@pellux/goodvibes-agent 0.1.9 → 0.1.11

package/src/input/handler-onboarding-cloudflare.ts

@@ -4,9 +4,6 @@ import {
   type CloudflareComponentSelection,
   type CloudflareDaemonClient,
   type CloudflareDiscoverResult,
-  type CloudflareOperationalTokenResult,
-  type CloudflareProvisionRequest,
-  type CloudflareProvisionResult,
   type CloudflareTokenRequirementsResult,
   type CloudflareValidateResult,
   type CloudflareVerifyResult,
@@ -16,7 +13,6 @@ import type { InputHandler } from './handler.ts';
 import type { OnboardingWizardAction, OnboardingWizardApplyFeedback } from './onboarding/onboarding-wizard.ts';
 import {
   buildCloudflareApiTokenRef,
-  buildCloudflareProvisionRequest,
   getCloudflareBatchMode,
   getCloudflareComponentSelection,
   getCloudflareSetupSource,
@@ -113,26 +109,6 @@ function formatCloudflareDiscovery(result: CloudflareDiscoverResult): string[] {
   ];
 }
 
-function formatCloudflareTokenCreate(result: CloudflareOperationalTokenResult): string[] {
-  return [
-    `token: ${result.tokenName}${result.tokenId ? ` (${result.tokenId})` : ''}`,
-    `account: ${result.accountId}`,
-    `stored ref: ${result.apiTokenRef ?? 'not stored'}`,
-    `permissions: ${result.permissions.length}`,
-    'Delete or expire the temporary bootstrap token in Cloudflare after confirming the operational token works.',
-  ];
-}
-
-function formatCloudflareProvision(result: CloudflareProvisionResult): string[] {
-  return [
-    `result: ${result.ok ? 'ok' : 'needs attention'}`,
-    ...(result.worker ? [`worker: ${result.worker.name}${result.worker.baseUrl ? ` at ${result.worker.baseUrl}` : ''}`] : []),
-    ...(result.queues ? [`queue: ${result.queues.queueName}; DLQ: ${result.queues.deadLetterQueueName}`] : []),
-    ...result.steps.map((step) => `${step.status}: ${step.name}${step.message ? ` - ${step.message}` : ''}`),
-    ...(result.verification ? formatCloudflareVerify(result.verification).map((line) => `verify ${line}`) : []),
-  ];
-}
-
 function formatCloudflareVerify(result: CloudflareVerifyResult): string[] {
   return [
     `worker health: ${result.workerHealth.ok ? 'ok' : 'failed'} (HTTP ${result.workerHealth.status})${result.workerHealth.error ? ` - ${result.workerHealth.error}` : ''}`,
@@ -171,40 +147,6 @@ function getCloudflareApiTokenRefFromWizard(handler: InputHandler): string {
   return wizard.runtimeSnapshot?.config.cloudflare.apiTokenRef ?? '';
 }
 
-async function createCloudflareOperationalTokenForHandler(handler: InputHandler): Promise<CloudflareOperationalTokenResult> {
-  const wizard = handler.onboardingWizard;
-  const bootstrapToken = getCloudflareBootstrapTokenFromWizard(handler);
-  if (!bootstrapToken) {
-    throw new Error('A bootstrap token is required. Paste it in the wizard or select an environment variable that is set in this TUI process.');
-  }
-  const accountId = wizard.getStringFieldValue('cloudflare.account-id', wizard.runtimeSnapshot?.config.cloudflare.accountId ?? '');
-  const zoneId = wizard.getStringFieldValue('cloudflare.zone-id', wizard.runtimeSnapshot?.config.cloudflare.zoneId ?? '');
-  const zoneName = wizard.getStringFieldValue('cloudflare.zone-name', wizard.runtimeSnapshot?.config.cloudflare.zoneName ?? '');
-  return await getCloudflareDaemonClientForHandler(handler).createOperationalToken({
-    components: getCloudflareComponentSelection(wizard),
-    bootstrapToken,
-    ...(accountId ? { accountId } : {}),
-    ...(zoneId ? { zoneId } : {}),
-    ...(zoneName ? { zoneName } : {}),
-    storeApiToken: true,
-    persistConfig: true,
-  });
-}
-
-async function buildCloudflareProvisionInputForHandler(handler: InputHandler): Promise<CloudflareProvisionRequest> {
-  const input = buildCloudflareProvisionRequest(handler.onboardingWizard, { includeTransientSecrets: true });
-  const setupSource = getCloudflareSetupSource(handler.onboardingWizard);
-  if (setupSource === 'bootstrap-token' || setupSource === 'bootstrap-env') {
-    const tokenResult = await createCloudflareOperationalTokenForHandler(handler);
-    if (tokenResult.apiTokenRef) {
-      const withoutInlineToken = { ...input };
-      delete withoutInlineToken.apiToken;
-      return { ...withoutInlineToken, apiTokenRef: tokenResult.apiTokenRef };
-    }
-  }
-  return input;
-}
-
 function buildCloudflareDiscoveryInputForHandler(handler: InputHandler): Parameters<CloudflareDaemonClient['discover']>[0] {
   const wizard = handler.onboardingWizard;
   const accountId = wizard.getStringFieldValue('cloudflare.account-id', wizard.runtimeSnapshot?.config.cloudflare.accountId ?? '');
@@ -223,6 +165,34 @@ function buildCloudflareDiscoveryInputForHandler(handler: InputHandler): Paramet
   };
 }
 
