@pellux/goodvibes-agent 0.1.10 → 0.1.11

package/src/input/handler-onboarding-cloudflare.ts

@@ -4,9 +4,6 @@ import {
   type CloudflareComponentSelection,
   type CloudflareDaemonClient,
   type CloudflareDiscoverResult,
-  type CloudflareOperationalTokenResult,
-  type CloudflareProvisionRequest,
-  type CloudflareProvisionResult,
   type CloudflareTokenRequirementsResult,
   type CloudflareValidateResult,
   type CloudflareVerifyResult,
@@ -16,7 +13,6 @@ import type { InputHandler } from './handler.ts';
 import type { OnboardingWizardAction, OnboardingWizardApplyFeedback } from './onboarding/onboarding-wizard.ts';
 import {
   buildCloudflareApiTokenRef,
-  buildCloudflareProvisionRequest,
   getCloudflareBatchMode,
   getCloudflareComponentSelection,
   getCloudflareSetupSource,
@@ -113,26 +109,6 @@ function formatCloudflareDiscovery(result: CloudflareDiscoverResult): string[] {
   ];
 }
 
-function formatCloudflareTokenCreate(result: CloudflareOperationalTokenResult): string[] {
-  return [
-    `token: ${result.tokenName}${result.tokenId ? ` (${result.tokenId})` : ''}`,
-    `account: ${result.accountId}`,
-    `stored ref: ${result.apiTokenRef ?? 'not stored'}`,
-    `permissions: ${result.permissions.length}`,
-    'Delete or expire the temporary bootstrap token in Cloudflare after confirming the operational token works.',
-  ];
-}
-
-function formatCloudflareProvision(result: CloudflareProvisionResult): string[] {
-  return [
-    `result: ${result.ok ? 'ok' : 'needs attention'}`,
-    ...(result.worker ? [`worker: ${result.worker.name}${result.worker.baseUrl ? ` at ${result.worker.baseUrl}` : ''}`] : []),
-    ...(result.queues ? [`queue: ${result.queues.queueName}; DLQ: ${result.queues.deadLetterQueueName}`] : []),
-    ...result.steps.map((step) => `${step.status}: ${step.name}${step.message ? ` - ${step.message}` : ''}`),
-    ...(result.verification ? formatCloudflareVerify(result.verification).map((line) => `verify ${line}`) : []),
-  ];
-}
-
 function formatCloudflareVerify(result: CloudflareVerifyResult): string[] {
   return [
     `worker health: ${result.workerHealth.ok ? 'ok' : 'failed'} (HTTP ${result.workerHealth.status})${result.workerHealth.error ? ` - ${result.workerHealth.error}` : ''}`,
@@ -171,40 +147,6 @@ function getCloudflareApiTokenRefFromWizard(handler: InputHandler): string {
   return wizard.runtimeSnapshot?.config.cloudflare.apiTokenRef ?? '';
 }
 
-async function createCloudflareOperationalTokenForHandler(handler: InputHandler): Promise<CloudflareOperationalTokenResult> {
-  const wizard = handler.onboardingWizard;
-  const bootstrapToken = getCloudflareBootstrapTokenFromWizard(handler);
-  if (!bootstrapToken) {
-    throw new Error('A bootstrap token is required. Paste it in the wizard or select an environment variable that is set in this TUI process.');
-  }
-  const accountId = wizard.getStringFieldValue('cloudflare.account-id', wizard.runtimeSnapshot?.config.cloudflare.accountId ?? '');
-  const zoneId = wizard.getStringFieldValue('cloudflare.zone-id', wizard.runtimeSnapshot?.config.cloudflare.zoneId ?? '');
-  const zoneName = wizard.getStringFieldValue('cloudflare.zone-name', wizard.runtimeSnapshot?.config.cloudflare.zoneName ?? '');
-  return await getCloudflareDaemonClientForHandler(handler).createOperationalToken({
-    components: getCloudflareComponentSelection(wizard),
-    bootstrapToken,
-    ...(accountId ? { accountId } : {}),
-    ...(zoneId ? { zoneId } : {}),
-    ...(zoneName ? { zoneName } : {}),
-    storeApiToken: true,
-    persistConfig: true,
-  });
-}
-
-async function buildCloudflareProvisionInputForHandler(handler: InputHandler): Promise<CloudflareProvisionRequest> {
-  const input = buildCloudflareProvisionRequest(handler.onboardingWizard, { includeTransientSecrets: true });
-  const setupSource = getCloudflareSetupSource(handler.onboardingWizard);
-  if (setupSource === 'bootstrap-token' || setupSource === 'bootstrap-env') {
-    const tokenResult = await createCloudflareOperationalTokenForHandler(handler);
-    if (tokenResult.apiTokenRef) {
-      const withoutInlineToken = { ...input };
-      delete withoutInlineToken.apiToken;
-      return { ...withoutInlineToken, apiTokenRef: tokenResult.apiTokenRef };
-    }
-  }
-  return input;
-}
-
 function buildCloudflareDiscoveryInputForHandler(handler: InputHandler): Parameters<CloudflareDaemonClient['discover']>[0] {
   const wizard = handler.onboardingWizard;
   const accountId = wizard.getStringFieldValue('cloudflare.account-id', wizard.runtimeSnapshot?.config.cloudflare.accountId ?? '');
@@ -223,6 +165,34 @@ function buildCloudflareDiscoveryInputForHandler(handler: InputHandler): Paramet
   };
 }
 
