fix(setup): check cloudflared binary and validate tunnel token #424

Merged
ilblackdragon merged 2 commits into nearai:main from zmanian:fix/cloudflared-binary-check-and-token-validation
Mar 1, 2026

@zmanian zmanian commented Feb 28, 2026

Summary

  • Checks for cloudflared on PATH before accepting a tunnel token, with platform-specific install instructions if missing (user can continue anyway)
  • Validates token format by base64-decoding and checking for expected JSON fields (a account tag, t tunnel ID), warning if malformed (user can override)
  • Replaces misleading "will start automatically at boot" message with honest instructions for starting the tunnel and installing as a system service
  • Reuses binary_exists() from skills::gating (promoted to pub(crate)) for cross-platform PATH lookup instead of inlining a unix-only which call

Closes #418

Test plan

  • Verify cargo test -- setup::channels::tests passes (5 new token validation tests)
  • Verify cargo clippy --all-features is clean
  • Manual: run ironclaw onboard and select Cloudflare tunnel on a machine without cloudflared -- should see install instructions and confirmation prompt
  • Manual: enter a garbage token -- should see format warning and confirmation prompt
  • Manual: enter a valid Cloudflare tunnel token -- should see success message with service install instructions

Generated with Claude Code
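
The token-format check described in the summary above (base64-decode, then look for the `a` and `t` fields), as an added example that is not the PR's code. It uses only the Rust standard library, so the hand-written base64 decoder and the naive field scan stand in for the `base64` crate and a real JSON parser; all function names, the error type and the sample tokens are constructed.

```rust
// Added example (std only). `a`/`t` come from the PR text; all other names are constructed.
#[derive(Debug, PartialEq)]
pub enum TokenError { NotBase64, NotUtf8, NotJsonObject, MissingField(&'static str) }
/// Lenient base64 decode: standard alphabet (an assumption), `=` padding optional.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u8);
    for c in s.trim().trim_end_matches('=').bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62, b'/' => 63,
            _ => return None,
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Some(out)
}

/// Naive scan for `"key": "<non-empty>"`; no escape or nesting handling.
fn has_string_field(json: &str, key: &str) -> bool {
    let pat = format!("\"{}\"", key);
    json.match_indices(&pat).any(|(i, _)| {
        let after_key = json[i + pat.len()..].trim_start();
        let value = after_key.strip_prefix(':').and_then(|r| r.trim_start().strip_prefix('"'));
        value.and_then(|v| v.find('"')).map_or(false, |end| end > 0)
    })
}

/// Format check only; errors never carry token bytes, so they are safe to print.
pub fn validate_token_format(token: &str) -> Result<(), TokenError> {
    let bytes = b64_decode(token).ok_or(TokenError::NotBase64)?;
    let text = String::from_utf8(bytes).map_err(|_| TokenError::NotUtf8)?;
    let json = text.trim();
    if !(json.starts_with('{') && json.ends_with('}')) {
        return Err(TokenError::NotJsonObject);
    }
    for key in ["a", "t"] {
        if !has_string_field(json, key) { return Err(TokenError::MissingField(key)); }
    }
    Ok(())
}
```

A passing result only says the string has the expected shape; it does not show that the tunnel exists or that the token is still valid.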

@github-actions github-actions Bot added scope: setup Onboarding / setup size: M 50-199 changed lines risk: high Safety, secrets, auth, or critical infrastructure contributor: experienced 6-19 merged PRs labels Feb 28, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the Cloudflare tunnel setup experience by introducing robust validation and clearer user guidance. It ensures that the necessary cloudflared binary is present or provides installation steps, validates the format of the provided tunnel token to prevent common errors, and offers precise instructions for tunnel operation and service installation. These changes aim to make the setup process more user-friendly and less prone to misconfiguration.

Highlights

  • Cloudflared Binary Check: The setup process now checks for the cloudflared binary on the system's PATH. If it's not found, platform-specific installation instructions are provided, and the user is prompted to either install it or continue without it.
  • Cloudflare Tunnel Token Validation: Cloudflare tunnel tokens are now validated for their format. The validation attempts to base64-decode the token and checks for the presence of expected JSON fields ('a' for account tag, 't' for tunnel ID). If the token is malformed, a warning is displayed, but the user can choose to proceed anyway.
  • Improved User Guidance: The previous misleading message about the tunnel starting automatically at boot has been replaced. New, accurate instructions are provided for manually starting the tunnel and installing it as a system service, tailored to whether the cloudflared binary was found.
  • Enhanced Code Reusability: The binary_exists() function, previously internal to the skills::gating module, has been made pub(crate) to allow its reuse across the crate, specifically for checking the cloudflared binary in the setup module.

Changelog

  • src/setup/channels.rs
    • Imported base64::Engine for token encoding/decoding.
    • Added logic to check for the cloudflared binary on PATH, providing install instructions and a confirmation prompt if missing.
    • Implemented a new function validate_cloudflare_token_format to check if a token is a valid base64-encoded JSON with 'a' and 't' fields.
    • Integrated token format validation into the Cloudflare tunnel setup, warning users about malformed tokens.
    • Updated the success message and post-setup instructions to accurately guide users on starting the tunnel and installing it as a system service.
    • Added five new unit tests to thoroughly cover the validate_cloudflare_token_format function's behavior with valid, invalid, and malformed tokens.
  • src/skills/gating.rs
    • Changed the visibility of the binary_exists function from private to pub(crate) to allow its use by other modules within the crate.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request improves the Cloudflare tunnel setup flow by adding a check for the cloudflared binary's existence and validating the tunnel token's format. The user-facing messages are also improved to be more helpful. The implementation is solid and includes relevant tests for the new validation logic. I've identified a minor improvement to avoid a redundant function call, which has been kept as is.

Comment thread src/setup/channels.rs Outdated
}

print_success("Cloudflare tunnel token saved.");
if crate::skills::gating::binary_exists("cloudflared") {

medium

The binary_exists check is performed here again, but its result is already available in the cloudflared_found variable from the check at the beginning of the function. Reusing the variable avoids a redundant process call, improving efficiency and code clarity.

Suggested change
if crate::skills::gating::binary_exists("cloudflared") {
if cloudflared_found {

zmanian commented Mar 1, 2026

Re: Gemini Code Assist review feedback

Verified false positive. Gemini claims there is a redundant binary_exists call. Only one call exists in the function; the cloudflared_found variable is computed once and reused at the end of the function. No redundancy.

zmanian and others added 2 commits February 28, 2026 21:38
…i#418)

The Cloudflare tunnel setup accepted tokens blindly without checking if
cloudflared was installed or if the token was valid. Now:

- Checks for cloudflared on PATH before accepting a token, with install
  instructions if missing (user can continue anyway)
- Validates token format (base64-decoded JSON with account/tunnel fields)
  with a warning if malformed (user can override)
- Replaces misleading "will start automatically at boot" with honest
  instructions for starting the tunnel and installing as a service
- Reuses binary_exists() from skills::gating (promoted to pub(crate))
  for cross-platform PATH lookup

Closes nearai#418

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Address review feedback: the binary check result was already stored
in cloudflared_found from earlier in the function.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zmanian zmanian force-pushed the fix/cloudflared-binary-check-and-token-validation branch from cb59a5b to cce1f02 Compare March 1, 2026 05:38
@ilblackdragon ilblackdragon merged commit 914f3cd into nearai:main Mar 1, 2026
13 checks passed
@github-actions github-actions Bot mentioned this pull request Mar 1, 2026
zmanian added a commit to zmanian/ironclaw that referenced this pull request Mar 1, 2026
…i#424)

* fix(setup): check cloudflared binary and validate tunnel token (nearai#418)

The Cloudflare tunnel setup accepted tokens blindly without checking if
cloudflared was installed or if the token was valid. Now:

- Checks for cloudflared on PATH before accepting a token, with install
  instructions if missing (user can continue anyway)
- Validates token format (base64-decoded JSON with account/tunnel fields)
  with a warning if malformed (user can override)
- Replaces misleading "will start automatically at boot" with honest
  instructions for starting the tunnel and installing as a service
- Reuses binary_exists() from skills::gating (promoted to pub(crate))
  for cross-platform PATH lookup

Closes nearai#418

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: reuse cloudflared_found instead of redundant binary_exists call

Address review feedback: the binary check result was already stored
in cloudflared_found from earlier in the function.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
bkutasi pushed a commit to bkutasi/ironclaw that referenced this pull request Mar 28, 2026

Development

Successfully merging this pull request may close these issues.

Cloudflare tunnel setup does not check for cloudflared binary or validate token
