@lifeaitools/clauth 0.7.6 → 1.2.3

package/cli/commands/serve.js

@@ -13,11 +13,50 @@ import { fileURLToPath } from "url";
 import { getMachineHash, deriveToken, deriveSeedHash } from "../fingerprint.js";
 import * as api from "../api.js";
 import chalk from "chalk";
+import ora from "ora";
+import { execSync as execSyncTop } from "child_process";
+import Conf from "conf";
+import { getConfOptions } from "../conf-path.js";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
 const VERSION = pkg.version;
 
+// ── Embedded migrations ─────────────────────────────────────────
+// All SQL must be idempotent (IF NOT EXISTS, etc.)
+// type: "safe" = auto-apply | "breaking" = requires user confirmation in UI
+const MIGRATIONS = [
+  {
+    version: 1,
+    name: "001_clauth_schema",
+    description: "Initial schema (clauth_services, clauth_machines, clauth_audit)",
+    type: "safe",
+    sql: null, // pre-existing, skip if schema_version >= 1
+  },
+  {
+    version: 2,
+    name: "002_lockout",
+    description: "Machine lockout (fail_count, locked columns on clauth_machines)",
+    type: "safe",
+    sql: `ALTER TABLE clauth_machines ADD COLUMN IF NOT EXISTS fail_count integer NOT NULL DEFAULT 0;
+ALTER TABLE clauth_machines ADD COLUMN IF NOT EXISTS locked boolean NOT NULL DEFAULT false;`,
+  },
+  {
+    version: 3,
+    name: "003_clauth_config",
+    description: "Daemon config store — tunnel hostname and schema versioning",
+    type: "safe",
+    sql: `CREATE TABLE IF NOT EXISTS clauth_config (
+  key        text PRIMARY KEY,
+  value      jsonb NOT NULL,
+  updated_at timestamptz DEFAULT now()
+);
+ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;`,
+  },
+];
+
+const CURRENT_SCHEMA_VERSION = 3;
+
 const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
 const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
 
@@ -47,7 +86,7 @@ function openBrowser(url) {
     const cmd = os.platform() === "win32" ? `start "" "${url}"`
       : os.platform() === "darwin" ? `open "${url}"`
       : `xdg-open "${url}"`;
-    execSync(cmd, { stdio: "ignore" });
+    execSyncTop(cmd, { stdio: "ignore" });
   } catch {}
 }
 
@@ -190,6 +229,22 @@ function dashboardHtml(port, whitelist) {
   .add-foot{display:flex;gap:8px;align-items:center}
   .add-msg{font-size:.82rem}
   .add-msg.ok{color:#4ade80} .add-msg.fail{color:#f87171}
+  .project-tabs{display:flex;gap:0;margin-bottom:1rem;border-bottom:1px solid #1e293b;overflow-x:auto}
+  .project-tab{background:none;border:none;border-bottom:2px solid transparent;color:#64748b;padding:8px 16px;font-size:.82rem;font-weight:500;cursor:pointer;white-space:nowrap;transition:all .15s}
+  .project-tab:hover{color:#94a3b8;background:rgba(59,130,246,.05)}
+  .project-tab.active{color:#60a5fa;border-bottom-color:#3b82f6;background:rgba(59,130,246,.08)}
+  .project-tab .tab-count{font-size:.7rem;color:#475569;margin-left:4px;font-weight:400}
+  .project-tab.active .tab-count{color:#3b82f6}
+  .project-edit{display:none;margin-top:8px;padding:8px 10px;background:#0f172a;border:1px solid #334155;border-radius:6px}
+  .project-edit.open{display:flex;gap:6px;align-items:center}
+  .project-edit input{background:#1e293b;border:1px solid #334155;border-radius:4px;color:#e2e8f0;font-size:.78rem;padding:4px 8px;outline:none;flex:1;font-family:'Courier New',monospace;transition:border-color .15s}
+  .project-edit input:focus{border-color:#3b82f6}
+  .project-edit button{font-size:.72rem;padding:4px 8px;border-radius:4px;cursor:pointer;border:1px solid #334155;background:#1a1f2e;color:#94a3b8;transition:all .15s}
+  .project-edit button:hover{border-color:#60a5fa;color:#60a5fa}
+  .project-edit .pe-msg{font-size:.72rem;color:#4ade80}
+  .btn-project{font-size:.68rem;color:#64748b;background:none;border:1px solid #1e293b;border-radius:3px;padding:2px 6px;cursor:pointer;transition:all .15s}
+  .btn-project:hover{color:#3b82f6;border-color:#3b82f6}
+  .btn-mcp-setup.open{border-color:#f59e0b;color:#f59e0b;background:#1a1500}
   .footer{margin-top:2rem;font-size:.75rem;color:#475569;text-align:center}
   .oauth-fields{display:flex;flex-direction:column;gap:8px;margin-bottom:8px}
   .oauth-field{display:flex;flex-direction:column;gap:3px}
@@ -197,6 +252,68 @@ function dashboardHtml(port, whitelist) {
   .oauth-hint{font-size:.71rem;color:#475569;font-style:italic}
   .oauth-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;transition:border-color .2s}
   .oauth-input:focus{border-color:#3b82f6}
+  .upgrade-banner {
+    background: linear-gradient(135deg, rgba(0,200,100,0.12), rgba(0,150,80,0.08));
+    border: 1px solid rgba(0,200,100,0.3);
+    border-radius: 6px;
+    padding: 10px 16px;
+    margin-bottom: 12px;
+    font-size: 13px;
+  }
+  .upgrade-banner .upgrade-content {
+    display: flex;
+    align-items: center;
+    gap: 12px;
+    flex-wrap: wrap;
+  }
+  .upgrade-banner button {
+    margin-left: auto;
+    background: none;
+    border: 1px solid rgba(0,200,100,0.4);
+    color: #0c6;
+    border-radius: 4px;
+    padding: 2px 8px;
+    cursor: pointer;
+    font-size: 12px;
+  }
+  .upgrade-details-list {
+    color: rgba(255,255,255,0.6);
+    font-size: 12px;
+  }
+  /* Tunnel setup wizard */
+  .wizard-panel{background:#0a1628;border:1px solid #1e3a5f;border-radius:10px;padding:1.5rem;margin-bottom:1.25rem;display:none}
+  .wizard-panel.open{display:block}
+  .wizard-header{display:flex;align-items:center;gap:10px;margin-bottom:1.25rem}
+  .wizard-title{font-size:1rem;font-weight:600;color:#f8fafc;flex:1}
+  .wizard-steps{display:flex;gap:6px;margin-bottom:1.5rem;flex-wrap:wrap}
+  .wstep{padding:4px 10px;border-radius:20px;font-size:.72rem;font-weight:600;border:1px solid #1e3a5f;color:#475569;background:#0f172a}
+  .wstep.active{border-color:#3b82f6;color:#60a5fa;background:rgba(59,130,246,.1)}
+  .wstep.done{border-color:#166534;color:#4ade80;background:rgba(74,222,128,.08)}
+  .wizard-body{min-height:80px}
+  .wizard-foot{display:flex;gap:8px;margin-top:1.25rem;align-items:center}
+  .btn-wiz-primary{background:#3b82f6;color:#fff;padding:8px 20px;font-size:.875rem;border-radius:7px;border:none;cursor:pointer;font-weight:600}
+  .btn-wiz-primary:hover{background:#2563eb}
+  .btn-wiz-primary:disabled{opacity:.4;cursor:not-allowed}
+  .btn-wiz-secondary{background:#1e293b;color:#94a3b8;padding:8px 16px;font-size:.875rem;border-radius:7px;border:1px solid #334155;cursor:pointer}
+  .btn-wiz-secondary:hover{color:#e2e8f0}
+  .wiz-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.9rem;padding:9px 12px;outline:none;margin-top:8px;transition:border-color .2s}
+  .wiz-input:focus{border-color:#3b82f6}
+  .wiz-label{font-size:.8rem;color:#64748b;margin-bottom:4px}
+  .wiz-msg{font-size:.82rem;margin-left:auto}
+  .wiz-msg.ok{color:#4ade80}.wiz-msg.fail{color:#f87171}
+  .wiz-log{background:#030712;border:1px solid #1e293b;border-radius:6px;padding:10px;font-family:'Courier New',monospace;font-size:.75rem;color:#6ee7b7;max-height:160px;overflow-y:auto;margin-top:10px;white-space:pre-wrap}
+  .wiz-tunnel-list{display:flex;flex-direction:column;gap:8px;margin-top:10px}
+  .wiz-tunnel-item{display:flex;align-items:center;gap:10px;padding:10px 12px;background:#0f172a;border:1px solid #1e3a5f;border-radius:6px;cursor:pointer;transition:border-color .15s}
+  .wiz-tunnel-item:hover,.wiz-tunnel-item.selected{border-color:#3b82f6;background:rgba(59,130,246,.08)}
+  .wiz-tunnel-name{font-weight:600;color:#f8fafc;font-size:.9rem;flex:1}
+  .wiz-tunnel-id{font-family:'Courier New',monospace;font-size:.72rem;color:#475569}
+  .wiz-tunnel-status{font-size:.72rem;padding:2px 7px;border-radius:4px;background:rgba(74,222,128,.1);color:#4ade80;border:1px solid rgba(74,222,128,.2)}
+  .wiz-desc{font-size:.85rem;color:#94a3b8;line-height:1.6;margin-bottom:.75rem}
+  .wiz-link{color:#60a5fa;text-decoration:none;font-size:.82rem}
+  .wiz-link:hover{text-decoration:underline}
+  .wiz-test-result{padding:12px 14px;border-radius:8px;font-size:.85rem;margin-top:10px;display:none}
+  .wiz-test-result.ok{background:rgba(74,222,128,.08);border:1px solid rgba(74,222,128,.2);color:#4ade80}
+  .wiz-test-result.fail{background:rgba(248,113,113,.08);border:1px solid rgba(248,113,113,.2);color:#f87171}
 </style>
 </head>
 <body>
@@ -215,6 +332,13 @@ function dashboardHtml(port, whitelist) {
 
 <!-- ── Main view (shown after unlock) ──────── -->
 <div id="main-view">
+  <div id="upgrade-banner" style="display:none" class="upgrade-banner">
+    <div class="upgrade-content">
+      <strong>⬆ clauth upgraded to v<span id="upgrade-to-version"></span></strong>
+      <span id="upgrade-details"></span>
+      <button onclick="dismissUpgrade()">Dismiss ✕</button>
+    </div>
+  </div>
   <div class="header">
     <div class="dot" id="dot"></div>
     <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
@@ -256,6 +380,10 @@ function dashboardHtml(port, whitelist) {
           <option value="">Loading…</option>
         </select>
       </div>
+      <div class="add-field">
+        <label>Project <span style="color:#475569;font-weight:400">(optional)</span></label>
+        <input class="add-input" id="add-project" type="text" placeholder="e.g. marketing-engine" autocomplete="off" spellcheck="false">
+      </div>
     </div>
     <div class="add-foot">
       <button class="btn-chpw-save" onclick="addService()">Create Service</button>
@@ -284,15 +412,45 @@ function dashboardHtml(port, whitelist) {
   </div>
 
   <div class="tunnel-panel" id="tunnel-panel">
-    <div class="tunnel-dot off" id="tunnel-dot"></div>
-    <div class="tunnel-label" id="tunnel-label">
-      <strong>claude.ai MCP</strong> — checking tunnel…
+    <!-- not_configured -->
+    <div class="tunnel-state not-configured" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot off"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — No tunnel configured</div>
+      <button class="btn-tunnel-stop" onclick="runTunnelSetup()">Setup Tunnel</button>
+    </div>
+    <!-- missing_cloudflared -->
+    <div class="tunnel-state missing-cloudflared" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot err"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — cloudflared not installed</div>
+      <a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/" target="_blank" style="color:#60a5fa;font-size:.8rem">Download cloudflared ↗</a>
+      <span class="tunnel-err" style="display:inline;font-size:.78rem;color:#94a3b8">Then run: clauth tunnel setup</span>
+    </div>
+    <!-- starting -->
+    <div class="tunnel-state starting" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot starting"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — Tunnel starting…</div>
+    </div>
+    <!-- live -->
+    <div class="tunnel-state live" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot on"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — <span class="tunnel-url"><a href="" target="_blank" id="tunnel-live-url"></a></span></div>
+      <button class="btn-check" style="padding:6px 12px;font-size:.8rem" onclick="testTunnel()">Test</button>
+      <button class="btn-claude" onclick="openClaude()">Connect claude.ai</button>
+      <button class="btn-mcp-setup" id="btn-mcp-setup" onclick="toggleMcpSetup()">Setup MCP</button>
+      <button class="btn-tunnel-stop" onclick="toggleTunnel('stop')">Stop</button>
+    </div>
+    <!-- error -->
+    <div class="tunnel-state error" style="display:none;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot err"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — Tunnel error — check cloudflared config</div>
+      <button class="btn-tunnel-stop" onclick="toggleTunnel('start')">Retry</button>
+    </div>
+    <!-- not_started -->
+    <div class="tunnel-state not-started" style="display:flex;align-items:center;gap:10px;width:100%;flex-wrap:wrap">
+      <div class="tunnel-dot off"></div>
+      <div class="tunnel-label"><strong>claude.ai MCP</strong> — checking tunnel…</div>
+      <button class="btn-tunnel-stop" onclick="toggleTunnel('start')">Start Tunnel</button>
     </div>
-    <button class="btn-check" id="btn-tunnel-test" style="display:none;padding:6px 12px;font-size:.8rem" onclick="testTunnel()">Test</button>
-    <button class="btn-claude" id="btn-claude" disabled onclick="openClaude()">Connect claude.ai</button>
-    <button class="btn-tunnel-stop" id="btn-tunnel-toggle" style="display:none" onclick="toggleTunnel()">Stop</button>
-    <button class="btn-mcp-setup" id="btn-mcp-setup" style="display:none" onclick="toggleMcpSetup()">Setup MCP</button>
-    <div class="tunnel-err" id="tunnel-err" style="display:none"></div>
   </div>
 
