@lifeaitools/clauth 1.2.3 → 1.3.0

package/cli/commands/serve.js

@@ -58,7 +58,10 @@ ALTER TABLE clauth_config ENABLE ROW LEVEL SECURITY;`,
 const CURRENT_SCHEMA_VERSION = 3;
 
 const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const STAGED_PID_FILE = path.join(os.tmpdir(), "clauth-serve-staged.pid");
 const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+const LIVE_PORT = 52437;
+const STAGED_PORT = 52438;
 
 // ── PID helpers ──────────────────────────────────────────────
 function readPid() {
@@ -73,6 +76,22 @@ function writePid(pid, port) {
   fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
 }
 
+function readStagedPid() {
+  try {
+    const raw = fs.readFileSync(STAGED_PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+
+function writeStagedPid(pid, port) {
+  fs.writeFileSync(STAGED_PID_FILE, `${pid}:${port}`, "utf8");
+}
+
+function removeStagedPid() {
+  try { fs.unlinkSync(STAGED_PID_FILE); } catch {}
+}
+
 function removePid() {
   try { fs.unlinkSync(PID_FILE); } catch {}
 }
@@ -91,7 +110,7 @@ function openBrowser(url) {
 }
 
 // ── Dashboard HTML ───────────────────────────────────────────
-function dashboardHtml(port, whitelist) {
+function dashboardHtml(port, whitelist, isStaged = false) {
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -341,8 +360,15 @@ function dashboardHtml(port, whitelist) {
   </div>
   <div class="header">
     <div class="dot" id="dot"></div>
-    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
+    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span>${isStaged ? `<span style="font-size:0.5em;background:#b45309;color:#fef3c7;border-radius:4px;padding:2px 10px;margin-left:12px;font-weight:600;letter-spacing:.5px">STAGED</span>` : ""}</h1>
   </div>
+  ${isStaged ? `<div id="staged-banner" style="background:linear-gradient(135deg,#78350f,#92400e);border:1px solid #b45309;border-radius:6px;padding:12px 16px;margin:0 16px 8px;display:flex;align-items:center;justify-content:space-between">
+    <div>
+      <strong style="color:#fef3c7">⚡ Staged deployment</strong>
+      <span style="color:#fcd34d;font-size:.85rem;margin-left:8px">Running on port ${port} — verify before making live</span>
+    </div>
+    <button onclick="makeLive()" style="background:#15803d;border:1px solid #16a34a;color:#dcfce7;padding:6px 16px;border-radius:4px;cursor:pointer;font-weight:600;font-size:.85rem">✓ Make Live</button>
+  </div>` : ""}
   <div id="error-bar" class="error-bar"></div>
   <div class="status-bar">
     <div>PID: <span id="s-pid">—</span></div>
@@ -364,6 +390,7 @@ function dashboardHtml(port, whitelist) {
     <button class="btn-add" onclick="toggleAddService()">+ Add Service</button>
     <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
     <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
+    <button class="btn-stop" onclick="stopDaemon()" style="background:#7f1d1d;border:1px solid #991b1b;color:#fca5a5" title="Stop daemon — password required on next start">⏹ Stop</button>
     <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
   </div>
 
