npm - @bitcall/webrtc-sip-gateway - Versions diffs - 0.2.8 → 0.3.1 - Mend

@bitcall/webrtc-sip-gateway 0.2.8 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -2,16 +2,24 @@
 Linux-only CLI to install and operate the Bitcall WebRTC-to-SIP gateway.
+Latest updates:
+- `init` and `reconfigure` stop an existing stack before preflight checks so
+  the gateway's own `:5060` listener does not trigger false port conflicts.
+- `update` now syncs `BITCALL_GATEWAY_IMAGE` to the CLI target image tag
+  before pulling and restarting.
+- Docker image includes `sngrep` and `tcpdump` for SIP troubleshooting.
+- `sip-trace` opens a live SIP message viewer using `sngrep` in the container.
 ## Install
 ```bash
-sudo npm i -g @bitcall/webrtc-sip-gateway@0.2.8
+sudo npm i -g @bitcall/webrtc-sip-gateway
 ```
 ## Main workflow
 ```bash
-sudo bitcall-gateway init --dev
+sudo bitcall-gateway init
 sudo bitcall-gateway status
 sudo bitcall-gateway logs -f
 sudo bitcall-gateway media status
@@ -22,14 +30,13 @@ ports only. Host IPv6 remains enabled for signaling and non-media traffic.
 Backend selection prefers nftables on non-UFW hosts and uses ip6tables when UFW
 is active.
-Default `init` and `init --dev` run in dev profile:
-- `BITCALL_ENV=dev`
+Default `init` runs in production profile with universal routing:
+- `BITCALL_ENV=production`
 - `ROUTING_MODE=universal`
-- provider allowlist/origin/source IPs are permissive by default (with warnings)
+- provider allowlist/origin/source IPs are permissive by default
-Use `sudo bitcall-gateway init --production` for strict input validation and
-hardening checks. Production universal routing requires explicit
-`ALLOWED_SIP_DOMAINS`.
+Use `sudo bitcall-gateway init --advanced` for full security/provider controls.
+Use `sudo bitcall-gateway init --dev` for local testing only.
 Use `--verbose` to stream apt/docker output during install. Default mode keeps
 console output concise and writes command details to
 `/var/log/bitcall-gateway-install.log`.
@@ -44,8 +51,14 @@ console output concise and writes command details to
 - `sudo bitcall-gateway up`
 - `sudo bitcall-gateway down`
 - `sudo bitcall-gateway restart`
+- `sudo bitcall-gateway pause`
+- `sudo bitcall-gateway resume`
+- `sudo bitcall-gateway enable`
+- `sudo bitcall-gateway disable`
+- `sudo bitcall-gateway reconfigure`
 - `sudo bitcall-gateway status`
 - `sudo bitcall-gateway logs [-f] [service]`
+- `sudo bitcall-gateway sip-trace`
 - `sudo bitcall-gateway cert status`
 - `sudo bitcall-gateway cert renew`
 - `sudo bitcall-gateway cert install --cert /path/cert.pem --key /path/key.pem`

package/lib/constants.js CHANGED Viewed

@@ -1,6 +1,7 @@
 "use strict";
 const path = require("path");
+const PKG_VERSION = require("../package.json").version;
 const GATEWAY_DIR = "/opt/bitcall-gateway";
 const SERVICE_NAME = "bitcall-gateway";
@@ -14,7 +15,7 @@ module.exports = {
   SSL_DIR: path.join(GATEWAY_DIR, "ssl"),
   ENV_PATH: path.join(GATEWAY_DIR, ".env"),
   COMPOSE_PATH: path.join(GATEWAY_DIR, "docker-compose.yml"),
-  DEFAULT_GATEWAY_IMAGE: "ghcr.io/bitcallio/webrtc-sip-gateway:0.2.8",
+  DEFAULT_GATEWAY_IMAGE: `ghcr.io/bitcallio/webrtc-sip-gateway:${PKG_VERSION}`,
   DEFAULT_PROVIDER_HOST: "sip.example.com",
   DEFAULT_WEBPHONE_ORIGIN: "*",
   RENEW_HOOK_PATH: "/etc/letsencrypt/renewal-hooks/deploy/bitcall-gateway.sh",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bitcall/webrtc-sip-gateway",
-  "version": "0.2.8",
+  "version": "0.3.1",
   "description": "Linux CLI for bootstrapping and managing the Bitcall WebRTC-to-SIP Gateway",
   "repository": {
     "type": "git",

package/src/index.js CHANGED Viewed

@@ -3,7 +3,6 @@
 const crypto = require("crypto");
 const fs = require("fs");
 const path = require("path");
-const { Command } = require("commander");
 const {
   GATEWAY_DIR,
@@ -40,15 +39,66 @@ const {
   isMediaIpv4OnlyRulesPresent,
 } = require("../lib/firewall");
-const PACKAGE_VERSION = "0.2.8";
+const PACKAGE_VERSION = require("../package.json").version;
+// -- ANSI color helpers (zero dependencies) --
+const _c = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  cyan: "\x1b[36m",
+  white: "\x1b[37m",
+};
+const _color = process.stdout.isTTY && !process.env.NO_COLOR;
+function clr(style, text) {
+  return _color ? `${style}${text}${_c.reset}` : text;
+}
 const INSTALL_LOG_PATH = "/var/log/bitcall-gateway-install.log";
 function printBanner() {
-  console.log("========================================");
-  console.log("  BITCALL WEBRTC-SIP GATEWAY INSTALLER");
-  console.log(`  version ${PACKAGE_VERSION}`);
-  console.log("  one-line deploy for browser SIP");
-  console.log("========================================\n");
+  const v = `v${PACKAGE_VERSION}`;
+  if (!_color) {
+    console.log("\n  BITCALL\n  WebRTC → SIP Gateway  " + v);
+    console.log("  one-line deploy · any provider\n");
+    return;
+  }
+  // Block-letter BITCALL — each line is one string, do not modify
