@pellux/goodvibes-agent 0.1.81 → 0.1.82

package/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to GoodVibes Agent will be recorded here.
 
+## 0.1.82 - 2026-06-01
+
+- 3185531 Remove Agent local auth ownership paths
+
 ## 0.1.81 - 2026-06-01
 
 - Added local Agent skill bundles so users can group related local skills, enable or disable the bundle, and inject the bundle's member procedures into the same serial assistant conversation.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-agent",
-  "version": "0.1.81",
+  "version": "0.1.82",
   "private": false,
   "description": "GoodVibes personal operator assistant TUI with a proactive Agent product brain, isolated Agent Knowledge, local profiles, routines, skills, personas, and explicit build delegation.",
   "type": "module",

package/src/cli/help.ts

@@ -38,7 +38,7 @@ export function renderGoodVibesHelp(binary = 'goodvibes-agent'): string {
     '  providers                  List/inspect/use provider config/auth posture',
     '  profiles                   Manage isolated Agent profile homes',
     '  routines                   Inspect local routines and explicitly promote one to an external schedule',
-    '  auth                       Inspect and manage local users, sessions, and bootstrap auth',
+    '  auth                       Inspect Agent auth posture and external runtime token state',
     '  compat                     Inspect Agent SDK pin, runtime version, and Agent knowledge route readiness',
     '  knowledge                  Use isolated Agent Knowledge/Wiki routes',
     '  ask|search                 Shortcuts for isolated Agent Knowledge ask/search',
@@ -170,9 +170,9 @@ const COMMAND_HELP: Record<string, CommandHelp> = {
     examples: ['models current', 'models openai', 'models use openai:gpt-5.4'],
   },
   auth: {
-    usage: ['auth status', 'auth users', 'auth sessions', 'auth add-user <username>', 'auth clear-bootstrap'],
-    summary: 'Inspect and manage local admin users, bootstrap auth, and local sessions.',
-    examples: ['auth', 'auth add-user admin --password-stdin', 'auth clear-bootstrap'],
+    usage: ['auth', 'auth status', 'auth review', 'auth users', 'auth sessions'],
+    summary: 'Inspect Agent auth posture and external runtime token state. Runtime user/session administration belongs to the runtime-owning TUI or host tooling.',
+    examples: ['auth', 'auth status', 'auth users'],
   },
   compat: {
     usage: ['compat', 'compat --json'],

package/src/cli/management.ts

@@ -1,4 +1,4 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import net from 'node:net';
 import { spawn } from 'node:child_process';
@@ -21,7 +21,6 @@ import { beginOpenAICodexLogin, exchangeOpenAICodexCode } from '@pellux/goodvibe
 import { inspectProviderAuth } from '@/runtime/index.ts';
 import { getOrCreateCompanionToken, buildCompanionConnectionInfo, encodeConnectionPayload, formatConnectionBlock } from '@pellux/goodvibes-sdk/platform/pairing';
 import { generateQrMatrix, renderQrToString } from '@pellux/goodvibes-sdk/platform/pairing';
-import { UserAuthManager } from '@pellux/goodvibes-sdk/platform/security';
 import type { GoodVibesCliParseResult } from './types.ts';
 import { formatProviderAuthRoute, summarizeProviderAuthRoutes } from './provider-auth-routes.ts';
 import { classifyProviderSetup } from './provider-classification.ts';
@@ -60,7 +59,7 @@ export function formatJsonOrText(cli: GoodVibesCliParseResult): Formatter {
 }
 
 function exitCodeForText(output: string): number {
-  if (output.startsWith('Usage:') || output.startsWith('Invalid ')) return 2;
+  if (output.startsWith('Usage:') || output.startsWith('Invalid ') || output.startsWith('Unsupported:')) return 2;
   if (output.startsWith('Session not found:') || output.startsWith('Unknown task:') || output.startsWith('Task submit failed ')) return 1;
   if (output.startsWith('No stored ') || output.startsWith('No pending ') || output.startsWith('No model ') || output.startsWith('No provider ') || output.startsWith('No auth ')) return 1;
   if (output.startsWith('Unknown ')) return 1;
@@ -74,59 +73,10 @@ function splitCommandOption(token: string): { readonly name: string; readonly va
   return { name: token.slice(0, index), value: token.slice(index + 1) };
 }
 
-function readOptionValue(args: readonly string[], name: string): string | undefined {
-  for (let index = 0; index < args.length; index += 1) {
-    const token = args[index]!;
-    const split = splitCommandOption(token);
-    if (split.name !== name) continue;
-    if (split.value !== undefined) return split.value;
-    const next = args[index + 1];
-    if (next === undefined || next.startsWith('--')) return undefined;
-    return next;
-  }
-  return undefined;
-}
-
-function readOptionValues(args: readonly string[], name: string): string[] {
-  const values: string[] = [];
-  for (let index = 0; index < args.length; index += 1) {
-    const token = args[index]!;
-    const split = splitCommandOption(token);
-    if (split.name !== name) continue;
-    if (split.value !== undefined) {
-      values.push(split.value);
-      continue;
-    }
-    const next = args[index + 1];
-    if (next !== undefined && !next.startsWith('--')) values.push(next);
-  }
-  return values;
-}
-
 export function hasCommandFlag(args: readonly string[], name: string): boolean {
   return args.some((arg) => splitCommandOption(arg).name === name);
 }
 
-function commandValues(args: readonly string[]): string[] {
-  const values: string[] = [];
-  for (let index = 0; index < args.length; index += 1) {
-    const token = args[index]!;
-    if (!token.startsWith('--')) {
-      values.push(token);
-      continue;
-    }
-    if (!token.includes('=') && args[index + 1] && !args[index + 1]!.startsWith('--')) index += 1;
-  }
-  return values;
-}
-
-function readPassword(args: readonly string[]): string | null {
-  const explicit = readOptionValue(args, '--password');
-  if (explicit !== undefined) return explicit;
-  if (hasCommandFlag(args, '--password-stdin')) return readFileSync(0, 'utf-8').trimEnd();
-  return process.env.GOODVIBES_AUTH_PASSWORD ?? null;
-}
-
 export function extractAuthorizationCode(input: string): string {
   try {
     const url = new URL(input);
@@ -291,14 +241,6 @@ export function readAuthPaths(runtime: CliCommandRuntime) {
   };
 }
 