   <div class="mcp-setup" id="mcp-setup-panel">
@@ -317,6 +475,18 @@ function dashboardHtml(port, whitelist) {
     <div style="font-size:.72rem;color:#64748b;margin-top:4px">Paste these into <a href="https://claude.ai/settings/integrations" target="_blank" style="color:#60a5fa">claude.ai Settings → Integrations</a></div>
   </div>
 
+  <div class="wizard-panel" id="wizard-panel">
+    <div class="wizard-header">
+      <div class="tunnel-dot off" id="wiz-dot" style="width:10px;height:10px;border-radius:50%"></div>
+      <div class="wizard-title">claude.ai Tunnel Setup</div>
+      <button class="btn-cancel" onclick="closeSetupWizard()">✕ Dismiss</button>
+    </div>
+    <div class="wizard-steps" id="wizard-steps"></div>
+    <div class="wizard-body" id="wizard-body"><p class="loading">Checking setup state…</p></div>
+    <div class="wizard-foot" id="wizard-foot"></div>
+  </div>
+
+  <div id="project-tabs" class="project-tabs" style="display:none"></div>
   <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
   <div class="footer">localhost:${port} · 127.0.0.1 only · 10-strike lockout</div>
 </div>
@@ -346,6 +516,19 @@ const KEY_URLS = {
   "neo4j":           "https://console.neo4j.io/",
   "npm":             "https://www.npmjs.com/settings/~/tokens",
   "gmail":           "https://console.cloud.google.com/apis/credentials",
+  "gcal":            "https://console.cloud.google.com/apis/credentials",
+};
+
+// Extra links shown below the primary KEY_URLS link
+const EXTRA_LINKS = {
+  "gmail": [
+    { label: "↗ OAuth Playground (get refresh token)", url: "https://developers.google.com/oauthplayground/" },
+    { label: "↗ Enable Gmail API", url: "https://console.cloud.google.com/apis/library/gmail.googleapis.com" },
+  ],
+  "gcal": [
+    { label: "↗ OAuth Playground (get refresh token)", url: "https://developers.google.com/oauthplayground/" },
+    { label: "↗ Enable Calendar API", url: "https://console.cloud.google.com/apis/library/calendar-json.googleapis.com" },
+  ],
 };
 
 // ── OAuth import config ─────────────────────
@@ -355,7 +538,11 @@ const KEY_URLS = {
 const OAUTH_IMPORT = {
   "gmail": {
     jsonFields: ["client_id", "client_secret"],
-    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground or your app's auth callback" }]
+    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground — select Gmail API scopes, authorize, then exchange for tokens" }]
+  },
+  "gcal": {
+    jsonFields: ["client_id", "client_secret"],
+    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground — select Calendar API scopes, authorize, then exchange for tokens" }]
   }
 };
 
@@ -423,7 +610,40 @@ function showLockScreen() {
   setTimeout(() => document.getElementById("lock-input").focus(), 50);
 }
 
+// ── Upgrade detection ────────────────────────────────────────────
+function checkUpgrade(ping) {
+  const currentVersion = ping.app_version || ping.version;
+  if (!currentVersion) return;
+
+  const lastVersion = localStorage.getItem('clauth_last_version');
+
+  if (lastVersion && lastVersion !== currentVersion) {
+    // Version changed — show upgrade banner
+    document.getElementById('upgrade-to-version').textContent = currentVersion;
+
+    // Build details from migration result if available
+    let details = '';
+    if (ping.last_migrations?.applied?.length > 0) {
+      details = '· Migrations: ' + ping.last_migrations.applied.map(m => m.description).join(' · ');
+    }
+    // Show breaking migration warning if any pending
+    if (ping.pending_breaking?.length > 0) {
+      details += ' ⚠ Breaking migrations require confirmation — see below.';
+    }
+    document.getElementById('upgrade-details').textContent = details;
+    document.getElementById('upgrade-banner').style.display = 'block';
+  }
+
+  // Always update stored version
+  localStorage.setItem('clauth_last_version', currentVersion);
+}
+
+function dismissUpgrade() {
+  document.getElementById('upgrade-banner').style.display = 'none';
+}
+
 function showMain(ping) {
+  checkUpgrade(ping);
   document.getElementById("lock-screen").style.display = "none";
   document.getElementById("main-view").style.display = "block";
   if (ping) {
@@ -476,6 +696,82 @@ async function lockVault() {
 }
 
 // ── Load services ───────────────────────────
+let allServices = [];
+let activeProjectTab = "all";
+
+function renderProjectTabs(services) {
+  const tabsEl = document.getElementById("project-tabs");
+  const projects = new Map(); // project -> count
+  let unassigned = 0;
+  for (const s of services) {
+    if (s.project) {
+      projects.set(s.project, (projects.get(s.project) || 0) + 1);
+    } else {
+      unassigned++;
+    }
+  }
+  // Only show tabs if there's at least one project
+  if (projects.size === 0) { tabsEl.style.display = "none"; return; }
+  tabsEl.style.display = "flex";
+  const tabs = [
+    { key: "all", label: "All", count: services.length },
+    ...Array.from(projects.entries()).map(([name, count]) => ({ key: name, label: name, count })),
+    { key: "unassigned", label: "Global", count: unassigned },
+  ];
+  tabsEl.innerHTML = tabs.map(t =>
+    \`<button class="project-tab \${activeProjectTab === t.key ? "active" : ""}" onclick="switchProjectTab('\${t.key}')">\${t.label}<span class="tab-count">(\${t.count})</span></button>\`
+  ).join("");
+}
+
+function switchProjectTab(key) {
+  activeProjectTab = key;
+  renderProjectTabs(allServices);
+  renderServiceGrid(allServices);
+}
+
+function renderServiceGrid(services) {
+  const grid = document.getElementById("grid");
+  let filtered = services;
+  if (activeProjectTab === "unassigned") {
+    filtered = services.filter(s => !s.project);
+  } else if (activeProjectTab !== "all") {
+    filtered = services.filter(s => s.project === activeProjectTab);
+  }
+  if (!filtered.length) { grid.innerHTML = '<p class="loading">No services in this group.</p>'; return; }
+  grid.innerHTML = filtered.map(s => \`
+    <div class="card">
+      <div style="display:flex;align-items:flex-start;justify-content:space-between">
+        <div>
+          <div class="card-name">\${s.name}</div>
+          <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
+            <div class="card-type">\${s.key_type || "secret"}</div>
+            <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
+            \${s.project ? \`<span style="font-size:.68rem;color:#3b82f6;background:rgba(59,130,246,.1);border:1px solid rgba(59,130,246,.2);border-radius:3px;padding:1px 6px">\${s.project}</span>\` : ""}
+          </div>
+          \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
+          \${(EXTRA_LINKS[s.name] || []).map(l => \`<a class="card-getkey" href="\${l.url}" target="_blank" rel="noopener" style="margin-left:0">\${l.label}</a>\`).join("")}
+        </div>
+        <div class="status-dot" id="sdot-\${s.name}" title=""></div>
+      </div>
+      <div class="card-value" id="val-\${s.name}"></div>
+      <div class="card-actions">
+        <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
+        <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
+        <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
+        <button class="btn-project" onclick="toggleProjectEdit('\${s.name}')">\${s.project ? "✎ Project" : "+ Project"}</button>
+        <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
+      </div>
+      <div class="project-edit" id="pe-\${s.name}">
+        <input type="text" id="pe-input-\${s.name}" value="\${s.project || ""}" placeholder="Project name…" spellcheck="false" autocomplete="off">
+        <button onclick="saveProject('\${s.name}')">Save</button>
+        <button onclick="clearProject('\${s.name}')">Clear</button>
+        <span class="pe-msg" id="pe-msg-\${s.name}"></span>
+      </div>
+      \${renderSetPanel(s.name)}
+    </div>
+  \`).join("");
+}
+
 async function loadServices() {
   const grid = document.getElementById("grid");
   const err  = document.getElementById("error-bar");
@@ -487,32 +783,11 @@ async function loadServices() {
     if (status.locked) { showLockScreen(); return; }
     if (status.error) throw new Error(status.error);
 
-    const services = status.services || [];
-    if (!services.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
-
-    grid.innerHTML = services.map(s => \`
-      <div class="card">
-        <div style="display:flex;align-items:flex-start;justify-content:space-between">
-          <div>
-            <div class="card-name">\${s.name}</div>
-            <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
-              <div class="card-type">\${s.key_type || "secret"}</div>
-              <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
-            </div>
-            \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
-          </div>
-          <div class="status-dot" id="sdot-\${s.name}" title=""></div>
-        </div>
-        <div class="card-value" id="val-\${s.name}"></div>
-        <div class="card-actions">
-          <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
-          <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
-          <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
-          <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
-        </div>
-        \${renderSetPanel(s.name)}
-      </div>
-    \`).join("");
+    allServices = status.services || [];
+    if (!allServices.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
+
+    renderProjectTabs(allServices);
+    renderServiceGrid(allServices);
   } catch (e) {
     err.textContent = "⚠ " + e.message;
     err.style.display = "block";
@@ -561,6 +836,47 @@ async function copyKey(name) {
   } catch {}
 }
 
+// ── Project edit ────────────────────────────
+function toggleProjectEdit(name) {
+  const panel = document.getElementById("pe-" + name);
+  const open = panel.classList.contains("open");
+  panel.classList.toggle("open");
+  if (!open) {
+    const svc = allServices.find(s => s.name === name);
+    document.getElementById("pe-input-" + name).value = svc ? (svc.project || "") : "";
+    document.getElementById("pe-msg-" + name).textContent = "";
+    document.getElementById("pe-input-" + name).focus();
+  }
+}
+
+async function saveProject(name) {
+  const input = document.getElementById("pe-input-" + name);
+  const msg = document.getElementById("pe-msg-" + name);
+  const project = input.value.trim();
+  msg.textContent = "Saving…"; msg.style.color = "#94a3b8";
+  try {
+    const r = await fetch(BASE + "/update-service", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ service: name, project: project || "" })
+    }).then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    msg.style.color = "#4ade80"; msg.textContent = "✓ Saved";
+    // Update local state
+    const svc = allServices.find(s => s.name === name);
+    if (svc) svc.project = project || null;
+    setTimeout(() => { loadServices(); }, 800);
+  } catch (err) {
+    msg.style.color = "#f87171"; msg.textContent = err.message;
+  }
+}
+
+async function clearProject(name) {
+  document.getElementById("pe-input-" + name).value = "";
+  await saveProject(name);
+}
+
 // ── Set key ─────────────────────────────────
 function toggleSet(name) {
   const panel = document.getElementById("set-panel-" + name);
@@ -793,6 +1109,7 @@ async function toggleAddService() {
   panel.style.display = open ? "none" : "block";
   if (!open) {
     document.getElementById("add-name").value = "";
+    document.getElementById("add-project").value = "";
     document.getElementById("add-msg").textContent = "";
     // Fetch available key types from server
     const sel = document.getElementById("add-type");
@@ -815,6 +1132,7 @@ async function toggleAddService() {
 async function addService() {
   const name = document.getElementById("add-name").value.trim().toLowerCase();
   const type = document.getElementById("add-type").value;
+  const project = document.getElementById("add-project").value.trim();
   const msg  = document.getElementById("add-msg");
 
   if (!name) { msg.className = "add-msg fail"; msg.textContent = "Service name is required."; return; }
@@ -822,10 +1140,12 @@ async function addService() {
 
   msg.className = "add-msg"; msg.textContent = "Creating…";
   try {
+    const payload = { name, key_type: type, label: name };
+    if (project) payload.project = project;
     const r = await fetch(BASE + "/add-service", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ name, key_type: type, label: name })
+      body: JSON.stringify(payload)
     }).then(r => r.json());
 
     if (r.locked) { showLockScreen(); return; }
@@ -852,143 +1172,109 @@ document.addEventListener("DOMContentLoaded", () => {
   });
 });
 
+// ── Shared fetch helper ─────────────────────
+async function apiFetch(path, opts) {
+  try {
+    return await fetch(BASE + path, opts).then(r => r.json());
+  } catch { return null; }
+}
+
 // ── Tunnel management ───────────────────────
 let tunnelPollTimer = null;
 
 async function pollTunnel() {
   if (tunnelPollTimer) clearInterval(tunnelPollTimer);
-  await updateTunnelUI();
-  // Poll every 3s until URL is found, then slow to 10s
+  const r = await apiFetch("/tunnel");
+  if (r) renderTunnelPanel(r.status, r.url, r.error);
+  // Poll every 3s; slow to 10s once live
   tunnelPollTimer = setInterval(async () => {
-    const state = await updateTunnelUI();
-    if (state === "connected") {
+    const r = await apiFetch("/tunnel");
+    if (!r) return;
+    renderTunnelPanel(r.status, r.url, r.error);
+    if (r.status === "live") {
       clearInterval(tunnelPollTimer);
-      tunnelPollTimer = setInterval(updateTunnelUI, 10000);
+      tunnelPollTimer = setInterval(async () => {
+        const r2 = await apiFetch("/tunnel");
+        if (r2) renderTunnelPanel(r2.status, r2.url, r2.error);
+      }, 10000);
     }
   }, 3000);
 }
 
