@lifeaitools/clauth 0.7.6 → 1.1.0

package/cli/commands/serve.js

@@ -13,11 +13,50 @@ import { fileURLToPath } from "url";
 import { getMachineHash, deriveToken, deriveSeedHash } from "../fingerprint.js";
 import * as api from "../api.js";
 import chalk from "chalk";
+import ora from "ora";
+import { execSync as execSyncTop } from "child_process";
+import Conf from "conf";
+import { getConfOptions } from "../conf-path.js";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
 const VERSION = pkg.version;
 
+// ── Embedded migrations ─────────────────────────────────────────
+// All SQL must be idempotent (IF NOT EXISTS, etc.)
+// type: "safe" = auto-apply | "breaking" = requires user confirmation in UI
+const MIGRATIONS = [
+  {
+    version: 1,
+    name: "001_clauth_schema",
+    description: "Initial schema (clauth_services, clauth_machines, clauth_audit)",
+    type: "safe",
+    sql: null, // pre-existing, skip if schema_version >= 1
+  },
+  {
+    version: 2,
+    name: "002_lockout",
+    description: "Machine lockout (fail_count, locked columns on clauth_machines)",
+    type: "safe",
+    sql: `ALTER TABLE clauth_machines ADD COLUMN IF NOT EXISTS fail_count integer NOT NULL DEFAULT 0;
+ALTER TABLE clauth_machines ADD COLUMN IF NOT EXISTS locked boolean NOT NULL DEFAULT false;`,
+  },
+  {
+    version: 3,
+    name: "003_clauth_config",
+    description: "Daemon config store — tunnel hostname and schema versioning",
+    type: "safe",
+    sql: `CREATE TABLE IF NOT EXISTS clauth_config (
+  key        text PRIMARY KEY,
+  value      jsonb NOT NULL,
+  updated_at timestamptz DEFAULT now()
+);
+ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;`,
+  },
+];
+
+const CURRENT_SCHEMA_VERSION = 3;
+
 const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
 const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
 
@@ -47,7 +86,7 @@ function openBrowser(url) {
     const cmd = os.platform() === "win32" ? `start "" "${url}"`
       : os.platform() === "darwin" ? `open "${url}"`
       : `xdg-open "${url}"`;
-    execSync(cmd, { stdio: "ignore" });
+    execSyncTop(cmd, { stdio: "ignore" });
   } catch {}
 }
 
@@ -190,6 +229,22 @@ function dashboardHtml(port, whitelist) {
   .add-foot{display:flex;gap:8px;align-items:center}
   .add-msg{font-size:.82rem}
   .add-msg.ok{color:#4ade80} .add-msg.fail{color:#f87171}
+  .project-tabs{display:flex;gap:0;margin-bottom:1rem;border-bottom:1px solid #1e293b;overflow-x:auto}
+  .project-tab{background:none;border:none;border-bottom:2px solid transparent;color:#64748b;padding:8px 16px;font-size:.82rem;font-weight:500;cursor:pointer;white-space:nowrap;transition:all .15s}
+  .project-tab:hover{color:#94a3b8;background:rgba(59,130,246,.05)}
+  .project-tab.active{color:#60a5fa;border-bottom-color:#3b82f6;background:rgba(59,130,246,.08)}
+  .project-tab .tab-count{font-size:.7rem;color:#475569;margin-left:4px;font-weight:400}
+  .project-tab.active .tab-count{color:#3b82f6}
+  .project-edit{display:none;margin-top:8px;padding:8px 10px;background:#0f172a;border:1px solid #334155;border-radius:6px}
+  .project-edit.open{display:flex;gap:6px;align-items:center}
+  .project-edit input{background:#1e293b;border:1px solid #334155;border-radius:4px;color:#e2e8f0;font-size:.78rem;padding:4px 8px;outline:none;flex:1;font-family:'Courier New',monospace;transition:border-color .15s}
+  .project-edit input:focus{border-color:#3b82f6}
+  .project-edit button{font-size:.72rem;padding:4px 8px;border-radius:4px;cursor:pointer;border:1px solid #334155;background:#1a1f2e;color:#94a3b8;transition:all .15s}
+  .project-edit button:hover{border-color:#60a5fa;color:#60a5fa}
+  .project-edit .pe-msg{font-size:.72rem;color:#4ade80}
+  .btn-project{font-size:.68rem;color:#64748b;background:none;border:1px solid #1e293b;border-radius:3px;padding:2px 6px;cursor:pointer;transition:all .15s}
+  .btn-project:hover{color:#3b82f6;border-color:#3b82f6}
+  .btn-mcp-setup.open{border-color:#f59e0b;color:#f59e0b;background:#1a1500}
   .footer{margin-top:2rem;font-size:.75rem;color:#475569;text-align:center}
   .oauth-fields{display:flex;flex-direction:column;gap:8px;margin-bottom:8px}
   .oauth-field{display:flex;flex-direction:column;gap:3px}
@@ -197,6 +252,34 @@ function dashboardHtml(port, whitelist) {
   .oauth-hint{font-size:.71rem;color:#475569;font-style:italic}
   .oauth-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;transition:border-color .2s}
   .oauth-input:focus{border-color:#3b82f6}
+  .upgrade-banner {
+    background: linear-gradient(135deg, rgba(0,200,100,0.12), rgba(0,150,80,0.08));
+    border: 1px solid rgba(0,200,100,0.3);
+    border-radius: 6px;
+    padding: 10px 16px;
+    margin-bottom: 12px;
+    font-size: 13px;
+  }
+  .upgrade-banner .upgrade-content {
+    display: flex;
+    align-items: center;
+    gap: 12px;
+    flex-wrap: wrap;
+  }
+  .upgrade-banner button {
+    margin-left: auto;
+    background: none;
+    border: 1px solid rgba(0,200,100,0.4);
+    color: #0c6;
+    border-radius: 4px;
+    padding: 2px 8px;
+    cursor: pointer;
+    font-size: 12px;
+  }
+  .upgrade-details-list {
+    color: rgba(255,255,255,0.6);
+    font-size: 12px;
+  }
 </style>
 </head>
 <body>
@@ -215,6 +298,13 @@ function dashboardHtml(port, whitelist) {
 
 <!-- ── Main view (shown after unlock) ──────── -->
 <div id="main-view">
+  <div id="upgrade-banner" style="display:none" class="upgrade-banner">
+    <div class="upgrade-content">
+      <strong>⬆ clauth upgraded to v<span id="upgrade-to-version"></span></strong>
+      <span id="upgrade-details"></span>
+      <button onclick="dismissUpgrade()">Dismiss ✕</button>
+    </div>
+  </div>
   <div class="header">
     <div class="dot" id="dot"></div>
     <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
@@ -256,6 +346,10 @@ function dashboardHtml(port, whitelist) {
           <option value="">Loading…</option>
         </select>
       </div>
+      <div class="add-field">
+        <label>Project <span style="color:#475569;font-weight:400">(optional)</span></label>
+        <input class="add-input" id="add-project" type="text" placeholder="e.g. marketing-engine" autocomplete="off" spellcheck="false">
+      </div>
     </div>
     <div class="add-foot">
       <button class="btn-chpw-save" onclick="addService()">Create Service</button>
@@ -284,15 +378,45 @@ function dashboardHtml(port, whitelist) {
   </div>
 
   <div class="tunnel-panel" id="tunnel-panel">
-    <div class="tunnel-dot off" id="tunnel-dot"></div>
-    <div class="tunnel-label" id="tunnel-label">
-      <strong>claude.ai MCP</strong> — checking tunnel…
+    <!-- not_configured -->
+    <div class="tunnel-state not-configured" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot off"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — No tunnel configured</div>
+      <button class="btn-tunnel-stop" onclick="runTunnelSetup()">Setup Tunnel</button>
+    </div>
+    <!-- missing_cloudflared -->
+    <div class="tunnel-state missing-cloudflared" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot err"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — cloudflared not installed</div>
+      <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/" target="_blank" style="color:#60a5fa;font-size:.8rem">Download cloudflared ↗</a>
+      <span class="tunnel-err" style="display:inline;font-size:.78rem;color:#94a3b8">Then run: clauth tunnel setup</span>
+    </div>
+    <!-- starting -->
+    <div class="tunnel-state starting" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot starting"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — Tunnel starting…</div>
+    </div>
+    <!-- live -->
+    <div class="tunnel-state live" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot on"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — <span class="tunnel-url"><a href="" target="_blank" id="tunnel-live-url"></a></span></div>
+      <button class="btn-check" style="padding:6px 12px;font-size:.8rem" onclick="testTunnel()">Test</button>
+      <button class="btn-claude" onclick="openClaude()">Connect claude.ai</button>
+      <button class="btn-mcp-setup" id="btn-mcp-setup" onclick="toggleMcpSetup()">Setup MCP</button>
+      <button class="btn-tunnel-stop" onclick="toggleTunnel('stop')">Stop</button>
+    </div>
+    <!-- error -->
+    <div class="tunnel-state error" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot err"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — Tunnel error — check cloudflared config</div>
+      <button class="btn-tunnel-stop" onclick="toggleTunnel('start')">Retry</button>
+    </div>
+    <!-- not_started -->
+    <div class="tunnel-state not-started" style="display:flex;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot off"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — checking tunnel…</div>
+      <button class="btn-tunnel-stop" onclick="toggleTunnel('start')">Start Tunnel</button>
     </div>
-    <button class="btn-check" id="btn-tunnel-test" style="display:none;padding:6px 12px;font-size:.8rem" onclick="testTunnel()">Test</button>
-    <button class="btn-claude" id="btn-claude" disabled onclick="openClaude()">Connect claude.ai</button>
-    <button class="btn-tunnel-stop" id="btn-tunnel-toggle" style="display:none" onclick="toggleTunnel()">Stop</button>
-    <button class="btn-mcp-setup" id="btn-mcp-setup" style="display:none" onclick="toggleMcpSetup()">Setup MCP</button>
-    <div class="tunnel-err" id="tunnel-err" style="display:none"></div>
   </div>
 
