wrangler 4.90.1 → 4.91.0

package/wrangler-dist/cli.js

@@ -30381,7 +30381,9 @@ function normalizeAndValidateEnvironment(diagnostics, configPath, rawEnv, isDisp
     "Removed",
     "error"
   );
-  experimental(diagnostics, rawEnv, "unsafe");
+  if (topLevelEnv === void 0 || rawConfig?.unsafe === void 0) {
+    experimental(diagnostics, rawEnv, "unsafe");
+  }
   const route = normalizeAndValidateRoute(diagnostics, topLevelEnv, rawEnv);
   const account_id = inheritableInWranglerEnvironments(
     diagnostics,
@@ -32262,17 +32264,14 @@ function startTunnel(options) {
   const timeoutMs = options.timeoutMs ?? TUNNEL_STARTUP_TIMEOUT_MS;
   const reminderIntervalMs = options.reminderIntervalMs ?? DEFAULT_TUNNEL_REMINDER_INTERVAL_MS;
   const defaultExpiryMs = options.expiryMs ?? DEFAULT_TUNNEL_EXPIRY_MS;
+  const isNamedTunnel = options.token !== void 0;
   const timeFormatter = new Intl.DateTimeFormat(void 0, {
     timeStyle: "short"
   });
-  const cloudflaredArgs = [
-    "tunnel",
-    "--no-autoupdate",
-    "--url",
-    options.origin.href
-  ];
+  const cloudflaredArgs = isNamedTunnel ? ["tunnel", "--no-autoupdate", "run"] : ["tunnel", "--no-autoupdate", "--url", options.origin.href];
   const cloudflaredPromise = spawnCloudflared(cloudflaredArgs, {
     stdio: "pipe",
+    env: options.token ? { TUNNEL_TOKEN: options.token } : void 0,
     skipVersionCheck: true,
     logger: logger4
   }).then((process22) => {
@@ -32282,15 +32281,20 @@ function startTunnel(options) {
     }
     return process22;
   });
-  const readyPromise = cloudflaredPromise.then(
-    (process22) => waitForQuickTunnelReady(process22, timeoutMs, {
+  const readyPromise = cloudflaredPromise.then((process22) => {
+    if (isNamedTunnel) {
+      return { mode: "named" };
+    }
+    return waitForQuickTunnelReady(process22, timeoutMs, {
       logger: logger4,
       origin: options.origin
-    })
-  ).then((result) => {
+    });
+  }).then((result) => {
     expiresAt = Date.now() + defaultExpiryMs;
     scheduleExpiryTimeout();
-    scheduleReminder(result.publicUrl.origin);
+    scheduleReminder(
+      result.mode === "quick" ? result.publicUrl.origin : void 0
+    );
     return result;
   });
   function disposeTunnel() {
@@ -32325,7 +32329,7 @@ function startTunnel(options) {
           return;
         }
         logger4?.log(
-          `The tunnel is still open at ${publicURL}. It expires in ${formatTunnelDuration(remainingMs)}. ${options.extendHint ?? ""}`
+          `${publicURL ? `The tunnel is still open at ${publicURL}.` : "The tunnel is still open."} It expires in ${formatTunnelDuration(remainingMs)}. ${options.extendHint ?? ""}`
         );
       }, reminderIntervalMs);
       reminderInterval.unref?.();
@@ -32381,6 +32385,7 @@ function startTunnel(options) {
   __name2(extendExpiry, "extendExpiry");
   return {
     ready: /* @__PURE__ */ __name2(() => readyPromise, "ready"),
+    isOpen: /* @__PURE__ */ __name2(() => !disposed, "isOpen"),
     dispose: disposeTunnel,
     extendExpiry
   };
@@ -32439,7 +32444,7 @@ function waitForQuickTunnelReady(cloudflared, timeoutMs, options) {
         if (match3 && !resolved) {
           resolved = true;
           clearTimeout(timeoutId);
-          resolve32({ publicUrl: new URL(match3[0]) });
+          resolve32({ mode: "quick", publicUrl: new URL(match3[0]) });
         }
       });
     }
@@ -38028,14 +38033,16 @@ var init_dist = __esm({
       if (configDefines.length > 0) {
         if (typeof value === "object" && value !== null) {
           const configEnvDefines = config === void 0 ? [] : Object.keys(value);
-          for (const varName of configDefines) {
-            if (!(varName in value)) {
-              diagnostics.warnings.push(
-                `"define.${varName}" exists at the top level, but not on "${fieldPath}".
-This is not what you probably want, since "define" configuration is not inherited by environments.
-Please add "define.${varName}" to "env.${envName}".`
-              );
-            }
+          const missingDefines = configDefines.filter(
+            (varName) => !(varName in value)
+          );
+          if (missingDefines.length > 0) {
+            diagnostics.warnings.push(
+              `The following define entries exist at the top level, but not on "${fieldPath}".
+This is probably not what you want, since "define" configuration is not inherited by environments.
+Please add these entries to "env.${envName}.define":
+` + missingDefines.map((varName) => `- ${varName}`).join("\n")
+            );
           }
           for (const varName of configEnvDefines) {
             if (!configDefines.includes(varName)) {
@@ -38076,14 +38083,14 @@ Please remove "${fieldPath}.${varName}", or add "define.${varName}".`
       const configVars = Object.keys(config?.vars ?? {});
       if (configVars.length > 0) {
         if (typeof value === "object" && value !== null) {
-          for (const varName of configVars) {
-            if (!(varName in value)) {
-              diagnostics.warnings.push(
-                `"vars.${varName}" exists at the top level, but not on "${fieldPath}".
-This is not what you probably want, since "vars" configuration is not inherited by environments.
