{"id":46683942,"url":"https://github.com/wiedymi/swift-cloudflared","last_synced_at":"2026-03-09T01:02:46.832Z","repository":{"id":337223360,"uuid":"1152764163","full_name":"wiedymi/swift-cloudflared","owner":"wiedymi","description":"Pure Swift Cloudflare Access TCP tunnel SDK for SSH clients on Apple platforms (iOS/macOS).","archived":false,"fork":false,"pushed_at":"2026-02-20T14:05:45.000Z","size":106,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-20T18:19:24.426Z","etag":null,"topics":["cloudflare","cloudflare-access","ios","libssh2","macos","networking","ssh","swift","swift-package-manager"],"latest_commit_sha":null,"homepage":null,"language":"Swift","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wiedymi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-08T11:55:40.000Z","updated_at":"2026-02-20T14:04:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/wiedymi/swift-cloudflared","commit_stats":null,"previous_names":["wiedymi/swift-cloudflared"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/wiedymi/swift-cloudflared","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiedymi%2Fswift-cloudflared","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiedymi%2Fswift-cloudflared/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiedymi%2Fswift-cloudflared/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiedymi%2Fswift-cloudflared/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wiedymi","download_url":"https://codeload.github.com/wiedymi/swift-cloudflared/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiedymi%2Fswift-cloudflared/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30279765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-08T20:45:49.896Z","status":"ssl_error","status_checked_at":"2026-03-08T20:45:49.525Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","cloudflare-access","ios","libssh2","macos","networking","ssh","swift","swift-package-manager"],"created_at":"2026-03-09T01:02:42.521Z","updated_at":"2026-03-09T01:02:46.794Z","avatar_url":"https://github.com/wiedymi.png","language":"Swift","funding_links":["https://github.com/sponsors/vivy-company"],"categories":[],"sub_categories":[],"readme":"# swift-cloudflared\n\n[![GitHub](https://img.shields.io/badge/-GitHub-181717?style=flat-square\u0026logo=github\u0026logoColor=white)](https://github.com/wiedymi)\n[![Twitter](https://img.shields.io/badge/-Twitter-1DA1F2?style=flat-square\u0026logo=twitter\u0026logoColor=white)](https://x.com/wiedymi)\n[![Email](https://img.shields.io/badge/-Email-EA4335?style=flat-square\u0026logo=gmail\u0026logoColor=white)](mailto:contact@wiedymi.com)\n[![Discord](https://img.shields.io/badge/-Discord-5865F2?style=flat-square\u0026logo=discord\u0026logoColor=white)](https://discord.gg/zemMZtrkSb)\n[![Support me](https://img.shields.io/badge/-Support%20me-ff69b4?style=flat-square\u0026logo=githubsponsors\u0026logoColor=white)](https://github.com/sponsors/vivy-company)\n\nPure Swift Cloudflare Access TCP tunnel SDK for SSH clients on Apple platforms.\n\nUse it to open an Access-authenticated local endpoint (`127.0.0.1:\u003cport\u003e`) and connect your SSH stack (for example `libssh2`) through it.\n\n## Features\n\n- OAuth and Service Token auth method support\n- Async session API with connection state stream\n- Local loopback tunnel endpoint for SSH client libraries\n- Secure default local listener policy:\n  - one active local client by default\n  - listener closes after first accepted client by default\n- Pluggable auth, token storage, and tunnel layers\n- Built-in keychain token store on `macOS`, `iOS`, `tvOS`, `watchOS`\n\n## Platforms\n\n- iOS 16+\n- macOS 13+\n- Swift tools 6.0+\n\n## Installation\n\nAdd to your `Package.swift`:\n\n```swift\ndependencies: [\n    .package(url: \"https://github.com/wiedymi/swift-cloudflared.git\", from: \"0.1.0\")\n]\n```\n\nThen add the library target:\n\n```swift\n.target(\n    name: \"YourApp\",\n    dependencies: [\n        .product(name: \"Cloudflared\", package: \"swift-cloudflared\")\n    ]\n)\n```\n\n## Quick Start (Service Token)\n\n```swift\nimport Cloudflared\n\nlet session = SessionActor(\n    authProvider: ServiceTokenProvider(),\n    tunnelProvider: CloudflareTunnelProvider(),\n    retryPolicy: RetryPolicy(maxReconnectAttempts: 2, baseDelayNanoseconds: 500_000_000),\n    oauthFallback: nil,\n    sleep: { delay in try? await Task.sleep(nanoseconds: delay) }\n)\n\nlet