fix: address Cloudflare review comments (DDoS, pagination, validation, tests)

tools/src/aden_tools/credentials/health_check.py

@@ -1307,6 +1307,11 @@ class YouTubeHealthChecker(BaseHttpHealthChecker):
     AUTH_QUERY_PARAM_NAME = "key"
 
 
+class CloudflareHealthChecker(BaseHttpHealthChecker):
+    ENDPOINT = "https://api.cloudflare.com/client/v4/user/tokens/verify"
+    SERVICE_NAME = "Cloudflare"
+
+
 # Registry of health checkers
 HEALTH_CHECKERS: dict[str, CredentialHealthChecker] = {
     "apify": ApifyHealthChecker(),
@@ -1317,6 +1322,7 @@ HEALTH_CHECKERS: dict[str, CredentialHealthChecker] = {
     "brevo": BrevoHealthChecker(),
     "calcom": CalcomHealthChecker(),
     "calendly_pat": CalendlyHealthChecker(),
+    "cloudflare": CloudflareHealthChecker(),
     "discord": DiscordHealthChecker(),
     "docker_hub": DockerHubHealthChecker(),
     "exa_search": ExaSearchHealthChecker(),

tools/src/aden_tools/tools/cloudflare_tool/cloudflare_tool.py

@@ -1272,16 +1272,8 @@ def register_tools(mcp, credentials=None):
         if validation_error:
             return validation_error
 
-        # Note: DDoS settings are usually under rulesets with phase
-        # 'http_ratelimit' or 'http_request_late_transform'. A general
-        # config endpoint exists but may be limited.
-        _make_request(
-            "GET",
-            f"/zones/{zone_id}/settings/automatic_https_rewrites",
-            token,
-        )
-
-        return {"ddos_summary": "DDoS protection is on by default; see WAF rulesets for details."}
+        result = _make_request("GET", f"/zones/{zone_id}/ddos_protection/settings", token)
+        return {"ddos_protection": result}
 
     @mcp.tool("cloudflare_create_firewall_rule")
     def cloudflare_create_firewall_rule(
@@ -1538,6 +1530,10 @@ def register_tools(mcp, credentials=None):
         if isinstance(token, dict):
             return token
 
+        validation_error = _validate_zone_id(zone_id)
+        if validation_error:
+            return validation_error
+
         # Note: Workers and Load Balancers often require account-level access
         # but can be filtered by zone. Basic implementation here.
         workers = _make_request("GET", f"/zones/{zone_id}/workers/scripts", token)
@@ -1568,18 +1564,23 @@ def register_tools(mcp, credentials=None):
             return token
 
         params = {"page": page, "per_page": min(per_page, 50)}
-        result = _make_request("GET", "/accounts", token, params=params)
+        response = _make_request("GET", "/accounts", token, params=params, full_response=True)
 
-        if "error" in result:
-            return result
+        if "error" in response:
+            return response
 
+        result = response.get("result", [])
+        result_info = response.get("result_info", {})
         accounts = result if isinstance(result, list) else result.get("accounts", [])
+
         return {
             "accounts": [
                 {"id": a.get("id"), "name": a.get("name"), "status": a.get("status")}
                 for a in accounts
             ],
-            "total": len(accounts),
+            "total": result_info.get("total_count", result_info.get("count", len(accounts))),
+            "page": page,
+            "per_page": per_page,
         }
 
     @mcp.tool("cloudflare_get_account_details")
@@ -1681,6 +1682,10 @@ def register_tools(mcp, credentials=None):
         if isinstance(token, dict):
             return token
 
+        validation_error = _validate_zone_id(zone_id)
+        if validation_error:
+            return validation_error
+
         result = _make_request("GET", f"/zones/{zone_id}/custom_hostnames", token)
         if "error" in result:
             return result
@@ -1726,6 +1731,10 @@ def register_tools(mcp, credentials=None):
         if isinstance(token, dict):
             return token
 
+        validation_error = _validate_zone_id(zone_id)
+        if validation_error:
+            return validation_error
+
         result = _make_request(
             "GET",
             f"/zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint",

tools/tests/test_credential_registry.py

@@ -22,14 +22,12 @@ class TestRegistryCompleteness:
     #   which the single-value health check dispatcher can't support
     # - plaid_client_id/plaid_secret: requires POST with both client_id and
     #   secret in JSON body, can't validate with a single credential value
-    # - cloudflare: shares cloudflare_token checker (same credential_group)
     KNOWN_EXCEPTIONS = {
         "google_cse",
         "razorpay",
         "razorpay_secret",
         "plaid_client_id",
         "plaid_secret",
-        "cloudflare",
     }
 
     def test_specs_with_endpoint_have_checkers(self):

tools/tests/test_health_checks.py

@@ -66,6 +66,7 @@ class TestHealthCheckerRegistry:
             "brevo",
             "calcom",
             "calendly_pat",
+            "cloudflare",
             "discord",
             "docker_hub",
             "exa_search",