-Please add "vars.${varName}" to "env.${envName}".`
-              );
-            }
+          const missingVars = configVars.filter((varName) => !(varName in value));
+          if (missingVars.length > 0) {
+            diagnostics.warnings.push(
+              `The following vars exist at the top level, but not on "${fieldPath}".
+This is probably not what you want, since "vars" configuration is not inherited by environments.
+Please add these vars to "env.${envName}.vars":
+` + missingVars.map((varName) => `- ${varName}`).join("\n")
+            );
           }
         }
       }
@@ -46851,18 +46858,18 @@ var require_async = __commonJS({
       ];
     }, "defaultPaths");
     var defaultIsFile = /* @__PURE__ */ __name(function isFile2(file3, cb2) {
-      fs33.stat(file3, function(err, stat9) {
+      fs33.stat(file3, function(err, stat10) {
         if (!err) {
-          return cb2(null, stat9.isFile() || stat9.isFIFO());
+          return cb2(null, stat10.isFile() || stat10.isFIFO());
         }
         if (err.code === "ENOENT" || err.code === "ENOTDIR") return cb2(null, false);
         return cb2(err);
       });
     }, "isFile");
     var defaultIsDir = /* @__PURE__ */ __name(function isDirectory3(dir2, cb2) {
-      fs33.stat(dir2, function(err, stat9) {
+      fs33.stat(dir2, function(err, stat10) {
         if (!err) {
-          return cb2(null, stat9.isDirectory());
+          return cb2(null, stat10.isDirectory());
         }
         if (err.code === "ENOENT" || err.code === "ENOTDIR") return cb2(null, false);
         return cb2(err);
@@ -47353,21 +47360,21 @@ var require_sync = __commonJS({
     }, "defaultPaths");
     var defaultIsFile = /* @__PURE__ */ __name(function isFile2(file3) {
       try {
-        var stat9 = fs33.statSync(file3, { throwIfNoEntry: false });
+        var stat10 = fs33.statSync(file3, { throwIfNoEntry: false });
       } catch (e10) {
         if (e10 && (e10.code === "ENOENT" || e10.code === "ENOTDIR")) return false;
         throw e10;
       }
-      return !!stat9 && (stat9.isFile() || stat9.isFIFO());
+      return !!stat10 && (stat10.isFile() || stat10.isFIFO());
     }, "isFile");
     var defaultIsDir = /* @__PURE__ */ __name(function isDirectory3(dir2) {
       try {
-        var stat9 = fs33.statSync(dir2, { throwIfNoEntry: false });
+        var stat10 = fs33.statSync(dir2, { throwIfNoEntry: false });
       } catch (e10) {
         if (e10 && (e10.code === "ENOENT" || e10.code === "ENOTDIR")) return false;
         throw e10;
       }
-      return !!stat9 && stat9.isDirectory();
+      return !!stat10 && stat10.isDirectory();
     }, "isDirectory");
     var defaultRealpathSync = /* @__PURE__ */ __name(function realpathSync4(x6) {
       try {
@@ -49650,7 +49657,40 @@ function getDebugFilepath() {
   const filepath = dir2.endsWith(".log") ? dir2 : path3__namespace.default.join(dir2, `wrangler-${date}.log`);
   return path3__namespace.default.resolve(filepath);
 }
+async function cleanupOldLogFiles(logsDir) {
+  if (!fs29.existsSync(logsDir)) {
+    return;
+  }
+  const maxAgeDays = 30;
+  const cutoffMs = maxAgeDays * 24 * 60 * 60 * 1e3;
+  try {
+    const files = await fs9.readdir(logsDir);
+    const now = Date.now();
+    for (const f7 of files.filter(
+      (filename) => filename.startsWith("wrangler-") && filename.endsWith(".log")
+    )) {
+      const filePath = path3__namespace.default.join(logsDir, f7);
+      try {
+        const fileStat = await fs9.stat(filePath);
+        if (now - fileStat.mtimeMs > cutoffMs) {
+          await fs9.unlink(filePath);
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
+function tryCleanupLogs() {
+  const debugFileDir = getDebugFileDir();
+  if (hasStartedLogCleanup || debugFileDir.endsWith(".log")) {
+    return;
+  }
+  hasStartedLogCleanup = true;
+  void cleanupOldLogFiles(debugFileDir);
+}
 async function appendToDebugLogFile(messageLevel, message) {
+  tryCleanupLogs();
   const entry = `
 --- ${(/* @__PURE__ */ new Date()).toISOString()} ${messageLevel}
 ${util4.stripVTControlCharacters(message)}
@@ -49684,7 +49724,7 @@ ${util4.stripVTControlCharacters(message)}
     }
   });
 }
-var import_signal_exit, getDebugFileDir, debugLogFilepath, mutex, hasLoggedLocation, hasLoggedError, hasSeenErrorMessage;
+var import_signal_exit, getDebugFileDir, debugLogFilepath, mutex, hasStartedLogCleanup, hasLoggedLocation, hasLoggedError, hasSeenErrorMessage;
 var init_log_file = __esm({
   "src/utils/log-file.ts"() {
     init_import_meta_url();