-function createCliLocalUserAuthManager(runtime: CliCommandRuntime): UserAuthManager {
-  const paths = readAuthPaths(runtime);
-  return new UserAuthManager({
-    bootstrapFilePath: paths.userStorePath,
-    bootstrapCredentialPath: paths.bootstrapCredentialPath,
-  });
-}
-
 export async function runNonInteractiveAgent(runtime: CliCommandRuntime): Promise<number> {
   const prompt = runtime.cli.flags.prompt ?? runtime.cli.positionals.join(' ').trim();
   if (!prompt) {
@@ -584,84 +526,60 @@ async function renderModels(runtime: CliCommandRuntime): Promise<string> {
 }
 
 async function renderAuth(runtime: CliCommandRuntime): Promise<string> {
-  const localUserAuthManager = createCliLocalUserAuthManager(runtime);
-    const [sub = 'status', ...rawRest] = runtime.cli.commandArgs;
-    const rest = commandValues(rawRest);
-    if (sub === 'add-user' || sub === 'add') {
-      const username = rest[0];
-      if (!username) return 'Usage: goodvibes auth add-user <username> [--password <value>|--password-stdin] [--role <role>]';
-      const password = readPassword(rawRest);
-      if (!password) return 'Usage: goodvibes auth add-user <username> [--password <value>|--password-stdin] [--role <role>]';
-      const roles = readOptionValues(rawRest, '--role').filter((role) => role.length > 0);
-      const user = localUserAuthManager.addUser(username, password, roles.length > 0 ? roles : ['user']);
-      return `Auth user added: ${user.username} (${user.roles.join(', ') || 'no roles'})`;
-    }
-    if (sub === 'delete-user' || sub === 'remove-user') {
-      const username = rest[0];
-      if (!username) return 'Usage: goodvibes auth delete-user <username>';
-      return localUserAuthManager.deleteUser(username)
-        ? `Auth user deleted: ${username}`
-        : `No auth user found: ${username}`;
-    }
-    if (sub === 'rotate-password' || sub === 'passwd') {
-      const username = rest[0];
-      if (!username) return 'Usage: goodvibes auth rotate-password <username> [--password <value>|--password-stdin]';
-      const password = readPassword(rawRest);
-      if (!password) return 'Usage: goodvibes auth rotate-password <username> [--password <value>|--password-stdin]';
-      localUserAuthManager.rotatePassword(username, password);
-      return `Auth password rotated: ${username}`;
-    }
-    if (sub === 'revoke-session') {
-      const token = rest[0];
-      if (!token) return 'Usage: goodvibes auth revoke-session <token-or-fingerprint>';
-      return localUserAuthManager.revokeSession(token)
-        ? 'Auth session revoked.'
-        : 'No auth session found.';
-    }
-    if (sub === 'revoke-sessions') {
-      const username = rest[0];
-      if (!username) return 'Usage: goodvibes auth revoke-sessions <username>';
-      const count = localUserAuthManager.revokeSessionsForUser(username);
-      return `Auth sessions revoked for ${username}: ${count}`;
-    }
-    if (sub === 'clear-bootstrap') {
-      return localUserAuthManager.clearBootstrapCredentialFile()
-        ? 'Bootstrap credential file removed.'
-        : 'Bootstrap credential file was already absent.';
-    }
-    if (sub !== 'status' && sub !== 'list' && sub !== 'users' && sub !== 'sessions') {
-      return 'Usage: goodvibes auth [status|users|sessions|add-user|delete-user|rotate-password|revoke-session|revoke-sessions|clear-bootstrap]';
-    }
-    const snapshot = localUserAuthManager.inspect();
-    const paths = readAuthPaths(runtime);
-    const value = {
-      ...paths,
-      users: snapshot.users.map((user) => ({ username: user.username, roles: user.roles })),
-      sessions: snapshot.sessions.length,
-      permissionMode: runtime.configManager.get('permissions.mode'),
-    };
-    if (sub === 'users') {
-      return formatJsonOrText(runtime.cli)(value.users, [
-        `GoodVibes auth users (${value.users.length})`,
-        ...value.users.map((user) => `  ${user.username} (${user.roles.join(', ') || 'no roles'})`),
-      ].join('\n'));
-    }
-    if (sub === 'sessions') {
-      return formatJsonOrText(runtime.cli)(snapshot.sessions, [
-        `GoodVibes auth sessions (${snapshot.sessions.length})`,
-        ...snapshot.sessions.map((session) => `  ${session.username} expires=${new Date(session.expiresAt).toISOString()} fingerprint=${session.tokenFingerprint}`),
-      ].join('\n'));
-    }
+  const [sub = 'status'] = runtime.cli.commandArgs;
+  const blocked = new Set([
+    'add-user',
+    'add',
+    'delete-user',
+    'remove-user',
+    'rotate-password',
+    'passwd',
+    'revoke-session',
+    'revoke-sessions',
+    'clear-bootstrap',
+  ]);
+  if (blocked.has(sub)) {
+    return [
+      'Unsupported: runtime auth user/session administration is external to GoodVibes Agent.',
+      'GoodVibes Agent connects to an already-running runtime and does not create, delete, rotate, revoke, or clear runtime users, sessions, or bootstrap credentials.',
+      'Use the runtime-owning GoodVibes TUI or host tooling for runtime auth administration.',
+    ].join('\n');
+  }
+  if (sub !== 'status' && sub !== 'review' && sub !== 'list' && sub !== 'users' && sub !== 'sessions') {
+    return 'Usage: goodvibes-agent auth [status|review|users|sessions]';
+  }
+  const paths = readAuthPaths(runtime);
+  const value = {
+    authOwner: 'external-runtime',
+    operatorTokenPresent: paths.operatorTokenPresent,
+    operatorTokenPath: paths.operatorTokenPath,
+    compatibilityUserStorePresent: paths.userStorePresent,
+    compatibilityUserStorePath: paths.userStorePath,
+    compatibilityBootstrapCredentialPresent: paths.bootstrapCredentialPresent,
+    compatibilityBootstrapCredentialPath: paths.bootstrapCredentialPath,
+    permissionMode: runtime.configManager.get('permissions.mode'),
+  };
+  if (sub === 'users' || sub === 'sessions') {
     return formatJsonOrText(runtime.cli)(value, [
-      'GoodVibes auth',
-      `  permission mode: ${String(value.permissionMode)}`,
-      `  users: ${value.users.length}`,
-      ...value.users.map((user) => `    ${user.username} (${user.roles.join(', ') || 'no roles'})`),
-      `  sessions: ${value.sessions}`,
-      `  user store: ${paths.userStorePresent ? 'present' : 'missing'} (${paths.userStorePath})`,
-      `  bootstrap credential: ${paths.bootstrapCredentialPresent ? 'present' : 'missing'} (${paths.bootstrapCredentialPath})`,
-      `  operator tokens: ${paths.operatorTokenPresent ? 'present' : 'missing'} (${paths.operatorTokenPath})`,
+      `GoodVibes Agent auth ${sub}`,
+      '  owner: external GoodVibes runtime',
+      `  operator token: ${paths.operatorTokenPresent ? 'present' : 'missing'}`,
+      `  operator token path: ${paths.operatorTokenPath}`,
+      `  ${sub}: managed by the runtime-owning TUI or host tooling`,
+      '  Agent does not enumerate or mutate runtime users/sessions from the local CLI.',
     ].join('\n'));
+  }
+  return formatJsonOrText(runtime.cli)(value, [
+    'GoodVibes Agent auth',
+    '  owner: external GoodVibes runtime',
+    `  permission mode: ${String(value.permissionMode)}`,
+    `  operator token: ${paths.operatorTokenPresent ? 'present' : 'missing'} (${paths.operatorTokenPath})`,
+    `  compatibility user store: ${paths.userStorePresent ? 'present' : 'missing'} (${paths.userStorePath})`,
+    `  compatibility bootstrap credential: ${paths.bootstrapCredentialPresent ? 'present' : 'missing'} (${paths.bootstrapCredentialPath})`,
+    '  runtime user/session administration: external',
+    '  next: goodvibes-agent providers',
+    '  next: goodvibes-agent subscription providers',
+  ].join('\n'));
 }
 
