opentunnel-cli 1.0.22 → 1.0.25

package/dist/cli/index.js

@@ -42,6 +42,8 @@ const chalk_1 = __importDefault(require("chalk"));
 const ora_1 = __importDefault(require("ora"));
 const TunnelClient_1 = require("../client/TunnelClient");
 const NgrokClient_1 = require("../client/NgrokClient");
+const CloudflareTunnelClient_1 = require("../client/CloudflareTunnelClient");
+const credentials_1 = require("../shared/credentials");
 const utils_1 = require("../shared/utils");
 const yaml_1 = require("yaml");
 const fs = __importStar(require("fs"));
@@ -220,8 +222,8 @@ const program = new commander_1.Command();
 program
     .name("opentunnel")
     .alias("ot")
-    .description("Expose local ports to the internet via custom domains or ngrok")
-    .version("1.0.22");
+    .description("Expose local ports to the internet via custom domains, ngrok, or Cloudflare Tunnel")
+    .version("1.0.25");
 // Helper function to build WebSocket URL from domain
 // User only provides base domain (e.g., fjrg2007.com), system handles the rest
 // Note: --insecure flag only affects certificate verification, not the protocol
@@ -618,8 +620,28 @@ program
     .option("--insecure", "Skip SSL verification (for self-signed certs)")
     .option("--ngrok", "Use ngrok instead of OpenTunnel server")
     .option("--region <region>", "Ngrok region (us, eu, ap, au, sa, jp, in)", "us")
+    .option("--cloudflare, --cf", "Use Cloudflare Tunnel instead of OpenTunnel server")
+    .option("--cf-hostname <hostname>", "Custom hostname for Cloudflare Tunnel")
+    .option("--provider <provider>", "Tunnel provider (opentunnel, ngrok, cloudflare)")
     .action(async (port, options) => {
-    if (options.ngrok || options.domain === "ngrok") {
+    // Determine provider
+    const provider = options.provider?.toLowerCase() ||
+        (options.cloudflare || options.cf ? "cloudflare" : null) ||
+        (options.ngrok ? "ngrok" : null);
+    // Cloudflare Tunnel
+    if (provider === "cloudflare" || provider === "cf") {
+        await createCloudflareTunnel({
+            protocol: options.https ? "https" : "http",
+            localHost: options.host,
+            localPort: parseInt(port),
+            hostname: options.cfHostname,
+            tunnelName: options.subdomain, // -n works as tunnel name for CF
+            noTlsVerify: options.insecure,
+        });
+        return;
+    }
+    // ngrok
+    if (provider === "ngrok") {
         await createNgrokTunnel({
             protocol: options.https ? "https" : "http",
             localHost: options.host,
@@ -630,8 +652,8 @@ program
         });
         return;
     }
-    // If remote server domain provided, just connect to it
-    if (options.domain) {
+    // If remote server domain provided, connect to OpenTunnel server
+    if (options.domain && options.domain !== "cloudflare" && options.domain !== "ngrok") {
         const { url: serverUrl } = buildServerUrl(options.domain, options.basePath);
         await createTunnel({
             protocol: options.https ? "https" : "http",
@@ -649,6 +671,8 @@ program
     console.log(chalk_1.default.gray("\nExamples:"));
     console.log(chalk_1.default.cyan("  opentunnel http 3000 -s example.com"));
     console.log(chalk_1.default.cyan("  opentunnel http 3000 --domain example.com -n myapp"));
+    console.log(chalk_1.default.cyan("  opentunnel http 3000 --cloudflare"));
+    console.log(chalk_1.default.cyan("  opentunnel http 3000 --ngrok"));
     process.exit(1);
 });
 // TCP tunnel command
@@ -664,8 +688,33 @@ program
     .option("--insecure", "Skip SSL verification (for self-signed certs)")
     .option("--ngrok", "Use ngrok instead of OpenTunnel server")
     .option("--region <region>", "Ngrok region (us, eu, ap, au, sa, jp, in)", "us")
+    .option("--cloudflare, --cf", "Use Cloudflare Tunnel (TCP requires named tunnel)")
+    .option("--cf-hostname <hostname>", "Custom hostname for Cloudflare Tunnel")
+    .option("--provider <provider>", "Tunnel provider (opentunnel, ngrok, cloudflare)")
     .action(async (port, options) => {
-    if (options.ngrok || options.domain === "ngrok") {
+    // Determine provider
+    const provider = options.provider?.toLowerCase() ||
+        (options.cloudflare || options.cf ? "cloudflare" : null) ||
+        (options.ngrok ? "ngrok" : null);
+    // Cloudflare Tunnel - Note: TCP requires named tunnel
+    if (provider === "cloudflare" || provider === "cf") {
+        if (!options.subdomain) {
+            console.log(chalk_1.default.yellow("Note: Cloudflare TCP tunnels require a named tunnel."));
+            console.log(chalk_1.default.gray("Use -n <tunnel-name> to specify a named tunnel."));
+            console.log(chalk_1.default.gray("\nExample: opentunnel tcp 5432 --cf -n my-tunnel"));
+        }
+        await createCloudflareTunnel({
+            protocol: "tcp",
+            localHost: options.host,
+            localPort: parseInt(port),
+            hostname: options.cfHostname,
+            tunnelName: options.subdomain,
+            noTlsVerify: options.insecure,
+        });
+        return;
+    }
+    // ngrok
+    if (provider === "ngrok") {
         await createNgrokTunnel({
             protocol: "tcp",
             localHost: options.host,
@@ -676,8 +725,8 @@ program
         });
         return;
     }
-    // If remote server domain provided, just connect to it
-    if (options.domain) {
+    // If remote server domain provided, connect to OpenTunnel server
+    if (options.domain && options.domain !== "cloudflare" && options.domain !== "ngrok") {
         const { url: serverUrl } = buildServerUrl(options.domain, options.basePath);
         await createTunnel({
