openclaw-cloudflare 0.2.1 → 0.3.0

package/src/tunnel/cloudflared.test.ts

@@ -1,324 +0,0 @@
-import type { ChildProcess } from "node:child_process";
-import type { Readable } from "node:stream";
-import { afterEach, describe, expect, it, vi, beforeEach } from "vitest";
-
-// Mock spawn and execFile (promisified via util.promisify)
-const spawnMock = vi.fn();
-const execFileMock = vi.fn();
-vi.mock("node:child_process", () => ({
-  execFile: (...args: unknown[]) => execFileMock(...args),
-  spawn: (...args: unknown[]) => spawnMock(...args),
-}));
-
-// Mock existsSync
-const existsSyncMock = vi.fn<(p: string) => boolean>(() => true);
-vi.mock("node:fs", () => ({
-  existsSync: (p: string) => existsSyncMock(p),
-}));
-
-// Mock fs/promises
-const mkdirMock = vi.fn().mockResolvedValue(undefined);
-const writeFileMock = vi.fn().mockResolvedValue(undefined);
-const chmodMock = vi.fn().mockResolvedValue(undefined);
-const unlinkMock = vi.fn().mockResolvedValue(undefined);
-vi.mock("node:fs/promises", () => ({
-  mkdir: (...args: unknown[]) => mkdirMock(...args),
-  writeFile: (...args: unknown[]) => writeFileMock(...args),
-  chmod: (...args: unknown[]) => chmodMock(...args),
-  unlink: (...args: unknown[]) => unlinkMock(...args),
-}));
-
-// Mock os.homedir
-const homedirMock = vi.fn(() => "/home/testuser");
-vi.mock("node:os", () => ({
-  default: { homedir: () => homedirMock() },
-  homedir: () => homedirMock(),
-}));
-
-// Shared exec mock for findCloudflaredBinary
-const execMock = vi.fn();
-
-describe("findCloudflaredBinary", () => {
-  beforeEach(() => {
-    vi.resetModules();
-    vi.restoreAllMocks();
-    delete process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY;
-  });
-
-  it("returns environment override when set", async () => {
-    process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY = "/custom/cloudflared";
-    const { findCloudflaredBinary } = await import("./cloudflared.js");
-    const result = await findCloudflaredBinary(execMock);
-    expect(result).toBe("/custom/cloudflared");
-  });
-
-  it("finds cloudflared via which", async () => {
-    execMock.mockImplementation((cmd: string, _args: string[]) => {
-      if (cmd === "which") {
-        return Promise.resolve({ stdout: "/usr/local/bin/cloudflared\n", stderr: "" });
-      }
-      // --version check
-      return Promise.resolve({ stdout: "cloudflared version 2024.1.0\n", stderr: "" });
-    });
-    existsSyncMock.mockReturnValue(true);
-
-    const { findCloudflaredBinary } = await import("./cloudflared.js");
-    const result = await findCloudflaredBinary(execMock);
-    expect(result).toBe("/usr/local/bin/cloudflared");
-  });
-
-  it("falls back to known paths when which fails", async () => {
-    execMock.mockImplementation((cmd: string, _args: string[]) => {
-      if (cmd === "which") {
-        return Promise.reject(new Error("not found"));
-      }
-      // --version check for known path
-      return Promise.resolve({ stdout: "cloudflared version 2024.1.0\n", stderr: "" });
-    });
-    existsSyncMock.mockImplementation((p: string) => p === "/usr/local/bin/cloudflared");
-
-    const { findCloudflaredBinary } = await import("./cloudflared.js");
-    const result = await findCloudflaredBinary(execMock);
-    expect(result).toBe("/usr/local/bin/cloudflared");
-  });
-
-  it("returns null when binary is not found", async () => {
-    execMock.mockRejectedValue(new Error("not found"));
-    existsSyncMock.mockReturnValue(false);
-
-    const { findCloudflaredBinary } = await import("./cloudflared.js");
-    const result = await findCloudflaredBinary(execMock);
-    expect(result).toBeNull();
-  });
-
-  it("finds cloudflared in ~/.openclaw/bin", async () => {
-    const openclawBinPath = "/home/testuser/.openclaw/bin/cloudflared";
-    execMock.mockImplementation((cmd: string, _args: string[]) => {
-      if (cmd === "which") {
-        return Promise.reject(new Error("not found"));
-      }
-      return Promise.resolve({ stdout: "cloudflared version 2024.1.0\n", stderr: "" });
-    });
-    existsSyncMock.mockImplementation((p: string) => p === openclawBinPath);
-
-    const { findCloudflaredBinary } = await import("./cloudflared.js");
-    const result = await findCloudflaredBinary(execMock);