   <div class="mcp-setup" id="mcp-setup-panel">
@@ -317,6 +441,7 @@ function dashboardHtml(port, whitelist) {
     <div style="font-size:.72rem;color:#64748b;margin-top:4px">Paste these into <a href="https://claude.ai/settings/integrations" target="_blank" style="color:#60a5fa">claude.ai Settings → Integrations</a></div>
   </div>
 
+  <div id="project-tabs" class="project-tabs" style="display:none"></div>
   <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
   <div class="footer">localhost:${port} · 127.0.0.1 only · 10-strike lockout</div>
 </div>
@@ -346,6 +471,19 @@ const KEY_URLS = {
   "neo4j":           "https://console.neo4j.io/",
   "npm":             "https://www.npmjs.com/settings/~/tokens",
   "gmail":           "https://console.cloud.google.com/apis/credentials",
+  "gcal":            "https://console.cloud.google.com/apis/credentials",
+};
+
+// Extra links shown below the primary KEY_URLS link
+const EXTRA_LINKS = {
+  "gmail": [
+    { label: "↗ OAuth Playground (get refresh token)", url: "https://developers.google.com/oauthplayground/" },
+    { label: "↗ Enable Gmail API", url: "https://console.cloud.google.com/apis/library/gmail.googleapis.com" },
+  ],
+  "gcal": [
+    { label: "↗ OAuth Playground (get refresh token)", url: "https://developers.google.com/oauthplayground/" },
+    { label: "↗ Enable Calendar API", url: "https://console.cloud.google.com/apis/library/calendar-json.googleapis.com" },
+  ],
 };
 
 // ── OAuth import config ─────────────────────
@@ -355,7 +493,11 @@ const KEY_URLS = {
 const OAUTH_IMPORT = {
   "gmail": {
     jsonFields: ["client_id", "client_secret"],
-    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground or your app's auth callback" }]
+    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground — select Gmail API scopes, authorize, then exchange for tokens" }]
+  },
+  "gcal": {
+    jsonFields: ["client_id", "client_secret"],
+    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground — select Calendar API scopes, authorize, then exchange for tokens" }]
   }
 };
 
@@ -423,7 +565,40 @@ function showLockScreen() {
   setTimeout(() => document.getElementById("lock-input").focus(), 50);
 }
 
+// ── Upgrade detection ────────────────────────────────────────────
+function checkUpgrade(ping) {
+  const currentVersion = ping.app_version || ping.version;
+  if (!currentVersion) return;
+
+  const lastVersion = localStorage.getItem('clauth_last_version');
+
+  if (lastVersion && lastVersion !== currentVersion) {
+    // Version changed — show upgrade banner
+    document.getElementById('upgrade-to-version').textContent = currentVersion;
+
+    // Build details from migration result if available
+    let details = '';
+    if (ping.last_migrations?.applied?.length > 0) {
+      details = '· Migrations: ' + ping.last_migrations.applied.map(m => m.description).join(' · ');
+    }
+    // Show breaking migration warning if any pending
+    if (ping.pending_breaking?.length > 0) {
+      details += ' ⚠ Breaking migrations require confirmation — see below.';
+    }
+    document.getElementById('upgrade-details').textContent = details;
+    document.getElementById('upgrade-banner').style.display = 'block';
+  }
+
+  // Always update stored version
+  localStorage.setItem('clauth_last_version', currentVersion);
+}
+
+function dismissUpgrade() {
+  document.getElementById('upgrade-banner').style.display = 'none';
+}
+
 function showMain(ping) {
+  checkUpgrade(ping);
   document.getElementById("lock-screen").style.display = "none";
   document.getElementById("main-view").style.display = "block";
   if (ping) {
@@ -476,6 +651,82 @@ async function lockVault() {
 }
 
 // ── Load services ───────────────────────────
+let allServices = [];
+let activeProjectTab = "all";
+
+function renderProjectTabs(services) {
+  const tabsEl = document.getElementById("project-tabs");
+  const projects = new Map(); // project -> count
+  let unassigned = 0;
+  for (const s of services) {
+    if (s.project) {
+      projects.set(s.project, (projects.get(s.project) || 0) + 1);
+    } else {
+      unassigned++;
+    }
+  }
+  // Only show tabs if there's at least one project
+  if (projects.size === 0) { tabsEl.style.display = "none"; return; }
+  tabsEl.style.display = "flex";
+  const tabs = [
+    { key: "all", label: "All", count: services.length },
+    ...Array.from(projects.entries()).map(([name, count]) => ({ key: name, label: name, count })),
+    { key: "unassigned", label: "Global", count: unassigned },
+  ];
+  tabsEl.innerHTML = tabs.map(t =>
+    \`<button class="project-tab \${activeProjectTab === t.key ? "active" : ""}" onclick="switchProjectTab('\${t.key}')">\${t.label}<span class="tab-count">(\${t.count})</span></button>\`
+  ).join("");
+}
+
+function switchProjectTab(key) {
+  activeProjectTab = key;
+  renderProjectTabs(allServices);
+  renderServiceGrid(allServices);
+}
+
+function renderServiceGrid(services) {
+  const grid = document.getElementById("grid");
+  let filtered = services;
+  if (activeProjectTab === "unassigned") {
+    filtered = services.filter(s => !s.project);
+  } else if (activeProjectTab !== "all") {
+    filtered = services.filter(s => s.project === activeProjectTab);
+  }
+  if (!filtered.length) { grid.innerHTML = '<p class="loading">No services in this group.</p>'; return; }
+  grid.innerHTML = filtered.map(s => \`
+    <div class="card">
+      <div style="display:flex;align-items:flex-start;justify-content:space-between">
+        <div>
+          <div class="card-name">\${s.name}</div>
+          <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
+            <div class="card-type">\${s.key_type || "secret"}</div>
+            <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
+            \${s.project ? \`<span style="font-size:.68rem;color:#3b82f6;background:rgba(59,130,246,.1);border:1px solid rgba(59,130,246,.2);border-radius:3px;padding:1px 6px">\${s.project}</span>\` : ""}
+          </div>
+          \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
+          \${(EXTRA_LINKS[s.name] || []).map(l => \`<a class="card-getkey" href="\${l.url}" target="_blank" rel="noopener" style="margin-left:0">\${l.label}</a>\`).join("")}
+        </div>
+        <div class="status-dot" id="sdot-\${s.name}" title=""></div>
+      </div>
+      <div class="card-value" id="val-\${s.name}"></div>
+      <div class="card-actions">
+        <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
+        <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
+        <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
+        <button class="btn-project" onclick="toggleProjectEdit('\${s.name}')">\${s.project ? "✎ Project" : "+ Project"}</button>
+        <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
+      </div>
+      <div class="project-edit" id="pe-\${s.name}">
+        <input type="text" id="pe-input-\${s.name}" value="\${s.project || ""}" placeholder="Project name…" spellcheck="false" autocomplete="off">
+        <button onclick="saveProject('\${s.name}')">Save</button>
+        <button onclick="clearProject('\${s.name}')">Clear</button>
+        <span class="pe-msg" id="pe-msg-\${s.name}"></span>
+      </div>
+      \${renderSetPanel(s.name)}
+    </div>
+  \`).join("");
+}
+
 async function loadServices() {
   const grid = document.getElementById("grid");
   const err  = document.getElementById("error-bar");
@@ -487,32 +738,11 @@ async function loadServices() {
     if (status.locked) { showLockScreen(); return; }
     if (status.error) throw new Error(status.error);
 
-    const services = status.services || [];
-    if (!services.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
-
-    grid.innerHTML = services.map(s => \`
-      <div class="card">
-        <div style="display:flex;align-items:flex-start;justify-content:space-between">
-          <div>
-            <div class="card-name">\${s.name}</div>
-            <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
-              <div class="card-type">\${s.key_type || "secret"}</div>
-              <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
-            </div>
-            \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
-          </div>
-          <div class="status-dot" id="sdot-\${s.name}" title=""></div>
-        </div>
-        <div class="card-value" id="val-\${s.name}"></div>
-        <div class="card-actions">
-          <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
-          <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
-          <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
-          <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
-        </div>
-        \${renderSetPanel(s.name)}
-      </div>
-    \`).join("");
+    allServices = status.services || [];
+    if (!allServices.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
+
+    renderProjectTabs(allServices);
+    renderServiceGrid(allServices);
   } catch (e) {
     err.textContent = "⚠ " + e.message;
     err.style.display = "block";
@@ -561,6 +791,47 @@ async function copyKey(name) {
   } catch {}
 }
 