             protocol: "tcp",
@@ -695,6 +744,7 @@ program
     console.log(chalk_1.default.gray("\nExamples:"));
     console.log(chalk_1.default.cyan("  opentunnel tcp 5432 -s example.com"));
     console.log(chalk_1.default.cyan("  opentunnel tcp 5432 --domain example.com -r 15432"));
+    console.log(chalk_1.default.cyan("  opentunnel tcp 5432 --ngrok"));
     process.exit(1);
 });
 // Quick expose command
@@ -709,6 +759,7 @@ program
     .option("--domain <domain>", "Server domain (e.g., domain.com)")
     .option("--insecure", "Skip SSL certificate verification (for self-signed certs)")
     .option("--ngrok", "Use ngrok instead of OpenTunnel server")
+    .option("--cloudflare, --cf", "Use Cloudflare Tunnel instead of OpenTunnel server")
     .action(async (port, options) => {
     const serverUrl = options.server || (options.domain
         ? `wss://${options.domain}/_tunnel`
@@ -717,26 +768,37 @@ program
         await runTunnelInBackground("expose", port, { ...options, server: serverUrl });
         return;
     }
-    if (options.ngrok || options.server === "ngrok") {
-        await createNgrokTunnel({
+    // Cloudflare Tunnel
+    if (options.cloudflare || options.cf || options.server === "cloudflare") {
+        await createCloudflareTunnel({
             protocol: options.protocol,
             localHost: "localhost",
             localPort: parseInt(port),
-            subdomain: options.subdomain,
-            authtoken: options.token
+            noTlsVerify: options.insecure,
         });
+        return;
     }
-    else {
-        await createTunnel({
+    // ngrok
+    if (options.ngrok || options.server === "ngrok") {
+        await createNgrokTunnel({
             protocol: options.protocol,
             localHost: "localhost",
             localPort: parseInt(port),
             subdomain: options.subdomain,
-            serverUrl,
-            token: options.token,
-            insecure: options.insecure
+            authtoken: options.token
         });
+        return;
     }
+    // OpenTunnel server
+    await createTunnel({
+        protocol: options.protocol,
+        localHost: "localhost",
+        localPort: parseInt(port),
+        subdomain: options.subdomain,
+        serverUrl,
+        token: options.token,
+        insecure: options.insecure
+    });
 });
 // Server command
 program
@@ -761,6 +823,12 @@ program
     .option("--ip-mode <mode>", "IP access mode: all, allowlist, denylist (default: all)")
     .option("--ip-allow <ips>", "Comma-separated IPs/CIDRs to allow (e.g., 192.168.1.0/24,10.0.0.1)")
     .option("--ip-deny <ips>", "Comma-separated IPs/CIDRs to deny")
+    .option("--dymo-api-key <key>", "Dymo API key for fraud detection (optional)")
+    .option("--no-dymo-block-bots", "Allow bot user agents (blocked by default when Dymo enabled)")
+    .option("--dymo-block-proxies", "Block proxy/VPN IPs")
+    .option("--dymo-block-hosting", "Block hosting/datacenter IPs")
+    .option("--no-dymo-cache", "Disable Dymo verification caching (sends API request for every HTTP request)")
+    .option("--dymo-cache-ttl <seconds>", "Dymo cache TTL in seconds (default: 300)")
     .option("-d, --detach", "Run server in background (detached mode)")
     .action(async (options) => {
     // Load config from opentunnel.yml if exists (with env variable substitution)
@@ -795,6 +863,12 @@ program
         ipMode: options.ipMode || fileConfig.ipAccess?.mode || "all",
         ipAllow: options.ipAllow || fileConfig.ipAccess?.allowList?.join(","),
         ipDeny: options.ipDeny || fileConfig.ipAccess?.denyList?.join(","),
+        dymoApiKey: options.dymoApiKey || fileConfig.dymo?.apiKey,
+        dymoBlockBots: options.dymoBlockBots ?? fileConfig.dymo?.blockBots ?? true,
+        dymoBlockProxies: options.dymoBlockProxies ?? fileConfig.dymo?.blockProxies ?? false,
+        dymoBlockHosting: options.dymoBlockHosting ?? fileConfig.dymo?.blockHosting ?? false,
+        dymoCache: options.dymoCache ?? fileConfig.dymo?.cacheResults ?? true,
+        dymoCacheTtl: options.dymoCacheTtl ? parseInt(options.dymoCacheTtl) : (fileConfig.dymo?.cacheTTL ?? 300),
         detach: options.detach,
     };
     // Detached mode - run in background
@@ -845,6 +919,14 @@ program
             args.push("--ip-allow", mergedOptions.ipAllow);
         if (mergedOptions.ipDeny)
             args.push("--ip-deny", mergedOptions.ipDeny);
+        if (mergedOptions.dymoApiKey)
+            args.push("--dymo-api-key", mergedOptions.dymoApiKey);
+        if (mergedOptions.dymoBlockBots === false)
+            args.push("--no-dymo-block-bots");
+        if (mergedOptions.dymoBlockProxies)
+            args.push("--dymo-block-proxies");
+        if (mergedOptions.dymoBlockHosting)
+            args.push("--dymo-block-hosting");
         const out = fsAsync.openSync(logFile, "a");
         const err = fsAsync.openSync(logFile, "a");
         const child = spawn(process.execPath, [process.argv[1], ...args], {
@@ -900,6 +982,15 @@ program
         allowList: mergedOptions.ipAllow ? mergedOptions.ipAllow.split(",").map((ip) => ip.trim()) : undefined,
         denyList: mergedOptions.ipDeny ? mergedOptions.ipDeny.split(",").map((ip) => ip.trim()) : undefined,
     } : undefined;
+    // Build Dymo API config (optional fraud detection)
+    const dymoConfig = mergedOptions.dymoApiKey ? {
+        apiKey: mergedOptions.dymoApiKey,
+        blockBots: mergedOptions.dymoBlockBots ?? true,
+        blockProxies: mergedOptions.dymoBlockProxies ?? false,
+        blockHosting: mergedOptions.dymoBlockHosting ?? false,
+        cacheResults: mergedOptions.dymoCache ?? true,
+        cacheTTL: mergedOptions.dymoCacheTtl ?? 300,
