microsoftDevTunnelCommands(options = {}) {
       'host',
       '-p', String(port),
       '--protocol', 'http',
-      '--expiration', '30d',
+      '--expiration', DEVTUNNEL_MAX_EXPIRATION,
     ]),
   };
 }
@@ -1204,12 +1523,215 @@ async function ensurePrivateConnectAccess(tunnelId, options = {}) {
   }
 }
 
+async function renewCtmAuthenticatedConnectAccess(tunnelId, accessListBody, options = {}) {
+  const checkedAt = new Date().toISOString();
+  const indices = anonymousConnectAccessIndices(accessListBody);
+  // Delete descending so the CLI's zero-based indices do not shift underneath us.
+  for (const index of indices.slice().sort((a, b) => b - a)) {
+    await execDevTunnel(devTunnelAccessDeleteArgs(tunnelId, index, options), options);
+  }
+  await execDevTunnel(devTunnelAnonymousConnectAccessArgs(tunnelId, options), options);
+  const access = managedTunnelAccessSummary({
+    mode: 'ctm_authenticated',
+    renewed: true,
+    renewed_at: checkedAt,
+    expiration: String(options.anonymousAccessExpiration || options.anonymous_access_expiration || DEVTUNNEL_MAX_EXPIRATION),
+    next_renewal_at: isoAfter(checkedAt, DEVTUNNEL_RENEWAL_INTERVAL_MS),
+    checked_at: checkedAt,
+  }, options);
+  persistManagedTunnelAccess(tunnelId, access, options);
+  return access;
+}
+
+async function ensureCtmAuthenticatedConnectAccess(tunnelId, options = {}) {
+  const checkedAt = new Date().toISOString();
+  const listArgs = devTunnelAccessListArgs(tunnelId, options);
+  let listError = '';
+  let body = '';
+  try {
+    const list = await execDevTunnel(listArgs, options);
+    body = list?.stdout || list?.stderr || '';
+  } catch (err) {
+    listError = String(err?.stderr || err?.message || err || 'Could not list Microsoft tunnel access.').slice(0, 500);
+    // Listing can fail on older CLI builds or transient service errors. Try to
+    // establish the narrow connect-only rule; CTM still owns application auth.
+  }
+  const hasAnonymous = hasAnonymousConnectAccess(body);
+  if (hasAnonymous) {
+    const state = loadManagedTunnelState(options) || {};
+    const renewalDue = options.renewAccess === true || options.renew_access === true || microsoftTunnelAccessRenewalDue(state, options);
+    if (renewalDue) {
+      return await renewCtmAuthenticatedConnectAccess(tunnelId, body, options);
+    }
+    const access = managedTunnelAccessSummary({
+      mode: 'ctm_authenticated',
+      already_configured: true,
+      renewal_due: false,
+      checked_at: checkedAt,
+    }, options);
+    persistManagedTunnelAccess(tunnelId, access, options);
+    return access;
+  }
+
+  try {
+    await execDevTunnel(devTunnelAnonymousConnectAccessArgs(tunnelId, options), options);
+    const access = managedTunnelAccessSummary({
+      mode: 'ctm_authenticated',
+      created: true,
+      renewed_at: checkedAt,
+      expiration: String(options.anonymousAccessExpiration || options.anonymous_access_expiration || DEVTUNNEL_MAX_EXPIRATION),
+      next_renewal_at: isoAfter(checkedAt, DEVTUNNEL_RENEWAL_INTERVAL_MS),
+      list_error: listError,
+      checked_at: checkedAt,
+    }, options);
+    persistManagedTunnelAccess(tunnelId, access, options);
+    return access;
+  } catch (err) {
+    if (ignoreAlreadyExists(err)) {
+      const access = managedTunnelAccessSummary({
+        mode: 'ctm_authenticated',
+        already_configured: true,
+        renewal_due: false,
+        list_error: listError,
+        checked_at: checkedAt,
+      }, options);
+      persistManagedTunnelAccess(tunnelId, access, options);
+      return access;
+    }
+    const message = String(err?.stderr || err?.message || err || 'Could not enable CTM-authenticated Microsoft tunnel access.').slice(0, 800);
+    const access = managedTunnelAccessSummary({
+      mode: 'ctm_authenticated',
+      checked_at: checkedAt,
+      list_error: listError,
+      error: message,
+    }, options);
+    persistManagedTunnelAccess(tunnelId, access, options);
+    throw err;
+  }
+}
+
+async function ensureMicrosoftTunnelConnectAccess(tunnelId, options = {}) {
+  const accessMode = resolveMicrosoftTunnelAccessMode(options.input || {}, options);
+  // Default is the app-gated (ctm_authenticated) anonymous-connect ACE so the
+  // phone PWA + WebSocket can reach CTM; CTM's own passkey/device-token auth is
+  // the gate. Only take the private path when private was a deliberate opt-in
+  // (resolveMicrosoftTunnelAccessMode already migrated stale persisted private
+  // back to ctm_authenticated).