+  const art = [
+    "██████  ██ ████████  ██████  █████  ██      ██",
+    "██   ██ ██    ██    ██      ██   ██ ██      ██",
+    "██████  ██    ██    ██      ███████ ██      ██",
+    "██   ██ ██    ██    ██      ██   ██ ██      ██",
+    "██████  ██    ██     ██████ ██   ██ ███████ ███████",
+  ];
+  const W = 55; // inner box width
+  const top = `  ${_c.cyan}╔${"═".repeat(W)}╗${_c.reset}`;
+  const bot = `  ${_c.cyan}╚${"═".repeat(W)}╝${_c.reset}`;
+  const blank = `  ${_c.cyan}║${_c.reset}${" ".repeat(W)}${_c.cyan}║${_c.reset}`;
+  function row(content, pad) {
+    const visible = content.replace(/\x1b\[[0-9;]*m/g, "");
+    const fill = Math.max(0, W - (pad || 0) - visible.length);
+    return `  ${_c.cyan}║${_c.reset}${"".padEnd(pad || 0)}${content}${" ".repeat(fill)}${_c.cyan}║${_c.reset}`;
+  }
+  console.log("");
+  console.log(top);
+  console.log(blank);
+  for (const line of art) {
+    console.log(row(`${_c.bold}${_c.white}${line}${_c.reset}`, 3));
+  }
+  console.log(blank);
+  console.log(row(`${_c.dim}WebRTC → SIP Gateway${_c.reset}`, 3));
+  console.log(row(`${_c.dim}one-line deploy · any provider${_c.reset}        ${_c.dim}${v}${_c.reset}`, 3));
+  console.log(blank);
+  console.log(bot);
+  console.log("");
 }
 function createInstallContext(options = {}) {
@@ -104,15 +154,15 @@ function createInstallContext(options = {}) {
   async function step(label, fn) {
     state.index += 1;
-    console.log(`[${state.index}/${steps.length}] ${label}...`);
+    console.log(`  ${clr(_c.dim, `[${state.index}/${steps.length}]`)} ${clr(_c.bold, label)}...`);
     const started = Date.now();
     try {
       const value = await fn();
       const elapsed = ((Date.now() - started) / 1000).toFixed(1);
-      console.log(`✓ ${label} (${elapsed}s)\n`);
+      console.log(`  ${clr(_c.green, "✓")} ${clr(_c.bold, label)} ${clr(_c.dim, `(${elapsed}s)`)}\n`);
       return value;
     } catch (error) {
-      console.error(`✗ ${label} failed: ${error.message}`);
+      console.error(`  ${clr(_c.red, "✗")} ${clr(_c.bold + _c.red, label + " failed:")} ${error.message}`);
       if (!verbose) {
         console.error(`Install log: ${INSTALL_LOG_PATH}`);
       }
@@ -327,36 +377,35 @@ function isOriginWildcard(originPattern) {
 }
 function validateProductionConfig(config) {
-  const hasAllowedDomains = countAllowedDomains(config.allowedDomains) > 0;
-  const hasSingleProvider = isSingleProviderConfigured(config);
-  if (!hasAllowedDomains && !hasSingleProvider) {
-    throw new Error(
-      "Production requires ALLOWED_SIP_DOMAINS or single-provider routing with SIP_PROVIDER_URI. Re-run: bitcall-gateway init --advanced --production"
-    );
+  // In production, validate that the config is internally consistent.
+  // Universal mode (open domains, open origin) is a valid production config.
+  // Single-provider mode requires a valid SIP_PROVIDER_URI
+  if (config.routingMode === "single-provider") {
+    if (!(config.sipProviderUri || "").trim()) {
+      throw new Error(
+        "Single-provider mode requires SIP_PROVIDER_URI. " +
+          "Re-run: bitcall-gateway init --advanced --production"
+      );
+    }
   }
-  const originPattern = toOriginPattern(config.webphoneOrigin);
-  const hasStrictOrigin = !isOriginWildcard(originPattern);
-  const hasTurnToken = Boolean((config.turnApiToken || "").trim());
-  if (!hasStrictOrigin && !hasTurnToken) {
-    throw new Error(
-      "Production requires a strict WEBPHONE_ORIGIN_PATTERN or TURN_API_TOKEN. Re-run: bitcall-gateway init --advanced --production"
-    );
-  }
+  // If custom cert mode, paths are required (already validated elsewhere)
+  // No other hard requirements for production.
 }
-function buildDevWarnings(config) {
-  const warnings = [];
+function buildSecurityNotes(config) {
+  const notes = [];
   if (countAllowedDomains(config.allowedDomains) === 0) {
-    warnings.push("Provider allowlist: any (DEV mode)");
+    notes.push("SIP domains: unrestricted (universal mode)");
   }
   if (isOriginWildcard(toOriginPattern(config.webphoneOrigin))) {
-    warnings.push("Webphone origin: any (DEV mode)");
+    notes.push("Webphone origin: unrestricted");
   }
   if (!(config.sipTrustedIps || "").trim()) {
-    warnings.push("Trusted SIP source IPs: any (DEV mode)");
+    notes.push("SIP source IPs: unrestricted");
   }
-  return warnings;
+  return notes;
 }
 function buildQuickFlowDefaults(initProfile, existing = {}) {
@@ -371,12 +420,15 @@ function buildQuickFlowDefaults(initProfile, existing = {}) {
     sipTrustedIps: existing.SIP_TRUSTED_IPS || "",
   };
+  // Dev mode: explicitly open everything (ignore existing restrictions)
   if (initProfile === "dev") {
     defaults.allowedDomains = "";
     defaults.webphoneOrigin = "*";
     defaults.sipTrustedIps = "";
   }
+  // Production mode: use existing values or defaults (already universal)
+  // Do not force restrictions here.
