
#20782: feat(gateway): Cloudflare Tunnel & Access integration

by G4brym · open · 2026-02-19 09:20

Labels: docs, gateway, cli, size: XL
## Summary

OpenClaw can now integrate with Cloudflare Tunnel and Cloudflare Access to expose the Gateway securely over the internet with identity-aware authentication.

Two modes are supported:

- **managed**: OpenClaw spawns and manages a `cloudflared tunnel run` process using a tunnel token. Also verifies Cloudflare Access JWTs for authentication.
- **access-only**: You run `cloudflared` externally. OpenClaw only verifies incoming Cloudflare Access JWT headers.

JWT verification uses Node's built-in `crypto.subtle` WebCrypto API with JWKS fetching/caching from the Cloudflare Access certs endpoint — no external dependencies added. Tunnel token is passed via `TUNNEL_TOKEN` env var to avoid process-list exposure.

## Changes

### New files

| File | Description |
|------|-------------|
| `src/infra/cloudflared.ts` | Binary detection (PATH + known paths) and tunnel process management (spawn, connector ID parsing, SIGTERM→SIGKILL stop) |
| `src/infra/cloudflare-access.ts` | JWT verification using WebCrypto: JWKS fetching with 10-min cache, RS256/ES256 signature validation, key rotation support |
| `src/gateway/server-cloudflare.ts` | Exposure lifecycle (mirrors `server-tailscale.ts` pattern) |
| `docs/gateway/cloudflare.md` | Full documentation: setup for both modes, auth interaction, CLI examples, config reference, validation rules |

### Modified files

| File | Change |
|------|--------|
| `src/config/types.gateway.ts` | Add `GatewayCloudflareMode`, `GatewayCloudflareConfig`, `allowCloudflareAccess` |
| `src/config/zod-schema.ts` | Add cloudflare config schema with mode, tunnelToken (sensitive), teamDomain, audience |
| `src/gateway/auth.ts` | Add Cloudflare Access auth flow (`Cf-Access-Jwt-Assertion` header), module-level verifier setter, `allowCloudflareAccess` resolution |
| `src/gateway/server-runtime-config.ts` | Merge cloudflare config (base + overrides), validation rules (managed requires tunnelToken + teamDomain + loopback) |
| `src/gateway/server.impl.ts` | Create verifier on startup, wire exposure and cleanup |
| `src/gateway/server-close.ts` | Add cloudflare cleanup + clear global verifier |
| `src/cli/gateway-cli/run.ts` | Add `--cloudflare`, `--cloudflare-tunnel-token`, `--cloudflare-team-domain`, `--cloudflare-audience` CLI options |

### Test files

| File | Tests |
|------|-------|
| `src/infra/cloudflared.test.ts` | 6 tests: env override, which lookup, fallback paths, not found, tunnel start, exit before registration |
| `src/infra/cloudflare-access.test.ts` | 9 tests: valid JWT, expired, wrong issuer/audience, malformed, unknown kid, tampered signature, no email — uses real RSA keypairs |
| `src/gateway/auth.test.ts` | 4 new tests + updated existing: CF Access auth flow, fallthrough, mode resolution |
| 3 existing test files | Added `allowCloudflareAccess: false` to inline auth objects |

## Test plan

- [x] `tsc --noEmit` — 0 errors (excluding pre-existing upstream issue in `server.chat.gateway-server-chat-b.e2e.test.ts`)
- [x] 57 tests pass across 5 test files
- [x] ESLint clean via pre-commit hook
- [x] Manual test with a real Cloudflare Tunnel in managed mode
- [x] Manual test with access-only mode behind an external cloudflared

## AI Generated

This PR was mostly AI generated; I did indeed test it locally in a Docker container, and it was able to successfully manage `cloudflared` and handle traffic via Cloudflare.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

### Greptile Summary

Adds comprehensive Cloudflare Tunnel and Access integration with two operating modes: `managed` (OpenClaw spawns cloudflared) and `access-only` (external cloudflared with JWT-only verification). JWT verification is implemented using Node's built-in WebCrypto API with JWKS caching, RS256/ES256 support, and proper key rotation handling. The tunnel token is passed via environment variable to avoid process list exposure.

Implementation follows existing patterns from Tailscale integration and includes extensive test coverage (19 new tests across 3 test suites) with proper validation rules enforced at runtime.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- High confidence due to: (1) comprehensive test coverage with 19 new tests including security-critical JWT verification scenarios, (2) proper security practices (WebCrypto-based JWT verification, token passed via env var, signature validation, expiry/issuer/audience checks), (3) well-structured implementation following existing patterns from Tailscale integration, (4) extensive validation rules at both config and runtime levels, (5) proper cleanup and lifecycle management including verifier reset on shutdown
- No files require special attention

Last reviewed commit: 390f92b
