Cloudflare Port

Source: PortsReference/CLOUDFLARE_PORT.md

Purpose

This is the reference integration for Harbor http_api Action Model authoring for Cloudflare.

Use it when:

  • building Cloudflare actions in Harbor
  • extending the Dock / Hub Cloudflare entry
  • teaching Codex or OpenClaw how to map a zone-scoped infrastructure API into Harbor Ports and Harbor Actions

Harbor Port worksheet

Product

  • Product: Cloudflare API
  • Publisher slug: cloudflare
  • Publisher name: Cloudflare
  • Category: Infrastructure
  • Tags: cloudflare, dns, infrastructure, domains, edge

Safe Harbor Port metadata

  • Kind: http_api
  • Label: Cloudflare API
  • Description: Cloudflare API connection managed locally through Harbor.
  • Base URL: https://api.cloudflare.com/client/v4/
  • Auth mode: header_token
  • Auth header name: Authorization
  • Auth token prefix: Bearer

Hidden local config

  • authToken

Harbor stores the token locally only. Dock / Hub manifests must never contain it.

Integration scope

This Cloudflare integration is now a full zone-scoped control-plane pass rather than a starter set.

Covered families:

  • zones and activation checks
  • zone settings, holds, subscriptions, available plans, and rate plans
  • DNS records, DNSSEC, DNS scans, DNS settings, and DNS analytics
  • secondary DNS incoming and outgoing configuration
  • cache purge, Cache Reserve, Smart Tiered Cache, cache variants, and Regional Tiered Cache
  • zone tags and security.txt

Deferred families:

  • account-scoped DNS admin surfaces such as ACLs, TSIGs, views, peers, and account DNS settings
  • Workers, Pages, R2, Stream, Images, Zero Trust, Access, Magic, billing, and org-wide administration

Platform-limited families:

  • DNS export because Cloudflare returns raw text rather than JSON
  • DNS import because Cloudflare expects multipart upload

See apps/hub/catalog/integrations/cloudflare/ActionMap.md for the action inventory and apps/hub/catalog/integrations/cloudflare/TechnicalLimitations.md for exact Harbor platform gaps.

Harbor action design notes

Cloudflare is a good Harbor fit when we stay on explicit zone-scoped routes with bounded path parameters, typed query filters, and JSON request bodies for writes.

Good Harbor Cloudflare actions:

  • fixed GET list/read routes like /zones
  • bounded path templates like /zones/{zone_id}/dns_records/{dns_record_id}
  • requestBodyMode: "none" for reads and delete-style actions
  • requestBodyMode: "json" for reviewed write actions
  • resultMode: "json_summary" for the supported zone-scoped surface

Guardrails that remain important:

  • keep all mutating actions on require_approval by default
  • do not widen this manifest into a generic Cloudflare proxy
  • do not mix account-scoped administration into the zone-scoped control plane without a separate completeness pass
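The design notes and guardrails above, together with the rule that manifests never carry the token, can be checked mechanically before a draft is submitted for publish. The following is an added example, not Harbor's own code or schema: the field names actions, id, method, path and approvalMode, and the value "auto", are assumptions made for the sketch, and the sample manifest is constructed.

```python
import re

# Assumed field names for this sketch: "actions", "id", "method", "path",
# "approvalMode". requestBodyMode, resultMode, require_approval and authToken
# are the page's own terms; the real Harbor manifest schema may differ.
SEGMENT = re.compile(r"[a-z0-9_-]+|\{[a-z_]+\}")

def contains_key(node, key):
    """True if `key` appears anywhere in a nested dict/list structure."""
    if isinstance(node, dict):
        return key in node or any(contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(contains_key(v, key) for v in node)
    return False

def lint_action(action):
    """Return the guardrail violations for one action entry."""
    problems = []
    method = action.get("method", "").upper()
    segments = action.get("path", "").strip("/").split("/")
    # Zone-scoped only: /zones root, every segment a literal or a {param}.
    if segments[0] != "zones" or not all(SEGMENT.fullmatch(s) for s in segments):
        problems.append("path is not a bounded zone-scoped template")
    if method in ("GET", "DELETE") and action.get("requestBodyMode") != "none":
        problems.append("read/delete action must use requestBodyMode none")
    if method != "GET" and action.get("approvalMode") != "require_approval":
        problems.append("mutating action is not on require_approval")
    if action.get("resultMode") != "json_summary":
        problems.append("resultMode is not json_summary")
    return problems

def lint_manifest(manifest):
    """Map action id -> violations; "_manifest" holds document-level ones."""
    report = {a.get("id", "?"): lint_action(a) for a in manifest.get("actions", [])}
    if contains_key(manifest, "authToken"):
        report["_manifest"] = ["manifest contains authToken"]
    return {k: v for k, v in report.items() if v}

# Constructed sample: one compliant read, one write with approval removed,
# and one catch-all route that would turn the Port into a generic proxy.
SAMPLE = {"actions": [
    {"id": "get-dns-record", "method": "GET", "requestBodyMode": "none",
     "path": "/zones/{zone_id}/dns_records/{dns_record_id}", "resultMode": "json_summary"},
    {"id": "purge-cache", "method": "POST", "requestBodyMode": "json",
     "path": "/zones/{zone_id}/purge_cache", "resultMode": "json_summary", "approvalMode": "auto"},
    {"id": "proxy", "method": "POST", "requestBodyMode": "json",
     "path": "/{any_path}", "resultMode": "json_summary", "approvalMode": "require_approval"},
]}
```

Running lint_manifest(SAMPLE) reports the purge-cache and proxy entries and passes get-dns-record; a manifest with an authToken key at any depth is reported under "_manifest".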

Current Cloudflare actions

Automatic read actions

  • list-zones
  • get-zone
  • list-zone-settings
  • get-zone-setting
  • get-zone-hold
  • get-zone-subscription
  • list-available-plans
  • get-available-plan
  • list-available-rate-plans
  • get-dnssec
  • list-dns-records
  • get-dns-record
  • list-scanned-dns-records
  • get-zone-dns-settings
  • get-dns-analytics-report
  • get-dns-analytics-report-bytime
  • get-secondary-dns-incoming
  • get-secondary-dns-outgoing
  • get-secondary-dns-outgoing-status
  • get-cache-reserve
  • get-cache-reserve-clear-status
  • get-smart-tiered-cache
  • get-cache-variants
  • get-regional-tiered-cache
  • get-zone-tags
  • get-security-txt

Approval-friendly write actions

  • create-zone
  • update-zone
  • delete-zone
  • trigger-zone-activation-check
  • update-zone-setting
  • bulk-update-zone-settings
  • create-zone-hold
  • update-zone-hold
  • delete-zone-hold
  • create-zone-subscription
  • update-zone-subscription
  • update-dnssec
  • delete-dnssec
  • create-dns-record
  • overwrite-dns-record
  • update-dns-record
  • delete-dns-record
  • trigger-dns-record-scan
  • review-scanned-dns-records
  • batch-dns-records
  • update-zone-dns-settings
  • force-axfr
  • create-secondary-dns-incoming
  • update-secondary-dns-incoming
  • delete-secondary-dns-incoming
  • create-secondary-dns-outgoing
  • update-secondary-dns-outgoing
  • delete-secondary-dns-outgoing
  • disable-secondary-dns-outgoing
  • enable-secondary-dns-outgoing
  • force-secondary-dns-notify
  • purge-cache
  • update-cache-reserve
  • start-cache-reserve-clear
  • update-smart-tiered-cache
  • delete-smart-tiered-cache
  • update-cache-variants
  • delete-cache-variants
  • update-regional-tiered-cache
  • update-zone-tags
  • delete-zone-tags
  • update-security-txt
  • delete-security-txt

Suggested operator workflow

  1. Import the Cloudflare Dock entry from Dock / Hub.
  2. Configure the local Cloudflare API token in Harbor Node.
  3. Validate list-zones and get-zone first to confirm local auth and scope coverage.
  4. Use list-dns-records, get-zone-dns-settings, and get-dnssec to inspect current state.
  5. Keep zone, DNS, secondary DNS, cache, and tagging writes on require_approval unless your Harbor Guard policy deliberately allows an exact subset.

Suggested agent workflow

  1. Inspect the existing Cloudflare Harbor Port.
  2. Inspect live actions and drafts.
  3. Stay inside this manifest's zone-scoped control plane unless the task explicitly starts a new Cloudflare surface.
  4. Validate and test drafts.
  5. Request publish instead of self-publishing unless Harbor explicitly allows it.

Agents should never:

  • ask Harbor for the stored API token
  • widen Cloudflare into a generic arbitrary HTTP proxy
  • bypass review for DNS, cache, or zone writes

Current update strategy

For now, Cloudflare updates are manual:

  • update the Dock / Hub integration document in apps/hub/catalog/integrations/cloudflare/cloudflare-api.json
  • update apps/hub/catalog/integrations/cloudflare/ActionMap.md when the action set changes materially
  • update apps/hub/catalog/integrations/cloudflare/TechnicalLimitations.md when a Harbor platform limit blocks a Cloudflare route
  • re-import into Harbor or create new drafts from the updated Dock entry

Official reference starting points

  • Cloudflare API overview: https://developers.cloudflare.com/api/overview/
  • Cloudflare zones API: https://developers.cloudflare.com/api/resources/zones/
  • Cloudflare DNS records API: https://developers.cloudflare.com/api/resources/dns/subresources/records/
  • Cloudflare cache API: https://developers.cloudflare.com/api/resources/cache/
  • Cloudflare resource tags API: https://developers.cloudflare.com/api/resources/zones/subresources/tags/