@lifeaitools/clauth 0.7.6 → 1.2.3

package/cli/index.js

@@ -10,9 +10,10 @@ import { getConfOptions } from "./conf-path.js";
 import { getMachineHash, deriveToken, deriveSeedHash } from "./fingerprint.js";
 import * as api from "./api.js";
 import os from "os";
+import fs from "fs";
 
 const config = new Conf(getConfOptions());
-const VERSION = "0.7.0";
+const VERSION = JSON.parse(fs.readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
 
 // ============================================================
 // Password prompt helper
@@ -128,6 +129,7 @@ program
       const result = await api.registerMachine(machineHash, seedHash, answers.label, answers.adminTk);
       if (result.error) throw new Error(result.error);
       spinner.succeed(chalk.green(`Machine registered: ${machineHash.slice(0,12)}...`));
+
       console.log(chalk.green("\n✓ clauth is ready.\n"));
       console.log(chalk.cyan("  clauth test     — verify connection"));
       console.log(chalk.cyan("  clauth status   — see all services\n"));
@@ -144,22 +146,24 @@ program
   .command("status")
   .description("Show all services and their state")
   .option("-p, --pw <password>", "Password (or will prompt)")
+  .option("--project <name>", "Filter by project scope")
   .action(async (opts) => {
     const auth = await getAuth(opts.pw);
     const spinner = ora("Fetching service status...").start();
     try {
-      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+      const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp, opts.project);
       spinner.stop();
       if (result.error) { console.log(chalk.red(`Error: ${result.error}`)); return; }
 
-      console.log(chalk.cyan("\n🔐 clauth service status\n"));
+      const heading = opts.project ? `clauth service status (project: ${opts.project})` : "clauth service status";
+      console.log(chalk.cyan(`\n🔐 ${heading}\n`));
       console.log(
         chalk.bold(
-          "  " + "SERVICE".padEnd(20) + "TYPE".padEnd(12) + "STATUS".padEnd(12) +
+          "  " + "SERVICE".padEnd(24) + "TYPE".padEnd(12) + "PROJECT".padEnd(22) + "STATUS".padEnd(12) +
           "KEY STORED".padEnd(12) + "LAST RETRIEVED"
         )
       );
-      console.log("  " + "─".repeat(72));
+      console.log("  " + "─".repeat(90));
 
       for (const s of result.services || []) {
         const status = s.enabled
@@ -171,8 +175,9 @@ program
         const lastGet = s.last_retrieved
           ? new Date(s.last_retrieved).toLocaleDateString()
           : chalk.gray("never");
+        const proj = s.project ? chalk.blue(s.project.padEnd(22)) : chalk.gray("—".padEnd(22));
 