@@ -49700,8 +49740,11 @@ var init_log_file = __esm({
       }
     });
     __name(getDebugFilepath, "getDebugFilepath");
+    __name(cleanupOldLogFiles, "cleanupOldLogFiles");
     debugLogFilepath = getDebugFilepath();
     mutex = new miniflare.Mutex();
+    hasStartedLogCleanup = false;
+    __name(tryCleanupLogs, "tryCleanupLogs");
     hasLoggedLocation = false;
     hasLoggedError = false;
     hasSeenErrorMessage = false;
@@ -49723,6 +49766,13 @@ function getLoggerLevel() {
   }
   return "log";
 }
+function shouldLogToDisk(isTestEnvironment = typeof vitest !== "undefined") {
+  if (isTestEnvironment) {
+    return false;
+  }
+  const setting = process.env.WRANGLER_WRITE_LOGS?.toLowerCase();
+  return setting !== "false" && setting !== "0";
+}
 function consoleMethodToLoggerLevel(method) {
   if (method in LOGGER_LEVELS) {
     return method;
@@ -49776,6 +49826,7 @@ var init_logger = __esm({
     __name(getLoggerLevel, "getLoggerLevel");
     overrideLoggerLevel = new async_hooks.AsyncLocalStorage();
     runWithLogLevel = /* @__PURE__ */ __name((overrideLogLevel, cb2) => overrideLoggerLevel.run({ logLevel: overrideLogLevel }, cb2), "runWithLogLevel");
+    __name(shouldLogToDisk, "shouldLogToDisk");
     __name(consoleMethodToLoggerLevel, "consoleMethodToLoggerLevel");
     Logger = class _Logger {
       static {
@@ -49865,8 +49916,7 @@ var init_logger = __esm({
       }
       doLog(messageLevel, args) {
         const message = Array.isArray(args) ? this.formatMessage(messageLevel, util4.format(...args)) : args;
-        const inUnitTests = typeof vitest !== "undefined";
-        if (!inUnitTests) {
+        if (shouldLogToDisk()) {
           void appendToDebugLogFile(messageLevel, message);
         }
         if (LOGGER_LEVELS[this.loggerLevel] >= LOGGER_LEVELS[messageLevel]) {
@@ -53968,16 +54018,16 @@ var require_windows = __commonJS({
       return false;
     }
     __name(checkPathExt, "checkPathExt");
-    function checkStat(stat9, path85, options) {
-      if (!stat9.isSymbolicLink() && !stat9.isFile()) {
+    function checkStat(stat10, path85, options) {
+      if (!stat10.isSymbolicLink() && !stat10.isFile()) {
         return false;
       }
       return checkPathExt(path85, options);
     }
     __name(checkStat, "checkStat");
     function isexe(path85, options, cb2) {
-      fs33.stat(path85, function(er2, stat9) {
-        cb2(er2, er2 ? false : checkStat(stat9, path85, options));
+      fs33.stat(path85, function(er2, stat10) {
+        cb2(er2, er2 ? false : checkStat(stat10, path85, options));
       });
     }
     __name(isexe, "isexe");
@@ -53996,8 +54046,8 @@ var require_mode = __commonJS({
     isexe.sync = sync;
     var fs33 = __require("fs");
     function isexe(path85, options, cb2) {
-      fs33.stat(path85, function(er2, stat9) {
-        cb2(er2, er2 ? false : checkStat(stat9, options));
+      fs33.stat(path85, function(er2, stat10) {
+        cb2(er2, er2 ? false : checkStat(stat10, options));
       });
     }
     __name(isexe, "isexe");
@@ -54005,14 +54055,14 @@ var require_mode = __commonJS({
       return checkStat(fs33.statSync(path85), options);
     }
     __name(sync, "sync");
-    function checkStat(stat9, options) {
-      return stat9.isFile() && checkMode(stat9, options);
+    function checkStat(stat10, options) {
+      return stat10.isFile() && checkMode(stat10, options);
     }
     __name(checkStat, "checkStat");
-    function checkMode(stat9, options) {
-      var mod = stat9.mode;
-      var uid = stat9.uid;
-      var gid = stat9.gid;
+    function checkMode(stat10, options) {
+      var mod = stat10.mode;
+      var uid = stat10.uid;
+      var gid = stat10.gid;
       var myUid = options.uid !== void 0 ? options.uid : process.getuid && process.getuid();
       var myGid = options.gid !== void 0 ? options.gid : process.getgid && process.getgid();
       var u8 = parseInt("100", 8);
@@ -55818,7 +55868,7 @@ var name, version;
 var init_package = __esm({
   "package.json"() {
     name = "wrangler";
-    version = "4.90.1";
+    version = "4.91.0";
   }
 });
 function getWranglerVersion() {
@@ -135822,8 +135872,8 @@ var init_esm6 = __esm({
         }
         return this._userIgnored(path85, stats);
       }
-      _isntIgnored(path85, stat9) {
-        return !this._isIgnored(path85, stat9);
+      _isntIgnored(path85, stat10) {
+        return !this._isIgnored(path85, stat10);
       }
       /**
        * Provides a set of common helpers and properties relating to symlink handling.