+    } : undefined;
     const server = new TunnelServer({
         port: parseInt(mergedOptions.port),
         publicPort: mergedOptions.publicPort ? parseInt(mergedOptions.publicPort) : undefined,
@@ -914,6 +1005,7 @@ program
             ? { required: true, tokens: mergedOptions.authTokens.split(",") }
             : undefined,
         ipAccess: ipAccessConfig,
+        dymo: dymoConfig,
         https: httpsConfig,
         selfSignedHttps: selfSignedHttpsConfig,
         autoHttps: autoHttpsConfig,
@@ -1583,7 +1675,7 @@ program
         console.log(chalk_1.default.cyan(`Connecting to ${remote}...\n`));
         console.log(chalk_1.default.cyan(`Starting ${tunnelsToStart.length} tunnel(s)...\n`));
         try {
-            await startTunnelsFromConfig(tunnelsToStart, serverUrl, config.server?.token, true);
+            await startTunnelsFromConfig(tunnelsToStart, serverUrl, config.server?.token, true, config);
             console.log(chalk_1.default.gray("\nPress Ctrl+C to stop"));
             // Keep running
             await new Promise(() => { });
@@ -1611,6 +1703,10 @@ program
                 max: tcpMax,
             },
             selfSignedHttps: useHttps ? { enabled: true } : undefined,
+            // In hybrid mode, auth is not needed for localhost. For remote clients, still require token.
+            auth: config.server?.token && !isHybridMode ? { required: true, tokens: [config.server.token] } : undefined,
+            dymo: config.server?.dymo,
+            ipAccess: config.server?.ipAccess,
         });
         try {
             await server.start();
@@ -1631,7 +1727,7 @@ program
                 const serverUrl = `${wsProtocol}://localhost:${port}/_tunnel`;
                 // Small delay to ensure server is fully ready
                 await new Promise(resolve => setTimeout(resolve, 500));
-                await startTunnelsFromConfig(tunnelsToStart, serverUrl, config.server?.token, true);
+                await startTunnelsFromConfig(tunnelsToStart, serverUrl, config.server?.token, true, config);
             }
             else if (isServerMode) {
                 console.log(chalk_1.default.gray("\nServer ready. Waiting for connections..."));
@@ -2267,79 +2363,175 @@ async function runTunnelInBackgroundFromConfig(name, protocol, port, options) {
     console.log(chalk_1.default.green(`  ✓ ${name}: started (PID: ${child.pid})`));
 }
 ;
-async function startTunnelsFromConfig(tunnels, serverUrl, token, insecure) {
-    const spinner = (0, ora_1.default)("Connecting to server...").start();
-    const client = new TunnelClient_1.TunnelClient({
-        serverUrl,
-        token,
-        reconnect: true,
-        silent: true,
-        rejectUnauthorized: !insecure,
-    });
-    try {
-        await client.connect();
-        spinner.succeed("Connected to server");
-        const activeTunnels = [];
-        for (const tunnel of tunnels) {
-            const tunnelSpinner = (0, ora_1.default)(`Creating tunnel: ${tunnel.name}...`).start();
-            try {
-                const { tunnelId, publicUrl } = await client.createTunnel({
-                    protocol: tunnel.protocol,
-                    localHost: tunnel.host || "localhost",
-                    localPort: tunnel.port,
-                    subdomain: tunnel.subdomain,
-                    remotePort: tunnel.remotePort,
-                });
-                activeTunnels.push({ name: tunnel.name, tunnelId, publicUrl });
-                tunnelSpinner.succeed(`${tunnel.name}: ${publicUrl}`);
-            }
-            catch (err) {
-                tunnelSpinner.fail(`${tunnel.name}: ${err.message}`);
-            }
+async function startTunnelsFromConfig(tunnels, serverUrl, token, insecure, globalConfig) {
+    // Determine global provider
+    const globalProvider = globalConfig?.provider || "opentunnel";
+    // Group tunnels by provider
+    const tunnelsByProvider = new Map();
+    for (const tunnel of tunnels) {
+        const provider = tunnel.provider || globalProvider;
+        if (!tunnelsByProvider.has(provider)) {
+            tunnelsByProvider.set(provider, []);
         }
-        if (activeTunnels.length === 0) {
-            console.log(chalk_1.default.red("\nNo tunnels created"));
-            process.exit(1);
+        tunnelsByProvider.get(provider).push(tunnel);
+    }
+    const activeTunnels = [];
+    const clients = [];
+    // Process OpenTunnel tunnels
+    const opentunnelTunnels = tunnelsByProvider.get("opentunnel") || [];
+    if (opentunnelTunnels.length > 0) {
+        const spinner = (0, ora_1.default)("Connecting to OpenTunnel server...").start();
+        const client = new TunnelClient_1.TunnelClient({
+            serverUrl,
+            token,
+            reconnect: true,
+            silent: true,
+            rejectUnauthorized: !insecure,
+        });
+        try {
+            await client.connect();
+            spinner.succeed("Connected to OpenTunnel server");
+            clients.push({ provider: "opentunnel", client });
+            for (const tunnel of opentunnelTunnels) {
+                const tunnelSpinner = (0, ora_1.default)(`Creating tunnel: ${tunnel.name}...`).start();
+                try {
+                    const { tunnelId, publicUrl } = await client.createTunnel({
+                        protocol: tunnel.protocol,
+                        localHost: tunnel.host || "localhost",
+                        localPort: tunnel.port,
+                        subdomain: tunnel.subdomain,
+                        remotePort: tunnel.remotePort,
+                    });
+                    activeTunnels.push({ name: tunnel.name, tunnelId, publicUrl, provider: "opentunnel", client });
