@bitcall/webrtc-sip-gateway 0.3.0 → 0.3.3

package/README.md

@@ -2,12 +2,28 @@
 
 Linux-only CLI to install and operate the Bitcall WebRTC-to-SIP gateway.
 
+Latest updates:
+- Gateway container now renders Kamailio `#!substdef` defaults from `.env` at
+  startup, so advertise/origin/SIP transport values are runtime-accurate.
+- `init` and `reconfigure` stop an existing stack before preflight checks so
+  the gateway's own `:5060` listener does not trigger false port conflicts.
+- `update` now syncs `BITCALL_GATEWAY_IMAGE` to the CLI target image tag
+  before pulling and restarting.
+- Docker image includes `sngrep` and `tcpdump` for SIP troubleshooting.
+- `sip-trace` opens a live SIP message viewer using `sngrep` in the container.
+- `TURN_MODE=coturn` now generates a compose stack with a dedicated coturn
+  container.
+
 ## Install
 
 ```bash
 sudo npm i -g @bitcall/webrtc-sip-gateway
 ```
 
+Host requirement:
+- Use Docker Engine with `docker compose` plugin.
+- Snap `docker-compose` is not supported (cannot access `/opt/bitcall-gateway`).
+
 ## Main workflow
 
 ```bash
@@ -50,6 +66,7 @@ console output concise and writes command details to
 - `sudo bitcall-gateway reconfigure`
 - `sudo bitcall-gateway status`
 - `sudo bitcall-gateway logs [-f] [service]`
+- `sudo bitcall-gateway sip-trace`
 - `sudo bitcall-gateway cert status`
 - `sudo bitcall-gateway cert renew`
 - `sudo bitcall-gateway cert install --cert /path/cert.pem --key /path/key.pem`

package/lib/firewall.js

@@ -107,11 +107,18 @@ function buildNftRuleset(options = {}) {
 }
 
 function persistIp6tables(d) {
+  const aptEnv = {
+    ...process.env,
+    DEBIAN_FRONTEND: "noninteractive",
+    NEEDRESTART_MODE: "a",
+  };
+
   if (!d.commandExists("netfilter-persistent")) {
-    d.run("apt-get", ["update"], { stdio: "inherit" });
+    d.run("apt-get", ["update"], { stdio: "inherit", env: aptEnv });
     d.run("apt-get", ["install", "-y", "netfilter-persistent", "iptables-persistent"], {
       check: false,
       stdio: "inherit",
+      env: aptEnv,
     });
   }
 

package/lib/system.js

@@ -129,8 +129,17 @@ function portInUse(port) {
 function ensureDockerInstalled(options = {}) {
   const exec = pickExec(options);
   const shell = pickShell(options);
+  const dockerPath = commandExists("docker")
+    ? output("sh", ["-lc", "command -v docker || true"]).trim()
+    : "";
 
   if (commandExists("docker") && run("docker", ["info"], { check: false }).status === 0) {
+    if (dockerPath.startsWith("/snap/")) {
+      throw new Error(
+        "Detected Docker installed via snap. This setup is not supported for Bitcall gateway. " +
+          "Install Docker Engine (docker-ce) with compose plugin (`docker compose`) and retry."
+      );
+    }
     return;
   }
 
@@ -144,13 +153,45 @@ function ensureDockerInstalled(options = {}) {
 
 function ensureComposePlugin(options = {}) {
   const exec = pickExec(options);
+  const dockerComposePath = commandExists("docker-compose")
+    ? output("sh", ["-lc", "command -v docker-compose || true"]).trim()
+    : "";
+  const snapDockerCompose = dockerComposePath.startsWith("/snap/");
 
   if (run("docker", ["compose", "version"], { check: false }).status === 0) {
     return;
   }
 
-  exec("apt-get", ["update"]);
-  exec("apt-get", ["install", "-y", "docker-compose-plugin"]);
+  if (commandExists("docker-compose") && run("docker-compose", ["version"], { check: false }).status === 0) {
+    if (snapDockerCompose) {
+      try {
+        exec("apt-get", ["update"]);
+        exec("apt-get", ["install", "-y", "docker-compose-plugin"]);
+      } catch (_error) {
+        // Fall through to explicit compatibility error below.
+      }
+
+      if (run("docker", ["compose", "version"], { check: false }).status === 0) {
+        return;
+      }
+
+      throw new Error(
+        "Detected snap docker-compose only. It cannot access /opt/bitcall-gateway due snap confinement. " +
+          "Install Docker's compose plugin (`docker compose`) and retry."