+  if (accessMode === 'private_microsoft') {
+    return ensurePrivateConnectAccess(tunnelId, { ...options, accessMode: 'private_microsoft' });
+  }
+  return ensureCtmAuthenticatedConnectAccess(tunnelId, { ...options, accessMode: 'ctm_authenticated' });
+}
+
+async function resetMicrosoftDevTunnelPrivateAccess(input = {}, options = {}) {
+  // This is the explicit, deliberate "switch to private" action, so it carries the
+  // private opt-in flag — otherwise the follow-up detect/inspect would resolve the
+  // mode without it and migrate the just-set private back to the app-gated default.
+  const mergedOptions = {
+    ...options,
+    accessMode: 'private_microsoft',
+    allowPrivateAccess: true,
+    input: { ...(options.input || {}), ...(input || {}), access_mode: 'private_microsoft' },
+  };
+  const state = loadManagedTunnelState(mergedOptions) || {};
+  const tunnelId = normalizeTunnelId(input.tunnel_id || input.tunnelId || state.tunnel_id || '');
+  if (!tunnelId) {
+    return {
+      ok: false,
+      error_code: 'microsoft_tunnel_missing',
+      error: 'No managed Microsoft Dev Tunnel exists yet.',
+      setup: await detectMicrosoftDevTunnelSetup(mergedOptions).catch(() => null),
+    };
+  }
+  const login = await detectLoginStatus(mergedOptions);
+  if (login.installed === false || !login.signed_in) {
+    return {
+      ok: false,
+      error_code: login.installed === false ? 'devtunnel_cli_missing' : 'microsoft_tunnel_sign_in_required',
+      error: login.installed === false
+        ? 'Microsoft devtunnel CLI is not installed or not on PATH.'
+        : 'Sign in to Microsoft Dev Tunnels on this Mac before resetting tunnel access.',
+      setup: await detectMicrosoftDevTunnelSetup(mergedOptions).catch(() => null),
+    };
+  }
+  try {
+    const access = await ensurePrivateConnectAccess(tunnelId, mergedOptions);
+    const managed = await detectManagedMicrosoftDevTunnel(mergedOptions);
+    return {
+      ok: true,
+      tunnel_id: tunnelId,
+      access,
+      managed_tunnel: { ...managed, access },
+      setup: await detectMicrosoftDevTunnelSetup(mergedOptions),
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      error_code: 'microsoft_tunnel_private_reset_failed',
+      error: String(err?.stderr || err?.message || err || 'Could not reset Microsoft tunnel access to private.').slice(0, 800),
+      setup: await detectMicrosoftDevTunnelSetup(mergedOptions).catch(() => null),
+    };
+  }
+}
+
+async function renewPersistentTunnelExpiration(tunnelId, options = {}) {
+  const checkedAt = new Date().toISOString();
+  try {
+    await execDevTunnel(devTunnelUpdateArgs(tunnelId, options), options);
+    const renewal = {
+      ok: true,
+      renewed: true,
+      renewed_at: checkedAt,
+      expiration: String(options.tunnelExpiration || options.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION),
+      next_renewal_at: isoAfter(checkedAt, DEVTUNNEL_RENEWAL_INTERVAL_MS),
+      error: '',
+    };
+    persistManagedTunnelRenewal(tunnelId, renewal, options);
+    return renewal;
+  } catch (err) {
+    const renewal = {
+      ok: false,
+      renewed: false,
+      checked_at: checkedAt,
+      expiration: String(options.tunnelExpiration || options.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION),
+      error: String(err?.stderr || err?.message || err || 'Could not renew Microsoft tunnel expiration.').slice(0, 800),
+    };
+    persistManagedTunnelRenewal(tunnelId, renewal, options);
+    return renewal;
+  }
+}
+
+function createdTunnelRenewal(options = {}) {
+  const checkedAt = new Date().toISOString();
+  return {
+    ok: true,
+    created: true,
+    renewed: true,
+    renewed_at: checkedAt,
+    expiration: String(options.tunnelExpiration || options.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION),
+    next_renewal_at: isoAfter(checkedAt, DEVTUNNEL_RENEWAL_INTERVAL_MS),
+    error: '',
+  };
+}
+
 async function ensurePersistentTunnel(tunnelId, options = {}) {
+  const previousState = loadManagedTunnelState(options) || {};
+  let created = false;
   try {
-    await execDevTunnel(['create', tunnelId, '--expiration', '30d'], options);