   return defaults;
 }
@@ -545,7 +597,6 @@ function toOriginPattern(origin) {
 }
 function normalizeInitProfile(initOptions = {}, existing = {}) {
-  void existing;
   if (initOptions.dev && initOptions.production) {
     throw new Error("Use only one mode: --dev or --production.");
   }
@@ -555,7 +606,7 @@ function normalizeInitProfile(initOptions = {}, existing = {}) {
   if (initOptions.dev) {
     return "dev";
   }
-  return "dev";
+  return existing.BITCALL_ENV || "production";
 }
 async function runPreflight(ctx) {
@@ -601,45 +652,35 @@ async function runPreflight(ctx) {
   };
 }
-function printSummary(config, devWarnings) {
+function printSummary(config, notes) {
   const allowedCount = countAllowedDomains(config.allowedDomains);
-  const showDevWarnings = config.bitcallEnv === "dev";
-  const providerAllowlistSummary =
-    allowedCount > 0
-      ? config.allowedDomains
-      : config.bitcallEnv === "production"
-        ? isSingleProviderConfigured(config)
-          ? "(single-provider mode)"
-          : "(missing)"
-        : "(any)";
-  console.log("\nSummary:");
-  console.log(`  Domain: ${config.domain}`);
-  console.log(`  Environment: ${config.bitcallEnv}`);
-  console.log(`  Routing: ${config.routingMode}`);
-  console.log(
-    `  Provider allowlist: ${providerAllowlistSummary}${showDevWarnings && allowedCount === 0 ? " [DEV WARNING]" : ""}`
-  );
-  console.log(
-    `  Webphone origin: ${config.webphoneOrigin === "*" ? `(any)${showDevWarnings ? " [DEV WARNING]" : ""}` : config.webphoneOrigin}`
-  );
-  console.log(`  SIP source IPs: ${(config.sipTrustedIps || "").trim() ? config.sipTrustedIps : "(any)"}`);
-  console.log(`  TLS: ${config.tlsMode === "letsencrypt" ? "Let's Encrypt" : config.tlsMode}`);
-  console.log(`  TURN: ${config.turnMode === "coturn" ? "enabled (coturn)" : config.turnMode}`);
-  console.log(
-    `  Media: ${config.mediaIpv4Only === "1" ? "IPv4-only (IPv6 media blocked)" : "dual-stack"}`
-  );
-  console.log(`  Firewall: ${config.configureUfw ? "UFW enabled" : "manual setup"}`);
-  if (devWarnings.length > 0) {
-    console.log("\nWarnings:");
-    for (const warning of devWarnings) {
-      console.log(`  - ${warning}`);
+  console.log(`\n${clr(_c.bold + _c.cyan, "  ┌─ Configuration ──────────────────────────────┐")}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Domain:")}         ${config.domain}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Environment:")}    ${config.bitcallEnv}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Routing:")}        ${config.routingMode}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Allowlist:")}      ${allowedCount > 0 ? config.allowedDomains : "(any)"}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Origin:")}         ${config.webphoneOrigin === "*" ? "(any)" : config.webphoneOrigin}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "SIP source IPs:")} ${(config.sipTrustedIps || "").trim() ? config.sipTrustedIps : "(any)"}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "TLS:")}            ${config.tlsMode === "letsencrypt" ? "Let's Encrypt" : config.tlsMode}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "TURN:")}           ${config.turnMode === "coturn" ? "enabled (coturn)" : config.turnMode}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Media:")}          ${config.mediaIpv4Only === "1" ? "IPv4-only (IPv6 media blocked)" : "dual-stack"}`);
+  if (config.configureUfw) {
+    console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Firewall:")}       UFW enabled`);
+  }
+  console.log(`${clr(_c.bold + _c.cyan, "  └─────────────────────────────────────────────┘")}`);
+  if (notes.length > 0) {
+    console.log("");
+    for (const note of notes) {
+      console.log(`  ${clr(_c.dim, "ℹ")} ${clr(_c.dim, note)}`);
     }
   }
 }
 function shouldRequireAllowlist(bitcallEnv, routingMode) {
-  return bitcallEnv === "production" && routingMode === "universal";
+  void bitcallEnv;
+  void routingMode;
+  return false;
 }
 function parseProviderFromUri(uri = "") {
@@ -662,12 +703,7 @@ async function runWizard(existing = {}, preflight = {}, initOptions = {}) {
   try {
     const initProfile = normalizeInitProfile(initOptions, existing);
-    let advanced = Boolean(initOptions.advanced);
-    if (initOptions.production && !initOptions.advanced) {
-      advanced = true;
-    } else if (!initOptions.dev && !initOptions.production && !initOptions.advanced) {
-      advanced = await prompt.askYesNo("Advanced setup", false);
-    }
+    const advanced = Boolean(initOptions.advanced);
     const detectedIp = detectPublicIp();
     const domainDefault = initOptions.domain || existing.DOMAIN || "";
@@ -680,45 +716,55 @@ async function runWizard(existing = {}, preflight = {}, initOptions = {}) {
     }
     const resolved = resolveDomainIpv4(domain);
-    if (resolved.length > 0 && !resolved.includes(publicIp)) {
+    if (initProfile !== "dev" && resolved.length > 0 && !resolved.includes(publicIp)) {
       console.log(`Warning: DNS for ${domain} resolves to ${resolved.join(", ")}, not ${publicIp}.`);
     }
-    const autoDeployMode =
+    const detectedDeployMode =
       (preflight.p80 && preflight.p80.inUse) || (preflight.p443 && preflight.p443.inUse)
         ? "reverse-proxy"
         : "standalone";
-    let deployMode = autoDeployMode;
+    const existingDeployMode =
+      existing.DEPLOY_MODE === "standalone" || existing.DEPLOY_MODE === "reverse-proxy"
+        ? existing.DEPLOY_MODE
+        : "";
+    let deployMode = existingDeployMode || detectedDeployMode;
     let tlsMode = "letsencrypt";
     let acmeEmail = initOptions.email || existing.ACME_EMAIL || "";
     let customCertPath = "";
     let customKeyPath = "";
-    let bitcallEnv = initProfile;
-    let routingMode = existing.ROUTING_MODE || "universal";
+    const quickDefaults = buildQuickFlowDefaults(initProfile, existing);