+function blockedCloudflareMutationLines(action: CloudflareOnboardingAction): string[] {
+  switch (action) {
+    case 'cloudflare-create-operational-token':
+      return [
+        'Creating and storing Cloudflare tokens is a side-effecting operation.',
+        'Run /cloudflare create-token [flags] --yes from the main prompt when you explicitly want that mutation.',
+      ];
+    case 'cloudflare-provision':
+      return [
+        'Provisioning creates or updates Cloudflare resources.',
+        'Run /cloudflare provision [flags] --yes from the main prompt when you explicitly want that mutation.',
+      ];
+    case 'cloudflare-disable':
+      return [
+        'Disabling Cloudflare changes persisted daemon integration config.',
+        'Run /cloudflare disable [flags] --yes from the main prompt when you explicitly want that mutation.',
+      ];
+    default:
+      return [];
+  }
+}
+
+function isBlockedCloudflareMutation(action: CloudflareOnboardingAction): boolean {
+  return action === 'cloudflare-create-operational-token'
+    || action === 'cloudflare-provision'
+    || action === 'cloudflare-disable';
+}
+
 function buildCloudflareValidateInputForHandler(handler: InputHandler): Parameters<CloudflareDaemonClient['validate']>[0] {
   const wizard = handler.onboardingWizard;
   const accountId = wizard.getStringFieldValue('cloudflare.account-id', wizard.runtimeSnapshot?.config.cloudflare.accountId ?? '');
@@ -244,6 +214,16 @@ export async function handleCloudflareOnboardingActionForHandler(
   handler.onboardingWizard.clearApplyFeedback();
   handler.requestRender();
   try {
+    if (isBlockedCloudflareMutation(action)) {
+      setCloudflareWizardStatusForHandler(
+        handler,
+        'Cloudflare mutation requires explicit command',
+        blockedCloudflareMutationLines(action),
+        'warning',
+      );
+      return;
+    }
+
     const client = getCloudflareDaemonClientForHandler(handler);
     if (action === 'cloudflare-token-requirements') {
       const result = await client.tokenRequirements({
@@ -254,13 +234,6 @@ export async function handleCloudflareOnboardingActionForHandler(
       return;
     }
 
-    if (action === 'cloudflare-create-operational-token') {
-      const result = await createCloudflareOperationalTokenForHandler(handler);
-      setCloudflareWizardStatusForHandler(handler, 'Cloudflare operational token created', formatCloudflareTokenCreate(result));
-      await handler.refreshOnboardingHydration({ preserveValues: true, targetStepId: 'cloudflare' });
-      return;
-    }
-
     if (action === 'cloudflare-discover') {
       const result = await client.discover(buildCloudflareDiscoveryInputForHandler(handler));
       if (result.selectedAccount && !handler.onboardingWizard.getStringFieldValue('cloudflare.account-id', '')) {
@@ -293,19 +266,6 @@ export async function handleCloudflareOnboardingActionForHandler(
       return;
     }
 