+                    tunnelSpinner.succeed(`${tunnel.name}: ${publicUrl}`);
+                }
+                catch (err) {
+                    tunnelSpinner.fail(`${tunnel.name}: ${err.message}`);
+                }
+            }
+            // Handle reconnection events
+            client.on("disconnected", () => {
+                console.log(chalk_1.default.yellow("\n  OpenTunnel disconnected, reconnecting..."));
+            });
+            client.on("connected", () => {
+                console.log(chalk_1.default.green("  OpenTunnel reconnected!"));
+            });
         }
-        console.log(chalk_1.default.cyan("\n─────────────────────────────────────────"));
-        console.log(chalk_1.default.green(`  ${activeTunnels.length} tunnel(s) active`));
-        console.log(chalk_1.default.cyan("─────────────────────────────────────────\n"));
-        for (const t of activeTunnels) {
-            console.log(`  ${chalk_1.default.white(t.name.padEnd(15))} ${chalk_1.default.green(t.publicUrl)}`);
+        catch (err) {
+            spinner.fail(`OpenTunnel connection failed: ${err.message}`);
         }
-        console.log(chalk_1.default.gray("\n  Press Ctrl+C to stop all tunnels\n"));
-        // Keep alive with uptime counter
-        const startTime = Date.now();
-        const statsInterval = setInterval(() => {
-            const uptime = (0, utils_1.formatDuration)(Date.now() - startTime);
-            process.stdout.write(`\r  ${chalk_1.default.gray(`Uptime: ${uptime}`)}`);
-        }, 1000);
-        // Handle exit
-        const cleanup = async () => {
-            clearInterval(statsInterval);
-            console.log("\n");
-            const closeSpinner = (0, ora_1.default)("Closing tunnels...").start();
-            for (const t of activeTunnels) {
-                await client.closeTunnel(t.tunnelId);
-            }
-            await client.disconnect();
-            closeSpinner.succeed("All tunnels closed");
-            process.exit(0);
-        };
-        process.on("SIGINT", cleanup);
-        process.on("SIGTERM", cleanup);
-        // Handle reconnection
-        client.on("disconnected", () => {
-            console.log(chalk_1.default.yellow("\n  Disconnected, reconnecting..."));
+    }
+    // Process ngrok tunnels (one at a time, ngrok limitation)
+    const ngrokTunnels = tunnelsByProvider.get("ngrok") || [];
+    for (const tunnel of ngrokTunnels) {
+        const spinner = (0, ora_1.default)(`Creating ngrok tunnel: ${tunnel.name}...`).start();
+        const ngrokToken = tunnel.ngrokToken || globalConfig?.ngrok?.token;
+        const ngrokRegion = tunnel.ngrokRegion || globalConfig?.ngrok?.region || "us";
+        // Merge IP access config: tunnel-specific > global security > none
+        const { IpFilter } = await Promise.resolve().then(() => __importStar(require("../shared/ip-filter")));
+        const ipAccess = IpFilter.mergeConfigs(globalConfig?.security?.ipAccess, tunnel.ipAccess);
+        const client = new NgrokClient_1.NgrokClient({
+            authtoken: ngrokToken,
+            region: ngrokRegion,
+            ipAccess,
         });
-        client.on("connected", () => {
-            console.log(chalk_1.default.green("  Reconnected!"));
+        try {
+            await client.connect();
+            const { tunnelId, publicUrl } = await client.createTunnel({
+                protocol: tunnel.protocol,
+                localHost: tunnel.host || "localhost",
+                localPort: tunnel.port,
+                subdomain: tunnel.subdomain,
+                remotePort: tunnel.remotePort,
+            });
+            activeTunnels.push({ name: tunnel.name, tunnelId, publicUrl, provider: "ngrok", client });
+            clients.push({ provider: "ngrok", client });
+            spinner.succeed(`${tunnel.name}: ${publicUrl} (ngrok)`);
+        }
+        catch (err) {
+            spinner.fail(`${tunnel.name}: ${err.message}`);
+            console.log(chalk_1.default.yellow("  Make sure ngrok is installed: https://ngrok.com/download"));
+        }
+    }
+    // Process Cloudflare tunnels (one at a time)
+    const cloudflareTunnels = tunnelsByProvider.get("cloudflare") || [];
+    for (const tunnel of cloudflareTunnels) {
+        const spinner = (0, ora_1.default)(`Creating Cloudflare tunnel: ${tunnel.name}...`).start();
+        const cfHostname = tunnel.cfHostname || globalConfig?.cloudflare?.hostname;
+        // For Cloudflare: subdomain = tunnel name
+        const cfTunnelName = tunnel.subdomain || globalConfig?.cloudflare?.tunnelName;
+        // Merge IP access config: tunnel-specific > global security > none
+        const { IpFilter } = await Promise.resolve().then(() => __importStar(require("../shared/ip-filter")));
+        const ipAccess = IpFilter.mergeConfigs(globalConfig?.security?.ipAccess, tunnel.ipAccess);
+        const client = new CloudflareTunnelClient_1.CloudflareTunnelClient({
+            hostname: cfHostname,
+            tunnelName: cfTunnelName,
+            protocol: tunnel.protocol === "https" ? "https" : "http",
+            ipAccess,
         });
+        try {
+            await client.connect();
+            const { tunnelId, publicUrl } = await client.createTunnel({
+                protocol: tunnel.protocol,
+                localHost: tunnel.host || "localhost",
+                localPort: tunnel.port,
+            });
+            activeTunnels.push({ name: tunnel.name, tunnelId, publicUrl, provider: "cloudflare", client });
+            clients.push({ provider: "cloudflare", client });
+            const tunnelMode = cfTunnelName ? ` [${cfTunnelName}]` : "";