localPort = try await session.connect(\n    hostname: \"ssh.example.com\",\n    method: .serviceToken(\n        teamDomain: \"your-team.cloudflareaccess.com\",\n        clientID: \"\u003cCF_ACCESS_CLIENT_ID\u003e\",\n        clientSecret: \"\u003cCF_ACCESS_CLIENT_SECRET\u003e\"\n    )\n)\n\n// Use 127.0.0.1:localPort from libssh2\nprint(\"Tunnel endpoint: 127.0.0.1:\\(localPort)\")\n```\n\n## OAuth Flow Integration\n\nOAuth UI/token acquisition is app-owned via `OAuthFlow`:\n\n```swift\nimport Cloudflared\n\nstruct MyOAuthFlow: OAuthFlow {\n    func fetchToken(\n        teamDomain: String,\n        appDomain: String,\n        callbackScheme: String,\n        hostname: String\n    ) async throws -\u003e String {\n        // Implement your Access login UX (for example ASWebAuthenticationSession)\n        // and return CF_Authorization JWT.\n        throw Failure.auth(\"not implemented\")\n    }\n}\n\nlet oauthProvider = OAuthProvider(\n    flow: MyOAuthFlow(),\n    tokenStore: KeychainTokenStore()\n)\n```\n\nFor app metadata discovery (`authDomain`, `appDomain`, `appAUD`) you can use `AppInfoResolver`.\n\n## State Stream\n\nObserve state changes from the session:\n\n```swift\nTask {\n    for await state in session.state {\n        print(\"state:\", state)\n    }\n}\n```\n\nStates: `idle`, `authenticating`, `connecting`, `connected(localPort)`, `reconnecting(attempt)`, `disconnected`, `failed`.\n\n## libssh2 Integration\n\nOnce connected, point your SSH stack to loopback:\n\n```c\n// Connect libssh2 socket to 127.0.0.1:\u003clocalPort\u003e\n// then run regular libssh2 handshake/auth/channel flow.\n```\n\nExample runtime mapping:\n- Host: `127.0.0.1`\n- Port: `\u003clocalPort from session.connect(...)\u003e`\n\n## Token Storage Customization\n\nIf you need your own keychain layout or storage backend, implement `TokenStore`:\n\n```swift\nimport Cloudflared\n\nactor CustomTokenStore: TokenStore {\n    func readToken(for key: String) async throws -\u003e String? { nil }\n    func writeToken(_ token: String, for key: String) async throws {}\n    func removeToken(for key: String) async throws {}\n}\n```\n\nThen inject it into `OAuthProvider`.\n\n`KeychainTokenStore` defaults:\n- iOS/tvOS/watchOS: `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly`\n- macOS: `kSecAttrAccessibleAfterFirstUnlock` + data-protection keychain mode\n\niCloud Keychain options:\n\n```swift\n// Option 1: explicit sync mode on the base store\nlet store = KeychainTokenStore(syncMode: .iCloud)\n\n// Option 2: dedicated convenience wrapper\nlet store = ICloudKeychainTokenStore()\n```\n\n## Local Security Defaults\n\n`CloudflareTunnelProvider` defaults to:\n- `maxConcurrentConnections = 1`\n- `stopAcceptingAfterFirstConnection = true`\n\nYou can override via:\n\n```swift\nlet tunnel = CloudflareTunnelProvider(\n    connectionLimits: .init(\n        maxConcurrentConnections: 2,\n        stopAcceptingAfterFirstConnection: false\n    )\n)\n```\n\n## Sandbox and Entitlements\n\n- iOS app sandbox: supported (foreground usage; OAuth flow is app-defined).\n- macOS App Sandbox: enable network client/server entitlements if sandboxed, because the SDK opens:\n  - outbound websocket connection to Cloudflare Access\n  - local loopback listener for SSH client connection\n\n## E2E Harness\n\nRun the local interactive harness:\n\n```bash\nswift run cloudflared-e2e\n```\n\nIt prints a local endpoint (`127.0.0.1:\u003cport\u003e`) you can test with SSH/libssh2.\n\n## Development\n\n```bash\nswift test\nswift build\n```\n\nOptional keychain integration test:\n\n```bash\nCLOUDFLARED_KEYCHAIN_TESTS=1 swift test --filter TokenStoreTests/testKeychainStoreRoundTrip\n```\n\n## Docs\n\n- `docs/SPEC.md` - requirements and acceptance criteria\n- `docs/ARCHITECTURE.md` - design and concurrency model\n- `docs/API.md` - API surface and compatibility notes\n- `docs/PROTOCOL_MAPPING.md` - upstream behavior mapping\n- `docs/TEST_COVERAGE.md` - test traceability/coverage gates\n\n## Repository Notes\n\n- `reference/cloudflared` is included as a git submodule for upstream reference.\n\n## License\n\n- Root project: MIT (`LICENSE`)\n- Third-party notices: `THIRD_PARTY_NOTICES.md`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwiedymi%2Fswift-cloudflared","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwiedymi%2Fswift-cloudflared","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwiedymi%2Fswift-cloudflared/lists"}