@@ -139547,7 +139597,8 @@ function getInstanceTypeUsage(instanceType) {
 function inferInstanceType(config) {
   for (const [instanceType, configuration] of Object.entries(instanceTypes)) {
     if (config.vcpu === configuration.vcpu && config.memory_mib === configuration.memory_mib && config.disk?.size_mb === configuration.disk_mb) {
-      return instanceType;
+      const canonical = instanceType in LEGACY_TO_CANONICAL ? LEGACY_TO_CANONICAL[instanceType] : void 0;
+      return canonical ?? instanceType;
     }
   }
 }
@@ -139565,11 +139616,12 @@ function cleanForInstanceType(app) {
   delete app.configuration.vcpu;
   return app;
 }
-var instanceTypes, instanceTypeNames;
+var instanceTypes, instanceTypeNames, LEGACY_TO_CANONICAL;
 var init_instance_type = __esm({
   "src/cloudchamber/instance-type/instance-type.ts"() {
     init_import_meta_url();
     init_interactive();
+    init_containers_shared();
     init_dist();
     instanceTypes = {
       // lite is the default instance type when REQUIRE_INSTANCE_TYPE is set
@@ -139618,6 +139670,10 @@ var init_instance_type = __esm({
     __name(promptForInstanceType, "promptForInstanceType");
     __name(checkInstanceType, "checkInstanceType");
     __name(getInstanceTypeUsage, "getInstanceTypeUsage");
+    LEGACY_TO_CANONICAL = {
+      dev: "lite" /* LITE */,
+      standard: "standard-1" /* STANDARD_1 */
+    };
     __name(inferInstanceType, "inferInstanceType");
     __name(cleanForInstanceType, "cleanForInstanceType");
   }
@@ -179982,8 +180038,8 @@ function getLayerRoutePathString(isArray, lrp) {
   return lrp && lrp.toString();
 }
 function preventDuplicateSegments(originalUrl, reconstructedRoute, layerPath) {
-  const normalizeURL = stripUrlQueryAndFragment(originalUrl || "");
-  const originalUrlSplit = _optionalChain([normalizeURL, "optionalAccess", (_14) => _14.split, "call", (_15) => _15("/"), "access", (_16) => _16.filter, "call", (_17) => _17((v7) => !!v7)]);
+  const normalizeURL2 = stripUrlQueryAndFragment(originalUrl || "");
+  const originalUrlSplit = _optionalChain([normalizeURL2, "optionalAccess", (_14) => _14.split, "call", (_15) => _15("/"), "access", (_16) => _16.filter, "call", (_17) => _17((v7) => !!v7)]);
   let tempCounter = 0;
   const currentOffset = _optionalChain([reconstructedRoute, "optionalAccess", (_18) => _18.split, "call", (_19) => _19("/"), "access", (_20) => _20.filter, "call", (_21) => _21((v7) => !!v7), "access", (_22) => _22.length]) || 0;
   const result = _optionalChain([
@@ -233995,8 +234051,8 @@ async function locatePath(paths, {
   const statFunction = allowSymlinks ? fs29.promises.stat : fs29.promises.lstat;
   return pLocate(paths, async (path_) => {
     try {
-      const stat9 = await statFunction(path3__namespace.default.resolve(cwd2, path_));
-      return matchType(type, stat9);
+      const stat10 = await statFunction(path3__namespace.default.resolve(cwd2, path_));
+      return matchType(type, stat10);
     } catch {
       return false;
     }
@@ -234012,7 +234068,7 @@ var init_locate_path = __esm({
       file: "isFile"
     };
     __name(checkType, "checkType");
-    matchType = /* @__PURE__ */ __name((type, stat9) => stat9[typeMappings[type]](), "matchType");
+    matchType = /* @__PURE__ */ __name((type, stat10) => stat10[typeMappings[type]](), "matchType");
     toPath = /* @__PURE__ */ __name((urlOrPath) => urlOrPath instanceof URL ? Url.fileURLToPath(urlOrPath) : urlOrPath, "toPath");
     __name(locatePath, "locatePath");
   }
@@ -247848,6 +247904,7 @@ ${JSON.stringify(defaultRoutesJSONSpec, null, 2)}`
             tsconfig: void 0,
             minify: void 0,
             legacyEnv: void 0,
+            tunnelName: void 0,
             env: void 0,
             envFile: void 0,
             ip,
@@ -285502,6 +285559,8 @@ function getBindingValue(binding) {
   switch (binding.type) {
     case "plain_text":
       return `"${binding.text}"`;
+    case "json":
+      return JSON.stringify(binding.json);
     case "secret_text":
       return "********";
     case "kv_namespace":
@@ -285551,10 +285610,7 @@ function extractConfigBindings(config) {
   const env6 = {};
   const vars = previews?.vars ?? {};
   for (const [name2, value] of Object.entries(vars)) {
-    env6[name2] = {
-      type: "plain_text",
-      text: typeof value === "string" ? value : JSON.stringify(value)
-    };
+    env6[name2] = typeof value === "string" ? { type: "plain_text", text: value } : { type: "json", json: value };
   }
   for (const kv of previews?.kv_namespaces ?? []) {
     env6[kv.binding] = { type: "kv_namespace", namespace_id: kv.id };
@@ -285570,10 +285626,14 @@ function extractConfigBindings(config) {
     env6[r22.binding] = { type: "r2_bucket", bucket_name: r22.bucket_name };
   }
   for (const service of previews?.services ?? []) {
+    const crossAccountGrant = service.cross_account_grant;
     env6[service.binding] = {
       type: "service",
       service: service.service,
-      entrypoint: service.entrypoint
+      entrypoint: service.entrypoint,
+      ...crossAccountGrant !== void 0 && {
+        cross_account_grant: crossAccountGrant
+      }
     };
   }
   for (const doBinding of previews?.durable_objects?.bindings ?? []) {
@@ -285700,6 +285760,10 @@ function extractConfigBindings(config) {
   if (config.assets?.binding) {
     env6[config.assets.binding] = { type: "assets" };
   }
+  for (const binding of previews?.unsafe?.bindings ?? []) {
+    const { name: name2, type, ...rest } = binding;