+            spinner.succeed(`${tunnel.name}: ${publicUrl}${tunnelMode} (cloudflare)`);
+        }
+        catch (err) {
+            spinner.fail(`${tunnel.name}: ${err.message}`);
+            console.log(chalk_1.default.yellow("  cloudflared installs automatically. Check internet connection or try: npm rebuild cloudflared"));
+        }
     }
-    catch (err) {
-        spinner.fail(`Failed: ${err.message}`);
+    if (activeTunnels.length === 0) {
+        console.log(chalk_1.default.red("\nNo tunnels created"));
         process.exit(1);
     }
+    console.log(chalk_1.default.cyan("\n─────────────────────────────────────────"));
+    console.log(chalk_1.default.green(`  ${activeTunnels.length} tunnel(s) active`));
+    console.log(chalk_1.default.cyan("─────────────────────────────────────────\n"));
+    for (const t of activeTunnels) {
+        const providerTag = t.provider !== "opentunnel" ? chalk_1.default.gray(` (${t.provider})`) : "";
+        console.log(`  ${chalk_1.default.white(t.name.padEnd(15))} ${chalk_1.default.green(t.publicUrl)}${providerTag}`);
+    }
+    console.log(chalk_1.default.gray("\n  Press Ctrl+C to stop all tunnels\n"));
+    // Keep alive with uptime counter
+    const startTime = Date.now();
+    const statsInterval = setInterval(() => {
+        const uptime = (0, utils_1.formatDuration)(Date.now() - startTime);
+        process.stdout.write(`\r  ${chalk_1.default.gray(`Uptime: ${uptime}`)}`);
+    }, 1000);
+    // Handle exit
+    const cleanup = async () => {
+        clearInterval(statsInterval);
+        console.log("\n");
+        const closeSpinner = (0, ora_1.default)("Closing tunnels...").start();
+        for (const t of activeTunnels) {
+            try {
+                await t.client.closeTunnel(t.tunnelId);
+            }
+            catch {
+                // Ignore errors during cleanup
+            }
+        }
+        for (const { client } of clients) {
+            try {
+                await client.disconnect();
+            }
+            catch {
+                // Ignore errors during cleanup
+            }
+        }
+        closeSpinner.succeed("All tunnels closed");
+        process.exit(0);
+    };
+    process.on("SIGINT", cleanup);
+    process.on("SIGTERM", cleanup);
+    // Keep process alive
+    await new Promise(() => { });
 }
 ;
 async function runTunnelInBackground(command, port, options) {
@@ -2531,6 +2723,61 @@ async function createNgrokTunnel(options) {
     }
 }
 ;
+async function createCloudflareTunnel(options) {
+    const tunnelType = options.tunnelName ? `named tunnel '${options.tunnelName}'` : "quick tunnel";
+    const spinner = (0, ora_1.default)(`Starting Cloudflare ${tunnelType}...`).start();
+    const client = new CloudflareTunnelClient_1.CloudflareTunnelClient({
+        hostname: options.hostname,
+        tunnelName: options.tunnelName,
+        noTlsVerify: options.noTlsVerify,
+        protocol: options.protocol === "https" ? "https" : "http",
+    });
+    try {
+        await client.connect();
+        spinner.text = "Creating tunnel...";
+        const { tunnelId, publicUrl } = await client.createTunnel({
+            protocol: options.protocol,
+            localHost: options.localHost,
+            localPort: options.localPort,
+        });
+        spinner.succeed("Tunnel established!");
+        const providerInfo = options.tunnelName
+            ? `Cloudflare [${options.tunnelName}]`
+            : "Cloudflare";
+        printTunnelInfo({
+            status: "Online",
+            protocol: options.protocol,
+            localHost: options.localHost,
+            localPort: options.localPort,
+            publicUrl,
+            provider: providerInfo,
+        });
+        // Keep alive
+        const startTime = Date.now();
+        const statsInterval = setInterval(() => {
+            const uptime = (0, utils_1.formatDuration)(Date.now() - startTime);
+            process.stdout.write(`\r  ${chalk_1.default.gray(`Uptime: ${uptime}`)}`);
+        }, 1000);
+        // Handle exit
+        const cleanup = async () => {
+            clearInterval(statsInterval);
+            console.log("\n");
+            spinner.start("Closing tunnel...");
+            await client.closeTunnel(tunnelId);
+            await client.disconnect();
+            spinner.succeed("Tunnel closed");
+            process.exit(0);
+        };
+        process.on("SIGINT", cleanup);
+        process.on("SIGTERM", cleanup);
+    }
+    catch (err) {
+        spinner.fail(`Failed: ${err.message}`);
+        console.log(chalk_1.default.yellow("\ncloudflared installs automatically. Check your internet connection or try: npm rebuild cloudflared"));
+        process.exit(1);
+    }
+}
+;
 function printTunnelInfo(info) {
     console.log("");
     console.log(chalk_1.default.cyan(`  OpenTunnel ${chalk_1.default.gray(`(via ${info.provider})`)}`));
@@ -2545,5 +2792,386 @@ function printTunnelInfo(info) {
     console.log("");
 }
 ;
+// ============================================================================
+// Unified Provider Commands
+// ============================================================================
+// Login command - unified for all providers
+program
+    .command("login <provider>")
+    .description("Authenticate with a provider (cloudflare, ngrok)")
+    .option("-t, --token <token>", "Authentication token (required for ngrok)")
+    .action(async (provider, options) => {
+    const credManager = new credentials_1.CredentialsManager();
+    const normalizedProvider = provider.toLowerCase();
+    if (normalizedProvider === "cloudflare" || normalizedProvider === "cf") {