-async function updateTunnelUI() {
-  const dot   = document.getElementById("tunnel-dot");
-  const label = document.getElementById("tunnel-label");
-  const btn   = document.getElementById("btn-claude");
-  const togBtn = document.getElementById("btn-tunnel-toggle");
-  const mcpBtn = document.getElementById("btn-mcp-setup");
-  const errEl = document.getElementById("tunnel-err");
-
-  try {
-    const t = await fetch(BASE + "/tunnel").then(r => r.json());
-
-    errEl.style.display = "none";
-
-    if (t.error) {
-      dot.className = "tunnel-dot err";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — ' + t.error;
-      btn.disabled = true;
-      mcpBtn.style.display = "none";
-      togBtn.style.display = "none";
-      togBtn.textContent = "Start Tunnel";
-      togBtn.onclick = () => toggleTunnel("start");
-      togBtn.style.display = "inline-block";
-      document.getElementById("mcp-setup-panel").classList.remove("open");
-      return "error";
-    }
-
-    if (t.running && t.url && t.url.startsWith("http")) {
-      dot.className = "tunnel-dot on";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — <span class="tunnel-url"><a href="' + t.sseUrl + '" target="_blank">' + t.sseUrl + '</a></span>';
-      btn.disabled = false;
-      document.getElementById("btn-tunnel-test").style.display = "inline-block";
-      togBtn.textContent = "Stop Tunnel";
-      togBtn.onclick = () => toggleTunnel("stop");
-      togBtn.style.display = "inline-block";
-      mcpBtn.style.display = "inline-block";
-      return "connected";
-    }
-
-    if (t.running) {
-      dot.className = "tunnel-dot starting";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — starting tunnel…';
-      btn.disabled = true;
-      mcpBtn.style.display = "none";
-      togBtn.textContent = "Stop Tunnel";
-      togBtn.onclick = () => toggleTunnel("stop");
-      togBtn.style.display = "inline-block";
-      return "starting";
-    }
-
-    // Not running
-    dot.className = "tunnel-dot off";
-    label.innerHTML = '<strong>claude.ai MCP</strong> — tunnel not running';
-    btn.disabled = true;
-    mcpBtn.style.display = "none";
-    togBtn.textContent = "Start Tunnel";
-    togBtn.onclick = () => toggleTunnel("start");
-    togBtn.style.display = "inline-block";
-    document.getElementById("mcp-setup-panel").classList.remove("open");
-    return "stopped";
-
-  } catch {
-    dot.className = "tunnel-dot off";
-    label.innerHTML = '<strong>claude.ai MCP</strong> — unable to reach daemon';
-    btn.disabled = true;
-    mcpBtn.style.display = "none";
-    togBtn.style.display = "none";
+function renderTunnelPanel(status, url, error) {
+  const panel = document.getElementById("tunnel-panel");
+  if (!panel) return;
+  // Hide all state divs
+  panel.querySelectorAll(".tunnel-state").forEach(el => el.style.display = "none");
+  // Map status to CSS class (underscores → hyphens)
+  const cls = (status || "not-started").replace(/_/g, "-");
+  const active = panel.querySelector(".tunnel-state." + cls);
+  if (active) active.style.display = "flex";
+  // Update live URL
+  if (status === "live" && url) {
+    const sseUrl = url.startsWith("http") ? url + "/sse" : url;
+    const link = panel.querySelector(".tunnel-state.live a");
+    if (link) { link.href = sseUrl; link.textContent = sseUrl; }
+    const liveUrlEl = document.getElementById("tunnel-live-url");
+    if (liveUrlEl) { liveUrlEl.href = sseUrl; liveUrlEl.textContent = sseUrl; }
+  }
+  // Close MCP setup panel when not live
+  if (status !== "live") {
     document.getElementById("mcp-setup-panel").classList.remove("open");
-    return "error";
+    const mcpBtn = document.getElementById("btn-mcp-setup");
+    if (mcpBtn) mcpBtn.classList.remove("open");
   }
 }
 
 async function toggleTunnel(action) {
-  const togBtn = document.getElementById("btn-tunnel-toggle");
-  togBtn.disabled = true; togBtn.textContent = "…";
   try {
     await fetch(BASE + "/tunnel", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ action })
     });
-    // Wait a beat for tunnel to start/stop, then refresh
-    setTimeout(updateTunnelUI, action === "start" ? 5000 : 500);
-  } catch {} finally {
-    togBtn.disabled = false;
-  }
+    // Re-poll after a beat
+    setTimeout(pollTunnel, action === "start" ? 2000 : 500);
+  } catch {}
 }
 
+function runTunnelSetup() { openSetupWizard(); }
+
 async function testTunnel() {
-  const btn = document.getElementById("btn-tunnel-test");
-  const dot = document.getElementById("tunnel-dot");
-  const label = document.getElementById("tunnel-label");
-  btn.disabled = true; btn.textContent = "Testing…";
-  dot.className = "tunnel-dot starting";
+  const liveState = document.querySelector("#tunnel-panel .tunnel-state.live");
+  const btn = liveState ? liveState.querySelector(".btn-check") : null;
+  const labelEl = liveState ? liveState.querySelector(".tunnel-label") : null;
+  if (btn) { btn.disabled = true; btn.textContent = "Testing…"; }
 
   try {
     const r = await fetch(BASE + "/tunnel/test").then(r => r.json());
-    if (r.ok) {
-      dot.className = "tunnel-dot on";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#4ade80">PASS</span> ' +
-        r.latencyMs + 'ms roundtrip · SSE ' + (r.sseReachable ? 'reachable' : 'unreachable') +
-        ' · <span class="tunnel-url"><a href="' + r.sseUrl + '" target="_blank">' + r.sseUrl + '</a></span>';
-    } else {
-      dot.className = "tunnel-dot err";
-      label.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + (r.reason || "unknown error");
+    if (labelEl) {
+      if (r.ok) {
+        labelEl.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#4ade80">PASS</span> ' +
+          r.latencyMs + 'ms · SSE ' + (r.sseReachable ? 'reachable' : 'unreachable') +
+          ' · <span class="tunnel-url"><a href="' + r.sseUrl + '" target="_blank">' + r.sseUrl + '</a></span>';
+      } else {
+        labelEl.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + (r.reason || "unknown error");
+      }
     }
   } catch (e) {
-    dot.className = "tunnel-dot err";
-    label.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + e.message;
+    if (labelEl) labelEl.innerHTML = '<strong>claude.ai MCP</strong> — <span style="color:#f87171">FAIL</span> ' + e.message;
   } finally {
-    btn.disabled = false; btn.textContent = "Test";
+    if (btn) { btn.disabled = false; btn.textContent = "Test"; }
   }
 }
 
 function openClaude() {
   // Copy the SSE URL to clipboard and open claude.ai settings
   fetch(BASE + "/tunnel").then(r => r.json()).then(t => {
-    if (t.sseUrl) {
-      navigator.clipboard.writeText(t.sseUrl).then(() => {
-        const btn = document.getElementById("btn-claude");
-        btn.textContent = "SSE URL copied!";
-        setTimeout(() => { btn.textContent = "Connect claude.ai"; }, 2000);
+    const sseUrl = t.sseUrl || (t.url && t.url.startsWith("http") ? t.url + "/sse" : null);
+    if (sseUrl) {
+      navigator.clipboard.writeText(sseUrl).then(() => {
+        const btn = document.querySelector("#tunnel-panel .tunnel-state.live .btn-claude");
+        if (btn) {
+          btn.textContent = "SSE URL copied!";
+          setTimeout(() => { btn.textContent = "Connect claude.ai"; }, 2000);
+        }
       }).catch(() => {});
       window.open("https://claude.ai/settings/integrations", "_blank");
     }
@@ -997,7 +1283,10 @@ function openClaude() {
 
 async function toggleMcpSetup() {
   const panel = document.getElementById("mcp-setup-panel");
+  const btn = document.getElementById("btn-mcp-setup");
   const isOpen = panel.classList.toggle("open");
+  btn.classList.toggle("open", isOpen);
+  btn.textContent = isOpen ? "Close MCP" : "Setup MCP";
   if (isOpen) {
     try {
       const m = await fetch(BASE + "/mcp-setup").then(r => r.json());
@@ -1021,6 +1310,423 @@ function copyMcp(elId) {
   }).catch(() => {});
 }
 