+function blockedCloudflareMutationLines(action: CloudflareOnboardingAction): string[] {
+  switch (action) {
+    case 'cloudflare-create-operational-token':
+      return [
+        'Creating and storing Cloudflare tokens is a side-effecting operation.',
+        'Run /cloudflare create-token [flags] --yes from the main prompt when you explicitly want that mutation.',
+      ];
+    case 'cloudflare-provision':
+      return [
+        'Provisioning creates or updates Cloudflare resources.',
+        'Run /cloudflare provision [flags] --yes from the main prompt when you explicitly want that mutation.',
+      ];
+    case 'cloudflare-disable':
+      return [
+        'Disabling Cloudflare changes persisted daemon integration config.',
+        'Run /cloudflare disable [flags] --yes from the main prompt when you explicitly want that mutation.',
+      ];
+    default:
+      return [];
+  }
+}
+
+function isBlockedCloudflareMutation(action: CloudflareOnboardingAction): boolean {
+  return action === 'cloudflare-create-operational-token'
+    || action === 'cloudflare-provision'
+    || action === 'cloudflare-disable';
+}
+
 function buildCloudflareValidateInputForHandler(handler: InputHandler): Parameters<CloudflareDaemonClient['validate']>[0] {
   const wizard = handler.onboardingWizard;
   const accountId = wizard.getStringFieldValue('cloudflare.account-id', wizard.runtimeSnapshot?.config.cloudflare.accountId ?? '');
@@ -244,6 +214,16 @@ export async function handleCloudflareOnboardingActionForHandler(
   handler.onboardingWizard.clearApplyFeedback();
   handler.requestRender();
   try {
+    if (isBlockedCloudflareMutation(action)) {
+      setCloudflareWizardStatusForHandler(
+        handler,
+        'Cloudflare mutation requires explicit command',
+        blockedCloudflareMutationLines(action),
+        'warning',
+      );
+      return;
+    }
+
     const client = getCloudflareDaemonClientForHandler(handler);
     if (action === 'cloudflare-token-requirements') {
       const result = await client.tokenRequirements({
@@ -254,13 +234,6 @@ export async function handleCloudflareOnboardingActionForHandler(
       return;
     }
 
-    if (action === 'cloudflare-create-operational-token') {
-      const result = await createCloudflareOperationalTokenForHandler(handler);
-      setCloudflareWizardStatusForHandler(handler, 'Cloudflare operational token created', formatCloudflareTokenCreate(result));
-      await handler.refreshOnboardingHydration({ preserveValues: true, targetStepId: 'cloudflare' });
-      return;
-    }
-
     if (action === 'cloudflare-discover') {
       const result = await client.discover(buildCloudflareDiscoveryInputForHandler(handler));
       if (result.selectedAccount && !handler.onboardingWizard.getStringFieldValue('cloudflare.account-id', '')) {
@@ -293,19 +266,6 @@ export async function handleCloudflareOnboardingActionForHandler(
       return;
     }
 