+        const spinner = (0, ora_1.default)("Running cloudflared login...").start();
+        try {
+            const binPath = await CloudflareTunnelClient_1.CloudflareTunnelClient.ensureInstalled();
+            const { spawn } = await Promise.resolve().then(() => __importStar(require("child_process")));
+            spinner.stop();
+            console.log(chalk_1.default.cyan("\n  Opening browser for Cloudflare authentication...\n"));
+            const proc = spawn(binPath, ["login"], {
+                stdio: "inherit",
+                shell: process.platform === "win32",
+            });
+            await new Promise((resolve, reject) => {
+                proc.on("close", (code) => {
+                    if (code === 0) {
+                        const os = require("os");
+                        const defaultCertPath = path.join(os.homedir(), ".cloudflared", "cert.pem");
+                        credManager.setCloudflare({ certPath: defaultCertPath });
+                        console.log(chalk_1.default.green("\n  Cloudflare credentials saved"));
+                        console.log(chalk_1.default.gray(`  Cert path: ${defaultCertPath}`));
+                        resolve();
+                    }
+                    else {
+                        reject(new Error(`cloudflared login exited with code ${code}`));
+                    }
+                });
+                proc.on("error", reject);
+            });
+        }
+        catch (err) {
+            spinner.fail(`Login failed: ${err.message}`);
+            process.exit(1);
+        }
+    }
+    else if (normalizedProvider === "ngrok") {
+        if (!options.token) {
+            console.log(chalk_1.default.red("Error: ngrok requires --token <token>"));
+            console.log(chalk_1.default.gray("\nGet your token from: https://dashboard.ngrok.com/get-started/your-authtoken"));
+            console.log(chalk_1.default.cyan("\nUsage: opentunnel login ngrok --token <your-token>"));
+            process.exit(1);
+        }
+        credManager.setNgrok({ token: options.token });
+        console.log(chalk_1.default.green("\n  ngrok credentials saved"));
+        console.log(chalk_1.default.gray(`  Token: ${options.token.slice(0, 8)}...`));
+        console.log(chalk_1.default.gray(`  Stored at: ${credentials_1.CredentialsManager.getCredentialsFile()}\n`));
+    }
+    else {
+        console.log(chalk_1.default.red(`Unknown provider: ${provider}`));
+        console.log(chalk_1.default.gray("\nSupported providers: cloudflare (cf), ngrok"));
+        process.exit(1);
+    }
+});
+// Logout command - unified for all providers
+program
+    .command("logout <provider>")
+    .description("Remove stored credentials for a provider")
+    .action(async (provider) => {
+    const credManager = new credentials_1.CredentialsManager();
+    const normalizedProvider = provider.toLowerCase();
+    if (normalizedProvider === "cloudflare" || normalizedProvider === "cf") {
+        const removed = credManager.removeProvider("cloudflare");
+        if (removed) {
+            console.log(chalk_1.default.green("\n  Cloudflare credentials removed\n"));
+        }
+        else {
+            console.log(chalk_1.default.yellow("\n  No Cloudflare credentials found\n"));
+        }
+    }
+    else if (normalizedProvider === "ngrok") {
+        const removed = credManager.removeProvider("ngrok");
+        if (removed) {
+            console.log(chalk_1.default.green("\n  ngrok credentials removed\n"));
+        }
+        else {
+            console.log(chalk_1.default.yellow("\n  No ngrok credentials found\n"));
+        }
+    }
+    else {
+        console.log(chalk_1.default.red(`Unknown provider: ${provider}`));
+        console.log(chalk_1.default.gray("\nSupported providers: cloudflare (cf), ngrok"));
+        process.exit(1);
+    }
+});
+// Create tunnel command (for named tunnels)
+program
+    .command("create <name>")
+    .description("Create a named tunnel")
+    .option("--cf, --cloudflare", "Create Cloudflare named tunnel")
+    .option("--provider <provider>", "Provider (cloudflare)")
+    .action(async (name, options) => {
+    const provider = options.provider?.toLowerCase() ||
+        (options.cloudflare || options.cf ? "cloudflare" : null);
+    if (!provider) {
+        console.log(chalk_1.default.red("Error: Provider required"));
+        console.log(chalk_1.default.gray("\nUsage: opentunnel create <name> --cf"));
+        console.log(chalk_1.default.gray("       opentunnel create <name> --provider cloudflare"));
+        process.exit(1);
+    }
+    if (provider === "cloudflare" || provider === "cf") {
+        const spinner = (0, ora_1.default)(`Creating Cloudflare tunnel '${name}'...`).start();
+        try {
+            const binPath = await CloudflareTunnelClient_1.CloudflareTunnelClient.ensureInstalled();
+            const { spawn } = await Promise.resolve().then(() => __importStar(require("child_process")));
+            const proc = spawn(binPath, ["tunnel", "create", name], {
+                stdio: ["ignore", "pipe", "pipe"],
+                shell: process.platform === "win32",
+            });
+            let output = "";
+            let errorOutput = "";
+            proc.stdout?.on("data", (data) => { output += data.toString(); });
+            proc.stderr?.on("data", (data) => { errorOutput += data.toString(); });
+            await new Promise((resolve, reject) => {
+                proc.on("close", (code) => {
+                    if (code === 0) {
+                        spinner.succeed(`Tunnel '${name}' created`);
+                        if (output)
+                            console.log(chalk_1.default.gray(output.trim()));
