@pellux/goodvibes-agent 0.1.80 → 0.1.82

package/src/input/commands/health-runtime.ts

@@ -8,7 +8,6 @@ import { getSettingsControlPlaneSnapshot } from '@/runtime/index.ts';
 import { checkRecoveryFile, readLastSessionPointer } from '@/runtime/index.ts';
 import {
   openCommandPanel,
-  requireLocalUserAuthManager,
   requireOperatorClient,
   requireProviderApi,
   requireReadModels,
@@ -78,12 +77,13 @@ export function registerHealthRuntimeCommands(registry: CommandRegistry): void {
       if (sub === 'auth') {
         const auth = readModels.localAuth.getSnapshot();
         ctx.print([
-          'Health Review: Local Auth',
-          `  users: ${auth.userCount}`,
-          `  sessions: ${auth.sessionCount}`,
-          `  bootstrap file: ${auth.bootstrapCredentialPresent ? 'present' : 'cleared'}`,
-          ...(auth.userCount <= 1 ? ['  issue: only one local auth user configured'] : []),
-          ...(auth.bootstrapCredentialPresent ? ['  issue: bootstrap credential file still present; rotate or clear it when no longer needed'] : []),
+          'Health Review: Runtime Auth',
+          '  owner: external GoodVibes runtime host',
+          `  compatibility users visible: ${auth.userCount}`,
+          `  compatibility sessions visible: ${auth.sessionCount}`,
+          `  bootstrap file signal: ${auth.bootstrapCredentialPresent ? 'present' : 'cleared'}`,
+          '  Agent action: review provider/subscription auth only; do not mutate runtime auth users or bootstrap credentials.',
+          ...(auth.bootstrapCredentialPresent ? ['  issue: bootstrap cleanup belongs to the runtime-owning TUI or host tooling'] : []),
         ].join('\n'));
         return;
       }
@@ -222,13 +222,11 @@ export function registerHealthRuntimeCommands(registry: CommandRegistry): void {
           ));
           lines.push('  verify: /health settings');
         } else if (domain === 'auth') {
-          const auth = requireLocalUserAuthManager(ctx).inspect();
           lines.push('  domain: auth');
-          lines.push(...(
-            auth.bootstrapCredentialPresent
-              ? ['  /auth local review', '  /auth local rotate-password admin <password> --yes', '  /auth local clear-bootstrap-file --yes']
-              : ['  /auth local review']
-          ));
+          lines.push('  /auth review');
+          lines.push('  /providers');
+          lines.push('  /subscription providers');
+          lines.push('  runtime auth users/bootstrap cleanup: use the runtime-owning GoodVibes TUI or host tooling');
           lines.push('  verify: /health auth');
         } else if (domain === 'accounts') {
           lines.push('  domain: accounts');
@@ -316,7 +314,7 @@ export function registerHealthRuntimeCommands(registry: CommandRegistry): void {
         `  account issues: ${accountSnapshot.issueCount}`,
         `  settings conflicts: ${settingsSnapshot.conflicts.length}`,
         `  managed locks: ${settingsSnapshot.managedLockCount}`,
-        `  local auth users: ${readModels.localAuth.getSnapshot().userCount}`,
+        `  runtime auth owner: external`,
         `  remote workers: ${snapshot.remoteRunnerCount}`,
         ...formatSessionMaintenanceLines(maintenance, 'guided').map((line) => `  ${line}`),
         ...(snapshot.issues.length > 0 ? ['', ...snapshot.issues.map((issue) => `  [${issue.severity.toUpperCase()}] ${issue.area}: ${issue.message}`)] : []),