-        console.log(`  ${s.name.padEnd(20)}${s.key_type.padEnd(12)}${status}${hasKey}${lastGet}`);
+        console.log(`  ${s.name.padEnd(24)}${s.key_type.padEnd(12)}${proj}${status}${hasKey}${lastGet}`);
       }
       console.log();
     } catch (err) {
@@ -296,6 +301,7 @@ addCmd
   .option("--type <type>", "Key type: token | keypair | connstring | oauth")
   .option("--label <label>", "Human-readable label")
   .option("--description <desc>", "Description")
+  .option("--project <project>", "Project scope (groups related services)")
   .option("-p, --pw <password>")
   .action(async (name, opts) => {
     const auth = await getAuth(opts.pw);
@@ -310,14 +316,14 @@ addCmd
         { type: "input",  name: "desc",  message: "Description (optional):", default: opts.description || "" }
       ]);
     }
-    const spinner = ora(`Adding service: ${name}...`).start();
+    const spinner = ora(`Adding service: ${name}${opts.project ? ` (project: ${opts.project})` : ""}...`).start();
     try {
       const result = await api.addService(
         auth.password, auth.machineHash, auth.token, auth.timestamp,
-        name, answers.label, answers.key_type, answers.desc
+        name, answers.label, answers.key_type, answers.desc, opts.project
       );
       if (result.error) throw new Error(result.error);
-      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})`));
+      spinner.succeed(chalk.green(`Service added: ${name} (${answers.key_type})${opts.project ? chalk.blue(` [${opts.project}]`) : ""}`));
       console.log(chalk.gray(`  Next: clauth write key ${name}`));
     } catch (err) { spinner.fail(chalk.red(err.message)); }
   });
@@ -346,13 +352,22 @@ program
   .command("list")
   .description("List all registered services")
   .option("-p, --pw <password>")
+  .option("--project <name>", "Filter by project scope")
   .action(async (opts) => {
     const auth = await getAuth(opts.pw);
-    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp);
+    const result = await api.status(auth.password, auth.machineHash, auth.token, auth.timestamp, opts.project);
     if (result.error) { console.log(chalk.red(result.error)); return; }
-    console.log(chalk.cyan("\n Registered services:\n"));
+    const heading = opts.project ? `Registered services (project: ${opts.project})` : "Registered services";
+    console.log(chalk.cyan(`\n ${heading}:\n`));
+    let lastProject = undefined;
     for (const s of result.services || []) {
-      console.log(`  ${chalk.bold(s.name.padEnd(20))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.description || "")}`);
+      const proj = s.project || null;
+      if (proj !== lastProject) {
+        if (lastProject !== undefined) console.log();
+        console.log(chalk.gray(`  [${proj || "global"}]`));
+        lastProject = proj;
+      }
+      console.log(`  ${chalk.bold(s.name.padEnd(24))} ${chalk.gray(s.key_type.padEnd(12))} ${chalk.gray(s.label || "")}`);
     }
     console.log();
   });
@@ -446,6 +461,166 @@ Examples:
     await runScrub(target, opts);
   });
 
