@calltelemetry/cli 0.6.12 → 0.6.13

package/dist/shell/network-onboarding.js

@@ -1,13 +1,14 @@
 /**
  * network-onboarding.ts — First-boot setup wizard for ct shell.
  *
- * Six-step wizard that collects all configuration atomically before applying:
+ * Seven-step wizard that collects all configuration atomically before applying:
  *   1. Network (IP/DHCP, DNS, search domain)
- *   2. System Identity (hostname, location)
- *   3. Admin Credentials (root password)
- *   4. Timezone
- *   5. NTP Time Servers
+ *   2. Timezone
+ *   3. NTP Time Servers
+ *   4. System Identity (hostname, location)
+ *   5. Admin Credentials (root password)
  *   6. Preferences (auto-update, IPv6, JTAPI)
+ *   7. Performance Profile (small/medium/large)
  *
  * After collection, shows a unified summary and offers Apply/Edit/Cancel.
  * Apply phase runs all changes sequentially with progress output.
@@ -15,12 +16,13 @@
  */
 import * as readline from 'node:readline';
 import { execSync, spawnSync } from 'node:child_process';
-import { writeFileSync } from 'node:fs';
+import { existsSync, writeFileSync } from 'node:fs';
 import chalk from 'chalk';
-import { savePrefs } from '../lib/prefs.js';
+import { loadPrefs, savePrefs } from '../lib/prefs.js';
 import { getHostname, isValidHostname, buildFqdn, applyHostname, applyAdminPassword, isStrongPassword, } from '../lib/identity.js';
 import { getSystemTimezone, TIMEZONE_REGIONS, searchTimezones, isValidTimezone, applyTimezone, applyNtpServers, checkNtpSync, DEFAULT_NTP, } from '../lib/time.js';
 import { generateSelfSignedCerts, getCertInfo } from '../lib/certs.js';
+import { PROFILES, getSystemRamMb, getSystemCpuCount, recommendedProfile, meetsRamRequirement, applyProfile, detectCurrentProfile, } from './commands/appliance-performance.js';
 export { buildFqdn } from '../lib/identity.js';
 export const NETWORK_SENTINEL = '/etc/ct-network-configured';
 const DEFAULT_DNS1 = '8.8.8.8';
@@ -99,13 +101,86 @@ export function pingGateway(gateway) {
         return null;
     }
 }
-/** Write the network sentinel (falls back to sudo touch). */
-export function writeSentinel() {
+/** Test if a DNS server can resolve a well-known domain. Returns true on success. */
+function testDnsServer(server) {
     try {
-        writeFileSync(NETWORK_SENTINEL, '');
+        const result = spawnSync('nslookup', ['google.com', server], {
+            encoding: 'utf-8',
+            timeout: 5000,
+        });
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+/** Ask for a DNS server, test resolution, offer retry on failure. */
+async function askAndTestDns(ask, label, defaultValue) {
+    const padded = label.length < 13 ? label.padEnd(13) : label;
+    while (true) {
+        const raw = await ask(chalk.bold(`  ${padded} [${defaultValue}]             : `));
+        const server = parseDnsField(raw, defaultValue);
+        if (!isValidIp(server)) {
+            console.log(chalk.red(`    ✗ Invalid IP address`));
+            continue;
+        }
+        process.stdout.write(chalk.dim(`    Testing DNS resolution via ${server} ... `));
+        if (testDnsServer(server)) {
+            console.log(chalk.green('✓ working'));
+            return server;
+        }
+        else {
+            console.log(chalk.yellow('✗ resolution failed'));
+            const retry = (await ask(chalk.yellow('    Re-enter DNS server? [Y/n]: '))).trim().toLowerCase();
+            if (retry === 'n') {
+                console.log(chalk.dim('    Continuing with unresponsive DNS — may work after config is applied'));
+                return server;
+            }
+        }
+    }
+}
+/** Write the network sentinel with config state (no sensitive values). */
+export function writeSentinel(state) {
+    const sentinel = state ? {
+        mode: state.mode ?? 'dhcp',
