@pellux/goodvibes-agent 0.1.55 → 0.1.57

package/src/verification/live-verifier.ts

@@ -4,6 +4,12 @@ import { spawn } from 'node:child_process';
 import { buildVerificationLedger } from './verification-ledger.ts';
 import { SDK_VERSION } from '../version.ts';
 
+const AGENT_KNOWLEDGE_FORBIDDEN_RESPONSE_MARKERS = [
+  ['home', ' assistant'].join(''),
+  ['home', 'graph'].join(''),
+  ['home ', 'graph'].join(''),
+] as const;
+
 export type LiveVerificationStatus = 'pass' | 'warn' | 'fail' | 'skip';
 
 export interface LiveVerificationCheck {
@@ -284,7 +290,7 @@ export function buildAgentKnowledgeLiveSkipCheck(
     summary: `Skipped because external daemon SDK ${daemonVersion} does not match Agent SDK pin ${expectedSdkVersion}.`,
     detail: [
       'Agent Knowledge is intentionally isolated under /api/goodvibes-agent/knowledge/*.',
-      'An older daemon cannot validate those routes, and Agent must not fall back to default Knowledge/Wiki or HomeGraph.',
+      'An older daemon cannot validate those routes, and Agent must not fall back to default Knowledge/Wiki or non-Agent knowledge segments.',
       'Update/restart the external daemon, then rerun live verification.',
     ].join('\n'),
   };
@@ -495,8 +501,8 @@ export async function buildLiveVerificationReport(options: LiveVerificationOptio
             return { status: 'fail', summary: 'Agent Knowledge ask was not parseable JSON.' };
           }
           const lower = body.toLowerCase();
-          if (lower.includes('home assistant') || lower.includes('homegraph') || lower.includes('home graph')) {
-            return { status: 'fail', summary: 'Agent Knowledge ask returned HomeGraph/Home Assistant contamination.' };
+          if (AGENT_KNOWLEDGE_FORBIDDEN_RESPONSE_MARKERS.some((marker) => lower.includes(marker))) {
+            return { status: 'fail', summary: 'Agent Knowledge ask returned non-Agent knowledge contamination.' };
           }
           return { status: 'pass', summary: 'Agent Knowledge ask stayed on the isolated Agent route.' };
         },
@@ -519,8 +525,8 @@ export async function buildLiveVerificationReport(options: LiveVerificationOptio
             return { status: 'fail', summary: 'Agent Knowledge search was not parseable JSON.' };
           }
           const lower = body.toLowerCase();
-          if (lower.includes('home assistant') || lower.includes('homegraph') || lower.includes('home graph')) {
-            return { status: 'fail', summary: 'Agent Knowledge search returned HomeGraph/Home Assistant contamination.' };
+          if (AGENT_KNOWLEDGE_FORBIDDEN_RESPONSE_MARKERS.some((marker) => lower.includes(marker))) {
+            return { status: 'fail', summary: 'Agent Knowledge search returned non-Agent knowledge contamination.' };
           }
           return { status: 'pass', summary: 'Agent Knowledge search stayed on the isolated Agent route.' };
         },

package/src/verification/verification-ledger.ts

@@ -30,7 +30,6 @@ export interface VerificationLedger {
 const EXTERNAL_SLASH_COMMANDS = new Set([
   'auth',
   'bridge',
-  'cloudflare',
   'health',
   'listener',
   'login',
@@ -71,14 +70,12 @@ const ONBOARDING_CAPABILITIES = [
   'network-access',
   'webhook-events',
   'external-integrations',
-  'cloudflare-batch',
 ] as const;
 
 const EXTERNAL_SURFACES = [
   'bluebubbles',
   'discord',
   'googleChat',
-  'homeassistant',
   'imessage',
   'matrix',
   'mattermost',
@@ -185,9 +182,9 @@ export function buildVerificationLedger(root: string): VerificationLedger {
       area: 'Onboarding capability bundles',
       total: ONBOARDING_CAPABILITIES.length,
       localSignalVerified: ONBOARDING_CAPABILITIES.length,
-      localBehaviorVerified: 5,
-      externalOutcomeRequired: 1,
