npm - @lifeaitools/clauth - Versions diffs - 1.1.0 → 1.3.0 - Mend

@lifeaitools/clauth 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/cli/commands/serve.js CHANGED Viewed

@@ -58,7 +58,10 @@ ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;`,
 const CURRENT_SCHEMA_VERSION = 3;
 const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const STAGED_PID_FILE = path.join(os.tmpdir(), "clauth-serve-staged.pid");
 const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+const LIVE_PORT = 52437;
+const STAGED_PORT = 52438;
 // ── PID helpers ──────────────────────────────────────────────
 function readPid() {
@@ -73,6 +76,22 @@ function writePid(pid, port) {
   fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
 }
+function readStagedPid() {
+  try {
+    const raw = fs.readFileSync(STAGED_PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+function writeStagedPid(pid, port) {
+  fs.writeFileSync(STAGED_PID_FILE, `${pid}:${port}`, "utf8");
+}
+function removeStagedPid() {
+  try { fs.unlinkSync(STAGED_PID_FILE); } catch {}
+}
 function removePid() {
   try { fs.unlinkSync(PID_FILE); } catch {}
 }
@@ -91,7 +110,7 @@ function openBrowser(url) {
 }
 // ── Dashboard HTML ───────────────────────────────────────────
-function dashboardHtml(port, whitelist) {
+function dashboardHtml(port, whitelist, isStaged = false) {
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -280,6 +299,40 @@ function dashboardHtml(port, whitelist) {
     color: rgba(255,255,255,0.6);
     font-size: 12px;
   }
+  /* Tunnel setup wizard */
+  .wizard-panel{background:#0a1628;border:1px solid #1e3a5f;border-radius:10px;padding:1.5rem;margin-bottom:1.25rem;display:none}
+  .wizard-panel.open{display:block}
+  .wizard-header{display:flex;align-items:center;gap:10px;margin-bottom:1.25rem}
+  .wizard-title{font-size:1rem;font-weight:600;color:#f8fafc;flex:1}
+  .wizard-steps{display:flex;gap:6px;margin-bottom:1.5rem;flex-wrap:wrap}
+  .wstep{padding:4px 10px;border-radius:20px;font-size:.72rem;font-weight:600;border:1px solid #1e3a5f;color:#475569;background:#0f172a}
+  .wstep.active{border-color:#3b82f6;color:#60a5fa;background:rgba(59,130,246,.1)}
+  .wstep.done{border-color:#166534;color:#4ade80;background:rgba(74,222,128,.08)}
+  .wizard-body{min-height:80px}
+  .wizard-foot{display:flex;gap:8px;margin-top:1.25rem;align-items:center}
+  .btn-wiz-primary{background:#3b82f6;color:#fff;padding:8px 20px;font-size:.875rem;border-radius:7px;border:none;cursor:pointer;font-weight:600}
+  .btn-wiz-primary:hover{background:#2563eb}
+  .btn-wiz-primary:disabled{opacity:.4;cursor:not-allowed}
+  .btn-wiz-secondary{background:#1e293b;color:#94a3b8;padding:8px 16px;font-size:.875rem;border-radius:7px;border:1px solid #334155;cursor:pointer}
+  .btn-wiz-secondary:hover{color:#e2e8f0}
+  .wiz-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.9rem;padding:9px 12px;outline:none;margin-top:8px;transition:border-color .2s}
+  .wiz-input:focus{border-color:#3b82f6}
+  .wiz-label{font-size:.8rem;color:#64748b;margin-bottom:4px}
+  .wiz-msg{font-size:.82rem;margin-left:auto}
+  .wiz-msg.ok{color:#4ade80}.wiz-msg.fail{color:#f87171}
+  .wiz-log{background:#030712;border:1px solid #1e293b;border-radius:6px;padding:10px;font-family:'Courier New',monospace;font-size:.75rem;color:#6ee7b7;max-height:160px;overflow-y:auto;margin-top:10px;white-space:pre-wrap}
+  .wiz-tunnel-list{display:flex;flex-direction:column;gap:8px;margin-top:10px}
+  .wiz-tunnel-item{display:flex;align-items:center;gap:10px;padding:10px 12px;background:#0f172a;border:1px solid #1e3a5f;border-radius:6px;cursor:pointer;transition:border-color .15s}
+  .wiz-tunnel-item:hover,.wiz-tunnel-item.selected{border-color:#3b82f6;background:rgba(59,130,246,.08)}
+  .wiz-tunnel-name{font-weight:600;color:#f8fafc;font-size:.9rem;flex:1}
+  .wiz-tunnel-id{font-family:'Courier New',monospace;font-size:.72rem;color:#475569}
+  .wiz-tunnel-status{font-size:.72rem;padding:2px 7px;border-radius:4px;background:rgba(74,222,128,.1);color:#4ade80;border:1px solid rgba(74,222,128,.2)}
+  .wiz-desc{font-size:.85rem;color:#94a3b8;line-height:1.6;margin-bottom:.75rem}
+  .wiz-link{color:#60a5fa;text-decoration:none;font-size:.82rem}
+  .wiz-link:hover{text-decoration:underline}
+  .wiz-test-result{padding:12px 14px;border-radius:8px;font-size:.85rem;margin-top:10px;display:none}
+  .wiz-test-result.ok{background:rgba(74,222,128,.08);border:1px solid rgba(74,222,128,.2);color:#4ade80}
+  .wiz-test-result.fail{background:rgba(248,113,113,.08);border:1px solid rgba(248,113,113,.2);color:#f87171}
 </style>
 </head>
 <body>
@@ -307,8 +360,15 @@ function dashboardHtml(port, whitelist) {
   </div>
   <div class="header">
     <div class="dot" id="dot"></div>
-    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
+    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span>${isStaged ? `<span style="font-size:0.5em;background:#b45309;color:#fef3c7;border-radius:4px;padding:2px 10px;margin-left:12px;font-weight:600;letter-spacing:.5px">STAGED</span>` : ""}</h1>
   </div>
+  ${isStaged ? `<div id="staged-banner" style="background:linear-gradient(135deg,#78350f,#92400e);border:1px solid #b45309;border-radius:6px;padding:12px 16px;margin:0 16px 8px;display:flex;align-items:center;justify-content:space-between">
+    <div>
+      <strong style="color:#fef3c7">⚡ Staged deployment</strong>
+      <span style="color:#fcd34d;font-size:.85rem;margin-left:8px">Running on port ${port} — verify before making live</span>
+    </div>
+    <button onclick="makeLive()" style="background:#15803d;border:1px solid #16a34a;color:#dcfce7;padding:6px 16px;border-radius:4px;cursor:pointer;font-weight:600;font-size:.85rem">✓ Make Live</button>
+  </div>` : ""}
   <div id="error-bar" class="error-bar"></div>
   <div class="status-bar">
     <div>PID: <span id="s-pid">—</span></div>
@@ -330,6 +390,7 @@ function dashboardHtml(port, whitelist) {
     <button class="btn-add" onclick="toggleAddService()">+ Add Service</button>
     <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
     <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
+    <button class="btn-stop" onclick="stopDaemon()" style="background:#7f1d1d;border:1px solid #991b1b;color:#fca5a5" title="Stop daemon — password required on next start">⏹ Stop</button>
     <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
   </div>
@@ -441,6 +502,17 @@ function dashboardHtml(port, whitelist) {
     <div style="font-size:.72rem;color:#64748b;margin-top:4px">Paste these into <a href="https://claude.ai/settings/integrations" target="_blank" style="color:#60a5fa">claude.ai Settings → Integrations</a></div>
   </div>
+  <div class="wizard-panel" id="wizard-panel">
+    <div class="wizard-header">
+      <div class="tunnel-dot off" id="wiz-dot" style="width:10px;height:10px;border-radius:50%"></div>
+      <div class="wizard-title">claude.ai Tunnel Setup</div>
+      <button class="btn-cancel" onclick="closeSetupWizard()">✕ Dismiss</button>
+    </div>
+    <div class="wizard-steps" id="wizard-steps"></div>
+    <div class="wizard-body" id="wizard-body"><p class="loading">Checking setup state…</p></div>
+    <div class="wizard-foot" id="wizard-foot"></div>
+  </div>
   <div id="project-tabs" class="project-tabs" style="display:none"></div>
   <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
   <div class="footer">localhost:${port} · 127.0.0.1 only · 10-strike lockout</div>
@@ -650,6 +722,34 @@ async function lockVault() {
   showLockScreen();
 }
+// ── Make Live (blue-green: promote staged instance to live port) ──
+async function makeLive() {
+  if (!confirm("Promote this staged instance to live?\\n\\nThe current live daemon (port ${LIVE_PORT}) will be stopped and this instance will restart on port ${LIVE_PORT}.")) return;
+  const banner = document.getElementById("staged-banner");
+  if (banner) banner.innerHTML = '<div style="color:#fef3c7"><strong>⏳ Promoting to live...</strong></div>';
+  try {
+    const resp = await fetch(BASE + "/make-live", { method: "POST" });
+    const data = await resp.json();
+    if (data.ok) {
+      document.getElementById("main-view").innerHTML = '<div style="text-align:center;padding:80px 20px"><div style="font-size:3rem;margin-bottom:16px">✅</div><div style="font-size:1.1rem;color:#4ade80">Promoted to live!</div><div style="font-size:.85rem;color:#94a3b8;margin-top:8px">Restarting on port ${LIVE_PORT}... page will reload in 5 seconds.</div></div>';