+        ip: state.ip,
+        prefix: state.prefix,
+        gateway: state.gateway,
+        dns1: state.dns1,
+        dns2: state.dns2,
+        searchDomain: state.searchDomain,
+        iface: state.iface,
+        hostname: state.hostname,
+        location: state.location,
+        timezone: state.timezone,
+        ntp1: state.ntp1,
+        ntp2: state.ntp2,
+        configuredAt: new Date().toISOString(),
+    } : { mode: 'dhcp', configuredAt: new Date().toISOString() };
+    const content = JSON.stringify(sentinel, null, 2);
+    try {
+        writeFileSync(NETWORK_SENTINEL, content);
     }
     catch {
-        spawnSync('sudo', ['touch', NETWORK_SENTINEL]);
+        // Fall back to sudo write via temp file
+        const tmp = `/tmp/ct-sentinel-${Date.now()}.json`;
+        writeFileSync(tmp, content);
+        spawnSync('sudo', ['mv', tmp, NETWORK_SENTINEL]);
+    }
+}
+/** Read saved sentinel state, or null if not configured / empty. */
+export function readSentinel() {
+    try {
+        if (!existsSync(NETWORK_SENTINEL))
+            return null;
+        const { readFileSync } = require('node:fs');
+        const raw = readFileSync(NETWORK_SENTINEL, 'utf-8').trim();
+        if (!raw || raw.length < 2)
+            return null;
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
     }
 }
 /** Apply static IP via nmcli. Returns true on success. */
@@ -149,6 +224,44 @@ export function applyDhcp(iface) {
 function makeAsker(rl) {
     return (question) => new Promise((resolve) => rl.question(question, resolve));
 }
+/** Prompt for password with masked input (shows * for each character) */
+function askMasked(prompt) {
+    return new Promise(resolve => {
+        const { stdin, stdout } = process;
+        stdout.write(prompt);
+        const chars = [];
+        const wasRaw = stdin.isRaw;
+        stdin.setRawMode?.(true);
+        stdin.resume();
+        const onData = (buf) => {
+            const ch = buf.toString('utf8');
+            if (ch === '\r' || ch === '\n') {
+                stdin.removeListener('data', onData);
+                stdin.setRawMode?.(wasRaw ?? false);
+                stdout.write('\n');
+                resolve(chars.join(''));
+            }
+            else if (ch === '\x7f' || ch === '\b') {
+                if (chars.length > 0) {
+                    chars.pop();
+                    stdout.write('\b \b');
+                }
+            }
+            else if (ch === '\x03') {
+                // Ctrl+C
+                stdin.removeListener('data', onData);
+                stdin.setRawMode?.(wasRaw ?? false);
+                stdout.write('\n');
+                resolve('');
+            }
+            else if (ch >= ' ') {
+                chars.push(ch);
+                stdout.write('*');
+            }
+        };
+        stdin.on('data', onData);
+    });
+}
 // ── Step progress helper ─────────────────────────────────────────────────────
 function stepProgress(label, ok) {
     if (ok) {
@@ -161,7 +274,7 @@ function stepProgress(label, ok) {
 // ── Step 1: Network ──────────────────────────────────────────────────────────
 async function stepNetwork(ask, state) {
     console.log('');
-    console.log(chalk.bold.cyan('  Step 1 of 6 — Network'));
+    console.log(chalk.bold.cyan('  Step 1 of 7 — Network'));
     console.log(chalk.dim('  ────────────────────────────────────────'));
     const iface = detectIface();
     state.iface = iface;
@@ -179,8 +292,11 @@ async function stepNetwork(ask, state) {
         console.log(chalk.cyan('  Network mode:'));
         console.log(chalk.dim('    1  Keep current DHCP configuration'));
         console.log(chalk.dim('    2  Configure static IP'));
+        console.log(chalk.dim('    3  Skip setup and exit to shell'));