-      notes: 'Wizard state derivation/apply can be local; Cloudflare provisioning remains external.',
+      localBehaviorVerified: ONBOARDING_CAPABILITIES.length,
+      externalOutcomeRequired: 0,
+      notes: 'Wizard state derivation/apply is local; daemon-backed outcomes stay external to Agent ownership.',
     },
   ];
 

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.55';
+let _version = '0.1.57';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {

package/src/input/commands/agent-externalized-tui.ts

@@ -1,73 +0,0 @@
-import type { CommandRegistry, SlashCommand } from '../command-registry.ts';
-
-type ExternalizedCommandId = 'git' | 'diff' | 'worktree' | 'sandbox';
-
-interface ExternalizedCommandSpec {
-  readonly name: ExternalizedCommandId;
-  readonly aliases?: readonly string[];
-  readonly description: string;
-  readonly usage: string;
-  readonly owner: string;
-  readonly reason: string;
-}
-
-const EXTERNALIZED_TUI_COMMANDS: readonly ExternalizedCommandSpec[] = [
-  {
-    name: 'git',
-    aliases: ['g'],
-    description: 'Externalized: git workflows are owned by GoodVibes TUI',
-    usage: '[status|log|diff]',
-    owner: 'GoodVibes TUI',
-    reason: 'Git status, commits, and repository mutation belong to the coding TUI, not the serial Agent surface.',
-  },
-  {
-    name: 'diff',
-    aliases: ['d'],
-    description: 'Externalized: code diff review is owned by GoodVibes TUI',
-    usage: '[session|head|working|staged|<git-ref>]',
-    owner: 'GoodVibes TUI',
-    reason: 'Diff views are part of delegated build/fix/review work and should stay attached to the coding TUI execution context.',
-  },
-  {
-    name: 'worktree',
-    aliases: ['worktrees'],
-    description: 'Externalized: git worktree lifecycle is owned by GoodVibes TUI',
-    usage: '[review|inspect|attach|recover|cleanup]',
-    owner: 'GoodVibes TUI',
-    reason: 'Worktree creation, attachment, recovery, and cleanup are coding-session lifecycle operations.',
-  },
-  {
-    name: 'sandbox',
-    description: 'Externalized: sandbox and QEMU workflows are owned by GoodVibes TUI',
-    usage: '[review|probe|session|qemu|bundle|preset]',
-    owner: 'GoodVibes TUI',
-    reason: 'Sandbox/QEMU setup and session execution are terminal-native coding/runtime isolation workflows.',
-  },
-];
-
-function makeExternalizedCommand(spec: ExternalizedCommandSpec): SlashCommand {
-  return {
-    name: spec.name,
-    aliases: spec.aliases ? [...spec.aliases] : undefined,
-    description: spec.description,
-    usage: spec.usage,
-    argsHint: spec.usage,
-    handler(_args, ctx) {
-      ctx.print([
-        `${spec.name} is externalized in GoodVibes Agent.`,
-        `  owner: ${spec.owner}`,
-        `  reason: ${spec.reason}`,
-        '  Agent policy: no local coding TUI, git/worktree, or sandbox execution from this surface.',
-        '  build/fix/review: ask Agent to delegate the full request to GoodVibes TUI, or run goodvibes-tui in the target workspace.',
-        '  result: blocked here; no local files, config, worktrees, sandbox sessions, or repository state were changed.',
-      ].join('\n'));
-    },
-  };
-}
-
-export function registerAgentExternalizedTuiCommands(registry: CommandRegistry): void {
-  for (const spec of EXTERNALIZED_TUI_COMMANDS) {
-    registry.register(makeExternalizedCommand(spec));
-  }
-}
-

package/src/input/commands/cloudflare-runtime.ts

@@ -1,385 +0,0 @@
-import {
-  CLOUDFLARE_COMPONENT_IDS,
-  CLOUDFLARE_COMPONENT_LABELS,
-  DEFAULT_CLOUDFLARE_COMPONENT_SELECTION,
-  CloudflareDaemonRouteError,
-  createCloudflareDaemonClient,
-  type CloudflareComponent,
-  type CloudflareComponentSelection,
-  type CloudflareDaemonClient,
-  type CloudflareProvisionStep,
-} from '../../runtime/cloudflare-control-plane.ts';