+// ──────────────────────────────────────────────
+// clauth doctor
+// ──────────────────────────────────────────────
+program
+  .command("doctor")
+  .description("Check all prerequisites and diagnose issues")
+  .action(async () => {
+    const { runDoctor } = await import("./commands/doctor.js");
+    await runDoctor();
+  });
+
+// ──────────────────────────────────────────────
+// clauth invite generate|list|revoke
+// ──────────────────────────────────────────────
+const invite = program.command("invite").description("Manage vault invites");
+
+invite
+  .command("generate")
+  .description("Generate an invite code for a friend")
+  .option("--uses <n>", "Max redemptions", "1")
+  .option("--expires <hours>", "Expiry in hours", "168")
+  .action(async (opts) => {
+    const { runInvite } = await import("./commands/invite.js");
+    await runInvite("generate", opts);
+  });
+
+invite
+  .command("list")
+  .description("List active invites")
+  .action(async () => {
+    const { runInvite } = await import("./commands/invite.js");
+    await runInvite("list", {});
+  });
+
+invite
+  .command("revoke <code>")
+  .description("Revoke an invite code")
+  .action(async (code) => {
+    const { runInvite } = await import("./commands/invite.js");
+    await runInvite("revoke", { code });
+  });
+
+// ──────────────────────────────────────────────
+// clauth join <invite-code>
+// ──────────────────────────────────────────────
+program
+  .command("join <invite-code>")
+  .description("Join a vault using an invite code from a friend")
+  .action(async (code) => {
+    const { runJoin } = await import("./commands/join.js");
+    await runJoin(code);
+  });
+
+// ──────────────────────────────────────────────
+// clauth update
+// ──────────────────────────────────────────────
+program
+  .command("update")
+  .description("Update clauth to the latest version")
+  .action(async () => {
+    const { execSync } = await import("child_process");
+    console.log(chalk.cyan("\n  Updating clauth...\n"));
+    try {
+      execSync("npm install -g @lifeaitools/clauth@latest", { stdio: "inherit" });
+      console.log(chalk.green("\n  Updated successfully.\n"));
+    } catch (err) {
+      console.log(chalk.red(`\n  Update failed: ${err.message}\n`));
+    }
+  });
+
+// ──────────────────────────────────────────────
+// clauth tunnel start|stop|status
+// (setup moved to in-browser wizard at http://127.0.0.1:52437)
+// ──────────────────────────────────────────────
+const tunnelCmd = program.command("tunnel").description("Manage Cloudflare tunnel for claude.ai web integration");
+
+tunnelCmd
+  .command("setup")
+  .description("Open the tunnel setup wizard in your browser")
+  .action(async () => {
+    console.log(chalk.cyan("\n  Tunnel setup is now handled in the browser.\n"));
+    console.log(chalk.white("  1. Start the daemon:  clauth serve start"));
+    console.log(chalk.white("  2. Open:              http://127.0.0.1:52437"));
+    console.log(chalk.white("  3. Unlock the vault and click \"Setup Tunnel\"\n"));
+  });
+
+tunnelCmd
+  .command("start")
+  .description("Tell daemon to start the tunnel")
+  .action(async () => {
+    try {
+      const r = await fetch("http://127.0.0.1:52437/tunnel/start", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        signal: AbortSignal.timeout(5000),
+      });
+      const data = await r.json().catch(() => ({}));
+      if (!r.ok) {
+        console.error(`  ✗ ${data.error || r.statusText}`);
+        if (r.status === 401) console.error("  Unlock the daemon first: http://127.0.0.1:52437");
+        process.exit(1);
+      }
+      console.log(`  ✓ ${data.message || "Tunnel starting — check status with: clauth tunnel status"}`);
+    } catch (e) {
+      console.error("  ✗ Daemon not running. Start it with: clauth serve");
+      process.exit(1);
+    }
+  });
+
+tunnelCmd
+  .command("stop")
+  .description("Tell daemon to stop the tunnel")
+  .action(async () => {
+    try {
+      const r = await fetch("http://127.0.0.1:52437/tunnel/stop", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        signal: AbortSignal.timeout(5000),
+      });
+      const data = await r.json().catch(() => ({}));
+      if (!r.ok) {
+        console.error(`  ✗ ${data.error || r.statusText}`);
+        process.exit(1);
+      }
+      console.log("  ✓ Tunnel stopped.");
+    } catch (e) {
+      console.error("  ✗ Daemon not running.");
+      process.exit(1);
+    }
+  });
+
+tunnelCmd
+  .command("status")
+  .description("Show current tunnel status")
+  .action(async () => {
+    try {
+      const r = await fetch("http://127.0.0.1:52437/tunnel", {
+        signal: AbortSignal.timeout(5000),
+      });
+      const data = await r.json().catch(() => ({}));
+      const icons = {
+        live: "✓", starting: "◌", not_configured: "⚠",
+        not_started: "○", error: "✗", missing_cloudflared: "✗",
+      };
+      const labels = {
+        live: `Live — ${data.url || ""}`,
+        starting: "Starting...",
+        not_configured: "Not configured — open http://127.0.0.1:52437 and click Setup Tunnel",
+        not_started: "Not started — run: clauth tunnel start",
+        error: `Error${data.error ? ": " + data.error : ""} — check cloudflared config`,
+        missing_cloudflared: "cloudflared not installed — https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+      };
+      const status = data.status || "unknown";
+      console.log(`\n  ${icons[status] || "?"} Tunnel: ${labels[status] || status}\n`);
+    } catch (e) {
+      console.error("  ✗ Daemon not running. Start it with: clauth serve");
+      process.exit(1);
+    }
+  });
+
 // ──────────────────────────────────────────────
 // clauth --help override banner
 // ──────────────────────────────────────────────
@@ -478,8 +653,9 @@ Actions:
   ping        Check if the daemon is running
   foreground  Run in foreground (Ctrl+C to stop) — default if no action given
   mcp         Run as MCP stdio server for Claude Code (JSON-RPC over stdin/stdout)
-  install     (Windows) Encrypt password with DPAPI + create Scheduled Task for auto-start on login
-  uninstall   (Windows) Remove Scheduled Task + delete boot.key
+  install     Store password securely + register auto-start service (cross-platform)
+              Windows: DPAPI + Scheduled Task | macOS: Keychain + LaunchAgent | Linux: libsecret/openssl + systemd
+  uninstall   Remove auto-start service + delete stored password
 