+      setTimeout(() => { window.location.href = "http://127.0.0.1:" + ${LIVE_PORT}; }, 5000);
+    } else {
+      if (banner) banner.innerHTML = '<div style="color:#fca5a5"><strong>❌ Promotion failed:</strong> ' + (data.error || 'unknown') + '</div>';
+    }
+  } catch (err) {
+    if (banner) banner.innerHTML = '<div style="color:#fca5a5"><strong>❌ Promotion failed:</strong> ' + err.message + '</div>';
+  }
+}
+// ── Stop daemon (user-initiated — clears boot.key, requires password on restart) ──
+async function stopDaemon() {
+  if (!confirm("Stop the daemon?\\n\\nCredentials will need to be re-entered on next start.")) return;
+  try {
+    await fetch(BASE + "/shutdown-ui", { method: "POST" });
+  } catch {}
+  document.getElementById("main-view").innerHTML = '<div style="text-align:center;padding:80px 20px"><div style="font-size:3rem;margin-bottom:16px">⏹</div><div style="font-size:1.1rem;color:#94a3b8">Daemon stopped</div><div style="font-size:.85rem;color:#64748b;margin-top:8px">Restart with: clauth serve start</div></div>';
+}
 // ── Load services ───────────────────────────
 let allServices = [];
 let activeProjectTab = "all";
@@ -1193,9 +1293,7 @@ async function toggleTunnel(action) {
   } catch {}
 }
-function runTunnelSetup() {
-  alert("Run in your terminal:\\n\\n  clauth tunnel setup\\n\\nThis will guide you through Cloudflare authentication and tunnel creation.");
-}
+function runTunnelSetup() { openSetupWizard(); }
 async function testTunnel() {
   const liveState = document.querySelector("#tunnel-panel .tunnel-state.live");
@@ -1267,6 +1365,423 @@ function copyMcp(elId) {
   }).catch(() => {});
 }
+// ── Tunnel Setup Wizard ─────────────────────
+let wizStep = null;
+let wizData = {};
+async function openSetupWizard() {
+  const panel = document.getElementById("wizard-panel");
+  panel.classList.add("open");
+  panel.scrollIntoView({ behavior: "smooth", block: "start" });
+  wizStep = "loading";
+  renderWizBody('<p class="loading">Checking setup state…</p>', [], []);
+  const state = await apiFetch("/tunnel/setup-state");
+  if (!state) {
+    renderWizBody('<p class="wiz-desc" style="color:#f87171">Could not reach daemon.</p>', [], []);
+    return;
+  }
+  if (state.step === "ready") {
+    await apiFetch("/tunnel/start", { method: "POST" });
+    closeSetupWizard();
+    return;
+  }
+  wizData = state;
+  if (state.step === "need_cf_token") wizShowCfToken();
+  else if (state.step === "pick_tunnel") wizShowPickTunnel(state.tunnels);
+  else if (state.step === "no_tunnels") wizShowCreateViaCfApi(state.accountId);
+  else wizShowInstallCheck(); // no CF token — needs cloudflared login
+}
+function closeSetupWizard() {
+  document.getElementById("wizard-panel").classList.remove("open");
+  wizStep = null; wizData = {};
+}
+function renderWizBody(html, steps, footHtml) {
+  document.getElementById("wizard-body").innerHTML = html;
+  const stepLabels = ["CF Token","Tunnel","cloudflared","MCP Setup","Test"];
+  const stepsEl = document.getElementById("wizard-steps");
+  stepsEl.innerHTML = stepLabels.map((label, i) => {
+    const stepKeys = ["need_cf_token","pick_tunnel","check_cf","mcp_setup","test"];
+    const currentIdx = stepKeys.indexOf(wizStep);
+    let cls = "wstep";
+    if (i < currentIdx) cls += " done";
+    else if (i === currentIdx) cls += " active";
+    return \`<div class="\${cls}">\${i < currentIdx ? "✓ " : ""}\${label}</div>\`;
+  }).join("");
+  document.getElementById("wizard-foot").innerHTML = footHtml.join("");
+}
+// Step: Enter CF API token
+function wizShowCfToken() {
+  wizStep = "need_cf_token";
+  renderWizBody(\`
+    <div class="wiz-desc">A Cloudflare API token is needed to check for existing tunnels and configure new ones.</div>
+    <div class="wiz-label">Cloudflare API Token</div>
+    <input class="wiz-input" id="wiz-cf-token-input" type="password" placeholder="Paste your CF API token…" autocomplete="off" spellcheck="false">
+    <div style="margin-top:8px">
+      <a class="wiz-link" href="https://dash.cloudflare.com/profile/api-tokens" target="_blank">↗ Create token at Cloudflare Dashboard</a>
+      <span style="color:#475569;font-size:.78rem;margin-left:8px">(needs Cloudflare Tunnel: Edit permission)</span>
+    </div>
+    <div class="wiz-msg fail" id="wiz-cf-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-cf-btn" onclick="wizSubmitCfToken()">Verify &amp; Save Token</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`,
+    \`<span class="wiz-msg" id="wiz-cf-msg"></span>\`
+  ]);
+  document.getElementById("wiz-cf-token-input").addEventListener("keydown", e => {
+    if (e.key === "Enter") wizSubmitCfToken();
+  });
+}
+async function wizSubmitCfToken() {
+  const input = document.getElementById("wiz-cf-token-input");
+  const btn = document.getElementById("wiz-cf-btn");
+  const errEl = document.getElementById("wiz-cf-err");
+  const token = input.value.trim();
+  if (!token) return;
+  btn.disabled = true; btn.textContent = "Verifying…";
+  if (errEl) errEl.style.display = "none";
+  const r = await fetch(BASE + "/tunnel/setup/cf-token", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ token }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled = false; btn.textContent = "Verify & Save Token";
+  if (!r || r.error) {
+    if (errEl) { errEl.textContent = r?.error || "Request failed"; errEl.style.display = "block"; }
+    return;
+  }
+  wizData.accountId = r.accountId;
+  const tunnelState = await apiFetch("/tunnel/setup-state");
+  if (tunnelState?.step === "pick_tunnel") wizShowPickTunnel(tunnelState.tunnels);
+  else wizShowInstallCheck();
+}
+// Step: Pick existing tunnel
+function wizShowPickTunnel(tunnels) {
+  wizStep = "pick_tunnel";
+  const listHtml = tunnels.map(t => \`
+    <div class="wiz-tunnel-item" id="wti-\${t.id}" onclick="wizSelectTunnel('\${t.id}','\${t.name}',this)">
+      <div style="flex:1">
+        <div class="wiz-tunnel-name">\${t.name}</div>
+        <div class="wiz-tunnel-id">\${t.id}</div>
+      </div>
+      <div class="wiz-tunnel-status">\${t.status || "active"}</div>
+    </div>
+  \`).join("");
+  renderWizBody(\`
+    <div class="wiz-desc">Found \${tunnels.length} existing Cloudflare tunnel\${tunnels.length !== 1 ? "s" : ""}. Select one to use, or create a new one.</div>
+    <div class="wiz-tunnel-list">\${listHtml}</div>
+    <div style="margin-top:12px">
+      <div class="wiz-label">Public hostname for selected tunnel (e.g. clauth.yourdomain.com)</div>
+      <input class="wiz-input" id="wiz-hostname-input" type="text" placeholder="clauth.yourdomain.com" spellcheck="false" autocomplete="off">
+    </div>
+    <div class="wiz-msg fail" id="wiz-pick-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-pick-btn" onclick="wizSaveTunnel()">Use Selected Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizShowInstallCheck()">Create New Tunnel Instead</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+  window._wizSelectedTunnel = null;
+}
+function wizSelectTunnel(id, name, el) {
+  document.querySelectorAll(".wiz-tunnel-item").forEach(e => e.classList.remove("selected"));
+  el.classList.add("selected");
+  window._wizSelectedTunnel = { id, name };
+}
+async function wizSaveTunnel() {
+  const sel = window._wizSelectedTunnel;
+  const hostname = document.getElementById("wiz-hostname-input")?.value.trim();
+  const errEl = document.getElementById("wiz-pick-err");
+  const btn = document.getElementById("wiz-pick-btn");
+  if (!sel) { if (errEl) { errEl.textContent = "Select a tunnel first"; errEl.style.display="block"; } return; }
+  if (!hostname) { if (errEl) { errEl.textContent = "Enter a public hostname"; errEl.style.display="block"; } return; }
+  btn.disabled = true; btn.textContent = "Saving…";
+  const r = await fetch(BASE + "/tunnel/setup/cf-save", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ tunnelId: sel.id, tunnelName: sel.name, hostname }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled = false; btn.textContent = "Use Selected Tunnel";
+  if (!r?.ok) {
+    if (errEl) { errEl.textContent = r?.error || "Save failed"; errEl.style.display="block"; }
+    return;
+  }