-    if (action === 'cloudflare-provision') {
-      const input = await buildCloudflareProvisionInputForHandler(handler);
-      const result = await client.provision(input);
-      setCloudflareWizardStatusForHandler(
-        handler,
-        result.ok ? 'Cloudflare provisioning completed' : 'Cloudflare provisioning needs attention',
-        formatCloudflareProvision(result),
-        result.ok ? 'info' : 'warning',
-      );
-      await handler.refreshOnboardingHydration({ preserveValues: true, targetStepId: 'cloudflare' });
-      return;
-    }
-
     if (action === 'cloudflare-verify') {
       const result = await client.verify({
         workerBaseUrl: handler.onboardingWizard.getStringFieldValue('cloudflare.worker-base-url', handler.onboardingWizard.runtimeSnapshot?.config.cloudflare.workerBaseUrl ?? ''),
@@ -319,22 +279,6 @@ export async function handleCloudflareOnboardingActionForHandler(
       );
       return;
     }
-
-    if (action === 'cloudflare-disable') {
-      const result = await client.disable({
-        accountId: handler.onboardingWizard.getStringFieldValue('cloudflare.account-id', handler.onboardingWizard.runtimeSnapshot?.config.cloudflare.accountId ?? ''),
-        apiTokenRef: getCloudflareApiTokenRefFromWizard(handler),
-        workerName: handler.onboardingWizard.getStringFieldValue('cloudflare.worker-name', handler.onboardingWizard.runtimeSnapshot?.config.cloudflare.workerName ?? 'goodvibes-batch-worker'),
-        persistConfig: true,
-      });
-      setCloudflareWizardStatusForHandler(
-        handler,
-        result.ok ? 'Cloudflare integration disabled' : 'Cloudflare disable needs attention',
-        result.steps.map((step) => `${step.status}: ${step.name}${step.message ? ` - ${step.message}` : ''}`),
-        result.ok ? 'info' : 'warning',
-      );
-      await handler.refreshOnboardingHydration({ preserveValues: true, targetStepId: 'cloudflare' });
-    }
   } catch (error) {
     setCloudflareWizardStatusForHandler(handler, 'Cloudflare action failed', [normalizeCloudflareActionError(error)], 'error');
   } finally {
@@ -365,27 +309,14 @@ export async function maybeProvisionCloudflareOnFinalApplyForHandler(handler: In
     }];
   }
 
-  try {
-    const client = getCloudflareDaemonClientForHandler(handler);
-    const result = await client.provision(await buildCloudflareProvisionInputForHandler(handler));
-    handler.onboardingWizard.textState.set('cloudflare.action-status', [
-      result.ok ? 'Cloudflare provisioning completed during final apply.' : 'Cloudflare provisioning needs attention after final apply.',
-      ...formatCloudflareProvision(result),
-    ].join('\n'));
-    return [{
-      id: 'cloudflare:provision',
-      status: result.ok ? 'pass' : 'warn',
-      message: result.ok
-        ? 'Cloudflare resources were provisioned and verified through the daemon SDK route.'
-        : 'Cloudflare provisioning returned warnings or failed verification. Settings were saved; rerun the Cloudflare wizard action after correcting token/resource issues.',
-      target: 'cloudflare',
-    }];
-  } catch (error) {
-    return [{
-      id: 'cloudflare:provision',
-      status: 'warn',
-      message: `Cloudflare provisioning did not complete: ${normalizeCloudflareActionError(error)} Settings were saved; retry from the Cloudflare wizard or /cloudflare command.`,
-      target: 'cloudflare',
-    }];
-  }
+  handler.onboardingWizard.textState.set('cloudflare.action-status', [
+    'Cloudflare provisioning was not run during final apply.',
+    'GoodVibes Agent requires an explicit /cloudflare provision [flags] --yes command for Cloudflare resource mutations.',
+  ].join('\n'));
+  return [{
+    id: 'cloudflare:provision',
+    status: 'warn',
+    message: 'Cloudflare settings were saved, but provisioning was blocked because Agent onboarding cannot create/update Cloudflare resources. Run /cloudflare provision [flags] --yes explicitly.',
+    target: 'cloudflare',
+  }];
 }

package/src/input/keybindings.ts

@@ -68,7 +68,7 @@ export const ACTION_DESCRIPTIONS: Record<KeyAction, string> = {
   'search':                'Toggle conversation search',
   'block-copy':            'Copy nearest block to clipboard',
   'bookmark':              'Bookmark / unbookmark nearest block',
-  'block-save':            'Save nearest block to file',
+  'block-save':            'Block file save blocked; use /share --yes',
   'delete-word':           'Delete word backward',
   'apply-diff-line-start': 'Apply nearest diff / move to line start',
   'next-error-line-end':   'Navigate to next error / move to line end',