+      );
+    }
+    return;
+  }
+
+  try {
+    exec("apt-get", ["update"]);
+    exec("apt-get", ["install", "-y", "docker-compose-plugin"]);
+  } catch (error) {
+    if (commandExists("docker-compose") && run("docker-compose", ["version"], { check: false }).status === 0) {
+      return;
+    }
+    throw error;
+  }
 }
 
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitcall/webrtc-sip-gateway",
-  "version": "0.3.0",
+  "version": "0.3.3",
   "description": "Linux CLI for bootstrapping and managing the Bitcall WebRTC-to-SIP Gateway",
   "repository": {
     "type": "git",

package/src/index.js

@@ -3,7 +3,6 @@
 const crypto = require("crypto");
 const fs = require("fs");
 const path = require("path");
-const { Command } = require("commander");
 
 const {
   GATEWAY_DIR,
@@ -41,14 +40,65 @@ const {
 } = require("../lib/firewall");
 
 const PACKAGE_VERSION = require("../package.json").version;
+// -- ANSI color helpers (zero dependencies) --
+const _c = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  red: "\x1b[31m",
+  green: "\x1b[32m",
+  yellow: "\x1b[33m",
+  cyan: "\x1b[36m",
+  white: "\x1b[37m",
+};
+const _color = process.stdout.isTTY && !process.env.NO_COLOR;
+function clr(style, text) {
+  return _color ? `${style}${text}${_c.reset}` : text;
+}
+
 const INSTALL_LOG_PATH = "/var/log/bitcall-gateway-install.log";
 
 function printBanner() {
-  console.log("========================================");
-  console.log("  BITCALL WEBRTC-SIP GATEWAY INSTALLER");
-  console.log(`  version ${PACKAGE_VERSION}`);
-  console.log("  one-line deploy for browser SIP");
-  console.log("========================================\n");
+  const v = `v${PACKAGE_VERSION}`;
+
+  if (!_color) {
+    console.log("\n  BITCALL\n  WebRTC → SIP Gateway  " + v);
+    console.log("  one-line deploy · any provider\n");
+    return;
+  }
+
+  // Block-letter BITCALL — each line is one string, do not modify
+  const art = [
+    "██████  ██ ████████  ██████  █████  ██      ██",
+    "██   ██ ██    ██    ██      ██   ██ ██      ██",
+    "██████  ██    ██    ██      ███████ ██      ██",
+    "██   ██ ██    ██    ██      ██   ██ ██      ██",
+    "██████  ██    ██     ██████ ██   ██ ███████ ███████",
+  ];
+
+  const W = 55; // inner box width
+  const top = `  ${_c.cyan}╔${"═".repeat(W)}╗${_c.reset}`;
+  const bot = `  ${_c.cyan}╚${"═".repeat(W)}╝${_c.reset}`;
+  const blank = `  ${_c.cyan}║${_c.reset}${" ".repeat(W)}${_c.cyan}║${_c.reset}`;
+
+  function row(content, pad) {
+    const visible = content.replace(/\x1b\[[0-9;]*m/g, "");
+    const fill = Math.max(0, W - (pad || 0) - visible.length);
+    return `  ${_c.cyan}║${_c.reset}${"".padEnd(pad || 0)}${content}${" ".repeat(fill)}${_c.cyan}║${_c.reset}`;
+  }
+
+  console.log("");
+  console.log(top);
+  console.log(blank);
+  for (const line of art) {
+    console.log(row(`${_c.bold}${_c.white}${line}${_c.reset}`, 3));
+  }
+  console.log(blank);
+  console.log(row(`${_c.dim}WebRTC → SIP Gateway${_c.reset}`, 3));
+  console.log(row(`${_c.dim}one-line deploy · any provider${_c.reset}        ${_c.dim}${v}${_c.reset}`, 3));
+  console.log(blank);
+  console.log(bot);
+  console.log("");
 }
 
 function createInstallContext(options = {}) {
@@ -104,15 +154,15 @@ function createInstallContext(options = {}) {
 
   async function step(label, fn) {
     state.index += 1;
-    console.log(`[${state.index}/${steps.length}] ${label}...`);
+    console.log(`  ${clr(_c.dim, `[${state.index}/${steps.length}]`)} ${clr(_c.bold, label)}...`);
     const started = Date.now();
     try {
       const value = await fn();
       const elapsed = ((Date.now() - started) / 1000).toFixed(1);
-      console.log(`✓ ${label} (${elapsed}s)\n`);
+      console.log(`  ${clr(_c.green, "✓")} ${clr(_c.bold, label)} ${clr(_c.dim, `(${elapsed}s)`)}\n`);
       return value;
     } catch (error) {
-      console.error(`✗ ${label} failed: ${error.message}`);
+      console.error(`  ${clr(_c.red, "✗")} ${clr(_c.bold + _c.red, label + " failed:")} ${error.message}`);
       if (!verbose) {
         console.error(`Install log: ${INSTALL_LOG_PATH}`);
       }
@@ -135,6 +185,13 @@ function detectComposeCommand(exec = run) {
     return { command: "docker", prefixArgs: ["compose"] };
   }
   if (exec("docker-compose", ["version"], { check: false }).status === 0) {
+    const composePath = output("sh", ["-lc", "command -v docker-compose || true"]).trim();
+    if (composePath.startsWith("/snap/")) {
+      throw new Error(
+        "Detected snap docker-compose only. Install Docker compose plugin (`docker compose`) " +
+          "because snap docker-compose cannot access /opt/bitcall-gateway."