-    expect(result).toBe(openclawBinPath);
-  });
-});
-
-describe("installCloudflared", () => {
-  const originalPlatform = process.platform;
-  const originalArch = process.arch;
-
-  beforeEach(() => {
-    vi.resetModules();
-    vi.restoreAllMocks();
-    mkdirMock.mockResolvedValue(undefined);
-    writeFileMock.mockResolvedValue(undefined);
-    chmodMock.mockResolvedValue(undefined);
-    unlinkMock.mockResolvedValue(undefined);
-    homedirMock.mockReturnValue("/home/testuser");
-  });
-
-  afterEach(() => {
-    Object.defineProperty(process, "platform", { value: originalPlatform });
-    Object.defineProperty(process, "arch", { value: originalArch });
-  });
-
-  it("downloads and installs linux binary", async () => {
-    Object.defineProperty(process, "platform", { value: "linux" });
-    Object.defineProperty(process, "arch", { value: "x64" });
-
-    const binaryData = new Uint8Array([1, 2, 3]);
-    const fetchMock = vi.fn().mockResolvedValue({
-      ok: true,
-      arrayBuffer: () => Promise.resolve(binaryData.buffer),
-    });
-    vi.stubGlobal("fetch", fetchMock);
-
-    const { installCloudflared } = await import("./cloudflared.js");
-    const logger = { info: vi.fn() };
-    const result = await installCloudflared(logger);
-
-    expect(result).toBe("/home/testuser/.openclaw/bin/cloudflared");
-    expect(fetchMock).toHaveBeenCalledWith(
-      "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64",
-      { redirect: "follow" },
-    );
-    expect(mkdirMock).toHaveBeenCalledWith("/home/testuser/.openclaw/bin", { recursive: true });
-    expect(writeFileMock).toHaveBeenCalledWith(
-      "/home/testuser/.openclaw/bin/cloudflared",
-      expect.any(Uint8Array),
-    );
-    expect(chmodMock).toHaveBeenCalledWith("/home/testuser/.openclaw/bin/cloudflared", 0o755);
-    expect(logger.info).toHaveBeenCalledTimes(2);
-
-    vi.unstubAllGlobals();
-  });
-
-  it("downloads and extracts macOS tgz", async () => {
-    Object.defineProperty(process, "platform", { value: "darwin" });
-    Object.defineProperty(process, "arch", { value: "arm64" });
-
-    // Make execFile (used by promisify) call the callback immediately.
-    // promisify looks for the last function argument as the callback.
-    execFileMock.mockImplementation((...args: unknown[]) => {
-      const cb = args[args.length - 1];
-      if (typeof cb === "function") (cb as (err: Error | null, stdout: string, stderr: string) => void)(null, "", "");
-    });
-
-    const binaryData = new Uint8Array([1, 2, 3]);
-    const fetchMock = vi.fn().mockResolvedValue({
-      ok: true,
-      arrayBuffer: () => Promise.resolve(binaryData.buffer),
-    });
-    vi.stubGlobal("fetch", fetchMock);
-
-    const { installCloudflared } = await import("./cloudflared.js");
-    const logger = { info: vi.fn() };
-    const result = await installCloudflared(logger);
-
-    expect(result).toBe("/home/testuser/.openclaw/bin/cloudflared");
-    expect(fetchMock).toHaveBeenCalledWith(
-      "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-darwin-arm64.tgz",
-      { redirect: "follow" },
-    );
-    // tgz should be written, tar extracted, then tgz deleted
-    expect(writeFileMock).toHaveBeenCalledWith(
-      "/home/testuser/.openclaw/bin/cloudflared.tgz",
-      expect.any(Uint8Array),
-    );
-    expect(unlinkMock).toHaveBeenCalledWith("/home/testuser/.openclaw/bin/cloudflared.tgz");
-    expect(chmodMock).toHaveBeenCalledWith("/home/testuser/.openclaw/bin/cloudflared", 0o755);
-
-    vi.unstubAllGlobals();
-  });
-
-  it("throws on unsupported platform", async () => {
-    Object.defineProperty(process, "platform", { value: "win32" });
-    Object.defineProperty(process, "arch", { value: "x64" });
-
-    const { installCloudflared } = await import("./cloudflared.js");
-    await expect(installCloudflared()).rejects.toThrow(/Unsupported platform/);
-  });
-
-  it("throws on download failure", async () => {
-    Object.defineProperty(process, "platform", { value: "linux" });
-    Object.defineProperty(process, "arch", { value: "x64" });
-
-    const fetchMock = vi.fn().mockResolvedValue({
-      ok: false,
-      status: 404,
-    });
-    vi.stubGlobal("fetch", fetchMock);
-
