add Verify method for Cloudflare to prevent full resource fetch

[mkrs2404]

Summary by CodeRabbit

• New Features
  • Added Cloudflare credential verification that validates zone access and DNS service capability using minimal API calls, preventing misconfigured Cloudflare setups.
• Tests
  • Added coverage to ensure verification behavior and error reporting for zone access, disabled DNS service, and DNS probing failures.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5aa411e-04a8-4995-a067-a38a66152ba3

📥 Commits

Reviewing files that changed from the base of the PR and between 29e6e82 and 69aa7db.

📒 Files selected for processing (2)

• pkg/providers/cloudflare/cloudflare.go
• pkg/providers/cloudflare/cloudflare_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/providers/cloudflare/cloudflare_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/providers/cloudflare/cloudflare.go

---

Walkthrough

Added Provider.Verify(ctx) to the Cloudflare provider: it lists zones and, if the provider includes the "dns" service, probes DNS records for the first accessible zone to validate credentials. Tests and a tracking test double were added to exercise success and failure paths.

Changes

Cohort / File(s)	Summary
Cloudflare Provider Verification pkg/providers/cloudflare/cloudflare.go	Added Verify(ctx context.Context) error to validate Cloudflare API access by calling ListZones and, when DNS is enabled, ListDNSRecords for the first zone. Added fmt import for contextual error wrapping.
Verification Tests pkg/providers/cloudflare/cloudflare_test.go	Added trackingClient test double and tests covering: zone-listing errors, no-accessible-zones behavior, no-op when DNS service disabled, single DNS probe with Page==1/PerPage==1, and DNS fetch failure error propagation including zone context.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped to check the Cloudflare gate,
Listed zones, then peered at a record's state,
One tiny probe, just page one per page,
Tracked each call like a rabbit on stage,
Success or error — I report with cheer.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a Verify method for Cloudflare provider that validates credentials with minimal API calls instead of performing full resource fetches.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-cf-verification

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/providers/cloudflare/cloudflare_test.go (1)

91-159: Add a Verify test for the non-DNS service path.

Please add a case where services does not include "dns" and assert Verify returns nil without zone/DNS calls. This protects service-filter behavior.

🧪 Suggested test extension

 type trackingClient struct {
 	zones            []cloudflare.Zone
+	listZonesCalls   int
 	listDNSCalls     int
 	lastZoneID       string
 	lastListDNSParam cloudflare.ListDNSRecordsParams
 }

 func (t *trackingClient) ListZones(context.Context, ...string) ([]cloudflare.Zone, error) {
+	t.listZonesCalls++
 	return t.zones, nil
 }
@@
+func TestProviderVerifySkipsWhenDNSServiceDisabled(t *testing.T) {
+	t.Parallel()
+
+	client := &trackingClient{}
+	p := &Provider{
+		id:       "test",
+		client:   client,
+		services: schema.ServiceMap{"workers": struct{}{}},
+	}
+
+	err := p.Verify(context.Background())
+	require.NoError(t, err)
+	require.Zero(t, client.listZonesCalls)
+	require.Zero(t, client.listDNSCalls)
+}

As per coding guidelines, "Respect service filtering: Services() must list supported services, and providers should honor -s filters when gathering resources".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/providers/cloudflare/cloudflare_test.go` around lines 91 - 159, Add a new
unit test that constructs a Provider with services NOT containing "dns" (e.g.,
services: schema.ServiceMap{}), a trackingClient that records calls, then calls
Provider.Verify(ctx) and asserts no error is returned and that the client's
zone/DNS call counters (e.g., trackingClient.listZonesCalls,
trackingClient.listDNSCalls) remain zero; this verifies Provider.Verify honors
the services filter and avoids contacting zones/records when DNS is not
requested.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/providers/cloudflare/cloudflare.go`:
- Around line 103-114: In Verify, avoid calling the Cloudflare API when DNS is
not requested: move the p.services.Has("dns") check to the start of the DNS
verification path so the method returns early when "dns" is not enabled;
specifically update the Verify function so it checks p.services.Has("dns")
before invoking p.client.ListZones(ctx) (and only call ListZones, inspect zones,
or return the "no accessible zones" error when the service filter includes
"dns").

---

Nitpick comments:
In `@pkg/providers/cloudflare/cloudflare_test.go`:
- Around line 91-159: Add a new unit test that constructs a Provider with
services NOT containing "dns" (e.g., services: schema.ServiceMap{}), a
trackingClient that records calls, then calls Provider.Verify(ctx) and asserts
no error is returned and that the client's zone/DNS call counters (e.g.,
trackingClient.listZonesCalls, trackingClient.listDNSCalls) remain zero; this
verifies Provider.Verify honors the services filter and avoids contacting
zones/records when DNS is not requested.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86c62ec3-cef5-427b-9b21-9a8c9d0c8f89

📥 Commits

Reviewing files that changed from the base of the PR and between d88768a and 29e6e82.

📒 Files selected for processing (2)

• pkg/providers/cloudflare/cloudflare.go
• pkg/providers/cloudflare/cloudflare_test.go