npm - @lifeaitools/clauth - Versions diffs - 1.1.0 → 1.2.3 - Mend

@lifeaitools/clauth 1.1.0 → 1.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/cli/commands/serve.js CHANGED Viewed

@@ -280,6 +280,40 @@ function dashboardHtml(port, whitelist) {
     color: rgba(255,255,255,0.6);
     font-size: 12px;
   }
+  /* Tunnel setup wizard */
+  .wizard-panel{background:#0a1628;border:1px solid #1e3a5f;border-radius:10px;padding:1.5rem;margin-bottom:1.25rem;display:none}
+  .wizard-panel.open{display:block}
+  .wizard-header{display:flex;align-items:center;gap:10px;margin-bottom:1.25rem}
+  .wizard-title{font-size:1rem;font-weight:600;color:#f8fafc;flex:1}
+  .wizard-steps{display:flex;gap:6px;margin-bottom:1.5rem;flex-wrap:wrap}
+  .wstep{padding:4px 10px;border-radius:20px;font-size:.72rem;font-weight:600;border:1px solid #1e3a5f;color:#475569;background:#0f172a}
+  .wstep.active{border-color:#3b82f6;color:#60a5fa;background:rgba(59,130,246,.1)}
+  .wstep.done{border-color:#166534;color:#4ade80;background:rgba(74,222,128,.08)}
+  .wizard-body{min-height:80px}
+  .wizard-foot{display:flex;gap:8px;margin-top:1.25rem;align-items:center}
+  .btn-wiz-primary{background:#3b82f6;color:#fff;padding:8px 20px;font-size:.875rem;border-radius:7px;border:none;cursor:pointer;font-weight:600}
+  .btn-wiz-primary:hover{background:#2563eb}
+  .btn-wiz-primary:disabled{opacity:.4;cursor:not-allowed}
+  .btn-wiz-secondary{background:#1e293b;color:#94a3b8;padding:8px 16px;font-size:.875rem;border-radius:7px;border:1px solid #334155;cursor:pointer}
+  .btn-wiz-secondary:hover{color:#e2e8f0}
+  .wiz-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.9rem;padding:9px 12px;outline:none;margin-top:8px;transition:border-color .2s}
+  .wiz-input:focus{border-color:#3b82f6}
+  .wiz-label{font-size:.8rem;color:#64748b;margin-bottom:4px}
+  .wiz-msg{font-size:.82rem;margin-left:auto}
+  .wiz-msg.ok{color:#4ade80}.wiz-msg.fail{color:#f87171}
+  .wiz-log{background:#030712;border:1px solid #1e293b;border-radius:6px;padding:10px;font-family:'Courier New',monospace;font-size:.75rem;color:#6ee7b7;max-height:160px;overflow-y:auto;margin-top:10px;white-space:pre-wrap}
+  .wiz-tunnel-list{display:flex;flex-direction:column;gap:8px;margin-top:10px}
+  .wiz-tunnel-item{display:flex;align-items:center;gap:10px;padding:10px 12px;background:#0f172a;border:1px solid #1e3a5f;border-radius:6px;cursor:pointer;transition:border-color .15s}
+  .wiz-tunnel-item:hover,.wiz-tunnel-item.selected{border-color:#3b82f6;background:rgba(59,130,246,.08)}
+  .wiz-tunnel-name{font-weight:600;color:#f8fafc;font-size:.9rem;flex:1}
+  .wiz-tunnel-id{font-family:'Courier New',monospace;font-size:.72rem;color:#475569}
+  .wiz-tunnel-status{font-size:.72rem;padding:2px 7px;border-radius:4px;background:rgba(74,222,128,.1);color:#4ade80;border:1px solid rgba(74,222,128,.2)}
+  .wiz-desc{font-size:.85rem;color:#94a3b8;line-height:1.6;margin-bottom:.75rem}
+  .wiz-link{color:#60a5fa;text-decoration:none;font-size:.82rem}
+  .wiz-link:hover{text-decoration:underline}
+  .wiz-test-result{padding:12px 14px;border-radius:8px;font-size:.85rem;margin-top:10px;display:none}
+  .wiz-test-result.ok{background:rgba(74,222,128,.08);border:1px solid rgba(74,222,128,.2);color:#4ade80}
+  .wiz-test-result.fail{background:rgba(248,113,113,.08);border:1px solid rgba(248,113,113,.2);color:#f87171}
 </style>
 </head>
 <body>
@@ -441,6 +475,17 @@ function dashboardHtml(port, whitelist) {
     <div style="font-size:.72rem;color:#64748b;margin-top:4px">Paste these into <a href="https://claude.ai/settings/integrations" target="_blank" style="color:#60a5fa">claude.ai Settings → Integrations</a></div>
   </div>
+  <div class="wizard-panel" id="wizard-panel">
+    <div class="wizard-header">
+      <div class="tunnel-dot off" id="wiz-dot" style="width:10px;height:10px;border-radius:50%"></div>
+      <div class="wizard-title">claude.ai Tunnel Setup</div>
+      <button class="btn-cancel" onclick="closeSetupWizard()">✕ Dismiss</button>
+    </div>
+    <div class="wizard-steps" id="wizard-steps"></div>
+    <div class="wizard-body" id="wizard-body"><p class="loading">Checking setup state…</p></div>
+    <div class="wizard-foot" id="wizard-foot"></div>
+  </div>
   <div id="project-tabs" class="project-tabs" style="display:none"></div>
   <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
   <div class="footer">localhost:${port} · 127.0.0.1 only · 10-strike lockout</div>
@@ -1193,9 +1238,7 @@ async function toggleTunnel(action) {
   } catch {}
 }
-function runTunnelSetup() {
-  alert("Run in your terminal:\\n\\n  clauth tunnel setup\\n\\nThis will guide you through Cloudflare authentication and tunnel creation.");
-}
+function runTunnelSetup() { openSetupWizard(); }
 async function testTunnel() {
   const liveState = document.querySelector("#tunnel-panel .tunnel-state.live");
@@ -1267,6 +1310,423 @@ function copyMcp(elId) {
   }).catch(() => {});
 }
+// ── Tunnel Setup Wizard ─────────────────────
+let wizStep = null;
+let wizData = {};
+async function openSetupWizard() {
+  const panel = document.getElementById("wizard-panel");
+  panel.classList.add("open");
+  panel.scrollIntoView({ behavior: "smooth", block: "start" });
+  wizStep = "loading";
+  renderWizBody('<p class="loading">Checking setup state…</p>', [], []);
+  const state = await apiFetch("/tunnel/setup-state");
+  if (!state) {