+      );
+    }
     return { command: "docker-compose", prefixArgs: [] };
   }
   throw new Error("docker compose not found. Install Docker compose plugin.");
@@ -142,7 +199,7 @@ function detectComposeCommand(exec = run) {
 
 function runCompose(args, options = {}, exec = run) {
   const compose = detectComposeCommand(exec);
-  return exec(compose.command, [...compose.prefixArgs, ...args], {
+  return exec(compose.command, [...compose.prefixArgs, "-f", COMPOSE_PATH, ...args], {
     cwd: GATEWAY_DIR,
     ...options,
   });
@@ -602,32 +659,27 @@ async function runPreflight(ctx) {
   };
 }
 
-function printSummary(config, securityNotes) {
+function printSummary(config, notes) {
   const allowedCount = countAllowedDomains(config.allowedDomains);
-  const providerAllowlistSummary =
-    allowedCount > 0
-      ? config.allowedDomains
-      : isSingleProviderConfigured(config)
-        ? "(single-provider mode)"
-        : "(any)";
-  console.log("\nSummary:");
-  console.log(`  Domain: ${config.domain}`);
-  console.log(`  Environment: ${config.bitcallEnv}`);
-  console.log(`  Routing: ${config.routingMode}`);
-  console.log(`  Provider allowlist: ${providerAllowlistSummary}`);
-  console.log(`  Webphone origin: ${config.webphoneOrigin === "*" ? "(any)" : config.webphoneOrigin}`);
-  console.log(`  SIP source IPs: ${(config.sipTrustedIps || "").trim() ? config.sipTrustedIps : "(any)"}`);
-  console.log(`  TLS: ${config.tlsMode === "letsencrypt" ? "Let's Encrypt" : config.tlsMode}`);
-  console.log(`  TURN: ${config.turnMode === "coturn" ? "enabled (coturn)" : config.turnMode}`);
-  console.log(
-    `  Media: ${config.mediaIpv4Only === "1" ? "IPv4-only (IPv6 media blocked)" : "dual-stack"}`
-  );
-  console.log(`  Firewall: ${config.configureUfw ? "UFW enabled" : "manual setup"}`);
-
-  if (securityNotes.length > 0) {
-    console.log("\nInfo:");
-    for (const note of securityNotes) {
-      console.log(`  ℹ ${note}`);
+  console.log(`\n${clr(_c.bold + _c.cyan, "  ┌─ Configuration ──────────────────────────────┐")}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Domain:")}         ${config.domain}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Environment:")}    ${config.bitcallEnv}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Routing:")}        ${config.routingMode}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Allowlist:")}      ${allowedCount > 0 ? config.allowedDomains : "(any)"}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Origin:")}         ${config.webphoneOrigin === "*" ? "(any)" : config.webphoneOrigin}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "SIP source IPs:")} ${(config.sipTrustedIps || "").trim() ? config.sipTrustedIps : "(any)"}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "TLS:")}            ${config.tlsMode === "letsencrypt" ? "Let's Encrypt" : config.tlsMode}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "TURN:")}           ${config.turnMode === "coturn" ? "enabled (coturn)" : config.turnMode}`);
+  console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Media:")}          ${config.mediaIpv4Only === "1" ? "IPv4-only (IPv6 media blocked)" : "dual-stack"}`);
+  if (config.configureUfw) {
+    console.log(`${clr(_c.cyan, "  │")}  ${clr(_c.dim, "Firewall:")}       UFW enabled`);
+  }
+  console.log(`${clr(_c.bold + _c.cyan, "  └─────────────────────────────────────────────┘")}`);
+
+  if (notes.length > 0) {
+    console.log("");
+    for (const note of notes) {
+      console.log(`  ${clr(_c.dim, "ℹ")} ${clr(_c.dim, note)}`);
     }
   }
 }
@@ -950,9 +1002,13 @@ function renderEnvContent(config, tlsCert, tlsKey) {
   return content + extra;
 }
 
-function writeComposeTemplate() {
-  const compose = readTemplate("docker-compose.yml.template");
-  writeFileWithMode(COMPOSE_PATH, compose, 0o644);
+function writeComposeTemplate(config = {}) {
+  let compose = readTemplate("docker-compose.yml.template").trimEnd();
+  if (config.turnMode === "coturn") {
+    const coturn = readTemplate("coturn-service.yml.template").trimEnd();
+    compose = `${compose}\n\n${coturn}`;
+  }
+  writeFileWithMode(COMPOSE_PATH, `${compose}\n`, 0o644);
 }
 
 function provisionCustomCert(config) {
@@ -1011,187 +1067,300 @@ function installGatewayService(exec = run) {
   exec("systemctl", ["enable", "--now", SERVICE_NAME]);
 }
 
+function backupExistingGatewayConfig() {
+  if (!fs.existsSync(ENV_PATH) || !fs.existsSync(COMPOSE_PATH)) {
+    return null;
+  }
+  return {
+    envContent: fs.readFileSync(ENV_PATH, "utf8"),
+    composeContent: fs.readFileSync(COMPOSE_PATH, "utf8"),
+  };
+}
+
+function restoreGatewayConfigFromBackup(backup, contextLabel = "Operation") {
+  if (!backup || backup.envContent == null || backup.composeContent == null) {
+    return;
+  }
+  try {
+    ensureInstallLayout();
+    writeFileWithMode(ENV_PATH, backup.envContent, 0o600);
+    writeFileWithMode(COMPOSE_PATH, backup.composeContent, 0o644);
+    runCompose(["up", "-d", "--remove-orphans"], { check: false, stdio: "pipe" });
+    console.error(`${contextLabel} failed. Restored previous gateway config and attempted restart.`);
+  } catch (restoreError) {
+    console.error(
+      `${contextLabel} failed and automatic restore also failed: ${restoreError.message}`
+    );
+  }
+}
+
 async function initCommand(initOptions = {}) {
   printBanner();
-  const ctx = createInstallContext(initOptions);
+  const previousConfig = backupExistingGatewayConfig();
 
-  let preflight;
-  await ctx.step("Checks", async () => {
-    preflight = await runPreflight(ctx);
-  });
-
-  let existingEnv = {};
-  if (fs.existsSync(ENV_PATH)) {
-    existingEnv = loadEnvFile(ENV_PATH);
+  // If re-running init on an existing installation, stop the current
+  // gateway so our own ports don't fail the preflight check.