-    const { installCloudflared } = await import("./cloudflared.js");
-    await expect(installCloudflared()).rejects.toThrow(/Failed to download cloudflared: HTTP 404/);
-
-    vi.unstubAllGlobals();
-  });
-});
-
-describe("startCloudflaredTunnel", () => {
-  beforeEach(() => {
-    vi.resetModules();
-    vi.restoreAllMocks();
-    delete process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY;
-  });
-
-  function createMockProcess(): ChildProcess & {
-    _emit: (event: string, ...args: unknown[]) => void;
-    _emitStderr: (data: string) => void;
-  } {
-    const events: Record<string, Array<(...args: unknown[]) => void>> = {};
-    const stdoutEvents: Record<string, Array<(...args: unknown[]) => void>> = {};
-    const stderrEvents: Record<string, Array<(...args: unknown[]) => void>> = {};
-
-    const mockStdout = {
-      setEncoding: vi.fn(),
-      on: vi.fn((event: string, cb: (...args: unknown[]) => void) => {
-        stdoutEvents[event] = stdoutEvents[event] ?? [];
-        stdoutEvents[event].push(cb);
-      }),
-    };
-    const mockStderr = {
-      setEncoding: vi.fn(),
-      on: vi.fn((event: string, cb: (...args: unknown[]) => void) => {
-        stderrEvents[event] = stderrEvents[event] ?? [];
-        stderrEvents[event].push(cb);
-      }),
-    };
-
-    return {
-      pid: 12345,
-      killed: false,
-      stdout: mockStdout as unknown as Readable,
-      stderr: mockStderr as unknown as Readable,
-      kill: vi.fn(),
-      on: vi.fn((event: string, cb: (...args: unknown[]) => void) => {
-        events[event] = events[event] ?? [];
-        events[event].push(cb);
-      }),
-      once: vi.fn((event: string, cb: (...args: unknown[]) => void) => {
-        events[event] = events[event] ?? [];
-        events[event].push(cb);
-      }),
-      _emit: (event: string, ...args: unknown[]) => {
-        for (const cb of events[event] ?? []) {
-          cb(...args);
-        }
-      },
-      _emitStderr: (data: string) => {
-        for (const cb of stderrEvents.data ?? []) {
-          cb(data);
-        }
-      },
-    } as unknown as ChildProcess & {
-      _emit: (event: string, ...args: unknown[]) => void;
-      _emitStderr: (data: string) => void;
-    };
-  }
-
-  it("starts tunnel and parses connector ID", async () => {
-    const mockChild = createMockProcess();
-
-    spawnMock.mockReturnValue(mockChild);
-    process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY = "/usr/local/bin/cloudflared";
-
-    const { startCloudflaredTunnel } = await import("./cloudflared.js");
-
-    const tunnelPromise = startCloudflaredTunnel({
-      token: "test-token",
-      timeoutMs: 5000,
-    });
-
-    // Simulate cloudflared registering a connection
-    await new Promise((r) => setTimeout(r, 50));
-    mockChild._emitStderr("INF Registered tunnel connection connectorID=abc123-def456");
-
-    const tunnel = await tunnelPromise;
-    expect(tunnel.connectorId).toBe("abc123-def456");
-    expect(tunnel.pid).toBe(12345);
-    expect(typeof tunnel.stop).toBe("function");
-  });
-
-  it("throws when tunnel exits before registering", async () => {
-    const mockChild = createMockProcess();
-
-    spawnMock.mockReturnValue(mockChild);
-    process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY = "/usr/local/bin/cloudflared";
-
-    const { startCloudflaredTunnel } = await import("./cloudflared.js");
-
-    const tunnelPromise = startCloudflaredTunnel({
-      token: "bad-token",
-      timeoutMs: 5000,
-    });
-
-    await new Promise((r) => setTimeout(r, 50));
-    mockChild._emit("exit", 1, null);
-
-    await expect(tunnelPromise).rejects.toThrow(/cloudflared exited/);
-  });
-});

package/src/tunnel/cloudflared.ts

@@ -1,273 +0,0 @@
-import { execFile, spawn, type ChildProcess } from "node:child_process";
-import { existsSync } from "node:fs";
-import { chmod, mkdir, unlink, writeFile } from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { promisify } from "node:util";
-
-const execFilePromise = promisify(execFile);
-
-type ExecResult = { stdout: string; stderr: string };
-type ExecFn = (cmd: string, args: string[], opts?: { timeoutMs?: number }) => Promise<ExecResult>;
-
-/** Simple execFile wrapper to avoid depending on openclaw core's runExec. */