package/src/input/mcp-workspace.ts

@@ -214,7 +214,7 @@ export class McpWorkspace {
   public formIndex = 0;
   public form: McpWorkspaceForm = serverConfigToForm();
   public editingServerName: string | null = null;
-  public status = 'Ready. Add, edit, remove, reload, and inspect MCP servers without restarting the TUI.';
+  public status = 'Ready. Inspect MCP servers and tools. Config writes/reloads require explicit /mcp ... --yes commands.';
   public tools: readonly RegisteredTool[] = [];
   public loadingTools = false;
   public lastError: string | null = null;
@@ -234,7 +234,7 @@ export class McpWorkspace {
     this.formIndex = 0;
     this.lastError = null;
     this.refreshSnapshot();
-    void this.refreshTools();
+    void this.refreshTools(false);
   }
 
   reopen(): void {
@@ -257,8 +257,8 @@ export class McpWorkspace {
   get rows(): readonly McpWorkspaceRow[] {
     return [
       ...this.snapshot.servers.map((server): McpWorkspaceRow => ({ type: 'server', server })),
-      { type: 'action', id: 'add', label: 'Add server', detail: `Write a server through the SDK config manager. Default scope: ${this.form.scope}.` },
-      { type: 'action', id: 'reload', label: 'Reload runtime', detail: 'Reconnect all MCP servers from global, Claude, and project config files.' },
+      { type: 'action', id: 'add', label: 'Add server preview', detail: `Draft server details here, then run /mcp add ... --scope ${this.form.scope} --yes to write config.` },
+      { type: 'action', id: 'reload', label: 'Reload guidance', detail: 'Runtime reload is blocked from the workspace; run /mcp reload --yes explicitly.' },
       { type: 'action', id: 'refresh-tools', label: 'Refresh tools', detail: 'Fetch the currently available MCP tool list from connected servers.' },
       { type: 'action', id: 'config', label: 'Config locations', detail: 'Show SDK-scanned config files and writable project/global paths.' },
     ];
@@ -284,7 +284,7 @@ export class McpWorkspace {
       { id: 'env', label: 'Environment', value: this.form.env, help: 'Comma-separated KEY=VALUE entries. Prefer env var references or secure secrets for sensitive values.', editable: true },
       { id: 'allowedPaths', label: 'Allowed paths', value: this.form.allowedPaths, help: 'Comma-separated path prefixes for filesystem-oriented servers.', editable: true },
       { id: 'allowedHosts', label: 'Allowed hosts', value: this.form.allowedHosts, help: 'Comma-separated hostnames for network-oriented servers.', editable: true },
-      { id: 'save', label: 'Save and reload', value: '', help: 'Write the selected scope config and reconnect the live MCP runtime.', editable: false },
+      { id: 'save', label: 'Show save command', value: '', help: 'No workspace write. Shows the explicit /mcp add ... --yes command to run from the prompt.', editable: false },
       { id: 'cancel', label: 'Cancel', value: '', help: 'Return to the MCP server browser without changing config.', editable: false },
     ];
   }
@@ -306,14 +306,14 @@ export class McpWorkspace {
     this.selectedIndex = Math.max(0, Math.min(this.selectedIndex, this.rows.length - 1));
   }
 
-  async refreshTools(): Promise<void> {
+  async refreshTools(updateStatus = true): Promise<void> {
     if (!this.context) return;
     this.loadingTools = true;
     this.lastError = null;
     try {
       const api = requireMcpApi(this.context);
       this.tools = await api.listAllTools();
-      this.status = `Tool list refreshed: ${this.tools.length} tool(s) available.`;
+      if (updateStatus) this.status = `Tool list refreshed: ${this.tools.length} tool(s) available.`;
     } catch (error) {
       this.lastError = summarizeError(error);
       this.status = `Tool refresh failed: ${this.lastError}`;
@@ -326,20 +326,8 @@ export class McpWorkspace {
   async reloadRuntime(): Promise<void> {
     if (!this.context) return;
     this.lastError = null;
-    try {
-      const api = requireMcpApi(this.context);
-      const roots = requireShellPaths(this.context);
-      const result = await api.reload(roots);
-      this.refreshSnapshot();
-      const connected = this.snapshot.servers.filter((server) => server.connected).length;
-      this.status = `Reloaded MCP runtime: ${connected}/${this.snapshot.servers.length} server(s) connected. Result: +${result.added} ~${result.changed} -${result.removed}, unchanged ${result.unchanged}.`;
-      void this.refreshTools();
-    } catch (error) {
-      this.lastError = summarizeError(error);
-      this.status = `Reload failed: ${this.lastError}`;
-    } finally {
-      this.context?.renderRequest();
-    }
+    this.status = 'MCP runtime reload is blocked in the workspace. Run /mcp reload --yes from the prompt to explicitly reload.';
+    this.context.renderRequest();
   }
 