 

package/src/cli/status.ts

@@ -50,7 +50,7 @@ export interface CliStatusSnapshot {
     readonly permissionLabel: string;
     readonly secretPolicy: unknown;
     readonly secretPolicyLabel: string;
-    readonly localUsers: CliAuthStatus | null;
+    readonly runtimeAuthSignal: CliAuthStatus | null;
   };
   readonly runtimeConnection: {
     readonly enabled: unknown;
@@ -182,13 +182,13 @@ export function buildCliDoctorFindings(options: CliStatusOptions): readonly CliD
 
   if (networkFacingSurfaces.length > 0 && options.auth?.userStorePresent !== true) {
     findings.push({
-      id: 'network-endpoint-without-local-users',
+      id: 'network-endpoint-without-runtime-auth-signal',
       area: 'auth',
       severity: 'risk',
-      summary: 'Network-facing runtime endpoints are enabled before local users are configured.',
-      cause: `${networkFacingSurfaces.map(([name]) => name).join(', ')} are LAN/custom-bound, but no local auth user store was found.`,
-      impact: 'Remote access paths may be unusable or unsafe until local admin auth is configured.',
-      action: 'Create/verify a local admin user before exposing GoodVibes on the network.',
+      summary: 'Network-facing runtime endpoints are enabled without a visible runtime auth signal.',
+      cause: `${networkFacingSurfaces.map(([name]) => name).join(', ')} are LAN/custom-bound, but Agent cannot see runtime auth state from its local compatibility files.`,
+      impact: 'Remote access paths may be unusable or unsafe unless the external runtime owner configured auth.',
+      action: 'Review runtime auth from the owning GoodVibes TUI or host tooling; Agent will not create local runtime users.',
     });
   }
 
@@ -200,7 +200,7 @@ export function buildCliDoctorFindings(options: CliStatusOptions): readonly CliD
       summary: 'A bootstrap credential is still present while network-facing surfaces are enabled.',
       cause: `${networkFacingSurfaces.map(([name]) => name).join(', ')} are LAN/custom-bound and auth-bootstrap.txt exists.`,
       impact: 'Bootstrap credentials should be treated as temporary setup material, not long-lived network access credentials.',
-      action: 'Replace bootstrap auth with a named admin user and retire the bootstrap credential.',
+      action: 'Use the runtime-owning GoodVibes TUI or host tooling to replace bootstrap auth and retire the bootstrap credential.',
     });
   }
 
@@ -264,7 +264,7 @@ export function buildCliStatusSnapshot(options: CliStatusOptions): CliStatusSnap
       permissionLabel: permissionModeLabel(config.get('permissions.mode')),
       secretPolicy: config.get('storage.secretPolicy'),
       secretPolicyLabel: secretPolicyLabel(config.get('storage.secretPolicy')),
-      localUsers: options.auth ?? null,
+      runtimeAuthSignal: options.auth ?? null,
     },
     runtimeConnection: {
       enabled: config.get('service.enabled'),
@@ -317,8 +317,8 @@ export function renderCliStatus(options: CliStatusOptions): string {
     `  permissions: ${permissionModeLabel(config.get('permissions.mode'))} (${String(config.get('permissions.mode'))})`,
     `  secretPolicy: ${secretPolicyLabel(config.get('storage.secretPolicy'))} (${String(config.get('storage.secretPolicy'))})`,
     options.auth
-      ? `  localUsers: ${options.auth.userStorePresent ? 'present' : 'missing'} (${options.auth.userStorePath})`
-      : '  localUsers: unknown',
+      ? `  runtimeAuthSignal: ${options.auth.userStorePresent ? 'present' : 'missing'} (${options.auth.userStorePath})`
+      : '  runtimeAuthSignal: unknown',
     options.auth
       ? `  bootstrapCredential: ${options.auth.bootstrapCredentialPresent ? 'present' : 'missing'} (${options.auth.bootstrapCredentialPath})`
       : '  bootstrapCredential: unknown',