+  await apiFetch("/tunnel/start", { method: "POST" });
+  wizShowMcpSetup(hostname);
+}
+// Step: Create tunnel via CF API (CF token already in vault — no cloudflared login needed)
+function wizShowCreateViaCfApi(accountId) {
+  wizStep = "pick_tunnel";
+  wizData.accountId = accountId;
+  renderWizBody(\`
+    <div class="wiz-desc">No existing tunnels found. Create a new one using your Cloudflare API token.</div>
+    <div class="wiz-label">Tunnel name</div>
+    <input class="wiz-input" id="wiz-api-tname" type="text" value="clauth" spellcheck="false">
+    <div class="wiz-label" style="margin-top:10px">Public hostname (e.g. clauth.yourdomain.com)</div>
+    <input class="wiz-input" id="wiz-api-hostname" type="text" placeholder="clauth.yourdomain.com" spellcheck="false">
+    <div class="wiz-msg fail" id="wiz-api-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-api-btn" onclick="wizRunCreateViaCfApi()">Create Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`,
+    \`<span class="wiz-msg" id="wiz-api-msg"></span>\`
+  ]);
+}
+async function wizRunCreateViaCfApi() {
+  const name = document.getElementById("wiz-api-tname")?.value.trim();
+  const hostname = document.getElementById("wiz-api-hostname")?.value.trim();
+  const btn = document.getElementById("wiz-api-btn");
+  const err = document.getElementById("wiz-api-err");
+  const msg = document.getElementById("wiz-api-msg");
+  if (!name || !hostname) { if(err){err.textContent="Name and hostname required";err.style.display="block";} return; }
+  btn.disabled=true; btn.textContent="Creating…"; if(err) err.style.display="none";
+  if(msg) msg.textContent="Calling Cloudflare API…";
+  const r = await fetch(BASE + "/tunnel/setup/cf-create-api", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ name, hostname, accountId: wizData.accountId }),
+  }).then(r => r.json()).catch(() => null);
+  btn.disabled=false; btn.textContent="Create Tunnel";
+  if (!r?.ok) {
+    if(err){err.textContent = r?.error || "Creation failed"; err.style.display="block";}
+    if(msg) msg.textContent="";
+    return;
+  }
+  await apiFetch("/tunnel/start", { method: "POST" });
+  wizShowMcpSetup(hostname);
+}
+// Step: cloudflared install check (for new tunnel creation flow)
+async function wizShowInstallCheck() {
+  wizStep = "check_cf";
+  renderWizBody('<p class="loading">Checking cloudflared…</p>', [], []);
+  const r = await apiFetch("/tunnel/setup/check-cloudflared");
+  if (r?.installed) {
+    wizShowCfLogin();
+  } else {
+    renderWizBody(\`
+      <div class="wiz-desc">cloudflared is required to create and run Cloudflare tunnels. It is not currently installed.</div>
+      <div style="display:flex;gap:12px;margin-top:12px;flex-wrap:wrap">
+        <a class="btn-wiz-secondary" href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/" target="_blank" style="text-decoration:none">↗ Download cloudflared</a>
+        <span style="color:#475569;font-size:.8rem;align-self:center">or: <code style="color:#60a5fa">winget install Cloudflare.cloudflared</code></span>
+      </div>
+      <div class="wiz-desc" style="margin-top:12px;font-size:.78rem;color:#475569">After installing, click "Check Again".</div>
+    \`, [], [
+      \`<button class="btn-wiz-primary" onclick="wizShowInstallCheck()">Check Again</button>\`,
+      \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+    ]);
+  }
+}
+// Step: cloudflared login (Cloudflare auth via browser)
+function wizShowCfLogin() {
+  wizStep = "check_cf";
+  renderWizBody(\`
+    <div class="wiz-desc">Authenticate cloudflared with your Cloudflare account. This opens a browser window.</div>
+    <div class="wiz-log" id="wiz-login-log" style="display:none"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-login-btn" onclick="wizRunCfLogin()">Open Browser to Authenticate</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+}
+async function wizRunCfLogin() {
+  const btn = document.getElementById("wiz-login-btn");
+  const log = document.getElementById("wiz-login-log");
+  btn.disabled = true; btn.textContent = "Authenticating…";
+  log.style.display = "block";
+  try {
+    const resp = await fetch(BASE + "/tunnel/setup/cf-login", { method: "POST" });
+    const reader = resp.body.getReader();
+    const dec = new TextDecoder();
+    let buf = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += dec.decode(value, { stream: true });
+      const lines = buf.split("\\n");
+      buf = lines.pop();
+      for (const line of lines) {
+        if (!line.startsWith("data:")) continue;
+        try {
+          const d = JSON.parse(line.slice(5).trim());
+          if (d.line !== undefined) { log.textContent += d.line + "\\n"; log.scrollTop = log.scrollHeight; }
+          if (d.done) {
+            if (d.code === 0) wizShowCreateTunnel();
+            else { btn.disabled=false; btn.textContent="Retry"; }
+            return;
+          }
+        } catch {}
+      }
+    }
+  } catch(e) {
+    log.textContent += "Error: " + e.message;
+    btn.disabled = false; btn.textContent = "Retry";
+  }
+}
+// Step: Create new tunnel
+function wizShowCreateTunnel() {
+  wizStep = "check_cf";
+  renderWizBody(\`
+    <div class="wiz-desc">Create a new named Cloudflare tunnel. Give it a name and a public hostname.</div>
+    <div class="wiz-label">Tunnel name (e.g. clauth)</div>
+    <input class="wiz-input" id="wiz-tname" type="text" value="clauth" spellcheck="false">
+    <div class="wiz-label" style="margin-top:10px">Public hostname (e.g. clauth.yourdomain.com)</div>
+    <input class="wiz-input" id="wiz-thostname" type="text" placeholder="clauth.yourdomain.com" spellcheck="false">
+    <div class="wiz-log" id="wiz-create-log" style="display:none;margin-top:10px"></div>
+    <div class="wiz-msg fail" id="wiz-create-err" style="display:none;margin-top:8px"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" id="wiz-create-btn" onclick="wizRunCreateTunnel()">Create Tunnel</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Postpone</button>\`
+  ]);
+}
+async function wizRunCreateTunnel() {
+  const name = document.getElementById("wiz-tname")?.value.trim();
+  const hostname = document.getElementById("wiz-thostname")?.value.trim();
+  const btn = document.getElementById("wiz-create-btn");
+  const log = document.getElementById("wiz-create-log");
+  const err = document.getElementById("wiz-create-err");
+  if (!name || !hostname) { if(err){err.textContent="Name and hostname required";err.style.display="block";} return; }
+  btn.disabled=true; btn.textContent="Creating…";
+  log.style.display="block"; err.style.display="none";
+  try {
+    const resp = await fetch(BASE + "/tunnel/setup/cf-create", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ name, hostname }),
+    });
+    const reader = resp.body.getReader();
+    const dec = new TextDecoder();
+    let buf = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += dec.decode(value, { stream: true });
+      const lines = buf.split("\\n");
+      buf = lines.pop();
+      for (const line of lines) {
+        if (!line.startsWith("data:")) continue;
+        try {
+          const d = JSON.parse(line.slice(5).trim());
+          if (d.line !== undefined) { log.textContent += d.line + "\\n"; log.scrollTop = log.scrollHeight; }
+          if (d.done && d.hostname) {
+            await apiFetch("/tunnel/start", { method: "POST" });
+            wizShowMcpSetup(d.hostname);
+            return;
+          }
+          if (d.error) { err.textContent = d.error; err.style.display="block"; btn.disabled=false; btn.textContent="Retry"; return; }
+        } catch {}
+      }
+    }
+  } catch(e) {
+    if(err){err.textContent=e.message;err.style.display="block";}
+    btn.disabled=false; btn.textContent="Retry";
+  }
+}
+// Step: MCP setup in claude.ai
+async function wizShowMcpSetup(hostname) {
+  wizStep = "mcp_setup";
+  const sseUrl = \`https://\${hostname}/sse\`;
+  const mcpData = await apiFetch("/mcp-setup");
+  renderWizBody(\`
+    <div class="wiz-desc">Add clauth as an MCP server in claude.ai settings. Paste these values:</div>
+    <div style="display:flex;flex-direction:column;gap:8px;margin-top:10px">
+      <div class="mcp-row">
+        <span class="mcp-label">URL</span>
+        <span class="mcp-val" id="wiz-mcp-url">\${sseUrl}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-url',this)">copy</button>