+    await execDevTunnel(['create', tunnelId, '--expiration', String(options.tunnelExpiration || options.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION)], options);
+    created = true;
   } catch (err) {
     if (!ignoreAlreadyExists(err)) throw err;
   }
+  const renewalDue = options.renewTunnel === true || options.renew_tunnel === true || microsoftTunnelTunnelRenewalDue(previousState, options);
+  const tunnelRenewal = created ? createdTunnelRenewal(options) : (renewalDue ? await renewPersistentTunnelExpiration(tunnelId, options) : {
+    ok: true,
+    renewed: false,
+    expiration: previousState.tunnel_expiration || String(options.tunnelExpiration || options.tunnel_expiration || DEVTUNNEL_MAX_EXPIRATION),
+    renewed_at: previousState.last_tunnel_renewed_at || '',
+    next_renewal_at: previousState.next_tunnel_renewal_at || '',
+    error: previousState.tunnel_renewal_error || '',
+  });
   try {
     await execDevTunnel(['port', 'create', tunnelId, '-p', String(options.port || 3456), '--protocol', 'http'], options);
   } catch (err) {
@@ -1221,8 +1743,22 @@ async function ensurePersistentTunnel(tunnelId, options = {}) {
       }
     }
   }
-  const access = await ensurePrivateConnectAccess(tunnelId, options);
-  return { access };
+  // Fault-isolate access configuration from tunnel exposure. A transient
+  // `devtunnel access` failure must NOT abort hosting the tunnel — CTM's app-layer
+  // auth still gates every request, and a missing ACE at worst costs a one-time
+  // sign-in, never a full outage. Surface the error in the access summary instead.
+  let access;
+  try {
+    const accessRenewalDue = options.renewAccess === true || options.renew_access === true || microsoftTunnelAccessRenewalDue(previousState, options);
+    access = await ensureMicrosoftTunnelConnectAccess(tunnelId, { ...options, renewAccess: accessRenewalDue });
+  } catch (err) {
+    access = managedTunnelAccessSummary({
+      mode: resolveMicrosoftTunnelAccessMode(options.input || {}, options),
+      checked_at: new Date().toISOString(),
+      error: String(err?.stderr || err?.message || err || 'tunnel access configuration failed').slice(0, 800),
+    }, options);
+  }
+  return { access, tunnel_renewal: tunnelRenewal };
 }
 
 function waitForHostReady(child, logStreams, options = {}) {
@@ -1309,6 +1845,16 @@ async function startMicrosoftDevTunnelHostAttempt(tunnelId, options = {}) {
     throw hostErr;
   }
   const runCommand = command('devtunnel', args).display;
+  const tunnelRenewal = options.tunnelRenewal || options.tunnel_renewal || {};
+  const lastTunnelRenewedAt = tunnelRenewal.renewed_at || '';
+  const accessRenewedAt = options.access && (options.access.renewed_at || (options.access.created ? options.access.checked_at : '')) || '';
+  const previousEvents = (() => {
+    try {
+      const prev = loadManagedTunnelState(options);
+      return prev && Array.isArray(prev.host_events) ? prev.host_events : [];
+    } catch { return []; }
+  })();
+  const startedAtIso = new Date().toISOString();
   const state = {
     pid: child && child.pid ? child.pid : null,
     tunnel_id: tunnelId,
@@ -1323,16 +1869,25 @@ async function startMicrosoftDevTunnelHostAttempt(tunnelId, options = {}) {
     header_passthrough: hostHeaderMode === HOST_HEADER_MODE_PASSTHROUGH,
     header_passthrough_fallback: !!options.headerPassthroughFallback,
     header_passthrough_fallback_reason: options.headerPassthroughFallbackReason || '',
-    started_at: new Date().toISOString(),
+    started_at: startedAtIso,
     stopped_at: '',
     last_restore_failed_at: '',
     restore_error: '',
+    host_events: [...previousEvents, { at: startedAtIso, type: 'host_started', detail: urls.origin || '' }].slice(-HOST_EVENT_LIMIT),
     access_mode: options.access && options.access.mode || '',
     access: options.access || null,
     last_access_check_at: options.access && options.access.checked_at || '',
+    last_access_renewed_at: accessRenewedAt,
+    next_access_renewal_at: options.access && options.access.next_renewal_at || '',
+    access_expiration: options.access && options.access.expiration || '',
     access_error: options.access && options.access.error || '',