package/src/input/commands/health-runtime.ts

@@ -8,7 +8,6 @@ import { getSettingsControlPlaneSnapshot } from '@/runtime/index.ts';
 import { checkRecoveryFile, readLastSessionPointer } from '@/runtime/index.ts';
 import {
   openCommandPanel,
-  requireLocalUserAuthManager,
   requireOperatorClient,
   requireProviderApi,
   requireReadModels,
@@ -78,12 +77,13 @@ export function registerHealthRuntimeCommands(registry: CommandRegistry): void {
       if (sub === 'auth') {
         const auth = readModels.localAuth.getSnapshot();
         ctx.print([
-          'Health Review: Local Auth',
-          `  users: ${auth.userCount}`,
-          `  sessions: ${auth.sessionCount}`,
-          `  bootstrap file: ${auth.bootstrapCredentialPresent ? 'present' : 'cleared'}`,
-          ...(auth.userCount <= 1 ? ['  issue: only one local auth user configured'] : []),
-          ...(auth.bootstrapCredentialPresent ? ['  issue: bootstrap credential file still present; rotate or clear it when no longer needed'] : []),
+          'Health Review: Runtime Auth',
+          '  owner: external GoodVibes runtime host',
+          `  compatibility users visible: ${auth.userCount}`,
+          `  compatibility sessions visible: ${auth.sessionCount}`,
+          `  bootstrap file signal: ${auth.bootstrapCredentialPresent ? 'present' : 'cleared'}`,
+          '  Agent action: review provider/subscription auth only; do not mutate runtime auth users or bootstrap credentials.',
+          ...(auth.bootstrapCredentialPresent ? ['  issue: bootstrap cleanup belongs to the runtime-owning TUI or host tooling'] : []),
         ].join('\n'));
         return;
       }
@@ -222,13 +222,11 @@ export function registerHealthRuntimeCommands(registry: CommandRegistry): void {
           ));
           lines.push('  verify: /health settings');
         } else if (domain === 'auth') {
-          const auth = requireLocalUserAuthManager(ctx).inspect();
           lines.push('  domain: auth');
-          lines.push(...(
-            auth.bootstrapCredentialPresent
-              ? ['  /auth local review', '  /auth local rotate-password admin <password> --yes', '  /auth local clear-bootstrap-file --yes']
-              : ['  /auth local review']
-          ));
+          lines.push('  /auth review');
+          lines.push('  /providers');
+          lines.push('  /subscription providers');
+          lines.push('  runtime auth users/bootstrap cleanup: use the runtime-owning GoodVibes TUI or host tooling');
           lines.push('  verify: /health auth');
         } else if (domain === 'accounts') {
           lines.push('  domain: accounts');
@@ -316,7 +314,7 @@ export function registerHealthRuntimeCommands(registry: CommandRegistry): void {
         `  account issues: ${accountSnapshot.issueCount}`,
         `  settings conflicts: ${settingsSnapshot.conflicts.length}`,
         `  managed locks: ${settingsSnapshot.managedLockCount}`,
-        `  local auth users: ${readModels.localAuth.getSnapshot().userCount}`,
+        `  runtime auth owner: external`,
         `  remote workers: ${snapshot.remoteRunnerCount}`,
         ...formatSessionMaintenanceLines(maintenance, 'guided').map((line) => `  ${line}`),
         ...(snapshot.issues.length > 0 ? ['', ...snapshot.issues.map((issue) => `  [${issue.severity.toUpperCase()}] ${issue.area}: ${issue.message}`)] : []),

package/src/input/commands/platform-access-runtime.ts

@@ -2,7 +2,6 @@ import { mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { dirname } from 'node:path';
 import type { CommandRegistry } from '../command-registry.ts';
 import { listBuiltinSubscriptionProviders } from '@pellux/goodvibes-sdk/platform/config';
-import { handleLocalAuthCommand } from './local-auth-runtime.ts';
 import { buildAuthInspectionSnapshot, inspectProviderAuth } from '@/runtime/index.ts';
 import { requireSecretsManager, requireServiceRegistry, requireShellPaths, requireSubscriptionManager } from './runtime-services.ts';
 import { requireYesFlag, stripYesFlag } from './confirmation.ts';
@@ -113,7 +112,7 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
   registry.register({
     name: 'auth',
     description: 'Review auth posture and exchange session login tokens with local services',
-    usage: '[review|show <provider>|repair <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes|local <review|panel|add-user --yes|delete-user --yes|rotate-password --yes|revoke-session --yes|clear-bootstrap-file --yes>]',
+    usage: '[review|show <provider>|repair <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes]',
     async handler(args, ctx) {
       const parsed = stripYesFlag(args);
       const commandArgs = [...parsed.rest];
@@ -123,7 +122,12 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
       const serviceRegistry = requireServiceRegistry(ctx);
       const secretsManager = requireSecretsManager(ctx);
       if (sub === 'local') {
-        handleLocalAuthCommand(args.slice(1), ctx);
+        ctx.print([
+          'Local runtime auth management is external to GoodVibes Agent.',
+          'Agent connects to an already-running GoodVibes runtime and does not create, delete, rotate, revoke, or clear runtime auth users, sessions, or bootstrap credentials.',
+          'Use the runtime-owning GoodVibes TUI or host tooling for runtime auth administration.',
+          'Agent auth commands available here: /auth review, /auth show <provider>, /auth repair <provider>, /auth login <runtime|listener> ... --yes.',
+        ].join('\n'));
         return;
       }
       if (sub === 'review') {
@@ -270,7 +274,7 @@ export function registerPlatformAccessRuntimeCommands(registry: CommandRegistry)
         return;
       }
 
-      ctx.print('Usage: /auth [review|show <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes|local <review|panel|add-user --yes|delete-user --yes|rotate-password --yes|revoke-session --yes|clear-bootstrap-file --yes>]');
+      ctx.print('Usage: /auth [review|show <provider>|bundle export <path> --yes|bundle inspect <path>|login <runtime|listener> <baseUrl> <username> <password> [secretKey] --yes]');
     },
   });
 }

package/src/input/commands.ts

@@ -23,7 +23,6 @@ import { registerTasksRuntimeCommands } from './commands/tasks-runtime.ts';
 import { registerLocalProviderRuntimeCommands } from './commands/local-provider-runtime.ts';
 import { registerHealthRuntimeCommands } from './commands/health-runtime.ts';
 import { registerProviderAccountsRuntimeCommands } from './commands/provider-accounts-runtime.ts';
-import { registerLocalAuthRuntimeCommands } from './commands/local-auth-runtime.ts';
 import { registerConversationRuntimeCommands } from './commands/conversation-runtime.ts';
 import { registerQrcodeRuntimeCommands } from './commands/qrcode-runtime.ts';
 import { registerOnboardingRuntimeCommands } from './commands/onboarding-runtime.ts';
@@ -62,7 +61,6 @@ export function registerBuiltinCommands(registry: CommandRegistry): void {
   registerLocalProviderRuntimeCommands(registry);
   registerHealthRuntimeCommands(registry);
   registerProviderAccountsRuntimeCommands(registry);
-  registerLocalAuthRuntimeCommands(registry);
   registerConversationRuntimeCommands(registry);
   registerQrcodeRuntimeCommands(registry);
   registerOnboardingRuntimeCommands(registry);

package/src/input/onboarding/onboarding-wizard-helpers.ts

@@ -49,7 +49,7 @@ export function buildDefaultDerivedState(): OnboardingStepDerivationState {
         required: false,
         accepted: false,
         reason: 'not-needed',
-        detail: 'No local auth state needs confirmation.',
+        detail: 'No external runtime auth signal needs confirmation.',
       },
     },
   };

package/src/panels/builtin/operations.ts

@@ -2,7 +2,6 @@ import type { PanelManager } from '../panel-manager.ts';
 import { ApprovalPanel } from '../approval-panel.ts';
 import { AutomationControlPanel } from '../automation-control-panel.ts';
 import { SubscriptionPanel } from '../subscription-panel.ts';
-import { LocalAuthPanel } from '../local-auth-panel.ts';
 import { ProviderAccountsPanel } from '../provider-accounts-panel.ts';
 import { SecurityPanel } from '../security-panel.ts';
 import { TasksPanel } from '../tasks-panel.ts';
@@ -59,15 +58,6 @@ export function registerOperationsPanels(manager: PanelManager, deps: ResolvedBu
     factory: () => new SubscriptionPanel(deps.serviceRegistry, deps.subscriptionManager),
   });
 