+    let bitcallEnv = quickDefaults.bitcallEnv;
+    let routingMode = "universal";
     const providerFromEnv = parseProviderFromUri(existing.SIP_PROVIDER_URI || "");
     let sipProviderHost = providerFromEnv.host || DEFAULT_PROVIDER_HOST;
-    let sipTransport = providerFromEnv.transport || "udp";
-    let sipPort = providerFromEnv.port || "5060";
+    let sipTransport = "udp";
+    let sipPort = "5060";
     let sipProviderUri = "";
-    let allowedDomains = existing.ALLOWED_SIP_DOMAINS || "";
-    let sipTrustedIps = existing.SIP_TRUSTED_IPS || "";
+    let allowedDomains = "";
+    let sipTrustedIps = "";
     let turnMode = "coturn";
     let turnSecret = "";
     let turnTtl = existing.TURN_TTL || "86400";
-    let turnApiToken = existing.TURN_API_TOKEN || "";
+    let turnApiToken = "";
     let turnExternalUrls = "";
     let turnExternalUsername = "";
     let turnExternalCredential = "";
-    let webphoneOrigin = existing.WEBPHONE_ORIGIN || DEFAULT_WEBPHONE_ORIGIN;
-    let configureUfw = await prompt.askYesNo("Configure UFW firewall rules now?", true);
+    let webphoneOrigin = "*";
+    let configureUfw = true;
     let mediaIpv4Only = existing.MEDIA_IPV4_ONLY ? existing.MEDIA_IPV4_ONLY === "1" : true;
-    if (!advanced) {
-      acmeEmail = acmeEmail || (await prompt.askText("Let's Encrypt email", "", { required: true }));
-      turnMode = await prompt.askYesNo("Enable built-in TURN (coturn)?", true) ? "coturn" : "none";
-      const quickDefaults = buildQuickFlowDefaults(initProfile, existing);
-      bitcallEnv = quickDefaults.bitcallEnv;
+    let rtpMin = existing.RTPENGINE_MIN_PORT || "10000";
+    let rtpMax = existing.RTPENGINE_MAX_PORT || "20000";
+    let turnUdpPort = existing.TURN_UDP_PORT || "3478";
+    let turnsTcpPort = existing.TURNS_TCP_PORT || "5349";
+    let turnRelayMinPort = existing.TURN_RELAY_MIN_PORT || "49152";
+    let turnRelayMaxPort = existing.TURN_RELAY_MAX_PORT || "49252";
+    if (initProfile === "dev") {
+      tlsMode = "dev-self-signed";
+      acmeEmail = "";
+      turnMode = "coturn";
       routingMode = quickDefaults.routingMode;
       sipProviderUri = quickDefaults.sipProviderUri;
       sipTransport = quickDefaults.sipTransport;
@@ -726,17 +772,13 @@ async function runWizard(existing = {}, preflight = {}, initOptions = {}) {
       allowedDomains = quickDefaults.allowedDomains;
       webphoneOrigin = quickDefaults.webphoneOrigin;
       sipTrustedIps = quickDefaults.sipTrustedIps;
+      configureUfw = true;
+      mediaIpv4Only = true;
     } else {
-      deployMode = await prompt.askChoice(
-        "Deployment mode",
-        ["standalone", "reverse-proxy"],
-        autoDeployMode === "reverse-proxy" ? 1 : 0
-      );
       tlsMode = await prompt.askChoice(
         "TLS certificate mode",
-        ["letsencrypt", "custom", "dev-self-signed"],
-        0
+        ["letsencrypt", "custom"],
+        existing.TLS_MODE === "custom" ? 1 : 0
       );
       if (tlsMode === "custom") {
@@ -746,104 +788,79 @@ async function runWizard(existing = {}, preflight = {}, initOptions = {}) {
         customKeyPath = await prompt.askText("Path to TLS private key (PEM)", existing.TLS_KEY || "", {
           required: true,
         });
-      }
-      if (tlsMode === "letsencrypt") {
-        acmeEmail = await prompt.askText("Let's Encrypt email", acmeEmail, { required: true });
-      } else {
         acmeEmail = "";
+      } else {
+        acmeEmail = await prompt.askText("Let's Encrypt email", acmeEmail, { required: true });
       }
-      if (!initOptions.dev && !initOptions.production) {
-        bitcallEnv = await prompt.askChoice("Environment", ["production", "dev"], bitcallEnv === "dev" ? 1 : 0);
-      }
-      routingMode = await prompt.askChoice(
-        "Routing mode",
-        ["universal", "single-provider"],
-        routingMode === "single-provider" ? 1 : 0
-      );
-      if (routingMode === "single-provider") {
-        sipProviderHost = await prompt.askText(
-          "SIP provider host",
-          existing.SIP_PROVIDER_URI
-            ? existing.SIP_PROVIDER_URI.replace(/^sip:/, "").split(":")[0]
-            : DEFAULT_PROVIDER_HOST,
-          { required: true }
-        );
-        const sipTransportChoice = await prompt.askChoice(
-          "SIP provider transport",
-          ["udp", "tcp", "tls", "custom"],
-          0
+      turnMode = await prompt.askYesNo("Enable built-in TURN (coturn)?", true) ? "coturn" : "none";
+      routingMode = "universal";
+      sipProviderUri = "";
+      sipTransport = "udp";
+      sipPort = "5060";
+      allowedDomains = "";
+      webphoneOrigin = "*";
+      sipTrustedIps = "";
+      turnApiToken = "";
+      if (advanced) {
+        const restrictToSingleProvider = await prompt.askYesNo(
+          "Restrict to single SIP provider?",
+          existing.ROUTING_MODE === "single-provider"
         );
-        sipTransport = sipTransportChoice;
-        if (sipTransportChoice === "tcp" || sipTransportChoice === "udp") {
-          sipPort = "5060";
-        } else if (sipTransportChoice === "tls") {
-          sipPort = "5061";
-        } else {
-          sipTransport = await prompt.askChoice("Custom transport", ["udp", "tcp", "tls"], 0);
-          sipPort = await prompt.askText(
-            "Custom SIP port",
-            sipTransport === "tls" ? "5061" : "5060",
+        if (restrictToSingleProvider) {
+          routingMode = "single-provider";
+          sipProviderHost = await prompt.askText(
+            "SIP provider host",
+            providerFromEnv.host || DEFAULT_PROVIDER_HOST,
             { required: true }
           );
+          sipTransport = await prompt.askChoice(
+            "SIP provider transport",
+            ["udp", "tcp", "tls"],
+            providerFromEnv.transport === "tcp" ? 1 : providerFromEnv.transport === "tls" ? 2 : 0