+    last_tunnel_renewed_at: lastTunnelRenewedAt,
+    next_tunnel_renewal_at: tunnelRenewal.next_renewal_at || '',
+    tunnel_expiration: tunnelRenewal.expiration || '',
+    tunnel_renewal_error: tunnelRenewal.error || '',
   };
   writeManagedTunnelState(state, options);
+  watchDevTunnelHostOutput(child, options);
   return { configured: true, running: !!state.pid, started: true, ...state, state_path: managedStatePath(options) };
 }
 
@@ -1366,9 +1921,9 @@ async function applyMicrosoftDevTunnelSetup(input = {}, options = {}) {
   const previous = loadManagedTunnelState(options) || {};
   const previousProcess = previous.pid ? await inspectManagedTunnelProcess(previous, options) : null;
   if (previousProcess && managedTunnelProcessUsable(previousProcess, previous) && previous.origin) {
-    let access = null;
+    let persistent = null;
     try {
-      access = await ensurePrivateConnectAccess(previous.tunnel_id, options);
+      persistent = await ensurePersistentTunnel(previous.tunnel_id, { ...options, input });
     } catch (err) {
       return {
         ok: false,
@@ -1377,6 +1932,7 @@ async function applyMicrosoftDevTunnelSetup(input = {}, options = {}) {
         setup: detected,
       };
     }
+    const access = persistent && persistent.access;
     const managed = await detectManagedMicrosoftDevTunnel(options);
     return {
       ok: true,
@@ -1385,7 +1941,14 @@ async function applyMicrosoftDevTunnelSetup(input = {}, options = {}) {
       origin: managed.origin,
       mobile_url: managed.mobile_url,
       inspect_url: managed.inspect_url,
-      managed_tunnel: { ...managed, access, access_mode: access.mode, last_access_check_at: access.checked_at, access_error: access.error || '' },
+      managed_tunnel: {
+        ...managed,
+        access,
+        access_mode: access.mode,
+        last_access_check_at: access.checked_at,
+        access_error: access.error || '',
+        tunnel_renewal: persistent.tunnel_renewal,
+      },
       traffic: getTrafficInspection(),
     };
   }
@@ -1396,8 +1959,12 @@ async function applyMicrosoftDevTunnelSetup(input = {}, options = {}) {
   const requestedTunnelId = normalizeTunnelId(input.tunnel_id || input.tunnelId || previous.tunnel_id || '');
   const tunnelId = requestedTunnelId || createTunnelId();
   try {
-    const persistent = await ensurePersistentTunnel(tunnelId, options);
-    const managed = await startMicrosoftDevTunnelHost(tunnelId, { ...options, access: persistent.access });
+    const persistent = await ensurePersistentTunnel(tunnelId, { ...options, input });
+    const managed = await startMicrosoftDevTunnelHost(tunnelId, {
+      ...options,
+      access: persistent.access,
+      tunnelRenewal: persistent.tunnel_renewal,
+    });
     return {
       ok: true,
       reused: false,
@@ -1428,16 +1995,31 @@ async function restoreMicrosoftDevTunnelHost(options = {}) {
   if (managed.running && options.forceRestart === true) {
     killProcessTree(state.pid, options);
   } else if (managedTunnelProcessUsable(managed, state)) {
-    let access = managed.access || null;
-    if (options.repairAccess === true) {
-      access = await ensurePrivateConnectAccess(state.tunnel_id, options);
+    const due = microsoftTunnelRenewalDue(state, options);
+    let persistent = null;
+    if (options.repairAccess === true || options.renewTunnel === true || options.renew_tunnel === true || options.renewAccess === true || options.renew_access === true || due.tunnel || due.access) {
+      persistent = await ensurePersistentTunnel(state.tunnel_id, {
+        ...options,
+        accessMode: state.access_mode || state.access?.mode || options.accessMode || options.access_mode,
+        renewTunnel: options.renewTunnel === true || options.renew_tunnel === true || due.tunnel,
+        renewAccess: options.renewAccess === true || options.renew_access === true || due.access,
+      });
     }
     const latest = await detectManagedMicrosoftDevTunnel(options);
     return {
       ok: true,
       restored: false,
       already_running: true,
-      managed_tunnel: access ? { ...latest, access, access_mode: access.mode, last_access_check_at: access.checked_at, access_error: access.error || '' } : latest,