-import type { CommandContext, CommandRegistry } from '../command-registry.ts';
-import { requireShellPaths } from './runtime-services.ts';
-import { requireYesFlag, stripYesFlag } from './confirmation.ts';
-
-interface ParsedCloudflareArgs {
-  readonly positional: readonly string[];
-  readonly flags: ReadonlyMap<string, readonly string[]>;
-}
-
-export function registerCloudflareRuntimeCommands(registry: CommandRegistry): void {
-  registry.register({
-    name: 'cloudflare',
-    aliases: ['cf'],
-    description: 'Inspect and manage optional Cloudflare batch/control-plane integration through daemon SDK routes',
-    usage: '[status|setup|requirements|create-token --yes|discover|validate|provision --yes|verify|disable --yes] [flags]',
-    async handler(args, ctx) {
-      const confirmation = stripYesFlag(args);
-      const commandArgs = [...confirmation.rest];
-      const subcommand = (commandArgs[0] ?? 'status').toLowerCase();
-      const parsed = parseCloudflareArgs(commandArgs.slice(1));
-      if (subcommand === 'setup' || subcommand === 'onboarding') {
-        ctx.openOnboardingWizard?.({ mode: 'edit', reset: true });
-        ctx.print('Opening onboarding wizard. Select the Cloudflare batch capability to configure Cloudflare.');
-        return;
-      }
-
-      let client: CloudflareDaemonClient;
-      try {
-        client = createCloudflareClient(ctx);
-      } catch (error) {
-        ctx.print(`Cloudflare command unavailable: ${formatCloudflareError(error)}`);
-        return;
-      }
-
-      try {
-        if (subcommand === 'status' || subcommand === 'show') {
-          const status = await client.status();
-          ctx.print([
-            'Cloudflare Status',
-            `  enabled: ${status.enabled ? 'yes' : 'no'}`,
-            `  ready: ${status.ready ? 'yes' : 'no'}`,
-            `  account: ${status.config.accountId || '(not set)'}`,
-            `  token ref: ${status.config.apiTokenRef || '(CLOUDFLARE_API_TOKEN fallback)'}`,
-            `  worker: ${status.config.workerName || '(not set)'}`,
-            `  worker URL: ${status.config.workerBaseUrl || '(not set)'}`,
-            `  queue: ${status.config.queueName || '(not set)'}`,
-            `  DLQ: ${status.config.deadLetterQueueName || '(not set)'}`,
-            `  tunnel: ${status.config.tunnelName || '(not set)'} ${status.config.tunnelId ? `(${status.config.tunnelId})` : ''}`.trimEnd(),
-            `  access app: ${status.config.accessAppId || '(not set)'}`,
-            `  batch mode: ${String(ctx.platform.configManager.get('batch.mode') ?? 'off')}`,
-            `  queue backend: ${String(ctx.platform.configManager.get('batch.queueBackend') ?? 'local')}`,
-            ...status.warnings.map((warning) => `  warning: ${warning}`),
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'requirements') {
-          const result = await client.tokenRequirements({
-            components: componentsFromArgs(parsed),
-            includeBootstrap: true,
-          });
-          ctx.print([
-            'Cloudflare Token Requirements',
-            `  components: ${formatComponents(result.components)}`,
-            '  permissions:',
-            ...result.permissions.map((permission) => `    ${permission.scope}: ${permission.permission} (${permission.component}) - ${permission.reason}`),
-            ...(result.bootstrapToken.instructions.length > 0
-              ? ['  bootstrap token:', ...result.bootstrapToken.instructions.map((line) => `    ${line}`)]
-              : []),
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'create-token') {
-          if (!confirmation.yes) {
-            requireYesFlag(ctx, 'create and store a Cloudflare operational token', '/cloudflare create-token [flags] --yes');