+// ── Project edit ────────────────────────────
+function toggleProjectEdit(name) {
+  const panel = document.getElementById("pe-" + name);
+  const open = panel.classList.contains("open");
+  panel.classList.toggle("open");
+  if (!open) {
+    const svc = allServices.find(s => s.name === name);
+    document.getElementById("pe-input-" + name).value = svc ? (svc.project || "") : "";
+    document.getElementById("pe-msg-" + name).textContent = "";
+    document.getElementById("pe-input-" + name).focus();
+  }
+}
+
+async function saveProject(name) {
+  const input = document.getElementById("pe-input-" + name);
+  const msg = document.getElementById("pe-msg-" + name);
+  const project = input.value.trim();
+  msg.textContent = "Saving…"; msg.style.color = "#94a3b8";
+  try {
+    const r = await fetch(BASE + "/update-service", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ service: name, project: project || "" })
+    }).then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    msg.style.color = "#4ade80"; msg.textContent = "✓ Saved";
+    // Update local state
+    const svc = allServices.find(s => s.name === name);
+    if (svc) svc.project = project || null;
+    setTimeout(() => { loadServices(); }, 800);
+  } catch (err) {
+    msg.style.color = "#f87171"; msg.textContent = err.message;
+  }
+}
+
+async function clearProject(name) {
+  document.getElementById("pe-input-" + name).value = "";
+  await saveProject(name);
+}
+
 // ── Set key ─────────────────────────────────
 function toggleSet(name) {
   const panel = document.getElementById("set-panel-" + name);
@@ -793,6 +1064,7 @@ async function toggleAddService() {
   panel.style.display = open ? "none" : "block";
   if (!open) {
     document.getElementById("add-name").value = "";
+    document.getElementById("add-project").value = "";
     document.getElementById("add-msg").textContent = "";
     // Fetch available key types from server
     const sel = document.getElementById("add-type");
@@ -815,6 +1087,7 @@ async function toggleAddService() {
 async function addService() {
   const name = document.getElementById("add-name").value.trim().toLowerCase();
   const type = document.getElementById("add-type").value;
+  const project = document.getElementById("add-project").value.trim();
   const msg  = document.getElementById("add-msg");
 
   if (!name) { msg.className = "add-msg fail"; msg.textContent = "Service name is required."; return; }
@@ -822,10 +1095,12 @@ async function addService() {
 
   msg.className = "add-msg"; msg.textContent = "Creating…";
   try {
+    const payload = { name, key_type: type, label: name };
+    if (project) payload.project = project;
     const r = await fetch(BASE + "/add-service", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ name, key_type: type, label: name })
+      body: JSON.stringify(payload)
     }).then(r => r.json());
 
     if (r.locked) { showLockScreen(); return; }
@@ -852,143 +1127,111 @@ document.addEventListener("DOMContentLoaded", () => {
   });
 });
 
+// ── Shared fetch helper ─────────────────────
+async function apiFetch(path, opts) {
+  try {
+    return await fetch(BASE + path, opts).then(r => r.json());
+  } catch { return null; }
+}
+
 // ── Tunnel management ───────────────────────
 let tunnelPollTimer = null;
 
 async function pollTunnel() {
   if (tunnelPollTimer) clearInterval(tunnelPollTimer);
-  await updateTunnelUI();
-  // Poll every 3s until URL is found, then slow to 10s
+  const r = await apiFetch("/tunnel");
+  if (r) renderTunnelPanel(r.status, r.url, r.error);
+  // Poll every 3s; slow to 10s once live
   tunnelPollTimer = setInterval(async () => {
-    const state = await updateTunnelUI();
-    if (state === "connected") {
+    const r = await apiFetch("/tunnel");
+    if (!r) return;
+    renderTunnelPanel(r.status, r.url, r.error);
+    if (r.status === "live") {
       clearInterval(tunnelPollTimer);
-      tunnelPollTimer = setInterval(updateTunnelUI, 10000);
+      tunnelPollTimer = setInterval(async () => {
+        const r2 = await apiFetch("/tunnel");
+        if (r2) renderTunnelPanel(r2.status, r2.url, r2.error);
+      }, 10000);
     }
   }, 3000);
 }
 
-async function updateTunnelUI() {
-  const dot   = document.getElementById("tunnel-dot");
-  const label = document.getElementById("tunnel-label");
-  const btn   = document.getElementById("btn-claude");
-  const togBtn = document.getElementById("btn-tunnel-toggle");
-  const mcpBtn = document.getElementById("btn-mcp-setup");
-  const errEl = document.getElementById("tunnel-err");
-
-  try {
-    const t = await fetch(BASE + "/tunnel").then(r => r.json());
-
-    errEl.style.display = "none";
-
-    if (t.error) {
-      dot.className = "tunnel-dot err";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — ' + t.error;
-      btn.disabled = true;
-      mcpBtn.style.display = "none";
-      togBtn.style.display = "none";
-      togBtn.textContent = "Start Tunnel";
-      togBtn.onclick = () => toggleTunnel("start");
-      togBtn.style.display = "inline-block";
-      document.getElementById("mcp-setup-panel").classList.remove("open");
-      return "error";
-    }
-
-    if (t.running && t.url && t.url.startsWith("http")) {
-      dot.className = "tunnel-dot on";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — <span class="tunnel-url"><a href="' + t.sseUrl + '" target="_blank">' + t.sseUrl + '</a></span>';
-      btn.disabled = false;
-      document.getElementById("btn-tunnel-test").style.display = "inline-block";
-      togBtn.textContent = "Stop Tunnel";
-      togBtn.onclick = () => toggleTunnel("stop");
-      togBtn.style.display = "inline-block";
-      mcpBtn.style.display = "inline-block";
-      return "connected";
-    }
-
-    if (t.running) {
-      dot.className = "tunnel-dot starting";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — starting tunnel…';
-      btn.disabled = true;
-      mcpBtn.style.display = "none";
-      togBtn.textContent = "Stop Tunnel";
-      togBtn.onclick = () => toggleTunnel("stop");
-      togBtn.style.display = "inline-block";
-      return "starting";
-    }
-
-    // Not running
-    dot.className = "tunnel-dot off";
-    label.innerHTML = '<strong>claude.ai MCP</strong> — tunnel not running';
-    btn.disabled = true;
-    mcpBtn.style.display = "none";
-    togBtn.textContent = "Start Tunnel";
-    togBtn.onclick = () => toggleTunnel("start");
-    togBtn.style.display = "inline-block";
-    document.getElementById("mcp-setup-panel").classList.remove("open");
-    return "stopped";
-
-  } catch {
-    dot.className = "tunnel-dot off";
-    label.innerHTML = '<strong>claude.ai MCP</strong> — unable to reach daemon';
-    btn.disabled = true;
-    mcpBtn.style.display = "none";
-    togBtn.style.display = "none";
+function renderTunnelPanel(status, url, error) {
+  const panel = document.getElementById("tunnel-panel");
+  if (!panel) return;
+  // Hide all state divs
+  panel.querySelectorAll(".tunnel-state").forEach(el => el.style.display = "none");
+  // Map status to CSS class (underscores → hyphens)
+  const cls = (status || "not-started").replace(/_/g, "-");
+  const active = panel.querySelector(".tunnel-state." + cls);
+  if (active) active.style.display = "flex";
+  // Update live URL
+  if (status === "live" && url) {
+    const sseUrl = url.startsWith("http") ? url + "/sse" : url;
+    const link = panel.querySelector(".tunnel-state.live a");
+    if (link) { link.href = sseUrl; link.textContent = sseUrl; }
+    const liveUrlEl = document.getElementById("tunnel-live-url");
+    if (liveUrlEl) { liveUrlEl.href = sseUrl; liveUrlEl.textContent = sseUrl; }
+  }
+  // Close MCP setup panel when not live
+  if (status !== "live") {
     document.getElementById("mcp-setup-panel").classList.remove("open");
-    return "error";
+    const mcpBtn = document.getElementById("btn-mcp-setup");
+    if (mcpBtn) mcpBtn.classList.remove("open");
   }
 }
 
 async function toggleTunnel(action) {
-  const togBtn = document.getElementById("btn-tunnel-toggle");
-  togBtn.disabled = true; togBtn.textContent = "…";
   try {
     await fetch(BASE + "/tunnel", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ action })
     });
-    // Wait a beat for tunnel to start/stop, then refresh
-    setTimeout(updateTunnelUI, action === "start" ? 5000 : 500);
-  } catch {} finally {
-    togBtn.disabled = false;
-  }
+    // Re-poll after a beat
+    setTimeout(pollTunnel, action === "start" ? 2000 : 500);
+  } catch {}
+}
+
+function runTunnelSetup() {
+  alert("Run in your terminal:\\n\\n  clauth tunnel setup\\n\\nThis will guide you through Cloudflare authentication and tunnel creation.");
 }
 