@@ -695,6 +722,34 @@ async function lockVault() {
   showLockScreen();
 }
 
+// ── Make Live (blue-green: promote staged instance to live port) ──
+async function makeLive() {
+  if (!confirm("Promote this staged instance to live?\\n\\nThe current live daemon (port ${LIVE_PORT}) will be stopped and this instance will restart on port ${LIVE_PORT}.")) return;
+  const banner = document.getElementById("staged-banner");
+  if (banner) banner.innerHTML = '<div style="color:#fef3c7"><strong>⏳ Promoting to live...</strong></div>';
+  try {
+    const resp = await fetch(BASE + "/make-live", { method: "POST" });
+    const data = await resp.json();
+    if (data.ok) {
+      document.getElementById("main-view").innerHTML = '<div style="text-align:center;padding:80px 20px"><div style="font-size:3rem;margin-bottom:16px">✅</div><div style="font-size:1.1rem;color:#4ade80">Promoted to live!</div><div style="font-size:.85rem;color:#94a3b8;margin-top:8px">Restarting on port ${LIVE_PORT}... page will reload in 5 seconds.</div></div>';
+      setTimeout(() => { window.location.href = "http://127.0.0.1:" + ${LIVE_PORT}; }, 5000);
+    } else {
+      if (banner) banner.innerHTML = '<div style="color:#fca5a5"><strong>❌ Promotion failed:</strong> ' + (data.error || 'unknown') + '</div>';
+    }
+  } catch (err) {
+    if (banner) banner.innerHTML = '<div style="color:#fca5a5"><strong>❌ Promotion failed:</strong> ' + err.message + '</div>';
+  }
+}
+
+// ── Stop daemon (user-initiated — clears boot.key, requires password on restart) ──
+async function stopDaemon() {
+  if (!confirm("Stop the daemon?\\n\\nCredentials will need to be re-entered on next start.")) return;
+  try {
+    await fetch(BASE + "/shutdown-ui", { method: "POST" });
+  } catch {}
+  document.getElementById("main-view").innerHTML = '<div style="text-align:center;padding:80px 20px"><div style="font-size:3rem;margin-bottom:16px">⏹</div><div style="font-size:1.1rem;color:#94a3b8">Daemon stopped</div><div style="font-size:.85rem;color:#64748b;margin-top:8px">Restart with: clauth serve start</div></div>';
+}
+
 // ── Load services ───────────────────────────
 let allServices = [];
 let activeProjectTab = "all";
@@ -1780,7 +1835,7 @@ function readBody(req) {
 }
 
 // ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port, tunnelHostnameInit = null) {
+function createServer(initPassword, whitelist, port, tunnelHostnameInit = null, isStaged = false) {
   // tunnelHostname may be updated at runtime (fetched from DB after unlock)
   let tunnelHostname = tunnelHostnameInit;
 
@@ -1916,6 +1971,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
 
       const proc = spawnProc(cfBin, args, {
         stdio: ["ignore", "pipe", "pipe"],
+        windowsHide: true,
       });
 
       tunnelProc = proc;
@@ -2516,7 +2572,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
     // GET / — built-in web dashboard
     if (method === "GET" && reqPath === "/") {
       res.writeHead(200, { "Content-Type": "text/html", ...CORS });
-      return res.end(dashboardHtml(port, whitelist));
+      return res.end(dashboardHtml(port, whitelist, isStaged));
     }
 
     // GET /ping
@@ -2532,6 +2588,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
         tunnel_status: tunnelStatus,
         tunnel_url: tunnelUrl || null,
         app_version: VERSION,
+        staged: isStaged,
         schema_version: CURRENT_SCHEMA_VERSION,
       });
     }
@@ -2603,7 +2660,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       return ok(res, { status: tunnelStatus });
     }
 
-    // GET /shutdown (for daemon stop)
+    // GET /shutdown (for daemon stop — programmatic, keeps boot.key)
     if (method === "GET" && reqPath === "/shutdown") {
       stopTunnel();
       ok(res, { ok: true, message: "shutting down" });
@@ -2612,6 +2669,100 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
       return;
     }
 