+          );
+          const defaultProviderPort =
+            providerFromEnv.port || (sipTransport === "tls" ? "5061" : "5060");
+          sipPort = await prompt.askText("SIP provider port", defaultProviderPort, { required: true });
+          sipProviderUri = `sip:${sipProviderHost}:${sipPort};transport=${sipTransport}`;
         }
-        sipProviderUri = `sip:${sipProviderHost}:${sipPort};transport=${sipTransport}`;
-      }
-      const requireAllowlist = shouldRequireAllowlist(bitcallEnv, routingMode);
-      allowedDomains = await prompt.askText(
-        requireAllowlist
-          ? "Allowed SIP domains (comma-separated; required in production universal mode)"
-          : "Allowed SIP domains (comma-separated)",
-        allowedDomains,
-        { required: requireAllowlist }
-      );
-      sipTrustedIps = await prompt.askText(
-        "Trusted SIP source IPs (optional, comma-separated)",
-        sipTrustedIps
-      );
-      const existingTurn = existing.TURN_MODE || "coturn";
-      const turnDefaultIndex = existingTurn === "external" ? 2 : existingTurn === "coturn" ? 1 : 0;
-      turnMode = await prompt.askChoice("TURN mode", ["none", "coturn", "external"], turnDefaultIndex);
-      if (turnMode === "coturn") {
-        turnSecret = crypto.randomBytes(32).toString("hex");
-        turnTtl = await prompt.askText("TURN credential TTL seconds", turnTtl, { required: true });
-        turnApiToken = await prompt.askText("TURN API token (optional)", turnApiToken);
-      } else if (turnMode === "external") {
-        turnSecret = "";
-        turnApiToken = "";
-        turnExternalUrls = await prompt.askText("External TURN urls", existing.TURN_EXTERNAL_URLS || "", {
-          required: true,
-        });
-        turnExternalUsername = await prompt.askText(
-          "External TURN username",
-          existing.TURN_EXTERNAL_USERNAME || ""
+        allowedDomains = await prompt.askText(
+          "SIP domain allowlist (optional, comma-separated)",
+          existing.ALLOWED_SIP_DOMAINS || ""
         );
-        turnExternalCredential = await prompt.askText(
-          "External TURN credential",
-          existing.TURN_EXTERNAL_CREDENTIAL || ""
+        webphoneOrigin = await prompt.askText(
+          "Webphone origin restriction (optional, * for any)",
+          existing.WEBPHONE_ORIGIN || "*"
+        );
+        webphoneOrigin = webphoneOrigin.trim() ? webphoneOrigin : "*";
+        sipTrustedIps = await prompt.askText(
+          "SIP trusted source IPs (optional, comma-separated)",
+          existing.SIP_TRUSTED_IPS || ""
         );
-      } else {
-        turnSecret = "";
-        turnApiToken = "";
-      }
-      webphoneOrigin = await prompt.askText(
-        "Allowed webphone origin (* for any)",
-        webphoneOrigin
-      );
+        if (turnMode === "coturn") {
+          turnApiToken = await prompt.askText("TURN API token (optional)", existing.TURN_API_TOKEN || "");
+        }
-      mediaIpv4Only = await prompt.askYesNo(
-        "Media IPv4-only mode (block IPv6 RTP/TURN on host firewall)",
-        mediaIpv4Only
-      );
+        const customizePorts = await prompt.askYesNo("Customize RTP/TURN ports?", false);
+        if (customizePorts) {
+          rtpMin = await prompt.askText("RTP minimum port", rtpMin, { required: true });
+          rtpMax = await prompt.askText("RTP maximum port", rtpMax, { required: true });
+          if (turnMode === "coturn") {
+            turnUdpPort = await prompt.askText("TURN UDP/TCP port", turnUdpPort, { required: true });
+            turnsTcpPort = await prompt.askText("TURNS TCP port", turnsTcpPort, { required: true });
+            turnRelayMinPort = await prompt.askText("TURN relay minimum port", turnRelayMinPort, {
+              required: true,
+            });
+            turnRelayMaxPort = await prompt.askText("TURN relay maximum port", turnRelayMaxPort, {
+              required: true,
+            });
+          }
+        }
+      }
     }
     if (turnMode === "coturn") {
@@ -881,12 +898,12 @@ async function runWizard(existing = {}, preflight = {}, initOptions = {}) {
       turnExternalCredential,
       webphoneOrigin,
       mediaIpv4Only: mediaIpv4Only ? "1" : "0",
-      rtpMin: existing.RTPENGINE_MIN_PORT || "10000",
-      rtpMax: existing.RTPENGINE_MAX_PORT || "20000",
-      turnUdpPort: existing.TURN_UDP_PORT || "3478",
-      turnsTcpPort: existing.TURNS_TCP_PORT || "5349",
-      turnRelayMinPort: existing.TURN_RELAY_MIN_PORT || "49152",
-      turnRelayMaxPort: existing.TURN_RELAY_MAX_PORT || "49252",
+      rtpMin,
+      rtpMax,
+      turnUdpPort,
+      turnsTcpPort,
+      turnRelayMinPort,
+      turnRelayMaxPort,
       acmeListenPort: deployMode === "reverse-proxy" ? "8080" : "80",
       wssListenPort: deployMode === "reverse-proxy" ? "8443" : "443",
       internalWssPort: "8443",
@@ -898,12 +915,14 @@ async function runWizard(existing = {}, preflight = {}, initOptions = {}) {
       validateProductionConfig(config);
     }
-    const devWarnings = config.bitcallEnv === "dev" ? buildDevWarnings(config) : [];
-    printSummary(config, devWarnings);
+    const securityNotes = buildSecurityNotes(config);
+    printSummary(config, securityNotes);
-    const proceed = await prompt.askYesNo("Proceed with provisioning", true);
-    if (!proceed) {
-      throw new Error("Initialization canceled.");
+    if (initProfile !== "dev") {
+      const proceed = await prompt.askYesNo("Proceed with provisioning", true);
+      if (!proceed) {
+        throw new Error("Initialization canceled.");
+      }
     }
     return config;
@@ -1039,6 +1058,18 @@ function installGatewayService(exec = run) {
 async function initCommand(initOptions = {}) {
   printBanner();
+  // If re-running init on an existing installation, stop the current
+  // gateway so our own ports don't fail the preflight check.