+  if (previousConfig) {
+    console.log("Existing gateway detected. Stopping for re-initialization...\n");
+    try {
+      runCompose(["down"], { stdio: "pipe" });
+    } catch (_e) {
+      // Ignore — gateway may already be stopped or config may be corrupted
+    }
   }
 
-  let config;
-  await ctx.step("Config", async () => {
-    config = await runWizard(existingEnv, preflight, initOptions);
-  });
+  const ctx = createInstallContext(initOptions);
+  try {
+    let preflight;
+    await ctx.step("Checks", async () => {
+      preflight = await runPreflight(ctx);
+    });
+
+    let existingEnv = {};
+    if (fs.existsSync(ENV_PATH)) {
+      existingEnv = loadEnvFile(ENV_PATH);
+    }
 
-  ensureInstallLayout();
+    let config;
+    await ctx.step("Config", async () => {
+      config = await runWizard(existingEnv, preflight, initOptions);
+    });
+
+    ensureInstallLayout();
 
-  let tlsCertPath;
-  let tlsKeyPath;
+    let tlsCertPath;
+    let tlsKeyPath;
 
-  await ctx.step("Firewall", async () => {
-    if (config.configureUfw) {
-      const ufwReady = await ensureUfwAvailable(ctx);
-      if (ufwReady) {
-        configureFirewall(config, ctx.exec);
+    await ctx.step("Firewall", async () => {
+      if (config.configureUfw) {
+        const ufwReady = await ensureUfwAvailable(ctx);
+        if (ufwReady) {
+          configureFirewall(config, ctx.exec);
+        } else {
+          console.log("Skipping UFW configuration by request.");
+          config.configureUfw = false;
+          printRequiredPorts(config);
+        }
       } else {
-        console.log("Skipping UFW configuration by request.");
-        config.configureUfw = false;
         printRequiredPorts(config);
       }
-    } else {
-      printRequiredPorts(config);
-    }
 
-    if (config.mediaIpv4Only === "1") {
-      try {
-        const applied = applyMediaIpv4OnlyRules(mediaFirewallOptionsFromConfig(config));
-        console.log(`Applied IPv6 media block rules (${applied.backend}).`);
-      } catch (error) {
-        console.error(`IPv6 media block setup failed: ${error.message}`);
-        const proceed = await confirmContinueWithoutMediaBlock();
-        if (!proceed) {
-          throw new Error("Initialization stopped because media IPv4-only firewall rules were not applied.");
+      if (config.mediaIpv4Only === "1") {
+        try {
+          const applied = applyMediaIpv4OnlyRules(mediaFirewallOptionsFromConfig(config));
+          console.log(`Applied IPv6 media block rules (${applied.backend}).`);
+        } catch (error) {
+          console.error(`IPv6 media block setup failed: ${error.message}`);
+          const proceed = await confirmContinueWithoutMediaBlock();
+          if (!proceed) {
+            throw new Error(
+              "Initialization stopped because media IPv4-only firewall rules were not applied."