 async function testTunnel() {
-  const btn = document.getElementById("btn-tunnel-test");
-  const dot = document.getElementById("tunnel-dot");
-  const label = document.getElementById("tunnel-label");
-  btn.disabled = true; btn.textContent = "Testing…";
-  dot.className = "tunnel-dot starting";
+  const liveState = document.querySelector("#tunnel-panel .tunnel-state.live");
+  const btn = liveState ? liveState.querySelector(".btn-check") : null;
+  const labelEl = liveState ? liveState.querySelector(".tunnel-label") : null;
+  if (btn) { btn.disabled = true; btn.textContent = "Testing…"; }
 
   try {
     const r = await fetch(BASE + "/tunnel/test").then(r => r.json());
-    if (r.ok) {
-      dot.className = "tunnel-dot on";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#4ade80">PASS</span> ' +
-        r.latencyMs + 'ms roundtrip · SSE ' + (r.sseReachable ? 'reachable' : 'unreachable') +
-        ' · <span class="tunnel-url"><a href="' + r.sseUrl + '" target="_blank">' + r.sseUrl + '</a></span>';
-    } else {
-      dot.className = "tunnel-dot err";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + (r.reason || "unknown error");
+    if (labelEl) {
+      if (r.ok) {
+        labelEl.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#4ade80">PASS</span> ' +
+          r.latencyMs + 'ms · SSE ' + (r.sseReachable ? 'reachable' : 'unreachable') +
+          ' · <span class="tunnel-url"><a href="' + r.sseUrl + '" target="_blank">' + r.sseUrl + '</a></span>';
+      } else {
+        labelEl.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + (r.reason || "unknown error");
+      }
     }
   } catch (e) {
-    dot.className = "tunnel-dot err";
-    label.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + e.message;
+    if (labelEl) labelEl.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + e.message;
   } finally {
-    btn.disabled = false; btn.textContent = "Test";
+    if (btn) { btn.disabled = false; btn.textContent = "Test"; }
   }
 }
 
 function openClaude() {
   // Copy the SSE URL to clipboard and open claude.ai settings
   fetch(BASE + "/tunnel").then(r => r.json()).then(t => {
-    if (t.sseUrl) {
-      navigator.clipboard.writeText(t.sseUrl).then(() => {
-        const btn = document.getElementById("btn-claude");
-        btn.textContent = "SSE URL copied!";
-        setTimeout(() => { btn.textContent = "Connect claude.ai"; }, 2000);
+    const sseUrl = t.sseUrl || (t.url && t.url.startsWith("http") ? t.url + "/sse" : null);
+    if (sseUrl) {
+      navigator.clipboard.writeText(sseUrl).then(() => {
+        const btn = document.querySelector("#tunnel-panel .tunnel-state.live .btn-claude");
+        if (btn) {
+          btn.textContent = "SSE URL copied!";
+          setTimeout(() => { btn.textContent = "Connect claude.ai"; }, 2000);
+        }
       }).catch(() => {});
       window.open("https://claude.ai/settings/integrations", "_blank");
     }
@@ -997,7 +1240,10 @@ function openClaude() {
 
 async function toggleMcpSetup() {
   const panel = document.getElementById("mcp-setup-panel");
+  const btn = document.getElementById("btn-mcp-setup");
   const isOpen = panel.classList.toggle("open");
+  btn.classList.toggle("open", isOpen);
+  btn.textContent = isOpen ? "Close MCP" : "Setup MCP";
   if (isOpen) {
     try {
       const m = await fetch(BASE + "/mcp-setup").then(r => r.json());
@@ -1074,7 +1320,10 @@ function readBody(req) {
 }
 
 // ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port, tunnelHostname = null) {
+function createServer(initPassword, whitelist, port, tunnelHostnameInit = null) {
+  // tunnelHostname may be updated at runtime (fetched from DB after unlock)
+  let tunnelHostname = tunnelHostnameInit;
+
   // Ensure Windows system tools are reachable (bash shells may lack these on PATH)
   if (os.platform() === "win32") {
     const sys32 = "C:\\Windows\\System32";
@@ -1106,6 +1355,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       get password() { return this._pw; },
       set password(v) { this._pw = v; },
       get machineHash() { return machineHash; },
+      get tunnelUrl() { return tunnelUrl; },
       whitelist,
       failCount,
       MAX_FAILS,
@@ -1120,6 +1370,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
   let tunnelProc = null;
   let tunnelUrl = null;
   let tunnelError = null;
+  let tunnelStatus = "not_started"; // "not_started" | "not_configured" | "starting" | "live" | "error" | "missing_cloudflared"
 
   // ── OAuth provider (self-contained for claude.ai MCP) ──────
   const oauthClients = new Map();   // client_id → { client_secret, redirect_uris, client_name }
@@ -1169,6 +1420,28 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         }
       }
 
+      // If binary is still the default name, verify it's actually on PATH
+      if (cfBin === "cloudflared") {
+        try {
+          const { execSync } = await import("child_process");
+          execSync("cloudflared --version", { stdio: "ignore" });
+        } catch {
+          tunnelError = "cloudflared is not installed or not on PATH.";
+          tunnelStatus = "missing_cloudflared";
+          const installMsg = [
+            "",
+            "  \u2717 cloudflared not found.",
+            "  Download: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+            "  Then run: clauth tunnel setup",
+            "",
+          ].join("\n");
+          console.error(installMsg);
+          try { fs.appendFileSync(LOG_FILE, `[${new Date().toISOString()}] ${tunnelError}\n`); } catch {}
+          tunnelProc = null;
+          return;
+        }
+      }
+
       // Named tunnel (fixed subdomain) or quick tunnel (random URL)
       let args;
       if (tunnelHostname) {
@@ -1196,6 +1469,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
           const match = stderrBuf.match(/https:\/\/[a-z0-9-]+\.trycloudflare\.com/);
           if (match) {
             tunnelUrl = match[0];
+            tunnelStatus = "live";
             const logLine = `[${new Date().toISOString()}] Tunnel started: ${tunnelUrl}\n`;
             try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
           }
@@ -1206,6 +1480,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         tunnelError = err.code === "ENOENT"
           ? "cloudflared not found — install from https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/"
           : err.message;
+        tunnelStatus = "error";
         tunnelProc = null;
         const logLine = `[${new Date().toISOString()}] Tunnel error: ${tunnelError}\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
@@ -1215,6 +1490,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         if (tunnelProc === proc) {
           tunnelProc = null;
           if (!tunnelError) tunnelError = `Tunnel exited with code ${code}`;
+          tunnelStatus = "error";
           const logLine = `[${new Date().toISOString()}] Tunnel exited: code ${code}\n`;
           try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
         }
@@ -1224,12 +1500,14 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       await new Promise(r => setTimeout(r, 4000));
 
       if (tunnelHostname && tunnelProc) {
+        tunnelStatus = "live";
         const logLine = `[${new Date().toISOString()}] Named tunnel started: ${tunnelUrl}\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
       }
 
     } catch (err) {
       tunnelError = err.message;
+      tunnelStatus = "error";
       tunnelProc = null;
     }
   }
@@ -1240,6 +1518,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       tunnelProc = null;
       tunnelUrl = null;
       tunnelError = null;
+      tunnelStatus = "not_started";
       const logLine = `[${new Date().toISOString()}] Tunnel stopped\n`;
       try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
     }
@@ -1308,6 +1587,108 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
   fetchBuildStatus();
   setInterval(fetchBuildStatus, 15000);
 