+// ── Tunnel Setup Wizard ─────────────────────
+let wizStep = null;
+let wizData = {};
+
+async function openSetupWizard() {
+  const panel = document.getElementById("wizard-panel");
+  panel.classList.add("open");
+  panel.scrollIntoView({ behavior: "smooth", block: "start" });
+  wizStep = "loading";
+  renderWizBody('<p class="loading">Checking setup state…</p>', [], []);
+
+  const state = await apiFetch("/tunnel/setup-state");
+  if (!state) {
+    renderWizBody('<p class="wiz-desc" style="color:#f87171">Could not reach daemon.</p>', [], []);
+    return;
+  }
+
+  if (state.step === "ready") {
+    await apiFetch("/tunnel/start", { method: "POST" });
+    closeSetupWizard();
+    return;
+  }
+
+  wizData = state;
+
+  if (state.step === "need_cf_token") wizShowCfToken();
+  else if (state.step === "pick_tunnel") wizShowPickTunnel(state.tunnels);
+  else if (state.step === "no_tunnels") wizShowCreateViaCfApi(state.accountId);
+  else wizShowInstallCheck(); // no CF token — needs cloudflared login
+}
+
+function closeSetupWizard() {
+  document.getElementById("wizard-panel").classList.remove("open");
+  wizStep = null; wizData = {};
+}
+
+function renderWizBody(html, steps, footHtml) {
+  document.getElementById("wizard-body").innerHTML = html;
+
+  const stepLabels = ["CF Token","Tunnel","cloudflared","MCP Setup","Test"];
+  const stepsEl = document.getElementById("wizard-steps");
+  stepsEl.innerHTML = stepLabels.map((label, i) => {
+    const stepKeys = ["need_cf_token","pick_tunnel","check_cf","mcp_setup","test"];
+    const currentIdx = stepKeys.indexOf(wizStep);
+    let cls = "wstep";
+    if (i < currentIdx) cls += " done";
+    else if (i === currentIdx) cls += " active";
+    return \`<div class="\${cls}">\${i < currentIdx ? "✓ " : ""}\${label}</div>\`;
+  }).join("");
+
+  document.getElementById("wizard-foot").innerHTML = footHtml.join("");
+}
+
+// Step: Enter CF API token
+function wizShowCfToken() {
+  wizStep = "need_cf_token";
+  renderWizBody(\`
+    <div class="wiz-desc">A Cloudflare API token is needed to check for existing tunnels and configure new ones.</div>
+    <div class="wiz-label">Cloudflare API Token</div>
+    <input class="wiz-input" id="wiz-cf-token-input" type="password" placeholder="Paste your CF API token…" autocomplete="off" spellcheck="false">
+    <div style="margin-top:8px">
+      <a class="wiz-link" href="https://dash.cloudflare.com/profile/api-tokens" target="_blank">↗ Create token at Cloudflare Dashboard</a>
+      <span style="color:#475569;font-size:.78rem;margin-left:8px">(needs Cloudflare Tunnel: Edit permission)</span>
+    </div>
+    <div class="wiz-msg fail" id="wiz-cf-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-cf-btn" onclick="wizSubmitCfToken()">Verify &amp; Save Token</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`,
+    \`<span class="wiz-msg" id="wiz-cf-msg"></span>\`
+  ]);
+
+  document.getElementById("wiz-cf-token-input").addEventListener("keydown", e => {
+    if (e.key === "Enter") wizSubmitCfToken();
+  });
+}
+
+async function wizSubmitCfToken() {
+  const input = document.getElementById("wiz-cf-token-input");
+  const btn = document.getElementById("wiz-cf-btn");
+  const errEl = document.getElementById("wiz-cf-err");
+  const token = input.value.trim();
+  if (!token) return;
+
+  btn.disabled = true; btn.textContent = "Verifying…";
+  if (errEl) errEl.style.display = "none";
+
+  const r = await fetch(BASE + "/tunnel/setup/cf-token", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ token }),
+  }).then(r => r.json()).catch(() => null);
+
+  btn.disabled = false; btn.textContent = "Verify & Save Token";
+
+  if (!r || r.error) {
+    if (errEl) { errEl.textContent = r?.error || "Request failed"; errEl.style.display = "block"; }
+    return;
+  }
+
+  wizData.accountId = r.accountId;
+  const tunnelState = await apiFetch("/tunnel/setup-state");
+  if (tunnelState?.step === "pick_tunnel") wizShowPickTunnel(tunnelState.tunnels);
+  else wizShowInstallCheck();
+}
+
+// Step: Pick existing tunnel
+function wizShowPickTunnel(tunnels) {
+  wizStep = "pick_tunnel";
+
+  const listHtml = tunnels.map(t => \`
+    <div class="wiz-tunnel-item" id="wti-\${t.id}" onclick="wizSelectTunnel('\${t.id}','\${t.name}',this)">
+      <div style="flex:1">
+        <div class="wiz-tunnel-name">\${t.name}</div>
+        <div class="wiz-tunnel-id">\${t.id}</div>
+      </div>
+      <div class="wiz-tunnel-status">\${t.status || "active"}</div>
+    </div>
+  \`).join("");
+
+  renderWizBody(\`
+    <div class="wiz-desc">Found \${tunnels.length} existing Cloudflare tunnel\${tunnels.length !== 1 ? "s" : ""}. Select one to use, or create a new one.</div>
+    <div class="wiz-tunnel-list">\${listHtml}</div>
+    <div style="margin-top:12px">
+      <div class="wiz-label">Public hostname for selected tunnel (e.g. clauth.yourdomain.com)</div>
+      <input class="wiz-input" id="wiz-hostname-input" type="text" placeholder="clauth.yourdomain.com" spellcheck="false" autocomplete="off">
+    </div>
+    <div class="wiz-msg fail" id="wiz-pick-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-pick-btn" onclick="wizSaveTunnel()">Use Selected Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizShowInstallCheck()">Create New Tunnel Instead</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+
+  window._wizSelectedTunnel = null;
+}
+
+function wizSelectTunnel(id, name, el) {
+  document.querySelectorAll(".wiz-tunnel-item").forEach(e => e.classList.remove("selected"));
+  el.classList.add("selected");
+  window._wizSelectedTunnel = { id, name };
+}
+
+async function wizSaveTunnel() {
+  const sel = window._wizSelectedTunnel;
+  const hostname = document.getElementById("wiz-hostname-input")?.value.trim();
+  const errEl = document.getElementById("wiz-pick-err");
+  const btn = document.getElementById("wiz-pick-btn");
+
+  if (!sel) { if (errEl) { errEl.textContent = "Select a tunnel first"; errEl.style.display="block"; } return; }
+  if (!hostname) { if (errEl) { errEl.textContent = "Enter a public hostname"; errEl.style.display="block"; } return; }
+
+  btn.disabled = true; btn.textContent = "Saving…";
+
+  const r = await fetch(BASE + "/tunnel/setup/cf-save", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ tunnelId: sel.id, tunnelName: sel.name, hostname }),
+  }).then(r => r.json()).catch(() => null);
+
+  btn.disabled = false; btn.textContent = "Use Selected Tunnel";
+
+  if (!r?.ok) {
+    if (errEl) { errEl.textContent = r?.error || "Save failed"; errEl.style.display="block"; }
+    return;
+  }
+
+  await apiFetch("/tunnel/start", { method: "POST" });
+  wizShowMcpSetup(hostname);
+}
+
+// Step: Create tunnel via CF API (CF token already in vault — no cloudflared login needed)
+function wizShowCreateViaCfApi(accountId) {
+  wizStep = "pick_tunnel";
+  wizData.accountId = accountId;
+  renderWizBody(\`
+    <div class="wiz-desc">No existing tunnels found. Create a new one using your Cloudflare API token.</div>
+    <div class="wiz-label">Tunnel name</div>
+    <input class="wiz-input" id="wiz-api-tname" type="text" value="clauth" spellcheck="false">
+    <div class="wiz-label" style="margin-top:10px">Public hostname (e.g. clauth.yourdomain.com)</div>
+    <input class="wiz-input" id="wiz-api-hostname" type="text" placeholder="clauth.yourdomain.com" spellcheck="false">
+    <div class="wiz-msg fail" id="wiz-api-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-api-btn" onclick="wizRunCreateViaCfApi()">Create Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`,
+    \`<span class="wiz-msg" id="wiz-api-msg"></span>\`
+  ]);
+}
+
+async function wizRunCreateViaCfApi() {
+  const name = document.getElementById("wiz-api-tname")?.value.trim();
+  const hostname = document.getElementById("wiz-api-hostname")?.value.trim();
+  const btn = document.getElementById("wiz-api-btn");
+  const err = document.getElementById("wiz-api-err");
+  const msg = document.getElementById("wiz-api-msg");
+  if (!name || !hostname) { if(err){err.textContent="Name and hostname required";err.style.display="block";} return; }
+  btn.disabled=true; btn.textContent="Creating…"; if(err) err.style.display="none";
+  if(msg) msg.textContent="Calling Cloudflare API…";
+  const r = await fetch(BASE + "/tunnel/setup/cf-create-api", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ name, hostname, accountId: wizData.accountId }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled=false; btn.textContent="Create Tunnel";
+  if (!r?.ok) {
+    if(err){err.textContent = r?.error || "Creation failed"; err.style.display="block";}
+    if(msg) msg.textContent="";
+    return;
+  }
+  await apiFetch("/tunnel/start", { method: "POST" });
+  wizShowMcpSetup(hostname);
+}
+
+// Step: cloudflared install check (for new tunnel creation flow)
+async function wizShowInstallCheck() {
+  wizStep = "check_cf";
+  renderWizBody('<p class="loading">Checking cloudflared…</p>', [], []);
+
+  const r = await apiFetch("/tunnel/setup/check-cloudflared");
+
+  if (r?.installed) {
+    wizShowCfLogin();
+  } else {
+    renderWizBody(\`
+      <div class="wiz-desc">cloudflared is required to create and run Cloudflare tunnels. It is not currently installed.</div>
+      <div style="display:flex;gap:12px;margin-top:12px;flex-wrap:wrap">
+        <a class="btn-wiz-secondary" href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/" target="_blank" style="text-decoration:none">↗ Download cloudflared</a>
+        <span style="color:#475569;font-size:.8rem;align-self:center">or: <code style="color:#60a5fa">winget install Cloudflare.cloudflared</code></span>
+      </div>
+      <div class="wiz-desc" style="margin-top:12px;font-size:.78rem;color:#475569">After installing, click "Check Again".</div>
+    \`, [], [
+      \`<button class="btn-wiz-primary" onclick="wizShowInstallCheck()">Check Again</button>\`,
+      \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+    ]);
+  }
+}
+
+// Step: cloudflared login (Cloudflare auth via browser)
+function wizShowCfLogin() {
+  wizStep = "check_cf";
+  renderWizBody(\`
+    <div class="wiz-desc">Authenticate cloudflared with your Cloudflare account. This opens a browser window.</div>
+    <div class="wiz-log" id="wiz-login-log" style="display:none"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-login-btn" onclick="wizRunCfLogin()">Open Browser to Authenticate</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+}
+
+async function wizRunCfLogin() {
+  const btn = document.getElementById("wiz-login-btn");
+  const log = document.getElementById("wiz-login-log");
+  btn.disabled = true; btn.textContent = "Authenticating…";
+  log.style.display = "block";
+
+  try {
+    const resp = await fetch(BASE + "/tunnel/setup/cf-login", { method: "POST" });
+    const reader = resp.body.getReader();
+    const dec = new TextDecoder();
+    let buf = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += dec.decode(value, { stream: true });
+      const lines = buf.split("\\n");
+      buf = lines.pop();
+      for (const line of lines) {
+        if (!line.startsWith("data:")) continue;
+        try {
+          const d = JSON.parse(line.slice(5).trim());
+          if (d.line !== undefined) { log.textContent += d.line + "\\n"; log.scrollTop = log.scrollHeight; }
+          if (d.done) {
+            if (d.code === 0) wizShowCreateTunnel();
+            else { btn.disabled=false; btn.textContent="Retry"; }
+            return;
+          }
+        } catch {}
+      }
+    }
+  } catch(e) {
+    log.textContent += "Error: " + e.message;
+    btn.disabled = false; btn.textContent = "Retry";
+  }
+}
+
+// Step: Create new tunnel
+function wizShowCreateTunnel() {
+  wizStep = "check_cf";
+  renderWizBody(\`
+    <div class="wiz-desc">Create a new named Cloudflare tunnel. Give it a name and a public hostname.</div>
+    <div class="wiz-label">Tunnel name (e.g. clauth)</div>
+    <input class="wiz-input" id="wiz-tname" type="text" value="clauth" spellcheck="false">
+    <div class="wiz-label" style="margin-top:10px">Public hostname (e.g. clauth.yourdomain.com)</div>
+    <input class="wiz-input" id="wiz-thostname" type="text" placeholder="clauth.yourdomain.com" spellcheck="false">
+    <div class="wiz-log" id="wiz-create-log" style="display:none;margin-top:10px"></div>
+    <div class="wiz-msg fail" id="wiz-create-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-create-btn" onclick="wizRunCreateTunnel()">Create Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+}
+
+async function wizRunCreateTunnel() {
+  const name = document.getElementById("wiz-tname")?.value.trim();
+  const hostname = document.getElementById("wiz-thostname")?.value.trim();
+  const btn = document.getElementById("wiz-create-btn");
+  const log = document.getElementById("wiz-create-log");
+  const err = document.getElementById("wiz-create-err");
+
+  if (!name || !hostname) { if(err){err.textContent="Name and hostname required";err.style.display="block";} return; }
+
+  btn.disabled=true; btn.textContent="Creating…";
+  log.style.display="block"; err.style.display="none";
+
+  try {
+    const resp = await fetch(BASE + "/tunnel/setup/cf-create", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ name, hostname }),
+    });
+    const reader = resp.body.getReader();
+    const dec = new TextDecoder();
+    let buf = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += dec.decode(value, { stream: true });
+      const lines = buf.split("\\n");
+      buf = lines.pop();
+      for (const line of lines) {
+        if (!line.startsWith("data:")) continue;
+        try {
+          const d = JSON.parse(line.slice(5).trim());
+          if (d.line !== undefined) { log.textContent += d.line + "\\n"; log.scrollTop = log.scrollHeight; }
+          if (d.done && d.hostname) {
+            await apiFetch("/tunnel/start", { method: "POST" });
+            wizShowMcpSetup(d.hostname);
+            return;
+          }
+          if (d.error) { err.textContent = d.error; err.style.display="block"; btn.disabled=false; btn.textContent="Retry"; return; }
+        } catch {}
+      }
+    }
+  } catch(e) {
+    if(err){err.textContent=e.message;err.style.display="block";}
+    btn.disabled=false; btn.textContent="Retry";
+  }
+}
+
+// Step: MCP setup in claude.ai
+async function wizShowMcpSetup(hostname) {
+  wizStep = "mcp_setup";
+  const sseUrl = \`https://\${hostname}/sse\`;
+
+  const mcpData = await apiFetch("/mcp-setup");
+
+  renderWizBody(\`
+    <div class="wiz-desc">Add clauth as an MCP server in claude.ai settings. Paste these values:</div>
+    <div style="display:flex;flex-direction:column;gap:8px;margin-top:10px">
+      <div class="mcp-row">
+        <span class="mcp-label">URL</span>
+        <span class="mcp-val" id="wiz-mcp-url">\${sseUrl}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-url',this)">copy</button>
+      </div>
+      <div class="mcp-row">
+        <span class="mcp-label">Client ID</span>
+        <span class="mcp-val" id="wiz-mcp-cid">\${mcpData?.clientId || '(unlock required)'}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-cid',this)">copy</button>
+      </div>
+      <div class="mcp-row">
+        <span class="mcp-label">Secret</span>
+        <span class="mcp-val" id="wiz-mcp-sec">\${mcpData?.clientSecret || '(unlock required)'}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-sec',this)">copy</button>
+      </div>
+    </div>
+    <div style="margin-top:10px;font-size:.78rem;color:#64748b">
+      Paste into <a class="wiz-link" href="https://claude.ai/settings/integrations" target="_blank">claude.ai → Settings → Integrations</a>
+    </div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" onclick="window.open('https://claude.ai/settings/integrations','_blank');wizShowTest()">I've Added It — Test Now</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizShowTest()">Skip Test</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Done</button>\`
+  ]);
+}
+
+function wizCopy(elId, btn) {
+  const val = document.getElementById(elId)?.textContent?.trim();
+  if (!val) return;
+  navigator.clipboard.writeText(val).then(() => {
+    const orig = btn.textContent;
+    btn.textContent = "✓"; btn.classList.add("ok");
+    setTimeout(() => { btn.textContent = orig; btn.classList.remove("ok"); }, 1500);
+  }).catch(() => {});
+}
+
+// Step: Test — verify MCP is working
+function wizShowTest() {
+  wizStep = "test";
+  renderWizBody(\`
+    <div class="wiz-desc">In a new claude.ai chat, ask Claude to run this MCP tool call to verify the connection:</div>
+    <div style="background:#030712;border:1px solid #1e293b;border-radius:6px;padding:12px;margin:10px 0;font-family:'Courier New',monospace;font-size:.82rem;color:#6ee7b7;user-select:all">
+      Use the clauth MCP tool: GET /ping — what is the response?
+    </div>
+    <div class="wiz-desc">Claude should report back: <code style="color:#4ade80">{"status":"ok","version":"..."}</code></div>
+    <div class="wiz-test-result" id="wiz-test-result"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" onclick="wizMarkTestDone()">✓ It Worked — Done</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Close</button>\`
+  ]);
+}
+
+function wizMarkTestDone() {
+  const r = document.getElementById("wiz-test-result");
+  r.className = "wiz-test-result ok"; r.style.display="block";
+  r.textContent = "✓ Tunnel and MCP are working. claude.ai can now access your vault.";
+  document.getElementById("wizard-foot").innerHTML = \`<button class="btn-wiz-primary" onclick="closeSetupWizard()">Close Setup</button>\`;
+}
+
 // ── Build Status ──────────────────────────────────
 async function updateBuildStatus() {
   try {
@@ -1074,7 +1780,10 @@ function readBody(req) {
 }
 
 // ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port, tunnelHostname = null) {
+function createServer(initPassword, whitelist, port, tunnelHostnameInit = null) {
+  // tunnelHostname may be updated at runtime (fetched from DB after unlock)
+  let tunnelHostname = tunnelHostnameInit;
+
   // Ensure Windows system tools are reachable (bash shells may lack these on PATH)
   if (os.platform() === "win32") {
     const sys32 = "C:\\Windows\\System32";
@@ -1106,6 +1815,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       get password() { return this._pw; },
       set password(v) { this._pw = v; },
       get machineHash() { return machineHash; },
+      get tunnelUrl() { return tunnelUrl; },
       whitelist,
       failCount,
       MAX_FAILS,
@@ -1120,6 +1830,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
   let tunnelProc = null;
   let tunnelUrl = null;
   let tunnelError = null;
+  let tunnelStatus = "not_started"; // "not_started" | "not_configured" | "starting" | "live" | "error" | "missing_cloudflared"
 