-  manager.registerType({
-    id: 'local-auth',
-    name: 'Local Auth',
-    icon: 'U',
-    category: 'monitoring',
-    description: 'Local runtime auth users, bootstrap posture, and active sessions',
-    factory: () => new LocalAuthPanel(deps.localUserAuthManager),
-  });
-
   manager.registerType({
     id: 'accounts',
     name: 'Accounts',

package/src/panels/provider-health-domains.ts

@@ -44,18 +44,19 @@ export function buildProviderHealthDomainSummaries(
 
   summaries.push({
     name: 'auth',
-    level: auth.bootstrapCredentialPresent || auth.userCount <= 1 ? 'warn' : 'good',
+    level: auth.bootstrapCredentialPresent ? 'warn' : 'info',
     summary: auth.bootstrapCredentialPresent
-      ? 'bootstrap credential file still present'
-      : `${auth.userCount} users / ${auth.sessionCount} sessions`,
-    next: auth.bootstrapCredentialPresent ? '/auth local clear-bootstrap-file --yes' : '/auth local review',
+      ? 'external runtime bootstrap credential visible in local compatibility state'
+      : 'runtime auth administration belongs to the external runtime owner',
+    next: '/auth review',
     details: [
-      auth.bootstrapCredentialPresent ? 'bootstrap credential file should be cleared after rotation' : `${auth.userCount} local auth users configured`,
-      auth.userCount <= 1 ? 'only one local auth user configured' : `${auth.sessionCount} active local auth sessions`,
+      'GoodVibes Agent does not create, delete, rotate, revoke, or clear runtime auth users or sessions.',
+      `${auth.userCount} compatibility user record(s) and ${auth.sessionCount} session record(s) are visible for diagnostics only.`,
+      auth.bootstrapCredentialPresent ? 'Runtime bootstrap cleanup must be done from the runtime-owning TUI or host tooling.' : '',
     ].filter(Boolean),
     nextSteps: auth.bootstrapCredentialPresent
-      ? ['/auth local review', '/auth local rotate-password <user> <password> --yes', '/auth local clear-bootstrap-file --yes']
-      : ['/auth local review'],
+      ? ['/auth review', '/providers', '/subscription providers']
+      : ['/auth review', '/providers'],
   });
 
   const settingIssueCount = settings.conflictCount + settings.recentFailureCount + (settings.hasStagedManagedBundle ? 1 : 0);

package/src/runtime/onboarding/apply.ts

@@ -62,22 +62,6 @@ function setNestedValue(root: Record<string, unknown>, key: string, value: unkno
 
 type RollbackAction = () => Promise<void> | void;
 
-interface BootstrapCredential {
-  readonly username: string;
-  readonly password: string;
-}
-
-interface PersistedAuthUser {
-  readonly username: string;
-  readonly passwordHash: string;
-  readonly roles?: readonly string[];
-}
-
-interface MutableAuthManager {
-  readonly users?: Map<string, PersistedAuthUser>;
-  readonly sessions?: Map<string, { readonly token: string; readonly username: string; readonly expiresAt: number }>;
-}
-
 function restoreFile(path: string, previous: string | null, reload?: () => void): void {
   if (previous === null) {
     if (existsSync(path)) unlinkSync(path);
@@ -88,31 +72,6 @@ function restoreFile(path: string, previous: string | null, reload?: () => void)
   reload?.();
 }
 
-function parseBootstrapCredential(content: string | null): BootstrapCredential | null {
-  if (content === null) return null;
-  let username = '';
-  let password = '';
-  for (const rawLine of content.split('\n')) {
-    const line = rawLine.trim();
-    if (line.startsWith('username=')) username = line.slice('username='.length);
-    if (line.startsWith('password=')) password = line.slice('password='.length);
-  }
-  return username.length > 0 && password.length > 0 ? { username, password } : null;
-}
-
-function parsePersistedAuthUsers(content: string): readonly PersistedAuthUser[] {
-  const parsed = JSON.parse(content) as unknown;
-  if (!isPlainObject(parsed) || parsed.version !== 1 || !Array.isArray(parsed.users)) {
-    throw new Error('Expected a version 1 local auth user store.');
-  }
-  return parsed.users.filter((user): user is PersistedAuthUser => (
-    isPlainObject(user)
-    && typeof user.username === 'string'
-    && typeof user.passwordHash === 'string'
-    && (user.roles === undefined || (Array.isArray(user.roles) && user.roles.every((role) => typeof role === 'string')))
-  ));
-}
-
 function snapshotFileRollback(path: string, reload?: () => void): RollbackAction {
   const previous = existsSync(path) ? readFileSync(path, 'utf-8') : null;
   return () => restoreFile(path, previous, reload);
@@ -227,18 +186,10 @@ function validateSecretOperation(
 }
 
 function validateAuthOperation(
-  deps: OnboardingApplyDependencies,
-  operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
+  _deps: OnboardingApplyDependencies,
+  _operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
 ): void {
-  if (!deps.auth) throw new Error('Local auth management is unavailable.');
-  if (operation.username.trim().length === 0) throw new Error('Local auth username is required.');
-  if (operation.password.length === 0) throw new Error(`Local auth password for ${operation.username} is required.`);
-  const username = operation.username.trim();
-  const existing = deps.auth.inspect().users.find((user) => user.username === username);
-  const requiredRoles = operation.roles ?? ['admin'];
-  if (existing && !requiredRoles.every((role) => existing.roles.includes(role))) {
-    throw new Error(`Existing local auth user ${username} is missing required role(s): ${requiredRoles.join(', ')}.`);
-  }
+  throw new Error('Runtime auth user/session administration is external to GoodVibes Agent onboarding.');
 }
 
 function validateAcknowledgementOperation(
@@ -313,44 +264,6 @@ async function applySecretOperation(
   };
 }
 