+      managed_tunnel: persistent && persistent.access
+        ? {
+          ...latest,
+          access: persistent.access,
+          access_mode: persistent.access.mode,
+          last_access_check_at: persistent.access.checked_at,
+          access_error: persistent.access.error || '',
+          tunnel_renewal: persistent.tunnel_renewal,
+        }
+        : latest,
     };
   }
   if (managed.running && !managedTunnelProcessUsable(managed, state)) {
@@ -1475,8 +2057,15 @@ async function restoreMicrosoftDevTunnelHost(options = {}) {
   }
 
   try {
-    const persistent = await ensurePersistentTunnel(tunnelId, options);
-    const restored = await startMicrosoftDevTunnelHost(tunnelId, { ...options, access: persistent.access });
+    const persistent = await ensurePersistentTunnel(tunnelId, {
+      ...options,
+      accessMode: state.access_mode || state.access?.mode || options.accessMode || options.access_mode,
+    });
+    const restored = await startMicrosoftDevTunnelHost(tunnelId, {
+      ...options,
+      access: persistent.access,
+      tunnelRenewal: persistent.tunnel_renewal,
+    });
     return { ok: true, restored: true, managed_tunnel: restored };
   } catch (err) {
     const nextState = {
@@ -1521,11 +2110,25 @@ async function checkMicrosoftDevTunnelAvailability(options = {}) {
   await annotateWatchdogState({ last_watchdog_check_at: checkedAt, watchdog_error: '' }, options);
   if (managedTunnelProcessUsable(before, state)) {
     let managed = before;
-    if (options.repairAccess === true) {
+    const due = microsoftTunnelRenewalDue(state, options);
+    if (options.repairAccess === true || options.renewTunnel === true || options.renew_tunnel === true || options.renewAccess === true || options.renew_access === true || due.tunnel || due.access) {
       try {
-        const access = await ensurePrivateConnectAccess(state.tunnel_id, options);
+        const persistent = await ensurePersistentTunnel(state.tunnel_id, {
+          ...options,
+          accessMode: state.access_mode || state.access?.mode || options.accessMode || options.access_mode,
+          renewTunnel: options.renewTunnel === true || options.renew_tunnel === true || due.tunnel,
+          renewAccess: options.renewAccess === true || options.renew_access === true || due.access,
+        });
         const latest = await detectManagedMicrosoftDevTunnel(options);
-        managed = { ...latest, access, access_mode: access.mode, last_access_check_at: access.checked_at, access_error: access.error || '' };
+        const access = persistent.access;
+        managed = {
+          ...latest,
+          access,
+          access_mode: access.mode,
+          last_access_check_at: access.checked_at,
+          access_error: access.error || '',
+          tunnel_renewal: persistent.tunnel_renewal,
+        };
       } catch (err) {
         const error = String(err?.stderr || err?.message || err || 'Microsoft tunnel access repair failed.').slice(0, 800);
         await annotateWatchdogState({ last_watchdog_check_at: checkedAt, watchdog_error: error, access_error: error }, options);
@@ -1557,6 +2160,20 @@ async function checkMicrosoftDevTunnelAvailability(options = {}) {
         };
       }
       if (probe.blocked_by_tunnel_auth) {
+        if (managed.access?.mode === 'ctm_authenticated') {
+          const error = probe.message || 'Microsoft Dev Tunnels is still requiring provider sign-in even though CTM-authenticated tunnel access is configured.';
+          await annotateWatchdogState({ last_watchdog_check_at: checkedAt, watchdog_error: error }, options);
+          return {
+            ok: false,
+            checked: true,
+            recovered: false,
+            reason: 'unexpected_tunnel_auth_gate',
+            error,
+            public_probe: probe,
+            keep_awake: await getMicrosoftDevTunnelKeepAwakeStatus(options),
+            managed_tunnel: managed,
+          };
+        }
         await annotateWatchdogState({ last_watchdog_check_at: checkedAt, watchdog_error: '' }, options);
         return {
           ok: true,
@@ -1704,6 +2321,90 @@ function loginStateIsReusable(state, provider, options = {}) {