+      </div>
+      <div class="mcp-row">
+        <span class="mcp-label">Client ID</span>
+        <span class="mcp-val" id="wiz-mcp-cid">\${mcpData?.clientId || '(unlock required)'}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-cid',this)">copy</button>
+      </div>
+      <div class="mcp-row">
+        <span class="mcp-label">Secret</span>
+        <span class="mcp-val" id="wiz-mcp-sec">\${mcpData?.clientSecret || '(unlock required)'}</span>
+        <button class="mcp-copy" onclick="wizCopy('wiz-mcp-sec',this)">copy</button>
+      </div>
+    </div>
+    <div style="margin-top:10px;font-size:.78rem;color:#64748b">
+      Paste into <a class="wiz-link" href="https://claude.ai/settings/integrations" target="_blank">claude.ai → Settings → Integrations</a>
+    </div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" onclick="window.open('https://claude.ai/settings/integrations','_blank');wizShowTest()">I've Added It — Test Now</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="wizShowTest()">Skip Test</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Done</button>\`
+  ]);
+}
+function wizCopy(elId, btn) {
+  const val = document.getElementById(elId)?.textContent?.trim();
+  if (!val) return;
+  navigator.clipboard.writeText(val).then(() => {
+    const orig = btn.textContent;
+    btn.textContent = "✓"; btn.classList.add("ok");
+    setTimeout(() => { btn.textContent = orig; btn.classList.remove("ok"); }, 1500);
+  }).catch(() => {});
+}
+// Step: Test — verify MCP is working
+function wizShowTest() {
+  wizStep = "test";
+  renderWizBody(\`
+    <div class="wiz-desc">In a new claude.ai chat, ask Claude to run this MCP tool call to verify the connection:</div>
+    <div style="background:#030712;border:1px solid #1e293b;border-radius:6px;padding:12px;margin:10px 0;font-family:'Courier New',monospace;font-size:.82rem;color:#6ee7b7;user-select:all">
+      Use the clauth MCP tool: GET /ping — what is the response?
+    </div>
+    <div class="wiz-desc">Claude should report back: <code style="color:#4ade80">{"status":"ok","version":"..."}</code></div>
+    <div class="wiz-test-result" id="wiz-test-result"></div>
+  \`, [], [
+    \`<button class="btn-wiz-primary" onclick="wizMarkTestDone()">✓ It Worked — Done</button>\`,
+    \`<button class="btn-wiz-secondary" onclick="closeSetupWizard()">Close</button>\`
+  ]);
+}
+function wizMarkTestDone() {
+  const r = document.getElementById("wiz-test-result");
+  r.className = "wiz-test-result ok"; r.style.display="block";
+  r.textContent = "✓ Tunnel and MCP are working. claude.ai can now access your vault.";
+  document.getElementById("wizard-foot").innerHTML = \`<button class="btn-wiz-primary" onclick="closeSetupWizard()">Close Setup</button>\`;
+}
 // ── Build Status ──────────────────────────────────
 async function updateBuildStatus() {
   try {
@@ -1320,7 +1835,7 @@ function readBody(req) {
 }
 // ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port, tunnelHostnameInit = null) {
+function createServer(initPassword, whitelist, port, tunnelHostnameInit = null, isStaged = false) {
   // tunnelHostname may be updated at runtime (fetched from DB after unlock)
   let tunnelHostname = tunnelHostnameInit;
@@ -1456,6 +1971,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       const proc = spawnProc(cfBin, args, {
         stdio: ["ignore", "pipe", "pipe"],
+        windowsHide: true,
       });
       tunnelProc = proc;
@@ -1614,6 +2130,26 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       if (rows.length > 0 && rows[0].value && rows[0].value !== "null") {
         return typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
       }
+      // DB has no hostname — check ~/.cloudflared/config.yml
+      try {
+        const cfConfig = path.join(os.homedir(), ".cloudflared", "config.yml");
+        if (fs.existsSync(cfConfig)) {
+          const yml = fs.readFileSync(cfConfig, "utf8");
+          const hostMatch = yml.match(/^\s*-\s*hostname:\s*(\S+)/m);
+          if (hostMatch) {
+            const hostname = hostMatch[1];
+            // Save to DB so future loads skip this
+            await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+              method: "POST",
+              headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+              body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+            }).catch(() => {});
+            return hostname;
+          }
+        }
+      } catch {}
       return null;
     } catch {
       return null;
@@ -2036,7 +2572,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
     // GET / — built-in web dashboard
     if (method === "GET" && reqPath === "/") {
       res.writeHead(200, { "Content-Type": "text/html", ...CORS });
-      return res.end(dashboardHtml(port, whitelist));
+      return res.end(dashboardHtml(port, whitelist, isStaged));
     }
     // GET /ping
@@ -2052,6 +2588,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
         tunnel_status: tunnelStatus,
         tunnel_url: tunnelUrl || null,
         app_version: VERSION,
+        staged: isStaged,
         schema_version: CURRENT_SCHEMA_VERSION,
       });
     }
@@ -2123,7 +2660,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       return ok(res, { status: tunnelStatus });
     }
-    // GET /shutdown (for daemon stop)
+    // GET /shutdown (for daemon stop — programmatic, keeps boot.key)
     if (method === "GET" && reqPath === "/shutdown") {
       stopTunnel();
       ok(res, { ok: true, message: "shutting down" });
@@ -2132,6 +2669,100 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       return;
     }
+    // POST /shutdown-ui (user-initiated stop — clears boot.key so password is required on restart)
+    if (method === "POST" && reqPath === "/shutdown-ui") {
+      stopTunnel();
+      // Clear boot.key so watchdog can't auto-unlock on restart
+      const bootKeyPath = getBootKeyPath();
+      if (bootKeyPath) {
+        try { fs.unlinkSync(bootKeyPath); } catch {}
+      }
+      ok(res, { ok: true, message: "shutting down (user-initiated, boot.key cleared)" });
+      const logLine = `[${new Date().toISOString()}] User-initiated shutdown via UI — boot.key cleared\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+    // POST /make-live (blue-green: staged instance promotes itself to live port)
+    if (method === "POST" && reqPath === "/make-live") {
+      if (!isStaged) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Not a staged instance" }));
+      }
+      const logLine = `[${new Date().toISOString()}] Make-live: promoting staged (port ${port}) to live (port ${LIVE_PORT})\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      // Stop the current live daemon if running
+      try { await fetch(`http://127.0.0.1:${LIVE_PORT}/shutdown`); } catch {}
+      // Wait for port to be released (Windows is slow to release sockets)
+      let portFree = false;
+      for (let i = 0; i < 10; i++) {
+        await new Promise(r => setTimeout(r, 1000));
+        try {
+          await fetch(`http://127.0.0.1:${LIVE_PORT}/ping`);
+          // Still responding — not dead yet
+        } catch {
+          portFree = true;
+          break;
+        }
+      }
+      if (!portFree) {
+        const errLog = `[${new Date().toISOString()}] Make-live: live daemon on port ${LIVE_PORT} failed to stop within 10s\n`;
+        try { fs.appendFileSync(LOG_FILE, errLog); } catch {}
+      }
+      // Stop tunnel on this instance (will restart on new port)
+      stopTunnel();
+      // Clean up staged PID file
+      removeStagedPid();
+      // Spawn a new daemon on the live port with same credentials
+      const { spawn } = await import("child_process");
+      const cliEntry = path.resolve(__dirname, "../index.js");
+      const childArgs = [cliEntry, "serve", "start", "--port", String(LIVE_PORT)];
+      if (password) childArgs.push("--pw", password);
+      if (whitelist) childArgs.push("--services", whitelist.join(","));
+      if (tunnelHostname) childArgs.push("--tunnel", tunnelHostname);
+      const out = fs.openSync(LOG_FILE, "a");
+      const childEnv = { ...process.env, __CLAUTH_DAEMON: "1" };
+      delete childEnv.__CLAUTH_STAGED;  // Clear staged flag — child is live