         console.log('');
         const mode = (await ask(chalk.bold('  Choice [1]: '))).trim() || '1';
+        if (mode === '3')
+            return 'skip';
         if (mode === '2') {
             state.mode = 'static';
         }
@@ -193,8 +309,11 @@ async function stepNetwork(ask, state) {
         console.log(chalk.cyan('  Network mode:'));
         console.log(chalk.dim('    1  Static IP'));
         console.log(chalk.dim('    2  DHCP (auto)'));
+        console.log(chalk.dim('    3  Skip setup and exit to shell'));
         console.log('');
         const mode = (await ask(chalk.bold('  Choice [1]: '))).trim() || '1';
+        if (mode === '3')
+            return 'skip';
         if (mode === '2') {
             state.mode = 'dhcp';
         }
@@ -243,55 +362,43 @@ async function stepNetwork(ask, state) {
             console.log(chalk.green(`    ✓ Subnet: /${prefix}`));
         }
         state.prefix = prefix;
-        let gateway = '';
-        while (!isValidGateway(gateway)) {
-            gateway = (await ask(chalk.bold('  Gateway      (e.g. 192.168.1.1)     : '))).trim();
-            if (!isValidGateway(gateway))
-                console.log(chalk.red('    ✗ Invalid gateway — enter a valid IPv4 address'));
-        }
-        state.gateway = gateway;
-    }
-    // DNS (applies to both modes)
-    const dns1Raw = await ask(chalk.bold(`  Primary DNS  [${DEFAULT_DNS1}]             : `));
-    state.dns1 = parseDnsField(dns1Raw, DEFAULT_DNS1);
-    const dns2Raw = await ask(chalk.bold(`  Secondary DNS [${DEFAULT_DNS2}]           : `));
-    state.dns2 = parseDnsField(dns2Raw, DEFAULT_DNS2);
+        // Gateway — validate format, then test reachability with retry option
+        while (true) {
+            let gateway = '';
+            while (!isValidGateway(gateway)) {
+                gateway = (await ask(chalk.bold('  Gateway      (e.g. 192.168.1.1)     : '))).trim();
+                if (!isValidGateway(gateway))
+                    console.log(chalk.red('    ✗ Invalid gateway — enter a valid IPv4 address'));
+            }
+            process.stdout.write(chalk.dim(`    Checking connectivity to ${gateway} ... `));
+            const latency = pingGateway(gateway);
+            if (latency !== null) {
+                console.log(chalk.green(`✓ reachable (${latency}ms)`));
+                state.gateway = gateway;
+                break;
+            }
+            else {
+                console.log(chalk.yellow(`✗ unreachable`));
+                const retry = (await ask(chalk.yellow('    Re-enter gateway? [Y/n]: '))).trim().toLowerCase();
+                if (retry === 'n') {
+                    console.log(chalk.dim('    Continuing with unreachable gateway — may work after config is applied'));
+                    state.gateway = gateway;
+                    break;
+                }
+            }
+        }
+    }
+    // DNS — validate each server can resolve, with retry option
+    state.dns1 = await askAndTestDns(ask, 'Primary DNS', DEFAULT_DNS1);
+    state.dns2 = await askAndTestDns(ask, 'Secondary DNS', DEFAULT_DNS2);
     // Search domain
     const domainRaw = await ask(chalk.bold(`  Search domain [${DEFAULT_SEARCH_DOMAIN}]            : `));
     state.searchDomain = parseDnsField(domainRaw, DEFAULT_SEARCH_DOMAIN);
-    // Quick connectivity check
-    console.log('');
-    console.log(chalk.dim('  Quick connectivity check...'));
-    if (state.mode === 'static' && state.gateway) {
-        const ms = pingGateway(state.gateway);
-        if (ms !== null) {
-            console.log(chalk.green(`  ✓ Gateway ${state.gateway} reachable (${ms}ms)`));
-        }
-        else {
-            console.log(chalk.yellow(`  ⚠ Gateway ${state.gateway} not reachable — may work after apply`));