+  if (fs.existsSync(ENV_PATH) && fs.existsSync(COMPOSE_PATH)) {
+    console.log("Existing gateway detected. Stopping for re-initialization...\n");
+    try {
+      runCompose(["down"], { stdio: "pipe" });
+    } catch (_e) {
+      // Ignore — gateway may already be stopped or config may be corrupted
+    }
+  }
   const ctx = createInstallContext(initOptions);
   let preflight;
@@ -1100,6 +1131,9 @@ async function initCommand(initOptions = {}) {
       tlsCertPath = path.join(SSL_DIR, "dev-fullchain.pem");
       tlsKeyPath = path.join(SSL_DIR, "dev-privkey.pem");
       generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 30, ctx.exec);
+      console.log("WARNING: Self-signed certificates do not work with browsers.");
+      console.log("WebSocket connections will be rejected. Use --dev for local testing only.");
+      console.log("For browser access, re-run with Let's Encrypt: sudo bitcall-gateway init");
     } else {
       tlsCertPath = path.join(SSL_DIR, "bootstrap-fullchain.pem");
       tlsKeyPath = path.join(SSL_DIR, "bootstrap-privkey.pem");
@@ -1121,14 +1155,127 @@ async function initCommand(initOptions = {}) {
   await ctx.step("Done", async () => {});
-  console.log("\nGateway initialized.");
-  console.log(`WSS URL: wss://${config.domain}`);
+  console.log("");
+  console.log(clr(_c.bold + _c.green, "  ╔══════════════════════════════════════╗"));
+  console.log(clr(_c.bold + _c.green, "  ║") + "  Gateway is " + clr(_c.bold + _c.green, "READY") + "                  " + clr(_c.bold + _c.green, "║"));
+  console.log(clr(_c.bold + _c.green, "  ╚══════════════════════════════════════╝"));
+  console.log("");
+  console.log(`  ${clr(_c.bold, "WSS")}   ${clr(_c.cyan, `wss://${config.domain}`)}`);
+  if (config.turnMode !== "none") {
+    console.log(`  ${clr(_c.bold, "TURN")}  ${clr(_c.cyan, `https://${config.domain}/turn-credentials`)}`);
+  }
+  if (!ctx.verbose) {
+    console.log(`  ${clr(_c.dim, `Log:   ${ctx.logPath}`)}`);
+  }
+  console.log("");
+}
+async function reconfigureCommand(options) {
+  ensureInitialized();
+  printBanner();
+  // Stop the running gateway so ports are free for preflight.
+  if (fs.existsSync(ENV_PATH) && fs.existsSync(COMPOSE_PATH)) {
+    console.log("Stopping current gateway for reconfiguration...\n");
+    try {
+      runCompose(["down"], { stdio: "pipe" });
+    } catch (_e) {
+      // Ignore — gateway may already be stopped or config may be corrupted
+    }
+  }
+  const ctx = createInstallContext(options);
+  let preflight;
+  await ctx.step("Checks", async () => {
+    preflight = await runPreflight(ctx);
+  });
+  const existingEnv = fs.existsSync(ENV_PATH) ? loadEnvFile(ENV_PATH) : {};
+  let config;
+  await ctx.step("Config", async () => {
+    config = await runWizard(existingEnv, preflight, options);
+  });
+  ensureInstallLayout();
+  let tlsCertPath;
+  let tlsKeyPath;
+  await ctx.step("Firewall", async () => {
+    if (config.configureUfw) {
+      const ufwReady = await ensureUfwAvailable(ctx);
+      if (ufwReady) {
+        configureFirewall(config, ctx.exec);
+      } else {
+        config.configureUfw = false;
+        printRequiredPorts(config);
+      }
+    } else {
+      printRequiredPorts(config);
+    }
+    if (config.mediaIpv4Only === "1") {
+      try {
+        const applied = applyMediaIpv4OnlyRules(mediaFirewallOptionsFromConfig(config));
+        console.log(`Applied IPv6 media block rules (${applied.backend}).`);
+      } catch (error) {
+        console.error(`IPv6 media block setup failed: ${error.message}`);
+        config.mediaIpv4Only = "0";
+      }
+    }
+  });
+  await ctx.step("TLS", async () => {
+    if (config.tlsMode === "custom") {
+      const custom = provisionCustomCert(config);
+      tlsCertPath = custom.certPath;
+      tlsKeyPath = custom.keyPath;
+    } else if (config.tlsMode === "dev-self-signed") {
+      tlsCertPath = path.join(SSL_DIR, "dev-fullchain.pem");
+      tlsKeyPath = path.join(SSL_DIR, "dev-privkey.pem");
+      generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 30, ctx.exec);
+    } else {
+      // Keep existing LE cert if domain matches, otherwise re-provision.