+    env6[name2] = { type, ...rest };
+  }
   return env6;
 }
 function assemblePreviewScriptSettings(config) {
@@ -294061,13 +294125,13 @@ function validateBulkPutFile(filename) {
         telemetryMessage: "r2 object bulk put entry file not found"
       });
     }
-    const stat9 = fs29__namespace.default.statSync(entry.file, { throwIfNoEntry: false });
-    if (!stat9?.isFile()) {
+    const stat10 = fs29__namespace.default.statSync(entry.file, { throwIfNoEntry: false });
+    if (!stat10?.isFile()) {
       throw new UserError(`The path "${entry.file}" is not a file.`, {
         telemetryMessage: "r2 object bulk put entry path not file"
       });
     }
-    if (stat9.size > MAX_UPLOAD_SIZE_BYTES) {
+    if (stat10.size > MAX_UPLOAD_SIZE_BYTES) {
       throw new UserError(
         `The file "${entry.file}" exceeds the maximum upload size of ${prettyBytes(
           MAX_UPLOAD_SIZE_BYTES,
@@ -294076,7 +294140,7 @@ function validateBulkPutFile(filename) {
         { telemetryMessage: "r2 object bulk put entry file too large" }
       );
     }
-    entry.size = stat9.size;
+    entry.size = stat10.size;
   }
   return entries2;
 }
@@ -296860,6 +296924,119 @@ async function getTunnelToken(sdk, accountId, tunnelId) {
     return String(response);
   });
 }
+async function resolveNamedTunnel(name2, origin, options) {
+  let accountId = options.accountId;
+  if (!accountId) {
+    accountId = await requireAuth({
+      account_id: options.accountId,
+      compliance_region: options.complianceRegion
+    });
+  }
+  const sdk = createCloudflareClient({
+    compliance_region: options.complianceRegion
+  });
+  const tunnel = await withTunnelErrorHandling(async () => {
+    for await (const item of sdk.zeroTrust.tunnels.cloudflared.list({
+      account_id: accountId,
+      name: name2,
+      is_deleted: false
+    })) {
+      if (item.name === name2) {
+        return normalizeTunnelResponse(item);
+      }
+    }
+    return null;
+  });
+  if (!tunnel) {
+    throw new UserError(
+      `No Cloudflare Tunnel named "${name2}" was found in this account. Use "wrangler tunnel list" to see available tunnels.`,
+      { telemetryMessage: "tunnel resolve named missing tunnel" }
+    );
+  }
+  const tunnelId = tunnel.id;
+  if (!tunnelId) {
+    throw new FatalError(
+      `Tunnel "${name2}" was found but has no ID. This is unexpected.`,
+      { telemetryMessage: "tunnel resolve named missing tunnel id" }
+    );
+  }
+  const configuration = await withTunnelErrorHandling(
+    () => sdk.zeroTrust.tunnels.cloudflared.configurations.get(tunnelId, {
+      account_id: accountId
+    })
+  );
+  const hostnames = getMatchingIngressHostnames(
+    origin,
+    configuration.config?.ingress ?? []
+  );
+  if (hostnames.length === 0) {
+    throw new UserError(
+      createMissingIngressMessage(
+        name2,
+        origin,
+        `https://dash.cloudflare.com/${accountId}/tunnels/${tunnelId}`,
+        configuration.config?.ingress ?? []
+      ),
+      { telemetryMessage: "tunnel resolve named ingress mismatch" }
+    );
+  }
+  const token = await getTunnelToken(sdk, accountId, tunnelId);
+  return { hostnames, token };
+}
+function getMatchingIngressHostnames(origin, ingressConfig) {
+  const hostnames = /* @__PURE__ */ new Set();
+  const originUrl = normalizeURL(origin);
+  for (const ingress of ingressConfig) {
+    try {
+      const serviceUrl = normalizeURL(ingress.service);
+      if (ingress.hostname && serviceUrl.toString() === originUrl.toString()) {
+        hostnames.add(ingress.hostname);
+      }
+    } catch {
+    }
+  }
+  return [...hostnames];
+}
+function normalizeURL(url4) {
+  const normalizedUrl = new URL(url4);
+  if (LOCAL_TUNNEL_HOSTNAMES.has(normalizedUrl.hostname)) {
+    normalizedUrl.hostname = "localhost";
+  }
+  if (!normalizedUrl.port) {
+    switch (normalizedUrl.protocol) {
+      case "http:":
+        normalizedUrl.port = "80";
+        break;
+      case "https:":
+        normalizedUrl.port = "443";
+        break;
+    }
+  }
+  return normalizedUrl;
+}
+function createMissingIngressMessage(name2, origin, dashboardUrl, ingress) {
+  if (ingress.length === 0) {
+    return [
+      `Tunnel "${name2}" has no routes configured.`,
+      "",
+      `Add a route for ${origin} in the Cloudflare dashboard:`,
+      dashboardUrl,
+      ""
+    ].join("\n");
+  }
+  return [
+    `Tunnel "${name2}" has no route for ${origin}`,
+    "",
+    "Resolved routes:",
+    ...ingress.map(
+      ({ hostname: hostname2, service }) => `  - ${hostname2 ?? "(no hostname)"} -> ${service}`
+    ),
+    "",
+    "Update your local server settings or the tunnel routes in the Cloudflare dashboard:",
+    dashboardUrl,
+    ""
+  ].join("\n");
+}
 function normalizeTunnelResponse(response) {
   return response;
 }
@@ -296902,12 +297079,21 @@ async function resolveTunnelId(sdk, accountId, input) {
   }
   return tunnelId;
 }
-var TUNNEL_PERMISSION_ERROR_MESSAGE, TUNNEL_ID_REGEX;
+var LOCAL_TUNNEL_HOSTNAMES, TUNNEL_PERMISSION_ERROR_MESSAGE, TUNNEL_ID_REGEX;
 var init_client12 = __esm({
   "src/tunnel/client.ts"() {
     init_import_meta_url();
     init_dist();
     init_cloudflare();
+    init_internal();
+    init_user3();
+    LOCAL_TUNNEL_HOSTNAMES = /* @__PURE__ */ new Set([
+      "localhost",
+      "127.0.0.1",
+      "::1",
+      "0.0.0.0",
+      "::"
+    ]);
     TUNNEL_PERMISSION_ERROR_MESSAGE = `
 Cloudflare Tunnel commands require API token authentication with tunnel permissions.