+    // POST /shutdown-ui (user-initiated stop — clears boot.key so password is required on restart)
+    if (method === "POST" && reqPath === "/shutdown-ui") {
+      stopTunnel();
+      // Clear boot.key so watchdog can't auto-unlock on restart
+      const bootKeyPath = getBootKeyPath();
+      if (bootKeyPath) {
+        try { fs.unlinkSync(bootKeyPath); } catch {}
+      }
+      ok(res, { ok: true, message: "shutting down (user-initiated, boot.key cleared)" });
+      const logLine = `[${new Date().toISOString()}] User-initiated shutdown via UI — boot.key cleared\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+
+    // POST /make-live (blue-green: staged instance promotes itself to live port)
+    if (method === "POST" && reqPath === "/make-live") {
+      if (!isStaged) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Not a staged instance" }));
+      }
+      const logLine = `[${new Date().toISOString()}] Make-live: promoting staged (port ${port}) to live (port ${LIVE_PORT})\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+
+      // Stop the current live daemon if running
+      try { await fetch(`http://127.0.0.1:${LIVE_PORT}/shutdown`); } catch {}
+
+      // Wait for port to be released (Windows is slow to release sockets)
+      let portFree = false;
+      for (let i = 0; i < 10; i++) {
+        await new Promise(r => setTimeout(r, 1000));
+        try {
+          await fetch(`http://127.0.0.1:${LIVE_PORT}/ping`);
+          // Still responding — not dead yet
+        } catch {
+          portFree = true;
+          break;
+        }
+      }
+      if (!portFree) {
+        const errLog = `[${new Date().toISOString()}] Make-live: live daemon on port ${LIVE_PORT} failed to stop within 10s\n`;
+        try { fs.appendFileSync(LOG_FILE, errLog); } catch {}
+      }
+
+      // Stop tunnel on this instance (will restart on new port)
+      stopTunnel();
+
+      // Clean up staged PID file
+      removeStagedPid();
+
+      // Spawn a new daemon on the live port with same credentials
+      const { spawn } = await import("child_process");
+      const cliEntry = path.resolve(__dirname, "../index.js");
+      const childArgs = [cliEntry, "serve", "start", "--port", String(LIVE_PORT)];
+      if (password) childArgs.push("--pw", password);
+      if (whitelist) childArgs.push("--services", whitelist.join(","));
+      if (tunnelHostname) childArgs.push("--tunnel", tunnelHostname);
+
+      const out = fs.openSync(LOG_FILE, "a");
+      const childEnv = { ...process.env, __CLAUTH_DAEMON: "1" };
+      delete childEnv.__CLAUTH_STAGED;  // Clear staged flag — child is live
+      const child = spawn(process.execPath, childArgs, {
+        detached: true,
+        stdio: ["ignore", out, out],
+        env: childEnv,
+      });
+      child.unref();
+
+      // Wait for new live daemon to be reachable
+      let promoted = false;
+      for (let i = 0; i < 8; i++) {
+        await new Promise(r => setTimeout(r, 1000));
+        try {
+          const resp = await fetch(`http://127.0.0.1:${LIVE_PORT}/ping`);
+          if (resp.ok) { promoted = true; break; }
+        } catch {}
+      }
+
+      if (promoted) {
+        const okLog = `[${new Date().toISOString()}] Make-live: promoted to live on port ${LIVE_PORT}\n`;
+        try { fs.appendFileSync(LOG_FILE, okLog); } catch {}
+        ok(res, { ok: true, message: "promoted to live", live_port: LIVE_PORT });
+      } else {
+        const failLog = `[${new Date().toISOString()}] Make-live: new daemon failed to start on port ${LIVE_PORT}\n`;
+        try { fs.appendFileSync(LOG_FILE, failLog); } catch {}
+        ok(res, { ok: false, error: "New daemon failed to start on live port — check log" });
+      }
+
+      // Self-terminate after response is sent
+      setTimeout(() => process.exit(0), 500);
+      return;
+    }
+
     // Locked guard — returns true if locked and already responded
     function lockedGuard(res) {
       if (!password) {
@@ -2708,6 +2859,25 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null)
         password = pw;   // unlock — store in process memory only
         const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
         try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        // Auto-seal: DPAPI-encrypt password to boot.key for passwordless crash recovery
+        // Only on Windows; only if autostart dir exists (i.e., install was run)
+        if (os.platform() === "win32") {
+          const autostartDir = path.join(os.homedir(), "AppData", "Roaming", "clauth");
+          const bootKeyPath = path.join(autostartDir, "boot.key");
+          if (fs.existsSync(autostartDir)) {
+            try {
+              const pwEscaped = pw.replace(/'/g, "''");
+              const psExpr = `[Convert]::ToBase64String([Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::UTF8.GetBytes('${pwEscaped}'),$null,'CurrentUser'))`;
+              const encrypted = execSyncTop(`powershell -NoProfile -Command "${psExpr}"`, { encoding: "utf8", timeout: 5000 }).trim();
+              fs.writeFileSync(bootKeyPath, encrypted, "utf8");
+              const sealLog = `[${new Date().toISOString()}] Auto-sealed boot.key via DPAPI (crash recovery enabled)\n`;
+              try { fs.appendFileSync(LOG_FILE, sealLog); } catch {}
+            } catch (sealErr) {
+              const sealLog = `[${new Date().toISOString()}] Auto-seal failed (non-fatal): ${sealErr.message}\n`;
+              try { fs.appendFileSync(LOG_FILE, sealLog); } catch {}
+            }
+          }
+        }
         // Auto-start tunnel: --tunnel flag takes priority, otherwise fetch from DB
         if (!tunnelHostname) {
           fetchTunnelConfig().then(configured => {
@@ -3426,19 +3596,36 @@ async function verifyAuth(password) {
 }
 
