refactor: enhance Cloudflare outbound proxy with improved request patching, robust header handling, and secure environment configuration.

Dockerfile

@@ -45,8 +45,8 @@ USER node
 
 EXPOSE 7861
 
-HEALTHCHECK --interval=30s --timeout=5s --start-period=60s \
-  CMD curl -f http://localhost:7861/health || exit 1
+HEALTHCHECK --interval=30s --timeout=5s --start-period=90s \
+  CMD curl -fsS http://localhost:7861/health || exit 1
 
 ENTRYPOINT ["/usr/bin/tini", "--"]
 CMD ["/home/node/app/start.sh"]

cloudflare-proxy-setup.py

@@ -154,6 +154,12 @@ def write_env(proxy_url: str, proxy_secret: str) -> None:
         + "\n",
         encoding="utf-8",
     )
+    # Belt-and-suspenders: even with umask 0077 on the parent shell, force
+    # 0600 since the file holds the worker shared secret.
+    try:
+        ENV_FILE.chmod(0o600)
+    except OSError:
+        pass
 
 
 def main() -> int:
@@ -165,9 +171,19 @@ def main() -> int:
     )
 
     if existing_url:
-        if existing_secret:
-            write_env(existing_url, existing_secret)
-        print(f"☁️ Using configured Cloudflare proxy: {existing_url}")
+        # Always write the env file so downstream `. $CF_PROXY_ENV_FILE` in
+        # start.sh has CLOUDFLARE_PROXY_URL set even when no secret was
+        # supplied. Empty secret means we send no x-proxy-key header — that
+        # only works if the deployed worker also has no secret baked in.
+        write_env(existing_url, existing_secret)
+        if not existing_secret:
+            print(
+                "Warning: CLOUDFLARE_PROXY_URL is set but CLOUDFLARE_PROXY_SECRET "
+                "is empty. Requests will succeed only if the deployed worker "
+                "was built without PROXY_SHARED_SECRET; otherwise you'll see "
+                "401 Unauthorized."
+            )
+        print(f"Using configured Cloudflare proxy: {existing_url}")
         return 0
 
     if not workers_token:
@@ -217,22 +233,22 @@ def main() -> int:
 
         proxy_url = f"https://{worker_name}.{subdomain}.workers.dev"
         write_env(proxy_url, proxy_secret)
-        print(f"☁️ Cloudflare proxy ready: {proxy_url}")
+        print(f"Cloudflare proxy ready: {proxy_url}")
         return 0
     except urllib.error.HTTPError as error:
         detail = error.read().decode("utf-8", errors="replace")
         if error.code == 403 and '"code":9109' in detail:
             print(
-                "☁️ Cloudflare proxy setup failed: invalid Workers token. "
+                "Cloudflare proxy setup failed: invalid Workers token. "
                 "Use a Cloudflare API Token in CLOUDFLARE_WORKERS_TOKEN "
                 "(not a Global API Key, tunnel token, or worker secret). "
                 "For auto-setup, it should have account-level 'Workers Scripts: Edit'. "
                 "The setup can auto-discover your account; CLOUDFLARE_ACCOUNT_ID is not required."
             )
-        print(f"☁️ Cloudflare proxy setup failed: HTTP {error.code} {detail}")
+        print(f"Cloudflare proxy setup failed: HTTP {error.code} {detail}")
         return 1
     except Exception as error:
-        print(f"☁️ Cloudflare proxy setup failed: {error}")
+        print(f"Cloudflare proxy setup failed: {error}")
         return 1
 
 

cloudflare-proxy.js

@@ -1,14 +1,17 @@
 /**
  * Cloudflare Proxy: Transparent Fix for Blocked Domains
  *
- * Patches https.request/http.request/fetch to redirect traffic for blocked
- * hosts through a Cloudflare Worker proxy.
+ * Patches https.request/http.request/fetch and undici to redirect traffic 
+ * for blocked hosts through a Cloudflare Worker proxy.
  */
 "use strict";
 
 const https = require("https");
 const http = require("http");
 