   return now - started < Number(options.loginReuseMs || LOGIN_REUSE_MS);
 }
 
+async function logoutMicrosoftDevTunnelUser(options = {}) {
+  const previous = loadLoginProcessState(options);
+  if (previous && previous.running && pidIsRunning(previous.pid)) {
+    stopLoginProcessState(previous, options);
+  }
+
+  const execFile = options.execFile || defaultExecFile;
+  const args = ['user', 'logout'];
+  // Keep the provider the user last signed in with so the next sign-in (and the
+  // one-click Reconnect action) defaults to the same account type.
+  const previousProvider = loginStateProvider(previous || {});
+  const baseState = {
+    ...(previous || {}),
+    running: false,
+    pid: null,
+    provider: previousProvider,
+    provider_label: loginProviderLabel(previousProvider),
+    command: command('devtunnel', args).display,
+    login_url: '',
+    device_code: '',
+    error: '',
+    error_code: '',
+    signed_out_at: new Date().toISOString(),
+  };
+  try {
+    const result = await execFile('devtunnel', args, {
+      encoding: 'utf8',
+      timeout: options.commandTimeoutMs || 15000,
+      maxBuffer: 512 * 1024,
+    });
+    const stoppedTunnel = options.stopTunnel === false ? null : await stopMicrosoftDevTunnel(options).catch((err) => ({
+      ok: false,
+      error: String(err?.message || err || 'Could not stop existing Microsoft tunnel').slice(0, 800),
+    }));
+    const nextState = {
+      ...baseState,
+      stdout: String(result?.stdout || '').trim().slice(0, 800),
+      stderr: String(result?.stderr || '').trim().slice(0, 800),
+    };
+    writeLoginProcessState(nextState, options);
+    return {
+      ok: true,
+      already_signed_out: false,
+      stopped_tunnel: stoppedTunnel,
+      logout: { ...nextState, state_path: loginStatePath(options) },
+      setup: await detectMicrosoftDevTunnelSetup(options),
+      progress: getMicrosoftDevTunnelProgress(options),
+    };
+  } catch (err) {
+    const text = String(`${err?.stdout || ''}\n${err?.stderr || ''}\n${err?.message || ''}`);
+    const alreadySignedOut = /not\s+(?:logged|signed)\s+in|no\s+user|login\s+required/i.test(text);
+    const nextState = {
+      ...baseState,
+      already_signed_out: alreadySignedOut,
+      error_code: alreadySignedOut ? '' : (err?.code === 'ENOENT' ? 'devtunnel_cli_missing' : 'devtunnel_logout_failed'),
+      error: alreadySignedOut ? '' : text.trim().slice(0, 800),
+    };
+    writeLoginProcessState(nextState, options);
+    if (alreadySignedOut) {
+      const stoppedTunnel = options.stopTunnel === false ? null : await stopMicrosoftDevTunnel(options).catch((stopErr) => ({
+        ok: false,
+        error: String(stopErr?.message || stopErr || 'Could not stop existing Microsoft tunnel').slice(0, 800),
+      }));
+      return {
+        ok: true,
+        already_signed_out: true,
+        stopped_tunnel: stoppedTunnel,
+        logout: { ...nextState, state_path: loginStatePath(options) },
+        setup: await detectMicrosoftDevTunnelSetup(options),
+        progress: getMicrosoftDevTunnelProgress(options),
+      };
+    }
+    return {
+      ok: false,
+      already_signed_out: false,
+      error_code: nextState.error_code,
+      error: nextState.error || 'Microsoft Dev Tunnels sign-out failed.',
+      logout: { ...nextState, state_path: loginStatePath(options) },
+      setup: await detectMicrosoftDevTunnelSetup(options).catch(() => null),
+      progress: getMicrosoftDevTunnelProgress(options),
+    };
+  }
+}
+
 function startMicrosoftDevTunnelLogin(input = {}, options = {}) {
   const fsImpl = options.fs || fs;
   fsImpl.mkdirSync(setupDir(options), { recursive: true, mode: 0o700 });
@@ -1711,9 +2412,15 @@ function startMicrosoftDevTunnelLogin(input = {}, options = {}) {
   fsImpl.mkdirSync(logDir, { recursive: true, mode: 0o700 });
   const logPath = path.join(logDir, 'devtunnel-login.log');
   const errorLogPath = path.join(logDir, 'devtunnel-login.err');
-  const provider = normalizeLoginProvider(input);
+  // No explicit provider (e.g. the one-click Reconnect health action) → stick to
+  // the last-used provider instead of silently switching account types.