+    renderWizBody('<p class="wiz-desc" style="color:#f87171">Could not reach daemon.</p>', [], []);
+    return;
+  }
+  if (state.step === "ready") {
+    await apiFetch("/tunnel/start", { method: "POST" });
+    closeSetupWizard();
+    return;
+  }
+  wizData = state;
+  if (state.step === "need_cf_token") wizShowCfToken();
+  else if (state.step === "pick_tunnel") wizShowPickTunnel(state.tunnels);
+  else if (state.step === "no_tunnels") wizShowCreateViaCfApi(state.accountId);
+  else wizShowInstallCheck(); // no CF token — needs cloudflared login
+}
+function closeSetupWizard() {
+  document.getElementById("wizard-panel").classList.remove("open");
+  wizStep = null; wizData = {};
+}
+function renderWizBody(html, steps, footHtml) {
+  document.getElementById("wizard-body").innerHTML = html;
+  const stepLabels = ["CF Token","Tunnel","cloudflared","MCP Setup","Test"];
+  const stepsEl = document.getElementById("wizard-steps");
+  stepsEl.innerHTML = stepLabels.map((label, i) => {
+    const stepKeys = ["need_cf_token","pick_tunnel","check_cf","mcp_setup","test"];
+    const currentIdx = stepKeys.indexOf(wizStep);
+    let cls = "wstep";
+    if (i < currentIdx) cls += " done";
+    else if (i === currentIdx) cls += " active";
+    return \`<div class="\${cls}">\${i < currentIdx ? "✓ " : ""}\${label}</div>\`;
+  }).join("");
+  document.getElementById("wizard-foot").innerHTML = footHtml.join("");
+}
+// Step: Enter CF API token
+function wizShowCfToken() {
+  wizStep = "need_cf_token";
+  renderWizBody(\`
+    <div class="wiz-desc">A Cloudflare API token is needed to check for existing tunnels and configure new ones.</div>
+    <div class="wiz-label">Cloudflare API Token</div>
+    <input class="wiz-input" id="wiz-cf-token-input" type="password" placeholder="Paste your CF API token…" autocomplete="off" spellcheck="false">
+    <div style="margin-top:8px">
+      <a class="wiz-link" href="https://dash.cloudflare.com/profile/api-tokens" target="_blank">↗ Create token at Cloudflare Dashboard</a>
+      <span style="color:#475569;font-size:.78rem;margin-left:8px">(needs Cloudflare Tunnel: Edit permission)</span>
+    </div>
+    <div class="wiz-msg fail" id="wiz-cf-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-cf-btn" onclick="wizSubmitCfToken()">Verify &amp; Save Token</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`,
+    \`<span class="wiz-msg" id="wiz-cf-msg"></span>\`
+  ]);
+  document.getElementById("wiz-cf-token-input").addEventListener("keydown", e => {
+    if (e.key === "Enter") wizSubmitCfToken();
+  });
+}
+async function wizSubmitCfToken() {
+  const input = document.getElementById("wiz-cf-token-input");
+  const btn = document.getElementById("wiz-cf-btn");
+  const errEl = document.getElementById("wiz-cf-err");
+  const token = input.value.trim();
+  if (!token) return;
+  btn.disabled = true; btn.textContent = "Verifying…";
+  if (errEl) errEl.style.display = "none";
+  const r = await fetch(BASE + "/tunnel/setup/cf-token", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ token }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled = false; btn.textContent = "Verify & Save Token";
+  if (!r || r.error) {
+    if (errEl) { errEl.textContent = r?.error || "Request failed"; errEl.style.display = "block"; }
+    return;
+  }
+  wizData.accountId = r.accountId;
+  const tunnelState = await apiFetch("/tunnel/setup-state");
+  if (tunnelState?.step === "pick_tunnel") wizShowPickTunnel(tunnelState.tunnels);
+  else wizShowInstallCheck();
+}
+// Step: Pick existing tunnel
+function wizShowPickTunnel(tunnels) {
+  wizStep = "pick_tunnel";
+  const listHtml = tunnels.map(t => \`
+    <div class="wiz-tunnel-item" id="wti-\${t.id}" onclick="wizSelectTunnel('\${t.id}','\${t.name}',this)">
+      <div style="flex:1">
+        <div class="wiz-tunnel-name">\${t.name}</div>
+        <div class="wiz-tunnel-id">\${t.id}</div>
+      </div>
+      <div class="wiz-tunnel-status">\${t.status || "active"}</div>
+    </div>
+  \`).join("");
+  renderWizBody(\`
+    <div class="wiz-desc">Found \${tunnels.length} existing Cloudflare tunnel\${tunnels.length !== 1 ? "s" : ""}. Select one to use, or create a new one.</div>
+    <div class="wiz-tunnel-list">\${listHtml}</div>
+    <div style="margin-top:12px">
+      <div class="wiz-label">Public hostname for selected tunnel (e.g. clauth.yourdomain.com)</div>
+      <input class="wiz-input" id="wiz-hostname-input" type="text" placeholder="clauth.yourdomain.com" spellcheck="false" autocomplete="off">
+    </div>
+    <div class="wiz-msg fail" id="wiz-pick-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-pick-btn" onclick="wizSaveTunnel()">Use Selected Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizShowInstallCheck()">Create New Tunnel Instead</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+  window._wizSelectedTunnel = null;
+}
+function wizSelectTunnel(id, name, el) {
+  document.querySelectorAll(".wiz-tunnel-item").forEach(e => e.classList.remove("selected"));
+  el.classList.add("selected");
+  window._wizSelectedTunnel = { id, name };
+}
+async function wizSaveTunnel() {
+  const sel = window._wizSelectedTunnel;
+  const hostname = document.getElementById("wiz-hostname-input")?.value.trim();
+  const errEl = document.getElementById("wiz-pick-err");
+  const btn = document.getElementById("wiz-pick-btn");
+  if (!sel) { if (errEl) { errEl.textContent = "Select a tunnel first"; errEl.style.display="block"; } return; }