 MCP SSE (built into start/foreground):
   The HTTP daemon also serves MCP SSE transport at GET /sse + POST /message.
@@ -494,8 +670,9 @@ Examples:
   clauth serve start --services github,vercel
   clauth serve mcp                       Start MCP server for Claude Code
   clauth serve mcp -p mypass             Start MCP server pre-unlocked
-  clauth serve install                   (Windows) Set up auto-start on login via DPAPI
-  clauth serve uninstall                 (Windows) Remove auto-start
+  clauth serve install                   Set up auto-start on login (DPAPI/Keychain/libsecret)
+  clauth serve install --tunnel host     Auto-start with Cloudflare Tunnel
+  clauth serve uninstall                 Remove auto-start
 `)
   .action(async (action, opts) => {
     const resolvedAction = opts.action || action || "foreground";

package/install.ps1

@@ -23,6 +23,13 @@ try { node --version | Out-Null } catch {
     exit 1
 }
 
+# Check cloudflared (soft warning — not required for install)
+if (-not (Get-Command cloudflared -ErrorAction SilentlyContinue)) {
+    Write-Host "  Note: cloudflared not found. Install after setup for claude.ai web integration." -ForegroundColor Yellow
+    Write-Host "        winget install Cloudflare.cloudflared" -ForegroundColor Gray
+    Write-Host ""
+}
+
 # Clone or update
 if (Test-Path "$DIR\.git") {
     Write-Host "  Updating clauth..."

package/install.sh

@@ -19,6 +19,17 @@ if ! command -v node &>/dev/null; then
   exit 1
 fi
 
+# Check cloudflared (soft warning)
+if ! command -v cloudflared &>/dev/null; then
+  echo "  Note: cloudflared not found. Install after setup for claude.ai web integration."
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    echo "        brew install cloudflare/cloudflare/cloudflared"
+  else
+    echo "        https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/"
+  fi
+  echo ""
+fi
+
 # Clone or update
 if [ -d "$DIR/.git" ]; then
   echo "  Updating clauth..."; cd "$DIR" && git pull --quiet

package/package.json

@@ -1,13 +1,17 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "0.7.6",
+  "version": "1.2.3",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {
     "clauth": "./cli/index.js"
   },
   "scripts": {
-    "build": "bash scripts/build.sh"
+    "build": "bash scripts/build.sh",
+    "postinstall": "node scripts/postinstall.js",
+    "worker:start": "node cli/index.js serve",
+    "worker:stop": "curl -s http://127.0.0.1:52437/shutdown 2>nul || taskkill /F /IM cloudflared.exe 2>nul & exit 0",
+    "worker:restart": "npm run worker:stop && timeout /t 3 /nobreak >nul && npm run worker:start"
   },
   "dependencies": {
     "chalk": "^5.3.0",
@@ -41,6 +45,7 @@
     "scripts/bin/",
     "scripts/bootstrap.cjs",
     "scripts/build.sh",
+    "scripts/postinstall.js",
     "supabase/",
     ".clauth-skill/",
     "install.sh",

package/scripts/bootstrap.cjs

@@ -38,6 +38,84 @@ if (lnk.status !== 0) {
 }
 console.log('  + clauth linked');
 
