@lifeaitools/clauth 0.7.5 → 1.1.0

package/cli/commands/tunnel.js

@@ -0,0 +1,210 @@
+// cli/commands/tunnel.js
+// clauth tunnel setup — configures Cloudflare named tunnel for claude.ai web integration
+
+import { execSync, spawnSync } from "child_process";
+import os from "os";
+import path from "path";
+import fs from "fs";
+import readline from "readline";
+
+function ask(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(resolve => rl.question(question, ans => { rl.close(); resolve(ans.trim()); }));
+}
+
+async function actionTunnelSetup() {
+  console.log("\n  clauth tunnel setup\n");
+  console.log("  This wizard configures a Cloudflare named tunnel so claude.ai web");
+  console.log("  can connect to your local clauth daemon without exposing any ports.\n");
+
+  // Step 1: Check cloudflared is installed
+  try {
+    execSync("cloudflared --version", { stdio: "ignore" });
+    console.log("  ✓ cloudflared detected\n");
+  } catch {
+    console.log("  ✗ cloudflared not found.\n");
+    console.log("  Install it first:");
+    console.log("  Windows: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/");
+    console.log("  Or via winget: winget install Cloudflare.cloudflared\n");
+    process.exit(1);
+  }
+
+  // Step 2: Authenticate with Cloudflare
+  console.log("  Step 1/4 — Authenticate with Cloudflare");
+  console.log("  This will open your browser to log in.\n");
+  const doAuth = await ask("  Proceed? (y/n): ");
+  if (doAuth.toLowerCase() !== "y") { console.log("  Aborted."); process.exit(0); }
+
+  try {
+    spawnSync("cloudflared", ["tunnel", "login"], { stdio: "inherit" });
+    console.log("  ✓ Authenticated\n");
+  } catch (e) {
+    console.error("  ✗ Login failed:", e.message);
+    process.exit(1);
+  }
+
+  // Step 3: Create tunnel
+  console.log("  Step 2/4 — Create named tunnel");
+  const tunnelName = await ask("  Tunnel name (default: clauth): ") || "clauth";
+
+  let tunnelId;
+  try {
+    const result = execSync(`cloudflared tunnel create ${tunnelName}`, { encoding: "utf8" });
+    const match = result.match(/Created tunnel (.+) with id ([a-f0-9-]+)/i);
+    if (match) tunnelId = match[2];
+    console.log(`  ✓ Tunnel created: ${tunnelName} (${tunnelId || "see above"})\n`);
+  } catch (e) {
+    // Tunnel may already exist
+    console.log("  (Tunnel may already exist — continuing)\n");
+    try {
+      const listResult = execSync(`cloudflared tunnel list`, { encoding: "utf8" });
+      const lines = listResult.split("\n");
+      for (const line of lines) {
+        if (line.toLowerCase().includes(tunnelName.toLowerCase())) {
+          const parts = line.trim().split(/\s+/);
+          if (parts[0] && parts[0].includes("-")) tunnelId = parts[0];
+        }
+      }
+    } catch {
+      // ignore list errors
+    }
+  }
+
+  // Step 4: Configure hostname
+  console.log("  Step 3/4 — Set public hostname");
+  const hostname = await ask("  Public hostname (e.g. clauth.yourdomain.com): ");
+  if (!hostname) { console.log("  Hostname required."); process.exit(1); }
+
+  // Write config.yml
+  const cfDir = path.join(os.homedir(), ".cloudflared");
+  if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+
+  const configPath = path.join(cfDir, "config.yml");
+  const credFile = tunnelId ? path.join(cfDir, `${tunnelId}.json`) : `<tunnel-id>.json`;
+  const config = `tunnel: ${tunnelId || tunnelName}
+credentials-file: ${credFile}
+ingress:
+  - hostname: ${hostname}
+    service: http://127.0.0.1:52437
+  - service: http_status:404
+`;
+  fs.writeFileSync(configPath, config, "utf8");
+  console.log(`  ✓ Config written: ${configPath}\n`);
+
+  // Route DNS
+  console.log("  Step 4/4 — Configure DNS");
+  try {
+    execSync(`cloudflared tunnel route dns ${tunnelName} ${hostname}`, { stdio: "inherit" });
+    console.log(`  ✓ DNS configured: ${hostname}\n`);
+  } catch {
+    console.log(`  ⚠ DNS route failed — add manually in Cloudflare dashboard:`);
+    console.log(`    CNAME ${hostname} → ${tunnelId}.cfargotunnel.com\n`);
+  }
+
+  // Save hostname to clauth config via api module
+  try {