+  if (!hostname) { if (errEl) { errEl.textContent = "Enter a public hostname"; errEl.style.display="block"; } return; }
+  btn.disabled = true; btn.textContent = "Saving…";
+  const r = await fetch(BASE + "/tunnel/setup/cf-save", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ tunnelId: sel.id, tunnelName: sel.name, hostname }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled = false; btn.textContent = "Use Selected Tunnel";
+  if (!r?.ok) {
+    if (errEl) { errEl.textContent = r?.error || "Save failed"; errEl.style.display="block"; }
+    return;
+  }
+  await apiFetch("/tunnel/start", { method: "POST" });
+  wizShowMcpSetup(hostname);
+}
+// Step: Create tunnel via CF API (CF token already in vault — no cloudflared login needed)
+function wizShowCreateViaCfApi(accountId) {
+  wizStep = "pick_tunnel";
+  wizData.accountId = accountId;
+  renderWizBody(\`
+    <div class="wiz-desc">No existing tunnels found. Create a new one using your Cloudflare API token.</div>
+    <div class="wiz-label">Tunnel name</div>
+    <input class="wiz-input" id="wiz-api-tname" type="text" value="clauth" spellcheck="false">
+    <div class="wiz-label" style="margin-top:10px">Public hostname (e.g. clauth.yourdomain.com)</div>
+    <input class="wiz-input" id="wiz-api-hostname" type="text" placeholder="clauth.yourdomain.com" spellcheck="false">
+    <div class="wiz-msg fail" id="wiz-api-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-api-btn" onclick="wizRunCreateViaCfApi()">Create Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`,
+    \`<span class="wiz-msg" id="wiz-api-msg"></span>\`
+  ]);
+}
+async function wizRunCreateViaCfApi() {
+  const name = document.getElementById("wiz-api-tname")?.value.trim();
+  const hostname = document.getElementById("wiz-api-hostname")?.value.trim();
+  const btn = document.getElementById("wiz-api-btn");
+  const err = document.getElementById("wiz-api-err");
+  const msg = document.getElementById("wiz-api-msg");
+  if (!name || !hostname) { if(err){err.textContent="Name and hostname required";err.style.display="block";} return; }
+  btn.disabled=true; btn.textContent="Creating…"; if(err) err.style.display="none";
+  if(msg) msg.textContent="Calling Cloudflare API…";
+  const r = await fetch(BASE + "/tunnel/setup/cf-create-api", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ name, hostname, accountId: wizData.accountId }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled=false; btn.textContent="Create Tunnel";
+  if (!r?.ok) {
+    if(err){err.textContent = r?.error || "Creation failed"; err.style.display="block";}
+    if(msg) msg.textContent="";
+    return;
+  }
+  await apiFetch("/tunnel/start", { method: "POST" });
+  wizShowMcpSetup(hostname);
+}
+// Step: cloudflared install check (for new tunnel creation flow)
+async function wizShowInstallCheck() {
+  wizStep = "check_cf";
+  renderWizBody('<p class="loading">Checking cloudflared…</p>', [], []);
+  const r = await apiFetch("/tunnel/setup/check-cloudflared");
+  if (r?.installed) {
+    wizShowCfLogin();
+  } else {
+    renderWizBody(\`
+      <div class="wiz-desc">cloudflared is required to create and run Cloudflare tunnels. It is not currently installed.</div>
+      <div style="display:flex;gap:12px;margin-top:12px;flex-wrap:wrap">
+        <a class="btn-wiz-secondary" href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/" target="_blank" style="text-decoration:none">↗ Download cloudflared</a>
+        <span style="color:#475569;font-size:.8rem;align-self:center">or: <code style="color:#60a5fa">winget install Cloudflare.cloudflared</code></span>
+      </div>
+      <div class="wiz-desc" style="margin-top:12px;font-size:.78rem;color:#475569">After installing, click "Check Again".</div>
+    \`, [], [
+      \`<button class="btn-wiz-primary" onclick="wizShowInstallCheck()">Check Again</button>\`,
+      \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+    ]);
+  }
+}
+// Step: cloudflared login (Cloudflare auth via browser)
+function wizShowCfLogin() {
+  wizStep = "check_cf";
+  renderWizBody(\`
+    <div class="wiz-desc">Authenticate cloudflared with your Cloudflare account. This opens a browser window.</div>
+    <div class="wiz-log" id="wiz-login-log" style="display:none"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-login-btn" onclick="wizRunCfLogin()">Open Browser to Authenticate</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+}
+async function wizRunCfLogin() {
+  const btn = document.getElementById("wiz-login-btn");
+  const log = document.getElementById("wiz-login-log");
+  btn.disabled = true; btn.textContent = "Authenticating…";
+  log.style.display = "block";
+  try {
+    const resp = await fetch(BASE + "/tunnel/setup/cf-login", { method: "POST" });
+    const reader = resp.body.getReader();
+    const dec = new TextDecoder();
+    let buf = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += dec.decode(value, { stream: true });
+      const lines = buf.split("\\n");
+      buf = lines.pop();
+      for (const line of lines) {
+        if (!line.startsWith("data:")) continue;
+        try {
+          const d = JSON.parse(line.slice(5).trim());
+          if (d.line !== undefined) { log.textContent += d.line + "\\n"; log.scrollTop = log.scrollHeight; }
+          if (d.done) {
+            if (d.code === 0) wizShowCreateTunnel();