+  applyPendingMigrations().then(result => {
+    lastMigrationResult = result;
+    if (result.applied?.length > 0) {
+      const log = `[${new Date().toISOString()}] Migrations applied: ${result.applied.map(m => m.name).join(", ")}\n`;
+      try { fs.appendFileSync(LOG_FILE, log); } catch {}
+    }
+  }).catch(() => {});
+
+  // ── Tunnel config (fetched from DB after unlock) ────────────
+  async function fetchTunnelConfig() {
+    try {
+      const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+      const sbKey = api.getAnonKey();
+      if (!sbUrl || !sbKey) return null;
+
+      const r = await fetch(
+        `${sbUrl}/rest/v1/clauth_config?key=eq.tunnel_hostname&select=value`,
+        {
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` },
+          signal: AbortSignal.timeout(5000),
+        }
+      );
+      if (!r.ok) return null;
+      const rows = await r.json();
+      if (rows.length > 0 && rows[0].value && rows[0].value !== "null") {
+        return typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+
+  // ── Auto-migration ────────────────────────────────────────────
+  let pendingBreakingMigrations = [];
+  let lastMigrationResult = null;
+
+  async function applyPendingMigrations() {
+    try {
+      const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+      const sbKey = api.getAnonKey();
+      if (!sbUrl || !sbKey) return { applied: [], errors: [] };
+
+      // Read current schema version (may not exist yet)
+      let currentVersion = 0;
+      try {
+        const r = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.schema_version&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        if (r.ok) {
+          const rows = await r.json();
+          if (rows.length > 0) currentVersion = Number(rows[0].value) || 0;
+        }
+      } catch {}
+
+      if (currentVersion >= CURRENT_SCHEMA_VERSION) return { applied: [], errors: [], currentVersion };
+
+      const applied = [];
+      const errors = [];
+
+      for (const m of MIGRATIONS) {
+        if (m.version <= currentVersion || !m.sql) continue;
+        if (m.type === "breaking") {
+          // Queue for UI confirmation — do not auto-apply
+          pendingBreakingMigrations.push(m);
+          continue;
+        }
+        try {
+          // Apply via Edge Function proxy (anon key can't do DDL directly)
+          const r = await fetch(`${(api.getBaseUrl() || "")}/run-migration`, {
+            method: "POST",
+            headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json" },
+            body: JSON.stringify({ sql: m.sql, version: m.version }),
+            signal: AbortSignal.timeout(15000),
+          });
+          if (r.ok) {
+            applied.push(m);
+            currentVersion = m.version;
+            // Update schema_version in clauth_config
+            await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+              method: "POST",
+              headers: {
+                apikey: sbKey, Authorization: `Bearer ${sbKey}`,
+                "Content-Type": "application/json", Prefer: "resolution=merge-duplicates",
+              },
+              body: JSON.stringify({ key: "schema_version", value: m.version }),
+            });
+          } else {
+            errors.push({ migration: m.name, error: await r.text() });
+          }
+        } catch (e) {
+          errors.push({ migration: m.name, error: e.message });
+        }
+      }
+
+      return { applied, errors, currentVersion };
+    } catch (e) {
+      return { applied: [], errors: [{ migration: "init", error: e.message }] };
+    }
+  }
+
   const server = http.createServer(async (req, res) => {
     const remote = req.socket.remoteAddress;
     const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
@@ -1667,17 +2048,22 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         failures: failCount,
         failures_remaining: MAX_FAILS - failCount,
         services: whitelist || "all",
-        port
+        port,
+        tunnel_status: tunnelStatus,
+        tunnel_url: tunnelUrl || null,
+        app_version: VERSION,
+        schema_version: CURRENT_SCHEMA_VERSION,
       });
     }
 
     // GET /tunnel — tunnel status (for dashboard polling)
     if (method === "GET" && reqPath === "/tunnel") {
       return ok(res, {
+        status: tunnelStatus,
         running: !!tunnelProc,
-        url: tunnelUrl,
+        url: tunnelUrl || null,
         sseUrl: tunnelUrl && tunnelUrl.startsWith("http") ? `${tunnelUrl}/sse` : null,
-        error: tunnelError,
+        error: tunnelError || null,
       });
     }
 
@@ -1686,6 +2072,15 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       return ok(res, buildStatus);
     }
 
+    // GET /migrations — migration registry and last run result
+    if (method === "GET" && reqPath === "/migrations") {
+      return ok(res, {
+        schema_version: CURRENT_SCHEMA_VERSION,
+        last_result: lastMigrationResult,
+        pending_breaking: pendingBreakingMigrations,
+      });
+    }
+
     // GET /mcp-setup — OAuth credentials for claude.ai MCP setup (localhost only)
     if (method === "GET" && reqPath === "/mcp-setup") {
       return ok(res, {
@@ -1695,7 +2090,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       });
     }
 
-    // POST /tunnel — start or stop tunnel manually
+    // POST /tunnel — start or stop tunnel manually (action in body)
     if (method === "POST" && reqPath === "/tunnel") {
       if (lockedGuard(res)) return;
       let body;
@@ -1705,11 +2100,27 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
       if (body.action === "stop") {
         stopTunnel();
-        return ok(res, { ok: true, running: false });
+        return ok(res, { status: tunnelStatus, running: false });
       }
       // start
       await startTunnel();
-      return ok(res, { ok: true, running: !!tunnelProc, url: tunnelUrl, error: tunnelError });
+      return ok(res, { status: tunnelStatus, running: !!tunnelProc, url: tunnelUrl, error: tunnelError });
+    }
+
+    // POST /tunnel/start — explicit start endpoint
+    if (method === "POST" && reqPath === "/tunnel/start") {
+      if (lockedGuard(res)) return;
+      if (tunnelProc) return ok(res, { status: tunnelStatus, message: "already running" });
+      tunnelStatus = "starting";
+      startTunnel().catch(() => {});
+      return ok(res, { status: "starting" });
+    }
+
+    // POST /tunnel/stop — explicit stop endpoint
+    if (method === "POST" && reqPath === "/tunnel/stop") {
+      if (lockedGuard(res)) return;
+      stopTunnel();
+      return ok(res, { status: tunnelStatus });
     }
 
     // GET /shutdown (for daemon stop)
@@ -1756,12 +2167,14 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
     }
 
-    // GET /status
+    // GET /status?project=xxx
     if (method === "GET" && reqPath === "/status") {
       if (lockedGuard(res)) return;
       try {
+        const parsedUrl = new URL(req.url, `http://127.0.0.1:${port}`);
+        const projectFilter = parsedUrl.searchParams.get("project") || undefined;
         const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.status(password, machineHash, token, timestamp);
+        const result = await api.status(password, machineHash, token, timestamp, projectFilter);
         if (result.error) return strike(res, 502, result.error);
         if (whitelist) {
           result.services = (result.services || []).filter(
@@ -1815,8 +2228,32 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         password = pw;   // unlock — store in process memory only
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-        // Auto-start Cloudflare Tunnel for claude.ai MCP
-        startTunnel().catch(() => {});
+        // Auto-start tunnel: --tunnel flag takes priority, otherwise fetch from DB
+        if (!tunnelHostname) {
+          fetchTunnelConfig().then(configured => {
+            if (configured) {
+              tunnelHostname = configured;
+              tunnelStatus = "starting";
+              startTunnel().catch(() => {});
+            } else {
+              // No tunnel configured in DB and no --tunnel flag
+              tunnelStatus = "not_configured";
+              const msg = [
+                `[${new Date().toISOString()}] No tunnel configured.`,
+                "  claude.ai web integration is inactive.",
+                "  To enable: run 'clauth tunnel setup'",
+              ].join("\n");
+              try { fs.appendFileSync(LOG_FILE, msg + "\n"); } catch {}
+              console.log("\n  ⚠  No tunnel configured — claude.ai web integration inactive.");
+              console.log("     Run: clauth tunnel setup\n");
+            }
+          }).catch(() => {
+            tunnelStatus = "error";
+          });
+        } else {
+          tunnelStatus = "starting";
+          startTunnel().catch(() => {});
+        }
         return ok(res, { ok: true, locked: false });
       } catch {
         // Wrong password — not a lockout strike, just a UI auth attempt
@@ -2014,7 +2451,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         return res.end(JSON.stringify({ error: "Invalid JSON body" }));
       }
 
-      const { name, label, key_type, description } = body;
+      const { name, label, key_type, description, project } = body;
       if (!name || typeof name !== "string" || !name.trim()) {
         res.writeHead(400, { "Content-Type": "application/json", ...CORS });
         return res.end(JSON.stringify({ error: "name is required" }));
@@ -2028,7 +2465,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
 
       try {
         const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.addService(password, machineHash, token, timestamp, name.trim().toLowerCase(), label || name.trim(), type, description || "");
+        const result = await api.addService(password, machineHash, token, timestamp, name.trim().toLowerCase(), label || name.trim(), type, description || "", project || undefined);
         if (result.error) return strike(res, 502, result.error);
         return ok(res, { ok: true, service: name.trim().toLowerCase() });
       } catch (err) {
@@ -2036,6 +2473,42 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
     }
 
+    // POST /update-service — update service metadata (project, label, description)
+    if (method === "POST" && reqPath === "/update-service") {
+      if (lockedGuard(res)) return;
+
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+
+      const { service, project, label, description } = body;
+      if (!service || typeof service !== "string") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "service is required" }));
+      }
+
+      const updates = {};
+      if (project !== undefined) updates.project = project;
+      if (label !== undefined) updates.label = label;
+      if (description !== undefined) updates.description = description;
+
+      if (Object.keys(updates).length === 0) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "At least one field to update is required (project, label, description)" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.updateService(password, machineHash, token, timestamp, service.toLowerCase(), updates);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, service: service.toLowerCase(), ...updates });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
     // Unknown route — don't count browser/MCP noise as auth failures
     // Don't count browser noise, MCP discovery probes, or OAuth probes as auth failures
     const isBenign = reqPath.startsWith("/.well-known/") || [
@@ -2412,6 +2885,24 @@ const MCP_TOOLS = [
       additionalProperties: false
     }
   },
+  {
+    name: "clauth_set_project",
+    description: "Set or clear the project scope on a service. Pass empty string to clear.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: { type: "string", description: "Service name (e.g. gmail, github)" },
+        project: { type: "string", description: "Project name to assign (empty string to clear)" }
+      },
+      required: ["service", "project"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "clauth_self_check",
+    description: "Test whether the clauth MCP connector is reachable via the Cloudflare tunnel. Returns connectivity status and tunnel URL.",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
 ];
 
 function writeTempSecret(service, value) {
@@ -2479,13 +2970,14 @@ async function handleMcpTool(vault, name, args) {
         if (vault.whitelist) {
           services = services.filter(s => vault.whitelist.includes(s.name.toLowerCase()));
         }
-        const lines = ["SERVICE              TYPE         STATUS       KEY    LAST RETRIEVED",
-                        "---              ----         ------       ---    --------------"];
+        const lines = ["SERVICE                  TYPE         PROJECT                STATUS       KEY    LAST RETRIEVED",
+                        "-------                  ----         -------                ------       ---    --------------"];
         for (const s of services) {
           const status = s.enabled ? "ACTIVE" : (s.vault_key ? "SUSPENDED" : "NO KEY");
           const hasKey = s.vault_key ? "yes" : "—";
           const lastGet = s.last_retrieved ? new Date(s.last_retrieved).toLocaleDateString() : "never";
-          lines.push(`${s.name.padEnd(20)} ${(s.key_type || "").padEnd(12)} ${status.padEnd(12)} ${hasKey.padEnd(6)} ${lastGet}`);
+          const proj = (s.project || "—").padEnd(22);
+          lines.push(`${s.name.padEnd(24)} ${(s.key_type || "").padEnd(12)} ${proj} ${status.padEnd(12)} ${hasKey.padEnd(6)} ${lastGet}`);
         }
         return mcpResult(lines.join("\n"));
       } catch (err) {
@@ -2652,6 +3144,57 @@ async function handleMcpTool(vault, name, args) {
       }
     }
 