+    const apiMod = await import("../api.js").catch(() => null);
+    if (apiMod) {
+      const sbUrl = (apiMod.getBaseUrl?.() || "").replace("/functions/v1/auth-vault", "");
+      const sbKey = apiMod.getAnonKey?.();
+      if (sbUrl && sbKey) {
+        await fetch(
+          `${sbUrl}/rest/v1/clauth_config`,
+          {
+            method: "POST",
+            headers: {
+              apikey: sbKey,
+              Authorization: `Bearer ${sbKey}`,
+              "Content-Type": "application/json",
+              Prefer: "resolution=merge-duplicates",
+            },
+            body: JSON.stringify({ key: "tunnel_hostname", value: hostname }),
+          }
+        );
+        console.log(`  ✓ Hostname saved to clauth config: ${hostname}`);
+      }
+    }
+  } catch {
+    console.log(`  ⚠ Could not save to DB. Hostname is set in config.yml — 'clauth serve' will pick it up.`);
+  }
+
+  console.log("\n  Setup complete!");
+  console.log(`  Restart the daemon: clauth serve restart`);
+  console.log(`  Or use: npm run worker:restart (from clauth directory)\n`);
+}
+
+// clauth tunnel start — tells daemon to start the tunnel
+async function actionTunnelStart() {
+  try {
+    const r = await fetch("http://127.0.0.1:52437/tunnel/start", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      signal: AbortSignal.timeout(5000),
+    });
+    const data = await r.json().catch(() => ({}));
+    if (!r.ok) {
+      console.error(`  ✗ ${data.error || r.statusText}`);
+      if (r.status === 401) console.error("  Unlock the daemon first: http://127.0.0.1:52437");
+      process.exit(1);
+    }
+    console.log(`  ✓ ${data.message || "Tunnel starting — check status with: clauth tunnel status"}`);
+  } catch (e) {
+    console.error("  ✗ Daemon not running. Start it with: clauth serve");
+    process.exit(1);
+  }
+}
+
+// clauth tunnel stop — tells daemon to stop the tunnel
+async function actionTunnelStop() {
+  try {
+    const r = await fetch("http://127.0.0.1:52437/tunnel/stop", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      signal: AbortSignal.timeout(5000),
+    });
+    const data = await r.json().catch(() => ({}));
+    if (!r.ok) {
+      console.error(`  ✗ ${data.error || r.statusText}`);
+      process.exit(1);
+    }
+    console.log("  ✓ Tunnel stopped.");
+  } catch (e) {
+    console.error("  ✗ Daemon not running.");
+    process.exit(1);
+  }
+}
+
+// clauth tunnel status — shows current tunnel status from daemon
+async function actionTunnelStatus() {
+  try {
+    const r = await fetch("http://127.0.0.1:52437/tunnel", {
+      signal: AbortSignal.timeout(5000),
+    });
+    const data = await r.json().catch(() => ({}));
+
+    const icons = {
+      live:                "✓",
+      starting:            "◌",
+      not_configured:      "⚠",
+      not_started:         "○",
+      error:               "✗",
+      missing_cloudflared: "✗",
+    };
+    const labels = {
+      live:                `Live — ${data.url || ""}`,
+      starting:            "Starting...",
+      not_configured:      "Not configured — run: clauth tunnel setup",
+      not_started:         "Not started — run: clauth tunnel start",
+      error:               `Error${data.error ? ": " + data.error : ""} — check cloudflared config`,
+      missing_cloudflared: "cloudflared not installed — https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+    };
+
+    const status = data.status || "unknown";
+    console.log(`\n  ${icons[status] || "?"} Tunnel: ${labels[status] || status}\n`);
+  } catch (e) {
+    console.error("  ✗ Daemon not running. Start it with: clauth serve");
+    process.exit(1);
+  }
+}
+
+export { actionTunnelSetup, actionTunnelStart, actionTunnelStop, actionTunnelStatus };

package/cli/index.js

@@ -10,9 +10,10 @@ import { getConfOptions } from "./conf-path.js";
 import { getMachineHash, deriveToken, deriveSeedHash } from "./fingerprint.js";
 import * as api from "./api.js";
 import os from "os";
+import fs from "fs";
 
 const config = new Conf(getConfOptions());
-const VERSION = "0.7.0";
+const VERSION = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
 