+            else { btn.disabled=false; btn.textContent="Retry"; }
+            return;
+          }
+        } catch {}
+      }
+    }
+  } catch(e) {
+    log.textContent += "Error: " + e.message;
+    btn.disabled = false; btn.textContent = "Retry";
+  }
+}
+// Step: Create new tunnel
+function wizShowCreateTunnel() {
+  wizStep = "check_cf";
+  renderWizBody(\`
+    <div class="wiz-desc">Create a new named Cloudflare tunnel. Give it a name and a public hostname.</div>
+    <div class="wiz-label">Tunnel name (e.g. clauth)</div>
+    <input class="wiz-input" id="wiz-tname" type="text" value="clauth" spellcheck="false">
+    <div class="wiz-label" style="margin-top:10px">Public hostname (e.g. clauth.yourdomain.com)</div>
+    <input class="wiz-input" id="wiz-thostname" type="text" placeholder="clauth.yourdomain.com" spellcheck="false">
+    <div class="wiz-log" id="wiz-create-log" style="display:none;margin-top:10px"></div>
+    <div class="wiz-msg fail" id="wiz-create-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-create-btn" onclick="wizRunCreateTunnel()">Create Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+}
+async function wizRunCreateTunnel() {
+  const name = document.getElementById("wiz-tname")?.value.trim();
+  const hostname = document.getElementById("wiz-thostname")?.value.trim();
+  const btn = document.getElementById("wiz-create-btn");
+  const log = document.getElementById("wiz-create-log");
+  const err = document.getElementById("wiz-create-err");
+  if (!name || !hostname) { if(err){err.textContent="Name and hostname required";err.style.display="block";} return; }
+  btn.disabled=true; btn.textContent="Creating…";
+  log.style.display="block"; err.style.display="none";
+  try {
+    const resp = await fetch(BASE + "/tunnel/setup/cf-create", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ name, hostname }),
+    });
+    const reader = resp.body.getReader();
+    const dec = new TextDecoder();
+    let buf = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += dec.decode(value, { stream: true });
+      const lines = buf.split("\\n");
+      buf = lines.pop();
+      for (const line of lines) {
+        if (!line.startsWith("data:")) continue;
+        try {
+          const d = JSON.parse(line.slice(5).trim());
+          if (d.line !== undefined) { log.textContent += d.line + "\\n"; log.scrollTop = log.scrollHeight; }
+          if (d.done && d.hostname) {
+            await apiFetch("/tunnel/start", { method: "POST" });
+            wizShowMcpSetup(d.hostname);
+            return;
+          }
+          if (d.error) { err.textContent = d.error; err.style.display="block"; btn.disabled=false; btn.textContent="Retry"; return; }
+        } catch {}
+      }
+    }
+  } catch(e) {
+    if(err){err.textContent=e.message;err.style.display="block";}
+    btn.disabled=false; btn.textContent="Retry";
+  }
+}
+// Step: MCP setup in claude.ai
+async function wizShowMcpSetup(hostname) {
+  wizStep = "mcp_setup";
+  const sseUrl = \`https://\${hostname}/sse\`;
+  const mcpData = await apiFetch("/mcp-setup");
+  renderWizBody(\`
+    <div class="wiz-desc">Add clauth as an MCP server in claude.ai settings. Paste these values:</div>
+    <div style="display:flex;flex-direction:column;gap:8px;margin-top:10px">
+      <div class="mcp-row">
+        <span class="mcp-label">URL</span>
+        <span class="mcp-val" id="wiz-mcp-url">\${sseUrl}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-url',this)">copy</button>
+      </div>
+      <div class="mcp-row">
+        <span class="mcp-label">Client ID</span>
+        <span class="mcp-val" id="wiz-mcp-cid">\${mcpData?.clientId || '(unlock required)'}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-cid',this)">copy</button>
+      </div>
+      <div class="mcp-row">
+        <span class="mcp-label">Secret</span>
+        <span class="mcp-val" id="wiz-mcp-sec">\${mcpData?.clientSecret || '(unlock required)'}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-sec',this)">copy</button>
+      </div>
+    </div>
+    <div style="margin-top:10px;font-size:.78rem;color:#64748b">
+      Paste into <a class="wiz-link" href="https://claude.ai/settings/integrations" target="_blank">claude.ai → Settings → Integrations</a>
+    </div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" onclick="window.open('https://claude.ai/settings/integrations','_blank');wizShowTest()">I've Added It — Test Now</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizShowTest()">Skip Test</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Done</button>\`
+  ]);
+}
+function wizCopy(elId, btn) {
+  const val = document.getElementById(elId)?.textContent?.trim();
+  if (!val) return;
+  navigator.clipboard.writeText(val).then(() => {
+    const orig = btn.textContent;
+    btn.textContent = "✓"; btn.classList.add("ok");
+    setTimeout(() => { btn.textContent = orig; btn.classList.remove("ok"); }, 1500);
+  }).catch(() => {});
+}
+// Step: Test — verify MCP is working
+function wizShowTest() {
+  wizStep = "test";
+  renderWizBody(\`
+    <div class="wiz-desc">In a new claude.ai chat, ask Claude to run this MCP tool call to verify the connection:</div>
+    <div style="background:#030712;border:1px solid #1e293b;border-radius:6px;padding:12px;margin:10px 0;font-family:'Courier New',monospace;font-size:.82rem;color:#6ee7b7;user-select:all">
+      Use the clauth MCP tool: GET /ping — what is the response?