 async function actionStart(opts) {
-  const port     = parseInt(opts.port || "52437", 10);
+  const isStaged = !!opts.staged || process.env.__CLAUTH_STAGED === "1";
+  const port     = isStaged ? STAGED_PORT : parseInt(opts.port || String(LIVE_PORT), 10);
   const password = opts.pw;
   const tunnelHostname = opts.tunnel || null;
   const whitelist = opts.services
     ? opts.services.split(",").map(s => s.trim().toLowerCase())
     : null;
 
-  // Check for existing instance
-  const existing = readPid();
-  if (existing && isProcessAlive(existing.pid)) {
-    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
-    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
-    process.exit(1);
+  if (isStaged) {
+    // Staged mode: allow running alongside live instance
+    const existingStaged = readStagedPid();
+    if (existingStaged) {
+      try {
+        const resp = await fetch(`http://127.0.0.1:${existingStaged.port}/ping`);
+        if (resp.ok) {
+          console.log(chalk.yellow(`\n  Staged instance already running (PID ${existingStaged.pid}, port ${existingStaged.port})`));
+          console.log(chalk.gray(`  Open http://127.0.0.1:${existingStaged.port} to verify, then click Make Live\n`));
+          process.exit(1);
+        }
+      } catch {}
+      removeStagedPid();
+    }
+  } else {
+    // Normal mode: check for existing instance
+    const existing = readPid();
+    if (existing && isProcessAlive(existing.pid)) {
+      console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+      console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+      process.exit(1);
+    }
   }
 
   // If we're the daemon child, run the server directly
@@ -3454,10 +3641,15 @@ async function actionStart(opts) {
       }
     }
 
-    const server = createServer(password, whitelist, port, tunnelHostname);
+    const server = createServer(password, whitelist, port, tunnelHostname, isStaged);
     server.listen(port, "127.0.0.1", () => {
-      writePid(process.pid, port);
-      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      if (isStaged) {
+        writeStagedPid(process.pid, port);
+      } else {
+        writePid(process.pid, port);
+      }
+      const label = isStaged ? "STAGED" : "LIVE";
+      const msg = `[${new Date().toISOString()}] clauth serve started [${label}] — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
       fs.appendFileSync(LOG_FILE, msg);
     });
 
@@ -3467,7 +3659,10 @@ async function actionStart(opts) {
       process.exit(1);
     });
 