 // ============================================================
 // Password prompt helper
@@ -128,6 +129,7 @@ program
       const result = await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk);
       if (result.error) throw new Error(result.error);
       spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}...`));
+
       console.log(chalk.green("\n✓ clauth is ready.\n"));
       console.log(chalk.cyan("  clauth test     — verify connection"));
       console.log(chalk.cyan("  clauth status   — see all services\n"));
@@ -144,22 +146,24 @@ program
   .command("status")
   .description("Show all services and their state")
   .option("-p, --pw <password>", "Password (or will prompt)")
+  .option("--project <name>", "Filter by project scope")
   .action(async (opts) => {
     const auth = await getAuth(opts.pw);
     const spinner = ora("Fetching service status...").start();
     try {
-      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp, opts.project);
       spinner.stop();
       if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
 
-      console.log(chalk.cyan("\n🔐 clauth service status\n"));
+      const heading = opts.project ? `clauth service status (project: ${opts.project})` : "clauth service status";
+      console.log(chalk.cyan(`\n🔐 ${heading}\n`));
       console.log(
         chalk.bold(
-          "  " + "SERVICE".padEnd(20) + "TYPE".padEnd(12) + "STATUS".padEnd(12) +
+          "  " + "SERVICE".padEnd(24) + "TYPE".padEnd(12) + "PROJECT".padEnd(22) + "STATUS".padEnd(12) +
           "KEY STORED".padEnd(12) + "LAST RETRIEVED"
         )
       );
-      console.log("  " + "─".repeat(72));
+      console.log("  " + "─".repeat(90));
 
       for (const s of result.services || []) {
         const status = s.enabled
@@ -171,8 +175,9 @@ program
         const lastGet = s.last_retrieved
           ? new Date(s.last_retrieved).toLocaleDateString()
           : chalk.gray("never");
+        const proj = s.project ? chalk.blue(s.project.padEnd(22)) : chalk.gray("—".padEnd(22));
 
-        console.log(`  ${s.name.padEnd(20)}${s.key_type.padEnd(12)}${status}${hasKey}${lastGet}`);
+        console.log(`  ${s.name.padEnd(24)}${s.key_type.padEnd(12)}${proj}${status}${hasKey}${lastGet}`);
       }
       console.log();
     } catch (err) {
@@ -296,6 +301,7 @@ addCmd
   .option("--type <type>", "Key type: token | keypair | connstring | oauth")
   .option("--label <label>", "Human-readable label")
   .option("--description <desc>", "Description")
+  .option("--project <project>", "Project scope (groups related services)")
   .option("-p, --pw <password>")
   .action(async (name, opts) => {
     const auth = await getAuth(opts.pw);
@@ -310,14 +316,14 @@ addCmd
         { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
       ]);
     }
-    const spinner = ora(`Adding service: ${name}...`).start();
+    const spinner = ora(`Adding service: ${name}${opts.project ? ` (project: ${opts.project})` : ""}...`).start();
     try {
       const result = await api.addService(
         auth.password, auth.machineHash, auth.token, auth.timestamp,
-        name, answers.label, answers.key_type, answers.desc
+        name, answers.label, answers.key_type, answers.desc, opts.project
       );
       if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})`));
+      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})${opts.project ? chalk.blue(` [${opts.project}]`) : ""}`));
       console.log(chalk.gray(`  Next: clauth write key ${name}`));
     } catch (err) { spinner.fail(chalk.red(err.message)); }
   });
@@ -346,13 +352,22 @@ program
   .command("list")
   .description("List all registered services")
   .option("-p, --pw <password>")
+  .option("--project <name>", "Filter by project scope")
   .action(async (opts) => {
     const auth = await getAuth(opts.pw);
-    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp, opts.project);
     if (result.error) { console.log(chalk.red(result.error)); return; }
-    console.log(chalk.cyan("\n Registered services:\n"));
+    const heading = opts.project ? `Registered services (project: ${opts.project})` : "Registered services";
+    console.log(chalk.cyan(`\n ${heading}:\n`));
+    let lastProject = undefined;
     for (const s of result.services || []) {
-      console.log(`  ${chalk.bold(s.name.padEnd(20))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.description || "")}`);
+      const proj = s.project || null;
+      if (proj !== lastProject) {
+        if (lastProject !== undefined) console.log();
+        console.log(chalk.gray(`  [${proj || "global"}]`));
+        lastProject = proj;
+      }
+      console.log(`  ${chalk.bold(s.name.padEnd(24))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.label || "")}`);
     }
     console.log();
   });
@@ -446,6 +461,113 @@ Examples:
     await runScrub(target, opts);
   });
 