+      const child = spawn(process.execPath, childArgs, {
+        detached: true,
+        stdio: ["ignore", out, out],
+        env: childEnv,
+      });
+      child.unref();
+      // Wait for new live daemon to be reachable
+      let promoted = false;
+      for (let i = 0; i < 8; i++) {
+        await new Promise(r => setTimeout(r, 1000));
+        try {
+          const resp = await fetch(`http://127.0.0.1:${LIVE_PORT}/ping`);
+          if (resp.ok) { promoted = true; break; }
+        } catch {}
+      }
+      if (promoted) {
+        const okLog = `[${new Date().toISOString()}] Make-live: promoted to live on port ${LIVE_PORT}\n`;
+        try { fs.appendFileSync(LOG_FILE, okLog); } catch {}
+        ok(res, { ok: true, message: "promoted to live", live_port: LIVE_PORT });
+      } else {
+        const failLog = `[${new Date().toISOString()}] Make-live: new daemon failed to start on port ${LIVE_PORT}\n`;
+        try { fs.appendFileSync(LOG_FILE, failLog); } catch {}
+        ok(res, { ok: false, error: "New daemon failed to start on live port — check log" });
+      }
+      // Self-terminate after response is sent
+      setTimeout(() => process.exit(0), 500);
+      return;
+    }
     // Locked guard — returns true if locked and already responded
     function lockedGuard(res) {
       if (!password) {
@@ -2228,6 +2859,25 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
         password = pw;   // unlock — store in process memory only
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        // Auto-seal: DPAPI-encrypt password to boot.key for passwordless crash recovery
+        // Only on Windows; only if autostart dir exists (i.e., install was run)
+        if (os.platform() === "win32") {
+          const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+          const bootKeyPath = path.join(autostartDir, "boot.key");
+          if (fs.existsSync(autostartDir)) {
+            try {
+              const pwEscaped = pw.replace(/'/g, "''");
+              const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
+              const encrypted = execSyncTop(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8", timeout: 5000 }).trim();
+              fs.writeFileSync(bootKeyPath, encrypted, "utf8");
+              const sealLog = `[${new Date().toISOString()}] Auto-sealed boot.key via DPAPI (crash recovery enabled)\n`;
+              try { fs.appendFileSync(LOG_FILE, sealLog); } catch {}
+            } catch (sealErr) {
+              const sealLog = `[${new Date().toISOString()}] Auto-seal failed (non-fatal): ${sealErr.message}\n`;
+              try { fs.appendFileSync(LOG_FILE, sealLog); } catch {}
+            }
+          }
+        }
         // Auto-start tunnel: --tunnel flag takes priority, otherwise fetch from DB
         if (!tunnelHostname) {
           fetchTunnelConfig().then(configured => {
@@ -2379,6 +3029,415 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       }
     }
+    // GET /tunnel/setup-state
+    if (method === "GET" && reqPath === "/tunnel/setup-state") {
+      if (lockedGuard(res)) return;
+      try {
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        // Check for existing hostname in DB
+        const hostnameResp = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.tunnel_hostname&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        if (hostnameResp.ok) {
+          const rows = await hostnameResp.json();
+          if (rows.length > 0 && rows[0].value && rows[0].value !== "null" && rows[0].value !== '""') {
+            const hn = typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+            if (hn) return ok(res, { step: "ready", hostname: hn });
+          }
+        }
+        // Check ~/.cloudflared/config.yml for a previously configured tunnel
+        try {
+          const cfConfig = path.join(os.homedir(), ".cloudflared", "config.yml");
+          if (fs.existsSync(cfConfig)) {
+            const cfYml = fs.readFileSync(cfConfig, "utf8");
+            // Parse hostname from ingress block: "  - hostname: <hostname>"
+            const hostMatch = cfYml.match(/^\s*-\s*hostname:\s*(\S+)/m);
+            const tunnelMatch = cfYml.match(/^tunnel:\s*(\S+)/m);
+            if (hostMatch && tunnelMatch) {
+              const localHostname = hostMatch[1];
+              const localTunnelId = tunnelMatch[1];
+              // Save to DB so next load skips this check
+              await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+                method: "POST",
+                headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+                body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(localHostname) }),
+              });
+              tunnelHostname = localHostname;
+              return ok(res, { step: "ready", hostname: localHostname, tunnelId: localTunnelId, source: "local_config" });
+            }
+          }
+        } catch {}
+        // Check for CF token in vault
+        let cfToken = null;
+        try {
+          const { token: t, timestamp } = deriveToken(password, machineHash);
+          const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+          if (cr?.value) cfToken = cr.value;
+        } catch {}
+        if (!cfToken) return ok(res, { step: "need_cf_token" });
+        // Get or fetch account ID
+        let accountId = null;
+        try {
+          const acctResp = await fetch(
+            `${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+            { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+          );
+          if (acctResp.ok) {
+            const rows = await acctResp.json();
+            if (rows.length > 0 && rows[0].value) {
+              accountId = typeof rows[0].value === "string" ? JSON.parse(rows[0].value) : rows[0].value;
+            }
+          }
+        } catch {}
+        if (!accountId) {
+          try {
+            const ar = await fetch("https://api.cloudflare.com/client/v4/accounts", {
+              headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+            });
+            const ad = await ar.json();
+            accountId = ad?.result?.[0]?.id;
+            if (accountId) {
+              await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+                method: "POST",
+                headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+                body: JSON.stringify({ key: "cf_account_id", value: accountId }),
+              });
+            }
+          } catch {}
+        }
+        if (!accountId) return ok(res, { step: "setup_wizard", error: "Could not get Cloudflare account ID" });
+        // List tunnels
+        try {
+          const tr = await fetch(
+            `https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel?is_deleted=false`,
+            { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) }
+          );
+          const td = await tr.json();
+          const tunnels = (td?.result || []).map(t => ({ id: t.id, name: t.name, status: t.status }));
+          if (tunnels.length > 0) return ok(res, { step: "pick_tunnel", tunnels, accountId });
+          // CF token exists but no tunnels — create via API (no cloudflared login needed)
+          return ok(res, { step: "no_tunnels", accountId });
+        } catch {}
+        return ok(res, { step: "setup_wizard" });
+      } catch (err) {
+        return ok(res, { step: "setup_wizard", error: err.message });
+      }
+    }
+    // POST /tunnel/setup/cf-token
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-token") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { token: cfToken } = body;
+      if (!cfToken) return strike(res, 400, "token required");
+      try {
+        const vr = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
+          headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+        });
+        const vd = await vr.json();
+        if (!vd?.success) return strike(res, 400, "Invalid Cloudflare API token");
+        const ar = await fetch("https://api.cloudflare.com/client/v4/accounts", {
+          headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000)
+        });
+        const ad = await ar.json();
+        const accountId = ad?.result?.[0]?.id;
+        const accountName = ad?.result?.[0]?.name;