-        }
-    }
-    // DNS resolve test
-    try {
-        const result = spawnSync('nslookup', ['google.com', state.dns1], {
-            encoding: 'utf-8',
-            timeout: 5000,
-        });
-        if (result.status === 0) {
-            console.log(chalk.green(`  ✓ DNS resolution via ${state.dns1} working`));
-        }
-        else {
-            console.log(chalk.yellow(`  ⚠ DNS resolution via ${state.dns1} failed — may work after apply`));
-        }
-    }
-    catch {
-        console.log(chalk.yellow(`  ⚠ DNS check skipped — nslookup not available`));
-    }
 }
 // ── Step 2: System Identity ──────────────────────────────────────────────────
 async function stepIdentity(ask, state) {
     console.log('');
-    console.log(chalk.bold.cyan('  Step 4 of 6 — System Identity'));
+    console.log(chalk.bold.cyan('  Step 4 of 7 — System Identity'));
     console.log(chalk.dim('  ────────────────────────────────────────'));
     const currentHostname = getHostname();
     // Hostname
@@ -317,21 +424,21 @@ async function stepIdentity(ask, state) {
     console.log(chalk.dim('    config certs import <cert.pem> <key.pem>'));
 }
 // ── Step 3: Admin Credentials ────────────────────────────────────────────────
-async function stepAdmin(ask, state) {
+async function stepAdmin(_ask, state) {
     console.log('');
-    console.log(chalk.bold.cyan('  Step 5 of 6 — Admin Credentials'));
+    console.log(chalk.bold.cyan('  Step 5 of 7 — Admin Credentials'));
     console.log(chalk.dim('  ────────────────────────────────────────'));
     console.log(chalk.yellow('  Default passwords should be changed before production use.'));
     console.log(chalk.dim('  Minimum 8 characters.'));
     console.log('');
     while (true) {
-        const pw = (await ask(chalk.bold('  New admin password: '))).trim();
+        const pw = (await askMasked(chalk.bold('  New admin password: '))).trim();
         const check = isStrongPassword(pw);
         if (!check.valid) {
             console.log(chalk.red(`    ✗ ${check.reason}`));
             continue;
         }
-        const confirm = (await ask(chalk.bold('  Confirm password:   '))).trim();
+        const confirm = (await askMasked(chalk.bold('  Confirm password:   '))).trim();
         if (confirm !== pw) {
             console.log(chalk.red('    ✗ Passwords do not match'));
             continue;
@@ -344,7 +451,7 @@ async function stepAdmin(ask, state) {
 // ── Step 4: Timezone ─────────────────────────────────────────────────────────
 async function stepTimezone(ask, state) {
     console.log('');
-    console.log(chalk.bold.cyan('  Step 2 of 6 — Timezone'));
+    console.log(chalk.bold.cyan('  Step 2 of 7 — Timezone'));
     console.log(chalk.dim('  ────────────────────────────────────────'));
     const currentTz = getSystemTimezone();
     console.log(chalk.dim(`  Current timezone: ${currentTz}`));
@@ -436,7 +543,7 @@ async function stepTimezone(ask, state) {
 // ── Step 5: NTP ──────────────────────────────────────────────────────────────
 async function stepNtp(ask, state) {
     console.log('');
-    console.log(chalk.bold.cyan('  Step 3 of 6 — NTP Time Servers'));
+    console.log(chalk.bold.cyan('  Step 3 of 7 — NTP Time Servers'));
     console.log(chalk.dim('  ────────────────────────────────────────'));
     const ntp1Raw = await ask(chalk.bold(`  NTP Server 1 [${DEFAULT_NTP[0]}]: `));
     state.ntp1 = parseDnsField(ntp1Raw, DEFAULT_NTP[0]);
@@ -447,7 +554,7 @@ async function stepNtp(ask, state) {
 // ── Step 6: Preferences ──────────────────────────────────────────────────────
 async function stepPreferences(ask, state) {
     console.log('');
-    console.log(chalk.bold.cyan('  Step 6 of 6 — Preferences'));
+    console.log(chalk.bold.cyan('  Step 6 of 7 — Preferences'));