-function defaultExec(cmd: string, args: string[], opts?: { timeoutMs?: number }): Promise<ExecResult> {
-  return new Promise((resolve, reject) => {
-    execFile(cmd, args, { timeout: opts?.timeoutMs ?? 5000 }, (err, stdout, stderr) => {
-      if (err) {
-        reject(err);
-      } else {
-        resolve({ stdout, stderr });
-      }
-    });
-  });
-}
-
-/**
- * Locate the cloudflared binary using multiple strategies:
- * 1. Environment override (for testing)
- * 2. PATH lookup (via `which`)
- * 3. Known install paths
- */
-export async function findCloudflaredBinary(
-  exec: ExecFn = defaultExec,
-): Promise<string | null> {
-  const forced = process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY?.trim();
-  if (forced) {
-    return forced;
-  }
-
-  const checkBinary = async (path: string): Promise<boolean> => {
-    if (!path || !existsSync(path)) {
-      return false;
-    }
-    try {
-      await exec(path, ["--version"], { timeoutMs: 3000 });
-      return true;
-    } catch {
-      return false;
-    }
-  };
-
-  // Strategy 1: which command
-  try {
-    const { stdout } = await exec("which", ["cloudflared"]);
-    const fromPath = stdout.trim();
-    if (fromPath && (await checkBinary(fromPath))) {
-      return fromPath;
-    }
-  } catch {
-    // which failed, continue
-  }
-
-  // Strategy 2: Known install paths
-  const knownPaths = [
-    path.join(os.homedir(), ".openclaw", "bin", "cloudflared"),
-    "/usr/local/bin/cloudflared",
-    "/usr/bin/cloudflared",
-    "/opt/homebrew/bin/cloudflared",
-  ];
-  for (const candidate of knownPaths) {
-    if (await checkBinary(candidate)) {
-      return candidate;
-    }
-  }
-
-  return null;
-}
-
-/**
- * Download and install the cloudflared binary from GitHub releases to ~/.openclaw/bin/.
- */
-export async function installCloudflared(logger?: {
-  info: (msg: string) => void;
-}): Promise<string> {
-  const platform = process.platform;
-  const arch = process.arch;
-
-  const archMap: Record<string, string> = {
-    x64: "amd64",
-    arm64: "arm64",
-    arm: "arm",
-    ia32: "386",
-  };
-  const cfArch = archMap[arch];
-  if (!cfArch) throw new Error(`Unsupported architecture: ${arch}`);
-
-  let filename: string;
-  if (platform === "linux") {
-    filename = `cloudflared-linux-${cfArch}`;
-  } else if (platform === "darwin") {
-    filename = `cloudflared-darwin-${cfArch}.tgz`;
-  } else {
-    throw new Error(`Unsupported platform for auto-install: ${platform}`);
-  }
-
-  const url = `https://github.com/cloudflare/cloudflared/releases/latest/download/${filename}`;
-
-  const installDir = path.join(os.homedir(), ".openclaw", "bin");
-  await mkdir(installDir, { recursive: true });
-  const installPath = path.join(installDir, "cloudflared");
-
-  logger?.info(`cloudflared not found, downloading from ${url}...`);
-
-  const res = await fetch(url, { redirect: "follow" });
-  if (!res.ok) throw new Error(`Failed to download cloudflared: HTTP ${res.status}`);
-  const data = new Uint8Array(await res.arrayBuffer());
-
-  if (platform === "darwin") {
-    const tgzPath = installPath + ".tgz";
-    await writeFile(tgzPath, data);
-    await execFilePromise("tar", ["-xzf", tgzPath, "-C", installDir]);
-    await unlink(tgzPath);
-  } else {
-    await writeFile(installPath, data);
-  }
-
-  await chmod(installPath, 0o755);
-  logger?.info(`cloudflared installed to ${installPath}`);
-  return installPath;
-}
-
-let cachedCloudflaredBinary: string | null = null;
-
-export async function getCloudflaredBinary(exec: ExecFn = defaultExec): Promise<string> {
-  const forced = process.env.OPENCLAW_TEST_CLOUDFLARED_BINARY?.trim();
-  if (forced) {
-    cachedCloudflaredBinary = forced;
-    return forced;
-  }
-  if (cachedCloudflaredBinary) {
-    return cachedCloudflaredBinary;
-  }
-  cachedCloudflaredBinary = await findCloudflaredBinary(exec);
-  return cachedCloudflaredBinary ?? "cloudflared";
-}
-
-export type CloudflaredTunnel = {
-  /** Connector ID parsed from cloudflared output, if available. */
-  connectorId: string | null;
-  pid: number | null;
-  stderr: string[];
-  stop: () => Promise<void>;
-};
-
-/**
- * Start a cloudflared tunnel process using a pre-configured tunnel token.