package/src/input/commands/platform-access-runtime.ts

@@ -2,7 +2,6 @@ import { mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { dirname } from 'node:path';
 import type { CommandRegistry } from '../command-registry.ts';
 import { listBuiltinSubscriptionProviders } from '@pellux/goodvibes-sdk/platform/config';
-import { handleLocalAuthCommand } from './local-auth-runtime.ts';
 import { buildAuthInspectionSnapshot, inspectProviderAuth } from '@/runtime/index.ts';
 import { requireSecretsManager, requireServiceRegistry, requireShellPaths, requireSubscriptionManager } from './runtime-services.ts';
 import { requireYesFlag, stripYesFlag } from './confirmation.ts';
@@ -113,7 +112,7 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
   registry.register({
     name: 'auth',
     description: 'Review auth posture and exchange session login tokens with local services',
-    usage: '[review|show <provider>|repair <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes|local <review|panel|add-user --yes|delete-user --yes|rotate-password --yes|revoke-session --yes|clear-bootstrap-file --yes>]',
+    usage: '[review|show <provider>|repair <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes]',
     async handler(args, ctx) {
       const parsed = stripYesFlag(args);
       const commandArgs = [...parsed.rest];
@@ -123,7 +122,12 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
       const serviceRegistry = requireServiceRegistry(ctx);
       const secretsManager = requireSecretsManager(ctx);
       if (sub === 'local') {
-        handleLocalAuthCommand(args.slice(1), ctx);
+        ctx.print([
+          'Local runtime auth management is external to GoodVibes Agent.',
+          'Agent connects to an already-running GoodVibes runtime and does not create, delete, rotate, revoke, or clear runtime auth users, sessions, or bootstrap credentials.',
+          'Use the runtime-owning GoodVibes TUI or host tooling for runtime auth administration.',
+          'Agent auth commands available here: /auth review, /auth show <provider>, /auth repair <provider>, /auth login <runtime|listener> ... --yes.',
+        ].join('\n'));
         return;
       }
       if (sub === 'review') {
@@ -270,7 +274,7 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
         return;
       }
 
-      ctx.print('Usage: /auth [review|show <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes|local <review|panel|add-user --yes|delete-user --yes|rotate-password --yes|revoke-session --yes|clear-bootstrap-file --yes>]');
+      ctx.print('Usage: /auth [review|show <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes]');
     },
   });
 }

package/src/input/commands.ts

@@ -23,7 +23,6 @@ import { registerTasksRuntimeCommands } from './commands/tasks-runtime.ts';
 import { registerLocalProviderRuntimeCommands } from './commands/local-provider-runtime.ts';
 import { registerHealthRuntimeCommands } from './commands/health-runtime.ts';
 import { registerProviderAccountsRuntimeCommands } from './commands/provider-accounts-runtime.ts';
-import { registerLocalAuthRuntimeCommands } from './commands/local-auth-runtime.ts';
 import { registerConversationRuntimeCommands } from './commands/conversation-runtime.ts';
 import { registerQrcodeRuntimeCommands } from './commands/qrcode-runtime.ts';
 import { registerOnboardingRuntimeCommands } from './commands/onboarding-runtime.ts';
@@ -62,7 +61,6 @@ export function registerBuiltinCommands(registry: CommandRegistry): void {
   registerLocalProviderRuntimeCommands(registry);
   registerHealthRuntimeCommands(registry);
   registerProviderAccountsRuntimeCommands(registry);
-  registerLocalAuthRuntimeCommands(registry);
   registerConversationRuntimeCommands(registry);
   registerQrcodeRuntimeCommands(registry);
   registerOnboardingRuntimeCommands(registry);

package/src/input/onboarding/onboarding-wizard-helpers.ts

@@ -49,7 +49,7 @@ export function buildDefaultDerivedState(): OnboardingStepDerivationState {
         required: false,
         accepted: false,
         reason: 'not-needed',
-        detail: 'No local auth state needs confirmation.',
+        detail: 'No external runtime auth signal needs confirmation.',
       },
     },
   };

package/src/panels/builtin/operations.ts

@@ -2,7 +2,6 @@ import type { PanelManager } from '../panel-manager.ts';
 import { ApprovalPanel } from '../approval-panel.ts';
 import { AutomationControlPanel } from '../automation-control-panel.ts';
 import { SubscriptionPanel } from '../subscription-panel.ts';
-import { LocalAuthPanel } from '../local-auth-panel.ts';
 import { ProviderAccountsPanel } from '../provider-accounts-panel.ts';
 import { SecurityPanel } from '../security-panel.ts';
 import { TasksPanel } from '../tasks-panel.ts';
@@ -59,15 +58,6 @@ export function registerOperationsPanels(manager: PanelManager, deps: ResolvedBu
     factory: () => new SubscriptionPanel(deps.serviceRegistry, deps.subscriptionManager),
   });
 