+        // Save token to vault using api.write (same as /set/:service)
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        await api.write(password, machineHash, t, timestamp, "cloudflare", cfToken);
+        // Save accountId to clauth_config
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        if (accountId) {
+          await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+            method: "POST",
+            headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+            body: JSON.stringify({ key: "cf_account_id", value: accountId }),
+          });
+        }
+        return ok(res, { ok: true, accountId, accountName });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /tunnel/setup/cf-tunnels
+    if (method === "GET" && reqPath === "/tunnel/setup/cf-tunnels") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+        const cfToken = cr?.value;
+        if (!cfToken) return strike(res, 400, "No cloudflare token in vault");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        const acctResp = await fetch(
+          `${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+          { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) }
+        );
+        const acctRows = await acctResp.json();
+        const accountId = acctRows?.[0]?.value ? JSON.parse(acctRows[0].value) : null;
+        if (!accountId) return strike(res, 400, "No account ID — run cf-token first");
+        const tr = await fetch(
+          `https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel?is_deleted=false`,
+          { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) }
+        );
+        const td = await tr.json();
+        return ok(res, { tunnels: (td?.result || []).map(t => ({ id: t.id, name: t.name, status: t.status, created_at: t.created_at })) });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // POST /tunnel/setup/cf-save
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-save") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { tunnelId, tunnelName, hostname } = body;
+      if (!hostname) return strike(res, 400, "hostname required");
+      try {
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = tunnelId ? path.join(cfDir, `${tunnelId}.json`) : path.join(cfDir, "tunnel.json");
+        const configContent = `tunnel: ${tunnelId || tunnelName || "clauth"}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+        return ok(res, { ok: true, hostname });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // POST /tunnel/setup/cf-create-api — create tunnel via CF API (no cloudflared login needed)
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-create-api") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch { return strike(res, 400, "Invalid JSON"); }
+      const { name, hostname, accountId: bodyAccountId } = body;
+      if (!name || !hostname) return strike(res, 400, "name and hostname required");
+      try {
+        const { token: t, timestamp } = deriveToken(password, machineHash);
+        const cr = await api.retrieve(password, machineHash, t, timestamp, "cloudflare");
+        const cfToken = cr?.value;
+        if (!cfToken) return strike(res, 400, "No cloudflare token in vault");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        // Get accountId
+        let accountId = bodyAccountId;
+        if (!accountId) {
+          const acctResp = await fetch(`${sbUrl}/rest/v1/clauth_config?key=eq.cf_account_id&select=value`,
+            { headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}` }, signal: AbortSignal.timeout(5000) });
+          const rows = await acctResp.json();
+          accountId = rows?.[0]?.value ? JSON.parse(rows[0].value) : null;
+        }
+        if (!accountId) return strike(res, 400, "No account ID — verify CF token first");
+        // Generate tunnel secret (32 random bytes base64)
+        const { randomBytes } = await import("crypto");
+        const tunnelSecret = randomBytes(32).toString("base64");
+        // Create tunnel via CF API
+        const createResp = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/cfd_tunnel`, {
+          method: "POST",
+          headers: { Authorization: `Bearer ${cfToken}`, "Content-Type": "application/json" },
+          body: JSON.stringify({ name, tunnel_secret: tunnelSecret }),
+          signal: AbortSignal.timeout(10000),
+        });
+        const createData = await createResp.json();
+        if (!createData?.success) return strike(res, 400, createData?.errors?.[0]?.message || "Tunnel creation failed");
+        const tunnelId = createData.result.id;
+        // Write credentials file
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = path.join(cfDir, `${tunnelId}.json`);
+        fs.writeFileSync(credFile, JSON.stringify({ AccountTag: accountId, TunnelID: tunnelId, TunnelName: name, TunnelSecret: tunnelSecret }), "utf8");
+        // Write config.yml
+        const configContent = `tunnel: ${tunnelId}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+        // Route DNS via CF API — find zone for hostname
+        const domain = hostname.split(".").slice(-2).join(".");
+        const zoneResp = await fetch(`https://api.cloudflare.com/client/v4/zones?name=${domain}`,
+          { headers: { Authorization: `Bearer ${cfToken}` }, signal: AbortSignal.timeout(8000) });
+        const zoneData = await zoneResp.json();
+        const zoneId = zoneData?.result?.[0]?.id;
+        if (zoneId) {
+          await fetch(`https://api.cloudflare.com/client/v4/zones/${zoneId}/dns_records`, {
+            method: "POST",
+            headers: { Authorization: `Bearer ${cfToken}`, "Content-Type": "application/json" },
+            body: JSON.stringify({ type: "CNAME", name: hostname, content: `${tunnelId}.cfargotunnel.com`, proxied: false, ttl: 1 }),
+            signal: AbortSignal.timeout(8000),
+          });
+        }
+        // Save hostname to DB and in-process
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+        return ok(res, { ok: true, tunnelId, hostname });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /tunnel/setup/check-cloudflared
+    if (method === "GET" && reqPath === "/tunnel/setup/check-cloudflared") {
+      let cfBin = "cloudflared";
+      let installed = false;
+      if (os.platform() === "win32") {
+        const candidates = [
+          "cloudflared",
+          path.join(process.env.ProgramFiles || "", "cloudflared", "cloudflared.exe"),
+          path.join(process.env["ProgramFiles(x86)"] || "C:\\Program Files (x86)", "cloudflared", "cloudflared.exe"),
+          path.join(os.homedir(), "scoop", "shims", "cloudflared.exe"),
+          "C:\\ProgramData\\chocolatey\\bin\\cloudflared.exe",
+        ];
+        for (const c of candidates) {
+          try { if (fs.statSync(c).isFile()) { cfBin = c; installed = true; break; } } catch {}
+        }
+      }
+      if (!installed) {
+        try {
+          const { execSync: es } = await import("child_process");
+          es("cloudflared --version", { stdio: "ignore" });
+          installed = true; cfBin = "cloudflared";
+        } catch {}
+      }
+      return ok(res, { installed, path: installed ? cfBin : null });
+    }
+    // POST /tunnel/setup/cf-login — SSE stream of cloudflared tunnel login
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-login") {
+      if (lockedGuard(res)) return;
+      res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", ...CORS });
+      const sendEvt = (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+      try {
+        const { spawn } = await import("child_process");
+        const proc = spawn("cloudflared", ["tunnel", "login"], { stdio: ["ignore","pipe","pipe"] });
+        proc.stdout.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l })));
+        proc.stderr.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l })));
+        proc.on("close", code => { sendEvt({ done: true, code }); res.end(); });
+        req.on("close", () => { try { proc.kill(); } catch {} });
+      } catch (err) {
+        sendEvt({ done: true, code: 1, error: err.message });
+        res.end();
+      }
+    }
+    // POST /tunnel/setup/cf-create — SSE stream create + route DNS + save