+    </div>
+    <div class="wiz-desc">Claude should report back: <code style="color:#4ade80">{"status":"ok","version":"..."}</code></div>
+    <div class="wiz-test-result" id="wiz-test-result"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" onclick="wizMarkTestDone()">✓ It Worked — Done</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Close</button>\`
+  ]);
+}
+function wizMarkTestDone() {
+  const r = document.getElementById("wiz-test-result");
+  r.className = "wiz-test-result ok"; r.style.display="block";
+  r.textContent = "✓ Tunnel and MCP are working. claude.ai can now access your vault.";
+  document.getElementById("wizard-foot").innerHTML = \`<button class="btn-wiz-primary" onclick="closeSetupWizard()">Close Setup</button>\`;
+}
 // ── Build Status ──────────────────────────────────
 async function updateBuildStatus() {
   try {
@@ -1614,6 +2074,26 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       if (rows.length > 0 && rows[0].value && rows[0].value !== "null") {
         return typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
       }
+      // DB has no hostname — check ~/.cloudflared/config.yml
+      try {
+        const cfConfig = path.join(os.homedir(), ".cloudflared", "config.yml");
+        if (fs.existsSync(cfConfig)) {
+          const yml = fs.readFileSync(cfConfig, "utf8");
+          const hostMatch = yml.match(/^\s*-\s*hostname:\s*(\S+)/m);
+          if (hostMatch) {
+            const hostname = hostMatch[1];
+            // Save to DB so future loads skip this
+            await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+              method: "POST",
+              headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+              body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+            }).catch(() => {});
+            return hostname;
+          }
+        }
+      } catch {}
       return null;
     } catch {
       return null;
@@ -2379,6 +2859,415 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       }
     }
+    // GET /tunnel/setup-state
+    if (method === "GET" && reqPath === "/tunnel/setup-state") {
+      if (lockedGuard(res)) return;
+      try {
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        // Check for existing hostname in DB
+        const hostnameResp = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.tunnel_hostname&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        if (hostnameResp.ok) {
+          const rows = await hostnameResp.json();
+          if (rows.length > 0 && rows[0].value && rows[0].value !== "null" && rows[0].value !== '""') {
+            const hn = typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+            if (hn) return ok(res, { step: "ready", hostname: hn });
+          }
+        }
+        // Check ~/.cloudflared/config.yml for a previously configured tunnel
+        try {
+          const cfConfig = path.join(os.homedir(), ".cloudflared", "config.yml");
+          if (fs.existsSync(cfConfig)) {
+            const cfYml = fs.readFileSync(cfConfig, "utf8");
+            // Parse hostname from ingress block: "  - hostname: <hostname>"
+            const hostMatch = cfYml.match(/^\s*-\s*hostname:\s*(\S+)/m);
+            const tunnelMatch = cfYml.match(/^tunnel:\s*(\S+)/m);
+            if (hostMatch && tunnelMatch) {
+              const localHostname = hostMatch[1];
+              const localTunnelId = tunnelMatch[1];
+              // Save to DB so next load skips this check
+              await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+                method: "POST",
+                headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+                body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(localHostname) }),
+              });
+              tunnelHostname = localHostname;
+              return ok(res, { step: "ready", hostname: localHostname, tunnelId: localTunnelId, source: "local_config" });
+            }
+          }
+        } catch {}
+        // Check for CF token in vault
+        let cfToken = null;
+        try {
+          const { token: t, timestamp } = deriveToken(password, machineHash);
+          const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+          if (cr?.value) cfToken = cr.value;
+        } catch {}
+        if (!cfToken) return ok(res, { step: "need_cf_token" });
+        // Get or fetch account ID
+        let accountId = null;
+        try {
+          const acctResp = await fetch(
+            `${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+            { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+          );
+          if (acctResp.ok) {
+            const rows = await acctResp.json();
+            if (rows.length > 0 && rows[0].value) {
+              accountId = typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+            }
+          }
+        } catch {}
+        if (!accountId) {
+          try {
+            const ar = await fetch("https://api.cloudflare.com/client/v4/accounts", {
+              headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+            });
+            const ad = await ar.json();
+            accountId = ad?.result?.[0]?.id;
+            if (accountId) {
+              await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+                method: "POST",
+                headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+                body: JSON.stringify({ key: "cf_account_id", value: accountId }),
+              });
+            }
+          } catch {}
+        }
+        if (!accountId) return ok(res, { step: "setup_wizard", error: "Could not get Cloudflare account ID" });
+        // List tunnels
+        try {
+          const tr = await fetch(
+            `https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel?is_deleted=false`,
+            { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) }
+          );
+          const td = await tr.json();
+          const tunnels = (td?.result || []).map(t => ({ id: t.id, name: t.name, status: t.status }));
+          if (tunnels.length > 0) return ok(res, { step: "pick_tunnel", tunnels, accountId });
+          // CF token exists but no tunnels — create via API (no cloudflared login needed)
+          return ok(res, { step: "no_tunnels", accountId });
+        } catch {}
+        return ok(res, { step: "setup_wizard" });
+      } catch (err) {
+        return ok(res, { step: "setup_wizard", error: err.message });
+      }
+    }
+    // POST /tunnel/setup/cf-token
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-token") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { token: cfToken } = body;
+      if (!cfToken) return strike(res, 400, "token required");
+      try {
+        const vr = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
+          headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+        });
+        const vd = await vr.json();
+        if (!vd?.success) return strike(res, 400, "Invalid Cloudflare API token");
+        const ar = await fetch("https://api.cloudflare.com/client/v4/accounts", {
+          headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+        });
+        const ad = await ar.json();
+        const accountId = ad?.result?.[0]?.id;
+        const accountName = ad?.result?.[0]?.name;
+        // Save token to vault using api.write (same as /set/:service)