- *
- * The token encodes the tunnel UUID, account tag, and tunnel secret — cloudflared
- * connects to the Cloudflare edge and routes traffic to the local origin.
- */
-export async function startCloudflaredTunnel(opts: {
-  token: string;
-  timeoutMs?: number;
-  exec?: ExecFn;
-  logger?: { info: (msg: string) => void };
-}): Promise<CloudflaredTunnel> {
-  const exec = opts.exec ?? defaultExec;
-  let bin = await findCloudflaredBinary(exec);
-  if (!bin) {
-    bin = await installCloudflared(opts.logger);
-  }
-  const timeoutMs = opts.timeoutMs ?? 30_000;
-  const stderr: string[] = [];
-
-  // Pass the token via TUNNEL_TOKEN env var rather than --token CLI arg
-  // to avoid leaking the secret in `ps` output.
-  const args = ["tunnel", "run"];
-  const child: ChildProcess = spawn(bin, args, {
-    stdio: ["ignore", "pipe", "pipe"],
-    env: { ...process.env, TUNNEL_TOKEN: opts.token },
-  });
-
-  child.stdout?.setEncoding("utf8");
-  child.stderr?.setEncoding("utf8");
-
-  let connectorId: string | null = null;
-
-  const collectOutput = (stream: NodeJS.ReadableStream | null) => {
-    stream?.on("data", (chunk: string) => {
-      const lines = String(chunk)
-        .split("\n")
-        .map((l) => l.trim())
-        .filter(Boolean);
-      stderr.push(...lines);
-
-      // Parse connector ID from cloudflared output
-      for (const line of lines) {
-        const match = line.match(/Registered tunnel connection\s+connectorID=([a-f0-9-]+)/i);
-        if (match) {
-          connectorId = match[1];
-        }
-      }
-    });
-  };
-
-  collectOutput(child.stdout);
-  collectOutput(child.stderr);
-
-  const stop = async () => {
-    if (child.killed) {
-      return;
-    }
-    child.kill("SIGTERM");
-    await new Promise<void>((resolve) => {
-      const t = setTimeout(() => {
-        try {
-          child.kill("SIGKILL");
-        } finally {
-          resolve();
-        }
-      }, 1500);
-      child.once("exit", () => {
-        clearTimeout(t);
-        resolve();
-      });
-    });
-  };
-
-  // Wait for the tunnel to register at least one connection, or timeout.