+// ──────────────────────────────────────────────
+// clauth doctor
+// ──────────────────────────────────────────────
+program
+  .command("doctor")
+  .description("Check all prerequisites and diagnose issues")
+  .action(async () => {
+    const { runDoctor } = await import("./commands/doctor.js");
+    await runDoctor();
+  });
+
+// ──────────────────────────────────────────────
+// clauth invite generate|list|revoke
+// ──────────────────────────────────────────────
+const invite = program.command("invite").description("Manage vault invites");
+
+invite
+  .command("generate")
+  .description("Generate an invite code for a friend")
+  .option("--uses <n>", "Max redemptions", "1")
+  .option("--expires <hours>", "Expiry in hours", "168")
+  .action(async (opts) => {
+    const { runInvite } = await import("./commands/invite.js");
+    await runInvite("generate", opts);
+  });
+
+invite
+  .command("list")
+  .description("List active invites")
+  .action(async () => {
+    const { runInvite } = await import("./commands/invite.js");
+    await runInvite("list", {});
+  });
+
+invite
+  .command("revoke <code>")
+  .description("Revoke an invite code")
+  .action(async (code) => {
+    const { runInvite } = await import("./commands/invite.js");
+    await runInvite("revoke", { code });
+  });
+
+// ──────────────────────────────────────────────
+// clauth join <invite-code>
+// ──────────────────────────────────────────────
+program
+  .command("join <invite-code>")
+  .description("Join a vault using an invite code from a friend")
+  .action(async (code) => {
+    const { runJoin } = await import("./commands/join.js");
+    await runJoin(code);
+  });
+
+// ──────────────────────────────────────────────
+// clauth update
+// ──────────────────────────────────────────────
+program
+  .command("update")
+  .description("Update clauth to the latest version")
+  .action(async () => {
+    const { execSync } = await import("child_process");
+    console.log(chalk.cyan("\n  Updating clauth...\n"));
+    try {
+      execSync("npm install -g @lifeaitools/clauth@latest", { stdio: "inherit" });
+      console.log(chalk.green("\n  Updated successfully.\n"));
+    } catch (err) {
+      console.log(chalk.red(`\n  Update failed: ${err.message}\n`));
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth tunnel setup
+// ──────────────────────────────────────────────
+const tunnelCmd = program.command("tunnel").description("Manage Cloudflare tunnel for claude.ai web integration");
+
+tunnelCmd
+  .command("setup")
+  .description("Interactive wizard — configure cloudflared named tunnel")
+  .action(async () => {
+    const { actionTunnelSetup } = await import("./commands/tunnel.js");
+    await actionTunnelSetup();
+  });
+
+tunnelCmd
+  .command("start")
+  .description("Tell daemon to start the tunnel")
+  .action(async () => {
+    const { actionTunnelStart } = await import("./commands/tunnel.js");
+    await actionTunnelStart();
+  });
+
+tunnelCmd
+  .command("stop")
+  .description("Tell daemon to stop the tunnel")
+  .action(async () => {
+    const { actionTunnelStop } = await import("./commands/tunnel.js");
+    await actionTunnelStop();
+  });
+
+tunnelCmd
+  .command("status")
+  .description("Show current tunnel status")
+  .action(async () => {
+    const { actionTunnelStatus } = await import("./commands/tunnel.js");
+    await actionTunnelStatus();
+  });
+
 // ──────────────────────────────────────────────
 // clauth --help override banner
 // ──────────────────────────────────────────────
@@ -478,8 +600,9 @@ Actions:
   ping        Check if the daemon is running
   foreground  Run in foreground (Ctrl+C to stop) — default if no action given
   mcp         Run as MCP stdio server for Claude Code (JSON-RPC over stdin/stdout)
-  install     (Windows) Encrypt password with DPAPI + create Scheduled Task for auto-start on login
-  uninstall   (Windows) Remove Scheduled Task + delete boot.key
+  install     Store password securely + register auto-start service (cross-platform)
+              Windows: DPAPI + Scheduled Task | macOS: Keychain + LaunchAgent | Linux: libsecret/openssl + systemd
+  uninstall   Remove auto-start service + delete stored password
 