+                        resolve();
+                    }
+                    else {
+                        reject(new Error(errorOutput || `Exit code ${code}`));
+                    }
+                });
+                proc.on("error", reject);
+            });
+        }
+        catch (err) {
+            spinner.fail(`Failed to create tunnel: ${err.message}`);
+            if (err.message.includes("login")) {
+                console.log(chalk_1.default.yellow("\nRun 'opentunnel login cloudflare' first"));
+            }
+            process.exit(1);
+        }
+    }
+    else {
+        console.log(chalk_1.default.red(`Provider '${provider}' doesn't support named tunnels`));
+        process.exit(1);
+    }
+});
+// Delete tunnel command
+program
+    .command("delete <name>")
+    .description("Delete a named tunnel")
+    .option("--cf, --cloudflare", "Delete Cloudflare named tunnel")
+    .option("--provider <provider>", "Provider (cloudflare)")
+    .option("-f, --force", "Force deletion without confirmation")
+    .action(async (name, options) => {
+    const provider = options.provider?.toLowerCase() ||
+        (options.cloudflare || options.cf ? "cloudflare" : null);
+    if (!provider) {
+        console.log(chalk_1.default.red("Error: Provider required"));
+        console.log(chalk_1.default.gray("\nUsage: opentunnel delete <name> --cf"));
+        process.exit(1);
+    }
+    if (provider === "cloudflare" || provider === "cf") {
+        if (!options.force) {
+            console.log(chalk_1.default.yellow(`\n  This will delete tunnel '${name}' permanently.`));
+            console.log(chalk_1.default.gray("  Use --force to skip this confirmation.\n"));
+            const readline = await Promise.resolve().then(() => __importStar(require("readline")));
+            const rl = readline.createInterface({
+                input: process.stdin,
+                output: process.stdout,
+            });
+            const answer = await new Promise((resolve) => {
+                rl.question("  Type the tunnel name to confirm: ", resolve);
+            });
+            rl.close();
+            if (answer !== name) {
+                console.log(chalk_1.default.red("\n  Cancelled: name didn't match\n"));
+                return;
+            }
+        }
+        const spinner = (0, ora_1.default)(`Deleting tunnel '${name}'...`).start();
+        try {
+            const binPath = await CloudflareTunnelClient_1.CloudflareTunnelClient.ensureInstalled();
+            const { spawn } = await Promise.resolve().then(() => __importStar(require("child_process")));
+            const proc = spawn(binPath, ["tunnel", "delete", name], {
+                stdio: ["ignore", "pipe", "pipe"],
+                shell: process.platform === "win32",
+            });
+            let errorOutput = "";
+            proc.stderr?.on("data", (data) => { errorOutput += data.toString(); });
+            await new Promise((resolve, reject) => {
+                proc.on("close", (code) => {
+                    if (code === 0) {
+                        spinner.succeed(`Tunnel '${name}' deleted`);
+                        resolve();
+                    }
+                    else {
+                        reject(new Error(errorOutput || `Exit code ${code}`));
+                    }
+                });
+                proc.on("error", reject);
+            });
+        }
+        catch (err) {
+            spinner.fail(`Failed to delete tunnel: ${err.message}`);
+            process.exit(1);
+        }
+    }
+});
+// Route DNS command (Cloudflare specific)
+program
+    .command("route <name> <hostname>")
+    .description("Route a hostname to a tunnel (Cloudflare DNS)")
+    .option("--cf, --cloudflare", "Route via Cloudflare")
+    .option("--provider <provider>", "Provider (cloudflare)")
+    .action(async (name, hostname, options) => {
+    const provider = options.provider?.toLowerCase() ||
+        (options.cloudflare || options.cf ? "cloudflare" : "cloudflare"); // Default to cloudflare
+    if (provider === "cloudflare" || provider === "cf") {
+        const spinner = (0, ora_1.default)(`Routing ${hostname} to tunnel '${name}'...`).start();
+        try {
+            const binPath = await CloudflareTunnelClient_1.CloudflareTunnelClient.ensureInstalled();
+            const { spawn } = await Promise.resolve().then(() => __importStar(require("child_process")));
+            const proc = spawn(binPath, ["tunnel", "route", "dns", name, hostname], {
+                stdio: ["ignore", "pipe", "pipe"],
+                shell: process.platform === "win32",
+            });
+            let output = "";
+            let errorOutput = "";
+            proc.stdout?.on("data", (data) => { output += data.toString(); });
+            proc.stderr?.on("data", (data) => { errorOutput += data.toString(); });
+            await new Promise((resolve, reject) => {
+                proc.on("close", (code) => {
+                    if (code === 0) {
+                        spinner.succeed(`DNS route created: ${hostname} -> ${name}`);
+                        if (output)
+                            console.log(chalk_1.default.gray(output.trim()));
+                        resolve();
+                    }
+                    else {
+                        reject(new Error(errorOutput || `Exit code ${code}`));
+                    }
+                });
+                proc.on("error", reject);
+            });
+        }
+        catch (err) {
+            spinner.fail(`Failed to create route: ${err.message}`);
+            process.exit(1);
+        }
+    }
+});