   openAddForm(): void {
@@ -347,7 +335,7 @@ export class McpWorkspace {
     this.formIndex = 0;
     this.editingServerName = null;
     this.form = serverConfigToForm();
-    this.status = 'Add an MCP server. Choose project or global scope, then save and reload.';
+    this.status = 'Draft an MCP server. Saving from this workspace is blocked; use the shown /mcp add ... --yes command.';
   }
 
   openEditForm(serverName: string): void {
@@ -357,8 +345,8 @@ export class McpWorkspace {
     this.editingServerName = serverName;
     this.form = { ...serverConfigToForm(entry?.server), scope: entry?.source.scope === 'global' ? 'global' : 'project' };
     this.status = entry
-      ? `Editing ${serverName}. Saving writes a ${this.form.scope} config entry and reloads the live runtime.`
-      : `Editing ${serverName}. Runtime status exists, but no launch config was found; enter command details before saving.`;
+      ? `Viewing ${serverName}. Workspace saves are blocked; copy the generated /mcp add ... --yes command if you intend to change it.`
+      : `Viewing ${serverName}. Runtime status exists, but no launch config was found.`;
   }
 
   requestDelete(serverName: string): void {
@@ -366,24 +354,23 @@ export class McpWorkspace {
     this.editingServerName = serverName;
     const entry = this.snapshot.effectiveConfig.servers.find((configEntry) => configEntry.server.name === serverName);
     const scope = entry?.source.scope === 'global' ? 'global' : 'project';
-    this.status = `Remove ${scope} server "${serverName}"? Press y to confirm or n/Esc to cancel.`;
+    this.status = `MCP server removal is blocked in the workspace. Run /mcp remove ${serverName} --scope ${scope} --yes from the prompt.`;
   }
 
   async saveForm(): Promise<void> {
     if (!this.context) return;
     try {
       const server = formToServerConfig(this.form);
-      this.status = `Saving ${server.name} to ${this.form.scope} MCP config and reloading runtime...`;
       this.mode = 'browse';
       this.editingServerName = null;
-      const api = requireMcpApi(this.context);
-      const result = await api.upsertServerConfig(requireShellPaths(this.context), this.form.scope, server);
-      this.refreshSnapshot();
-      this.status = `Saved ${server.name} to ${result.path}. Reload result: +${result.reload.added} ~${result.reload.changed} -${result.reload.removed}, unchanged ${result.reload.unchanged}.`;
-      void this.refreshTools();
+      const args = server.args?.length ? ` ${server.args.join(' ')}` : '';
+      const role = server.role ? ` --role ${server.role}` : '';
+      const trust = server.trustMode ? ` --trust ${server.trustMode}` : '';
+      this.status = `MCP config write blocked here. Run: /mcp add ${server.name} ${server.command}${args} --scope ${this.form.scope}${role}${trust} --yes`;
+      this.context.renderRequest();
     } catch (error) {
       this.lastError = summarizeError(error);
-      this.status = `Save failed: ${this.lastError}`;
+      this.status = `Save command preview failed: ${this.lastError}`;
       this.context.renderRequest();
     }
   }
@@ -391,23 +378,12 @@ export class McpWorkspace {
   async confirmDelete(): Promise<void> {
     if (!this.context || !this.editingServerName) return;
     const name = this.editingServerName;
-    try {
-      const server = this.snapshot.effectiveConfig.servers.find((entry) => entry.server.name === name);
-      const scope = server?.source.scope === 'global' ? 'global' : 'project';
-      const api = requireMcpApi(this.context);
-      const result = await api.removeServerConfig(requireShellPaths(this.context), scope, name);
-      this.mode = 'browse';
-      this.editingServerName = null;
-      this.refreshSnapshot();
-      this.status = result.removed
-        ? `Removed ${scope} server "${name}" from ${result.path}. Reload result: +${result.reload.added} ~${result.reload.changed} -${result.reload.removed}.`
-        : `No ${scope} MCP server named "${name}" exists in ${result.path}.`;
-      void this.refreshTools();
-    } catch (error) {
-      this.lastError = summarizeError(error);
-      this.status = `Remove failed: ${this.lastError}`;
-      this.context.renderRequest();
-    }
+    const server = this.snapshot.effectiveConfig.servers.find((entry) => entry.server.name === name);
+    const scope = server?.source.scope === 'global' ? 'global' : 'project';
+    this.mode = 'browse';
+    this.editingServerName = null;
+    this.status = `MCP removal blocked here. Run: /mcp remove ${name} --scope ${scope} --yes`;
+    this.context.renderRequest();
   }
 
