Address Cloudflare adapter review feedback

Author: caydyan

packages/cloud/cloudflare/README.md

@@ -11,6 +11,8 @@ Provides the Cloudflare (R2 / D1 / Queues / Tunnels) cloud provider adapter for
 
 Set `resourceType` to one of `r2-bucket`, `d1-database`, `queue`, or `tunnel` when provisioning a specific resource. Without `resourceType`, `object-storage` specs create R2 buckets and `managed-db` specs create D1 databases.
 
+Tunnel provisioning requires `tunnelSecret` in the Cloudflare cloud config. The adapter sends that caller-owned secret to Cloudflare and does not generate or return connector credentials.
+
 ## Package
 
 - Name: `@profullstack/sh1pt-cloud-cloudflare`

packages/cloud/cloudflare/src/index.test.ts

@@ -92,7 +92,7 @@ describe('Cloudflare cloud adapter', () => {
   it('lists supported Cloudflare resources', async () => {
     vi.stubGlobal('fetch', vi.fn(async (url: string) => {
       const { pathname } = new URL(url);
-      if (pathname.endsWith('/r2/buckets')) return ok([{ name: 'assets', creation_date: '2026-06-14T00:00:00Z' }]);
+      if (pathname.endsWith('/r2/buckets')) return ok({ buckets: [{ name: 'assets', creation_date: '2026-06-14T00:00:00Z' }] });
       if (pathname.endsWith('/d1/database')) return ok([{ uuid: 'db-1', name: 'main', created_at: '2026-06-14T00:00:00Z' }]);
       if (pathname.endsWith('/queues')) return ok([{ queue_id: 'queue-1', queue_name: 'jobs', created_on: '2026-06-14T00:00:00Z' }]);
       if (pathname.endsWith('/cfd_tunnel')) return ok([{ id: 'tun-1', name: 'edge', status: 'healthy', created_at: '2026-06-14T00:00:00Z' }]);
@@ -107,6 +107,8 @@ describe('Cloudflare cloud adapter', () => {
       'r2:assets',
       'tunnel:tun-1',
     ]);
+    expect(instances.find((instance) => instance.id === 'queue:queue-1')?.kind).toBe('object-storage');
+    expect(instances.find((instance) => instance.id === 'tunnel:tun-1')?.kind).toBe('object-storage');
     expect(instances.find((instance) => instance.id === 'tunnel:tun-1')?.status).toBe('running');
   });
 
@@ -122,6 +124,45 @@ describe('Cloudflare cloud adapter', () => {
     expect(instance).toMatchObject({ id: 'queue:queue-1', status: 'running', sku: 'queue' });
   });
 
+  it('requires a caller-supplied tunnel secret when creating a tunnel', async () => {
+    const fetchMock = vi.fn();
+    vi.stubGlobal('fetch', fetchMock);
+
+    await expect(adapter.provision(
+      provisionCtx(),
+      { kind: 'object-storage', region: 'auto' },
+      { accountId: 'acct-1', resourceType: 'tunnel', name: 'edge' },
+    )).rejects.toThrow('Cloudflare tunnel provisioning requires config.tunnelSecret');
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it('creates a tunnel with a caller-supplied tunnel secret', async () => {
+    const fetchMock = vi.fn(async (url: string, init: RequestInit) => {
+      expect(url).toBe(`${API}/accounts/acct-1/cfd_tunnel`);
+      expect(init.method).toBe('POST');
+      expect(JSON.parse(String(init.body))).toEqual({
+        name: 'edge',
+        config_src: 'cloudflare',
+        tunnel_secret: 'known-secret',
+      });
+      return ok({ id: 'tun-1', name: 'edge', status: 'healthy', created_at: '2026-06-14T00:00:00Z' });
+    });
+    vi.stubGlobal('fetch', fetchMock);
+
+    const instance = await adapter.provision(
+      provisionCtx(),
+      { kind: 'managed-db', region: 'auto' },
+      { accountId: 'acct-1', resourceType: 'tunnel', name: 'edge', tunnelSecret: 'known-secret' },
+    );
+
+    expect(instance).toMatchObject({
+      id: 'tunnel:tun-1',
+      kind: 'object-storage',
+      status: 'running',
+      sku: 'tunnel',
+    });
+  });
+
   it('deletes the prefixed resource id', async () => {
     const fetchMock = vi.fn(async (url: string, init: RequestInit) => {
       expect(url).toBe(`${API}/accounts/acct-1/cfd_tunnel/tun-1`);

packages/cloud/cloudflare/src/index.ts

@@ -1,4 +1,3 @@
-import { randomBytes } from 'node:crypto';
 import {
   defineCloud,
   tokenSetup,
@@ -109,7 +108,8 @@ export default defineCloud<Config>({
     }
 
     const name = safeName(config.name ?? `sh1pt-${resourceType}-${Date.now().toString(36)}`);
-    if (ctx.dryRun) return dryRunInstance(resourceType, name, spec.kind, quote, spec.region);
+    const kind = kindForResource(resourceType);
+    if (ctx.dryRun) return dryRunInstance(resourceType, name, kind, quote, spec.region);
 
     const accountId = await resolveAccountId(ctx, config);
 
@@ -122,7 +122,7 @@ export default defineCloud<Config>({
           `/accounts/${encodeURIComponent(accountId)}/r2/buckets`,
           { name },
         );
-        return bucketInstance(result, spec.kind, quote, spec.region);
+        return bucketInstance(result, kind, quote, spec.region);
       }
       case 'd1-database': {
         const { result } = await cfRequest<D1Database>(
@@ -135,7 +135,7 @@ export default defineCloud<Config>({
             primary_location_hint: spec.region ?? config.defaultRegion,
           },
         );
-        return d1Instance(result, spec.kind, quote, spec.region ?? config.defaultRegion);
+        return d1Instance(result, kind, quote, spec.region ?? config.defaultRegion);
       }
       case 'queue': {
         const { result } = await cfRequest<Queue>(
@@ -145,9 +145,12 @@ export default defineCloud<Config>({
           `/accounts/${encodeURIComponent(accountId)}/queues`,
           { queue_name: name },
         );
-        return queueInstance(result, spec.kind, quote, spec.region);
+        return queueInstance(result, kind, quote, spec.region);
       }
       case 'tunnel': {
+        if (!config.tunnelSecret) {
+          throw new Error('Cloudflare tunnel provisioning requires config.tunnelSecret so the connector secret is not generated and lost');
+        }
         const { result } = await cfRequest<Tunnel>(
           ctx,
           config,
@@ -156,10 +159,10 @@ export default defineCloud<Config>({
           {
             name,
             config_src: 'cloudflare',
-            tunnel_secret: config.tunnelSecret ?? randomBytes(32).toString('base64'),
+            tunnel_secret: config.tunnelSecret,
           },
         );
-        return tunnelInstance(result, spec.kind, quote, spec.region);
+        return tunnelInstance(result, kind, quote, spec.region);
       }
     }
   },
@@ -198,19 +201,19 @@ export default defineCloud<Config>({
     switch (resource.type) {
       case 'r2-bucket': {
         const { result } = await cfRequest<R2Bucket>(ctx, config, 'GET', `/accounts/${encodeURIComponent(accountId)}/r2/buckets/${encodeURIComponent(resource.nativeId)}`);
-        return bucketInstance(result, 'object-storage', quote);
+        return bucketInstance(result, kindForResource(resource.type), quote);
       }
       case 'd1-database': {
         const { result } = await cfRequest<D1Database>(ctx, config, 'GET', `/accounts/${encodeURIComponent(accountId)}/d1/database/${encodeURIComponent(resource.nativeId)}`);
-        return d1Instance(result, 'managed-db', quote);
+        return d1Instance(result, kindForResource(resource.type), quote);
       }
       case 'queue': {
         const { result } = await cfRequest<Queue>(ctx, config, 'GET', `/accounts/${encodeURIComponent(accountId)}/queues/${encodeURIComponent(resource.nativeId)}`);
-        return queueInstance(result, 'object-storage', quote);
+        return queueInstance(result, kindForResource(resource.type), quote);
       }
       case 'tunnel': {
         const { result } = await cfRequest<Tunnel>(ctx, config, 'GET', `/accounts/${encodeURIComponent(accountId)}/cfd_tunnel/${encodeURIComponent(resource.nativeId)}`);
-        return tunnelInstance(result, 'object-storage', quote);
+        return tunnelInstance(result, kindForResource(resource.type), quote);
       }
     }
   },
@@ -240,16 +243,16 @@ async function listResource(
   switch (resourceType) {
     case 'r2-bucket':
       return (await cfListAll<R2Bucket>(ctx, config, `/accounts/${account}/r2/buckets`, 'buckets'))
-        .map((bucket) => bucketInstance(bucket, 'object-storage', zeroQuote('r2-bucket')));
+        .map((bucket) => bucketInstance(bucket, kindForResource('r2-bucket'), zeroQuote('r2-bucket')));
     case 'd1-database':
       return (await cfListAll<D1Database>(ctx, config, `/accounts/${account}/d1/database`, 'databases'))
-        .map((db) => d1Instance(db, 'managed-db', zeroQuote('d1-database')));
+        .map((db) => d1Instance(db, kindForResource('d1-database'), zeroQuote('d1-database')));
     case 'queue':
       return (await cfListAll<Queue>(ctx, config, `/accounts/${account}/queues`, 'queues'))
-        .map((queue) => queueInstance(queue, 'object-storage', zeroQuote('queue')));
+        .map((queue) => queueInstance(queue, kindForResource('queue'), zeroQuote('queue')));
     case 'tunnel':
       return (await cfListAll<Tunnel>(ctx, config, `/accounts/${account}/cfd_tunnel`, 'tunnels'))
-        .map((tunnel) => tunnelInstance(tunnel, 'object-storage', zeroQuote('tunnel')));
+        .map((tunnel) => tunnelInstance(tunnel, kindForResource('tunnel'), zeroQuote('tunnel')));
   }
 }
 
@@ -345,6 +348,17 @@ function resourceTypeFor(spec: InstanceSpec, config: Config): ResourceType {
   throw new Error(`cloud-cloudflare supports object-storage and managed-db specs; got ${spec.kind}`);
 }
 
+function kindForResource(resourceType: ResourceType): InstanceKind {
+  switch (resourceType) {
+    case 'r2-bucket':
+    case 'queue':
+    case 'tunnel':
+      return 'object-storage';
+    case 'd1-database':
+      return 'managed-db';
+  }
+}
+
 function listResourceTypes(config: Config): ResourceType[] {
   if (config.resourceType === 'worker') {
     throw new Error('Cloudflare Workers scripts are handled by the deploy-workers target, not cloud-cloudflare');