+// Use stderr for logs to avoid breaking child processes that communicate via stdout JSON
+const log = (...args) => console.error(...args);
+
 let PROXY_URL = process.env.CLOUDFLARE_PROXY_URL;
 if (
   PROXY_URL &&
@@ -41,61 +44,64 @@ if (PROXY_URL) {
       const isInternal =
         normalized === "localhost" ||
         normalized === "127.0.0.1" ||
+        normalized === "::1" ||
+        normalized === "0.0.0.0" ||
+        normalized === proxy.hostname ||
         normalized.endsWith(".hf.space") ||
         normalized.endsWith(".huggingface.co") ||
         normalized === "huggingface.co";
 
-      if (PROXY_ALL) {
-        return !isInternal;
-      }
-
-      return BLOCKED_DOMAINS.some(
+      const should = PROXY_ALL ? !isInternal : BLOCKED_DOMAINS.some(
         (domain) =>
           normalized === domain || normalized.endsWith(`.${domain}`),
       );
+
+      return should;
     };
 
     const patch = (original, originalModuleName) => {
-      return function patchedRequest(options, callback) {
-        let hostname = "";
-        let path = "";
-        let headers = {};
-
-        if (typeof options === "string") {
-          const parsed = new URL(options);
-          hostname = parsed.hostname;
-          path = parsed.pathname + parsed.search;
-        } else if (options instanceof URL) {
-          hostname = options.hostname;
-          path = options.pathname + options.search;
-          headers = options.headers || {};
+      return function patchedRequest(arg1, arg2, arg3) {
+        let options = {};
+        let callback;
+
+        if (typeof arg1 === "string" || arg1 instanceof URL) {
+          const url = typeof arg1 === "string" ? new URL(arg1) : arg1;
+          options = {
+            protocol: url.protocol,
+            hostname: url.hostname,
+            port: url.port,
+            path: url.pathname + url.search,
+          };
+          if (typeof arg2 === "object" && arg2 !== null) {
+            options = { ...options, ...arg2 };
+            callback = arg3;
+          } else {
+            callback = arg2;
+          }
         } else {
-          hostname =
-            options.hostname ||
-            (options.host ? String(options.host).split(":")[0] : "");
-          path = options.path || "/";
-          headers = options.headers || {};
+          options = { ...arg1 };
+          callback = arg2;
         }
 
+        const hostname =
+          options.hostname ||
+          (options.host ? String(options.host).split(":")[0] : "");
+        const path = options.path || "/";
+        const headers = options.headers || {};
+
         const shouldProxy = shouldProxyHost(hostname);
-        const alreadyProxied =
-          options && typeof options === "object" && options._proxied;
+        const alreadyProxied = options._proxied;
         const hasTargetHeader =
-          headers &&
-          (headers["x-target-host"] || headers["X-Target-Host"]);
+          headers["x-target-host"] || headers["X-Target-Host"];
 
         if (shouldProxy && !alreadyProxied && !hasTargetHeader) {
           if (DEBUG) {
-            console.log(
+            log(
               `[cloudflare-proxy] Redirecting ${originalModuleName}://${hostname}${path} -> ${proxy.hostname}`,
             );
           }
 
-          const newOptions =
-            typeof options === "string" || options instanceof URL
-              ? { protocol: "https:", path }
-              : { ...options };
-
+          const newOptions = { ...options };
           newOptions._proxied = true;
           newOptions.protocol = "https:";
           newOptions.hostname = proxy.hostname;
@@ -105,7 +111,7 @@ if (PROXY_URL) {
           delete newOptions.agent;
 
           newOptions.headers = {
-            ...(newOptions.headers || {}),
+            ...(options.headers || {}),
             host: proxy.host,
             "x-target-host": hostname,
           };
@@ -117,7 +123,7 @@ if (PROXY_URL) {
           return originalHttpsRequest.call(https, newOptions, callback);
         }
 
-        return original.call(this, options, callback);
+        return original.call(this, arg1, arg2, arg3);
       };
     };
 
@@ -127,72 +133,243 @@ if (PROXY_URL) {
     if (originalFetch) {
       globalThis.fetch = async function patchedFetch(input, init) {
         const request = input instanceof Request ? input : null;
-        const url =
-          request
-            ? new URL(request.url)
-            : input instanceof URL
-              ? input
-              : new URL(String(input));
+        const urlStr = request ? request.url : String(input);
+        
+        let url;
+        try {
+          url = new URL(urlStr);
+        } catch (e) {
+          return originalFetch(input, init);
+        }
 