 
@@ -296930,6 +297116,10 @@ Then run your tunnel command again.
     __name(listTunnels, "listTunnels");
     __name(deleteTunnel, "deleteTunnel");
     __name(getTunnelToken, "getTunnelToken");
+    __name(resolveNamedTunnel, "resolveNamedTunnel");
+    __name(getMatchingIngressHostnames, "getMatchingIngressHostnames");
+    __name(normalizeURL, "normalizeURL");
+    __name(createMissingIngressMessage, "createMissingIngressMessage");
     __name(normalizeTunnelResponse, "normalizeTunnelResponse");
     TUNNEL_ID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
     __name(isTunnelId, "isTunnelId");
@@ -315072,8 +315262,12 @@ var init_dev2 = __esm({
           type: "boolean"
         },
         tunnel: {
-          describe: "Expose your local dev server via a Cloudflare Quick Tunnel (https://try.cloudflare.com)",
+          describe: "Expose your local dev server via a Cloudflare Tunnel. Use `--tunnel` for a Quick Tunnel and `--tunnel-name` with `--tunnel` for a named tunnel.",
           type: "boolean"
+        },
+        "tunnel-name": {
+          describe: "Use an existing named Cloudflare Tunnel when `--tunnel` is enabled.",
+          type: "string"
         }
       },
       async validateArgs(args) {
@@ -317002,7 +317196,7 @@ var init_ProxyController = __esm({
             logger.debug("[ProxyWorker]", ...message.args);
             break;
           case "sseResponseDetected":
-            if (this.latestConfig?.dev?.tunnel) {
+            if (this.latestConfig?.dev?.tunnel?.enabled && this.latestConfig.dev.tunnel.name === void 0) {
               logger.once.warn(
                 "Quick tunnels do not support Server-Sent Events (SSE). Use a named Cloudflare Tunnel if you need SSE over a public URL."
               );
@@ -319069,6 +319263,13 @@ function cli_hotkeys_default(options, render2 = true) {
 \u2570\u2500\u2500${"\u2500".repeat(maxLineLength)}\u2500\u2500\u256F`;
   }
   __name(formatInstructions, "formatInstructions");
+  function isKeyMatch(input, key) {
+    if (input === key) {
+      return true;
+    }
+    return /^[a-z]$/.test(key) && input === `shift+${key}`;
+  }
+  __name(isKeyMatch, "isKeyMatch");
   const unregisterKeyPress = onKeyPress(async (key) => {
     const entries2 = [];
     if (key.name) {
@@ -319088,7 +319289,7 @@ function cli_hotkeys_default(options, render2 = true) {
       if (unwrapHook(disabled)) {
         continue;
       }
-      if (keys.includes(char)) {
+      if (keys.some((registeredKey) => isKeyMatch(char, registeredKey))) {
         try {
           await handler();
         } catch {
@@ -319122,7 +319323,7 @@ var init_cli_hotkeys = __esm({
   }
 });
 function registerDevHotKeys(devEnvs, args, options = {}) {
-  const { render: render2 = true, getTunnel: getTunnel2 } = options;
+  const { render: render2 = true, tunnelManager } = options;
   const primaryDevEnv = devEnvs[0];
   const unregisterHotKeys = cli_hotkeys_default(
     [
@@ -319196,7 +319397,7 @@ function registerDevHotKeys(devEnvs, args, options = {}) {
       {
         keys: ["l"],
         // Remote mode is not supported when using tunnels
-        disabled: /* @__PURE__ */ __name(() => args.forceLocal || args.tunnel, "disabled"),
+        disabled: /* @__PURE__ */ __name(() => args.forceLocal || !!tunnelManager?.isOpen(), "disabled"),
         handler: /* @__PURE__ */ __name(async () => {
           await primaryDevEnv.config.patch({
             dev: {
@@ -319207,16 +319408,29 @@ function registerDevHotKeys(devEnvs, args, options = {}) {
         }, "handler")
       },
       {
-        // We remind users about the tunnel hotkey every 10mins
-        // Hiding this hotkey to reduce noise on startup
         keys: ["t"],
-        disabled: /* @__PURE__ */ __name(() => !args.tunnel, "disabled"),
+        label: /* @__PURE__ */ __name(() => tunnelManager?.isOpen() ? "close tunnel" : "start tunnel", "label"),
+        disabled: /* @__PURE__ */ __name(() => primaryDevEnv.config.latestConfig?.dev?.remote === true, "disabled"),
         handler: /* @__PURE__ */ __name(async () => {
-          const tunnel = getTunnel2?.();
-          if (!tunnel) {
-            return;
+          try {
+            if (!tunnelManager?.isOpen()) {
+              await tunnelManager?.start(true);
+              return;
+            }
+            await tunnelManager.stop();
+          } catch (error2) {
+            logger.error(
+              error2 instanceof Error ? error2.message : String(error2)
+            );
           }
-          tunnel.extendExpiry();
+        }, "handler")
+      },
+      {
+        keys: ["a"],
+        label: "extend tunnel by 1 hour",
+        disabled: /* @__PURE__ */ __name(() => !tunnelManager?.isOpen(), "disabled"),
+        handler: /* @__PURE__ */ __name(async () => {
+          tunnelManager?.getTunnel()?.extendExpiry();
         }, "handler")
       },
       {
@@ -319264,6 +319478,126 @@ var init_hotkeys = __esm({
     __name(registerDevHotKeys, "registerDevHotKeys");
   }
 });
+
+// src/tunnel/dev.ts
+var TunnelManager;
+var init_dev3 = __esm({
+  "src/tunnel/dev.ts"() {
+    init_import_meta_url();
+    init_colors();
+    init_dist();
+    init_source();