 MCP SSE (built into start/foreground):
   The HTTP daemon also serves MCP SSE transport at GET /sse + POST /message.
@@ -494,8 +617,9 @@ Examples:
   clauth serve start --services github,vercel
   clauth serve mcp                       Start MCP server for Claude Code
   clauth serve mcp -p mypass             Start MCP server pre-unlocked
-  clauth serve install                   (Windows) Set up auto-start on login via DPAPI
-  clauth serve uninstall                 (Windows) Remove auto-start
+  clauth serve install                   Set up auto-start on login (DPAPI/Keychain/libsecret)
+  clauth serve install --tunnel host     Auto-start with Cloudflare Tunnel
+  clauth serve uninstall                 Remove auto-start
 `)
   .action(async (action, opts) => {
     const resolvedAction = opts.action || action || "foreground";

package/install.ps1

@@ -23,6 +23,13 @@ try { node --version | Out-Null } catch {
     exit 1
 }
 
+# Check cloudflared (soft warning — not required for install)
+if (-not (Get-Command cloudflared -ErrorAction SilentlyContinue)) {
+    Write-Host "  Note: cloudflared not found. Install after setup for claude.ai web integration." -ForegroundColor Yellow
+    Write-Host "        winget install Cloudflare.cloudflared" -ForegroundColor Gray
+    Write-Host ""
+}
+
 # Clone or update
 if (Test-Path "$DIR\.git") {
     Write-Host "  Updating clauth..."

package/install.sh

@@ -19,6 +19,17 @@ if ! command -v node &>/dev/null; then
   exit 1
 fi
 
+# Check cloudflared (soft warning)
+if ! command -v cloudflared &>/dev/null; then
+  echo "  Note: cloudflared not found. Install after setup for claude.ai web integration."
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    echo "        brew install cloudflare/cloudflare/cloudflared"
+  else
+    echo "        https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/"
+  fi
+  echo ""
+fi
+
 # Clone or update
 if [ -d "$DIR/.git" ]; then
   echo "  Updating clauth..."; cd "$DIR" && git pull --quiet

package/package.json

@@ -1,13 +1,17 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "0.7.5",
+  "version": "1.1.0",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {
     "clauth": "./cli/index.js"
   },
   "scripts": {
-    "build": "bash scripts/build.sh"
+    "build": "bash scripts/build.sh",
+    "postinstall": "node scripts/postinstall.js",
+    "worker:start": "node cli/index.js serve",
+    "worker:stop": "curl -s http://127.0.0.1:52437/shutdown 2>nul || taskkill /F /IM cloudflared.exe 2>nul & exit 0",
+    "worker:restart": "npm run worker:stop && timeout /t 3 /nobreak >nul && npm run worker:start"
   },
   "dependencies": {
     "chalk": "^5.3.0",
@@ -41,6 +45,7 @@
     "scripts/bin/",
     "scripts/bootstrap.cjs",
     "scripts/build.sh",
+    "scripts/postinstall.js",
     "supabase/",
     ".clauth-skill/",
     "install.sh",

package/scripts/bootstrap.cjs

@@ -38,6 +38,84 @@ if (lnk.status !== 0) {
 }
 console.log('  + clauth linked');
 