   // ── OAuth provider (self-contained for claude.ai MCP) ──────
   const oauthClients = new Map();   // client_id → { client_secret, redirect_uris, client_name }
@@ -1169,6 +1880,28 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         }
       }
 
+      // If binary is still the default name, verify it's actually on PATH
+      if (cfBin === "cloudflared") {
+        try {
+          const { execSync } = await import("child_process");
+          execSync("cloudflared --version", { stdio: "ignore" });
+        } catch {
+          tunnelError = "cloudflared is not installed or not on PATH.";
+          tunnelStatus = "missing_cloudflared";
+          const installMsg = [
+            "",
+            "  \u2717 cloudflared not found.",
+            "  Download: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+            "  Then run: clauth tunnel setup",
+            "",
+          ].join("\n");
+          console.error(installMsg);
+          try { fs.appendFileSync(LOG_FILE, `[${new Date().toISOString()}] ${tunnelError}\n`); } catch {}
+          tunnelProc = null;
+          return;
+        }
+      }
+
       // Named tunnel (fixed subdomain) or quick tunnel (random URL)
       let args;
       if (tunnelHostname) {
@@ -1196,6 +1929,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
           const match = stderrBuf.match(/https:\/\/[a-z0-9-]+\.trycloudflare\.com/);
           if (match) {
             tunnelUrl = match[0];
+            tunnelStatus = "live";
             const logLine = `[${new Date().toISOString()}] Tunnel started: ${tunnelUrl}\n`;
             try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
           }
@@ -1206,6 +1940,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         tunnelError = err.code === "ENOENT"
           ? "cloudflared not found — install from https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/"
           : err.message;
+        tunnelStatus = "error";
         tunnelProc = null;
         const logLine = `[${new Date().toISOString()}] Tunnel error: ${tunnelError}\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
@@ -1215,6 +1950,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         if (tunnelProc === proc) {
           tunnelProc = null;
           if (!tunnelError) tunnelError = `Tunnel exited with code ${code}`;
+          tunnelStatus = "error";
           const logLine = `[${new Date().toISOString()}] Tunnel exited: code ${code}\n`;
           try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
         }
@@ -1224,12 +1960,14 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       await new Promise(r => setTimeout(r, 4000));
 
       if (tunnelHostname && tunnelProc) {
+        tunnelStatus = "live";
         const logLine = `[${new Date().toISOString()}] Named tunnel started: ${tunnelUrl}\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
       }
 
     } catch (err) {
       tunnelError = err.message;
+      tunnelStatus = "error";
       tunnelProc = null;
     }
   }
@@ -1240,6 +1978,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       tunnelProc = null;
       tunnelUrl = null;
       tunnelError = null;
+      tunnelStatus = "not_started";
       const logLine = `[${new Date().toISOString()}] Tunnel stopped\n`;
       try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
     }
@@ -1308,6 +2047,128 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
   fetchBuildStatus();
   setInterval(fetchBuildStatus, 15000);
 
+  applyPendingMigrations().then(result => {
+    lastMigrationResult = result;
+    if (result.applied?.length > 0) {
+      const log = `[${new Date().toISOString()}] Migrations applied: ${result.applied.map(m => m.name).join(", ")}\n`;
+      try { fs.appendFileSync(LOG_FILE, log); } catch {}
+    }
+  }).catch(() => {});
+
+  // ── Tunnel config (fetched from DB after unlock) ────────────
+  async function fetchTunnelConfig() {
+    try {
+      const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+      const sbKey = api.getAnonKey();
+      if (!sbUrl || !sbKey) return null;
+
+      const r = await fetch(
+        `${sbUrl}/rest/v1/clauth_config?key=eq.tunnel_hostname&select=value`,
+        {
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` },
+          signal: AbortSignal.timeout(5000),
+        }
+      );
+      if (!r.ok) return null;
+      const rows = await r.json();
+      if (rows.length > 0 && rows[0].value && rows[0].value !== "null") {
+        return typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+      }
+
+      // DB has no hostname — check ~/.cloudflared/config.yml
+      try {
+        const cfConfig = path.join(os.homedir(), ".cloudflared", "config.yml");
+        if (fs.existsSync(cfConfig)) {
+          const yml = fs.readFileSync(cfConfig, "utf8");
+          const hostMatch = yml.match(/^\s*-\s*hostname:\s*(\S+)/m);
+          if (hostMatch) {
+            const hostname = hostMatch[1];
+            // Save to DB so future loads skip this
+            await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+              method: "POST",
+              headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+              body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+            }).catch(() => {});
+            return hostname;
+          }
+        }
+      } catch {}
+
+      return null;
+    } catch {
+      return null;
+    }
+  }
+
+  // ── Auto-migration ────────────────────────────────────────────
+  let pendingBreakingMigrations = [];
+  let lastMigrationResult = null;
+
+  async function applyPendingMigrations() {
+    try {
+      const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+      const sbKey = api.getAnonKey();
+      if (!sbUrl || !sbKey) return { applied: [], errors: [] };
+
+      // Read current schema version (may not exist yet)
+      let currentVersion = 0;
+      try {
+        const r = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.schema_version&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        if (r.ok) {
+          const rows = await r.json();
+          if (rows.length > 0) currentVersion = Number(rows[0].value) || 0;
+        }
+      } catch {}
+
+      if (currentVersion >= CURRENT_SCHEMA_VERSION) return { applied: [], errors: [], currentVersion };
+
+      const applied = [];
+      const errors = [];
+
+      for (const m of MIGRATIONS) {
+        if (m.version <= currentVersion || !m.sql) continue;
+        if (m.type === "breaking") {
+          // Queue for UI confirmation — do not auto-apply
+          pendingBreakingMigrations.push(m);
+          continue;
+        }
+        try {
+          // Apply via Edge Function proxy (anon key can't do DDL directly)
+          const r = await fetch(`${(api.getBaseUrl() || "")}/run-migration`, {
+            method: "POST",
+            headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json" },
+            body: JSON.stringify({ sql: m.sql, version: m.version }),
+            signal: AbortSignal.timeout(15000),
+          });
+          if (r.ok) {
+            applied.push(m);
+            currentVersion = m.version;
+            // Update schema_version in clauth_config
+            await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+              method: "POST",
+              headers: {
+                apikey: sbKey, Authorization: `Bearer ${sbKey}`,
+                "Content-Type": "application/json", Prefer: "resolution=merge-duplicates",
+              },
+              body: JSON.stringify({ key: "schema_version", value: m.version }),
+            });
+          } else {
+            errors.push({ migration: m.name, error: await r.text() });
+          }
+        } catch (e) {
+          errors.push({ migration: m.name, error: e.message });
+        }
+      }
+
+      return { applied, errors, currentVersion };
+    } catch (e) {
+      return { applied: [], errors: [{ migration: "init", error: e.message }] };
+    }
+  }
+
   const server = http.createServer(async (req, res) => {
     const remote = req.socket.remoteAddress;
     const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
@@ -1667,17 +2528,22 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         failures: failCount,
         failures_remaining: MAX_FAILS - failCount,
         services: whitelist || "all",
-        port
+        port,
+        tunnel_status: tunnelStatus,
+        tunnel_url: tunnelUrl || null,
+        app_version: VERSION,
+        schema_version: CURRENT_SCHEMA_VERSION,
       });
     }
 
     // GET /tunnel — tunnel status (for dashboard polling)
     if (method === "GET" && reqPath === "/tunnel") {
       return ok(res, {
+        status: tunnelStatus,
         running: !!tunnelProc,
-        url: tunnelUrl,
+        url: tunnelUrl || null,
         sseUrl: tunnelUrl && tunnelUrl.startsWith("http") ? `${tunnelUrl}/sse` : null,
-        error: tunnelError,
+        error: tunnelError || null,
       });
     }
 
@@ -1686,6 +2552,15 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       return ok(res, buildStatus);
     }
 
+    // GET /migrations — migration registry and last run result
+    if (method === "GET" && reqPath === "/migrations") {
+      return ok(res, {
+        schema_version: CURRENT_SCHEMA_VERSION,
+        last_result: lastMigrationResult,
+        pending_breaking: pendingBreakingMigrations,
+      });
+    }
+
     // GET /mcp-setup — OAuth credentials for claude.ai MCP setup (localhost only)
     if (method === "GET" && reqPath === "/mcp-setup") {
       return ok(res, {
@@ -1695,7 +2570,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       });
     }
 
-    // POST /tunnel — start or stop tunnel manually
+    // POST /tunnel — start or stop tunnel manually (action in body)
     if (method === "POST" && reqPath === "/tunnel") {
       if (lockedGuard(res)) return;
       let body;
@@ -1705,11 +2580,27 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
       if (body.action === "stop") {
         stopTunnel();
-        return ok(res, { ok: true, running: false });
+        return ok(res, { status: tunnelStatus, running: false });
       }
       // start
       await startTunnel();
-      return ok(res, { ok: true, running: !!tunnelProc, url: tunnelUrl, error: tunnelError });
+      return ok(res, { status: tunnelStatus, running: !!tunnelProc, url: tunnelUrl, error: tunnelError });
+    }
+
+    // POST /tunnel/start — explicit start endpoint
+    if (method === "POST" && reqPath === "/tunnel/start") {
+      if (lockedGuard(res)) return;
+      if (tunnelProc) return ok(res, { status: tunnelStatus, message: "already running" });
+      tunnelStatus = "starting";
+      startTunnel().catch(() => {});
+      return ok(res, { status: "starting" });
+    }
+
+    // POST /tunnel/stop — explicit stop endpoint
+    if (method === "POST" && reqPath === "/tunnel/stop") {
+      if (lockedGuard(res)) return;
+      stopTunnel();
+      return ok(res, { status: tunnelStatus });
     }
 
     // GET /shutdown (for daemon stop)
@@ -1756,12 +2647,14 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
     }
 
-    // GET /status
+    // GET /status?project=xxx
     if (method === "GET" && reqPath === "/status") {
       if (lockedGuard(res)) return;
       try {
+        const parsedUrl = new URL(req.url, `http://127.0.0.1:${port}`);
+        const projectFilter = parsedUrl.searchParams.get("project") || undefined;
         const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.status(password, machineHash, token, timestamp);
+        const result = await api.status(password, machineHash, token, timestamp, projectFilter);
         if (result.error) return strike(res, 502, result.error);
         if (whitelist) {
           result.services = (result.services || []).filter(
@@ -1815,8 +2708,32 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         password = pw;   // unlock — store in process memory only
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-        // Auto-start Cloudflare Tunnel for claude.ai MCP
-        startTunnel().catch(() => {});
+        // Auto-start tunnel: --tunnel flag takes priority, otherwise fetch from DB
+        if (!tunnelHostname) {
+          fetchTunnelConfig().then(configured => {
+            if (configured) {
+              tunnelHostname = configured;
+              tunnelStatus = "starting";
+              startTunnel().catch(() => {});
+            } else {
+              // No tunnel configured in DB and no --tunnel flag
+              tunnelStatus = "not_configured";
+              const msg = [
+                `[${new Date().toISOString()}] No tunnel configured.`,
+                "  claude.ai web integration is inactive.",
+                "  To enable: run 'clauth tunnel setup'",
+              ].join("\n");
+              try { fs.appendFileSync(LOG_FILE, msg + "\n"); } catch {}
+              console.log("\n  ⚠  No tunnel configured — claude.ai web integration inactive.");
+              console.log("     Run: clauth tunnel setup\n");
+            }
+          }).catch(() => {
+            tunnelStatus = "error";
+          });
+        } else {
+          tunnelStatus = "starting";
+          startTunnel().catch(() => {});
+        }
         return ok(res, { ok: true, locked: false });
       } catch {
         // Wrong password — not a lockout strike, just a UI auth attempt
@@ -1942,6 +2859,415 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
     }
 