-  manager.registerType({
-    id: 'local-auth',
-    name: 'Local Auth',
-    icon: 'U',
-    category: 'monitoring',
-    description: 'Local runtime auth users, bootstrap posture, and active sessions',
-    factory: () => new LocalAuthPanel(deps.localUserAuthManager),
-  });
-
   manager.registerType({
     id: 'accounts',
     name: 'Accounts',

package/src/panels/provider-health-domains.ts

@@ -44,18 +44,19 @@ export function buildProviderHealthDomainSummaries(
 
   summaries.push({
     name: 'auth',
-    level: auth.bootstrapCredentialPresent || auth.userCount <= 1 ? 'warn' : 'good',
+    level: auth.bootstrapCredentialPresent ? 'warn' : 'info',
     summary: auth.bootstrapCredentialPresent
-      ? 'bootstrap credential file still present'
-      : `${auth.userCount} users / ${auth.sessionCount} sessions`,
-    next: auth.bootstrapCredentialPresent ? '/auth local clear-bootstrap-file --yes' : '/auth local review',
+      ? 'external runtime bootstrap credential visible in local compatibility state'
+      : 'runtime auth administration belongs to the external runtime owner',
+    next: '/auth review',
     details: [
-      auth.bootstrapCredentialPresent ? 'bootstrap credential file should be cleared after rotation' : `${auth.userCount} local auth users configured`,
-      auth.userCount <= 1 ? 'only one local auth user configured' : `${auth.sessionCount} active local auth sessions`,
+      'GoodVibes Agent does not create, delete, rotate, revoke, or clear runtime auth users or sessions.',
+      `${auth.userCount} compatibility user record(s) and ${auth.sessionCount} session record(s) are visible for diagnostics only.`,
+      auth.bootstrapCredentialPresent ? 'Runtime bootstrap cleanup must be done from the runtime-owning TUI or host tooling.' : '',
     ].filter(Boolean),
     nextSteps: auth.bootstrapCredentialPresent
-      ? ['/auth local review', '/auth local rotate-password <user> <password> --yes', '/auth local clear-bootstrap-file --yes']
-      : ['/auth local review'],
+      ? ['/auth review', '/providers', '/subscription providers']
+      : ['/auth review', '/providers'],
   });
 
   const settingIssueCount = settings.conflictCount + settings.recentFailureCount + (settings.hasStagedManagedBundle ? 1 : 0);