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        await api.write(password, machineHash, t, timestamp, "cloudflare", cfToken);
+        // Save accountId to clauth_config
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        if (accountId) {
+          await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+            method: "POST",
+            headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+            body: JSON.stringify({ key: "cf_account_id", value: accountId }),
+          });
+        }
+        return ok(res, { ok: true, accountId, accountName });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /tunnel/setup/cf-tunnels
+    if (method === "GET" && reqPath === "/tunnel/setup/cf-tunnels") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+        const cfToken = cr?.value;
+        if (!cfToken) return strike(res, 400, "No cloudflare token in vault");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        const acctResp = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        const acctRows = await acctResp.json();
+        const accountId = acctRows?.[0]?.value ? JSON.parse(acctRows[0].value) : null;
+        if (!accountId) return strike(res, 400, "No account ID — run cf-token first");
+        const tr = await fetch(
+          `https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel?is_deleted=false`,
+          { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) }
+        );
+        const td = await tr.json();
+        return ok(res, { tunnels: (td?.result || []).map(t => ({ id: t.id, name: t.name, status: t.status, created_at: t.created_at })) });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // POST /tunnel/setup/cf-save
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-save") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { tunnelId, tunnelName, hostname } = body;
+      if (!hostname) return strike(res, 400, "hostname required");
+      try {
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = tunnelId ? path.join(cfDir, `${tunnelId}.json`) : path.join(cfDir, "tunnel.json");
+        const configContent = `tunnel: ${tunnelId || tunnelName || "clauth"}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+        return ok(res, { ok: true, hostname });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // POST /tunnel/setup/cf-create-api — create tunnel via CF API (no cloudflared login needed)
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-create-api") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { name, hostname, accountId: bodyAccountId } = body;
+      if (!name || !hostname) return strike(res, 400, "name and hostname required");
+      try {
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+        const cfToken = cr?.value;
+        if (!cfToken) return strike(res, 400, "No cloudflare token in vault");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        // Get accountId
+        let accountId = bodyAccountId;
+        if (!accountId) {
+          const acctResp = await fetch(`${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+            { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) });
+          const rows = await acctResp.json();
+          accountId = rows?.[0]?.value ? JSON.parse(rows[0].value) : null;
+        }
+        if (!accountId) return strike(res, 400, "No account ID — verify CF token first");
+        // Generate tunnel secret (32 random bytes base64)
+        const { randomBytes } = await import("crypto");
+        const tunnelSecret = randomBytes(32).toString("base64");
+        // Create tunnel via CF API
+        const createResp = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel`, {
+          method: "POST",
+          headers: { Authorization: `Bearer ${cfToken}`, "Content-Type": "application/json" },
+          body: JSON.stringify({ name, tunnel_secret: tunnelSecret }),
+          signal: AbortSignal.timeout(10000),
+        });
+        const createData = await createResp.json();
+        if (!createData?.success) return strike(res, 400, createData?.errors?.[0]?.message || "Tunnel creation failed");
+        const tunnelId = createData.result.id;
+        // Write credentials file
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = path.join(cfDir, `${tunnelId}.json`);
+        fs.writeFileSync(credFile, JSON.stringify({ AccountTag: accountId, TunnelID: tunnelId, TunnelName: name, TunnelSecret: tunnelSecret }), "utf8");
+        // Write config.yml
+        const configContent = `tunnel: ${tunnelId}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+        // Route DNS via CF API — find zone for hostname
+        const domain = hostname.split(".").slice(-2).join(".");
+        const zoneResp = await fetch(`https://api.cloudflare.com/client/v4/zones?name=${domain}`,
+          { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) });
+        const zoneData = await zoneResp.json();
+        const zoneId = zoneData?.result?.[0]?.id;
+        if (zoneId) {
+          await fetch(`https://api.cloudflare.com/client/v4/zones/${zoneId}/dns_records`, {
+            method: "POST",
+            headers: { Authorization: `Bearer ${cfToken}`, "Content-Type": "application/json" },
+            body: JSON.stringify({ type: "CNAME", name: hostname, content: `${tunnelId}.cfargotunnel.com`, proxied: false, ttl: 1 }),
+            signal: AbortSignal.timeout(8000),
+          });
+        }
+        // Save hostname to DB and in-process
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+        return ok(res, { ok: true, tunnelId, hostname });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /tunnel/setup/check-cloudflared
+    if (method === "GET" && reqPath === "/tunnel/setup/check-cloudflared") {
+      let cfBin = "cloudflared";
+      let installed = false;
+      if (os.platform() === "win32") {
+        const candidates = [
+          "cloudflared",
+          path.join(process.env.ProgramFiles || "", "cloudflared", "cloudflared.exe"),
+          path.join(process.env["ProgramFiles(x86)"] || "C:\\Program Files (x86)", "cloudflared", "cloudflared.exe"),
+          path.join(os.homedir(), "scoop", "shims", "cloudflared.exe"),
+          "C:\\ProgramData\\chocolatey\\bin\\cloudflared.exe",
+        ];
+        for (const c of candidates) {
+          try { if (fs.statSync(c).isFile()) { cfBin = c; installed = true; break; } } catch {}
+        }
+      }
+      if (!installed) {
+        try {
+          const { execSync: es } = await import("child_process");
+          es("cloudflared --version", { stdio: "ignore" });
+          installed = true; cfBin = "cloudflared";
+        } catch {}
+      }
+      return ok(res, { installed, path: installed ? cfBin : null });
+    }
+    // POST /tunnel/setup/cf-login — SSE stream of cloudflared tunnel login
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-login") {
+      if (lockedGuard(res)) return;
+      res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", ...CORS });
+      const sendEvt = (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+      try {
+        const { spawn } = await import("child_process");
+        const proc = spawn("cloudflared", ["tunnel", "login"], { stdio: ["ignore","pipe","pipe"] });
+        proc.stdout.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l })));
+        proc.stderr.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l })));
+        proc.on("close", code => { sendEvt({ done: true, code }); res.end(); });