+    // GET /tunnel/setup-state
+    if (method === "GET" && reqPath === "/tunnel/setup-state") {
+      if (lockedGuard(res)) return;
+      try {
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+
+        // Check for existing hostname in DB
+        const hostnameResp = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.tunnel_hostname&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        if (hostnameResp.ok) {
+          const rows = await hostnameResp.json();
+          if (rows.length > 0 && rows[0].value && rows[0].value !== "null" && rows[0].value !== '""') {
+            const hn = typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+            if (hn) return ok(res, { step: "ready", hostname: hn });
+          }
+        }
+
+        // Check ~/.cloudflared/config.yml for a previously configured tunnel
+        try {
+          const cfConfig = path.join(os.homedir(), ".cloudflared", "config.yml");
+          if (fs.existsSync(cfConfig)) {
+            const cfYml = fs.readFileSync(cfConfig, "utf8");
+            // Parse hostname from ingress block: "  - hostname: <hostname>"
+            const hostMatch = cfYml.match(/^\s*-\s*hostname:\s*(\S+)/m);
+            const tunnelMatch = cfYml.match(/^tunnel:\s*(\S+)/m);
+            if (hostMatch && tunnelMatch) {
+              const localHostname = hostMatch[1];
+              const localTunnelId = tunnelMatch[1];
+              // Save to DB so next load skips this check
+              await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+                method: "POST",
+                headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+                body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(localHostname) }),
+              });
+              tunnelHostname = localHostname;
+              return ok(res, { step: "ready", hostname: localHostname, tunnelId: localTunnelId, source: "local_config" });
+            }
+          }
+        } catch {}
+
+        // Check for CF token in vault
+        let cfToken = null;
+        try {
+          const { token: t, timestamp } = deriveToken(password, machineHash);
+          const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+          if (cr?.value) cfToken = cr.value;
+        } catch {}
+
+        if (!cfToken) return ok(res, { step: "need_cf_token" });
+
+        // Get or fetch account ID
+        let accountId = null;
+        try {
+          const acctResp = await fetch(
+            `${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+            { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+          );
+          if (acctResp.ok) {
+            const rows = await acctResp.json();
+            if (rows.length > 0 && rows[0].value) {
+              accountId = typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+            }
+          }
+        } catch {}
+
+        if (!accountId) {
+          try {
+            const ar = await fetch("https://api.cloudflare.com/client/v4/accounts", {
+              headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+            });
+            const ad = await ar.json();
+            accountId = ad?.result?.[0]?.id;
+            if (accountId) {
+              await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+                method: "POST",
+                headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+                body: JSON.stringify({ key: "cf_account_id", value: accountId }),
+              });
+            }
+          } catch {}
+        }
+
+        if (!accountId) return ok(res, { step: "setup_wizard", error: "Could not get Cloudflare account ID" });
+
+        // List tunnels
+        try {
+          const tr = await fetch(
+            `https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel?is_deleted=false`,
+            { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) }
+          );
+          const td = await tr.json();
+          const tunnels = (td?.result || []).map(t => ({ id: t.id, name: t.name, status: t.status }));
+          if (tunnels.length > 0) return ok(res, { step: "pick_tunnel", tunnels, accountId });
+          // CF token exists but no tunnels — create via API (no cloudflared login needed)
+          return ok(res, { step: "no_tunnels", accountId });
+        } catch {}
+
+        return ok(res, { step: "setup_wizard" });
+      } catch (err) {
+        return ok(res, { step: "setup_wizard", error: err.message });
+      }
+    }
+
+    // POST /tunnel/setup/cf-token
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-token") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { token: cfToken } = body;
+      if (!cfToken) return strike(res, 400, "token required");
+
+      try {
+        const vr = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
+          headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+        });
+        const vd = await vr.json();
+        if (!vd?.success) return strike(res, 400, "Invalid Cloudflare API token");
+
+        const ar = await fetch("https://api.cloudflare.com/client/v4/accounts", {
+          headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+        });
+        const ad = await ar.json();
+        const accountId = ad?.result?.[0]?.id;
+        const accountName = ad?.result?.[0]?.name;
+
+        // Save token to vault using api.write (same as /set/:service)
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        await api.write(password, machineHash, t, timestamp, "cloudflare", cfToken);
+
+        // Save accountId to clauth_config
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        if (accountId) {
+          await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+            method: "POST",
+            headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+            body: JSON.stringify({ key: "cf_account_id", value: accountId }),
+          });
+        }
+
+        return ok(res, { ok: true, accountId, accountName });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // GET /tunnel/setup/cf-tunnels
+    if (method === "GET" && reqPath === "/tunnel/setup/cf-tunnels") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+        const cfToken = cr?.value;
+        if (!cfToken) return strike(res, 400, "No cloudflare token in vault");
+
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        const acctResp = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        const acctRows = await acctResp.json();
+        const accountId = acctRows?.[0]?.value ? JSON.parse(acctRows[0].value) : null;
+        if (!accountId) return strike(res, 400, "No account ID — run cf-token first");
+
+        const tr = await fetch(
+          `https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel?is_deleted=false`,
+          { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) }
+        );
+        const td = await tr.json();
+        return ok(res, { tunnels: (td?.result || []).map(t => ({ id: t.id, name: t.name, status: t.status, created_at: t.created_at })) });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // POST /tunnel/setup/cf-save
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-save") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { tunnelId, tunnelName, hostname } = body;
+      if (!hostname) return strike(res, 400, "hostname required");
+
+      try {
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = tunnelId ? path.join(cfDir, `${tunnelId}.json`) : path.join(cfDir, "tunnel.json");
+        const configContent = `tunnel: ${tunnelId || tunnelName || "clauth"}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+
+        return ok(res, { ok: true, hostname });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // POST /tunnel/setup/cf-create-api — create tunnel via CF API (no cloudflared login needed)
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-create-api") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { name, hostname, accountId: bodyAccountId } = body;
+      if (!name || !hostname) return strike(res, 400, "name and hostname required");
+      try {
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+        const cfToken = cr?.value;
+        if (!cfToken) return strike(res, 400, "No cloudflare token in vault");
+
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+
+        // Get accountId
+        let accountId = bodyAccountId;
+        if (!accountId) {
+          const acctResp = await fetch(`${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+            { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) });
+          const rows = await acctResp.json();
+          accountId = rows?.[0]?.value ? JSON.parse(rows[0].value) : null;
+        }
+        if (!accountId) return strike(res, 400, "No account ID — verify CF token first");
+
+        // Generate tunnel secret (32 random bytes base64)
+        const { randomBytes } = await import("crypto");
+        const tunnelSecret = randomBytes(32).toString("base64");
+
+        // Create tunnel via CF API
+        const createResp = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel`, {
+          method: "POST",
+          headers: { Authorization: `Bearer ${cfToken}`, "Content-Type": "application/json" },
+          body: JSON.stringify({ name, tunnel_secret: tunnelSecret }),
+          signal: AbortSignal.timeout(10000),
+        });
+        const createData = await createResp.json();
+        if (!createData?.success) return strike(res, 400, createData?.errors?.[0]?.message || "Tunnel creation failed");
+        const tunnelId = createData.result.id;
+
+        // Write credentials file
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = path.join(cfDir, `${tunnelId}.json`);
+        fs.writeFileSync(credFile, JSON.stringify({ AccountTag: accountId, TunnelID: tunnelId, TunnelName: name, TunnelSecret: tunnelSecret }), "utf8");
+
+        // Write config.yml
+        const configContent = `tunnel: ${tunnelId}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+
+        // Route DNS via CF API — find zone for hostname
+        const domain = hostname.split(".").slice(-2).join(".");
+        const zoneResp = await fetch(`https://api.cloudflare.com/client/v4/zones?name=${domain}`,
+          { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) });
+        const zoneData = await zoneResp.json();
+        const zoneId = zoneData?.result?.[0]?.id;
+        if (zoneId) {
+          await fetch(`https://api.cloudflare.com/client/v4/zones/${zoneId}/dns_records`, {
+            method: "POST",
+            headers: { Authorization: `Bearer ${cfToken}`, "Content-Type": "application/json" },
+            body: JSON.stringify({ type: "CNAME", name: hostname, content: `${tunnelId}.cfargotunnel.com`, proxied: false, ttl: 1 }),
+            signal: AbortSignal.timeout(8000),
+          });
+        }
+
+        // Save hostname to DB and in-process
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+
+        return ok(res, { ok: true, tunnelId, hostname });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // GET /tunnel/setup/check-cloudflared
+    if (method === "GET" && reqPath === "/tunnel/setup/check-cloudflared") {
+      let cfBin = "cloudflared";
+      let installed = false;
+      if (os.platform() === "win32") {
+        const candidates = [
+          "cloudflared",
+          path.join(process.env.ProgramFiles || "", "cloudflared", "cloudflared.exe"),
+          path.join(process.env["ProgramFiles(x86)"] || "C:\\Program Files (x86)", "cloudflared", "cloudflared.exe"),
+          path.join(os.homedir(), "scoop", "shims", "cloudflared.exe"),
+          "C:\\ProgramData\\chocolatey\\bin\\cloudflared.exe",
+        ];
+        for (const c of candidates) {
+          try { if (fs.statSync(c).isFile()) { cfBin = c; installed = true; break; } } catch {}
+        }
+      }
+      if (!installed) {
+        try {
+          const { execSync: es } = await import("child_process");
+          es("cloudflared --version", { stdio: "ignore" });
+          installed = true; cfBin = "cloudflared";
+        } catch {}
+      }
+      return ok(res, { installed, path: installed ? cfBin : null });
+    }
+
+    // POST /tunnel/setup/cf-login — SSE stream of cloudflared tunnel login
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-login") {
+      if (lockedGuard(res)) return;
+      res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", ...CORS });
+      const sendEvt = (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+      try {
+        const { spawn } = await import("child_process");
+        const proc = spawn("cloudflared", ["tunnel", "login"], { stdio: ["ignore","pipe","pipe"] });
+        proc.stdout.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l })));
+        proc.stderr.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l })));
+        proc.on("close", code => { sendEvt({ done: true, code }); res.end(); });
+        req.on("close", () => { try { proc.kill(); } catch {} });
+      } catch (err) {
+        sendEvt({ done: true, code: 1, error: err.message });
+        res.end();
+      }
+    }
+
+    // POST /tunnel/setup/cf-create — SSE stream create + route DNS + save
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-create") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const { name, hostname } = body;
+      if (!name || !hostname) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "name and hostname required" }));
+      }
+      res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", ...CORS });
+      const sendEvt = (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+      try {
+        const { spawn } = await import("child_process");
+
+        // Step 1: create tunnel
+        sendEvt({ line: `Creating tunnel "${name}"…`, step: 1 });
+        let tunnelId = null;
+        await new Promise((resolve, reject) => {
+          const proc = spawn("cloudflared", ["tunnel", "create", name], { stdio: ["ignore","pipe","pipe"] });
+          let output = "";
+          proc.stdout.on("data", d => { const s = d.toString(); output += s; s.split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 1 })); });
+          proc.stderr.on("data", d => { const s = d.toString(); output += s; s.split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 1 })); });
+          proc.on("close", code => {
+            const m = output.match(/Created tunnel .+ with id ([a-f0-9-]{36})/i);
+            if (m) tunnelId = m[1];
+            if (code !== 0 && !tunnelId) reject(new Error(`create failed (exit ${code})`));
+            else resolve();
+          });
+        });
+
+        if (!tunnelId) {
+          sendEvt({ error: "Could not parse tunnel ID from cloudflared output" });
+          return res.end();
+        }
+
+        // Step 2: route DNS
+        sendEvt({ line: `Routing DNS: ${hostname}…`, step: 2 });
+        await new Promise((resolve) => {
+          const proc = spawn("cloudflared", ["tunnel", "route", "dns", name, hostname], { stdio: ["ignore","pipe","pipe"] });
+          proc.stdout.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 2 })));
+          proc.stderr.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 2 })));
+          proc.on("close", () => resolve());
+        });
+
+        // Step 3: save config
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = path.join(cfDir, `${tunnelId}.json`);
+        const configContent = `tunnel: ${tunnelId}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+
+        sendEvt({ done: true, tunnelId, hostname });
+        res.end();
+      } catch (err) {
+        sendEvt({ error: err.message, done: true });
+        res.end();
+      }
+    }
+
     // POST /change-pw — change master password (must be unlocked)
     if (method === "POST" && reqPath === "/change-pw") {
       if (lockedGuard(res)) return;
@@ -2014,7 +3340,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
         return res.end(JSON.stringify({ error: "Invalid JSON body" }));
       }
 
-      const { name, label, key_type, description } = body;
+      const { name, label, key_type, description, project } = body;
       if (!name || typeof name !== "string" || !name.trim()) {
         res.writeHead(400, { "Content-Type": "application/json", ...CORS });
         return res.end(JSON.stringify({ error: "name is required" }));
@@ -2028,7 +3354,7 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
 
       try {
         const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.addService(password, machineHash, token, timestamp, name.trim().toLowerCase(), label || name.trim(), type, description || "");
+        const result = await api.addService(password, machineHash, token, timestamp, name.trim().toLowerCase(), label || name.trim(), type, description || "", project || undefined);
         if (result.error) return strike(res, 502, result.error);
         return ok(res, { ok: true, service: name.trim().toLowerCase() });
       } catch (err) {
@@ -2036,6 +3362,42 @@ function createServer(initPassword, whitelist, port, tunnelHostname = null) {
       }
     }
 
+    // POST /update-service — update service metadata (project, label, description)
+    if (method === "POST" && reqPath === "/update-service") {
+      if (lockedGuard(res)) return;
+
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+
+      const { service, project, label, description } = body;
+      if (!service || typeof service !== "string") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "service is required" }));
+      }
+
+      const updates = {};
+      if (project !== undefined) updates.project = project;
+      if (label !== undefined) updates.label = label;
+      if (description !== undefined) updates.description = description;
+
+      if (Object.keys(updates).length === 0) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "At least one field to update is required (project, label, description)" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.updateService(password, machineHash, token, timestamp, service.toLowerCase(), updates);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, service: service.toLowerCase(), ...updates });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
     // Unknown route — don't count browser/MCP noise as auth failures
     // Don't count browser noise, MCP discovery probes, or OAuth probes as auth failures
     const isBenign = reqPath.startsWith("/.well-known/") || [
@@ -2412,6 +3774,24 @@ const MCP_TOOLS = [
       additionalProperties: false
     }
   },
+  {
+    name: "clauth_set_project",
+    description: "Set or clear the project scope on a service. Pass empty string to clear.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: { type: "string", description: "Service name (e.g. gmail, github)" },
+        project: { type: "string", description: "Project name to assign (empty string to clear)" }
+      },
+      required: ["service", "project"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "clauth_self_check",
+    description: "Test whether the clauth MCP connector is reachable via the Cloudflare tunnel. Returns connectivity status and tunnel URL.",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
 ];
 
 function writeTempSecret(service, value) {
@@ -2479,13 +3859,14 @@ async function handleMcpTool(vault, name, args) {
         if (vault.whitelist) {
           services = services.filter(s => vault.whitelist.includes(s.name.toLowerCase()));
         }
-        const lines = ["SERVICE              TYPE         STATUS       KEY    LAST RETRIEVED",
-                        "---              ----         ------       ---    --------------"];
+        const lines = ["SERVICE                  TYPE         PROJECT                STATUS       KEY    LAST RETRIEVED",
+                        "-------                  ----         -------                ------       ---    --------------"];
         for (const s of services) {
           const status = s.enabled ? "ACTIVE" : (s.vault_key ? "SUSPENDED" : "NO KEY");
           const hasKey = s.vault_key ? "yes" : "—";
           const lastGet = s.last_retrieved ? new Date(s.last_retrieved).toLocaleDateString() : "never";
-          lines.push(`${s.name.padEnd(20)} ${(s.key_type || "").padEnd(12)} ${status.padEnd(12)} ${hasKey.padEnd(6)} ${lastGet}`);
+          const proj = (s.project || "—").padEnd(22);
+          lines.push(`${s.name.padEnd(24)} ${(s.key_type || "").padEnd(12)} ${proj} ${status.padEnd(12)} ${hasKey.padEnd(6)} ${lastGet}`);
         }
         return mcpResult(lines.join("\n"));
       } catch (err) {
@@ -2652,6 +4033,57 @@ async function handleMcpTool(vault, name, args) {
       }
     }
 