-    const shutdown = () => { removePid(); process.exit(0); };
+    const shutdown = () => {
+      if (isStaged) { removeStagedPid(); } else { removePid(); }
+      process.exit(0);
+    };
     process.on("SIGTERM", shutdown);
     process.on("SIGINT", shutdown);
     return;
@@ -3499,12 +3694,13 @@ async function actionStart(opts) {
   if (password) childArgs.push("--pw", password);
   if (opts.services) childArgs.push("--services", opts.services);
   if (tunnelHostname) childArgs.push("--tunnel", tunnelHostname);
+  if (isStaged) childArgs.push("--staged");
 
   const out = fs.openSync(LOG_FILE, "a");
   const child = spawn(process.execPath, childArgs, {
     detached: true,
     stdio: ["ignore", out, out],
-    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+    env: { ...process.env, __CLAUTH_DAEMON: "1", ...(isStaged ? { __CLAUTH_STAGED: "1" } : {}) },
   });
   child.unref();
 
@@ -3519,14 +3715,18 @@ async function actionStart(opts) {
     } catch {}
   }
 
-  const info = readPid();
+  const readInfo = isStaged ? readStagedPid : readPid;
+  const info = readInfo();
   if (started && info) {
-    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    const label = isStaged ? "⚡ STAGED" : "🔐";
+    console.log(chalk.green(`\n  ${label} clauth serve started`));
     console.log(chalk.gray(`  PID:      ${info.pid}`));
     console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
     console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
     console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
-    if (!password) {
+    if (isStaged) {
+      console.log(chalk.yellow(`\n  ⚡ Staged on port ${port} — open dashboard to verify, then click "Make Live"`));
+    } else if (!password) {
       console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
     }
     console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
@@ -4317,19 +4517,33 @@ async function installWindows(pw, tunnelHostname, execSync) {
     ].join("\n");
     fs.writeFileSync(psScriptPath, psScript, "utf8");
   } else {
-    // ── First-run mode: no password yet — start locked, browser opens for setup ──
-    // Watchdog starts the daemon in locked mode; user enters password in the browser dashboard.
-    // After entering password in the browser, user can seal it for future unattended restarts
-    // by running: clauth serve seal
+    // ── Adaptive mode: check for boot.key on each restart ──
+    // If boot.key exists (auto-sealed after browser unlock), decrypt and start unlocked.
+    // If boot.key missing (user clicked Stop, or first run), start locked + open browser.
     const psScript = [
-      "# clauth autostart + watchdog (locked mode — browser password entry)",
-      "# Starts daemon locked, opens browser for password. Restarts on crash every 15s.",
+      "# clauth autostart + watchdog (adaptive: sealed if boot.key exists, locked otherwise)",
+      "# Restarts on crash every 15s. Auto-unlock if DPAPI boot.key available.",
+      "",
+      `$bootKey = '${bootKey}'`,
       "",
       "while ($true) {",
       "  try {",
       "    $ping = Invoke-RestMethod -Uri 'http://127.0.0.1:52437/ping' -TimeoutSec 3 -ErrorAction Stop",
       "  } catch {",
-      `    Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    if (Test-Path $bootKey) {",
+      "      # boot.key exists — decrypt via DPAPI and start unlocked",
+      "      try {",
+      "        $enc = (Get-Content $bootKey -Raw).Trim()",
+      "        $pw = [Text.Encoding]::UTF8.GetString([Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($enc),$null,'CurrentUser'))",
+      `        Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start -p $pw${tunnelArg}" -WindowStyle Hidden`,
+      "      } catch {",
+      "        # DPAPI decrypt failed — start locked",
+      `        Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "      }",
+      "    } else {",
+      "      # No boot.key — start locked, user enters password in browser",
+      `      Start-Process '${nodeExe}' -ArgumentList "'${cliEntry}' serve start${tunnelArg}" -WindowStyle Hidden`,
+      "    }",
       "    Start-Sleep -Seconds 5",
       "  }",
       "  Start-Sleep -Seconds 15",
@@ -4338,20 +4552,35 @@ async function installWindows(pw, tunnelHostname, execSync) {
     fs.writeFileSync(psScriptPath, psScript, "utf8");
   }
 