-            return;
-          }
-          const bootstrapToken = getFlag(parsed, 'bootstrap-token') || readTokenEnv(parsed, 'bootstrap-env');
-          if (!bootstrapToken) {
-            ctx.print('Usage: /cloudflare create-token --account <account-id> (--bootstrap-token <token> | --bootstrap-env <env-name>) --yes');
-            return;
-          }
-          const result = await client.createOperationalToken({
-            components: componentsFromArgs(parsed),
-            ...optionalString('accountId', getFlag(parsed, 'account') || getFlag(parsed, 'account-id')),
-            ...optionalString('zoneId', getFlag(parsed, 'zone-id')),
-            ...optionalString('zoneName', getFlag(parsed, 'zone') || getFlag(parsed, 'zone-name')),
-            bootstrapToken,
-            storeApiToken: true,
-            persistConfig: true,
-          });
-          ctx.print([
-            'Cloudflare Operational Token Created',
-            `  token: ${result.tokenName}${result.tokenId ? ` (${result.tokenId})` : ''}`,
-            `  account: ${result.accountId}`,
-            `  zone: ${result.zoneId || '(none)'}`,
-            `  stored ref: ${result.apiTokenRef ?? '(not stored)'}`,
-            '  revoke or expire the temporary bootstrap token after validation.',
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'discover') {
-          const result = await client.discover({
-            ...cloudflareAuthInput(parsed),
-            components: componentsFromArgs(parsed),
-            ...optionalString('zoneId', getFlag(parsed, 'zone-id')),
-            ...optionalString('zoneName', getFlag(parsed, 'zone') || getFlag(parsed, 'zone-name')),
-            includeResources: !hasFlag(parsed, 'fast'),
-          });
-          ctx.print([
-            'Cloudflare Discovery',
-            `  token source: ${result.tokenSource}`,
-            `  accounts: ${result.accounts.length}`,
-            ...result.accounts.slice(0, 12).map((account) => `    account ${account.id}: ${account.name}`),
-            `  zones: ${result.zones.length}`,
-            ...result.zones.slice(0, 12).map((zone) => `    zone ${zone.id}: ${zone.name}${zone.status ? ` (${zone.status})` : ''}`),
-            `  worker subdomain: ${result.workerSubdomain || '(not detected)'}`,
-            `  queues: ${result.queues?.length ?? 0}`,
-            `  KV namespaces: ${result.kvNamespaces?.length ?? 0}`,
-            `  R2 buckets: ${result.r2Buckets?.length ?? 0}`,
-            ...result.warnings.map((warning) => `  warning: ${warning}`),
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'validate') {
-          const result = await client.validate(cloudflareAuthInput(parsed));
-          ctx.print([
-            'Cloudflare Token Validation',
-            `  ok: ${result.ok ? 'yes' : 'no'}`,
-            `  token source: ${result.tokenSource}`,
-            result.account ? `  account: ${result.account.name} (${result.account.id})` : '  account: not resolved',
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'provision') {
-          if (!confirmation.yes) {
-            requireYesFlag(ctx, 'provision Cloudflare resources and persist config', '/cloudflare provision [flags] --yes');
-            return;
-          }
-          const result = await client.provision({
-            ...cloudflareAuthInput(parsed),
-            components: componentsFromArgs(parsed),
-            ...optionalString('accountId', getFlag(parsed, 'account') || getFlag(parsed, 'account-id')),
-            ...optionalString('zoneId', getFlag(parsed, 'zone-id')),
-            ...optionalString('zoneName', getFlag(parsed, 'zone') || getFlag(parsed, 'zone-name')),
-            ...optionalString('daemonBaseUrl', getFlag(parsed, 'daemon-url')),