+            );
+          }
+          config.mediaIpv4Only = "0";
+          console.log("Continuing without IPv6 media block rules.");
         }
-        config.mediaIpv4Only = "0";
-        console.log("Continuing without IPv6 media block rules.");
       }
-    }
-  });
+    });
 
-  await ctx.step("TLS", async () => {
-    if (config.tlsMode === "custom") {
-      const custom = provisionCustomCert(config);
-      tlsCertPath = custom.certPath;
-      tlsKeyPath = custom.keyPath;
-    } else if (config.tlsMode === "dev-self-signed") {
-      tlsCertPath = path.join(SSL_DIR, "dev-fullchain.pem");
-      tlsKeyPath = path.join(SSL_DIR, "dev-privkey.pem");
-      generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 30, ctx.exec);
-      console.log("WARNING: Self-signed certificates do not work with browsers.");
-      console.log("WebSocket connections will be rejected. Use --dev for local testing only.");
-      console.log("For browser access, re-run with Let's Encrypt: sudo bitcall-gateway init");
-    } else {
-      tlsCertPath = path.join(SSL_DIR, "bootstrap-fullchain.pem");
-      tlsKeyPath = path.join(SSL_DIR, "bootstrap-privkey.pem");
-      generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 1, ctx.exec);
-    }
+    await ctx.step("TLS", async () => {
+      if (config.tlsMode === "custom") {
+        const custom = provisionCustomCert(config);
+        tlsCertPath = custom.certPath;
+        tlsKeyPath = custom.keyPath;
+      } else if (config.tlsMode === "dev-self-signed") {
+        tlsCertPath = path.join(SSL_DIR, "dev-fullchain.pem");
+        tlsKeyPath = path.join(SSL_DIR, "dev-privkey.pem");
+        generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 30, ctx.exec);
+        console.log("WARNING: Self-signed certificates do not work with browsers.");
+        console.log("WebSocket connections will be rejected. Use --dev for local testing only.");
+        console.log("For browser access, re-run with Let's Encrypt: sudo bitcall-gateway init");
+      } else {
+        tlsCertPath = path.join(SSL_DIR, "bootstrap-fullchain.pem");
+        tlsKeyPath = path.join(SSL_DIR, "bootstrap-privkey.pem");
+        generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 1, ctx.exec);
+      }
 
-    const envContent = renderEnvContent(config, tlsCertPath, tlsKeyPath);
-    writeFileWithMode(ENV_PATH, envContent, 0o600);
-    writeComposeTemplate();
-  });
+      const envContent = renderEnvContent(config, tlsCertPath, tlsKeyPath);
+      writeFileWithMode(ENV_PATH, envContent, 0o600);
+      writeComposeTemplate(config);
+    });
 
-  await ctx.step("Start", async () => {
-    startGatewayStack(ctx.exec);
-    if (config.tlsMode === "letsencrypt") {
-      runLetsEncrypt(config, ctx.exec);
-    }
-    installGatewayService(ctx.exec);
-  });
+    await ctx.step("Start", async () => {
+      startGatewayStack(ctx.exec);
+      if (config.tlsMode === "letsencrypt") {
+        runLetsEncrypt(config, ctx.exec);
+      }
+      installGatewayService(ctx.exec);
+    });
 
-  await ctx.step("Done", async () => {});
+    await ctx.step("Done", async () => {});
 
-  console.log("\nGateway initialized.");
-  console.log(`WSS URL: wss://${config.domain}`);
-  if (config.turnMode !== "none") {
-    console.log(`TURN credentials URL: https://${config.domain}/turn-credentials`);
-  }
-  if (!ctx.verbose) {
-    console.log(`Install log: ${ctx.logPath}`);
+    console.log("");
+    console.log(clr(_c.bold + _c.green, "  ╔══════════════════════════════════════╗"));
+    console.log(
+      clr(_c.bold + _c.green, "  ║") +
+        "  Gateway is " +
+        clr(_c.bold + _c.green, "READY") +
+        "                  " +
+        clr(_c.bold + _c.green, "║")
+    );
+    console.log(clr(_c.bold + _c.green, "  ╚══════════════════════════════════════╝"));
+    console.log("");
+    console.log(`  ${clr(_c.bold, "WSS")}   ${clr(_c.cyan, `wss://${config.domain}`)}`);
+    if (config.turnMode === "coturn") {
+      console.log(`  ${clr(_c.bold, "TURN")}  ${clr(_c.cyan, `https://${config.domain}/turn-credentials`)}`);
+      console.log(`  ${clr(_c.bold, "STUN")}  ${clr(_c.cyan, `stun:${config.domain}:${config.turnUdpPort}`)}`);
+      console.log(`  ${clr(_c.bold, "TURN")}  ${clr(_c.cyan, `turn:${config.domain}:${config.turnUdpPort}`)}`);
+      console.log(
+        `  ${clr(_c.bold, "TURNS")} ${clr(_c.cyan, `turns:${config.domain}:${config.turnsTcpPort}`)}`
+      );
+    }
+    if (!ctx.verbose) {
+      console.log(`  ${clr(_c.dim, `Log:   ${ctx.logPath}`)}`);
+    }
+    console.log("");
+  } catch (error) {
+    if (previousConfig) {
+      restoreGatewayConfigFromBackup(previousConfig, "Initialization");
+    }
+    throw error;
   }
 }
 
 async function reconfigureCommand(options) {
   ensureInitialized();
   printBanner();
-  const ctx = createInstallContext(options);
+  const previousConfig = backupExistingGatewayConfig();
 
-  let preflight;
-  await ctx.step("Checks", async () => {
-    preflight = await runPreflight(ctx);
-  });
+  // Stop the running gateway so ports are free for preflight.