-function applyAuthOperation(
-  deps: OnboardingApplyDependencies,
-  operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
-): OnboardingAppliedOperation {
-  validateAuthOperation(deps, operation);
-  const auth = deps.auth!;
-  const username = operation.username.trim();
-  const before = auth.inspect();
-  const existing = before.users.find((user) => user.username === username);
-  const bootstrapCredential = before.bootstrapCredentialPresent
-    ? parseBootstrapCredential(readFileSync(before.bootstrapCredentialPath, 'utf-8'))
-    : null;
-
-  if (existing) {
-    auth.rotatePassword(username, operation.password);
-  } else {
-    auth.addUser(username, operation.password, operation.roles ?? ['admin']);
-  }
-
-  if (operation.retireBootstrapCredential) {
-    if (bootstrapCredential && bootstrapCredential.username !== username && auth.getUser(bootstrapCredential.username)) {
-      auth.deleteUser(bootstrapCredential.username);
-    }
-    auth.clearBootstrapCredentialFile();
-  }
-
-  if (operation.createSession ?? true) {
-    auth.createSession(username);
-  }
-
-  return {
-    kind: operation.kind,
-    summary: existing
-      ? `Updated local auth user ${username}.`
-      : `Created local auth user ${username}.`,
-  };
-}
-
 async function buildSecretRollbackAction(
   deps: OnboardingApplyDependencies,
   operation: Extract<OnboardingApplyOperation, { kind: 'set-secret' }>,
@@ -369,67 +282,6 @@ async function buildSecretRollbackAction(
   };
 }
 
-function buildAuthRollbackAction(
-  deps: OnboardingApplyDependencies,
-  operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
-): RollbackAction {
-  validateAuthOperation(deps, operation);
-  const auth = deps.auth!;
-  const mutable = auth as unknown as MutableAuthManager;
-  const username = operation.username.trim();
-  const before = auth.inspect();
-  const existingUser = before.users.find((user) => user.username === username);
-  const existingSessionFingerprints = new Set(before.sessions
-    .filter((session) => session.username === username)
-    .map((session) => session.tokenFingerprint));
-  const userStoreSnapshot = existsSync(before.userStorePath) ? readFileSync(before.userStorePath, 'utf-8') : null;
-  const bootstrapCredentialSnapshot = existsSync(before.bootstrapCredentialPath)
-    ? readFileSync(before.bootstrapCredentialPath, 'utf-8')
-    : null;
-  const bootstrapCredential = parseBootstrapCredential(bootstrapCredentialSnapshot);
-  const beforeSessions = mutable.sessions instanceof Map
-    ? [...mutable.sessions.entries()].map(([token, session]) => [token, { ...session }] as const)
-    : [];
-
-  return () => {
-    for (const session of auth.inspect().sessions) {
-      if (session.username === username && !existingSessionFingerprints.has(session.tokenFingerprint)) {
-        auth.revokeSession(session.tokenFingerprint);
-      }
-    }
-
-    if (bootstrapCredential && !auth.getUser(bootstrapCredential.username)) {
-      auth.addUser(bootstrapCredential.username, bootstrapCredential.password, ['admin']);
-    }
-
-    if (!existingUser && auth.getUser(username)) {
-      try {
-        auth.deleteUser(username);
-      } catch (error) {
-        if (mutable.users instanceof Map) mutable.users.delete(username);
-        else throw error;
-      }
-    }
-
-    restoreFile(before.bootstrapCredentialPath, bootstrapCredentialSnapshot);
-    restoreFile(before.userStorePath, userStoreSnapshot);
-
-    if (mutable.users instanceof Map) {
-      if (userStoreSnapshot === null) {
-        if (before.users.length === 0) mutable.users.clear();
-      } else {
-        mutable.users.clear();
-        for (const user of parsePersistedAuthUsers(userStoreSnapshot)) mutable.users.set(user.username, user);
-      }
-    }
-
-    if (mutable.sessions instanceof Map) {
-      mutable.sessions.clear();
-      for (const [token, session] of beforeSessions) mutable.sessions.set(token, session);
-    }
-  };
-}
-
 async function buildRollbackAction(
   deps: OnboardingApplyDependencies,
   operation: OnboardingApplyOperation,
@@ -453,7 +305,8 @@ async function buildRollbackAction(
   }
 
   if (operation.kind === 'ensure-auth-user') {
-    return buildAuthRollbackAction(deps, operation);
+    validateAuthOperation(deps, operation);
+    return () => {};
   }
 
   if (operation.kind === 'acknowledge') {
@@ -633,8 +486,7 @@ export async function applyOnboardingRequest(
         }
 
         if (operation.kind === 'ensure-auth-user') {
-          applied.push(applyAuthOperation(deps, operation));
-          rollbacks.push(rollback);
+          validateAuthOperation(deps, operation);
           continue;
         }
 

package/src/runtime/onboarding/derivation.ts

@@ -500,23 +500,23 @@ export function deriveReopenEditAcknowledgementState(
         snapshot,
         'auth',
         'bootstrap-credential',
-        'The local auth bootstrap credential file is still present.',
+        'An external runtime bootstrap credential signal is still visible to Agent.',
       )
     : authSessionCount > 0
       ? buildRequiredAcknowledgement(
           snapshot,
           'auth',
           'active-sessions',
-          `${authSessionCount} local auth session(s) are currently active.`,
+          `${authSessionCount} external runtime auth session signal(s) are currently visible.`,
         )
       : authUserCount > 0
         ? buildRequiredAcknowledgement(
             snapshot,
             'auth',
             'auth-state',
-            `${authUserCount} local auth user(s) are already configured.`,
+            `${authUserCount} external runtime auth user signal(s) are already visible.`,
           )
-        : buildNotNeededAcknowledgement(snapshot, 'auth', 'No local auth state needs confirmation.');
+        : buildNotNeededAcknowledgement(snapshot, 'auth', 'No external runtime auth signal needs confirmation.');
 
   return {
     providers,

package/src/runtime/onboarding/types.ts

@@ -383,17 +383,7 @@ export interface OnboardingApplyDependencies {
   readonly clock?: () => number;
   readonly config: Pick<ConfigManager, 'get' | 'getRaw' | 'load' | 'setDynamic'>;
   readonly secrets?: Pick<SecretsManager, 'delete' | 'get' | 'inspect' | 'set'>;
-  readonly auth?: Pick<
-    UserAuthManager,
-    'addUser'
-    | 'clearBootstrapCredentialFile'
-    | 'createSession'
-    | 'deleteUser'
-    | 'getUser'
-    | 'inspect'
-    | 'revokeSession'
-    | 'rotatePassword'
-  >;
+  readonly auth?: Pick<UserAuthManager, 'inspect'>;
   readonly shellPaths: OnboardingShellPaths;
   readonly acknowledgementScope?: OnboardingStateScope;
 }