+        req.on("close", () => { try { proc.kill(); } catch {} });
+      } catch (err) {
+        sendEvt({ done: true, code: 1, error: err.message });
+        res.end();
+      }
+    }
+    // POST /tunnel/setup/cf-create — SSE stream create + route DNS + save
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-create") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const { name, hostname } = body;
+      if (!name || !hostname) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "name and hostname required" }));
+      }
+      res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", ...CORS });
+      const sendEvt = (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+      try {
+        const { spawn } = await import("child_process");
+        // Step 1: create tunnel
+        sendEvt({ line: `Creating tunnel "${name}"…`, step: 1 });
+        let tunnelId = null;
+        await new Promise((resolve, reject) => {
+          const proc = spawn("cloudflared", ["tunnel", "create", name], { stdio: ["ignore","pipe","pipe"] });
+          let output = "";
+          proc.stdout.on("data", d => { const s = d.toString(); output += s; s.split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 1 })); });
+          proc.stderr.on("data", d => { const s = d.toString(); output += s; s.split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 1 })); });
+          proc.on("close", code => {
+            const m = output.match(/Created tunnel .+ with id ([a-f0-9-]{36})/i);
+            if (m) tunnelId = m[1];
+            if (code !== 0 && !tunnelId) reject(new Error(`create failed (exit ${code})`));
+            else resolve();
+          });
+        });
+        if (!tunnelId) {
+          sendEvt({ error: "Could not parse tunnel ID from cloudflared output" });
+          return res.end();
+        }
+        // Step 2: route DNS
+        sendEvt({ line: `Routing DNS: ${hostname}…`, step: 2 });
+        await new Promise((resolve) => {
+          const proc = spawn("cloudflared", ["tunnel", "route", "dns", name, hostname], { stdio: ["ignore","pipe","pipe"] });
+          proc.stdout.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 2 })));
+          proc.stderr.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 2 })));
+          proc.on("close", () => resolve());
+        });
+        // Step 3: save config
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = path.join(cfDir, `${tunnelId}.json`);
+        const configContent = `tunnel: ${tunnelId}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+        sendEvt({ done: true, tunnelId, hostname });
+        res.end();
+      } catch (err) {
+        sendEvt({ error: err.message, done: true });
+        res.end();
+      }
+    }
     // POST /change-pw — change master password (must be unlocked)
     if (method === "POST" && reqPath === "/change-pw") {
       if (lockedGuard(res)) return;

package/cli/index.js CHANGED Viewed

@@ -532,40 +532,93 @@ program
   });
 // ──────────────────────────────────────────────
-// clauth tunnel setup
+// clauth tunnel start|stop|status
+// (setup moved to in-browser wizard at http://127.0.0.1:52437)
 // ──────────────────────────────────────────────
 const tunnelCmd = program.command("tunnel").description("Manage Cloudflare tunnel for claude.ai web integration");
 tunnelCmd
   .command("setup")
-  .description("Interactive wizard — configure cloudflared named tunnel")
+  .description("Open the tunnel setup wizard in your browser")
   .action(async () => {
-    const { actionTunnelSetup } = await import("./commands/tunnel.js");
-    await actionTunnelSetup();
+    console.log(chalk.cyan("\n  Tunnel setup is now handled in the browser.\n"));
+    console.log(chalk.white("  1. Start the daemon:  clauth serve start"));
+    console.log(chalk.white("  2. Open:              http://127.0.0.1:52437"));
+    console.log(chalk.white("  3. Unlock the vault and click \"Setup Tunnel\"\n"));
   });
 tunnelCmd
   .command("start")
   .description("Tell daemon to start the tunnel")
   .action(async () => {
-    const { actionTunnelStart } = await import("./commands/tunnel.js");
-    await actionTunnelStart();
+    try {
+      const r = await fetch("http://127.0.0.1:52437/tunnel/start", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        signal: AbortSignal.timeout(5000),
+      });
+      const data = await r.json().catch(() => ({}));
+      if (!r.ok) {
+        console.error(`  ✗ ${data.error || r.statusText}`);
+        if (r.status === 401) console.error("  Unlock the daemon first: http://127.0.0.1:52437");
+        process.exit(1);
+      }
+      console.log(`  ✓ ${data.message || "Tunnel starting — check status with: clauth tunnel status"}`);
+    } catch (e) {
+      console.error("  ✗ Daemon not running. Start it with: clauth serve");
+      process.exit(1);
+    }
   });
 tunnelCmd
   .command("stop")
   .description("Tell daemon to stop the tunnel")
   .action(async () => {
-    const { actionTunnelStop } = await import("./commands/tunnel.js");
-    await actionTunnelStop();
+    try {
+      const r = await fetch("http://127.0.0.1:52437/tunnel/stop", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        signal: AbortSignal.timeout(5000),
+      });
+      const data = await r.json().catch(() => ({}));
+      if (!r.ok) {
+        console.error(`  ✗ ${data.error || r.statusText}`);
+        process.exit(1);
+      }
+      console.log("  ✓ Tunnel stopped.");
+    } catch (e) {
+      console.error("  ✗ Daemon not running.");
+      process.exit(1);
+    }
   });
 tunnelCmd
   .command("status")
   .description("Show current tunnel status")
   .action(async () => {
-    const { actionTunnelStatus } = await import("./commands/tunnel.js");
-    await actionTunnelStatus();
+    try {
+      const r = await fetch("http://127.0.0.1:52437/tunnel", {
+        signal: AbortSignal.timeout(5000),
+      });
+      const data = await r.json().catch(() => ({}));
+      const icons = {
+        live: "✓", starting: "◌", not_configured: "⚠",
+        not_started: "○", error: "✗", missing_cloudflared: "✗",
+      };
+      const labels = {
+        live: `Live — ${data.url || ""}`,
+        starting: "Starting...",
+        not_configured: "Not configured — open http://127.0.0.1:52437 and click Setup Tunnel",
+        not_started: "Not started — run: clauth tunnel start",
+        error: `Error${data.error ? ": " + data.error : ""} — check cloudflared config`,
+        missing_cloudflared: "cloudflared not installed — https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
+      };
+      const status = data.status || "unknown";
+      console.log(`\n  ${icons[status] || "?"} Tunnel: ${labels[status] || status}\n`);
+    } catch (e) {
+      console.error("  ✗ Daemon not running. Start it with: clauth serve");
+      process.exit(1);
+    }
   });
 // ──────────────────────────────────────────────

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.1.0",
+  "version": "1.2.3",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {

package/cli/commands/tunnel.js DELETED Viewed

@@ -1,210 +0,0 @@
-// cli/commands/tunnel.js
-// clauth tunnel setup — configures Cloudflare named tunnel for claude.ai web integration
-import { execSync, spawnSync } from "child_process";
-import os from "os";
-import path from "path";
-import fs from "fs";
-import readline from "readline";
-function ask(question) {