+    case "clauth_set_project": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
+      const project = args.project;
+      if (!service) return mcpError("service is required");
+      if (project === undefined) return mcpError("project is required (empty string to clear)");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.updateService(vault.password, vault.machineHash, token, timestamp, service, { project: project || "" });
+        if (result.error) return mcpError(result.error);
+        return mcpResult(project ? `${service} → project: ${project}` : `${service} → project cleared`);
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_self_check": {
+      // Test connectivity via the Cloudflare tunnel and/or localhost daemon
+      const tunnelUrl = vault.tunnelUrl;
+      const results = [];
+
+      // Check localhost daemon
+      try {
+        const r = await fetch("http://127.0.0.1:52437/ping", { signal: AbortSignal.timeout(3000) });
+        const data = await r.json();
+        results.push(`Local daemon: PASS (${data.locked ? "locked" : "unlocked"}, failures: ${data.failures ?? 0})`);
+      } catch (err) {
+        results.push(`Local daemon: FAIL — http://127.0.0.1:52437 not reachable (${err.message})`);
+      }
+
+      // Check tunnel
+      if (tunnelUrl) {
+        try {
+          const r = await fetch(`${tunnelUrl}/ping`, { signal: AbortSignal.timeout(5000) });
+          const data = await r.json();
+          results.push(`Tunnel: PASS — ${tunnelUrl} reachable (${data.locked ? "locked" : "unlocked"})`);
+          results.push(`claude.ai SSE endpoint: ${tunnelUrl}/sse`);
+          results.push(`claude.ai MCP endpoint: ${tunnelUrl}/mcp`);
+        } catch (err) {
+          results.push(`Tunnel: FAIL — ${tunnelUrl} not reachable (${err.message})`);
+          results.push("claude.ai MCP connector will not work until tunnel is restored.");
+          results.push("Fix: clauth serve start --tunnel clauth.prtrust.fund");
+        }
+      } else {
+        results.push("Tunnel: NOT RUNNING — claude.ai connector requires the tunnel.");
+        results.push("Start with: clauth serve start --tunnel clauth.prtrust.fund");
+      }
+
+      return mcpResult(results.join("\n"));
+    }
+
     default:
       return mcpError(`Unknown tool: ${name}`);
   }
@@ -2674,6 +3217,7 @@ function createMcpServer(initPassword, whitelist) {
   const vault = {
     password: initPassword || null,
     get machineHash() { return ensureMachineHash(); },
+    get tunnelUrl() { return null; }, // stdio server has no tunnel — self_check will try localhost daemon
     whitelist,
     failCount: 0,
     MAX_FAILS: 10,
@@ -2765,61 +3309,154 @@ async function actionMcp(opts) {
   createMcpServer(password, whitelist);
 }
 
-// ── DPAPI auto-start install / uninstall (Windows only) ──────
-const AUTOSTART_DIR  = path.join(os.homedir(), "AppData", "Roaming", "clauth");
-const BOOT_KEY_PATH  = path.join(AUTOSTART_DIR, "boot.key");
-const PS_SCRIPT_PATH = path.join(AUTOSTART_DIR, "autostart.ps1");
-const TASK_NAME      = "ClauthAutostart";
+// ── Cross-platform auto-start install / uninstall ────────────
+// Windows: DPAPI + Scheduled Task
+// macOS:   Keychain + LaunchAgent
+// Linux:   libsecret/encrypted file + systemd user service
+
+const TASK_NAME = "ClauthAutostart";
+
+function getAutostartDir() {
+  const platform = os.platform();
+  if (platform === "win32") {
+    return path.join(os.homedir(), "AppData", "Roaming", "clauth");
+  } else if (platform === "darwin") {
+    return path.join(os.homedir(), "Library", "LaunchAgents");
+  } else {
+    return path.join(os.homedir(), ".config", "systemd", "user");
+  }
+}
+
+function getBootKeyPath() {
+  if (os.platform() === "win32") {
+    return path.join(os.homedir(), "AppData", "Roaming", "clauth", "boot.key");
+  } else if (os.platform() === "darwin") {
+    return null; // stored in Keychain, not a file
+  } else {
+    return path.join(os.homedir(), ".config", "clauth", "boot.key");
+  }
+}
 
 async function actionInstall(opts) {
-  if (os.platform() !== "win32") {
-    console.log(chalk.red("\n  serve install is only supported on Windows\n"));
-    process.exit(1);
+  const platform = os.platform();
+  const { execSync } = await import("child_process");
+  const config = new Conf(getConfOptions());
+
+  const tunnelHostname = opts.tunnel || null;
+
+  // Persist tunnel hostname in config if provided
+  if (tunnelHostname) {
+    config.set("tunnel_hostname", tunnelHostname);
+    console.log(chalk.gray(`\n  Tunnel hostname saved: ${tunnelHostname}`));
   }
 
-  const { default: inquirer } = await import("inquirer");
-  const { pw } = await inquirer.prompt([{
-    type: "password", name: "pw",
-    message: "Enter clauth password to store for auto-start:", mask: "*"
-  }]);
+  // Check for cloudflared if tunnel is requested
+  if (tunnelHostname) {
+    try {
+      execSync("cloudflared --version", { encoding: "utf8", stdio: "pipe" });
+    } catch {
+      console.log(chalk.yellow("\n  cloudflared not found — required for tunnel support"));
+      console.log(chalk.gray("  Install: winget install Cloudflare.cloudflared"));
+      try {
+        const { installCloudflared } = await import("./doctor.js");
+        await installCloudflared();
+      } catch {
+        console.log(chalk.yellow("  Continuing without tunnel — install cloudflared manually later"));
+      }
+    }
+  }
 
-  fs.mkdirSync(AUTOSTART_DIR, { recursive: true });
+  // Two modes:
+  //   1. Password provided via -p flag → encrypt + install (non-interactive)
+  //   2. No password → install watchdog that starts daemon in locked mode
+  //      The browser dashboard opens, user enters password there.
+  //      For passwordless restart, user can later run: clauth serve seal
+  const pw = opts.pw || null;
 
-  // Encrypt password with Windows DPAPI (CurrentUser scope — machine+user bound)
-  const spinner = ora("Encrypting password with Windows DPAPI...").start();
-  let encrypted;
-  try {
-    const { execSync } = await import("child_process");
-    const pwEscaped = pw.replace(/'/g, "''");
-    const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
-    encrypted = execSync(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8" }).trim();
-    fs.writeFileSync(BOOT_KEY_PATH, encrypted, "utf8");
-    spinner.succeed(chalk.green("Password encrypted → boot.key"));
-  } catch (err) {
-    spinner.fail(chalk.red(`DPAPI encryption failed: ${err.message}`));
-    process.exit(1);
+  if (platform === "win32") {
+    await installWindows(pw, tunnelHostname, execSync);
+  } else if (platform === "darwin") {
+    await installMacOS(pw, tunnelHostname, execSync);
+  } else {
+    await installLinux(pw, tunnelHostname, execSync);
   }
+}
 