+      const envMap = loadEnvFile(ENV_PATH);
+      if (envMap.TLS_MODE === "letsencrypt" && envMap.TLS_CERT && fs.existsSync(envMap.TLS_CERT)) {
+        tlsCertPath = envMap.TLS_CERT;
+        tlsKeyPath = envMap.TLS_KEY;
+      } else {
+        tlsCertPath = path.join(SSL_DIR, "bootstrap-fullchain.pem");
+        tlsKeyPath = path.join(SSL_DIR, "bootstrap-privkey.pem");
+        generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 1, ctx.exec);
+      }
+    }
+    const envContent = renderEnvContent(config, tlsCertPath, tlsKeyPath);
+    writeFileWithMode(ENV_PATH, envContent, 0o600);
+    writeComposeTemplate();
+  });
+  await ctx.step("Start", async () => {
+    startGatewayStack(ctx.exec);
+    if (config.tlsMode === "letsencrypt" && (!tlsCertPath || !tlsCertPath.includes("letsencrypt"))) {
+      runLetsEncrypt(config, ctx.exec);
+    }
+  });
+  await ctx.step("Done", async () => {});
+  console.log("");
+  console.log(clr(_c.bold + _c.green, "  ╔══════════════════════════════════════╗"));
+  console.log(clr(_c.bold + _c.green, "  ║") + "  Gateway is " + clr(_c.bold + _c.green, "READY") + "                  " + clr(_c.bold + _c.green, "║"));
+  console.log(clr(_c.bold + _c.green, "  ╚══════════════════════════════════════╝"));
+  console.log("");
+  console.log(`  ${clr(_c.bold, "WSS")}   ${clr(_c.cyan, `wss://${config.domain}`)}`);
   if (config.turnMode !== "none") {
-    console.log(`TURN credentials URL: https://${config.domain}/turn-credentials`);
+    console.log(`  ${clr(_c.bold, "TURN")}  ${clr(_c.cyan, `https://${config.domain}/turn-credentials`)}`);
   }
   if (!ctx.verbose) {
-    console.log(`Install log: ${ctx.logPath}`);
+    console.log(`  ${clr(_c.dim, `Log:   ${ctx.logPath}`)}`);
   }
+  console.log("");
 }
 function runSystemctl(args, fallbackComposeArgs) {
@@ -1154,6 +1301,30 @@ function restartCommand() {
   runSystemctl(["reload", SERVICE_NAME], ["restart"]);
 }
+function pauseCommand() {
+  ensureInitialized();
+  runCompose(["pause"], { stdio: "inherit" });
+  console.log("Gateway paused.");
+}
+function resumeCommand() {
+  ensureInitialized();
+  runCompose(["unpause"], { stdio: "inherit" });
+  console.log("Gateway resumed.");
+}
+function enableCommand() {
+  ensureInitialized();
+  run("systemctl", ["enable", SERVICE_NAME], { stdio: "inherit" });
+  console.log("Gateway will start on boot.");
+}
+function disableCommand() {
+  ensureInitialized();
+  run("systemctl", ["disable", SERVICE_NAME], { stdio: "inherit" });
+  console.log("Gateway will NOT start on boot.");
+}
 function logsCommand(service, options) {
   ensureInitialized();
   const args = ["logs", "--tail", String(options.tail || 200)];
@@ -1166,8 +1337,36 @@ function logsCommand(service, options) {
   runCompose(args, { stdio: "inherit" });
 }
+function sipTraceCommand() {
+  ensureInitialized();
+  const compose = detectComposeCommand();
+  const containerName = "bitcall-gateway";
+  // Check if sngrep is available in the container
+  const check = run(
+    compose.command,
+    [...compose.prefixArgs, "exec", "-T", containerName, "which", "sngrep"],
+    { cwd: GATEWAY_DIR, check: false, stdio: "pipe" }
+  );
+  if (check.status !== 0) {
+    console.error("sngrep is not available in this gateway image.");
+    console.error("Update to the latest image: sudo bitcall-gateway update");
+    process.exit(1);
+  }
+  // Run sngrep interactively inside the container
+  const result = run(
+    compose.command,
+    [...compose.prefixArgs, "exec", containerName, "sngrep"],
+    { cwd: GATEWAY_DIR, stdio: "inherit" }
+  );
+  process.exit(result.status || 0);
+}
 function formatMark(state) {
-  return state ? "✓" : "✗";
+  return state ? clr(_c.green, "✓") : clr(_c.red, "✗");
 }
 function statusCommand() {
@@ -1184,6 +1383,7 @@ function statusCommand() {
     "-lc",
     "docker ps --filter name=^bitcall-gateway$ --format '{{.Status}}'",
   ]);
+  const containerUp = Boolean(containerStatus);
   const p80 = portInUse(Number.parseInt(envMap.ACME_LISTEN_PORT || "80", 10));
   const p443 = portInUse(Number.parseInt(envMap.WSS_LISTEN_PORT || "443", 10));
@@ -1205,10 +1405,10 @@ function statusCommand() {
   const mediaStatus = isMediaIpv4OnlyRulesPresent();
-  console.log("Bitcall Gateway Status\n");
+  console.log(`\n${clr(_c.bold + _c.cyan, "  Bitcall Gateway Status")}\n`);
   console.log(`Gateway service: ${formatMark(active)} ${active ? "running" : "stopped"}`);
   console.log(`Auto-start: ${formatMark(enabled)} ${enabled ? "enabled" : "disabled"}`);
-  console.log(`Container: ${containerStatus || "not running"}`);
+  console.log(`Container: ${formatMark(containerUp)} ${containerStatus || "not running"}`);
   console.log("");
   console.log(`Port ${envMap.ACME_LISTEN_PORT || "80"}: ${formatMark(p80.inUse)} listening`);
   console.log(`Port ${envMap.WSS_LISTEN_PORT || "443"}: ${formatMark(p443.inUse)} listening`);
@@ -1238,7 +1438,7 @@ function statusCommand() {
   console.log("\nConfig summary:");
   console.log(`DOMAIN=${envMap.DOMAIN || ""}`);
-  console.log(`BITCALL_ENV=${envMap.BITCALL_ENV || "dev"}`);
+  console.log(`BITCALL_ENV=${envMap.BITCALL_ENV || "production"}`);
   console.log(`ROUTING_MODE=${envMap.ROUTING_MODE || "universal"}`);