package/src/renderer/agent-workspace.ts

@@ -196,10 +196,10 @@ function snapshotLines(workspace: AgentWorkspace, category: AgentWorkspaceCatego
     base.push(
       { text: `GoodVibes runtime: ${snapshot.daemonBaseUrl}`, fg: PALETTE.info },
       { text: `Runtime owner: ${snapshot.daemonOwnership}; Agent connects but never starts or restarts it`, fg: PALETTE.good },
+      ...setupChecklistLines(snapshot),
+      { text: '' },
       { text: `Workspace: ${snapshot.workingDirectory}`, fg: PALETTE.muted },
       { text: `Home: ${snapshot.homeDirectory}`, fg: PALETTE.muted },
-      { text: '' },
-      ...setupChecklistLines(snapshot),
     );
   } else if (category.id === 'channels') {
     const enabledCount = snapshot.channels.filter((channel) => channel.enabled).length;
@@ -283,10 +283,11 @@ function snapshotLines(workspace: AgentWorkspace, category: AgentWorkspaceCatego
     base.push(
       { text: `Active Agent profile: ${snapshot.activeRuntimeProfile}`, fg: PALETTE.info },
       { text: `Agent profiles under this home: ${snapshot.runtimeProfileCount}`, fg: PALETTE.info },
-      { text: `Agent profile root: ${snapshot.runtimeProfileRoot}`, fg: PALETTE.muted },
       { text: `Starter templates: ${snapshot.runtimeStarterTemplateCount}; local custom: ${snapshot.localStarterTemplateCount}`, fg: PALETTE.info },
       { text: `Config profiles: ${snapshot.configProfileCount}`, fg: PALETTE.info },
       { text: `Starter ids: ${snapshot.runtimeStarterTemplates.map((template) => template.id).join(', ') || 'none'}`, fg: PALETTE.info },
+      { text: 'Starter Templates', fg: PALETTE.title, bold: true },
+      { text: `Agent profile root: ${snapshot.runtimeProfileRoot}`, fg: PALETTE.muted },
       { text: '' },
       ...profileLines(snapshot),
       { text: '' },
@@ -301,7 +302,7 @@ function snapshotLines(workspace: AgentWorkspace, category: AgentWorkspaceCatego
     base.push(
       { text: `Session memories: ${snapshot.sessionMemoryCount}`, fg: PALETTE.info },
       { text: `Local routines: ${snapshot.localRoutineCount}; enabled: ${snapshot.enabledRoutineCount}`, fg: PALETTE.info },
-      { text: `Local skills: ${snapshot.localSkillCount}; enabled: ${snapshot.enabledSkillCount}`, fg: PALETTE.info },
+      { text: `Local skills: ${snapshot.localSkillCount}; enabled: ${snapshot.enabledSkillCount}; bundles: ${snapshot.localSkillBundleCount}; active skills: ${snapshot.activeSkillCount}`, fg: PALETTE.info },
       { text: `Local personas: ${snapshot.localPersonaCount}; active: ${snapshot.activePersonaName}`, fg: PALETTE.info },
       { text: 'Durable memory, routines, skills, and personas remain Agent-local until shared registry contracts exist.', fg: PALETTE.good },
       { text: 'Secrets are rejected/redacted; store secret references instead of secret values.', fg: PALETTE.warn },
@@ -316,11 +317,13 @@ function snapshotLines(workspace: AgentWorkspace, category: AgentWorkspaceCatego
     );
   } else if (category.id === 'skills') {
     base.push(
-      { text: `Skills: ${snapshot.localSkillCount}; enabled: ${snapshot.enabledSkillCount}`, fg: PALETTE.info },
+      { text: `Skills: ${snapshot.localSkillCount}; enabled: ${snapshot.enabledSkillCount}; bundles: ${snapshot.localSkillBundleCount}; enabled bundles: ${snapshot.enabledSkillBundleCount}; active skills: ${snapshot.activeSkillCount}`, fg: PALETTE.info },
       { text: 'Skills are reusable local procedures the assistant can apply from the main conversation.', fg: PALETTE.good },
-      { text: 'Enabled skills are injected as operating guidance; secret-looking content is rejected.', fg: PALETTE.warn },
+      { text: 'Enabled skills and enabled bundles are injected as operating guidance; secret-looking content is rejected.', fg: PALETTE.warn },
       { text: '' },
       ...localLibraryLines('Skill Library', snapshot.localSkills, 'No local skills yet. Create one here with Create skill.', workspace.selectedLocalLibraryItem('skill')?.id ?? null),
+      { text: '' },
+      ...localLibraryLines('Skill Bundles', snapshot.localSkillBundles, 'No local skill bundles yet. Use Skill bundles and Create bundle after creating skills.', null),
     );
   } else if (category.id === 'routines') {
     base.push(

package/src/runtime/onboarding/apply.ts

@@ -62,22 +62,6 @@ function setNestedValue(root: Record<string, unknown>, key: string, value: unkno
 
 type RollbackAction = () => Promise<void> | void;
 