+  if (previousConfig) {
+    console.log("Stopping current gateway for reconfiguration...\n");
+    try {
+      runCompose(["down"], { stdio: "pipe" });
+    } catch (_e) {
+      // Ignore — gateway may already be stopped or config may be corrupted
+    }
+  }
 
-  const existingEnv = fs.existsSync(ENV_PATH) ? loadEnvFile(ENV_PATH) : {};
+  const ctx = createInstallContext(options);
+  try {
+    let preflight;
+    await ctx.step("Checks", async () => {
+      preflight = await runPreflight(ctx);
+    });
 
-  let config;
-  await ctx.step("Config", async () => {
-    config = await runWizard(existingEnv, preflight, options);
-  });
+    const existingEnv = fs.existsSync(ENV_PATH) ? loadEnvFile(ENV_PATH) : {};
 
-  ensureInstallLayout();
+    let config;
+    await ctx.step("Config", async () => {
+      config = await runWizard(existingEnv, preflight, options);
+    });
 
-  let tlsCertPath;
-  let tlsKeyPath;
+    ensureInstallLayout();
 
-  await ctx.step("Firewall", async () => {
-    if (config.configureUfw) {
-      const ufwReady = await ensureUfwAvailable(ctx);
-      if (ufwReady) {
-        configureFirewall(config, ctx.exec);
+    let tlsCertPath;
+    let tlsKeyPath;
+
+    await ctx.step("Firewall", async () => {
+      if (config.configureUfw) {
+        const ufwReady = await ensureUfwAvailable(ctx);
+        if (ufwReady) {
+          configureFirewall(config, ctx.exec);
+        } else {
+          config.configureUfw = false;
+          printRequiredPorts(config);
+        }
       } else {
-        config.configureUfw = false;
         printRequiredPorts(config);
       }
-    } else {
-      printRequiredPorts(config);
-    }
 
-    if (config.mediaIpv4Only === "1") {
-      try {
-        const applied = applyMediaIpv4OnlyRules(mediaFirewallOptionsFromConfig(config));
-        console.log(`Applied IPv6 media block rules (${applied.backend}).`);
-      } catch (error) {
-        console.error(`IPv6 media block setup failed: ${error.message}`);
-        config.mediaIpv4Only = "0";
+      if (config.mediaIpv4Only === "1") {
+        try {
+          const applied = applyMediaIpv4OnlyRules(mediaFirewallOptionsFromConfig(config));
+          console.log(`Applied IPv6 media block rules (${applied.backend}).`);
+        } catch (error) {
+          console.error(`IPv6 media block setup failed: ${error.message}`);
+          config.mediaIpv4Only = "0";
+        }
       }
-    }
-  });
+    });
 
-  await ctx.step("TLS", async () => {
-    if (config.tlsMode === "custom") {
-      const custom = provisionCustomCert(config);
-      tlsCertPath = custom.certPath;
-      tlsKeyPath = custom.keyPath;
-    } else if (config.tlsMode === "dev-self-signed") {
-      tlsCertPath = path.join(SSL_DIR, "dev-fullchain.pem");
-      tlsKeyPath = path.join(SSL_DIR, "dev-privkey.pem");
-      generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 30, ctx.exec);
-    } else {
-      // Keep existing LE cert if domain matches, otherwise re-provision.
-      const envMap = loadEnvFile(ENV_PATH);
-      if (envMap.TLS_MODE === "letsencrypt" && envMap.TLS_CERT && fs.existsSync(envMap.TLS_CERT)) {
-        tlsCertPath = envMap.TLS_CERT;
-        tlsKeyPath = envMap.TLS_KEY;
+    await ctx.step("TLS", async () => {
+      if (config.tlsMode === "custom") {
+        const custom = provisionCustomCert(config);
+        tlsCertPath = custom.certPath;
+        tlsKeyPath = custom.keyPath;
+      } else if (config.tlsMode === "dev-self-signed") {
+        tlsCertPath = path.join(SSL_DIR, "dev-fullchain.pem");
+        tlsKeyPath = path.join(SSL_DIR, "dev-privkey.pem");
+        generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 30, ctx.exec);
       } else {
-        tlsCertPath = path.join(SSL_DIR, "bootstrap-fullchain.pem");
-        tlsKeyPath = path.join(SSL_DIR, "bootstrap-privkey.pem");
-        generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 1, ctx.exec);
+        // Keep existing LE cert only when domain is unchanged and cert files still exist.