-            ...optionalString('daemonHostname', getFlag(parsed, 'daemon-hostname')),
-            ...optionalString('workerName', getFlag(parsed, 'worker-name')),
-            ...optionalString('workerSubdomain', getFlag(parsed, 'worker-subdomain')),
-            ...optionalString('workerHostname', getFlag(parsed, 'worker-hostname')),
-            ...optionalString('workerBaseUrl', getFlag(parsed, 'worker-url')),
-            ...optionalString('queueName', getFlag(parsed, 'queue') || getFlag(parsed, 'queue-name')),
-            ...optionalString('deadLetterQueueName', getFlag(parsed, 'dlq') || getFlag(parsed, 'dead-letter-queue')),
-            ...optionalString('tunnelName', getFlag(parsed, 'tunnel-name')),
-            ...optionalString('tunnelId', getFlag(parsed, 'tunnel-id')),
-            ...optionalString('tunnelServiceUrl', getFlag(parsed, 'tunnel-service-url')),
-            ...optionalString('tunnelTokenRef', getFlag(parsed, 'tunnel-token-ref')),
-            ...optionalString('accessAppId', getFlag(parsed, 'access-app-id')),
-            ...optionalString('accessServiceTokenId', getFlag(parsed, 'access-service-token-id')),
-            ...optionalString('accessServiceTokenRef', getFlag(parsed, 'access-service-token-ref')),
-            ...optionalString('kvNamespaceName', getFlag(parsed, 'kv-namespace-name')),
-            ...optionalString('kvNamespaceId', getFlag(parsed, 'kv-namespace-id')),
-            ...optionalString('durableObjectNamespaceName', getFlag(parsed, 'do-namespace-name') || getFlag(parsed, 'durable-object-namespace-name')),
-            ...optionalString('durableObjectNamespaceId', getFlag(parsed, 'do-namespace-id') || getFlag(parsed, 'durable-object-namespace-id')),
-            ...optionalString('r2BucketName', getFlag(parsed, 'r2-bucket-name')),
-            ...optionalString('secretsStoreName', getFlag(parsed, 'secrets-store-name')),
-            ...optionalString('secretsStoreId', getFlag(parsed, 'secrets-store-id')),
-            ...optionalString('workerCron', getFlag(parsed, 'worker-cron')),
-            ...optionalString('operatorToken', getFlag(parsed, 'operator-token')),
-            ...optionalString('operatorTokenRef', getFlag(parsed, 'operator-token-ref')),
-            ...optionalString('workerClientToken', getFlag(parsed, 'worker-client-token')),
-            ...optionalString('workerClientTokenRef', getFlag(parsed, 'worker-client-token-ref')),
-            ...optionalBatchMode(readBatchMode(parsed)),
-            persistConfig: true,
-            verify: !hasFlag(parsed, 'no-verify'),
-            storeApiToken: !hasFlag(parsed, 'no-store-token'),
-            enableWorkersDev: !hasFlag(parsed, 'no-workers-dev'),
-          });
-          ctx.print([
-            'Cloudflare Provisioning',
-            `  ok: ${result.ok ? 'yes' : 'no'}`,
-            ...(result.worker ? [`  worker: ${result.worker.name}${result.worker.baseUrl ? ` at ${result.worker.baseUrl}` : ''}`] : []),
-            ...(result.queues ? [`  queues: ${result.queues.queueName}; DLQ ${result.queues.deadLetterQueueName}`] : []),
-            ...(result.tunnel ? [`  tunnel: ${result.tunnel.name} (${result.tunnel.id})${result.tunnel.hostname ? ` ${result.tunnel.hostname}` : ''}`] : []),
-            ...(result.access ? [`  access: app=${result.access.appId || '(none)'} serviceToken=${result.access.serviceTokenId || '(none)'}`] : []),
-            ...(result.dns ? [`  dns: ${result.dns.zoneName || result.dns.zoneId} records=${result.dns.records.length}`] : []),
-            ...(result.kv ? [`  kv: ${result.kv.namespaceName} (${result.kv.namespaceId})`] : []),
-            ...(result.r2 ? [`  r2: ${result.r2.bucketName}`] : []),
-            ...(result.secretsStore ? [`  secrets store: ${result.secretsStore.storeName} (${result.secretsStore.storeId})`] : []),