-interface BootstrapCredential {
-  readonly username: string;
-  readonly password: string;
-}
-
-interface PersistedAuthUser {
-  readonly username: string;
-  readonly passwordHash: string;
-  readonly roles?: readonly string[];
-}
-
-interface MutableAuthManager {
-  readonly users?: Map<string, PersistedAuthUser>;
-  readonly sessions?: Map<string, { readonly token: string; readonly username: string; readonly expiresAt: number }>;
-}
-
 function restoreFile(path: string, previous: string | null, reload?: () => void): void {
   if (previous === null) {
     if (existsSync(path)) unlinkSync(path);
@@ -88,31 +72,6 @@ function restoreFile(path: string, previous: string | null, reload?: () => void)
   reload?.();
 }
 
-function parseBootstrapCredential(content: string | null): BootstrapCredential | null {
-  if (content === null) return null;
-  let username = '';
-  let password = '';
-  for (const rawLine of content.split('\n')) {
-    const line = rawLine.trim();
-    if (line.startsWith('username=')) username = line.slice('username='.length);
-    if (line.startsWith('password=')) password = line.slice('password='.length);
-  }
-  return username.length > 0 && password.length > 0 ? { username, password } : null;
-}
-
-function parsePersistedAuthUsers(content: string): readonly PersistedAuthUser[] {
-  const parsed = JSON.parse(content) as unknown;
-  if (!isPlainObject(parsed) || parsed.version !== 1 || !Array.isArray(parsed.users)) {
-    throw new Error('Expected a version 1 local auth user store.');
-  }
-  return parsed.users.filter((user): user is PersistedAuthUser => (
-    isPlainObject(user)
-    && typeof user.username === 'string'
-    && typeof user.passwordHash === 'string'
-    && (user.roles === undefined || (Array.isArray(user.roles) && user.roles.every((role) => typeof role === 'string')))
-  ));
-}
-
 function snapshotFileRollback(path: string, reload?: () => void): RollbackAction {
   const previous = existsSync(path) ? readFileSync(path, 'utf-8') : null;
   return () => restoreFile(path, previous, reload);
@@ -227,18 +186,10 @@ function validateSecretOperation(
 }
 
 function validateAuthOperation(
-  deps: OnboardingApplyDependencies,
-  operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
+  _deps: OnboardingApplyDependencies,
+  _operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
 ): void {
-  if (!deps.auth) throw new Error('Local auth management is unavailable.');
-  if (operation.username.trim().length === 0) throw new Error('Local auth username is required.');
-  if (operation.password.length === 0) throw new Error(`Local auth password for ${operation.username} is required.`);
-  const username = operation.username.trim();
-  const existing = deps.auth.inspect().users.find((user) => user.username === username);
-  const requiredRoles = operation.roles ?? ['admin'];
-  if (existing && !requiredRoles.every((role) => existing.roles.includes(role))) {
-    throw new Error(`Existing local auth user ${username} is missing required role(s): ${requiredRoles.join(', ')}.`);
-  }
+  throw new Error('Runtime auth user/session administration is external to GoodVibes Agent onboarding.');
 }
 
 function validateAcknowledgementOperation(
@@ -313,44 +264,6 @@ async function applySecretOperation(
   };
 }
 