     console.log(chalk.dim('  ────────────────────────────────────────'));
     // Auto-updates
     const autoUpdate = (await ask(chalk.bold('  Enable automatic CLI updates?    [Y/n]: '))).trim().toLowerCase();
@@ -466,6 +573,67 @@ async function stepPreferences(ask, state) {
     state.jtapi = jtapi === 'y' || jtapi === 'yes';
     console.log(state.jtapi ? chalk.green('    ✓ JTAPI greeting injection enabled') : chalk.dim('    ○ JTAPI greeting injection disabled'));
 }
+// ── Step 7: Performance Profile ──────────────────────────────────────────
+const PROFILE_NAMES = ['small', 'medium', 'large'];
+async function stepPerformance(ask, state) {
+    console.log('');
+    console.log(chalk.bold.cyan('  Step 7 of 7 — Performance Profile'));
+    console.log(chalk.dim('  ────────────────────────────────────────'));
+    // Check if already configured
+    const existing = detectCurrentProfile();
+    if (existing) {
+        console.log(chalk.dim(`  Current profile: ${PROFILES[existing].description}`));
+    }
+    // Detect hardware
+    const ramMb = getSystemRamMb();
+    const cpus = getSystemCpuCount();
+    const ramStr = ramMb > 0 ? `${(ramMb / 1024).toFixed(0)} GB` : 'unknown';
+    const cpuStr = cpus > 0 ? `${cpus} vCPUs` : 'unknown';
+    console.log(chalk.dim(`  Detected: ${ramStr} RAM, ${cpuStr}`));
+    console.log('');
+    // Determine recommended profile
+    const rec = ramMb > 0 ? recommendedProfile(ramMb) : 'small';
+    console.log(chalk.cyan('  Choose a performance profile:'));
+    console.log('');
+    for (let i = 0; i < PROFILE_NAMES.length; i++) {
+        const name = PROFILE_NAMES[i];
+        const p = PROFILES[name];
+        const isRec = name === rec;
+        const label = isRec ? `${p.description}  (recommended for this hardware)` : p.description;
+        const marker = isRec ? chalk.green(`  > ${i + 1}  ${label}`) : chalk.dim(`    ${i + 1}  ${label}`);
+        console.log(marker);
+        console.log(chalk.dim(`       ${p.capacity}`));
+        console.log(chalk.dim(`       Minimum: ${p.hardware}`));
+        console.log('');
+    }
+    // Default to recommended
+    const recIdx = PROFILE_NAMES.indexOf(rec) + 1;
+    const choice = (await ask(chalk.bold(`  Choice [${recIdx}]: `))).trim() || String(recIdx);
+    const idx = parseInt(choice, 10) - 1;
+    if (isNaN(idx) || idx < 0 || idx >= PROFILE_NAMES.length) {
+        console.log(chalk.red('    ✗ Invalid selection — using recommended profile'));
+        state.performanceProfile = rec;
+    }
+    else {
+        state.performanceProfile = PROFILE_NAMES[idx];
+    }
+    const selected = state.performanceProfile;
+    const profile = PROFILES[selected];
+    // Warn if hardware doesn't meet requirements
+    if (ramMb > 0 && !meetsRamRequirement(ramMb, selected)) {
+        const ramGb = (ramMb / 1024).toFixed(1);
+        console.log('');
+        console.log(chalk.yellow(`  ⚠ Your system has ${ramGb} GB RAM but ${profile.description} requires ${profile.hardware}.`));
+        console.log(chalk.yellow('    Performance may suffer.'));
+        const confirm = (await ask(chalk.bold('    Continue anyway? [y/N]: '))).trim().toLowerCase();
+        if (confirm !== 'y' && confirm !== 'yes') {
+            console.log(chalk.dim('    Falling back to recommended profile.'));
+            state.performanceProfile = rec;
+        }
+    }
+    const final = PROFILES[state.performanceProfile];
+    console.log(chalk.green(`    ✓ Performance profile: ${final.description}`));
+}
 // ── Summary ──────────────────────────────────────────────────────────────────
 /** Render a full summary of the wizard state. Exported for testing. */
 export function renderSummary(state) {
@@ -512,6 +680,15 @@ export function renderSummary(state) {