         const hostname = url.hostname;
         const shouldProxy = shouldProxyHost(hostname);
-        const headers = new Headers(request ? request.headers : init?.headers || {});
+        
+        let mergedHeaders;
+        if (request) {
+            mergedHeaders = new Headers(request.headers);
+        } else {
+            mergedHeaders = new Headers(init?.headers || {});
+        }
+
         const alreadyProxied =
-          headers.has("x-target-host") || headers.has("X-Target-Host");
+          mergedHeaders.has("x-target-host") || mergedHeaders.has("X-Target-Host");
 
         if (!shouldProxy || alreadyProxied) {
           return originalFetch(input, init);
         }
 
         if (DEBUG) {
-          console.log(
+          log(
             `[cloudflare-proxy] Redirecting fetch://${hostname}${url.pathname}${url.search} -> ${proxy.hostname}`,
           );
         }
 
-        headers.set("x-target-host", hostname);
+        mergedHeaders.set("x-target-host", hostname);
         if (PROXY_SHARED_SECRET) {
-          headers.set("x-proxy-key", PROXY_SHARED_SECRET);
+          mergedHeaders.set("x-proxy-key", PROXY_SHARED_SECRET);
         }
 
         const proxiedUrl = new URL(url.pathname + url.search, proxy);
 
+        const logProxyError = (promise, debugInfo) => {
+          promise
+            .then(r => {
+              if (DEBUG && !r.ok) {
+                log(`[cloudflare-proxy] Proxy HTTP ${r.status} for ${hostname}: ${r.statusText}`);
+              }
+            })
+            .catch(err => {
+              const cause = err?.cause;
+              const causeStr = cause
+                ? ` | cause: ${cause?.code || cause?.message || String(cause)}`
+                : "";
+              log(`[cloudflare-proxy] Proxy FAILED ${hostname}: ${err?.message}${causeStr}`);
+              if (DEBUG && debugInfo) {
+                log(`[cloudflare-proxy] Debug: ${debugInfo}`);
+              }
+            });
+          return promise;
+        };
+
         if (request) {
-          return originalFetch(
-            new Request(proxiedUrl, {
-              method: request.method,
-              headers,
-              body: request.body,
-              redirect: request.redirect,
-              duplex: "half",
-            }),
+          const fetchOpts = {
+            method: request.method,
+            headers: mergedHeaders,
+            redirect: request.redirect,
+          };
+          if (request.body) {
+            fetchOpts.body = request.body;
+            fetchOpts.duplex = "half";
+          }
+          return logProxyError(
+            originalFetch(String(proxiedUrl), fetchOpts),
+            `request-mode method=${request.method} hasBody=${!!request.body}`,
           );
         }
 
-        return originalFetch(proxiedUrl, {
-          ...init,
-          headers,
-        });
+        // Build a fresh init: do NOT spread `init` because it may carry a
+        // `dispatcher`/`client` pinned to the original target's connection
+        // pool, which causes undici to throw UND_ERR_INVALID_ARG when we
+        // change the origin. Forward only well-known fetch options.
+        const newInit = {
+          method: init?.method || "GET",
+          headers: mergedHeaders,
+        };
+        if (init?.body != null) {
+          newInit.body = init.body;
+          if (init.body instanceof ReadableStream) {
+            newInit.duplex = init.duplex || "half";
+          }
+        }
+        if (init?.signal) newInit.signal = init.signal;
+        if (init?.redirect) newInit.redirect = init.redirect;
+        if (init?.credentials) newInit.credentials = init.credentials;
+        if (init?.cache) newInit.cache = init.cache;
+        if (init?.mode) newInit.mode = init.mode;
+        if (init?.referrer) newInit.referrer = init.referrer;
+        if (init?.referrerPolicy) newInit.referrerPolicy = init.referrerPolicy;
+        if (init?.integrity) newInit.integrity = init.integrity;
+        if (init?.keepalive != null) newInit.keepalive = init.keepalive;
+
+        const bodyType = init?.body == null
+          ? "none"
+          : init.body instanceof ReadableStream
+            ? "ReadableStream"
+            : (init.body?.constructor?.name || typeof init.body);
+
+        return logProxyError(
+          originalFetch(String(proxiedUrl), newInit),
+          `init-mode method=${newInit.method} body=${bodyType} initKeys=${Object.keys(init || {}).join(",")}`,
+        );
       };
     }
 