+    if (method === "POST" && reqPath === "/tunnel/setup/cf-create") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const { name, hostname } = body;
+      if (!name || !hostname) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "name and hostname required" }));
+      }
+      res.writeHead(200, { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", "Connection": "keep-alive", ...CORS });
+      const sendEvt = (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+      try {
+        const { spawn } = await import("child_process");
+        // Step 1: create tunnel
+        sendEvt({ line: `Creating tunnel "${name}"…`, step: 1 });
+        let tunnelId = null;
+        await new Promise((resolve, reject) => {
+          const proc = spawn("cloudflared", ["tunnel", "create", name], { stdio: ["ignore","pipe","pipe"] });
+          let output = "";
+          proc.stdout.on("data", d => { const s = d.toString(); output += s; s.split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 1 })); });
+          proc.stderr.on("data", d => { const s = d.toString(); output += s; s.split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 1 })); });
+          proc.on("close", code => {
+            const m = output.match(/Created tunnel .+ with id ([a-f0-9-]{36})/i);
+            if (m) tunnelId = m[1];
+            if (code !== 0 && !tunnelId) reject(new Error(`create failed (exit ${code})`));
+            else resolve();
+          });
+        });
+        if (!tunnelId) {
+          sendEvt({ error: "Could not parse tunnel ID from cloudflared output" });
+          return res.end();
+        }
+        // Step 2: route DNS
+        sendEvt({ line: `Routing DNS: ${hostname}…`, step: 2 });
+        await new Promise((resolve) => {
+          const proc = spawn("cloudflared", ["tunnel", "route", "dns", name, hostname], { stdio: ["ignore","pipe","pipe"] });
+          proc.stdout.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 2 })));
+          proc.stderr.on("data", d => d.toString().split("\n").forEach(l => l.trim() && sendEvt({ line: l, step: 2 })));
+          proc.on("close", () => resolve());
+        });
+        // Step 3: save config
+        const cfDir = path.join(os.homedir(), ".cloudflared");
+        if (!fs.existsSync(cfDir)) fs.mkdirSync(cfDir, { recursive: true });
+        const credFile = path.join(cfDir, `${tunnelId}.json`);
+        const configContent = `tunnel: ${tunnelId}\ncredentials-file: ${credFile}\ningress:\n  - hostname: ${hostname}\n    service: http://127.0.0.1:${port}\n  - service: http_status:404\n`;
+        fs.writeFileSync(path.join(cfDir, "config.yml"), configContent, "utf8");
+        const sbUrl = (api.getBaseUrl() || "").replace("/functions/v1/auth-vault", "");
+        const sbKey = api.getAnonKey();
+        await fetch(`${sbUrl}/rest/v1/clauth_config`, {
+          method: "POST",
+          headers: { apikey: sbKey, Authorization: `Bearer ${sbKey}`, "Content-Type": "application/json", Prefer: "resolution=merge-duplicates" },
+          body: JSON.stringify({ key: "tunnel_hostname", value: JSON.stringify(hostname) }),
+        });
+        tunnelHostname = hostname;
+        tunnelUrl = `https://${hostname}`;
+        sendEvt({ done: true, tunnelId, hostname });
+        res.end();
+      } catch (err) {
+        sendEvt({ error: err.message, done: true });
+        res.end();
+      }
+    }
     // POST /change-pw — change master password (must be unlocked)
     if (method === "POST" && reqPath === "/change-pw") {
       if (lockedGuard(res)) return;
@@ -2537,19 +3596,36 @@ async function verifyAuth(password) {
 }
 async function actionStart(opts) {
-  const port     = parseInt(opts.port || "52437", 10);
+  const isStaged = !!opts.staged || process.env.__CLAUTH_STAGED === "1";
+  const port     = isStaged ? STAGED_PORT : parseInt(opts.port || String(LIVE_PORT), 10);
   const password = opts.pw;
   const tunnelHostname = opts.tunnel || null;
   const whitelist = opts.services
     ? opts.services.split(",").map(s => s.trim().toLowerCase())
     : null;
-  // Check for existing instance
-  const existing = readPid();
-  if (existing && isProcessAlive(existing.pid)) {
-    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
-    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
-    process.exit(1);
+  if (isStaged) {
+    // Staged mode: allow running alongside live instance
+    const existingStaged = readStagedPid();
+    if (existingStaged) {
+      try {
+        const resp = await fetch(`http://127.0.0.1:${existingStaged.port}/ping`);
+        if (resp.ok) {
+          console.log(chalk.yellow(`\n  Staged instance already running (PID ${existingStaged.pid}, port ${existingStaged.port})`));
+          console.log(chalk.gray(`  Open http://127.0.0.1:${existingStaged.port} to verify, then click Make Live\n`));
+          process.exit(1);
+        }
+      } catch {}
+      removeStagedPid();
+    }
+  } else {
+    // Normal mode: check for existing instance
+    const existing = readPid();
+    if (existing && isProcessAlive(existing.pid)) {
+      console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+      console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+      process.exit(1);
+    }
   }
   // If we're the daemon child, run the server directly
@@ -2565,10 +3641,15 @@ async function actionStart(opts) {
       }
     }
-    const server = createServer(password, whitelist, port, tunnelHostname);
+    const server = createServer(password, whitelist, port, tunnelHostname, isStaged);
     server.listen(port, "127.0.0.1", () => {
-      writePid(process.pid, port);
-      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      if (isStaged) {
+        writeStagedPid(process.pid, port);
+      } else {
+        writePid(process.pid, port);
+      }
+      const label = isStaged ? "STAGED" : "LIVE";
+      const msg = `[${new Date().toISOString()}] clauth serve started [${label}] — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
       fs.appendFileSync(LOG_FILE, msg);
     });
@@ -2578,7 +3659,10 @@ async function actionStart(opts) {
       process.exit(1);
     });
-    const shutdown = () => { removePid(); process.exit(0); };
+    const shutdown = () => {
+      if (isStaged) { removeStagedPid(); } else { removePid(); }
+      process.exit(0);
+    };
     process.on("SIGTERM", shutdown);
     process.on("SIGINT", shutdown);
     return;
@@ -2610,12 +3694,13 @@ async function actionStart(opts) {
   if (password) childArgs.push("--pw", password);
   if (opts.services) childArgs.push("--services", opts.services);
   if (tunnelHostname) childArgs.push("--tunnel", tunnelHostname);
+  if (isStaged) childArgs.push("--staged");
   const out = fs.openSync(LOG_FILE, "a");
   const child = spawn(process.execPath, childArgs, {
     detached: true,
     stdio: ["ignore", out, out],
-    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+    env: { ...process.env, __CLAUTH_DAEMON: "1", ...(isStaged ? { __CLAUTH_STAGED: "1" } : {}) },
   });
   child.unref();
@@ -2630,14 +3715,18 @@ async function actionStart(opts) {
     } catch {}
   }
-  const info = readPid();
+  const readInfo = isStaged ? readStagedPid : readPid;
+  const info = readInfo();
   if (started && info) {
-    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    const label = isStaged ? "⚡ STAGED" : "🔐";
+    console.log(chalk.green(`\n  ${label} clauth serve started`));
     console.log(chalk.gray(`  PID:      ${info.pid}`));
     console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
     console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
     console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
-    if (!password) {
+    if (isStaged) {
+      console.log(chalk.yellow(`\n  ⚡ Staged on port ${port} — open dashboard to verify, then click "Make Live"`));
+    } else if (!password) {
       console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
     }
     console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
@@ -3428,19 +4517,33 @@ async function installWindows(pw, tunnelHostname, execSync) {
     ].join("\n");
     fs.writeFileSync(psScriptPath, psScript, "utf8");
   } else {
-    // ── First-run mode: no password yet — start locked, browser opens for setup ──
-    // Watchdog starts the daemon in locked mode; user enters password in the browser dashboard.