-  // Register Windows Scheduled Task — triggers on user logon
+  // Register auto-start — try HKCU\Run first (no admin), fall back to Scheduled Task
   const mode = pw ? "sealed — fully unattended" : "locked — browser password entry";
-  const spinner2 = ora(`Registering Scheduled Task (${mode})...`).start();
+  const spinner2 = ora(`Registering auto-start (${mode})...`).start();
+  const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
+  const regValue = `powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+  let autoStartOk = false;
+
+  // Method 1: HKCU\Run registry key (no elevation needed)
   try {
-    const psScriptEsc = psScriptPath.replace(/\\/g, "\\\\");
-    const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
     execSync(
-      `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+      `reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "${TASK_NAME}" /t REG_SZ /d "${regValue}" /f`,
       { encoding: "utf8", stdio: "pipe" }
     );
-    spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
-  } catch (err) {
-    spinner2.fail(chalk.yellow(`Scheduled task failed (non-fatal): ${err.message}`));
-    console.log(chalk.gray("  You can still start manually: clauth serve start"));
+    spinner2.succeed(chalk.green(`Registry auto-start registered (HKCU\\Run)`));
+    autoStartOk = true;
+  } catch {
+    // Method 2: Scheduled Task (needs admin)
+    try {
+      const args = `-NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "${psScriptEsc}"`;
+      execSync(
+        `${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /create /f /tn "${TASK_NAME}" /sc onlogon /tr "powershell.exe ${args}"`,
+        { encoding: "utf8", stdio: "pipe" }
+      );
+      spinner2.succeed(chalk.green(`Scheduled Task "${TASK_NAME}" registered`));
+      autoStartOk = true;
+    } catch (err) {
+      spinner2.fail(chalk.yellow(`Auto-start registration failed (non-fatal): ${err.message}`));
+      console.log(chalk.gray("  You can still start manually: clauth serve start"));
+    }
   }
 
   // Start the daemon now
@@ -4600,7 +4829,13 @@ async function uninstallWindows(execSync) {
   const bootKeyPath  = path.join(autostartDir, "boot.key");
   const psScriptPath = path.join(autostartDir, "autostart.ps1");
 
-  // Remove scheduled task
+  // Remove HKCU\Run registry key
+  try {
+    execSync(`reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "${TASK_NAME}" /f`, { encoding: "utf8", stdio: "pipe" });
+    console.log(chalk.green(`  Removed Registry auto-start: ${TASK_NAME}`));
+  } catch { console.log(chalk.gray(`  Registry key not found (already removed): ${TASK_NAME}`)); }
+
+  // Remove scheduled task (legacy)
   try {
     execSync(`${process.env.SystemRoot || "C:\\\\Windows"}\\\\System32\\\\schtasks.exe /delete /f /tn "${TASK_NAME}"`, { encoding: "utf8", stdio: "pipe" });
     console.log(chalk.green(`  Removed Scheduled Task: ${TASK_NAME}`));
@@ -4678,6 +4913,53 @@ async function uninstallLinux(execSync) {
 }
 