+        const envMap = loadEnvFile(ENV_PATH);
+        const sameDomain =
+          (envMap.DOMAIN || "").trim().toLowerCase() === (config.domain || "").trim().toLowerCase();
+        if (
+          envMap.TLS_MODE === "letsencrypt" &&
+          sameDomain &&
+          envMap.TLS_CERT &&
+          envMap.TLS_KEY &&
+          fs.existsSync(envMap.TLS_CERT) &&
+          fs.existsSync(envMap.TLS_KEY)
+        ) {
+          tlsCertPath = envMap.TLS_CERT;
+          tlsKeyPath = envMap.TLS_KEY;
+        } else {
+          tlsCertPath = path.join(SSL_DIR, "bootstrap-fullchain.pem");
+          tlsKeyPath = path.join(SSL_DIR, "bootstrap-privkey.pem");
+          generateSelfSigned(tlsCertPath, tlsKeyPath, config.domain, 1, ctx.exec);
+        }
       }
-    }
 
-    const envContent = renderEnvContent(config, tlsCertPath, tlsKeyPath);
-    writeFileWithMode(ENV_PATH, envContent, 0o600);
-    writeComposeTemplate();
-  });
+      const envContent = renderEnvContent(config, tlsCertPath, tlsKeyPath);
+      writeFileWithMode(ENV_PATH, envContent, 0o600);
+      writeComposeTemplate(config);
+    });
 
-  await ctx.step("Start", async () => {
-    startGatewayStack(ctx.exec);
-    if (config.tlsMode === "letsencrypt" && (!tlsCertPath || !tlsCertPath.includes("letsencrypt"))) {
-      runLetsEncrypt(config, ctx.exec);
-    }
-  });
+    await ctx.step("Start", async () => {
+      startGatewayStack(ctx.exec);
+      if (config.tlsMode === "letsencrypt" && (!tlsCertPath || !tlsCertPath.includes("letsencrypt"))) {
+        runLetsEncrypt(config, ctx.exec);
+      }
+    });
 
-  await ctx.step("Done", async () => {});
+    await ctx.step("Done", async () => {});
 
-  console.log("\nGateway reconfigured.");
-  console.log(`WSS URL: wss://${config.domain}`);
+    console.log("");
+    console.log(clr(_c.bold + _c.green, "  ╔══════════════════════════════════════╗"));
+    console.log(
+      clr(_c.bold + _c.green, "  ║") +
+        "  Gateway is " +
+        clr(_c.bold + _c.green, "READY") +
+        "                  " +
+        clr(_c.bold + _c.green, "║")
+    );
+    console.log(clr(_c.bold + _c.green, "  ╚══════════════════════════════════════╝"));
+    console.log("");
+    console.log(`  ${clr(_c.bold, "WSS")}   ${clr(_c.cyan, `wss://${config.domain}`)}`);
+    if (config.turnMode === "coturn") {
+      console.log(`  ${clr(_c.bold, "TURN")}  ${clr(_c.cyan, `https://${config.domain}/turn-credentials`)}`);
+      console.log(`  ${clr(_c.bold, "STUN")}  ${clr(_c.cyan, `stun:${config.domain}:${config.turnUdpPort}`)}`);
+      console.log(`  ${clr(_c.bold, "TURN")}  ${clr(_c.cyan, `turn:${config.domain}:${config.turnUdpPort}`)}`);
+      console.log(
+        `  ${clr(_c.bold, "TURNS")} ${clr(_c.cyan, `turns:${config.domain}:${config.turnsTcpPort}`)}`
+      );
+    }
+    if (!ctx.verbose) {
+      console.log(`  ${clr(_c.dim, `Log:   ${ctx.logPath}`)}`);
+    }
+    console.log("");
+  } catch (error) {
+    if (previousConfig) {
+      restoreGatewayConfigFromBackup(previousConfig, "Reconfigure");
+    }
+    throw error;
+  }
 }
 
 function runSystemctl(args, fallbackComposeArgs) {
@@ -1253,8 +1422,36 @@ function logsCommand(service, options) {
   runCompose(args, { stdio: "inherit" });
 }
 
+function sipTraceCommand() {
+  ensureInitialized();
+  const compose = detectComposeCommand();
+  const containerName = "bitcall-gateway";
+
+  // Check if sngrep is available in the container
+  const check = run(
+    compose.command,
+    [...compose.prefixArgs, "exec", "-T", containerName, "which", "sngrep"],
+    { cwd: GATEWAY_DIR, check: false, stdio: "pipe" }
+  );
+
+  if (check.status !== 0) {
+    console.error("sngrep is not available in this gateway image.");
+    console.error("Update to the latest image: sudo bitcall-gateway update");
+    process.exit(1);
+  }
+
+  // Run sngrep interactively inside the container
+  const result = run(
+    compose.command,
+    [...compose.prefixArgs, "exec", containerName, "sngrep"],
+    { cwd: GATEWAY_DIR, stdio: "inherit" }
+  );
+
+  process.exit(result.status || 0);
+}
+
 function formatMark(state) {
-  return state ? "✓" : "✗";
+  return state ? clr(_c.green, "✓") : clr(_c.red, "✗");
 }
 
 function statusCommand() {
@@ -1271,6 +1468,12 @@ function statusCommand() {
     "-lc",
     "docker ps --filter name=^bitcall-gateway$ --format '{{.Status}}'",
   ]);
+  const containerUp = Boolean(containerStatus);
+  const coturnStatus = output("sh", [
+    "-lc",
+    "docker ps --filter name=^bitcall-coturn$ --format '{{.Status}}'",
+  ]);
+  const coturnUp = Boolean(coturnStatus);
 
   const p80 = portInUse(Number.parseInt(envMap.ACME_LISTEN_PORT || "80", 10));