   console.log(`SIP_PROVIDER_URI=${envMap.SIP_PROVIDER_URI || ""}`);
   console.log(`DEPLOY_MODE=${envMap.DEPLOY_MODE || ""}`);
@@ -1318,8 +1518,23 @@ async function certInstallCommand(options) {
 function updateCommand() {
   ensureInitialized();
+  const envMap = loadEnvFile(ENV_PATH);
+  const currentImage = envMap.BITCALL_GATEWAY_IMAGE || "";
+  const targetImage = DEFAULT_GATEWAY_IMAGE;
+  if (currentImage === targetImage) {
+    console.log(`${clr(_c.green, "✓")} Image is current: ${clr(_c.dim, targetImage)}`);
+    console.log("Checking for newer image layers...");
+  } else {
+    console.log(`${clr(_c.yellow, "→")} Updating: ${clr(_c.dim, currentImage || "(none)")} → ${clr(_c.bold, targetImage)}`);
+    updateGatewayEnv({ BITCALL_GATEWAY_IMAGE: targetImage });
+  }
   runCompose(["pull"], { stdio: "inherit" });
   runSystemctl(["reload", SERVICE_NAME], ["up", "-d", "--remove-orphans"]);
+  console.log(`\n${clr(_c.green, "✓")} Gateway updated to ${clr(_c.bold, PACKAGE_VERSION)}.`);
+  console.log(clr(_c.dim, "  To update the CLI: sudo npm i -g @bitcall/webrtc-sip-gateway@latest"));
 }
 function mediaStatusCommand() {
@@ -1402,11 +1617,40 @@ async function uninstallCommand(options) {
     fs.rmSync(RENEW_HOOK_PATH, { force: true });
   }
+  // Remove Bitcall-tagged UFW rules.
+  if (commandExists("ufw")) {
+    const ufwOutput = output("ufw", ["status", "numbered"]);
+    const lines = (ufwOutput || "").split("\n");
+    const ruleNumbers = [];
+    for (const line of lines) {
+      const match = line.match(/^\[\s*(\d+)\]/);
+      if (match && line.includes("Bitcall")) {
+        ruleNumbers.push(match[1]);
+      }
+    }
+    // Delete in reverse order so indices do not shift.
+    for (const num of ruleNumbers.reverse()) {
+      run("ufw", ["--force", "delete", num], { check: false, stdio: "inherit" });
+    }
+    if (ruleNumbers.length > 0) {
+      run("ufw", ["reload"], { check: false, stdio: "inherit" });
+      console.log(`Removed ${ruleNumbers.length} UFW rule(s).`);
+    }
+  }
   if (fs.existsSync(GATEWAY_DIR)) {
     fs.rmSync(GATEWAY_DIR, { recursive: true, force: true });
   }
-  console.log("Gateway uninstalled.");
+  console.log(`\n${clr(_c.green, "✓")} ${clr(_c.bold, "Gateway uninstalled.")}`);
+  const domain = uninstallEnv.DOMAIN || "";
+  console.log(`\n${clr(_c.dim, "To remove the CLI:")}`);
+  console.log("  sudo npm uninstall -g @bitcall/webrtc-sip-gateway");
+  if (domain && uninstallEnv.TLS_MODE === "letsencrypt") {
+    console.log(`\n${clr(_c.dim, "To remove Let's Encrypt certificate:")}`);
+    console.log(`  sudo certbot delete --cert-name ${domain}`);
+  }
 }
 function configCommand() {
@@ -1420,6 +1664,7 @@ function configCommand() {
 }
 function buildProgram() {
+  const { Command } = require("commander");
   const program = new Command();
   program
@@ -1432,7 +1677,7 @@ function buildProgram() {
     .description("Run setup wizard and provision gateway")
     .option("--advanced", "Show advanced configuration prompts")
     .option("--dev", "Quick dev setup (minimal prompts, permissive defaults)")
-    .option("--production", "Production setup (strict validation enabled)")
+    .option("--production", "Production setup profile")
     .option("--domain <domain>", "Gateway domain")
     .option("--email <email>", "Let's Encrypt email")
     .option("--verbose", "Stream full installer command output")
@@ -1450,6 +1695,10 @@ function buildProgram() {
     .option("--no-follow", "Print and exit")
     .option("--tail <lines>", "Number of lines", "200")
     .action(logsCommand);
+  program
+    .command("sip-trace")
+    .description("Live SIP message viewer (sngrep)")
+    .action(sipTraceCommand);
   const cert = program.command("cert").description("Certificate operations");
   cert.command("status").description("Show current certificate info").action(certStatusCommand);
@@ -1463,6 +1712,18 @@ function buildProgram() {
   program.command("update").description("Pull latest image and restart service").action(updateCommand);
   program.command("config").description("Print active configuration (secrets hidden)").action(configCommand);
+  program.command("pause").description("Pause gateway containers").action(pauseCommand);
+  program.command("resume").description("Resume paused gateway containers").action(resumeCommand);
+  program.command("enable").description("Enable auto-start on boot").action(enableCommand);
+  program.command("disable").description("Disable auto-start on boot").action(disableCommand);
+  program
+    .command("reconfigure")
+    .description("Re-run wizard with current values as defaults")
+    .option("--advanced", "Show advanced configuration prompts")
+    .option("--dev", "Dev mode")
+    .option("--production", "Production mode")
+    .option("--verbose", "Verbose output")
+    .action(reconfigureCommand);
   const media = program.command("media").description("Media firewall operations");
   media.command("status").description("Show media IPv4-only firewall state").action(mediaStatusCommand);
@@ -1488,7 +1749,7 @@ module.exports = {
   main,
   normalizeInitProfile,
   validateProductionConfig,
-  buildDevWarnings,
+  buildSecurityNotes,
   buildQuickFlowDefaults,
   shouldRequireAllowlist,
   isOriginWildcard,