-    if (action === 'cloudflare-provision') {
-      const input = await buildCloudflareProvisionInputForHandler(handler);
-      const result = await client.provision(input);
-      setCloudflareWizardStatusForHandler(
-        handler,
-        result.ok ? 'Cloudflare provisioning completed' : 'Cloudflare provisioning needs attention',
-        formatCloudflareProvision(result),
-        result.ok ? 'info' : 'warning',
-      );
-      await handler.refreshOnboardingHydration({ preserveValues: true, targetStepId: 'cloudflare' });
-      return;
-    }
-
     if (action === 'cloudflare-verify') {
       const result = await client.verify({
         workerBaseUrl: handler.onboardingWizard.getStringFieldValue('cloudflare.worker-base-url', handler.onboardingWizard.runtimeSnapshot?.config.cloudflare.workerBaseUrl ?? ''),
@@ -319,22 +279,6 @@ export async function handleCloudflareOnboardingActionForHandler(
       );
       return;
     }
-
-    if (action === 'cloudflare-disable') {
-      const result = await client.disable({
-        accountId: handler.onboardingWizard.getStringFieldValue('cloudflare.account-id', handler.onboardingWizard.runtimeSnapshot?.config.cloudflare.accountId ?? ''),
-        apiTokenRef: getCloudflareApiTokenRefFromWizard(handler),
-        workerName: handler.onboardingWizard.getStringFieldValue('cloudflare.worker-name', handler.onboardingWizard.runtimeSnapshot?.config.cloudflare.workerName ?? 'goodvibes-batch-worker'),
-        persistConfig: true,
-      });
-      setCloudflareWizardStatusForHandler(
-        handler,
-        result.ok ? 'Cloudflare integration disabled' : 'Cloudflare disable needs attention',
-        result.steps.map((step) => `${step.status}: ${step.name}${step.message ? ` - ${step.message}` : ''}`),
-        result.ok ? 'info' : 'warning',
-      );
-      await handler.refreshOnboardingHydration({ preserveValues: true, targetStepId: 'cloudflare' });
-    }
   } catch (error) {
     setCloudflareWizardStatusForHandler(handler, 'Cloudflare action failed', [normalizeCloudflareActionError(error)], 'error');
   } finally {
@@ -365,27 +309,14 @@ export async function maybeProvisionCloudflareOnFinalApplyForHandler(handler: In
     }];
   }
 
-  try {
-    const client = getCloudflareDaemonClientForHandler(handler);
-    const result = await client.provision(await buildCloudflareProvisionInputForHandler(handler));
-    handler.onboardingWizard.textState.set('cloudflare.action-status', [
-      result.ok ? 'Cloudflare provisioning completed during final apply.' : 'Cloudflare provisioning needs attention after final apply.',
-      ...formatCloudflareProvision(result),
-    ].join('\n'));
-    return [{
-      id: 'cloudflare:provision',
-      status: result.ok ? 'pass' : 'warn',
-      message: result.ok
-        ? 'Cloudflare resources were provisioned and verified through the daemon SDK route.'
-        : 'Cloudflare provisioning returned warnings or failed verification. Settings were saved; rerun the Cloudflare wizard action after correcting token/resource issues.',
-      target: 'cloudflare',
-    }];
-  } catch (error) {
-    return [{
-      id: 'cloudflare:provision',
-      status: 'warn',
-      message: `Cloudflare provisioning did not complete: ${normalizeCloudflareActionError(error)} Settings were saved; retry from the Cloudflare wizard or /cloudflare command.`,
-      target: 'cloudflare',
-    }];
-  }
+  handler.onboardingWizard.textState.set('cloudflare.action-status', [
+    'Cloudflare provisioning was not run during final apply.',
+    'GoodVibes Agent requires an explicit /cloudflare provision [flags] --yes command for Cloudflare resource mutations.',
+  ].join('\n'));
+  return [{
+    id: 'cloudflare:provision',
+    status: 'warn',
+    message: 'Cloudflare settings were saved, but provisioning was blocked because Agent onboarding cannot create/update Cloudflare resources. Run /cloudflare provision [flags] --yes explicitly.',
+    target: 'cloudflare',
+  }];
 }

package/src/input/handler.ts

@@ -238,6 +238,7 @@ export class InputHandler {
       agentManager: uiServices.agents.agentManager,
       processManager: uiServices.shell.processManager,
       wrfcController: uiServices.agents.wrfcController,
+      agentEntries: 'hidden',
     });
     this.liveTailModal = new LiveTailModal({
       agentManager: uiServices.agents.agentManager,

package/src/input/keybindings.ts

@@ -68,7 +68,7 @@ export const ACTION_DESCRIPTIONS: Record<KeyAction, string> = {
   'search':                'Toggle conversation search',
   'block-copy':            'Copy nearest block to clipboard',
   'bookmark':              'Bookmark / unbookmark nearest block',
-  'block-save':            'Save nearest block to file',
+  'block-save':            'Block file save blocked; use /share --yes',
   'delete-word':           'Delete word backward',
   'apply-diff-line-start': 'Apply nearest diff / move to line start',
   'next-error-line-end':   'Navigate to next error / move to line end',

package/src/input/mcp-workspace.ts

@@ -214,7 +214,7 @@ export class McpWorkspace {
   public formIndex = 0;
   public form: McpWorkspaceForm = serverConfigToForm();
   public editingServerName: string | null = null;
-  public status = 'Ready. Add, edit, remove, reload, and inspect MCP servers without restarting the TUI.';
+  public status = 'Ready. Inspect MCP servers and tools. Config writes/reloads require explicit /mcp ... --yes commands.';
   public tools: readonly RegisteredTool[] = [];
   public loadingTools = false;
   public lastError: string | null = null;
@@ -234,7 +234,7 @@ export class McpWorkspace {
     this.formIndex = 0;
     this.lastError = null;
     this.refreshSnapshot();
-    void this.refreshTools();
+    void this.refreshTools(false);
   }
 
   reopen(): void {
@@ -257,8 +257,8 @@ export class McpWorkspace {
   get rows(): readonly McpWorkspaceRow[] {
     return [
       ...this.snapshot.servers.map((server): McpWorkspaceRow => ({ type: 'server', server })),
-      { type: 'action', id: 'add', label: 'Add server', detail: `Write a server through the SDK config manager. Default scope: ${this.form.scope}.` },
-      { type: 'action', id: 'reload', label: 'Reload runtime', detail: 'Reconnect all MCP servers from global, Claude, and project config files.' },
+      { type: 'action', id: 'add', label: 'Add server preview', detail: `Draft server details here, then run /mcp add ... --scope ${this.form.scope} --yes to write config.` },
+      { type: 'action', id: 'reload', label: 'Reload guidance', detail: 'Runtime reload is blocked from the workspace; run /mcp reload --yes explicitly.' },
       { type: 'action', id: 'refresh-tools', label: 'Refresh tools', detail: 'Fetch the currently available MCP tool list from connected servers.' },
       { type: 'action', id: 'config', label: 'Config locations', detail: 'Show SDK-scanned config files and writable project/global paths.' },
     ];
@@ -284,7 +284,7 @@ export class McpWorkspace {
       { id: 'env', label: 'Environment', value: this.form.env, help: 'Comma-separated KEY=VALUE entries. Prefer env var references or secure secrets for sensitive values.', editable: true },
       { id: 'allowedPaths', label: 'Allowed paths', value: this.form.allowedPaths, help: 'Comma-separated path prefixes for filesystem-oriented servers.', editable: true },
       { id: 'allowedHosts', label: 'Allowed hosts', value: this.form.allowedHosts, help: 'Comma-separated hostnames for network-oriented servers.', editable: true },
-      { id: 'save', label: 'Save and reload', value: '', help: 'Write the selected scope config and reconnect the live MCP runtime.', editable: false },
+      { id: 'save', label: 'Show save command', value: '', help: 'No workspace write. Shows the explicit /mcp add ... --yes command to run from the prompt.', editable: false },
       { id: 'cancel', label: 'Cancel', value: '', help: 'Return to the MCP server browser without changing config.', editable: false },
     ];
   }
@@ -306,14 +306,14 @@ export class McpWorkspace {
     this.selectedIndex = Math.max(0, Math.min(this.selectedIndex, this.rows.length - 1));
   }
 
-  async refreshTools(): Promise<void> {
+  async refreshTools(updateStatus = true): Promise<void> {
     if (!this.context) return;
     this.loadingTools = true;
     this.lastError = null;
     try {
       const api = requireMcpApi(this.context);
       this.tools = await api.listAllTools();
-      this.status = `Tool list refreshed: ${this.tools.length} tool(s) available.`;
+      if (updateStatus) this.status = `Tool list refreshed: ${this.tools.length} tool(s) available.`;
     } catch (error) {
       this.lastError = summarizeError(error);
       this.status = `Tool refresh failed: ${this.lastError}`;
@@ -326,20 +326,8 @@ export class McpWorkspace {
   async reloadRuntime(): Promise<void> {
     if (!this.context) return;
     this.lastError = null;
-    try {
-      const api = requireMcpApi(this.context);
-      const roots = requireShellPaths(this.context);
-      const result = await api.reload(roots);
-      this.refreshSnapshot();
-      const connected = this.snapshot.servers.filter((server) => server.connected).length;
-      this.status = `Reloaded MCP runtime: ${connected}/${this.snapshot.servers.length} server(s) connected. Result: +${result.added} ~${result.changed} -${result.removed}, unchanged ${result.unchanged}.`;
-      void this.refreshTools();
-    } catch (error) {
-      this.lastError = summarizeError(error);
-      this.status = `Reload failed: ${this.lastError}`;
-    } finally {
-      this.context?.renderRequest();
-    }
+    this.status = 'MCP runtime reload is blocked in the workspace. Run /mcp reload --yes from the prompt to explicitly reload.';
+    this.context.renderRequest();
   }
 
   openAddForm(): void {
@@ -347,7 +335,7 @@ export class McpWorkspace {
     this.formIndex = 0;
     this.editingServerName = null;
     this.form = serverConfigToForm();
-    this.status = 'Add an MCP server. Choose project or global scope, then save and reload.';
+    this.status = 'Draft an MCP server. Saving from this workspace is blocked; use the shown /mcp add ... --yes command.';
   }
 
   openEditForm(serverName: string): void {
@@ -357,8 +345,8 @@ export class McpWorkspace {
     this.editingServerName = serverName;
     this.form = { ...serverConfigToForm(entry?.server), scope: entry?.source.scope === 'global' ? 'global' : 'project' };
     this.status = entry
-      ? `Editing ${serverName}. Saving writes a ${this.form.scope} config entry and reloads the live runtime.`
-      : `Editing ${serverName}. Runtime status exists, but no launch config was found; enter command details before saving.`;
+      ? `Viewing ${serverName}. Workspace saves are blocked; copy the generated /mcp add ... --yes command if you intend to change it.`
+      : `Viewing ${serverName}. Runtime status exists, but no launch config was found.`;
   }
 
   requestDelete(serverName: string): void {
@@ -366,24 +354,23 @@ export class McpWorkspace {
     this.editingServerName = serverName;
     const entry = this.snapshot.effectiveConfig.servers.find((configEntry) => configEntry.server.name === serverName);
     const scope = entry?.source.scope === 'global' ? 'global' : 'project';
-    this.status = `Remove ${scope} server "${serverName}"? Press y to confirm or n/Esc to cancel.`;
+    this.status = `MCP server removal is blocked in the workspace. Run /mcp remove ${serverName} --scope ${scope} --yes from the prompt.`;
   }
 
   async saveForm(): Promise<void> {
     if (!this.context) return;
     try {
       const server = formToServerConfig(this.form);
-      this.status = `Saving ${server.name} to ${this.form.scope} MCP config and reloading runtime...`;
       this.mode = 'browse';
       this.editingServerName = null;
-      const api = requireMcpApi(this.context);
-      const result = await api.upsertServerConfig(requireShellPaths(this.context), this.form.scope, server);
-      this.refreshSnapshot();
-      this.status = `Saved ${server.name} to ${result.path}. Reload result: +${result.reload.added} ~${result.reload.changed} -${result.reload.removed}, unchanged ${result.reload.unchanged}.`;
-      void this.refreshTools();
+      const args = server.args?.length ? ` ${server.args.join(' ')}` : '';
+      const role = server.role ? ` --role ${server.role}` : '';
+      const trust = server.trustMode ? ` --trust ${server.trustMode}` : '';
+      this.status = `MCP config write blocked here. Run: /mcp add ${server.name} ${server.command}${args} --scope ${this.form.scope}${role}${trust} --yes`;
+      this.context.renderRequest();
     } catch (error) {
       this.lastError = summarizeError(error);
-      this.status = `Save failed: ${this.lastError}`;
+      this.status = `Save command preview failed: ${this.lastError}`;
       this.context.renderRequest();
     }
   }
@@ -391,23 +378,12 @@ export class McpWorkspace {
   async confirmDelete(): Promise<void> {
     if (!this.context || !this.editingServerName) return;
     const name = this.editingServerName;
-    try {
-      const server = this.snapshot.effectiveConfig.servers.find((entry) => entry.server.name === name);
-      const scope = server?.source.scope === 'global' ? 'global' : 'project';
-      const api = requireMcpApi(this.context);
-      const result = await api.removeServerConfig(requireShellPaths(this.context), scope, name);
-      this.mode = 'browse';
-      this.editingServerName = null;
-      this.refreshSnapshot();
-      this.status = result.removed
-        ? `Removed ${scope} server "${name}" from ${result.path}. Reload result: +${result.reload.added} ~${result.reload.changed} -${result.reload.removed}.`
-        : `No ${scope} MCP server named "${name}" exists in ${result.path}.`;
-      void this.refreshTools();
-    } catch (error) {
-      this.lastError = summarizeError(error);
-      this.status = `Remove failed: ${this.lastError}`;
-      this.context.renderRequest();
-    }
+    const server = this.snapshot.effectiveConfig.servers.find((entry) => entry.server.name === name);
+    const scope = server?.source.scope === 'global' ? 'global' : 'project';
+    this.mode = 'browse';
+    this.editingServerName = null;
+    this.status = `MCP removal blocked here. Run: /mcp remove ${name} --scope ${scope} --yes`;
+    this.context.renderRequest();
   }
 
   cancelForm(): void {

package/src/input/onboarding/onboarding-runtime-status.ts

@@ -19,24 +19,24 @@ export function runtimePortDiagnostic(
   if (status) {
     const reason = status.reason ? ` ${status.reason}` : '';
     if (status.mode === 'blocked') {
-      return `The configured endpoint ${status.baseUrl} is occupied but was not usable by this TUI instance.${reason}`;
+      return `The configured endpoint ${status.baseUrl} is occupied but was not usable by this Agent instance.${reason}`;
     }
     if (status.mode === 'disabled') {
       return `The configured endpoint ${status.baseUrl} is disabled in the runtime service configuration.${reason}`;
     }
     if (status.mode === 'unavailable') {
-      return `The configured endpoint ${status.baseUrl} is unavailable after startup or restart.${reason}`;
+      return `The configured endpoint ${status.baseUrl} is unavailable to Agent.${reason}`;
     }
     if (status.mode === 'external') {
       const version = status.version ? ` version ${status.version}` : '';
       return `An existing GoodVibes service was verified at ${status.baseUrl}${version}.`;
     }
-    return `An embedded GoodVibes service is running at ${status.baseUrl}.`;
+    return `A GoodVibes service reports embedded mode at ${status.baseUrl}; Agent still treats daemon lifecycle as external.`;
   }
   if (portInUse) {
-    return `The configured port ${binding.host}:${binding.port} is occupied after restart; another GoodVibes process, an overlapping restart, or another service may still own it.`;
+    return `The configured port ${binding.host}:${binding.port} is occupied; another GoodVibes process or another service may own it.`;
   }
-  return `No process is listening on ${binding.host}:${binding.port} after restart.`;
+  return `No process is listening on ${binding.host}:${binding.port}.`;
 }
 
 export function getRuntimeEndpointStatus(
@@ -79,9 +79,9 @@ export function formatRuntimeActiveSuccessMessage(
     return `${label} is already running as a verified external GoodVibes service at ${status.baseUrl}${version}.`;
   }
   if (status?.mode === 'embedded') {
-    return `${label} is running as an embedded service at ${status.baseUrl}.`;
+    return `${label} reports embedded mode at ${status.baseUrl}; Agent does not own that service lifecycle.`;
   }
   return endpoint === 'daemon'
-    ? 'The GoodVibes daemon is running with the applied onboarding settings.'
-    : 'The HTTP listener is running with the applied onboarding settings.';
+    ? 'The GoodVibes daemon is reachable to Agent.'
+    : 'The HTTP listener is reachable to Agent.';
 }

package/src/input/onboarding/onboarding-wizard-apply.ts

@@ -15,7 +15,7 @@ import {
   getExternalSurfaceAutoStartFieldId,
   isExternalSurfaceSelectedByDefault,
 } from './onboarding-wizard-external-surfaces.ts';
-import { buildGoodVibesSecretKey, buildGoodVibesSecretRef, isLoopbackAddress, isSecretReferenceValue } from './onboarding-wizard-helpers.ts';
+import { buildGoodVibesSecretKey, buildGoodVibesSecretRef, isSecretReferenceValue } from './onboarding-wizard-helpers.ts';
 import type { OnboardingWizardController } from './onboarding-wizard.ts';
 
 export function buildOnboardingApplyRequest(controller: OnboardingWizardController): OnboardingApplyRequest {
@@ -203,7 +203,7 @@ function addCloudflareOperations(
     setConfig('cloudflare.workerCron', controller.getStringFieldValue('cloudflare.worker-cron', config?.workerCron ?? '*/5 * * * *'));
     setConfig('cloudflare.queueName', controller.getStringFieldValue('cloudflare.queue-name', config?.queueName ?? 'goodvibes-batch'));
     setConfig('cloudflare.deadLetterQueueName', controller.getStringFieldValue('cloudflare.dead-letter-queue-name', config?.deadLetterQueueName ?? 'goodvibes-batch-dlq'));
-    setConfig('cloudflare.tunnelName', controller.getStringFieldValue('cloudflare.tunnel-name', config?.tunnelName ?? 'goodvibes-daemon'));
+    setConfig('cloudflare.tunnelName', controller.getStringFieldValue('cloudflare.tunnel-name', config?.tunnelName ?? 'goodvibes-agent-daemon'));
     setConfig('cloudflare.tunnelId', controller.getStringFieldValue('cloudflare.tunnel-id', config?.tunnelId ?? ''));
     setConfig('cloudflare.tunnelTokenRef', controller.getStringFieldValue('cloudflare.tunnel-token-ref', config?.tunnelTokenRef ?? ''));
     setConfig('cloudflare.accessAppId', controller.getStringFieldValue('cloudflare.access-app-id', config?.accessAppId ?? ''));
@@ -222,56 +222,16 @@ function addCloudflareOperations(
   }
 
 export function addNetworkOperations(
-  controller: OnboardingWizardController,
-    operations: OnboardingApplyOperation[],
-    customNetwork: boolean,
-    enabled: {
-      readonly controlPlane: boolean;
-      readonly controlPlaneRemote: boolean;
-      readonly httpListener: boolean;
-      readonly web: boolean;
-    },
+  _controller: OnboardingWizardController,
+  _operations: OnboardingApplyOperation[],
+  _customNetwork: boolean,
+  _enabled: {
+    readonly controlPlane: boolean;
+    readonly controlPlaneRemote: boolean;
+    readonly httpListener: boolean;
+    readonly web: boolean;
+  },
   ): void {
-    const setConfig = (
-      key: Extract<OnboardingApplyOperation, { kind: 'set-config' }>['key'],
-      value: unknown,
-    ): void => {
-      operations.push({ kind: 'set-config', key, value });
-    };
-    const networkFacingEnabled = {
-      controlPlane: enabled.controlPlaneRemote,
-      httpListener: enabled.httpListener,
-      web: enabled.web,
-    };
-    const sharedIpDefault = controller.getSharedIpDefault(networkFacingEnabled);
-    const sharedIp = controller.getBooleanFieldValue('network.shared-ip', sharedIpDefault);
-    const sharedHost = controller.getStringFieldValue('network.shared-ip-address', controller.getSharedIpHostDefault(networkFacingEnabled)) || '0.0.0.0';
-    const controlPlaneHost = sharedIp
-      ? sharedHost
-      : controller.getStringFieldValue('network.service-ip', controller.runtimeSnapshot?.bindSettings.controlPlane.host ?? '0.0.0.0');
-    const httpListenerHost = sharedIp
-      ? sharedHost
-      : controller.getStringFieldValue('network.webhook-ip', controller.runtimeSnapshot?.bindSettings.httpListener.host ?? '0.0.0.0');
-    const webHost = sharedIp
-      ? sharedHost
-      : controller.getStringFieldValue('network.browser-ip', controller.runtimeSnapshot?.bindSettings.web.host ?? '0.0.0.0');
-
-    if (enabled.controlPlane) {
-      setConfig('controlPlane.hostMode', enabled.controlPlaneRemote ? (customNetwork ? 'custom' : 'network') : 'local');
-      setConfig('controlPlane.host', enabled.controlPlaneRemote ? (customNetwork ? controlPlaneHost : '0.0.0.0') : '127.0.0.1');
-      setConfig('controlPlane.port', controller.getPortFieldValue('network.service-port', controller.runtimeSnapshot?.bindSettings.controlPlane.port ?? 3421));
-      setConfig('controlPlane.allowRemote', enabled.controlPlaneRemote && (customNetwork ? !isLoopbackAddress(controlPlaneHost) : true));
-    }
-
-    if (enabled.httpListener) {
-      setConfig('httpListener.hostMode', customNetwork ? 'custom' : 'network');
-      setConfig('httpListener.host', customNetwork ? httpListenerHost : '0.0.0.0');
-      setConfig('httpListener.port', controller.getPortFieldValue('network.webhook-port', controller.runtimeSnapshot?.bindSettings.httpListener.port ?? 3422));
-    }
-
-    if (enabled.web) {
-      setConfig('web.hostMode', customNetwork ? 'custom' : 'network');
-      setConfig('web.host', customNetwork ? webHost : '0.0.0.0');
-      setConfig('web.port', controller.getPortFieldValue('network.browser-port', controller.runtimeSnapshot?.bindSettings.web.port ?? 3423));
-    }
+    // Agent onboarding intentionally never mutates daemon/listener/web bind posture.
+    // Network fields are advisory for the external daemon owner.
   }

package/src/input/onboarding/onboarding-wizard-cloudflare-step.ts

@@ -26,7 +26,7 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
   const bind = controller.runtimeSnapshot?.bindSettings.controlPlane;
   const defaultDaemonBaseUrl = normalizeText(config?.daemonBaseUrl)
     || `http://${bind?.host && bind.host !== '0.0.0.0' && bind.host !== '::' ? bind.host : '127.0.0.1'}:${bind?.port ?? 3421}`;
-  const resultMessage = controller.textState.get('cloudflare.action-status') ?? 'No Cloudflare daemon action has run in this wizard session.';
+  const resultMessage = controller.textState.get('cloudflare.action-status') ?? 'No Cloudflare action has run in this wizard session.';
   const fields: OnboardingWizardFieldDefinition[] = [
     {
       kind: 'checklist',
@@ -96,7 +96,7 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'text',
         id: 'cloudflare.bootstrap-env-name',
         label: 'Bootstrap token environment variable',
-        hint: 'The TUI reads this environment variable once and passes the value to the SDK token-create route. It is not persisted.',
+        hint: 'Agent reads this environment variable once and passes the value to the SDK token-create route. It is not persisted.',
         placeholder: 'GOODVIBES_CLOUDFLARE_BOOTSTRAP_TOKEN',
         defaultValue: 'GOODVIBES_CLOUDFLARE_BOOTSTRAP_TOKEN',
       });
@@ -227,8 +227,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
           id: 'cloudflare.tunnel-name',
           label: 'Tunnel name',
           hint: 'Cloudflare Tunnel name to create or reuse.',
-          placeholder: 'goodvibes-daemon',
-          defaultValue: config?.tunnelName || 'goodvibes-daemon',
+          placeholder: 'goodvibes-agent-daemon',
+          defaultValue: config?.tunnelName || 'goodvibes-agent-daemon',
         },
         {
           kind: 'text',
@@ -380,8 +380,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
       {
         kind: 'radio',
         id: 'cloudflare.provision-on-apply',
-        label: 'Provision Cloudflare on final apply',
-        hint: 'If yes, final Apply calls SDK daemon routes to create/update resources and verify them. Failure is reported as a warning; settings still save.',
+        label: 'Final apply Cloudflare provisioning',
+        hint: 'Agent onboarding saves config only. Run /cloudflare provision [flags] --yes explicitly for resource changes.',
         options: CLOUDFLARE_PROVISION_OPTIONS,
         defaultValue: 'no',
       },
@@ -404,8 +404,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'action',
         id: 'cloudflare.create-token',
         action: 'cloudflare-create-operational-token',
-        label: 'Create operational token from bootstrap token',
-        hint: 'Uses a pasted or environment bootstrap token once. The SDK stores the generated operational token as a goodvibes:// secret.',
+        label: 'Show create-token command',
+        hint: 'Token creation is side-effecting. The wizard shows the explicit /cloudflare create-token ... --yes path instead of running it.',
         defaultValue: 'Action',
       },
       {
@@ -428,8 +428,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'action',
         id: 'cloudflare.provision',
         action: 'cloudflare-provision',
-        label: 'Provision and verify now',
-        hint: 'Calls the daemon SDK route immediately with the current wizard values. This creates/updates selected Cloudflare resources.',
+        label: 'Show provision command',
+        hint: 'Provisioning is side-effecting. The wizard shows the explicit /cloudflare provision ... --yes path instead of running it.',
         defaultValue: 'Action',
       },
       {
@@ -444,8 +444,8 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
         kind: 'action',
         id: 'cloudflare.disable',
         action: 'cloudflare-disable',
-        label: 'Disable Cloudflare integration',
-        hint: 'Calls the daemon SDK route to disable local Cloudflare usage and return the batch queue backend to local behavior.',
+        label: 'Show disable command',
+        hint: 'Disabling persists config changes. The wizard shows the explicit /cloudflare disable ... --yes path instead of running it.',
         defaultValue: 'Action',
       },
     );

package/src/input/onboarding/onboarding-wizard-cloudflare.ts

@@ -66,12 +66,7 @@ export const CLOUDFLARE_PROVISION_OPTIONS: readonly OnboardingWizardRadioOption[
   {
     id: 'no',
     label: 'No, save configuration only',
-    hint: 'Final Apply saves the settings. Use the Cloudflare command or this wizard later to provision resources.',
-  },
-  {
-    id: 'yes',
-    label: 'Yes, create or update Cloudflare resources',
-    hint: 'Final Apply asks the daemon SDK route to create/update selected Cloudflare resources and verify the Worker when possible.',
+    hint: 'Final Apply saves the settings. Run /cloudflare provision [flags] --yes explicitly when you want resource changes.',
   },
 ];
 
@@ -176,7 +171,7 @@ export function buildCloudflareProvisionRequest(controller: OnboardingWizardCont
     daemonHostname: controller.getStringFieldValue('cloudflare.daemon-hostname', controller.runtimeSnapshot?.config.cloudflare.daemonHostname ?? ''),
     queueName: controller.getStringFieldValue('cloudflare.queue-name', controller.runtimeSnapshot?.config.cloudflare.queueName ?? 'goodvibes-batch'),
     deadLetterQueueName: controller.getStringFieldValue('cloudflare.dead-letter-queue-name', controller.runtimeSnapshot?.config.cloudflare.deadLetterQueueName ?? 'goodvibes-batch-dlq'),
-    tunnelName: controller.getStringFieldValue('cloudflare.tunnel-name', controller.runtimeSnapshot?.config.cloudflare.tunnelName ?? 'goodvibes-daemon'),
+    tunnelName: controller.getStringFieldValue('cloudflare.tunnel-name', controller.runtimeSnapshot?.config.cloudflare.tunnelName ?? 'goodvibes-agent-daemon'),
     tunnelId: controller.getStringFieldValue('cloudflare.tunnel-id', controller.runtimeSnapshot?.config.cloudflare.tunnelId ?? ''),
     tunnelServiceUrl: controller.getStringFieldValue('cloudflare.tunnel-service-url', ''),
     tunnelTokenRef: controller.getStringFieldValue('cloudflare.tunnel-token-ref', controller.runtimeSnapshot?.config.cloudflare.tunnelTokenRef ?? ''),