+// Check if cloudflared is installed
+var cfFound = false;
+try {
+  execSync('cloudflared --version', { stdio: 'ignore' });
+  cfFound = true;
+} catch {}
+
+if (!cfFound) {
+  console.log('\n  cloudflared not found — needed for claude.ai web integration (tunnel).');
+
+  var platform = process.platform;
+  var installCmd = null;
+  var installLabel = null;
+
+  if (platform === 'win32') {
+    try {
+      execSync('winget --version', { stdio: 'ignore' });
+      installCmd = 'winget install Cloudflare.cloudflared --silent --accept-package-agreements --accept-source-agreements';
+      installLabel = 'winget';
+    } catch {}
+  } else if (platform === 'darwin') {
+    try {
+      execSync('brew --version', { stdio: 'ignore' });
+      installCmd = 'brew install cloudflare/cloudflare/cloudflared';
+      installLabel = 'Homebrew';
+    } catch {}
+  }
+  // Linux: no auto-install — falls through to manual instructions
+
+  if (installCmd) {
+    process.stdout.write('  Install now via ' + installLabel + '? (y/n): ');
+    var answer = (function () {
+      try {
+        var buf = Buffer.alloc(3);
+        var fd = require('fs').openSync('/dev/tty', 'r');
+        require('fs').readSync(fd, buf, 0, 3);
+        require('fs').closeSync(fd);
+        return buf.toString().trim().toLowerCase();
+      } catch {
+        try {
+          var result = require('child_process').spawnSync(
+            'powershell',
+            ['-Command', "$k = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown'); $k.Character"],
+            { encoding: 'utf8' }
+          );
+          return (result.stdout || '').trim().toLowerCase();
+        } catch { return 'n'; }
+      }
+    })();
+
+    if (answer === 'y') {
+      console.log('  Installing cloudflared via ' + installLabel + '...');
+      try {
+        execSync(installCmd, { stdio: 'inherit' });
+        console.log('  + cloudflared installed.');
+      } catch (e) {
+        console.log('  x Auto-install failed. Install manually:');
+        console.log('    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+      }
+    } else {
+      console.log('  Skipped. Install later and run: clauth tunnel setup');
+    }
+  } else {
+    console.log('  Install manually:');
+    if (platform === 'win32') {
+      console.log('    winget install Cloudflare.cloudflared');
+      console.log('    or: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+    } else if (platform === 'darwin') {
+      console.log('    brew install cloudflare/cloudflare/cloudflared');
+      console.log('    or: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+    } else {
+      console.log('    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/');
+    }
+    console.log('  Then run: clauth tunnel setup');
+  }
+  console.log('');
+}
+
 console.log('\n  -> Launching clauth install...\n');
 var r = run('clauth install');
 process.exit(r.status || 0);

package/scripts/postinstall.js

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+// scripts/postinstall.js
+// Runs after npm install -g @lifeaitools/clauth
+// Detects fresh install vs upgrade and acts accordingly
+
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { fileURLToPath } from "url";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+const CONFIG_DIR = os.platform() === "win32"
+  ? path.join(process.env.APPDATA || path.join(os.homedir(), "AppData", "Roaming"), "clauth-nodejs", "Config")
+  : path.join(os.homedir(), ".config", "clauth-nodejs");
+
+let version = "1.0.0";
+try {
+  const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "..", "package.json"), "utf8"));
+  version = pkg.version;
+} catch {}
+
+async function main() {
+  const configPath = path.join(CONFIG_DIR, "config.json");
+  const isUpgrade = fs.existsSync(configPath);
+
+  if (isUpgrade) {
+    console.log(`\n  \u2713 clauth upgraded to v${version}`);
+    console.log(`  \u2713 Config preserved at ${CONFIG_DIR}`);
+
+    // Try to detect running daemon
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 2000);
+      const res = await fetch("http://127.0.0.1:52437/ping", { signal: controller.signal });
+      clearTimeout(timeout);
+      if (res.ok) {
+        console.log("  \u21BB Daemon is running \u2014 restart it with: clauth serve restart");
+      }
+    } catch {
+      console.log("  \u25CB Daemon not running");
+    }
+
+    console.log("  Run 'clauth doctor' to verify installation\n");
+  } else {
+    console.log(`\n  Welcome to clauth v${version}!`);
+    console.log("  Run 'clauth install' to set up your vault");
+    console.log("  Run 'clauth doctor' to check prerequisites\n");
+  }
+}
+
+main().catch(() => {});