+    case "clauth_set_project": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
+      const project = args.project;
+      if (!service) return mcpError("service is required");
+      if (project === undefined) return mcpError("project is required (empty string to clear)");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.updateService(vault.password, vault.machineHash, token, timestamp, service, { project: project || "" });
+        if (result.error) return mcpError(result.error);
+        return mcpResult(project ? `${service} → project: ${project}` : `${service} → project cleared`);
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_self_check": {
+      // Test connectivity via the Cloudflare tunnel and/or localhost daemon
+      const tunnelUrl = vault.tunnelUrl;
+      const results = [];
+
+      // Check localhost daemon
+      try {
+        const r = await fetch("http://127.0.0.1:52437/ping", { signal: AbortSignal.timeout(3000) });
+        const data = await r.json();
+        results.push(`Local daemon: PASS (${data.locked ? "locked" : "unlocked"}, failures: ${data.failures ?? 0})`);
+      } catch (err) {
+        results.push(`Local daemon: FAIL — http://127.0.0.1:52437 not reachable (${err.message})`);
+      }
+
+      // Check tunnel
+      if (tunnelUrl) {
+        try {
+          const r = await fetch(`${tunnelUrl}/ping`, { signal: AbortSignal.timeout(5000) });
+          const data = await r.json();
+          results.push(`Tunnel: PASS — ${tunnelUrl} reachable (${data.locked ? "locked" : "unlocked"})`);
+          results.push(`claude.ai SSE endpoint: ${tunnelUrl}/sse`);
+          results.push(`claude.ai MCP endpoint: ${tunnelUrl}/mcp`);
+        } catch (err) {
+          results.push(`Tunnel: FAIL — ${tunnelUrl} not reachable (${err.message})`);
+          results.push("claude.ai MCP connector will not work until tunnel is restored.");
+          results.push("Fix: clauth serve start --tunnel clauth.prtrust.fund");
+        }
+      } else {
+        results.push("Tunnel: NOT RUNNING — claude.ai connector requires the tunnel.");
+        results.push("Start with: clauth serve start --tunnel clauth.prtrust.fund");
+      }
+
+      return mcpResult(results.join("\n"));
+    }
+
     default:
       return mcpError(`Unknown tool: ${name}`);
   }
@@ -2674,6 +4106,7 @@ function createMcpServer(initPassword, whitelist) {
   const vault = {
     password: initPassword || null,
     get machineHash() { return ensureMachineHash(); },
+    get tunnelUrl() { return null; }, // stdio server has no tunnel — self_check will try localhost daemon
     whitelist,
     failCount: 0,
     MAX_FAILS: 10,
@@ -2765,61 +4198,154 @@ async function actionMcp(opts) {
   createMcpServer(password, whitelist);
 }
 
-// ── DPAPI auto-start install / uninstall (Windows only) ──────
-const AUTOSTART_DIR  = path.join(os.homedir(), "AppData", "Roaming", "clauth");
-const BOOT_KEY_PATH  = path.join(AUTOSTART_DIR, "boot.key");
-const PS_SCRIPT_PATH = path.join(AUTOSTART_DIR, "autostart.ps1");
-const TASK_NAME      = "ClauthAutostart";
+// ── Cross-platform auto-start install / uninstall ────────────
+// Windows: DPAPI + Scheduled Task
+// macOS:   Keychain + LaunchAgent
+// Linux:   libsecret/encrypted file + systemd user service
+
+const TASK_NAME = "ClauthAutostart";
+
+function getAutostartDir() {
+  const platform = os.platform();
+  if (platform === "win32") {
+    return path.join(os.homedir(), "AppData", "Roaming", "clauth");
+  } else if (platform === "darwin") {
+    return path.join(os.homedir(), "Library", "LaunchAgents");
+  } else {
+    return path.join(os.homedir(), ".config", "systemd", "user");
+  }
+}
+
+function getBootKeyPath() {
+  if (os.platform() === "win32") {
+    return path.join(os.homedir(), "AppData", "Roaming", "clauth", "boot.key");
+  } else if (os.platform() === "darwin") {
+    return null; // stored in Keychain, not a file
+  } else {
+    return path.join(os.homedir(), ".config", "clauth", "boot.key");
+  }
+}
 
 async function actionInstall(opts) {
-  if (os.platform() !== "win32") {
-    console.log(chalk.red("\n  serve install is only supported on Windows\n"));
-    process.exit(1);
+  const platform = os.platform();
+  const { execSync } = await import("child_process");
+  const config = new Conf(getConfOptions());
+
+  const tunnelHostname = opts.tunnel || null;
+
+  // Persist tunnel hostname in config if provided
+  if (tunnelHostname) {
+    config.set("tunnel_hostname", tunnelHostname);
+    console.log(chalk.gray(`\n  Tunnel hostname saved: ${tunnelHostname}`));
   }
 
-  const { default: inquirer } = await import("inquirer");
-  const { pw } = await inquirer.prompt([{
-    type: "password", name: "pw",
-    message: "Enter clauth password to store for auto-start:", mask: "*"
-  }]);
+  // Check for cloudflared if tunnel is requested
+  if (tunnelHostname) {
+    try {
+      execSync("cloudflared --version", { encoding: "utf8", stdio: "pipe" });
+    } catch {
+      console.log(chalk.yellow("\n  cloudflared not found — required for tunnel support"));
+      console.log(chalk.gray("  Install: winget install Cloudflare.cloudflared"));
+      try {
+        const { installCloudflared } = await import("./doctor.js");
+        await installCloudflared();
+      } catch {
+        console.log(chalk.yellow("  Continuing without tunnel — install cloudflared manually later"));
+      }
+    }
+  }
 
-  fs.mkdirSync(AUTOSTART_DIR, { recursive: true });
+  // Two modes:
+  //   1. Password provided via -p flag → encrypt + install (non-interactive)
+  //   2. No password → install watchdog that starts daemon in locked mode
+  //      The browser dashboard opens, user enters password there.
+  //      For passwordless restart, user can later run: clauth serve seal
+  const pw = opts.pw || null;
 
-  // Encrypt password with Windows DPAPI (CurrentUser scope — machine+user bound)
-  const spinner = ora("Encrypting password with Windows DPAPI...").start();
-  let encrypted;
-  try {
-    const { execSync } = await import("child_process");
-    const pwEscaped = pw.replace(/'/g, "''");
-    const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
-    encrypted = execSync(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8" }).trim();
-    fs.writeFileSync(BOOT_KEY_PATH, encrypted, "utf8");
-    spinner.succeed(chalk.green("Password encrypted → boot.key"));
-  } catch (err) {
-    spinner.fail(chalk.red(`DPAPI encryption failed: ${err.message}`));
-    process.exit(1);
+  if (platform === "win32") {
+    await installWindows(pw, tunnelHostname, execSync);
+  } else if (platform === "darwin") {
+    await installMacOS(pw, tunnelHostname, execSync);
+  } else {
+    await installLinux(pw, tunnelHostname, execSync);
   }
+}
 
-  // Write PowerShell autostart script — decrypts boot.key and pipes to clauth serve start
+// ── Windows: DPAPI + Scheduled Task ────────────────────────
+async function installWindows(pw, tunnelHostname, execSync) {
+  const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+  const bootKeyPath  = path.join(autostartDir, "boot.key");
+  const psScriptPath = path.join(autostartDir, "autostart.ps1");
   const cliEntry = path.resolve(__dirname, "../index.js").replace(/\\/g, "\\\\");
   const nodeExe  = process.execPath.replace(/\\/g, "\\\\");
-  const bootKey  = BOOT_KEY_PATH.replace(/\\/g, "\\\\");
-  const psScript = [
-    "# clauth autostart — generated by clauth serve install",
-    `$enc = (Get-Content '${bootKey}' -Raw).Trim()`,
-    `$pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))`,
-    `Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw" -WindowStyle Hidden`,
-  ].join("\n");
-  fs.writeFileSync(PS_SCRIPT_PATH, psScript, "utf8");
+  const bootKey  = bootKeyPath.replace(/\\/g, "\\\\");
+  const tunnelArg = tunnelHostname ? ` --tunnel ${tunnelHostname}` : "";
+
+  fs.mkdirSync(autostartDir, { recursive: true });
+
+  if (pw) {
+    // ── Sealed mode: DPAPI-encrypt password for fully unattended restart ──
+    const spinner = ora("Encrypting password with Windows DPAPI...").start();
+    try {
+      const pwEscaped = pw.replace(/'/g, "''");
+      const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
+      const encrypted = execSync(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8" }).trim();
+      fs.writeFileSync(bootKeyPath, encrypted, "utf8");
+      spinner.succeed(chalk.green("Password sealed via DPAPI → boot.key"));
+    } catch (err) {
+      spinner.fail(chalk.red(`DPAPI encryption failed: ${err.message}`));
+      process.exit(1);
+    }
+
+    // Watchdog script: decrypts password, starts daemon unlocked, monitors for crash
+    const psScript = [
+      "# clauth autostart + watchdog (sealed mode)",
+      "# Starts unlocked and restarts on crash every 15s",
+      "",
+      `$enc = (Get-Content '${bootKey}' -Raw).Trim()`,
+      `$pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))`,
+      "",
+      "while ($true) {",
+      "  try {",
+      "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
+      "  } catch {",
+      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw${tunnelArg}" -WindowStyle Hidden`,
+      "    Start-Sleep -Seconds 5",
+      "  }",
+      "  Start-Sleep -Seconds 15",
+      "}",
+    ].join("\n");
+    fs.writeFileSync(psScriptPath, psScript, "utf8");
+  } else {
+    // ── First-run mode: no password yet — start locked, browser opens for setup ──
+    // Watchdog starts the daemon in locked mode; user enters password in the browser dashboard.
+    // After entering password in the browser, user can seal it for future unattended restarts
+    // by running: clauth serve seal
+    const psScript = [
+      "# clauth autostart + watchdog (locked mode — browser password entry)",
+      "# Starts daemon locked, opens browser for password. Restarts on crash every 15s.",
+      "",
+      "while ($true) {",
+      "  try {",
+      "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
+      "  } catch {",
+      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    Start-Sleep -Seconds 5",
+      "  }",
+      "  Start-Sleep -Seconds 15",
+      "}",
+    ].join("\n");
+    fs.writeFileSync(psScriptPath, psScript, "utf8");
+  }
 
   // Register Windows Scheduled Task — triggers on user logon
-  const spinner2 = ora("Registering Windows Scheduled Task...").start();
+  const mode = pw ? "sealed — fully unattended" : "locked — browser password entry";
+  const spinner2 = ora(`Registering Scheduled Task (${mode})...`).start();
   try {
-    const { execSync } = await import("child_process");
-    const psScriptEsc = PS_SCRIPT_PATH.replace(/\\/g, "\\\\");
+    const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
     const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
     execSync(
-      `schtasks /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+      `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
       { encoding: "utf8", stdio: "pipe" }
     );
     spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
@@ -2828,33 +4354,327 @@ async function actionInstall(opts) {
     console.log(chalk.gray("  You can still start manually: clauth serve start"));
   }
 
-  console.log(chalk.cyan("\n  Auto-start installed:\n"));
-  console.log(chalk.gray(`  boot.key:  ${BOOT_KEY_PATH}`));
-  console.log(chalk.gray(`  script:    ${PS_SCRIPT_PATH}`));
-  console.log(chalk.gray(`  task:      ${TASK_NAME}\n`));
-  console.log(chalk.green("  Daemon will auto-start on next Windows login.\n"));
+  // Start the daemon now
+  const spinner3 = ora("Starting daemon...").start();
+  try {
+    if (pw) {
+      execSync(`"${nodeExe.replace(/\\\\/g, "\\")}" "${cliEntry.replace(/\\\\/g, "\\")}" serve start -p "${pw}"`, {
+        encoding: "utf8", stdio: "pipe", timeout: 10000,
+      });
+    } else {
+      execSync(`"${nodeExe.replace(/\\\\/g, "\\")}" "${cliEntry.replace(/\\\\/g, "\\")}" serve start`, {
+        encoding: "utf8", stdio: "pipe", timeout: 10000,
+      });
+    }
+    spinner3.succeed(chalk.green("Daemon started"));
+  } catch {
+    spinner3.succeed(chalk.green("Daemon starting..."));
+  }
+
+  // Open browser for first-run password setup (locked mode only)
+  if (!pw) {
+    try { openBrowser("http://127.0.0.1:52437"); } catch {}
+  }
+
+  console.log(chalk.cyan("\n  Auto-start installed (Windows):\n"));
+  if (pw) {
+    console.log(chalk.gray(`  mode:      sealed (DPAPI — fully unattended restart)`));
+    console.log(chalk.gray(`  boot.key:  ${bootKeyPath}`));
+  } else {
+    console.log(chalk.gray(`  mode:      locked (enter password in browser on restart)`));
+    console.log(chalk.gray(`  browser:   http://127.0.0.1:52437`));
+    console.log(chalk.gray(`  seal later: clauth serve seal  (enables unattended restart)`));
+  }
+  console.log(chalk.gray(`  watchdog:  ${psScriptPath}`));
+  console.log(chalk.gray(`  task:      ${TASK_NAME} (restarts every 15s on crash)`));
+  if (tunnelHostname) console.log(chalk.gray(`  tunnel:    ${tunnelHostname}`));
+  console.log(chalk.green("\n  Done. Daemon will auto-start on login and restart on crash.\n"));
 }
 