   cancelForm(): void {

package/src/input/onboarding/onboarding-wizard-cloudflare-step.ts

@@ -380,8 +380,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
       {
         kind: 'radio',
         id: 'cloudflare.provision-on-apply',
-        label: 'Provision Cloudflare on final apply',
-        hint: 'If yes, final Apply calls SDK daemon routes to create/update resources and verify them. Failure is reported as a warning; settings still save.',
+        label: 'Final apply Cloudflare provisioning',
+        hint: 'Agent onboarding saves config only. Run /cloudflare provision [flags] --yes explicitly for resource changes.',
         options: CLOUDFLARE_PROVISION_OPTIONS,
         defaultValue: 'no',
       },
@@ -404,8 +404,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'action',
         id: 'cloudflare.create-token',
         action: 'cloudflare-create-operational-token',
-        label: 'Create operational token from bootstrap token',
-        hint: 'Uses a pasted or environment bootstrap token once. The SDK stores the generated operational token as a goodvibes:// secret.',
+        label: 'Show create-token command',
+        hint: 'Token creation is side-effecting. The wizard shows the explicit /cloudflare create-token ... --yes path instead of running it.',
         defaultValue: 'Action',
       },
       {
@@ -428,8 +428,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'action',
         id: 'cloudflare.provision',
         action: 'cloudflare-provision',
-        label: 'Provision and verify now',
-        hint: 'Calls the daemon SDK route immediately with the current wizard values. This creates/updates selected Cloudflare resources.',
+        label: 'Show provision command',
+        hint: 'Provisioning is side-effecting. The wizard shows the explicit /cloudflare provision ... --yes path instead of running it.',
         defaultValue: 'Action',
       },
       {
@@ -444,8 +444,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'action',
         id: 'cloudflare.disable',
         action: 'cloudflare-disable',
-        label: 'Disable Cloudflare integration',
-        hint: 'Calls the daemon SDK route to disable local Cloudflare usage and return the batch queue backend to local behavior.',
+        label: 'Show disable command',
+        hint: 'Disabling persists config changes. The wizard shows the explicit /cloudflare disable ... --yes path instead of running it.',
         defaultValue: 'Action',
       },
     );

package/src/input/onboarding/onboarding-wizard-cloudflare.ts

@@ -66,12 +66,7 @@ export const CLOUDFLARE_PROVISION_OPTIONS: readonly OnboardingWizardRadioOption[
   {
     id: 'no',
     label: 'No, save configuration only',
-    hint: 'Final Apply saves the settings. Use the Cloudflare command or this wizard later to provision resources.',
-  },
-  {
-    id: 'yes',
-    label: 'Yes, create or update Cloudflare resources',
-    hint: 'Final Apply asks the daemon SDK route to create/update selected Cloudflare resources and verify the Worker when possible.',
+    hint: 'Final Apply saves the settings. Run /cloudflare provision [flags] --yes explicitly when you want resource changes.',
   },
 ];
 

package/src/input/profile-picker-modal.ts

@@ -2,7 +2,7 @@
  * ProfilePickerModal — state management for the /profiles picker modal.
  *
  * Lists profiles from ProfileManager.list(), tracks selected index,
- * and handles load/delete/save actions.
+ * and handles load actions.
  */
 
 import type { ProfileInfo, ProfileData, ProfileManager } from '@pellux/goodvibes-sdk/platform/profiles';
@@ -141,39 +141,12 @@ export class ProfilePickerModal {
     }
   }
 