-            ...formatProvisionSteps(result.steps),
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'verify') {
-          const result = await client.verify({
-            ...optionalString('workerBaseUrl', getFlag(parsed, 'worker-url')),
-            ...optionalString('workerClientToken', getFlag(parsed, 'worker-token')),
-            ...optionalString('workerClientTokenRef', getFlag(parsed, 'worker-token-ref')),
-          });
-          ctx.print([
-            'Cloudflare Verification',
-            `  ok: ${result.ok ? 'yes' : 'no'}`,
-            `  worker health: ${result.workerHealth.ok ? 'ok' : 'failed'} (HTTP ${result.workerHealth.status})${result.workerHealth.error ? ` - ${result.workerHealth.error}` : ''}`,
-            ...(result.daemonBatchProxy ? [`  daemon batch proxy: ${result.daemonBatchProxy.ok ? 'ok' : 'failed'} (HTTP ${result.daemonBatchProxy.status})${result.daemonBatchProxy.error ? ` - ${result.daemonBatchProxy.error}` : ''}`] : []),
-          ].join('\n'));
-          return;
-        }
-
-        if (subcommand === 'disable') {
-          if (!confirmation.yes) {
-            requireYesFlag(ctx, 'disable Cloudflare integration and persist config', '/cloudflare disable [flags] --yes');
-            return;
-          }
-          const result = await client.disable({
-            ...cloudflareAuthInput(parsed),
-            ...optionalString('workerName', getFlag(parsed, 'worker-name')),
-            disableWorkerSubdomain: hasFlag(parsed, 'disable-worker-subdomain'),
-            disableCron: !hasFlag(parsed, 'keep-cron'),
-            persistConfig: true,
-          });
-          ctx.print([
-            'Cloudflare Disabled',
-            `  ok: ${result.ok ? 'yes' : 'no'}`,
-            ...formatProvisionSteps(result.steps),
-          ].join('\n'));
-          return;
-        }
-
-        ctx.print('Usage: /cloudflare [status|setup|requirements|create-token --yes|discover|validate|provision --yes|verify|disable --yes] [flags]');
-      } catch (error) {
-        ctx.print(`Cloudflare ${subcommand} failed: ${formatCloudflareError(error)}`);
-      }
-    },
-  });
-}
-
-function createCloudflareClient(ctx: CommandContext): CloudflareDaemonClient {
-  const shellPaths = requireShellPaths(ctx);
-  return createCloudflareDaemonClient({
-    configManager: ctx.platform.configManager,
-    homeDirectory: shellPaths.homeDirectory,
-  });
-}
-
-function parseCloudflareArgs(args: readonly string[]): ParsedCloudflareArgs {
-  const positional: string[] = [];
-  const flags = new Map<string, string[]>();
-  for (let index = 0; index < args.length; index += 1) {
-    const arg = args[index]!;
-    if (!arg.startsWith('--')) {
-      positional.push(arg);
-      continue;
-    }
-    const raw = arg.slice(2);
-    const equalsIndex = raw.indexOf('=');
-    if (equalsIndex >= 0) {
-      const key = raw.slice(0, equalsIndex);
-      const value = raw.slice(equalsIndex + 1);
-      flags.set(key, [...(flags.get(key) ?? []), value]);
-      continue;
-    }
-    const next = args[index + 1];
-    if (next && !next.startsWith('--')) {
-      flags.set(raw, [...(flags.get(raw) ?? []), next]);
-      index += 1;
-    } else {
-      flags.set(raw, [...(flags.get(raw) ?? []), 'true']);
-    }
-  }
-  return { positional, flags };
-}
-
-function hasFlag(args: ParsedCloudflareArgs, key: string): boolean {
-  return args.flags.has(key);
-}
-
-function getFlag(args: ParsedCloudflareArgs, key: string): string {
-  const values = args.flags.get(key);
-  const value = values?.[values.length - 1] ?? '';
-  return value === 'true' ? '' : value.trim();
-}
-
-function getFlagValues(args: ParsedCloudflareArgs, key: string): readonly string[] {