+// Check if cloudflared is installed
+var cfFound = false;
+try {
+  execSync('cloudflared --version', { stdio: 'ignore' });
+  cfFound = true;
+} catch {}
+
+if (!cfFound) {
+  console.log('\n  cloudflared not found — needed for claude.ai web integration (tunnel).');
+
+  var platform = process.platform;
+  var installCmd = null;
+  var installLabel = null;
+
+  if (platform === 'win32') {
+    try {
+      execSync('winget --version', { stdio: 'ignore' });
+      installCmd = 'winget install Cloudflare.cloudflared --silent --accept-package-agreements --accept-source-agreements';
+      installLabel = 'winget';
+    } catch {}
+  } else if (platform === 'darwin') {
+    try {
+      execSync('brew --version', { stdio: 'ignore' });
+      installCmd = 'brew install cloudflare/cloudflare/cloudflared';
+      installLabel = 'Homebrew';
+    } catch {}
+  }
+  // Linux: no auto-install — falls through to manual instructions
+
+  if (installCmd) {
+    process.stdout.write('  Install now via ' + installLabel + '? (y/n): ');
+    var answer = (function () {
+      try {
+        var buf = Buffer.alloc(3);
+        var fd = require('fs').openSync('/dev/tty', 'r');
+        require('fs').readSync(fd, buf, 0, 3);
+        require('fs').closeSync(fd);
+        return buf.toString().trim().toLowerCase();
+      } catch {
+        try {
+          var result = require('child_process').spawnSync(
+            'powershell',
+            ['-Command', "$k = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown'); $k.Character"],
+            { encoding: 'utf8' }
+          );
+          return (result.stdout || '').trim().toLowerCase();
+        } catch { return 'n'; }
+      }
+    })();
+
+    if (answer === 'y') {
+      console.log('  Installing cloudflared via ' + installLabel + '...');
+      try {
+        execSync(installCmd, { stdio: 'inherit' });
+        console.log('  + cloudflared installed.');
+      } catch (e) {
+        console.log('  x Auto-install failed. Install manually:');
+        console.log('    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+      }
+    } else {
+      console.log('  Skipped. Install later and run: clauth tunnel setup');
+    }
+  } else {
+    console.log('  Install manually:');
+    if (platform === 'win32') {
+      console.log('    winget install Cloudflare.cloudflared');
+      console.log('    or: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+    } else if (platform === 'darwin') {
+      console.log('    brew install cloudflare/cloudflare/cloudflared');
+      console.log('    or: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+    } else {
+      console.log('    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+    }
+    console.log('  Then run: clauth tunnel setup');
+  }
+  console.log('');
+}
+
 console.log('\n  -> Launching clauth install...\n');
 var r = run('clauth install');
 process.exit(r.status || 0);

package/scripts/postinstall.js

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+// scripts/postinstall.js
+// Runs after npm install -g @lifeaitools/clauth
+// Detects fresh install vs upgrade and acts accordingly
+
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+const CONFIG_DIR = os.platform() === "win32"
+  ? path.join(process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming"), "clauth-nodejs", "Config")
+  : path.join(os.homedir(), ".config", "clauth-nodejs");
+
+let version = "1.0.0";
+try {
+  const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "..", "package.json"), "utf8"));
+  version = pkg.version;
+} catch {}
+
+async function main() {
+  const configPath = path.join(CONFIG_DIR, "config.json");
+  const isUpgrade = fs.existsSync(configPath);
+
+  if (isUpgrade) {
+    console.log(`\n  \u2713 clauth upgraded to v${version}`);
+    console.log(`  \u2713 Config preserved at ${CONFIG_DIR}`);
+
+    // Try to detect running daemon
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2000);
+      const res = await fetch("http://127.0.0.1:52437/ping", { signal: controller.signal });
+      clearTimeout(timeout);
+      if (res.ok) {
+        console.log("  \u21BB Daemon is running \u2014 restart it with: clauth serve restart");
+      }
+    } catch {
+      console.log("  \u25CB Daemon not running");
+    }
+
+    console.log("  Run 'clauth doctor' to verify installation\n");
+  } else {
+    console.log(`\n  Welcome to clauth v${version}!`);
+    console.log("  Run 'clauth install' to set up your vault");
+    console.log("  Run 'clauth doctor' to check prerequisites\n");
+  }
+}
+
+main().catch(() => {});