+    // undici patching
+    const patchUndiciInstance = (exports) => {
+      if (!exports) return;
+
+      const patchDispatch = (proto, name) => {
+        if (proto && proto.dispatch && !proto.dispatch._patched) {
+          const origDispatch = proto.dispatch;
+          proto.dispatch = function(options, handler) {
+            let origin = options.origin || this.origin;
+            if (origin && typeof origin !== 'string') {
+              try { origin = origin.origin || origin.toString(); } catch (e) { origin = ""; }
+            }
+            
+            let hostname = "";
+            try {
+              hostname = new URL(String(origin)).hostname;
+            } catch(e) {
+              hostname = String(origin || "").split(':')[0];
+            }
+
+            if (hostname && shouldProxyHost(hostname)) {
+              if (DEBUG) log(`[cloudflare-proxy] Redirecting undici ${name}.dispatch: ${hostname}${options.path || ""} -> ${proxy.hostname}`);
+              
+              const targetHeader = "x-target-host";
+              const secretHeader = "x-proxy-key";
+
+              if (Array.isArray(options.headers)) {
+                let foundTarget = false;
+                for (let i = 0; i < options.headers.length; i += 2) {
+                  if (String(options.headers[i]).toLowerCase() === targetHeader) {
+                    foundTarget = true;
+                    break;
+                  }
+                }
+                if (!foundTarget) {
+                  options.headers.push(targetHeader, hostname);
+                  if (PROXY_SHARED_SECRET) options.headers.push(secretHeader, PROXY_SHARED_SECRET);
+                }
+              } else {
+                options.headers = options.headers || {};
+                if (options.headers instanceof Map || (typeof options.headers.set === 'function')) {
+                  options.headers.set(targetHeader, hostname);
+                  if (PROXY_SHARED_SECRET) options.headers.set(secretHeader, PROXY_SHARED_SECRET);
+                } else {
+                  options.headers[targetHeader] = hostname;
+                  if (PROXY_SHARED_SECRET) options.headers[secretHeader] = PROXY_SHARED_SECRET;
+                }
+              }
+              options.origin = `https://${proxy.hostname}`;
+            }
+            return origDispatch.call(this, options, handler);
+          };
+          proto.dispatch._patched = true;
+        }
+      };
+
+      for (const key in exports) {
+        if (exports[key] && exports[key].prototype && typeof exports[key].prototype.dispatch === 'function') {
+           patchDispatch(exports[key].prototype, key);
+        }
+      }
+
+      if (exports.getGlobalDispatcher) {
+        try {
+          const globalDispatcher = exports.getGlobalDispatcher();
+          if (globalDispatcher && globalDispatcher.dispatch && !globalDispatcher.dispatch._patched) {
+            patchDispatch(globalDispatcher, "GlobalDispatcherInstance");
+          }
+        } catch (e) {}
+      }
+
+      // Also patch Agent and other potentially unexported classes if they have dispatch
+      if (exports.Agent && exports.Agent.prototype) patchDispatch(exports.Agent.prototype, "Agent");
+      if (exports.Pool && exports.Pool.prototype) patchDispatch(exports.Pool.prototype, "Pool");
+      if (exports.Client && exports.Client.prototype) patchDispatch(exports.Client.prototype, "Client");
+
+      if (exports.fetch && !exports.fetch._patched) {
+        const origFetch = exports.fetch;
+        exports.fetch = async function (input, init) {
+          // If we are calling undici.fetch, it should use our globalThis.fetch which is patched
+          return globalThis.fetch(input, init);
+        };
+        exports.fetch._patched = true;
+      }
+    };
+
+    // Try to require undici immediately
+    try {
+      const undici = require("undici");
+      patchUndiciInstance(undici);
+    } catch (e) {}
+
+    // Hook require() to patch any undici instance the moment it loads.
+    // Match either the bare "undici" id or paths whose final package
+    // segment IS undici (e.g. "/foo/node_modules/undici/index.js"). The
+    // earlier substring check `id.includes("/undici/")` would also match
+    // unrelated packages like "super-undici-x".
+    const Module = require("module");
+    const originalRequire = Module.prototype.require;
+    const UNDICI_PATH_RE = /(?:^|\/)node_modules\/undici(?:\/|$)/;
+    Module.prototype.require = function (id) {
+      const exports = originalRequire.apply(this, arguments);
+      if (id === "undici" || UNDICI_PATH_RE.test(id)) {
+        try { patchUndiciInstance(exports); } catch (e) {}
+      }
+      return exports;
+    };
+
+    // Startup banner: print once across all Node spawns. Use a file marker
+    // because every Node process (health-server, gateway, sync subprocess)
+    // is spawned fresh from bash with NODE_OPTIONS=--require, so an env-var
+    // marker won't propagate. /tmp is per-container so it resets on rebuild.
     if (DEBUG) {
-      if (PROXY_ALL) {
-        console.log(
-          "[cloudflare-proxy] Transparent proxy active in wildcard mode",
-        );
-      } else {
-        console.log(
-          `[cloudflare-proxy] Transparent proxy active for: ${BLOCKED_DOMAINS.join(", ")}`,
+      try {
+        require("fs").writeFileSync("/tmp/.cf-proxy-banner-shown", "1", {
+          flag: "wx",
+        });
+        log(
+          `[cloudflare-proxy] active (${PROXY_ALL ? "wildcard" : "list"}) -> ${proxy.hostname}`,
         );
+      } catch (_) {
+        // marker exists — banner already shown by another process
       }
-      console.log(`[cloudflare-proxy] Target proxy: ${proxy.hostname}`);
     }
   } catch (error) {
-    if (DEBUG) {
-      console.error(
-        `[cloudflare-proxy] Failed to initialize: ${error.message}`,
-      );
-    }
+    log(`[cloudflare-proxy] Failed to initialize: ${error.message}`);
   }
 }