+  const requestedProvider = String(input.provider || '').trim() || (input.github === true ? 'github' : '');
+  const provider = requestedProvider
+    ? normalizeLoginProvider({ provider: requestedProvider })
+    : loginStateProvider(loadLoginProcessState(options) || {});
+  const forceNew = input.force_new === true || input.forceNew === true || input.regenerate === true;
   const previous = loadLoginProcessState(options);
-  if (loginStateIsReusable(previous, provider, options)) {
+  if (!forceNew && loginStateIsReusable(previous, provider, options)) {
     const login = processProgressFromState(previous, options);
     return {
       ok: true,
@@ -1777,6 +2484,11 @@ function startMicrosoftDevTunnelLogin(input = {}, options = {}) {
     update({ running: false, exit_code: code, signal: signal || '', finished_at: new Date().toISOString() });
     try { if (out) out.end(); } catch {}
     try { if (err) err.end(); } catch {}
+    if (code === 0) {
+      checkMicrosoftDevTunnelLoginStatus({ ...options, includeSetup: false }).catch((loginErr) => {
+        update({ login_check_error: String(loginErr?.message || loginErr || 'Could not verify Dev Tunnels sign-in').slice(0, 800) });
+      });
+    }
   });
   return {
     ok: true,
@@ -1786,8 +2498,11 @@ function startMicrosoftDevTunnelLogin(input = {}, options = {}) {
 }
 
 module.exports = {
+  appendManagedTunnelHostEvent,
   applyMicrosoftDevTunnelSetup,
   checkMicrosoftDevTunnelAvailability,
+  checkMicrosoftDevTunnelLoginStatus,
+  classifyDevTunnelHostEventText,
   clearMicrosoftDevTunnelTraffic,
   command,
   detectManagedMicrosoftDevTunnel,
@@ -1798,15 +2513,23 @@ module.exports = {
   getMicrosoftDevTunnelProgress,
   getTrafficInspection,
   installMicrosoftDevTunnelCli,
+  inspectMicrosoftTunnelAccess,
   inspectKeepAwakeProcess,
   startMicrosoftDevTunnelInstall,
   inspectManagedTunnelProcess,
   loadKeepAwakeState,
   loadManagedTunnelState,
   loadLoginProcessState,
+  loginProviderArgs,
+  loginProviderLabel,
+  loginStateProvider,
+  logoutMicrosoftDevTunnelUser,
   managedTunnelDesiredRunning,
   microsoftDevTunnelCommands,
+  microsoftTunnelPrivateAccessForced,
+  normalizeMicrosoftTunnelAccessMode,
   normalizeTunnelId,
+  resolveMicrosoftTunnelAccessMode,
   parseDevTunnelAccessEntries,
   parseDevTunnelUrls,
   parseDevTunnelLoginHints,
@@ -1815,6 +2538,7 @@ module.exports = {
   pidIsRunning,
   probeMicrosoftDevTunnelPublicAccess,
   recordMicrosoftDevTunnelTraffic,
+  resetMicrosoftDevTunnelPrivateAccess,
   restoreMicrosoftDevTunnelHost,
   sanitizeRequestPath,
   setMicrosoftDevTunnelKeepAwake,