-  return args.flags.get(key)?.map((value) => value.trim()).filter(Boolean) ?? [];
-}
-
-function componentsFromArgs(args: ParsedCloudflareArgs): Record<CloudflareComponent, boolean> {
-  const components: Record<CloudflareComponent, boolean> = { ...DEFAULT_CLOUDFLARE_COMPONENT_SELECTION };
-  if (hasFlag(args, 'all') || hasFlag(args, 'advanced')) {
-    for (const component of CLOUDFLARE_COMPONENT_IDS) components[component] = true;
-  }
-  for (const raw of [...args.positional, ...getFlagValues(args, 'component')]) {
-    const normalized = normalizeComponent(raw);
-    if (normalized) components[normalized] = true;
-  }
-  for (const raw of getFlagValues(args, 'no-component')) {
-    const normalized = normalizeComponent(raw);
-    if (normalized) components[normalized] = false;
-  }
-  return components;
-}
-
-function normalizeComponent(value: string): CloudflareComponent | null {
-  const normalized = value.trim().toLowerCase().replace(/[-_]/g, '');
-  for (const component of CLOUDFLARE_COMPONENT_IDS) {
-    if (component.toLowerCase() === normalized) return component;
-  }
-  if (normalized === 'workerscript' || normalized === 'worker') return 'workers';
-  if (normalized === 'queue') return 'queues';
-  if (normalized === 'tunnel') return 'zeroTrustTunnel';
-  if (normalized === 'access') return 'zeroTrustAccess';
-  if (normalized === 'domain' || normalized === 'hostname') return 'dns';
-  if (normalized === 'do' || normalized === 'durableobject') return 'durableObjects';
-  if (normalized === 'secret' || normalized === 'secrets') return 'secretsStore';
-  return null;
-}
-
-function formatComponents(components: CloudflareComponentSelection): string {
-  const selected = CLOUDFLARE_COMPONENT_IDS
-    .filter((component) => components[component] === true)
-    .map((component) => CLOUDFLARE_COMPONENT_LABELS[component]);
-  return selected.length > 0 ? selected.join(', ') : 'none';
-}
-
-function cloudflareAuthInput(args: ParsedCloudflareArgs): {
-  readonly accountId?: string;
-  readonly apiToken?: string;
-  readonly apiTokenRef?: string;
-} {
-  const token = getFlag(args, 'token') || readTokenEnv(args, 'token-env');
-  const tokenRef = getFlag(args, 'token-ref');
-  return {
-    ...optionalString('accountId', getFlag(args, 'account') || getFlag(args, 'account-id')),
-    ...(token ? { apiToken: token } : tokenRef ? { apiTokenRef: tokenRef } : {}),
-  };
-}
-
-function readTokenEnv(args: ParsedCloudflareArgs, key: string): string {
-  const envName = getFlag(args, key);
-  if (!envName) return '';
-  return process.env[envName] ?? '';
-}
-
-function readBatchMode(args: ParsedCloudflareArgs): 'off' | 'explicit' | 'eligible-by-default' | undefined {
-  const value = getFlag(args, 'batch-mode');
-  if (value === 'off' || value === 'explicit' || value === 'eligible-by-default') return value;
-  return undefined;
-}
-
-function optionalString<K extends string>(key: K, value: string): Partial<Record<K, string>> {
-  return value.trim().length > 0 ? { [key]: value.trim() } as Partial<Record<K, string>> : {};
-}
-
-function optionalBatchMode(value: ReturnType<typeof readBatchMode>): { readonly batchMode?: 'off' | 'explicit' | 'eligible-by-default' } {
-  return value ? { batchMode: value } : {};
-}
-
-function formatProvisionSteps(steps: readonly CloudflareProvisionStep[]): string[] {
-  return steps.length > 0
-    ? steps.map((step) => `  ${step.status}: ${step.name}${step.message ? ` - ${step.message}` : ''}`)
-    : ['  no steps returned'];
-}
-
-function formatCloudflareError(error: unknown): string {
-  if (error instanceof CloudflareDaemonRouteError) {
-    return `${error.message} (HTTP ${error.status}, ${error.code})`;
-  }
-  return error instanceof Error ? error.message : String(error);
-}