feat: agnostic tunnel system — bring your own tunnel provider

New Tunnel trait + 5 implementations: - NoneTunnel: local-only, no external exposure (default) - CloudflareTunnel: wraps cloudflared binary, extracts public URL - TailscaleTunnel: tailscale serve (tailnet) or funnel (public) - NgrokTunnel: wraps ngrok binary, supports custom domains - CustomTunnel: user-provided command with {port}/{host} placeholders Config schema: - [tunnel] section with provider selector - Provider-specific sub-configs: cloudflare, tailscale, ngrok, custom - Backward compatible (serde default = "none") Gateway integration: - Tunnel starts automatically on 'zeroclaw gateway' - Prints public URL on success, falls back to local on failure 20 new tests (factory, constructors, NoneTunnel async start/health) 649 tests passing, 0 clippy warnings, cargo fmt clean
2026-02-13 16:25:01 -05:00 · 2026-02-13 16:25:01 -05:00 · 390cbc0a6c
commit 390cbc0a6c
parent bc31e4389b
12 changed files with 967 additions and 4 deletions
--- a/src/tunnel/ngrok.rs
+++ b/src/tunnel/ngrok.rs
@ -0,0 +1,121 @@
+use super::{kill_shared, new_shared_process, SharedProcess, Tunnel, TunnelProcess};
+use anyhow::{bail, Result};
+use tokio::io::AsyncBufReadExt;
+use tokio::process::Command;
+
+/// ngrok Tunnel — wraps the `ngrok` binary.
+///
+/// Requires `ngrok` installed. Optionally set a custom domain
+/// (requires ngrok paid plan).
+pub struct NgrokTunnel {
+    auth_token: String,
+    domain: Option<String>,
+    proc: SharedProcess,
+}
+
+impl NgrokTunnel {
+    pub fn new(auth_token: String, domain: Option<String>) -> Self {
+        Self {
+            auth_token,
+            domain,
+            proc: new_shared_process(),
+        }
+    }
+}
+
+#[async_trait::async_trait]
+impl Tunnel for NgrokTunnel {
+    fn name(&self) -> &str {
+        "ngrok"
+    }
+
+    async fn start(&self, _local_host: &str, local_port: u16) -> Result<String> {
+        // Set auth token
+        Command::new("ngrok")
+            .args(["config", "add-authtoken", &self.auth_token])
+            .output()
+            .await?;
+
+        // Build command: ngrok http <port> [--domain <domain>]
+        let mut args = vec!["http".to_string(), local_port.to_string()];
+        if let Some(ref domain) = self.domain {
+            args.push("--domain".into());
+            args.push(domain.clone());
+        }
+        // Output log to stdout for URL extraction
+        args.push("--log".into());
+        args.push("stdout".into());
+        args.push("--log-format".into());
+        args.push("logfmt".into());
+
+        let mut child = Command::new("ngrok")
+            .args(&args)
+            .stdout(std::process::Stdio::piped())
+            .stderr(std::process::Stdio::piped())
+            .kill_on_drop(true)
+            .spawn()?;
+
+        let stdout = child
+            .stdout
+            .take()
+            .ok_or_else(|| anyhow::anyhow!("Failed to capture ngrok stdout"))?;
+
+        let mut reader = tokio::io::BufReader::new(stdout).lines();
+        let mut public_url = String::new();
+
+        // Wait up to 15s for the tunnel URL
+        let deadline = tokio::time::Instant::now() + tokio::time::Duration::from_secs(15);
+        while tokio::time::Instant::now() < deadline {
+            let line =
+                tokio::time::timeout(tokio::time::Duration::from_secs(3), reader.next_line()).await;
+
+            match line {
+                Ok(Ok(Some(l))) => {
+                    tracing::debug!("ngrok: {l}");
+                    // ngrok logfmt: url=https://xxxx.ngrok-free.app
+                    if let Some(idx) = l.find("url=https://") {
+                        let url_start = idx + 4; // skip "url="
+                        let url_part = &l[url_start..];
+                        let end = url_part
+                            .find(|c: char| c.is_whitespace())
+                            .unwrap_or(url_part.len());
+                        public_url = url_part[..end].to_string();
+                        break;
+                    }
+                }
+                Ok(Ok(None)) => break,
+                Ok(Err(e)) => bail!("Error reading ngrok output: {e}"),
+                Err(_) => {}
+            }
+        }
+
+        if public_url.is_empty() {
+            child.kill().await.ok();
+            bail!("ngrok did not produce a public URL within 15s. Is the auth token valid?");
+        }
+
+        let mut guard = self.proc.lock().await;
+        *guard = Some(TunnelProcess {
+            child,
+            public_url: public_url.clone(),
+        });
+
+        Ok(public_url)
+    }
+
+    async fn stop(&self) -> Result<()> {
+        kill_shared(&self.proc).await
+    }
+
+    async fn health_check(&self) -> bool {
+        let guard = self.proc.lock().await;
+        guard.as_ref().is_some_and(|tp| tp.child.id().is_some())
+    }
+
+    fn public_url(&self) -> Option<String> {
+        self.proc
+            .try_lock()
+            .ok()
+            .and_then(|g| g.as_ref().map(|tp| tp.public_url.clone()))
+    }
+}