package/supabase/functions/auth-vault/index.ts

@@ -119,12 +119,27 @@ async function handleEnable(sb: any, body: any, mh: string) {
 }
 
 async function handleAdd(sb: any, body: any, mh: string) {
-  const { name, label, key_type, description } = body;
+  const { name, label, key_type, description, project } = body;
   if (!name || !label || !key_type) return { error: "name, label, key_type required" };
-  const { error } = await sb.from("clauth_services").insert({ name, label, key_type, description: description || null });
+  const row: any = { name, label, key_type, description: description || null };
+  if (project) row.project = project;
+  const { error } = await sb.from("clauth_services").insert(row);
   if (error) return { error: error.message };
   await auditLog(sb, mh, name, "add", "success");
-  return { success: true, name, label, key_type };
+  return { success: true, name, label, key_type, project: project || null };
+}
+
+async function handleUpdate(sb: any, body: any, mh: string) {
+  const { service, project, label, description } = body;
+  if (!service) return { error: "service required" };
+  const updates: any = { updated_at: new Date().toISOString() };
+  if (project !== undefined) updates.project = project || null; // empty string clears project
+  if (label !== undefined) updates.label = label;
+  if (description !== undefined) updates.description = description || null;
+  const { error } = await sb.from("clauth_services").update(updates).eq("name", service);
+  if (error) return { error: error.message };
+  await auditLog(sb, mh, service, "update", "success", `fields: ${Object.keys(updates).join(", ")}`);
+  return { success: true, service, ...updates };
 }
 
 async function handleRemove(sb: any, body: any, mh: string) {
@@ -152,9 +167,13 @@ async function handleRevoke(sb: any, body: any, mh: string) {
   return { success: true, service };
 }
 
-async function handleStatus(sb: any, mh: string) {
-  const { data: services } = await sb.from("clauth_services")
-    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at").order("name");
+async function handleStatus(sb: any, body: any, mh: string) {
+  let q = sb.from("clauth_services")
+    .select("name, label, key_type, enabled, vault_key, last_retrieved, last_rotated, created_at, project")
+    .order("project", { ascending: true, nullsFirst: true })
+    .order("name");
+  if (body.project) q = q.eq("project", body.project);
+  const { data: services } = await q;
   await auditLog(sb, mh, "all", "status", "success");
   return { services: services || [] };
 }
@@ -225,9 +244,10 @@ Deno.serve(async (req: Request) => {
     case "write":    return Response.json(await handleWrite(sb, body, mh));
     case "enable":   return Response.json(await handleEnable(sb, body, mh));
     case "add":      return Response.json(await handleAdd(sb, body, mh));
+    case "update":   return Response.json(await handleUpdate(sb, body, mh));
     case "remove":   return Response.json(await handleRemove(sb, body, mh));
     case "revoke":   return Response.json(await handleRevoke(sb, body, mh));
-    case "status":          return Response.json(await handleStatus(sb, mh));
+    case "status":          return Response.json(await handleStatus(sb, body, mh));
     case "change-password": return Response.json(await handleChangePassword(sb, body, mh));
     case "test":            return Response.json({ valid: true, machine_hash: mh, timestamp: body.timestamp, ip });
     default:         return Response.json({ error: "unknown_route", route }, { status: 404 });

package/supabase/migrations/003_clauth_config.sql

@@ -0,0 +1,13 @@
+-- clauth_config: key/value store for daemon configuration
+-- Used to persist tunnel hostname and other daemon settings
+CREATE TABLE IF NOT EXISTS clauth_config (
+  key        text PRIMARY KEY,
+  value      jsonb NOT NULL,
+  updated_at timestamptz DEFAULT now()
+);
+
+-- RLS: only service role can access (same pattern as other clauth tables)
+ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;
+
+-- Seed: no tunnel by default (user must run clauth tunnel setup)
+-- INSERT INTO clauth_config (key, value) VALUES ('tunnel_hostname', 'null');