-  /**
-   * Delete the selected profile from disk.
-   * Refreshes the list after deletion.
-   */
   deleteSelected(): boolean {
     const profile = this.getSelected();
     if (!profile) return false;
-    if (this.deleteConfirmationTarget !== profile.name) {
-      this.deleteConfirmationTarget = profile.name;
-      this.statusMessage = `Press delete again to remove profile: ${profile.name}`;
-      return false;
-    }
-
-    try {
-      const deleted = this.profileManager.delete(profile.name);
-      if (!deleted) {
-        this.statusMessage = `Profile not found: ${profile.name}`;
-        this.deleteConfirmationTarget = null;
-        return false;
-      }
-      this.profiles = this.profileManager.list();
-      if (this.selectedIndex >= this.profiles.length) {
-        this.selectedIndex = Math.max(0, this.profiles.length - 1);
-      }
-      this._clampScroll();
-      this.deleteConfirmationTarget = null;
-      this.statusMessage = `Deleted: ${profile.name}`;
-      return true;
-    } catch (e) {
-      this.deleteConfirmationTarget = null;
-      this.statusMessage = `Error: ${summarizeError(e)}`;
-      return false;
-    }
+    this.deleteConfirmationTarget = null;
+    this.statusMessage = `Deletion requires an explicit command: /profiles delete ${profile.name} --yes`;
+    return false;
   }
 
   /**
@@ -184,7 +157,16 @@ export class ProfilePickerModal {
       this.statusMessage = 'Profile name cannot be empty';
       return false;
     }
+    void configManager;
+    this.statusMessage = `Saving requires an explicit command: /profiles save ${name} --yes`;
+    return false;
+  }
 
+  public saveCurrentAsConfirmed(name: string, configManager: ConfigManager): boolean {
+    if (!name || !name.trim()) {
+      this.statusMessage = 'Profile name cannot be empty';
+      return false;
+    }
     try {
       const all = configManager.getAll();
       const data: ProfileData = {

package/src/input/session-picker-modal.ts

@@ -2,10 +2,9 @@
  * SessionPickerModal — state management for the /sessions picker modal.
  *
  * Lists sessions from SessionManager.list(), tracks selected index,
- * and handles load/delete actions.
+ * and handles load actions.
  */
 
-import { unlinkSync } from 'node:fs';
 import type { SessionInfo, SessionManager } from '@pellux/goodvibes-sdk/platform/sessions';
 import type { ConversationManager } from '../core/conversation';
 import { summarizeError } from '@pellux/goodvibes-sdk/platform/utils';
@@ -90,37 +89,12 @@ export class SessionPickerModal {
     }
   }
 
-  /**
-   * Delete the currently selected session from disk.
-   * Refreshes the list after deletion.
-   */
   deleteSelected(): boolean {
     const session = this.getSelected();
     if (!session) return false;
-    if (this.deleteConfirmationTarget !== session.name) {
-      this.deleteConfirmationTarget = session.name;
-      this.statusMessage = `Press d again to delete ${session.name}.`;
-      return false;
-    }
-
-    try {
-      // Delete directly via filePath so it works with any session directory
-      unlinkSync(session.filePath);
-      // Reload list from the global session manager (removes the deleted entry)
-      this.sessions = this.sessionManager.list();
-      // Adjust selection
-      if (this.selectedIndex >= this.sessions.length) {
-        this.selectedIndex = Math.max(0, this.sessions.length - 1);
-      }
-      this._clampScroll();
-      this.deleteConfirmationTarget = null;
-      this.statusMessage = `Deleted: ${session.name}`;
-      return true;
-    } catch (e) {
-      this.deleteConfirmationTarget = null;
-      this.statusMessage = `Error: ${summarizeError(e)}`;
-      return false;
-    }
+    this.deleteConfirmationTarget = null;
+    this.statusMessage = `Deletion requires an explicit command: /session delete ${session.name} --yes`;
+    return false;
   }
 
   private _clampScroll(): void {

package/src/input/settings-modal-subscriptions.ts

@@ -23,7 +23,7 @@ export function buildSubscriptionEntries(
       activeRoute: 'unconfigured',
       authFreshness: 'unconfigured',
       routeReason: 'Built-in subscription adapter is available, but no active subscription session is stored yet.',
-      nextActions: [`Use /subscription login ${provider} start to begin browser sign-in.`],
+      nextActions: [`Use /subscription login ${provider} start --yes to begin browser sign-in.`],
     });
   }
 