-function applyAuthOperation(
-  deps: OnboardingApplyDependencies,
-  operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
-): OnboardingAppliedOperation {
-  validateAuthOperation(deps, operation);
-  const auth = deps.auth!;
-  const username = operation.username.trim();
-  const before = auth.inspect();
-  const existing = before.users.find((user) => user.username === username);
-  const bootstrapCredential = before.bootstrapCredentialPresent
-    ? parseBootstrapCredential(readFileSync(before.bootstrapCredentialPath, 'utf-8'))
-    : null;
-
-  if (existing) {
-    auth.rotatePassword(username, operation.password);
-  } else {
-    auth.addUser(username, operation.password, operation.roles ?? ['admin']);
-  }
-
-  if (operation.retireBootstrapCredential) {
-    if (bootstrapCredential && bootstrapCredential.username !== username && auth.getUser(bootstrapCredential.username)) {
-      auth.deleteUser(bootstrapCredential.username);
-    }
-    auth.clearBootstrapCredentialFile();
-  }
-
-  if (operation.createSession ?? true) {
-    auth.createSession(username);
-  }
-
-  return {
-    kind: operation.kind,
-    summary: existing
-      ? `Updated local auth user ${username}.`
-      : `Created local auth user ${username}.`,
-  };
-}
-
 async function buildSecretRollbackAction(
   deps: OnboardingApplyDependencies,
   operation: Extract<OnboardingApplyOperation, { kind: 'set-secret' }>,
@@ -369,67 +282,6 @@ async function buildSecretRollbackAction(
   };
 }
 
-function buildAuthRollbackAction(
-  deps: OnboardingApplyDependencies,
-  operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
-): RollbackAction {
-  validateAuthOperation(deps, operation);
-  const auth = deps.auth!;
-  const mutable = auth as unknown as MutableAuthManager;
-  const username = operation.username.trim();
-  const before = auth.inspect();
-  const existingUser = before.users.find((user) => user.username === username);
-  const existingSessionFingerprints = new Set(before.sessions
-    .filter((session) => session.username === username)
-    .map((session) => session.tokenFingerprint));
-  const userStoreSnapshot = existsSync(before.userStorePath) ? readFileSync(before.userStorePath, 'utf-8') : null;
-  const bootstrapCredentialSnapshot = existsSync(before.bootstrapCredentialPath)
-    ? readFileSync(before.bootstrapCredentialPath, 'utf-8')
-    : null;
-  const bootstrapCredential = parseBootstrapCredential(bootstrapCredentialSnapshot);
-  const beforeSessions = mutable.sessions instanceof Map
-    ? [...mutable.sessions.entries()].map(([token, session]) => [token, { ...session }] as const)
-    : [];
-
-  return () => {
-    for (const session of auth.inspect().sessions) {
-      if (session.username === username && !existingSessionFingerprints.has(session.tokenFingerprint)) {
-        auth.revokeSession(session.tokenFingerprint);
-      }
-    }
-
-    if (bootstrapCredential && !auth.getUser(bootstrapCredential.username)) {
-      auth.addUser(bootstrapCredential.username, bootstrapCredential.password, ['admin']);
-    }
-
-    if (!existingUser && auth.getUser(username)) {
-      try {
-        auth.deleteUser(username);
-      } catch (error) {
-        if (mutable.users instanceof Map) mutable.users.delete(username);
-        else throw error;
-      }
-    }
-
-    restoreFile(before.bootstrapCredentialPath, bootstrapCredentialSnapshot);
-    restoreFile(before.userStorePath, userStoreSnapshot);
-
-    if (mutable.users instanceof Map) {
-      if (userStoreSnapshot === null) {
-        if (before.users.length === 0) mutable.users.clear();
-      } else {
-        mutable.users.clear();
-        for (const user of parsePersistedAuthUsers(userStoreSnapshot)) mutable.users.set(user.username, user);
-      }
-    }
-
-    if (mutable.sessions instanceof Map) {
-      mutable.sessions.clear();
-      for (const [token, session] of beforeSessions) mutable.sessions.set(token, session);
-    }
-  };
-}
-
 async function buildRollbackAction(
   deps: OnboardingApplyDependencies,
   operation: OnboardingApplyOperation,
@@ -453,7 +305,8 @@ async function buildRollbackAction(
   }
 
   if (operation.kind === 'ensure-auth-user') {
-    return buildAuthRollbackAction(deps, operation);
+    validateAuthOperation(deps, operation);
+    return () => {};
   }
 
   if (operation.kind === 'acknowledge') {
@@ -633,8 +486,7 @@ export async function applyOnboardingRequest(
         }
 