 // ── Export ────────────────────────────────────────────────────
+// ── Blue-green upgrade: npm update + start staged + open dashboard ──
+async function actionUpgrade(opts) {
+  console.log(chalk.cyan("\n  ⚡ Blue-green upgrade\n"));
+
+  // Step 1: Check current live version
+  const liveInfo = readPid();
+  let liveVersion = "unknown";
+  if (liveInfo) {
+    try {
+      const resp = await fetch(`http://127.0.0.1:${liveInfo.port}/ping`);
+      const data = await resp.json();
+      liveVersion = data.app_version || "unknown";
+    } catch {}
+  }
+  console.log(chalk.gray(`  Live version:    v${liveVersion} (port ${liveInfo?.port || LIVE_PORT})`));
+
+  // Step 2: npm update
+  const spinner = ora("Updating @lifeaitools/clauth from npm...").start();
+  try {
+    execSyncTop("npm install -g @lifeaitools/clauth@latest", { encoding: "utf8", stdio: "pipe", timeout: 60000 });
+    // Read new version from installed package
+    const newPkg = JSON.parse(fs.readFileSync(
+      path.join(path.dirname(process.execPath), "..", "lib", "node_modules", "@lifeaitools", "clauth", "package.json"), "utf8"
+    ).toString());
+    spinner.succeed(chalk.green(`Updated to v${newPkg.version}`));
+    console.log(chalk.gray(`  Staged version:  v${newPkg.version} (port ${STAGED_PORT})`));
+  } catch (err) {
+    // Try alternate npm global path (Windows)
+    try {
+      const npmGlobal = path.join(os.homedir(), "AppData", "Roaming", "npm");
+      const newPkg = JSON.parse(fs.readFileSync(
+        path.join(npmGlobal, "node_modules", "@lifeaitools", "clauth", "package.json"), "utf8"
+      ).toString());
+      spinner.succeed(chalk.green(`Updated to v${newPkg.version}`));
+    } catch {
+      spinner.fail(chalk.yellow(`npm update may have failed: ${err.message}`));
+      console.log(chalk.gray("  Continuing with staged start anyway..."));
+    }
+  }
+
+  // Step 3: Start staged instance
+  console.log(chalk.gray(`\n  Starting staged instance on port ${STAGED_PORT}...`));
+  opts.staged = true;
+  opts.port = String(STAGED_PORT);
+  return actionStart(opts);
+}
+
 export async function runServe(opts) {
   const action = opts.action || "foreground";
 
@@ -4690,9 +4972,10 @@ export async function runServe(opts) {
     case "mcp":        return actionMcp(opts);
     case "install":    return actionInstall(opts);
     case "uninstall":  return actionUninstall();
+    case "upgrade":    return actionUpgrade(opts);
     default:
       console.log(chalk.red(`\n  Unknown serve action: ${action}`));
-      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp | install | uninstall\n"));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp | install | uninstall | upgrade\n"));
       process.exit(1);
   }
 }

package/cli/index.js

@@ -644,6 +644,7 @@ program
   .option("-p, --pw <password>", "clauth password (optional — omit to start locked, unlock in browser)")
   .option("--services <list>", "Comma-separated service whitelist (default: all)")
   .option("--tunnel <hostname>", "Fixed tunnel hostname (e.g. clauth.prtrust.fund) — uses named Cloudflare Tunnel instead of random URL")
+  .option("--staged", "Start on staging port (52438) for blue-green verification before make-live")
   .option("--action <action>", "Internal: action override for daemon child")
   .addHelpText("after", `
 Actions:
@@ -654,8 +655,9 @@ Actions:
   foreground  Run in foreground (Ctrl+C to stop) — default if no action given
   mcp         Run as MCP stdio server for Claude Code (JSON-RPC over stdin/stdout)
   install     Store password securely + register auto-start service (cross-platform)
-              Windows: DPAPI + Scheduled Task | macOS: Keychain + LaunchAgent | Linux: libsecret/openssl + systemd
+              Windows: DPAPI + HKCU\\Run | macOS: Keychain + LaunchAgent | Linux: libsecret/openssl + systemd
   uninstall   Remove auto-start service + delete stored password
+  upgrade     Blue-green upgrade: start new version on staging port, verify, then make live
 
 MCP SSE (built into start/foreground):
   The HTTP daemon also serves MCP SSE transport at GET /sse + POST /message.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifeaitools/clauth",
-  "version": "1.2.3",
+  "version": "1.3.0",
   "description": "Hardware-bound credential vault for the LIFEAI infrastructure stack",
   "type": "module",
   "bin": {