     add(`  Auto-updates   : ${state.autoUpdate ? chalk.green('Yes') : chalk.dim('No')}`);
     add(`  IPv6           : ${state.ipv6 ? chalk.green('Yes') : chalk.dim('No')}`);
     add(`  JTAPI Greetings: ${state.jtapi ? chalk.green('Yes') : chalk.dim('No')}`);
+    // PERFORMANCE
+    if (state.performanceProfile) {
+        const perf = PROFILES[state.performanceProfile];
+        add('');
+        add(chalk.cyan('  PERFORMANCE'));
+        add(chalk.dim('  ────────────────────────────────────────'));
+        add(`  Profile        : ${chalk.bold(perf.description)}`);
+        add(`  Capacity       : ${perf.capacity}`);
+    }
     add('');
     return lines.join('\n');
 }
@@ -563,7 +740,18 @@ async function applyWizardState(state) {
     stepProgress('Configure NTP servers', ntpOk);
     if (!ntpOk)
         allOk = false;
-    // 7. Save preferences + write sentinel BEFORE cert gen
+    // 7. Performance profile
+    if (state.performanceProfile) {
+        try {
+            await applyProfile(state.performanceProfile);
+            stepProgress('Apply performance profile', true);
+        }
+        catch {
+            stepProgress('Apply performance profile', false);
+            allOk = false;
+        }
+    }
+    // 8. Save preferences + write sentinel BEFORE cert gen
     //    (so wizard doesn't re-run even if cert generation fails)
     const prefs = {
         autoUpdate: state.autoUpdate,
@@ -682,6 +870,7 @@ const STEP_FUNCTIONS = [
     stepIdentity, // 4. Hostname + location
     stepAdmin, // 5. Admin password
     stepPreferences, // 6. Feature preferences
+    stepPerformance, // 7. Performance profile
 ];
 const STEP_NAMES = [
     'Network',
@@ -690,6 +879,7 @@ const STEP_NAMES = [
     'System Identity',
     'Admin Credentials',
     'Preferences',
+    'Performance Profile',
 ];
 // ── Main entry point ─────────────────────────────────────────────────────────
 /**
@@ -698,32 +888,91 @@ const STEP_NAMES = [
  * Collects all configuration, then applies atomically.
  */
 export async function runNetworkOnboarding() {
+    const saved = readSentinel();
+    const isReconfigure = saved !== null;
     console.log('');
-    console.log(chalk.bold.cyan('  Call Telemetry — First-Boot Setup'));
+    console.log(chalk.bold.cyan(isReconfigure
+        ? '  Call Telemetry — Reconfigure'
+        : '  Call Telemetry — First-Boot Setup'));
     console.log(chalk.dim('  ═══════════════════════════════════════'));
     const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
     const ask = makeAsker(rl);
     try {
-        // Initialize state with defaults
+        // Initialize state — restore from sentinel if reconfiguring
+        const prefs = loadPrefs();
         const state = {
-            mode: 'dhcp',
-            dns1: DEFAULT_DNS1,
-            dns2: DEFAULT_DNS2,
-            searchDomain: DEFAULT_SEARCH_DOMAIN,
-            iface: 'eth0',
-            hostname: getHostname(),
-            location: '',
+            mode: saved?.mode ?? 'dhcp',
+            ip: saved?.ip,
+            prefix: saved?.prefix,
+            gateway: saved?.gateway,
+            dns1: saved?.dns1 ?? DEFAULT_DNS1,
+            dns2: saved?.dns2 ?? DEFAULT_DNS2,
+            searchDomain: saved?.searchDomain ?? DEFAULT_SEARCH_DOMAIN,
+            iface: saved?.iface ?? detectIface(),
+            hostname: saved?.hostname ?? getHostname(),
+            location: saved?.location ?? '',
             adminPassword: '',
-            timezone: getSystemTimezone(),
-            ntp1: DEFAULT_NTP[0],
-            ntp2: DEFAULT_NTP[1],
-            autoUpdate: true,
-            ipv6: false,
-            jtapi: false,
+            timezone: saved?.timezone ?? getSystemTimezone(),
+            ntp1: saved?.ntp1 ?? DEFAULT_NTP[0],
+            ntp2: saved?.ntp2 ?? DEFAULT_NTP[1],