-  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise(resolve => rl.question(question, ans => { rl.close(); resolve(ans.trim()); }));
-}
-async function actionTunnelSetup() {
-  console.log("\n  clauth tunnel setup\n");
-  console.log("  This wizard configures a Cloudflare named tunnel so claude.ai web");
-  console.log("  can connect to your local clauth daemon without exposing any ports.\n");
-  // Step 1: Check cloudflared is installed
-  try {
-    execSync("cloudflared --version", { stdio: "ignore" });
-    console.log("  ✓ cloudflared detected\n");
-  } catch {
-    console.log("  ✗ cloudflared not found.\n");
-    console.log("  Install it first:");
-    console.log("  Windows: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/");
-    console.log("  Or via winget: winget install Cloudflare.cloudflared\n");
-    process.exit(1);
-  }
-  // Step 2: Authenticate with Cloudflare
-  console.log("  Step 1/4 — Authenticate with Cloudflare");
-  console.log("  This will open your browser to log in.\n");
-  const doAuth = await ask("  Proceed? (y/n): ");
-  if (doAuth.toLowerCase() !== "y") { console.log("  Aborted."); process.exit(0); }
-  try {
-    spawnSync("cloudflared", ["tunnel", "login"], { stdio: "inherit" });
-    console.log("  ✓ Authenticated\n");
-  } catch (e) {
-    console.error("  ✗ Login failed:", e.message);
-    process.exit(1);
-  }
-  // Step 3: Create tunnel
-  console.log("  Step 2/4 — Create named tunnel");
-  const tunnelName = await ask("  Tunnel name (default: clauth): ") || "clauth";
-  let tunnelId;
-  try {
-    const result = execSync(`cloudflared tunnel create ${tunnelName}`, { encoding: "utf8" });
-    const match = result.match(/Created tunnel (.+) with id ([a-f0-9-]+)/i);
-    if (match) tunnelId = match[2];
-    console.log(`  ✓ Tunnel created: ${tunnelName} (${tunnelId || "see above"})\n`);
-  } catch (e) {
-    // Tunnel may already exist
-    console.log("  (Tunnel may already exist — continuing)\n");
-    try {
-      const listResult = execSync(`cloudflared tunnel list`, { encoding: "utf8" });
-      const lines = listResult.split("\n");
-      for (const line of lines) {
-        if (line.toLowerCase().includes(tunnelName.toLowerCase())) {
-          const parts = line.trim().split(/\s+/);
-          if (parts[0] && parts[0].includes("-")) tunnelId = parts[0];
-        }
-      }
-    } catch {
-      // ignore list errors
-    }
-  }
-  // Step 4: Configure hostname
-  console.log("  Step 3/4 — Set public hostname");
-  const hostname = await ask("  Public hostname (e.g. clauth.yourdomain.com): ");
-  if (!hostname) { console.log("  Hostname required."); process.exit(1); }
-  // Write config.yml
-  const cfDir = path.join(os.homedir(), ".cloudflared");
-  if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
-  const configPath = path.join(cfDir, "config.yml");
-  const credFile = tunnelId ? path.join(cfDir, `${tunnelId}.json`) : `<tunnel-id>.json`;
-  const config = `tunnel: ${tunnelId || tunnelName}
-credentials-file: ${credFile}
-ingress:
-  - hostname: ${hostname}
-    service: http://127.0.0.1:52437
-  - service: http_status:404
-`;
-  fs.writeFileSync(configPath, config, "utf8");
-  console.log(`  ✓ Config written: ${configPath}\n`);
-  // Route DNS
-  console.log("  Step 4/4 — Configure DNS");
-  try {
-    execSync(`cloudflared tunnel route dns ${tunnelName} ${hostname}`, { stdio: "inherit" });
-    console.log(`  ✓ DNS configured: ${hostname}\n`);
-  } catch {
-    console.log(`  ⚠ DNS route failed — add manually in Cloudflare dashboard:`);
-    console.log(`    CNAME ${hostname} → ${tunnelId}.cfargotunnel.com\n`);
-  }
-  // Save hostname to clauth config via api module
-  try {
-    const apiMod = await import("../api.js").catch(() => null);
-    if (apiMod) {
-      const sbUrl = (apiMod.getBaseUrl?.() || "").replace("/functions/v1/auth-vault", "");
-      const sbKey = apiMod.getAnonKey?.();
-      if (sbUrl && sbKey) {
-        await fetch(
-          `${sbUrl}/rest/v1/clauth_config`,
-          {
-            method: "POST",
-            headers: {
-              apikey: sbKey,
-              Authorization: `Bearer ${sbKey}`,
-              "Content-Type": "application/json",
-              Prefer: "resolution=merge-duplicates",
-            },
-            body: JSON.stringify({ key: "tunnel_hostname", value: hostname }),
-          }
-        );
-        console.log(`  ✓ Hostname saved to clauth config: ${hostname}`);
-      }
-    }
-  } catch {
-    console.log(`  ⚠ Could not save to DB. Hostname is set in config.yml — 'clauth serve' will pick it up.`);
-  }
-  console.log("\n  Setup complete!");
-  console.log(`  Restart the daemon: clauth serve restart`);
-  console.log(`  Or use: npm run worker:restart (from clauth directory)\n`);
-}
-// clauth tunnel start — tells daemon to start the tunnel
-async function actionTunnelStart() {
-  try {
-    const r = await fetch("http://127.0.0.1:52437/tunnel/start", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      signal: AbortSignal.timeout(5000),
-    });
-    const data = await r.json().catch(() => ({}));
-    if (!r.ok) {
-      console.error(`  ✗ ${data.error || r.statusText}`);
-      if (r.status === 401) console.error("  Unlock the daemon first: http://127.0.0.1:52437");
-      process.exit(1);
-    }
-    console.log(`  ✓ ${data.message || "Tunnel starting — check status with: clauth tunnel status"}`);
-  } catch (e) {
-    console.error("  ✗ Daemon not running. Start it with: clauth serve");
-    process.exit(1);
-  }
-}
-// clauth tunnel stop — tells daemon to stop the tunnel
-async function actionTunnelStop() {
-  try {
-    const r = await fetch("http://127.0.0.1:52437/tunnel/stop", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      signal: AbortSignal.timeout(5000),
-    });
-    const data = await r.json().catch(() => ({}));
-    if (!r.ok) {
-      console.error(`  ✗ ${data.error || r.statusText}`);
-      process.exit(1);
-    }
-    console.log("  ✓ Tunnel stopped.");
-  } catch (e) {
-    console.error("  ✗ Daemon not running.");
-    process.exit(1);
-  }
-}
-// clauth tunnel status — shows current tunnel status from daemon
-async function actionTunnelStatus() {
-  try {
-    const r = await fetch("http://127.0.0.1:52437/tunnel", {
-      signal: AbortSignal.timeout(5000),
-    });
-    const data = await r.json().catch(() => ({}));
-    const icons = {
-      live:                "✓",
-      starting:            "◌",
-      not_configured:      "⚠",
-      not_started:         "○",
-      error:               "✗",
-      missing_cloudflared: "✗",
-    };
-    const labels = {
-      live:                `Live — ${data.url || ""}`,
-      starting:            "Starting...",
-      not_configured:      "Not configured — run: clauth tunnel setup",
-      not_started:         "Not started — run: clauth tunnel start",
-      error:               `Error${data.error ? ": " + data.error : ""} — check cloudflared config`,
-      missing_cloudflared: "cloudflared not installed — https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/",
-    };
-    const status = data.status || "unknown";
-    console.log(`\n  ${icons[status] || "?"} Tunnel: ${labels[status] || status}\n`);
-  } catch (e) {
-    console.error("  ✗ Daemon not running. Start it with: clauth serve");
-    process.exit(1);
-  }
-}
-export { actionTunnelSetup, actionTunnelStart, actionTunnelStop, actionTunnelStatus };