package/src/runtime/onboarding/verify.ts

@@ -116,36 +116,14 @@ async function verifySecretOperation(
 }
 
 function verifyAuthOperation(
-  deps: OnboardingVerificationDependencies,
+  _deps: OnboardingVerificationDependencies,
   operation: Extract<OnboardingApplyOperation, { kind: 'ensure-auth-user' }>,
 ): OnboardingVerificationItem {
-  if (!deps.auth) {
-    return {
-      id: `auth:${operation.username}`,
-      status: 'fail',
-      message: 'Local auth manager is unavailable.',
-      target: operation.username,
-    };
-  }
-
-  const snapshot = deps.auth.inspect();
   const username = operation.username.trim();
-  const user = snapshot.users.find((entry) => entry.username === username);
-  const requiredRoles = operation.roles ?? ['admin'];
-  const userExists = Boolean(user) && requiredRoles.every((role) => user!.roles.includes(role));
-  const sessionExists = operation.createSession === false
-    ? true
-    : snapshot.sessions.some((session) => session.username === username);
-  const bootstrapRetired = operation.retireBootstrapCredential
-    ? snapshot.bootstrapCredentialPresent === false
-    : true;
-  const ok = userExists && sessionExists && bootstrapRetired;
   return {
     id: `auth:${username}`,
-    status: ok ? 'pass' : 'fail',
-    message: ok
-      ? `${username} local auth user has required role(s) and session state.`
-      : `${username} local auth user/session/role/bootstrap state was not created.`,
+    status: 'fail',
+    message: 'Runtime auth user/session administration is external to GoodVibes Agent onboarding.',
     target: username,
   };
 }

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.1.81';
+let _version = '0.1.82';
 let _sdkVersion = '0.33.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8')) as {

package/src/input/commands/local-auth-runtime.ts

@@ -1,128 +0,0 @@
-import type { CommandContext, CommandRegistry } from '../command-registry.ts';
-import { openCommandPanel, requireLocalUserAuthManager } from './runtime-services.ts';
-import { summarizeError } from '@pellux/goodvibes-sdk/platform/utils';
-import { requireYesFlag, stripYesFlag } from './confirmation.ts';
-
-function formatRoles(roles: readonly string[]): string {
-  return roles.length > 0 ? roles.join(', ') : '(none)';
-}
-
-export function handleLocalAuthCommand(args: string[], ctx: CommandContext): void {
-  const parsed = stripYesFlag(args);
-  const commandArgs = [...parsed.rest];
-  const sub = (commandArgs[0] ?? 'review').toLowerCase();
-  const auth = requireLocalUserAuthManager(ctx);
-  if (sub === 'panel' || sub === 'open') {
-    openCommandPanel(ctx, 'local-auth');
-    return;
-  }
-
-  if (sub === 'add-user') {
-    const username = commandArgs[1];
-    const password = commandArgs[2];
-    const roles = commandArgs[3]?.split(',').map((value) => value.trim()).filter(Boolean) ?? ['admin'];
-    if (!username || !password) {
-      ctx.print('Usage: /auth local add-user <username> <password> [roles] --yes');
-      return;
-    }
-    if (!parsed.yes) {
-      requireYesFlag(ctx, `add local auth user ${username}`, '/auth local add-user <username> <password> [roles] --yes');
-      return;
-    }
-    try {
-      const added = auth.addUser(username, password, roles);
-      ctx.print(`Added local auth user ${added.username} (${formatRoles(added.roles)}).`);
-    } catch (error) {
-      ctx.print(summarizeError(error));
-    }
-    return;
-  }
-
-  if (sub === 'delete-user') {
-    const username = commandArgs[1];
-    if (!username) {
-      ctx.print('Usage: /auth local delete-user <username> --yes');
-      return;
-    }
-    if (!parsed.yes) {
-      requireYesFlag(ctx, `delete local auth user ${username}`, '/auth local delete-user <username> --yes');
-      return;
-    }
-    try {
-      const deleted = auth.deleteUser(username);
-      ctx.print(deleted ? `Deleted local auth user ${username}.` : `Unknown local auth user: ${username}`);
-    } catch (error) {
-      ctx.print(summarizeError(error));
-    }
-    return;
-  }
-
-  if (sub === 'rotate-password') {
-    const username = commandArgs[1];
-    const password = commandArgs[2];
-    if (!username || !password) {
-      ctx.print('Usage: /auth local rotate-password <username> <password> --yes');
-      return;
-    }
-    if (!parsed.yes) {
-      requireYesFlag(ctx, `rotate password for local auth user ${username}`, '/auth local rotate-password <username> <password> --yes');
-      return;
-    }
-    try {
-      auth.rotatePassword(username, password);
-      ctx.print(`Rotated password for ${username}. Existing sessions were revoked.`);
-    } catch (error) {
-      ctx.print(summarizeError(error));
-    }
-    return;
-  }
-
-  if (sub === 'revoke-session') {
-    const token = commandArgs[1];
-    if (!token) {
-      ctx.print('Usage: /auth local revoke-session <token-or-fingerprint> --yes');
-      return;
-    }
-    if (!parsed.yes) {
-      requireYesFlag(ctx, 'revoke local auth session', '/auth local revoke-session <token-or-fingerprint> --yes');
-      return;
-    }
-    ctx.print(auth.revokeSession(token) ? `Revoked session ${token.slice(0, 12)}…` : `Unknown session token or fingerprint: ${token}`);
-    return;
-  }
-
-  if (sub === 'clear-bootstrap-file') {
-    if (!parsed.yes) {
-      requireYesFlag(ctx, 'clear the local auth bootstrap credential file', '/auth local clear-bootstrap-file --yes');
-      return;
-    }
-    ctx.print(auth.clearBootstrapCredentialFile()
-      ? 'Removed bootstrap credential file.'
-      : 'No bootstrap credential file was present.');
-    return;
-  }
-
-  const snapshot = auth.inspect();
-  ctx.print([
-    'Local Auth Review',
-    `  user store: ${snapshot.userStorePath}`,
-    `  bootstrap file: ${snapshot.bootstrapCredentialPath}`,
-    `  bootstrap credentials: ${snapshot.bootstrapCredentialPresent ? 'present' : 'cleared'}`,
-    `  users: ${snapshot.userCount}`,
-    `  sessions: ${snapshot.sessionCount}`,
-    ...snapshot.users.map((user) => `  user: ${user.username}  roles=${formatRoles(user.roles)}`),
-    ...snapshot.sessions.map((session) => `  session: ${session.username}  expires=${new Date(session.expiresAt).toISOString()}  fingerprint=${session.tokenFingerprint}`),
-  ].join('\n'));
-}
-
-export function registerLocalAuthRuntimeCommands(registry: CommandRegistry): void {
-  registry.register({
-    name: 'local-auth',
-    aliases: ['auth-local'],
-    description: 'Inspect and manage local runtime auth users, sessions, and bootstrap credentials',
-    usage: '[review|panel|add-user <username> <password> [roles] --yes|delete-user <username> --yes|rotate-password <username> <password> --yes|revoke-session <token-or-fingerprint> --yes|clear-bootstrap-file --yes]',
-    handler(args, ctx) {
-      handleLocalAuthCommand(args, ctx);
-    },
-  });
-}