n8n-sync.py

@@ -2,6 +2,7 @@
 
 import hashlib
 import json
+import logging
 import os
 import shutil
 import signal
@@ -13,13 +14,23 @@ import threading
 from pathlib import Path
 
 os.environ.setdefault("HF_HUB_DISABLE_PROGRESS_BARS", "1")
+# huggingface_hub reads HF_HUB_VERBOSITY at import time and overrides any
+# logging.getLogger().setLevel() we apply afterwards. Set it before import
+# to silence the "No files have been modified..." spam from
+# upload_large_folder workers (logger.warning level).
+os.environ.setdefault("HF_HUB_VERBOSITY", "error")
 
 from huggingface_hub import HfApi, snapshot_download, upload_folder
-from huggingface_hub.errors import RepositoryNotFoundError
+from huggingface_hub.errors import HfHubHTTPError, RepositoryNotFoundError
+
+# Belt-and-suspenders: also raise the level after import in case the env var
+# wasn't honored (older hub versions, or message logged via a sub-logger).
+logging.getLogger("huggingface_hub").setLevel(logging.ERROR)
 
 N8N_HOME = Path(os.environ.get("N8N_USER_FOLDER", "/home/node/.n8n"))
 STATUS_FILE = Path("/tmp/hugging8n-sync-status.json")
 INTERVAL = int(os.environ.get("SYNC_INTERVAL", "180"))
+INITIAL_DELAY = int(os.environ.get("SYNC_START_DELAY", "10"))
 HF_TOKEN = os.environ.get("HF_TOKEN", "").strip()
 HF_USERNAME = (
     os.environ.get("HF_USERNAME", "").strip()
@@ -28,6 +39,7 @@ HF_USERNAME = (
 BACKUP_DATASET_NAME = os.environ.get("BACKUP_DATASET_NAME", "hugging8n-backup").strip()
 HF_API = HfApi(token=HF_TOKEN) if HF_TOKEN else None
 STOP_EVENT = threading.Event()
+_REPO_ID_CACHE: str | None = None
 
 
 def write_status(status: str, message: str) -> None:
@@ -64,14 +76,29 @@ def metadata_marker(root: Path) -> tuple[int, int, int]:
     return (file_count, total_size, newest_mtime)
 
 
-def dataset_repo_id() -> str:
-    if not HF_USERNAME:
-        raise RuntimeError("HF_USERNAME or SPACE_AUTHOR_NAME is required for backup repo naming")
-    return f"{HF_USERNAME}/{BACKUP_DATASET_NAME}"
+def resolve_backup_namespace() -> str:
+    global _REPO_ID_CACHE
+    if _REPO_ID_CACHE:
+        return _REPO_ID_CACHE
+
+    namespace = HF_USERNAME
+    if not namespace and HF_API is not None:
+        whoami = HF_API.whoami()
+        namespace = whoami.get("name") or whoami.get("user") or ""
+
+    namespace = str(namespace).strip()
+    if not namespace:
+        raise RuntimeError(
+            "Could not determine the Hugging Face username for backups. "
+            "Set HF_USERNAME or use a token tied to your account."
+        )
+
+    _REPO_ID_CACHE = f"{namespace}/{BACKUP_DATASET_NAME}"
+    return _REPO_ID_CACHE
 