-  // Write PowerShell autostart script — decrypts boot.key and pipes to clauth serve start
+// ── Windows: DPAPI + Scheduled Task ────────────────────────
+async function installWindows(pw, tunnelHostname, execSync) {
+  const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+  const bootKeyPath  = path.join(autostartDir, "boot.key");
+  const psScriptPath = path.join(autostartDir, "autostart.ps1");
   const cliEntry = path.resolve(__dirname, "../index.js").replace(/\\/g, "\\\\");
   const nodeExe  = process.execPath.replace(/\\/g, "\\\\");
-  const bootKey  = BOOT_KEY_PATH.replace(/\\/g, "\\\\");
-  const psScript = [
-    "# clauth autostart — generated by clauth serve install",
-    `$enc = (Get-Content '${bootKey}' -Raw).Trim()`,
-    `$pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))`,
-    `Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw" -WindowStyle Hidden`,
-  ].join("\n");
-  fs.writeFileSync(PS_SCRIPT_PATH, psScript, "utf8");
+  const bootKey  = bootKeyPath.replace(/\\/g, "\\\\");
+  const tunnelArg = tunnelHostname ? ` --tunnel ${tunnelHostname}` : "";
+
+  fs.mkdirSync(autostartDir, { recursive: true });
+
+  if (pw) {
+    // ── Sealed mode: DPAPI-encrypt password for fully unattended restart ──
+    const spinner = ora("Encrypting password with Windows DPAPI...").start();
+    try {
+      const pwEscaped = pw.replace(/'/g, "''");
+      const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
+      const encrypted = execSync(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8" }).trim();
+      fs.writeFileSync(bootKeyPath, encrypted, "utf8");
+      spinner.succeed(chalk.green("Password sealed via DPAPI → boot.key"));
+    } catch (err) {
+      spinner.fail(chalk.red(`DPAPI encryption failed: ${err.message}`));
+      process.exit(1);
+    }
+
+    // Watchdog script: decrypts password, starts daemon unlocked, monitors for crash
+    const psScript = [
+      "# clauth autostart + watchdog (sealed mode)",
+      "# Starts unlocked and restarts on crash every 15s",
+      "",
+      `$enc = (Get-Content '${bootKey}' -Raw).Trim()`,
+      `$pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))`,
+      "",
+      "while ($true) {",
+      "  try {",
+      "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
+      "  } catch {",
+      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw${tunnelArg}" -WindowStyle Hidden`,
+      "    Start-Sleep -Seconds 5",
+      "  }",
+      "  Start-Sleep -Seconds 15",
+      "}",
+    ].join("\n");
+    fs.writeFileSync(psScriptPath, psScript, "utf8");
+  } else {
+    // ── First-run mode: no password yet — start locked, browser opens for setup ──
+    // Watchdog starts the daemon in locked mode; user enters password in the browser dashboard.
+    // After entering password in the browser, user can seal it for future unattended restarts
+    // by running: clauth serve seal
+    const psScript = [
+      "# clauth autostart + watchdog (locked mode — browser password entry)",
+      "# Starts daemon locked, opens browser for password. Restarts on crash every 15s.",
+      "",
+      "while ($true) {",
+      "  try {",
+      "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
+      "  } catch {",
+      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    Start-Sleep -Seconds 5",
+      "  }",
+      "  Start-Sleep -Seconds 15",
+      "}",
+    ].join("\n");
+    fs.writeFileSync(psScriptPath, psScript, "utf8");
+  }
 
   // Register Windows Scheduled Task — triggers on user logon
-  const spinner2 = ora("Registering Windows Scheduled Task...").start();
+  const mode = pw ? "sealed — fully unattended" : "locked — browser password entry";
+  const spinner2 = ora(`Registering Scheduled Task (${mode})...`).start();
   try {
-    const { execSync } = await import("child_process");
-    const psScriptEsc = PS_SCRIPT_PATH.replace(/\\/g, "\\\\");
+    const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
     const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
     execSync(
-      `schtasks /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+      `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
       { encoding: "utf8", stdio: "pipe" }
     );
     spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
@@ -2828,33 +3465,327 @@ async function actionInstall(opts) {
     console.log(chalk.gray("  You can still start manually: clauth serve start"));
   }
 
-  console.log(chalk.cyan("\n  Auto-start installed:\n"));
-  console.log(chalk.gray(`  boot.key:  ${BOOT_KEY_PATH}`));
-  console.log(chalk.gray(`  script:    ${PS_SCRIPT_PATH}`));
-  console.log(chalk.gray(`  task:      ${TASK_NAME}\n`));
-  console.log(chalk.green("  Daemon will auto-start on next Windows login.\n"));
+  // Start the daemon now
+  const spinner3 = ora("Starting daemon...").start();
+  try {
+    if (pw) {
+      execSync(`"${nodeExe.replace(/\\\\/g, "\\")}" "${cliEntry.replace(/\\\\/g, "\\")}" serve start -p "${pw}"`, {
+        encoding: "utf8", stdio: "pipe", timeout: 10000,
+      });
+    } else {
+      execSync(`"${nodeExe.replace(/\\\\/g, "\\")}" "${cliEntry.replace(/\\\\/g, "\\")}" serve start`, {
+        encoding: "utf8", stdio: "pipe", timeout: 10000,
+      });
+    }
+    spinner3.succeed(chalk.green("Daemon started"));
+  } catch {
+    spinner3.succeed(chalk.green("Daemon starting..."));
+  }
+
+  // Open browser for first-run password setup (locked mode only)
+  if (!pw) {
+    try { openBrowser("http://127.0.0.1:52437"); } catch {}
+  }
+
+  console.log(chalk.cyan("\n  Auto-start installed (Windows):\n"));
+  if (pw) {
+    console.log(chalk.gray(`  mode:      sealed (DPAPI — fully unattended restart)`));
+    console.log(chalk.gray(`  boot.key:  ${bootKeyPath}`));
+  } else {
+    console.log(chalk.gray(`  mode:      locked (enter password in browser on restart)`));
+    console.log(chalk.gray(`  browser:   http://127.0.0.1:52437`));
+    console.log(chalk.gray(`  seal later: clauth serve seal  (enables unattended restart)`));
+  }
+  console.log(chalk.gray(`  watchdog:  ${psScriptPath}`));
+  console.log(chalk.gray(`  task:      ${TASK_NAME} (restarts every 15s on crash)`));
+  if (tunnelHostname) console.log(chalk.gray(`  tunnel:    ${tunnelHostname}`));
+  console.log(chalk.green("\n  Done. Daemon will auto-start on login and restart on crash.\n"));
 }
 