+// List tunnels command - extend existing list command
+program
+    .command("tunnels")
+    .description("List named tunnels")
+    .option("--cf, --cloudflare", "List Cloudflare tunnels")
+    .option("--provider <provider>", "Provider (cloudflare)")
+    .action(async (options) => {
+    const provider = options.provider?.toLowerCase() ||
+        (options.cloudflare || options.cf ? "cloudflare" : null);
+    if (!provider) {
+        console.log(chalk_1.default.red("Error: Provider required"));
+        console.log(chalk_1.default.gray("\nUsage: opentunnel tunnels --cf"));
+        process.exit(1);
+    }
+    if (provider === "cloudflare" || provider === "cf") {
+        const spinner = (0, ora_1.default)("Listing Cloudflare tunnels...").start();
+        try {
+            const binPath = await CloudflareTunnelClient_1.CloudflareTunnelClient.ensureInstalled();
+            const { spawn } = await Promise.resolve().then(() => __importStar(require("child_process")));
+            const proc = spawn(binPath, ["tunnel", "list"], {
+                stdio: ["ignore", "pipe", "pipe"],
+                shell: process.platform === "win32",
+            });
+            let output = "";
+            let errorOutput = "";
+            proc.stdout?.on("data", (data) => { output += data.toString(); });
+            proc.stderr?.on("data", (data) => { errorOutput += data.toString(); });
+            await new Promise((resolve, reject) => {
+                proc.on("close", (code) => {
+                    if (code === 0) {
+                        spinner.stop();
+                        console.log(chalk_1.default.cyan("\n  Cloudflare Tunnels"));
+                        console.log(chalk_1.default.gray("  " + "─".repeat(60)));
+                        if (output.trim()) {
+                            console.log(output);
+                        }
+                        else {
+                            console.log(chalk_1.default.yellow("  No tunnels found"));
+                            console.log(chalk_1.default.gray("\n  Create one with: opentunnel create <name> --cf"));
+                        }
+                        resolve();
+                    }
+                    else {
+                        reject(new Error(errorOutput || `Exit code ${code}`));
+                    }
+                });
+                proc.on("error", reject);
+            });
+        }
+        catch (err) {
+            spinner.fail(`Failed to list tunnels: ${err.message}`);
+            if (err.message.includes("login")) {
+                console.log(chalk_1.default.yellow("\nRun 'opentunnel login cloudflare' first"));
+            }
+            process.exit(1);
+        }
+    }
+});
+// ============================================================================
+// Config Commands
+// ============================================================================
+const configCommand = program
+    .command("config")
+    .description("Manage OpenTunnel configuration");
+configCommand
+    .command("set <key> <value>")
+    .description("Set a configuration value (e.g., ngrok.token, cloudflare.accountId)")
+    .action(async (key, value) => {
+    const credManager = new credentials_1.CredentialsManager();
+    const validKeys = [
+        "ngrok.token",
+        "cloudflare.accountId",
+        "cloudflare.tunnelToken",
+        "cloudflare.certPath",
+    ];
+    if (!validKeys.includes(key)) {
+        console.log(chalk_1.default.red(`Invalid key: ${key}`));
+        console.log(chalk_1.default.gray("\nValid keys:"));
+        for (const k of validKeys) {
+            console.log(chalk_1.default.cyan(`  ${k}`));
+        }
+        process.exit(1);
+    }
+    credManager.set(key, value);
+    console.log(chalk_1.default.green(`\n  ${key} = ${value.slice(0, 20)}${value.length > 20 ? "..." : ""}\n`));
+});
+configCommand
+    .command("get <key>")
+    .description("Get a configuration value")
+    .action(async (key) => {
+    const credManager = new credentials_1.CredentialsManager();
+    const value = credManager.get(key);
+    if (value) {
+        // Mask sensitive values
+        const masked = key.includes("token") || key.includes("Token")
+            ? value.slice(0, 8) + "..." + value.slice(-4)
+            : value;
+        console.log(chalk_1.default.cyan(`\n  ${key} = ${masked}\n`));
+    }
+    else {
+        console.log(chalk_1.default.yellow(`\n  ${key} is not set\n`));
+    }
+});
+configCommand
+    .command("list")
+    .description("List all stored configuration")
+    .action(async () => {
+    const credManager = new credentials_1.CredentialsManager();
+    const keys = credManager.listKeys();
+    console.log(chalk_1.default.cyan("\n  Stored Configuration"));
+    console.log(chalk_1.default.gray("  " + "─".repeat(40)));
+    if (keys.length === 0) {
+        console.log(chalk_1.default.yellow("  No configuration stored"));
+        console.log(chalk_1.default.gray("\n  Use 'opentunnel login' or 'opentunnel config set' to add credentials"));
+    }
+    else {
+        for (const key of keys) {
+            const value = credManager.get(key);
+            const masked = (key.includes("token") || key.includes("Token")) && value
+                ? value.slice(0, 8) + "..." + value.slice(-4)
+                : value;
+            console.log(`  ${chalk_1.default.white(key.padEnd(25))} ${chalk_1.default.gray(masked || "")}`);
+        }
+    }
+    console.log(chalk_1.default.gray("  " + "─".repeat(40)));
+    console.log(chalk_1.default.gray(`\n  Config file: ${credentials_1.CredentialsManager.getCredentialsFile()}\n`));
+});
 program.parse();
 //# sourceMappingURL=index.js.map