+    init_start_dev();
+    init_logger();
+    init_client12();
+    TunnelManager = class {
+      static {
+        __name(this, "TunnelManager");
+      }
+      primaryDevEnv;
+      args;
+      tunnel;
+      constructor(primaryDevEnv, args) {
+        this.primaryDevEnv = primaryDevEnv;
+        this.args = args;
+      }
+      getTunnel() {
+        return this.tunnel;
+      }
+      isOpen() {
+        return this.tunnel !== void 0;
+      }
+      async start(shortcutPressed = false) {
+        if (this.tunnel) {
+          return;
+        }
+        logger.log(dim("\u2394 Starting tunnel (usually takes a few seconds)..."));
+        const origin = this.getTunnelOrigin();
+        const tunnelConfig = this.getCurrentTunnelConfig();
+        const isQuickTunnel = tunnelConfig?.name === void 0;
+        logger.warn(
+          (isQuickTunnel ? source_default.dim("Once connected, this tunnel will be ") + "publicly accessible" : source_default.dim(
+            "Once connected, this tunnel may be reachable from the Internet"
+          )) + source_default.dim(". Anyone who can reach it can:\n") + source_default.dim(
+            "- Call ungated endpoints\n- Trigger logic that uses remote bindings\n- Reach internal services if your Worker proxies requests\n\n" + (isQuickTunnel ? "Consider using a named tunnel with Cloudflare Access to restrict access.\n" : "Consider using Cloudflare Access to restrict access.\n")
+          ) + (shortcutPressed ? "\nPress [t] again to close the tunnel." : "")
+        );
+        const namedTunnel = tunnelConfig?.name !== void 0 ? await resolveNamedTunnel(tunnelConfig.name, origin, {
+          accountId: this.args.accountId,
+          complianceRegion: this.primaryDevEnv.config.latestConfig?.complianceRegion
+        }) : void 0;
+        const nextTunnel = startTunnel({
+          origin,
+          token: namedTunnel?.token,
+          extendHint: "Press [a] to extend by 1 hour.",
+          logger
+        });
+        this.tunnel = nextTunnel;
+        try {
+          const result = await nextTunnel.ready();
+          if (this.tunnel !== nextTunnel) {
+            return;
+          }
+          await this.syncTunnelState(true);
+          this.logTunnelDetails(result, namedTunnel);
+        } catch (error2) {
+          if (this.tunnel === nextTunnel) {
+            this.tunnel = void 0;
+            await this.syncTunnelState(false);
+          }
+          throw error2;
+        }
+      }
+      async stop() {
+        if (!this.tunnel) {
+          return;
+        }
+        logger.log(dim("\u2394 Closing tunnel..."));
+        this.tunnel.dispose();
+        this.tunnel = void 0;
+        await this.syncTunnelState(false);
+        logger.log("\u2B23 Tunnel closed");
+      }
+      getCurrentTunnelConfig() {
+        return this.primaryDevEnv.config.latestConfig?.dev?.tunnel;
+      }
+      getTunnelOrigin() {
+        const config = this.primaryDevEnv.config.latestConfig;
+        const protocol = config?.dev?.server?.secure ? "https" : "http";
+        const hostname2 = config?.dev?.server?.hostname ?? "localhost";
+        const port = config?.dev?.server?.port ?? 8787;
+        return new URL(`${protocol}://${formatHostname(hostname2)}:${port}`);
+      }
+      async syncTunnelState(enabled) {
+        const latestDevConfig = this.primaryDevEnv.config.latestConfig?.dev;
+        if (!latestDevConfig?.tunnel || latestDevConfig.tunnel.enabled === enabled) {
+          return;
+        }
+        await this.primaryDevEnv.config.patch({
+          dev: {
+            ...latestDevConfig,
+            tunnel: {
+              ...latestDevConfig.tunnel,
+              enabled
+            }
+          }
+        });
+      }
+      logTunnelDetails(result, namedTunnel) {
+        const publicUrls = result.mode === "quick" ? [result.publicUrl.toString()] : namedTunnel ? namedTunnel.hostnames.map((hostname2) => `https://${hostname2}`) : [];
+        if (publicUrls.length === 1) {
+          logger.log(
+            `\u2B23 Sharing via Cloudflare Tunnel: ${source_default.green(publicUrls[0])}`
+          );
+        } else if (publicUrls.length > 1) {
+          logger.log(
+            "\u2B23 Sharing via Cloudflare Tunnel:\n" + publicUrls.map((url4) => `   ${source_default.green(url4)}`).join("\n")
+          );
+        }
+      }
+    };
+  }
+});
 function constructRedirects({
   redirects,
   redirectsFile,
@@ -321545,7 +321879,7 @@ var init_assets6 = __esm({
 });
 async function startDev(args) {
   let devEnv;
-  let tunnel;
+  let tunnelManager;
   let unregisterHotKeys;
   try {
     if (args.logLevel) {
@@ -321562,7 +321896,10 @@ async function startDev(args) {
           unregisterHotKeys = registerDevHotKeys(
             Array.isArray(devEnv) ? devEnv : [devEnv],
             args,
-            { getTunnel: /* @__PURE__ */ __name(() => tunnel, "getTunnel"), render: false }
+            {
+              tunnelManager,
+              render: false
+            }
           );
         }
       }
@@ -321610,21 +321947,19 @@ async function startDev(args) {
           })
         )
       );
-      if (isInteractive3() && args.showInteractiveDevSession !== false) {