-async function actionUninstall() {
-  if (os.platform() !== "win32") {
-    console.log(chalk.red("\n  serve uninstall is only supported on Windows\n"));
+// ── macOS: Keychain + LaunchAgent ──────────────────────────
+async function installMacOS(pw, tunnelHostname, execSync) {
+  const launchAgentsDir = path.join(os.homedir(), "Library", "LaunchAgents");
+  const plistPath = path.join(launchAgentsDir, "com.lifeai.clauth.plist");
+  const keychainService = "com.lifeai.clauth";
+  const keychainAccount = "clauth-daemon";
+
+  fs.mkdirSync(launchAgentsDir, { recursive: true });
+
+  // Store password in macOS Keychain
+  const spinner = ora("Storing password in macOS Keychain...").start();
+  try {
+    // Delete existing entry if present (ignore errors)
+    try {
+      execSync(
+        `security delete-generic-password -s "${keychainService}" -a "${keychainAccount}"`,
+        { encoding: "utf8", stdio: "pipe" }
+      );
+    } catch {}
+
+    execSync(
+      `security add-generic-password -s "${keychainService}" -a "${keychainAccount}" -w "${pw.replace(/"/g, '\\"')}" -U`,
+      { encoding: "utf8", stdio: "pipe" }
+    );
+    spinner.succeed(chalk.green("Password stored in Keychain"));
+  } catch (err) {
+    spinner.fail(chalk.red(`Keychain storage failed: ${err.message}`));
     process.exit(1);
   }
+
+  // Find the node executable and cli entry
+  const cliEntry = path.resolve(__dirname, "../index.js");
+  const nodeExe = process.execPath;
+
+  // Build shell command that reads from Keychain and starts clauth
+  const tunnelArg = tunnelHostname ? ` --tunnel ${tunnelHostname}` : "";
+  const shellCmd = `PW=$(security find-generic-password -s "${keychainService}" -a "${keychainAccount}" -w) && exec "${nodeExe}" "${cliEntry}" serve start -p "$PW"${tunnelArg}`;
+
+  // Create LaunchAgent plist
+  const plistContent = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.lifeai.clauth</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/sh</string>
+    <string>-c</string>
+    <string>${shellCmd.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")}</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>/tmp/clauth-serve.log</string>
+  <key>StandardErrorPath</key>
+  <string>/tmp/clauth-serve.log</string>
+</dict>
+</plist>`;
+
+  fs.writeFileSync(plistPath, plistContent, "utf8");
+
+  // Load the LaunchAgent
+  const spinner2 = ora("Loading LaunchAgent...").start();
+  try {
+    // Unload first in case it's already loaded (ignore errors)
+    try { execSync(`launchctl unload "${plistPath}"`, { stdio: "pipe" }); } catch {}
+    execSync(`launchctl load "${plistPath}"`, { stdio: "pipe" });
+    spinner2.succeed(chalk.green("LaunchAgent loaded"));
+  } catch (err) {
+    spinner2.fail(chalk.yellow(`LaunchAgent load failed (non-fatal): ${err.message}`));
+    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+  }
+
+  console.log(chalk.cyan("\n  Auto-start installed (macOS):\n"));
+  console.log(chalk.gray(`  plist:     ${plistPath}`));
+  console.log(chalk.gray(`  keychain:  ${keychainService}`));
+  if (tunnelHostname) console.log(chalk.gray(`  tunnel:    ${tunnelHostname}`));
+  console.log(chalk.green("\n  Daemon will auto-start on login and restart on crash.\n"));
+}
+
+// ── Linux: encrypted file + systemd user service ───────────
+async function installLinux(pw, tunnelHostname, execSync) {
+  const configDir = path.join(os.homedir(), ".config", "clauth");
+  const bootKeyPath = path.join(configDir, "boot.key");
+  const systemdDir = path.join(os.homedir(), ".config", "systemd", "user");
+  const serviceFile = path.join(systemdDir, "clauth.service");
+
+  fs.mkdirSync(configDir, { recursive: true });
+  fs.mkdirSync(systemdDir, { recursive: true });
+
+  // Try to store password using secret-tool (libsecret/GNOME Keyring)
+  let useSecretTool = false;
+  const spinner = ora("Storing password securely...").start();
+
+  try {
+    execSync("which secret-tool", { encoding: "utf8", stdio: "pipe" });
+    execSync(
+      `echo -n "${pw.replace(/"/g, '\\"')}" | secret-tool store --label="clauth daemon password" service clauth account daemon`,
+      { encoding: "utf8", stdio: "pipe" }
+    );
+    useSecretTool = true;
+    spinner.succeed(chalk.green("Password stored via secret-tool (GNOME Keyring)"));
+  } catch {
+    // Fallback: encrypt with openssl and store in file
+    // Uses a key derived from machine-id for basic protection at rest
+    try {
+      const machineId = fs.readFileSync("/etc/machine-id", "utf8").trim();
+      const encrypted = execSync(
+        `echo -n "${pw.replace(/"/g, '\\"')}" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -pass pass:"${machineId}" -base64`,
+        { encoding: "utf8", stdio: "pipe" }
+      ).trim();
+      fs.writeFileSync(bootKeyPath, encrypted, { mode: 0o600 });
+      spinner.succeed(chalk.green("Password encrypted -> boot.key (openssl fallback)"));
+    } catch (err) {
+      spinner.fail(chalk.red(`Password storage failed: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
+  // Find the node executable and cli entry
+  const cliEntry = path.resolve(__dirname, "../index.js");
+  const nodeExe = process.execPath;
+
+  // Build the ExecStart command
+  const tunnelArg = tunnelHostname ? ` --tunnel ${tunnelHostname}` : "";
+  let execStart;
+  if (useSecretTool) {
+    // Create a wrapper script that reads from secret-tool
+    const wrapperPath = path.join(configDir, "start.sh");
+    const wrapperContent = [
+      "#!/bin/sh",
+      `PW=$(secret-tool lookup service clauth account daemon)`,
+      `exec "${nodeExe}" "${cliEntry}" serve start -p "$PW"${tunnelArg}`,
+    ].join("\n");
+    fs.writeFileSync(wrapperPath, wrapperContent, { mode: 0o700 });
+    execStart = `/bin/sh ${wrapperPath}`;
+  } else {
+    // Create a wrapper script that decrypts boot.key
+    const wrapperPath = path.join(configDir, "start.sh");
+    const wrapperContent = [
+      "#!/bin/sh",
+      `MACHINE_ID=$(cat /etc/machine-id)`,
+      `PW=$(openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -pass pass:"$MACHINE_ID" -base64 -d < "${bootKeyPath}")`,
+      `exec "${nodeExe}" "${cliEntry}" serve start -p "$PW"${tunnelArg}`,
+    ].join("\n");
+    fs.writeFileSync(wrapperPath, wrapperContent, { mode: 0o700 });
+    execStart = `/bin/sh ${wrapperPath}`;
+  }
+
+  // Create systemd user service
+  const serviceContent = `[Unit]
+Description=clauth credential daemon
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${execStart}
+Restart=always
+RestartSec=5
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=default.target
+`;
+
+  fs.writeFileSync(serviceFile, serviceContent, "utf8");
+
+  // Enable and start the service
+  const spinner2 = ora("Enabling systemd user service...").start();
+  try {
+    execSync("systemctl --user daemon-reload", { stdio: "pipe" });
+    execSync("systemctl --user enable clauth", { stdio: "pipe" });
+    execSync("systemctl --user start clauth", { stdio: "pipe" });
+    spinner2.succeed(chalk.green("systemd user service enabled and started"));
+  } catch (err) {
+    spinner2.fail(chalk.yellow(`systemd setup failed (non-fatal): ${err.message}`));
+    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+  }
+
+  console.log(chalk.cyan("\n  Auto-start installed (Linux):\n"));
+  console.log(chalk.gray(`  service:   ${serviceFile}`));
+  console.log(chalk.gray(`  password:  ${useSecretTool ? "GNOME Keyring" : bootKeyPath}`));
+  if (tunnelHostname) console.log(chalk.gray(`  tunnel:    ${tunnelHostname}`));
+  console.log(chalk.green("\n  Daemon will auto-start on login and restart on crash.\n"));
+}
+
+// ── Cross-platform uninstall ───────────────────────────────
+async function actionUninstall() {
+  const platform = os.platform();
   const { execSync } = await import("child_process");
 
+  if (platform === "win32") {
+    await uninstallWindows(execSync);
+  } else if (platform === "darwin") {
+    await uninstallMacOS(execSync);
+  } else {
+    await uninstallLinux(execSync);
+  }
+}
+
+async function uninstallWindows(execSync) {
+  const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+  const bootKeyPath  = path.join(autostartDir, "boot.key");
+  const psScriptPath = path.join(autostartDir, "autostart.ps1");
+
   // Remove scheduled task
   try {
-    execSync(`schtasks /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
+    execSync(`${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
     console.log(chalk.green(`  Removed Scheduled Task: ${TASK_NAME}`));
   } catch { console.log(chalk.gray(`  Task not found (already removed): ${TASK_NAME}`)); }
 
   // Remove boot.key and autostart script
-  for (const f of [BOOT_KEY_PATH, PS_SCRIPT_PATH]) {
+  for (const f of [bootKeyPath, psScriptPath]) {
     try { fs.unlinkSync(f); console.log(chalk.green(`  Deleted: ${f}`)); }
     catch { console.log(chalk.gray(`  Not found (skipped): ${f}`)); }
   }
 
-  console.log(chalk.cyan("\n  Auto-start uninstalled.\n"));
+  console.log(chalk.cyan("\n  Auto-start uninstalled (Windows).\n"));
+}
+
+async function uninstallMacOS(execSync) {
+  const plistPath = path.join(os.homedir(), "Library", "LaunchAgents", "com.lifeai.clauth.plist");
+  const keychainService = "com.lifeai.clauth";
+  const keychainAccount = "clauth-daemon";
+
+  // Unload LaunchAgent
+  try {
+    execSync(`launchctl unload "${plistPath}"`, { stdio: "pipe" });
+    console.log(chalk.green("  Unloaded LaunchAgent"));
+  } catch { console.log(chalk.gray("  LaunchAgent not loaded (already removed)")); }
+
+  // Remove plist
+  try { fs.unlinkSync(plistPath); console.log(chalk.green(`  Deleted: ${plistPath}`)); }
+  catch { console.log(chalk.gray(`  Not found (skipped): ${plistPath}`)); }
+
+  // Remove Keychain entry
+  try {
+    execSync(
+      `security delete-generic-password -s "${keychainService}" -a "${keychainAccount}"`,
+      { encoding: "utf8", stdio: "pipe" }
+    );
+    console.log(chalk.green("  Removed Keychain entry"));
+  } catch { console.log(chalk.gray("  Keychain entry not found (already removed)")); }
+
+  console.log(chalk.cyan("\n  Auto-start uninstalled (macOS).\n"));
+}
+
+async function uninstallLinux(execSync) {
+  const configDir = path.join(os.homedir(), ".config", "clauth");
+  const bootKeyPath = path.join(configDir, "boot.key");
+  const wrapperPath = path.join(configDir, "start.sh");
+  const serviceFile = path.join(os.homedir(), ".config", "systemd", "user", "clauth.service");
+
+  // Stop and disable systemd service
+  try {
+    execSync("systemctl --user stop clauth", { stdio: "pipe" });
+    execSync("systemctl --user disable clauth", { stdio: "pipe" });
+    console.log(chalk.green("  Stopped and disabled systemd service"));
+  } catch { console.log(chalk.gray("  systemd service not running (already removed)")); }
+
+  // Remove service file
+  try { fs.unlinkSync(serviceFile); console.log(chalk.green(`  Deleted: ${serviceFile}`)); }
+  catch { console.log(chalk.gray(`  Not found (skipped): ${serviceFile}`)); }
+
+  // Reload systemd
+  try { execSync("systemctl --user daemon-reload", { stdio: "pipe" }); } catch {}
+
+  // Remove boot.key and wrapper script
+  for (const f of [bootKeyPath, wrapperPath]) {
+    try { fs.unlinkSync(f); console.log(chalk.green(`  Deleted: ${f}`)); }
+    catch { console.log(chalk.gray(`  Not found (skipped): ${f}`)); }
+  }
+
+  // Try to remove secret-tool entry
+  try {
+    execSync("secret-tool clear service clauth account daemon", { stdio: "pipe" });
+    console.log(chalk.green("  Removed secret-tool entry"));
+  } catch { /* secret-tool may not be installed */ }
+
+  console.log(chalk.cyan("\n  Auto-start uninstalled (Linux).\n"));
 }
 
 // ── Export ────────────────────────────────────────────────────