-async function actionUninstall() {
-  if (os.platform() !== "win32") {
-    console.log(chalk.red("\n  serve uninstall is only supported on Windows\n"));
+// ── macOS: Keychain + LaunchAgent ──────────────────────────
+async function installMacOS(pw, tunnelHostname, execSync) {
+  const launchAgentsDir = path.join(os.homedir(), "Library", "LaunchAgents");
+  const plistPath = path.join(launchAgentsDir, "com.lifeai.clauth.plist");
+  const keychainService = "com.lifeai.clauth";
+  const keychainAccount = "clauth-daemon";
+
+  fs.mkdirSync(launchAgentsDir, { recursive: true });
+
+  // Store password in macOS Keychain
+  const spinner = ora("Storing password in macOS Keychain...").start();
+  try {
+    // Delete existing entry if present (ignore errors)
+    try {
+      execSync(
+        `security delete-generic-password -s "${keychainService}" -a "${keychainAccount}"`,
+        { encoding: "utf8", stdio: "pipe" }
+      );
+    } catch {}
+
+    execSync(
+      `security add-generic-password -s "${keychainService}" -a "${keychainAccount}" -w "${pw.replace(/"/g, '\\"')}" -U`,
+      { encoding: "utf8", stdio: "pipe" }
+    );
+    spinner.succeed(chalk.green("Password stored in Keychain"));
+  } catch (err) {
+    spinner.fail(chalk.red(`Keychain storage failed: ${err.message}`));
     process.exit(1);
   }
+
+  // Find the node executable and cli entry
+  const cliEntry = path.resolve(__dirname, "../index.js");
+  const nodeExe = process.execPath;
+
+  // Build shell command that reads from Keychain and starts clauth
+  const tunnelArg = tunnelHostname ? ` --tunnel ${tunnelHostname}` : "";
+  const shellCmd = `PW=$(security find-generic-password -s "${keychainService}" -a "${keychainAccount}" -w) && exec "${nodeExe}" "${cliEntry}" serve start -p "$PW"${tunnelArg}`;
+
+  // Create LaunchAgent plist
+  const plistContent = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.lifeai.clauth</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/bin/sh</string>
+    <string>-c</string>
+    <string>${shellCmd.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")}</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>StandardOutPath</key>
+  <string>/tmp/clauth-serve.log</string>
+  <key>StandardErrorPath</key>
+  <string>/tmp/clauth-serve.log</string>
+</dict>
+</plist>`;
+
+  fs.writeFileSync(plistPath, plistContent, "utf8");
+
+  // Load the LaunchAgent
+  const spinner2 = ora("Loading LaunchAgent...").start();
+  try {
+    // Unload first in case it's already loaded (ignore errors)
+    try { execSync(`launchctl unload "${plistPath}"`, { stdio: "pipe" }); } catch {}
+    execSync(`launchctl load "${plistPath}"`, { stdio: "pipe" });
+    spinner2.succeed(chalk.green("LaunchAgent loaded"));
+  } catch (err) {
+    spinner2.fail(chalk.yellow(`LaunchAgent load failed (non-fatal): ${err.message}`));
+    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+  }
+
+  console.log(chalk.cyan("\n  Auto-start installed (macOS):\n"));
+  console.log(chalk.gray(`  plist:     ${plistPath}`));
+  console.log(chalk.gray(`  keychain:  ${keychainService}`));
+  if (tunnelHostname) console.log(chalk.gray(`  tunnel:    ${tunnelHostname}`));
+  console.log(chalk.green("\n  Daemon will auto-start on login and restart on crash.\n"));
+}
+
+// ── Linux: encrypted file + systemd user service ───────────
+async function installLinux(pw, tunnelHostname, execSync) {
+  const configDir = path.join(os.homedir(), ".config", "clauth");
+  const bootKeyPath = path.join(configDir, "boot.key");
+  const systemdDir = path.join(os.homedir(), ".config", "systemd", "user");
+  const serviceFile = path.join(systemdDir, "clauth.service");
+
+  fs.mkdirSync(configDir, { recursive: true });
+  fs.mkdirSync(systemdDir, { recursive: true });
+
+  // Try to store password using secret-tool (libsecret/GNOME Keyring)
+  let useSecretTool = false;
+  const spinner = ora("Storing password securely...").start();
+
+  try {
+    execSync("which secret-tool", { encoding: "utf8", stdio: "pipe" });
+    execSync(
+      `echo -n "${pw.replace(/"/g, '\\"')}" | secret-tool store --label="clauth daemon password" service clauth account daemon`,
+      { encoding: "utf8", stdio: "pipe" }
+    );
+    useSecretTool = true;
+    spinner.succeed(chalk.green("Password stored via secret-tool (GNOME Keyring)"));
+  } catch {
+    // Fallback: encrypt with openssl and store in file
+    // Uses a key derived from machine-id for basic protection at rest
+    try {
+      const machineId = fs.readFileSync("/etc/machine-id", "utf8").trim();
+      const encrypted = execSync(
+        `echo -n "${pw.replace(/"/g, '\\"')}" | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -pass pass:"${machineId}" -base64`,
+        { encoding: "utf8", stdio: "pipe" }
+      ).trim();
+      fs.writeFileSync(bootKeyPath, encrypted, { mode: 0o600 });
+      spinner.succeed(chalk.green("Password encrypted -> boot.key (openssl fallback)"));
+    } catch (err) {
+      spinner.fail(chalk.red(`Password storage failed: ${err.message}`));
+      process.exit(1);
+    }
+  }
+
+  // Find the node executable and cli entry
+  const cliEntry = path.resolve(__dirname, "../index.js");
+  const nodeExe = process.execPath;
+
+  // Build the ExecStart command
+  const tunnelArg = tunnelHostname ? ` --tunnel ${tunnelHostname}` : "";
+  let execStart;
+  if (useSecretTool) {
+    // Create a wrapper script that reads from secret-tool
+    const wrapperPath = path.join(configDir, "start.sh");
+    const wrapperContent = [
+      "#!/bin/sh",
+      `PW=$(secret-tool lookup service clauth account daemon)`,
+      `exec "${nodeExe}" "${cliEntry}" serve start -p "$PW"${tunnelArg}`,
+    ].join("\n");
+    fs.writeFileSync(wrapperPath, wrapperContent, { mode: 0o700 });
+    execStart = `/bin/sh ${wrapperPath}`;
+  } else {
+    // Create a wrapper script that decrypts boot.key
+    const wrapperPath = path.join(configDir, "start.sh");
+    const wrapperContent = [
+      "#!/bin/sh",
+      `MACHINE_ID=$(cat /etc/machine-id)`,
+      `PW=$(openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -pass pass:"$MACHINE_ID" -base64 -d < "${bootKeyPath}")`,
+      `exec "${nodeExe}" "${cliEntry}" serve start -p "$PW"${tunnelArg}`,
+    ].join("\n");
+    fs.writeFileSync(wrapperPath, wrapperContent, { mode: 0o700 });
+    execStart = `/bin/sh ${wrapperPath}`;
+  }
+
+  // Create systemd user service
+  const serviceContent = `[Unit]
+Description=clauth credential daemon
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${execStart}
+Restart=always
+RestartSec=5
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=default.target
+`;
+
+  fs.writeFileSync(serviceFile, serviceContent, "utf8");
+
+  // Enable and start the service
+  const spinner2 = ora("Enabling systemd user service...").start();
+  try {
+    execSync("systemctl --user daemon-reload", { stdio: "pipe" });
+    execSync("systemctl --user enable clauth", { stdio: "pipe" });
+    execSync("systemctl --user start clauth", { stdio: "pipe" });
+    spinner2.succeed(chalk.green("systemd user service enabled and started"));
+  } catch (err) {
+    spinner2.fail(chalk.yellow(`systemd setup failed (non-fatal): ${err.message}`));
+    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+  }
+
+  console.log(chalk.cyan("\n  Auto-start installed (Linux):\n"));
+  console.log(chalk.gray(`  service:   ${serviceFile}`));
+  console.log(chalk.gray(`  password:  ${useSecretTool ? "GNOME Keyring" : bootKeyPath}`));
+  if (tunnelHostname) console.log(chalk.gray(`  tunnel:    ${tunnelHostname}`));
+  console.log(chalk.green("\n  Daemon will auto-start on login and restart on crash.\n"));
+}
+
+// ── Cross-platform uninstall ───────────────────────────────
+async function actionUninstall() {
+  const platform = os.platform();
   const { execSync } = await import("child_process");
 
+  if (platform === "win32") {
+    await uninstallWindows(execSync);
+  } else if (platform === "darwin") {
+    await uninstallMacOS(execSync);
+  } else {
+    await uninstallLinux(execSync);
+  }
+}
+
+async function uninstallWindows(execSync) {
+  const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+  const bootKeyPath  = path.join(autostartDir, "boot.key");
+  const psScriptPath = path.join(autostartDir, "autostart.ps1");
+
   // Remove scheduled task
   try {
-    execSync(`schtasks /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
+    execSync(`${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
     console.log(chalk.green(`  Removed Scheduled Task: ${TASK_NAME}`));
   } catch { console.log(chalk.gray(`  Task not found (already removed): ${TASK_NAME}`)); }
 
   // Remove boot.key and autostart script
-  for (const f of [BOOT_KEY_PATH, PS_SCRIPT_PATH]) {
+  for (const f of [bootKeyPath, psScriptPath]) {
+    try { fs.unlinkSync(f); console.log(chalk.green(`  Deleted: ${f}`)); }
+    catch { console.log(chalk.gray(`  Not found (skipped): ${f}`)); }
+  }
+
+  console.log(chalk.cyan("\n  Auto-start uninstalled (Windows).\n"));
+}
+
+async function uninstallMacOS(execSync) {
+  const plistPath = path.join(os.homedir(), "Library", "LaunchAgents", "com.lifeai.clauth.plist");
+  const keychainService = "com.lifeai.clauth";
+  const keychainAccount = "clauth-daemon";
+
+  // Unload LaunchAgent
+  try {
+    execSync(`launchctl unload "${plistPath}"`, { stdio: "pipe" });
+    console.log(chalk.green("  Unloaded LaunchAgent"));
+  } catch { console.log(chalk.gray("  LaunchAgent not loaded (already removed)")); }
+
+  // Remove plist
+  try { fs.unlinkSync(plistPath); console.log(chalk.green(`  Deleted: ${plistPath}`)); }
+  catch { console.log(chalk.gray(`  Not found (skipped): ${plistPath}`)); }
+
+  // Remove Keychain entry
+  try {
+    execSync(
+      `security delete-generic-password -s "${keychainService}" -a "${keychainAccount}"`,
+      { encoding: "utf8", stdio: "pipe" }
+    );
+    console.log(chalk.green("  Removed Keychain entry"));
+  } catch { console.log(chalk.gray("  Keychain entry not found (already removed)")); }
+
+  console.log(chalk.cyan("\n  Auto-start uninstalled (macOS).\n"));
+}
+
+async function uninstallLinux(execSync) {
+  const configDir = path.join(os.homedir(), ".config", "clauth");
+  const bootKeyPath = path.join(configDir, "boot.key");
+  const wrapperPath = path.join(configDir, "start.sh");
+  const serviceFile = path.join(os.homedir(), ".config", "systemd", "user", "clauth.service");
+
+  // Stop and disable systemd service
+  try {
+    execSync("systemctl --user stop clauth", { stdio: "pipe" });
+    execSync("systemctl --user disable clauth", { stdio: "pipe" });
+    console.log(chalk.green("  Stopped and disabled systemd service"));
+  } catch { console.log(chalk.gray("  systemd service not running (already removed)")); }
+
+  // Remove service file
+  try { fs.unlinkSync(serviceFile); console.log(chalk.green(`  Deleted: ${serviceFile}`)); }
+  catch { console.log(chalk.gray(`  Not found (skipped): ${serviceFile}`)); }
+
+  // Reload systemd
+  try { execSync("systemctl --user daemon-reload", { stdio: "pipe" }); } catch {}
+
+  // Remove boot.key and wrapper script
+  for (const f of [bootKeyPath, wrapperPath]) {
     try { fs.unlinkSync(f); console.log(chalk.green(`  Deleted: ${f}`)); }
     catch { console.log(chalk.gray(`  Not found (skipped): ${f}`)); }
   }
 
-  console.log(chalk.cyan("\n  Auto-start uninstalled.\n"));
+  // Try to remove secret-tool entry
+  try {
+    execSync("secret-tool clear service clauth account daemon", { stdio: "pipe" });
+    console.log(chalk.green("  Removed secret-tool entry"));
+  } catch { /* secret-tool may not be installed */ }
+
+  console.log(chalk.cyan("\n  Auto-start uninstalled (Linux).\n"));
 }
 
 // ── Export ────────────────────────────────────────────────────