package/src/panels/local-auth-panel.ts

@@ -1,130 +0,0 @@
-import type { Line } from '../types/grid.ts';
-import { createEmptyLine } from '../types/grid.ts';
-import { ScrollableListPanel } from './scrollable-list-panel.ts';
-import {
-  buildDetailBlock,
-  buildGuidanceLine,
-  buildPanelListRow,
-  buildPanelLine,
-  buildSummaryBlock,
-  buildPanelWorkspace,
-  DEFAULT_PANEL_PALETTE,
-  type PanelPalette,
-} from './polish.ts';
-import type { LocalAuthSnapshot } from '@pellux/goodvibes-sdk/platform/security';
-import type { LocalAuthInspectionQuery } from '../runtime/ui-service-queries.ts';
-
-const C = {
-  ...DEFAULT_PANEL_PALETTE,
-  info: '#38bdf8',
-  warn: '#eab308',
-  error: '#ef4444',
-  selectBg: '#1e293b',
-} as const;
-
-function formatRoles(roles: readonly string[]): string {
-  return roles.length > 0 ? roles.join(', ') : '(none)';
-}
-
-type LocalAuthUser = LocalAuthSnapshot['users'][number];
-
-export class LocalAuthPanel extends ScrollableListPanel<LocalAuthUser> {
-  private readonly authManager: LocalAuthInspectionQuery;
-
-  public constructor(authManager: LocalAuthInspectionQuery) {
-    super('local-auth', 'Local Auth', 'U', 'monitoring');
-    this.showSelectionGutter = true; // I5: non-color selection affordance
-    this.authManager = authManager;
-  }
-
-  protected override getPalette(): PanelPalette {
-    return C;
-  }
-
-  protected getItems(): readonly LocalAuthUser[] {
-    return this.authManager.inspect().users;
-  }
-
-  protected renderItem(user: LocalAuthUser, _index: number, selected: boolean, width: number): Line {
-    return buildPanelListRow(width, [
-      { text: user.username.padEnd(20), fg: C.value },
-      { text: ` roles=${formatRoles(user.roles)}`.slice(0, Math.max(0, width - 24)), fg: C.info },
-    ], C, { selected });
-  }
-
-  protected override getEmptyStateMessage(): string {
-    return ' No local auth users configured.';
-  }
-
-  public render(width: number, height: number): Line[] {
-    const intro = 'Review local runtime auth users, bootstrap state, and active sessions.';
-    const snapshot = this.authManager.inspect();
-    const users = this.getItems();
-
-    const issueMessages: string[] = [];
-    if (snapshot.bootstrapCredentialPresent) issueMessages.push('Bootstrap credential file still exists and should be cleared after password rotation.');
-    if (snapshot.userCount <= 1) issueMessages.push('Only one local auth user is configured.');
-    if (snapshot.sessionCount === 0) issueMessages.push('No active local auth sessions are currently tracked.');
-
-    const headerLines: Line[] = [
-      ...buildSummaryBlock(width, 'Local auth posture', [
-        buildPanelLine(width, [
-          [' users ', C.label],
-          [String(snapshot.userCount), C.value],
-          ['  sessions ', C.label],
-          [String(snapshot.sessionCount), snapshot.sessionCount > 0 ? C.info : C.dim],
-          ['  bootstrap ', C.label],
-          [snapshot.bootstrapCredentialPresent ? 'present' : 'cleared', snapshot.bootstrapCredentialPresent ? C.warn : C.good],
-        ]),
-        buildPanelLine(width, [[' user store ', C.label], [snapshot.userStorePath.slice(0, Math.max(0, width - 13)), C.dim]]),
-        buildPanelLine(width, [[' bootstrap file ', C.label], [snapshot.bootstrapCredentialPath.slice(0, Math.max(0, width - 18)), C.dim]]),
-        ...(issueMessages.length > 0
-          ? issueMessages.map((issue) => buildPanelLine(width, [[` issue: ${issue}`.slice(0, Math.max(0, width)), C.warn]]))
-          : [buildPanelLine(width, [[' local auth posture looks healthy.', C.good]])]),
-        buildGuidanceLine(width, '/auth local rotate-password <user> <password> --yes', 'rotate bootstrap/default credentials and revoke older sessions as needed', C),
-      ], C),
-    ];
-
-    if (users.length === 0) {
-      const workspace = buildPanelWorkspace(width, height, {
-        title: 'Local Auth Control Room',
-        intro,
-        sections: [{ lines: headerLines }],
-        palette: C,
-      });
-      while (workspace.length < height) workspace.push(createEmptyLine(width));
-      return workspace;
-    }
-
-    this.clampSelection();
-    const selected = users[this.selectedIndex];
-
-    const footerLines: Line[] = [];
-    if (selected) {
-      footerLines.push(
-        ...buildDetailBlock(width, 'Selected user', [
-          buildPanelLine(width, [[' username ', C.label], [selected.username, C.value], ['  roles ', C.label], [formatRoles(selected.roles).slice(0, Math.max(0, width - 23)), C.info]]),
-          buildPanelLine(width, [[` next: /auth local rotate-password ${selected.username} <password> --yes`.slice(0, Math.max(0, width)), C.dim]]),
-          buildPanelLine(width, [[` next: /auth local delete-user ${selected.username} --yes`.slice(0, Math.max(0, width)), C.dim]]),
-        ], C),
-      );
-    }
-
-    if (snapshot.sessions.length > 0) {
-      footerLines.push(
-        ...snapshot.sessions.slice(0, 8).map((session) => buildPanelLine(width, [
-          [' ', C.label],
-          [session.username.padEnd(18), C.value],
-          [` expires ${new Date(session.expiresAt).toLocaleString()}`.slice(0, Math.max(0, width - 20)), C.dim],
-        ])),
-      );
-    }
-    footerLines.push(buildPanelLine(width, [[' /auth local review  mutations require --yes: add-user rotate-password revoke-session ', C.dim]]));
-
-    return this.renderList(width, height, {
-      title: 'Local Auth Control Room',
-      header: headerLines,
-      footer: footerLines,
-    });
-  }
-}