@@ -38,7 +38,7 @@ export function buildSubscriptionEntries(
       activeRoute: providers.get(provider)?.activeRoute ?? 'unconfigured',
       authFreshness: providers.get(provider)?.authFreshness ?? 'unconfigured',
       routeReason: providers.get(provider)?.routeReason ?? 'OAuth metadata is configured for this provider.',
-      nextActions: providers.get(provider)?.nextActions ?? [`Use /subscription login ${provider} start to begin browser sign-in.`],
+      nextActions: providers.get(provider)?.nextActions ?? [`Use /subscription login ${provider} start --yes to begin browser sign-in.`],
     });
   }
 
@@ -51,7 +51,7 @@ export function buildSubscriptionEntries(
       activeRoute: 'unconfigured',
       authFreshness: 'pending',
       routeReason: 'OAuth login is pending completion for this provider.',
-      nextActions: [`Finish /subscription login ${pending.provider} finish <code> to activate this session.`],
+      nextActions: [`Finish /subscription login ${pending.provider} finish <code> --yes to activate this session.`],
     });
   }
 

package/src/panels/incident-review-panel.ts

@@ -185,7 +185,7 @@ export class IncidentReviewPanel extends ScrollableListPanel<FailureReport> {
       }
     }
     footerLines.push(buildPanelLine(width, [['  Action Rail', C.label]]));
-    footerLines.push(buildPanelLine(width, [[`  /incident latest   /incident export ${selected.id}   /recall capture incident ${selected.id}`, C.info]]));
+    footerLines.push(buildPanelLine(width, [[`  /incident latest   /incident export ${selected.id} <path> --yes   /incident capture ${selected.id} --yes`, C.info]]));
     footerLines.push(buildGuidanceLine(width, '/security', 'open the broader trust and incident posture control room', C));
 
     return this.renderList(width, height, {

package/src/panels/local-auth-panel.ts

@@ -81,7 +81,7 @@ export class LocalAuthPanel extends ScrollableListPanel<LocalAuthUser> {
         ...(issueMessages.length > 0
           ? issueMessages.map((issue) => buildPanelLine(width, [[` issue: ${issue}`.slice(0, Math.max(0, width)), C.warn]]))
           : [buildPanelLine(width, [[' local auth posture looks healthy.', C.good]])]),
-        buildGuidanceLine(width, '/auth local rotate-password <user> <password>', 'rotate bootstrap/default credentials and revoke older sessions as needed', C),
+        buildGuidanceLine(width, '/auth local rotate-password <user> <password> --yes', 'rotate bootstrap/default credentials and revoke older sessions as needed', C),
       ], C),
     ];
 
@@ -104,8 +104,8 @@ export class LocalAuthPanel extends ScrollableListPanel<LocalAuthUser> {
       footerLines.push(
         ...buildDetailBlock(width, 'Selected user', [
           buildPanelLine(width, [[' username ', C.label], [selected.username, C.value], ['  roles ', C.label], [formatRoles(selected.roles).slice(0, Math.max(0, width - 23)), C.info]]),
-          buildPanelLine(width, [[` next: /auth local rotate-password ${selected.username} <password>`.slice(0, Math.max(0, width)), C.dim]]),
-          buildPanelLine(width, [[` next: /auth local delete-user ${selected.username}`.slice(0, Math.max(0, width)), C.dim]]),
+          buildPanelLine(width, [[` next: /auth local rotate-password ${selected.username} <password> --yes`.slice(0, Math.max(0, width)), C.dim]]),
+          buildPanelLine(width, [[` next: /auth local delete-user ${selected.username} --yes`.slice(0, Math.max(0, width)), C.dim]]),
         ], C),
       );
     }
@@ -119,7 +119,7 @@ export class LocalAuthPanel extends ScrollableListPanel<LocalAuthUser> {
         ])),
       );
     }
-    footerLines.push(buildPanelLine(width, [[' /auth local review  /auth local add-user  /auth local rotate-password  /auth local revoke-session ', C.dim]]));
+    footerLines.push(buildPanelLine(width, [[' /auth local review  mutations require --yes: add-user rotate-password revoke-session ', C.dim]]));
 
     return this.renderList(width, height, {
       title: 'Local Auth Control Room',