   const p443 = portInUse(Number.parseInt(envMap.WSS_LISTEN_PORT || "443", 10));
@@ -1292,10 +1495,13 @@ function statusCommand() {
 
   const mediaStatus = isMediaIpv4OnlyRulesPresent();
 
-  console.log("Bitcall Gateway Status\n");
+  console.log(`\n${clr(_c.bold + _c.cyan, "  Bitcall Gateway Status")}\n`);
   console.log(`Gateway service: ${formatMark(active)} ${active ? "running" : "stopped"}`);
   console.log(`Auto-start: ${formatMark(enabled)} ${enabled ? "enabled" : "disabled"}`);
-  console.log(`Container: ${containerStatus || "not running"}`);
+  console.log(`Container: ${formatMark(containerUp)} ${containerStatus || "not running"}`);
+  if (envMap.TURN_MODE === "coturn") {
+    console.log(`Coturn container: ${formatMark(coturnUp)} ${coturnStatus || "not running"}`);
+  }
   console.log("");
   console.log(`Port ${envMap.ACME_LISTEN_PORT || "80"}: ${formatMark(p80.inUse)} listening`);
   console.log(`Port ${envMap.WSS_LISTEN_PORT || "443"}: ${formatMark(p443.inUse)} listening`);
@@ -1410,19 +1616,18 @@ function updateCommand() {
   const targetImage = DEFAULT_GATEWAY_IMAGE;
 
   if (currentImage === targetImage) {
-    console.log(`Image is current: ${targetImage}`);
+    console.log(`${clr(_c.green, "✓")} Image is current: ${clr(_c.dim, targetImage)}`);
     console.log("Checking for newer image layers...");
   } else {
-    console.log(`Updating image: ${currentImage || "(none)"} → ${targetImage}`);
+    console.log(`${clr(_c.yellow, "→")} Updating: ${clr(_c.dim, currentImage || "(none)")} → ${clr(_c.bold, targetImage)}`);
     updateGatewayEnv({ BITCALL_GATEWAY_IMAGE: targetImage });
   }
 
   runCompose(["pull"], { stdio: "inherit" });
   runSystemctl(["reload", SERVICE_NAME], ["up", "-d", "--remove-orphans"]);
 
-  console.log(`\nGateway updated to ${PACKAGE_VERSION}.`);
-  console.log("To update the CLI itself:");
-  console.log("  sudo npm i -g @bitcall/webrtc-sip-gateway@latest");
+  console.log(`\n${clr(_c.green, "✓")} Gateway updated to ${clr(_c.bold, PACKAGE_VERSION)}.`);
+  console.log(clr(_c.dim, "  To update the CLI: sudo npm i -g @bitcall/webrtc-sip-gateway@latest"));
 }
 
 function mediaStatusCommand() {
@@ -1531,12 +1736,12 @@ async function uninstallCommand(options) {
     fs.rmSync(GATEWAY_DIR, { recursive: true, force: true });
   }
 
-  console.log("Gateway uninstalled.");
+  console.log(`\n${clr(_c.green, "✓")} ${clr(_c.bold, "Gateway uninstalled.")}`);
   const domain = uninstallEnv.DOMAIN || "";
-  console.log("\nTo remove the CLI:");
+  console.log(`\n${clr(_c.dim, "To remove the CLI:")}`);
   console.log("  sudo npm uninstall -g @bitcall/webrtc-sip-gateway");
   if (domain && uninstallEnv.TLS_MODE === "letsencrypt") {
-    console.log("\nTo remove Let's Encrypt certificate:");
+    console.log(`\n${clr(_c.dim, "To remove Let's Encrypt certificate:")}`);
     console.log(`  sudo certbot delete --cert-name ${domain}`);
   }
 }
@@ -1552,6 +1757,7 @@ function configCommand() {
 }
 
 function buildProgram() {
+  const { Command } = require("commander");
   const program = new Command();
 
   program
@@ -1582,6 +1788,10 @@ function buildProgram() {
     .option("--no-follow", "Print and exit")
     .option("--tail <lines>", "Number of lines", "200")
     .action(logsCommand);
+  program
+    .command("sip-trace")
+    .description("Live SIP message viewer (sngrep)")
+    .action(sipTraceCommand);
 
   const cert = program.command("cert").description("Certificate operations");
   cert.command("status").description("Show current certificate info").action(certStatusCommand);

package/templates/coturn-service.yml.template

@@ -0,0 +1,39 @@
+  coturn:
+    image: coturn/coturn:latest
+    container_name: bitcall-coturn
+    network_mode: host
+    read_only: true
+    tmpfs:
+      - /tmp:rw,nosuid,nodev
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - ${TLS_CERT}:/etc/ssl/cert.pem:ro
+      - ${TLS_KEY}:/etc/ssl/key.pem:ro
+    command: >
+      -n
+      --realm=${DOMAIN}
+      --external-ip=${PUBLIC_IP}
+      --listening-port=${TURN_UDP_PORT:-3478}
+      --tls-listening-port=${TURNS_TCP_PORT:-5349}
+      --cert=/etc/ssl/cert.pem
+      --pkey=/etc/ssl/key.pem
+      --use-auth-secret
+      --static-auth-secret=${TURN_SECRET}
+      --min-port=${TURN_RELAY_MIN_PORT:-49152}
+      --max-port=${TURN_RELAY_MAX_PORT:-49252}
+      --no-cli
+      --denied-peer-ip=0.0.0.0-0.255.255.255
+      --denied-peer-ip=10.0.0.0-10.255.255.255
+      --denied-peer-ip=127.0.0.0-127.255.255.255
+      --denied-peer-ip=172.16.0.0-172.31.255.255
+      --denied-peer-ip=192.168.0.0-192.168.255.255
+      --channel-lifetime=600
+      --permission-lifetime=300
+      --stale-nonce=600
+    restart: always
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"