+            autoUpdate: prefs?.autoUpdate ?? true,
+            ipv6: prefs?.ipv6 ?? false,
+            jtapi: prefs?.jtapi ?? false,
         };
-        // Run steps 1-6 sequentially
-        for (const stepFn of STEP_FUNCTIONS) {
-            await stepFn(ask, state);
+        if (isReconfigure) {
+            // Show current config and let user pick what to change
+            console.log(renderSummary(state));
+            console.log(chalk.bold('  Select a section to reconfigure, or press Enter to exit:'));
+            console.log('');
+            for (let i = 0; i < STEP_NAMES.length; i++) {
+                console.log(chalk.dim(`    ${i + 1}  ${STEP_NAMES[i]}`));
+            }
+            console.log(chalk.dim('    A  Reconfigure everything'));
+            console.log('');
+            const choice = (await ask(chalk.bold('  Choice [Enter=done]: '))).trim().toLowerCase();
+            if (choice === '') {
+                console.log(chalk.dim('\n  No changes. Current configuration retained.\n'));
+                return;
+            }
+            if (choice === 'a') {
+                // Run all steps
+                for (const stepFn of STEP_FUNCTIONS) {
+                    await stepFn(ask, state);
+                }
+            }
+            else {
+                const stepIdx = parseInt(choice, 10) - 1;
+                if (stepIdx >= 0 && stepIdx < STEP_FUNCTIONS.length) {
+                    await STEP_FUNCTIONS[stepIdx](ask, state);
+                }
+                else {
+                    console.log(chalk.red('    ✗ Invalid choice'));
+                    return;
+                }
+            }
+        }
+        else {
+            // First boot — run all steps sequentially
+            for (const stepFn of STEP_FUNCTIONS) {
+                const result = await stepFn(ask, state);
+                // Step 1 returns 'skip' if user chose to skip setup entirely
+                if (result === 'skip') {
+                    writeSentinel(state);
+                    if (!loadPrefs()) {
+                        savePrefs({
+                            autoUpdate: true,
+                            ipv6: false,
+                            otel: false,
+                            jtapi: false,
+                            deploymentMode: 'docker-compose',
+                            k8sNamespace: 'default',
+                            k8sEnvironment: 'ct-prod',
+                        });
+                    }
+                    console.log(chalk.green('\n  ✓ Setup skipped. Run "ct setup" anytime to configure.\n'));
+                    return;
+                }
+            }
         }
         // Show/edit/apply loop
         while (true) {
@@ -742,7 +991,7 @@ export async function runNetworkOnboarding() {
                     console.log(chalk.dim(`    ${i + 1}  ${STEP_NAMES[i]}`));
                 }
                 console.log('');
-                const stepChoice = (await ask(chalk.bold('  Which step? [1-6]: '))).trim();
+                const stepChoice = (await ask(chalk.bold('  Which step? [1-7]: '))).trim();
                 const stepIdx = parseInt(stepChoice, 10) - 1;
                 if (stepIdx >= 0 && stepIdx < STEP_FUNCTIONS.length) {
                     await STEP_FUNCTIONS[stepIdx](ask, state);
@@ -755,6 +1004,8 @@ export async function runNetworkOnboarding() {
             if (action === 'a' || action === '') {
                 // Apply all
                 const ok = await applyWizardState(state);
+                // Save config to sentinel (no sensitive values)
+                writeSentinel(state);
                 if (ok) {
                     console.log('');
                     console.log(chalk.green('  ✓ All configuration applied successfully'));