-    // After entering password in the browser, user can seal it for future unattended restarts
-    // by running: clauth serve seal
+    // ── Adaptive mode: check for boot.key on each restart ──
+    // If boot.key exists (auto-sealed after browser unlock), decrypt and start unlocked.
+    // If boot.key missing (user clicked Stop, or first run), start locked + open browser.
     const psScript = [
-      "# clauth autostart + watchdog (locked mode — browser password entry)",
-      "# Starts daemon locked, opens browser for password. Restarts on crash every 15s.",
+      "# clauth autostart + watchdog (adaptive: sealed if boot.key exists, locked otherwise)",
+      "# Restarts on crash every 15s. Auto-unlock if DPAPI boot.key available.",
+      "",
+      `$bootKey = '${bootKey}'`,
       "",
       "while ($true) {",
       "  try {",
       "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
       "  } catch {",
-      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    if (Test-Path $bootKey) {",
+      "      # boot.key exists — decrypt via DPAPI and start unlocked",
+      "      try {",
+      "        $enc = (Get-Content $bootKey -Raw).Trim()",
+      "        $pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))",
+      `        Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw${tunnelArg}" -WindowStyle Hidden`,
+      "      } catch {",
+      "        # DPAPI decrypt failed — start locked",
+      `        Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "      }",
+      "    } else {",
+      "      # No boot.key — start locked, user enters password in browser",
+      `      Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    }",
       "    Start-Sleep -Seconds 5",
       "  }",
       "  Start-Sleep -Seconds 15",
@@ -3449,20 +4552,35 @@ async function installWindows(pw, tunnelHostname, execSync) {
     fs.writeFileSync(psScriptPath, psScript, "utf8");
   }
-  // Register Windows Scheduled Task — triggers on user logon
+  // Register auto-start — try HKCU\Run first (no admin), fall back to Scheduled Task
   const mode = pw ? "sealed — fully unattended" : "locked — browser password entry";
-  const spinner2 = ora(`Registering Scheduled Task (${mode})...`).start();
+  const spinner2 = ora(`Registering auto-start (${mode})...`).start();
+  const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
+  const regValue = `powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+  let autoStartOk = false;
+  // Method 1: HKCU\Run registry key (no elevation needed)
   try {
-    const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
-    const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
     execSync(
-      `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+      `reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "${TASK_NAME}" /t REG_SZ /d "${regValue}" /f`,
       { encoding: "utf8", stdio: "pipe" }
     );
-    spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
-  } catch (err) {
-    spinner2.fail(chalk.yellow(`Scheduled task failed (non-fatal): ${err.message}`));
-    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+    spinner2.succeed(chalk.green(`Registry auto-start registered (HKCU\\Run)`));
+    autoStartOk = true;
+  } catch {
+    // Method 2: Scheduled Task (needs admin)
+    try {
+      const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+      execSync(
+        `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+        { encoding: "utf8", stdio: "pipe" }
+      );
+      spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
+      autoStartOk = true;
+    } catch (err) {
+      spinner2.fail(chalk.yellow(`Auto-start registration failed (non-fatal): ${err.message}`));
+      console.log(chalk.gray("  You can still start manually: clauth serve start"));
+    }
   }
   // Start the daemon now
@@ -3711,7 +4829,13 @@ async function uninstallWindows(execSync) {
   const bootKeyPath  = path.join(autostartDir, "boot.key");
   const psScriptPath = path.join(autostartDir, "autostart.ps1");
-  // Remove scheduled task
+  // Remove HKCU\Run registry key
+  try {
+    execSync(`reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "${TASK_NAME}" /f`, { encoding: "utf8", stdio: "pipe" });
+    console.log(chalk.green(`  Removed Registry auto-start: ${TASK_NAME}`));
+  } catch { console.log(chalk.gray(`  Registry key not found (already removed): ${TASK_NAME}`)); }
+  // Remove scheduled task (legacy)
   try {
     execSync(`${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
     console.log(chalk.green(`  Removed Scheduled Task: ${TASK_NAME}`));
@@ -3789,6 +4913,53 @@ async function uninstallLinux(execSync) {
 }
 // ── Export ────────────────────────────────────────────────────
+// ── Blue-green upgrade: npm update + start staged + open dashboard ──
+async function actionUpgrade(opts) {
+  console.log(chalk.cyan("\n  ⚡ Blue-green upgrade\n"));
+  // Step 1: Check current live version
+  const liveInfo = readPid();
+  let liveVersion = "unknown";
+  if (liveInfo) {
+    try {
+      const resp = await fetch(`http://127.0.0.1:${liveInfo.port}/ping`);
+      const data = await resp.json();
+      liveVersion = data.app_version || "unknown";
+    } catch {}
+  }
+  console.log(chalk.gray(`  Live version:    v${liveVersion} (port ${liveInfo?.port || LIVE_PORT})`));
+  // Step 2: npm update
+  const spinner = ora("Updating @lifeaitools/clauth from npm...").start();
+  try {
+    execSyncTop("npm install -g @lifeaitools/clauth@latest", { encoding: "utf8", stdio: "pipe", timeout: 60000 });
+    // Read new version from installed package
+    const newPkg = JSON.parse(fs.readFileSync(
+      path.join(path.dirname(process.execPath), "..", "lib", "node_modules", "@lifeaitools", "clauth", "package.json"), "utf8"
+    ).toString());
+    spinner.succeed(chalk.green(`Updated to v${newPkg.version}`));
+    console.log(chalk.gray(`  Staged version:  v${newPkg.version} (port ${STAGED_PORT})`));
+  } catch (err) {
+    // Try alternate npm global path (Windows)
+    try {
+      const npmGlobal = path.join(os.homedir(), "AppData", "Roaming", "npm");
+      const newPkg = JSON.parse(fs.readFileSync(
+        path.join(npmGlobal, "node_modules", "@lifeaitools", "clauth", "package.json"), "utf8"
+      ).toString());
+      spinner.succeed(chalk.green(`Updated to v${newPkg.version}`));
+    } catch {
+      spinner.fail(chalk.yellow(`npm update may have failed: ${err.message}`));
+      console.log(chalk.gray("  Continuing with staged start anyway..."));
+    }
+  }
+  // Step 3: Start staged instance
+  console.log(chalk.gray(`\n  Starting staged instance on port ${STAGED_PORT}...`));
+  opts.staged = true;
+  opts.port = String(STAGED_PORT);
+  return actionStart(opts);
+}
 export async function runServe(opts) {
   const action = opts.action || "foreground";
@@ -3801,9 +4972,10 @@ export async function runServe(opts) {
     case "mcp":        return actionMcp(opts);
     case "install":    return actionInstall(opts);
     case "uninstall":  return actionUninstall();
+    case "upgrade":    return actionUpgrade(opts);
     default:
       console.log(chalk.red(`\n  Unknown serve action: ${action}`));
-      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp | install | uninstall\n"));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp | install | uninstall | upgrade\n"));
       process.exit(1);
   }
 }