-        unregisterHotKeys = registerDevHotKeys(devEnv, args, {
-          getTunnel: /* @__PURE__ */ __name(() => tunnel, "getTunnel")
-        });
-      }
     } else {
       devEnv = new exports.unstable_DevEnv();
       await setupDevEnv(devEnv, args.config, authHook, args);
-      if (isInteractive3() && args.showInteractiveDevSession !== false) {
-        unregisterHotKeys = registerDevHotKeys([devEnv], args, {
-          getTunnel: /* @__PURE__ */ __name(() => tunnel, "getTunnel")
-        });
-      }
     }
-    const [primaryDevEnv, ...secondary] = Array.isArray(devEnv) ? devEnv : [devEnv];
+    const devEnvs = Array.isArray(devEnv) ? devEnv : [devEnv];
+    const [primaryDevEnv, ...secondary] = devEnvs;
+    tunnelManager = new TunnelManager(primaryDevEnv, args);
+    primaryDevEnv.on("teardown", () => {
+      tunnelManager?.getTunnel()?.dispose();
+    });
+    if (isInteractive3() && args.showInteractiveDevSession !== false) {
+      unregisterHotKeys = registerDevHotKeys(devEnvs, args, { tunnelManager });
+    }
     void primaryDevEnv.proxy.ready.promise.then(({ url: url4 }) => {
       if (args.onReady) {
         args.onReady(url4.hostname, parseInt(url4.port));
@@ -321645,32 +321980,7 @@ async function startDev(args) {
       maybePrintScheduledWorkerWarning(hasCrons, !!args.testScheduled, url4);
     });
     if (args.tunnel) {
-      const config = primaryDevEnv.config.latestConfig;
-      const protocol = config?.dev?.server?.secure ? "https" : "http";
-      const hostname2 = config?.dev?.server?.hostname ?? "localhost";
-      const port = config?.dev?.server?.port ?? 8787;
-      const origin = new URL(
-        `${protocol}://${formatHostname(hostname2)}:${port}`
-      );
-      logger.log(dim("\u2394 Starting tunnel (usually takes a few seconds)..."));
-      tunnel = startTunnel({
-        origin,
-        extendHint: "Press [t] to extend by 1 hour.",
-        logger
-      });
-      primaryDevEnv.on("teardown", () => {
-        tunnel?.dispose();
-      });
-      const { publicUrl } = await tunnel.ready();
-      logger.log(
-        `\u2B23 Sharing via Cloudflare Tunnel: ${source_default.green(publicUrl.origin)}
-`
-      );
-      logger.warn(
-        source_default.dim("This URL is ") + "publicly accessible" + source_default.dim(". Anyone with it can:\n") + source_default.dim(
-          "- Call ungated endpoints\n- Trigger logic that uses remote bindings\n- Reach internal services if your Worker proxies requests\n\nConsider using a named tunnel with Cloudflare Access to restrict access."
-        )
-      );
+      await tunnelManager.start();
     }
     return {
       devEnv: primaryDevEnv,
@@ -321684,7 +321994,7 @@ async function startDev(args) {
         unregisterHotKeys?.();
       })(),
       (async () => {
-        tunnel?.dispose();
+        tunnelManager?.getTunnel()?.dispose();
       })()
     ]);
     throw e10;
@@ -321763,7 +322073,10 @@ async function setupDevEnv(devEnv, configPath, auth, args) {
         // initialise with a random id
         containerBuildId: generateContainerBuildId(),
         generateTypes: args.types,
-        tunnel: args.tunnel
+        tunnel: {
+          enabled: args.tunnel ?? false,
+          name: args.tunnelName
+        }
       },
       legacy: {
         site: /* @__PURE__ */ __name((configParam) => {
@@ -321832,7 +322145,6 @@ var init_start_dev = __esm({
     init_colors();
     init_containers_shared();
     init_dist();
-    init_source();
     init_esm2();
     init_api4();
     init_MultiworkerRuntimeController();
@@ -321843,6 +322155,7 @@ var init_start_dev = __esm({
     init_is_interactive();
     init_logger();
     init_sites2();
+    init_dev3();
     init_user3();
     init_collectKeyValues();
     __name(startDev, "startDev");
@@ -321967,7 +322280,8 @@ unstable_dev()'s behaviour will likely change in future releases`
     dockerPath,
     containerEngine: options?.experimental?.containerEngine,
     types: false,
-    tunnel: void 0
+    tunnel: void 0,
+    tunnelName: void 0
   };
   const devServer = await run(
     {
@@ -322013,7 +322327,7 @@ function parseRequestInput(readyAddress, readyPort, input = "/", init4, protocol
   return [url4, forward];
 }
 var import_undici31;
-var init_dev3 = __esm({
+var init_dev4 = __esm({
   "src/api/dev.ts"() {
     init_import_meta_url();
     init_dist();
@@ -322372,7 +322686,7 @@ var init_integrations6 = __esm({
 var init_api4 = __esm({
   "src/api/index.ts"() {
     init_import_meta_url();
-    init_dev3();
+    init_dev4();
     init_pages4();
     init_generate_types();
     init_mtls_certificate();
@@ -322489,6 +322803,7 @@ init_esm();
 init_api4();
 init_src3();
 init_print_bindings();
+init_client12();
 init_splitter();
 init_dist();
 init_dist();
@@ -323178,5 +323493,6 @@ exports.unstable_getVarsForDev = getVarsForDev;
 exports.unstable_getWorkerNameFromProject = getWorkerNameFromProject;
 exports.unstable_printBindings = printBindings;
 exports.unstable_readConfig = readConfig;
+exports.unstable_resolveNamedTunnel = resolveNamedTunnel;
 exports.unstable_splitSqlQuery = splitSqlQuery;
 exports.unstable_startWorker = startWorker;