 
 def ensure_repo_exists() -> str:
-    repo_id = dataset_repo_id()
+    repo_id = resolve_backup_namespace()
     try:
         HF_API.repo_info(repo_id=repo_id, repo_type="dataset")
     except RepositoryNotFoundError:
@@ -138,7 +165,7 @@ def restore() -> bool:
         write_status("disabled", "HF_TOKEN is not configured.")
         return False
 
-    repo_id = dataset_repo_id()
+    repo_id = resolve_backup_namespace()
     write_status("restoring", f"Restoring state from {repo_id}")
 
     try:
@@ -178,6 +205,13 @@ def restore() -> bool:
     except RepositoryNotFoundError:
         write_status("fresh", f"Backup dataset {repo_id} does not exist yet.")
         return True
+    except HfHubHTTPError as exc:
+        if exc.response is not None and exc.response.status_code == 404:
+            write_status("fresh", f"Backup dataset {repo_id} does not exist yet.")
+            return True
+        write_status("error", f"Restore failed: {exc}")
+        print(f"Restore failed: {exc}", file=sys.stderr)
+        return False
     except Exception as exc:
         write_status("error", f"Restore failed: {exc}")
         print(f"Restore failed: {exc}", file=sys.stderr)
@@ -229,9 +263,19 @@ def loop() -> int:
     signal.signal(signal.SIGTERM, handle_signal)
     signal.signal(signal.SIGINT, handle_signal)
 
+    try:
+        repo_id = resolve_backup_namespace()
+        write_status("configured", f"Backup loop active for {repo_id} with {INTERVAL}s interval.")
+    except Exception as exc:
+        write_status("error", str(exc))
+        print(f"Sync error: {exc}")
+        return 1
+
     last_fingerprint = fingerprint_dir(N8N_HOME)
     last_marker = metadata_marker(N8N_HOME)
-    write_status("configured", f"Backup loop active with {INTERVAL}s interval.")
+
+    time.sleep(INITIAL_DELAY)
+    print(f"State sync started: every {INTERVAL}s -> {repo_id}")
 
     while not STOP_EVENT.is_set():
         try:
@@ -239,7 +283,7 @@ def loop() -> int:
         except Exception as exc:
             write_status("error", f"Sync failed: {exc}")
             print(f"Sync failed: {exc}", file=sys.stderr)
-        
+
         if STOP_EVENT.wait(INTERVAL):
             break
 
@@ -255,8 +299,13 @@ def main() -> int:
     if command == "restore":
         return 0 if restore() else 1
     if command == "sync-once":
-        sync_once(None, None)
-        return 0
+        try:
+            sync_once()
+            return 0
+        except Exception as exc:
+            write_status("error", f"Shutdown sync failed: {exc}")
+            print(f"State sync: shutdown sync failed: {exc}")
+            return 1
     if command == "loop":
         return loop()
 

start.sh

@@ -79,11 +79,11 @@ CF_PROXY_ENV_FILE="/tmp/hugging8n-cloudflare-proxy.env"
 if [ -n "${CLOUDFLARE_WORKERS_TOKEN:-}" ] || [ -n "${CLOUDFLARE_PROXY_URL:-}" ]; then
   export CLOUDFLARE_PROXY_DOMAINS="${CLOUDFLARE_PROXY_DOMAINS:-*}"
   export CLOUDFLARE_PROXY_DEBUG="${CLOUDFLARE_PROXY_DEBUG:-false}"
-  echo "☁️ Preparing Cloudflare outbound proxy..."
+  echo "Preparing Cloudflare outbound proxy..."
   python3 "$APP_DIR/cloudflare-proxy-setup.py" || true
   if [ -f "$CF_PROXY_ENV_FILE" ]; then
     . "$CF_PROXY_ENV_FILE"
-    echo "  ✅ Proxy environment loaded: ${CLOUDFLARE_PROXY_URL:-none}"
+    echo "  Proxy environment loaded: ${CLOUDFLARE_PROXY_URL:-none}"
   fi
 fi