-  let timeoutHandle: ReturnType<typeof setTimeout> | undefined;
-  try {
-    await Promise.race([
-      new Promise<void>((resolve) => {
-        const check = setInterval(() => {
-          if (connectorId) {
-            clearInterval(check);
-            resolve();
-          }
-        }, 100);
-        // Clean up interval on process exit
-        child.once("exit", () => clearInterval(check));
-      }),
-      new Promise<void>((_, reject) => {
-        timeoutHandle = setTimeout(
-          () => reject(new Error("cloudflared tunnel did not register within timeout")),
-          timeoutMs,
-        );
-      }),
-      new Promise<void>((_, reject) => {
-        child.once("exit", (code, signal) => {
-          reject(
-            new Error(
-              `cloudflared exited before tunnel registered (${code ?? "null"}${signal ? `/${signal}` : ""})`,
-            ),
-          );
-        });
-      }),
-    ]);
-  } catch (err) {
-    await stop();
-    const suffix = stderr.length > 0 ? `\n${stderr.join("\n")}` : "";
-    throw new Error(`${err instanceof Error ? err.message : String(err)}${suffix}`, { cause: err });
-  } finally {
-    clearTimeout(timeoutHandle);
-  }
-
-  return {
-    connectorId,
-    pid: typeof child.pid === "number" ? child.pid : null,
-    stderr,
-    stop,
-  };
-}

package/src/tunnel/exposure.test.ts

@@ -1,113 +0,0 @@
-import { describe, expect, it, vi, beforeEach } from "vitest";
-
-const startCloudflaredTunnelMock = vi.fn();
-vi.mock("./cloudflared.js", () => ({
-  startCloudflaredTunnel: (...args: unknown[]) => startCloudflaredTunnelMock(...args),
-}));
-
-function createMockLogger() {
-  return {
-    info: vi.fn(),
-    warn: vi.fn(),
-    error: vi.fn(),
-  };
-}
-
-describe("startGatewayCloudflareExposure", () => {
-  beforeEach(() => {
-    vi.resetModules();
-    vi.restoreAllMocks();
-    startCloudflaredTunnelMock.mockReset();
-  });
-
-  it("returns null when mode is off", async () => {
-    const { startGatewayCloudflareExposure } = await import("./exposure.js");
-    const log = createMockLogger();
-
-    const result = await startGatewayCloudflareExposure({
-      cloudflareMode: "off",
-      logCloudflare: log,
-    });
-
-    expect(result).toBeNull();
-    expect(log.info).not.toHaveBeenCalled();
-    expect(log.error).not.toHaveBeenCalled();
-  });
-
-  it("returns null and logs info in access-only mode", async () => {
-    const { startGatewayCloudflareExposure } = await import("./exposure.js");
-    const log = createMockLogger();
-
-    const result = await startGatewayCloudflareExposure({
-      cloudflareMode: "access-only",
-      logCloudflare: log,
-    });
-
-    expect(result).toBeNull();
-    expect(log.info).toHaveBeenCalledWith(
-      expect.stringContaining("access-only mode"),
-    );
-  });
-
-  it("returns null and logs error in managed mode without token", async () => {
-    const { startGatewayCloudflareExposure } = await import("./exposure.js");
-    const log = createMockLogger();
-
-    const result = await startGatewayCloudflareExposure({
-      cloudflareMode: "managed",
-      logCloudflare: log,
-    });
-
-    expect(result).toBeNull();
-    expect(log.error).toHaveBeenCalledWith(
-      expect.stringContaining("no tunnel token provided"),
-    );
-  });
-
-  it("starts tunnel and returns stop function in managed mode", async () => {
-    const stopFn = vi.fn();
-    startCloudflaredTunnelMock.mockResolvedValue({
-      connectorId: "abc-123",
-      pid: 9999,
-      stderr: [],
-      stop: stopFn,
-    });
-
-    const { startGatewayCloudflareExposure } = await import("./exposure.js");
-    const log = createMockLogger();
-
-    const result = await startGatewayCloudflareExposure({
-      cloudflareMode: "managed",
-      tunnelToken: "test-token",
-      logCloudflare: log,
-    });
-
-    expect(result).toBe(stopFn);
-    expect(startCloudflaredTunnelMock).toHaveBeenCalledWith({
-      token: "test-token",
-      timeoutMs: 30_000,
-      logger: log,
-    });
-    expect(log.info).toHaveBeenCalledWith(
-      expect.stringContaining("connectorId=abc-123"),
-    );
-  });
-
-  it("returns null and logs error when tunnel start fails", async () => {
-    startCloudflaredTunnelMock.mockRejectedValue(new Error("connection refused"));
-
-    const { startGatewayCloudflareExposure } = await import("./exposure.js");
-    const log = createMockLogger();
-
-    const result = await startGatewayCloudflareExposure({
-      cloudflareMode: "managed",
-      tunnelToken: "bad-token",
-      logCloudflare: log,
-    });
-
-    expect(result).toBeNull();
-    expect(log.error).toHaveBeenCalledWith(
-      expect.stringContaining("connection refused"),
-    );
-  });
-});