         if (operation.kind === 'ensure-auth-user') {
-          applied.push(applyAuthOperation(deps, operation));
-          rollbacks.push(rollback);
+          validateAuthOperation(deps, operation);
           continue;
         }
 

package/src/runtime/onboarding/derivation.ts

@@ -500,23 +500,23 @@ export function deriveReopenEditAcknowledgementState(
         snapshot,
         'auth',
         'bootstrap-credential',
-        'The local auth bootstrap credential file is still present.',
+        'An external runtime bootstrap credential signal is still visible to Agent.',
       )
     : authSessionCount > 0
       ? buildRequiredAcknowledgement(
           snapshot,
           'auth',
           'active-sessions',
-          `${authSessionCount} local auth session(s) are currently active.`,
+          `${authSessionCount} external runtime auth session signal(s) are currently visible.`,
         )
       : authUserCount > 0
         ? buildRequiredAcknowledgement(
             snapshot,
             'auth',
             'auth-state',
-            `${authUserCount} local auth user(s) are already configured.`,
+            `${authUserCount} external runtime auth user signal(s) are already visible.`,
           )
-        : buildNotNeededAcknowledgement(snapshot, 'auth', 'No local auth state needs confirmation.');
+        : buildNotNeededAcknowledgement(snapshot, 'auth', 'No external runtime auth signal needs confirmation.');
 
   return {
     providers,

package/src/runtime/onboarding/types.ts

@@ -383,17 +383,7 @@ export interface OnboardingApplyDependencies {
   readonly clock?: () => number;
   readonly config: Pick<ConfigManager, 'get' | 'getRaw' | 'load' | 'setDynamic'>;
   readonly secrets?: Pick<SecretsManager, 'delete' | 'get' | 'inspect' | 'set'>;
-  readonly auth?: Pick<
-    UserAuthManager,
-    'addUser'
-    | 'clearBootstrapCredentialFile'
-    | 'createSession'
-    | 'deleteUser'
-    | 'getUser'
-    | 'inspect'
-    | 'revokeSession'
-    | 'rotatePassword'
-  >;
+  readonly auth?: Pick<UserAuthManager, 'inspect'>;
   readonly shellPaths: OnboardingShellPaths;
   readonly acknowledgementScope?: OnboardingStateScope;
 }

package/src/runtime/onboarding/verify.ts

@@ -116,36 +116,14 @@ async function verifySecretOperation(
 }
 
 function verifyAuthOperation(
-  deps: OnboardingVerificationDependencies,
+  _deps: OnboardingVerificationDependencies,
   operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
 ): OnboardingVerificationItem {
-  if (!deps.auth) {
-    return {
-      id: `auth:${operation.username}`,
-      status: 'fail',
-      message: 'Local auth manager is unavailable.',
-      target: operation.username,
-    };
-  }
-
-  const snapshot = deps.auth.inspect();
   const username = operation.username.trim();
-  const user = snapshot.users.find((entry) => entry.username === username);
-  const requiredRoles = operation.roles ?? ['admin'];
-  const userExists = Boolean(user) && requiredRoles.every((role) => user!.roles.includes(role));
-  const sessionExists = operation.createSession === false
-    ? true
-    : snapshot.sessions.some((session) => session.username === username);
-  const bootstrapRetired = operation.retireBootstrapCredential
-    ? snapshot.bootstrapCredentialPresent === false
-    : true;
-  const ok = userExists && sessionExists && bootstrapRetired;
   return {
     id: `auth:${username}`,
-    status: ok ? 'pass' : 'fail',
-    message: ok
-      ? `${username} local auth user has required role(s) and session state.`
-      : `${username} local auth user/session/role/bootstrap state was not created.`,
+    status: 'fail',
+    message: 'Runtime auth user/session administration is external to GoodVibes Agent onboarding.',
     target: username,
   };
 }

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.80';
+let _version = '0.1.82';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {