@pellux/goodvibes-tui 0.19.32 → 0.19.34

package/CHANGELOG.md

@@ -4,6 +4,29 @@ All notable changes to GoodVibes TUI.
 
 ---
 
+## [0.19.34] — 2026-04-26
+
+### Added
+- Cloudflare onboarding support for optional Workers/Queues batch and remote daemon/control-plane provisioning.
+- `/cloudflare` (`/cf`) runtime command for status, token requirements, bootstrap-token creation, discovery, validation, provisioning, verification, disable, and setup entry.
+- Cloudflare settings category in `/settings`, including SDK `cloudflare.*` and `batch.*` keys.
+- Documentation for Cloudflare token setup, daemon routes, onboarding fields, batch modes, and secret references.
+
+### Changed
+- Updated `@pellux/goodvibes-sdk` to `0.25.10` for SDK-owned Cloudflare daemon routes, token creation, discovery, validation, provisioning, and config persistence.
+- Onboarding Cloudflare provisioning failures are reported as warnings so local daemon usage is not blocked when optional Cloudflare setup needs follow-up.
+
+## [0.19.33] — 2026-04-26
+
+### Changed
+- `/config-tts` now opens an interactive TTS configuration modal instead of only printing provider and voice lists.
+- `/config-tts providers` and `/config-tts voices [provider]` open selectable provider/voice pickers in the TUI and persist the selected SDK config keys.
+- `/config-tts llm` opens the model picker for a separate `/tts` response-model override; `/tts` still defaults to the current chat provider/model when no override is configured.
+
+### Fixed
+- `/tts` now honors configured `tts.llmProvider`/`tts.llmModel` for that spoken turn without changing the main chat model or global provider settings.
+- Changing the TTS provider clears the provider-specific voice selection so a stale voice id is not reused against a different provider.
+
 ## [0.19.32] — 2026-04-25
 
 ### Added

package/README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://github.com/mgd34msu/goodvibes-tui/actions/workflows/ci.yml/badge.svg)](https://github.com/mgd34msu/goodvibes-tui/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Version](https://img.shields.io/badge/version-0.19.32-blue.svg)](https://github.com/mgd34msu/goodvibes-tui)
+[![Version](https://img.shields.io/badge/version-0.19.34-blue.svg)](https://github.com/mgd34msu/goodvibes-tui)
 
 A terminal-native AI coding, operations, automation, knowledge, and integration console with a typed runtime, omnichannel surfaces, structured memory/knowledge, and a raw ANSI renderer.
 
@@ -989,6 +989,7 @@ These systems are first-class runtime families.
 - `web-search`: provider-backed search with verbosity control, evidence shaping, optional source fetching, and normalized results across DuckDuckGo, SearXNG, Brave, Exa, Firecrawl, Tavily, and Perplexity
 - `artifacts`: durable file/object storage for markdown, text, JSON, CSV, spreadsheets, PDFs, images, audio, video, and generated outputs, with metadata, content access, and delivery reuse
 - `voice`: provider-backed TTS/STT/realtime negotiation with OpenAI, ElevenLabs, Deepgram, Google, Microsoft, and Vydra; the TUI also supports live `/tts` spoken output through streaming TTS providers and local `mpv`/`ffplay` playback
+- `cloudflare`: optional Workers/Queues batch execution and remote control-plane provisioning through SDK daemon routes; local immediate daemon behavior remains the default until Cloudflare and a batch mode are enabled
 - `multimodal`: unified image/audio/video/document analysis with packet building and optional knowledge write-back
 
 These surfaces are exposed through the daemon/API as well as the TUI panels and commands, giving future web and companion clients the same backend runtime.
@@ -1269,7 +1270,8 @@ Those pieces cover conversation-noise routing, panel-health/performance budgets,
 | `/notify [action]` | `/ntf` | Manage webhook notifications (ntfy.sh): add, remove, list, clear, test |
 | `/voice [action]` | — | Review optional voice posture and export/inspect voice bundles |
 | `/tts <prompt>` | — | Submit a normal prompt and play the assistant response through live TTS |
-| `/config-tts [action]` | `/tts-config` | Configure TTS provider, voice, and optional spoken-turn LLM overrides |
+| `/config-tts [action]` | `/tts-config` | Open TTS configuration for provider, voice, and optional `/tts` response-model override |
+| `/cloudflare [action]` | `/cf` | Configure optional Cloudflare Workers/Queues batch and remote control-plane provisioning |
 | `/diff [target]` | `/d` | Show unified diff: session, head, working, staged, or a git ref |
 | `/mcp [tools]` | — | List connected MCP servers and their tools |
 | `/help [command]` | `/h`, `/?` | Show available commands and keyboard shortcuts |

package/docs/foundation-artifacts/operator-contract.json

@@ -3,7 +3,7 @@
   "product": {
     "id": "goodvibes",
     "surface": "operator",
-    "version": "0.25.8"
+    "version": "0.25.10"
   },
   "auth": {
     "modes": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-tui",
-  "version": "0.19.32",
+  "version": "0.19.34",
   "description": "Terminal-native GoodVibes product for coding, operations, automation, knowledge, channels, and daemon-backed control-plane workflows.",
   "type": "module",
   "main": "src/main.ts",
@@ -91,7 +91,7 @@
     "@anthropic-ai/vertex-sdk": "^0.16.0",
     "@ast-grep/napi": "^0.42.0",
     "@aws/bedrock-token-generator": "^1.1.0",
-    "@pellux/goodvibes-sdk": "0.25.8",
+    "@pellux/goodvibes-sdk": "0.25.10",
     "bash-language-server": "^5.6.0",
     "fuse.js": "^7.1.0",
     "graphql": "^16.13.2",

package/src/audio/spoken-turn-model-routing.ts

@@ -0,0 +1,117 @@
+import type { ConfigManager } from '@pellux/goodvibes-sdk/platform/config/manager';
+import type { ModelDefinition, ProviderRegistry } from '@pellux/goodvibes-sdk/platform/providers/registry';
+import type { ContentPart } from '@pellux/goodvibes-sdk/platform/providers/interface';
+import type { Orchestrator, OrchestratorUserInputOptions } from '../core/orchestrator.ts';
+
+const SPOKEN_TURN_SOURCE = 'tts';
+
+type RunTurn = (
+  text: string,
+  content?: ContentPart[],
+  options?: OrchestratorUserInputOptions,
+) => Promise<void>;
+
+type PatchableOrchestrator = {
+  runTurn?: RunTurn;
+  setCoreServices: (services: { providerRegistry?: ProviderRegistry }) => void;
+};
+
+export interface SpokenTurnModelRoutingOptions {
+  readonly orchestrator: Orchestrator;
+  readonly providerRegistry: ProviderRegistry;
+  readonly configManager: Pick<ConfigManager, 'get'>;
+  readonly notify?: (message: string) => void;
+}
+
+export function createSpokenTurnInputOptions(): OrchestratorUserInputOptions {
+  return {
+    origin: {
+      source: SPOKEN_TURN_SOURCE,
+      surface: 'tui',
+      metadata: { spokenOutput: true },
+    },
+  };
+}
+
+export function attachSpokenTurnModelRouting(options: SpokenTurnModelRoutingOptions): () => void {
+  const target = options.orchestrator as unknown as PatchableOrchestrator;
+  const originalRunTurn = target.runTurn?.bind(options.orchestrator);
+  if (!originalRunTurn) return () => {};
+
+  target.runTurn = async (text, content, inputOptions) => {
+    if (!isSpokenTurn(inputOptions)) {
+      await originalRunTurn(text, content, inputOptions);
+      return;
+    }
+
+    const override = resolveSpokenTurnModelOverride({
+      providerRegistry: options.providerRegistry,
+      configManager: options.configManager,
+      notify: options.notify,
+    });
+    if (!override) {
+      await originalRunTurn(text, content, inputOptions);
+      return;
+    }
+
+    const routedRegistry = createRoutedProviderRegistry(options.providerRegistry, override);
+    target.setCoreServices({ providerRegistry: routedRegistry });
+    try {
+      await originalRunTurn(text, content, inputOptions);
+    } finally {
+      target.setCoreServices({ providerRegistry: options.providerRegistry });
+    }
+  };
+
+  return () => {
+    target.runTurn = originalRunTurn;
+    target.setCoreServices({ providerRegistry: options.providerRegistry });
+  };
+}
+
+export function resolveSpokenTurnModelOverride(options: {
+  readonly providerRegistry: Pick<ProviderRegistry, 'listModels' | 'getCurrentModel'>;
+  readonly configManager: Pick<ConfigManager, 'get'>;
+  readonly notify?: (message: string) => void;
+}): ModelDefinition | null {
+  const modelRef = readConfigString(options.configManager, 'tts.llmModel');
+  if (!modelRef) return null;
+
+  const providerId = readConfigString(options.configManager, 'tts.llmProvider');
+  const current = options.providerRegistry.getCurrentModel();
+  const model = options.providerRegistry.listModels().find((candidate) => {
+    const refMatches = candidate.registryKey === modelRef || candidate.id === modelRef;
+    const providerMatches = !providerId || candidate.provider === providerId;
+    return refMatches && providerMatches;
+  });
+
+  if (!model) {
+    options.notify?.(`[TTS] Configured TTS LLM '${modelRef}' was not found; using current chat model.`);
+    return null;
+  }
+  if (model.selectable === false) {
+    options.notify?.(`[TTS] Configured TTS LLM '${modelRef}' is not selectable; using current chat model.`);
+    return null;
+  }
+  if ((model.registryKey ?? model.id) === (current.registryKey ?? current.id)) return null;
+  return model;
+}
+
+function isSpokenTurn(options: OrchestratorUserInputOptions | undefined): boolean {
+  return options?.origin?.source === SPOKEN_TURN_SOURCE
+    || options?.origin?.metadata?.['spokenOutput'] === true;
+}
+
+function createRoutedProviderRegistry(providerRegistry: ProviderRegistry, model: ModelDefinition): ProviderRegistry {
+  return new Proxy(providerRegistry, {
+    get(target, prop, receiver) {
+      if (prop === 'getCurrentModel') return () => model;
+      const value = Reflect.get(target, prop, receiver);
+      return typeof value === 'function' ? value.bind(target) : value;
+    },
+  });
+}
+
+function readConfigString(configManager: Pick<ConfigManager, 'get'>, key: 'tts.llmProvider' | 'tts.llmModel'): string {
+  return String(configManager.get(key) ?? '').trim();
+}

package/src/input/command-registry.ts

@@ -79,6 +79,8 @@ export interface CommandShellUiOpeners {
   reloadSystemPrompt?: () => string;
   openOnboardingWizard?: (modeOrOptions?: OnboardingWizardMode | OpenOnboardingWizardOptions) => void;
   openModelPicker?: () => void;
+  openModelPickerWithTarget?: (target: import('./model-picker.ts').ModelPickerTarget) => boolean;
+  openProviderModelPickerWithTarget?: (target: import('./model-picker.ts').ModelPickerTarget) => boolean;
   openProviderPicker?: () => void;
   openContextInspector?: () => void;
   openBookmarkModal?: () => void;

package/src/input/commands/cloudflare-runtime.ts

@@ -0,0 +1,343 @@
+import {
+  CLOUDFLARE_COMPONENT_IDS,
+  CLOUDFLARE_COMPONENT_LABELS,
+  DEFAULT_CLOUDFLARE_COMPONENT_SELECTION,
+  CloudflareDaemonRouteError,
+  createCloudflareDaemonClient,
+  type CloudflareComponent,
+  type CloudflareComponentSelection,
+  type CloudflareDaemonClient,
+  type CloudflareProvisionStep,
+} from '../../runtime/cloudflare-control-plane.ts';
+import type { CommandContext, CommandRegistry } from '../command-registry.ts';
+import { requireShellPaths } from './runtime-services.ts';
+
+interface ParsedCloudflareArgs {
+  readonly positional: readonly string[];
+  readonly flags: ReadonlyMap<string, readonly string[]>;
+}
+
+export function registerCloudflareRuntimeCommands(registry: CommandRegistry): void {
+  registry.register({
+    name: 'cloudflare',
+    aliases: ['cf'],
+    description: 'Inspect and manage optional Cloudflare batch/control-plane integration through daemon SDK routes',
+    usage: '[status|setup|requirements|create-token|discover|validate|provision|verify|disable] [flags]',
+    async handler(args, ctx) {
+      const subcommand = (args[0] ?? 'status').toLowerCase();
+      const parsed = parseCloudflareArgs(args.slice(1));
+      if (subcommand === 'setup' || subcommand === 'onboarding') {
+        ctx.openOnboardingWizard?.({ mode: 'edit', reset: true });
+        ctx.print('Opening onboarding wizard. Select the Cloudflare batch capability to configure Cloudflare.');
+        return;
+      }
+
+      let client: CloudflareDaemonClient;
+      try {
+        client = createCloudflareClient(ctx);
+      } catch (error) {
+        ctx.print(`Cloudflare command unavailable: ${formatCloudflareError(error)}`);
+        return;
+      }
+
+      try {
+        if (subcommand === 'status' || subcommand === 'show') {
+          const status = await client.status();
+          ctx.print([
+            'Cloudflare Status',
+            `  enabled: ${status.enabled ? 'yes' : 'no'}`,
+            `  ready: ${status.ready ? 'yes' : 'no'}`,
+            `  account: ${status.config.accountId || '(not set)'}`,
+            `  token ref: ${status.config.apiTokenRef || '(CLOUDFLARE_API_TOKEN fallback)'}`,
+            `  worker: ${status.config.workerName || '(not set)'}`,
+            `  worker URL: ${status.config.workerBaseUrl || '(not set)'}`,
+            `  queue: ${status.config.queueName || '(not set)'}`,
+            `  DLQ: ${status.config.deadLetterQueueName || '(not set)'}`,
+            `  batch mode: ${String(ctx.platform.configManager.get('batch.mode') ?? 'off')}`,
+            `  queue backend: ${String(ctx.platform.configManager.get('batch.queueBackend') ?? 'local')}`,
+            ...status.warnings.map((warning) => `  warning: ${warning}`),
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'requirements') {
+          const result = await client.tokenRequirements({
+            components: componentsFromArgs(parsed),
+            includeBootstrap: true,
+          });
+          ctx.print([
+            'Cloudflare Token Requirements',
+            `  components: ${formatComponents(result.components)}`,
+            '  permissions:',
+            ...result.permissions.map((permission) => `    ${permission.scope}: ${permission.permission} (${permission.component}) - ${permission.reason}`),
+            ...(result.bootstrapToken.instructions.length > 0
+              ? ['  bootstrap token:', ...result.bootstrapToken.instructions.map((line) => `    ${line}`)]
+              : []),
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'create-token') {
+          const bootstrapToken = getFlag(parsed, 'bootstrap-token') || readTokenEnv(parsed, 'bootstrap-env');
+          if (!bootstrapToken) {
+            ctx.print('Usage: /cloudflare create-token --account <account-id> --bootstrap-token <token> or --bootstrap-env <env-name>');
+            return;
+          }
+          const result = await client.createOperationalToken({
+            components: componentsFromArgs(parsed),
+            ...optionalString('accountId', getFlag(parsed, 'account') || getFlag(parsed, 'account-id')),
+            ...optionalString('zoneId', getFlag(parsed, 'zone-id')),
+            ...optionalString('zoneName', getFlag(parsed, 'zone') || getFlag(parsed, 'zone-name')),
+            bootstrapToken,
+            storeApiToken: true,
+            persistConfig: true,
+          });
+          ctx.print([
+            'Cloudflare Operational Token Created',
+            `  token: ${result.tokenName}${result.tokenId ? ` (${result.tokenId})` : ''}`,
+            `  account: ${result.accountId}`,
+            `  zone: ${result.zoneId || '(none)'}`,
+            `  stored ref: ${result.apiTokenRef ?? '(not stored)'}`,
+            '  revoke or expire the temporary bootstrap token after validation.',
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'discover') {
+          const result = await client.discover({
+            ...cloudflareAuthInput(parsed),
+            components: componentsFromArgs(parsed),
+            ...optionalString('zoneId', getFlag(parsed, 'zone-id')),
+            ...optionalString('zoneName', getFlag(parsed, 'zone') || getFlag(parsed, 'zone-name')),
+            includeResources: !hasFlag(parsed, 'fast'),
+          });
+          ctx.print([
+            'Cloudflare Discovery',
+            `  token source: ${result.tokenSource}`,
+            `  accounts: ${result.accounts.length}`,
+            ...result.accounts.slice(0, 12).map((account) => `    account ${account.id}: ${account.name}`),
+            `  zones: ${result.zones.length}`,
+            ...result.zones.slice(0, 12).map((zone) => `    zone ${zone.id}: ${zone.name}${zone.status ? ` (${zone.status})` : ''}`),
+            `  worker subdomain: ${result.workerSubdomain || '(not detected)'}`,
+            `  queues: ${result.queues?.length ?? 0}`,
+            `  KV namespaces: ${result.kvNamespaces?.length ?? 0}`,
+            `  R2 buckets: ${result.r2Buckets?.length ?? 0}`,
+            ...result.warnings.map((warning) => `  warning: ${warning}`),
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'validate') {
+          const result = await client.validate(cloudflareAuthInput(parsed));
+          ctx.print([
+            'Cloudflare Token Validation',
+            `  ok: ${result.ok ? 'yes' : 'no'}`,
+            `  token source: ${result.tokenSource}`,
+            result.account ? `  account: ${result.account.name} (${result.account.id})` : '  account: not resolved',
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'provision') {
+          const result = await client.provision({
+            ...cloudflareAuthInput(parsed),
+            components: componentsFromArgs(parsed),
+            ...optionalString('accountId', getFlag(parsed, 'account') || getFlag(parsed, 'account-id')),
+            ...optionalString('zoneId', getFlag(parsed, 'zone-id')),
+            ...optionalString('zoneName', getFlag(parsed, 'zone') || getFlag(parsed, 'zone-name')),
+            ...optionalString('daemonBaseUrl', getFlag(parsed, 'daemon-url')),
+            ...optionalString('daemonHostname', getFlag(parsed, 'daemon-hostname')),
+            ...optionalString('workerName', getFlag(parsed, 'worker-name')),
+            ...optionalString('workerSubdomain', getFlag(parsed, 'worker-subdomain')),
+            ...optionalString('workerHostname', getFlag(parsed, 'worker-hostname')),
+            ...optionalString('workerBaseUrl', getFlag(parsed, 'worker-url')),
+            ...optionalString('queueName', getFlag(parsed, 'queue') || getFlag(parsed, 'queue-name')),
+            ...optionalString('deadLetterQueueName', getFlag(parsed, 'dlq') || getFlag(parsed, 'dead-letter-queue')),
+            ...optionalBatchMode(readBatchMode(parsed)),
+            persistConfig: true,
+            verify: !hasFlag(parsed, 'no-verify'),
+            storeApiToken: !hasFlag(parsed, 'no-store-token'),
+            enableWorkersDev: !hasFlag(parsed, 'no-workers-dev'),
+          });
+          ctx.print([
+            'Cloudflare Provisioning',
+            `  ok: ${result.ok ? 'yes' : 'no'}`,
+            ...(result.worker ? [`  worker: ${result.worker.name}${result.worker.baseUrl ? ` at ${result.worker.baseUrl}` : ''}`] : []),
+            ...(result.queues ? [`  queues: ${result.queues.queueName}; DLQ ${result.queues.deadLetterQueueName}`] : []),
+            ...formatProvisionSteps(result.steps),
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'verify') {
+          const result = await client.verify({
+            ...optionalString('workerBaseUrl', getFlag(parsed, 'worker-url')),
+            ...optionalString('workerClientToken', getFlag(parsed, 'worker-token')),
+            ...optionalString('workerClientTokenRef', getFlag(parsed, 'worker-token-ref')),
+          });
+          ctx.print([
+            'Cloudflare Verification',
+            `  ok: ${result.ok ? 'yes' : 'no'}`,
+            `  worker health: ${result.workerHealth.ok ? 'ok' : 'failed'} (HTTP ${result.workerHealth.status})${result.workerHealth.error ? ` - ${result.workerHealth.error}` : ''}`,
+            ...(result.daemonBatchProxy ? [`  daemon batch proxy: ${result.daemonBatchProxy.ok ? 'ok' : 'failed'} (HTTP ${result.daemonBatchProxy.status})${result.daemonBatchProxy.error ? ` - ${result.daemonBatchProxy.error}` : ''}`] : []),
+          ].join('\n'));
+          return;
+        }
+
+        if (subcommand === 'disable') {
+          const result = await client.disable({
+            ...cloudflareAuthInput(parsed),
+            ...optionalString('workerName', getFlag(parsed, 'worker-name')),
+            disableWorkerSubdomain: hasFlag(parsed, 'disable-worker-subdomain'),
+            disableCron: !hasFlag(parsed, 'keep-cron'),
+            persistConfig: true,
+          });
+          ctx.print([
+            'Cloudflare Disabled',
+            `  ok: ${result.ok ? 'yes' : 'no'}`,
+            ...formatProvisionSteps(result.steps),
+          ].join('\n'));
+          return;
+        }
+
+        ctx.print('Usage: /cloudflare [status|setup|requirements|create-token|discover|validate|provision|verify|disable] [flags]');
+      } catch (error) {
+        ctx.print(`Cloudflare ${subcommand} failed: ${formatCloudflareError(error)}`);
+      }
+    },
+  });
+}
+
+function createCloudflareClient(ctx: CommandContext): CloudflareDaemonClient {
+  const shellPaths = requireShellPaths(ctx);
+  return createCloudflareDaemonClient({
+    configManager: ctx.platform.configManager,
+    homeDirectory: shellPaths.homeDirectory,
+  });
+}
+
+function parseCloudflareArgs(args: readonly string[]): ParsedCloudflareArgs {
+  const positional: string[] = [];
+  const flags = new Map<string, string[]>();
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index]!;
+    if (!arg.startsWith('--')) {
+      positional.push(arg);
+      continue;
+    }
+    const raw = arg.slice(2);
+    const equalsIndex = raw.indexOf('=');
+    if (equalsIndex >= 0) {
+      const key = raw.slice(0, equalsIndex);
+      const value = raw.slice(equalsIndex + 1);
+      flags.set(key, [...(flags.get(key) ?? []), value]);
+      continue;
+    }
+    const next = args[index + 1];
+    if (next && !next.startsWith('--')) {
+      flags.set(raw, [...(flags.get(raw) ?? []), next]);
+      index += 1;
+    } else {
+      flags.set(raw, [...(flags.get(raw) ?? []), 'true']);
+    }
+  }
+  return { positional, flags };
+}
+
+function hasFlag(args: ParsedCloudflareArgs, key: string): boolean {
+  return args.flags.has(key);
+}
+
+function getFlag(args: ParsedCloudflareArgs, key: string): string {
+  const values = args.flags.get(key);
+  const value = values?.[values.length - 1] ?? '';
+  return value === 'true' ? '' : value.trim();
+}
+
+function getFlagValues(args: ParsedCloudflareArgs, key: string): readonly string[] {
+  return args.flags.get(key)?.map((value) => value.trim()).filter(Boolean) ?? [];
+}
+
+function componentsFromArgs(args: ParsedCloudflareArgs): Record<CloudflareComponent, boolean> {
+  const components: Record<CloudflareComponent, boolean> = { ...DEFAULT_CLOUDFLARE_COMPONENT_SELECTION };
+  if (hasFlag(args, 'all') || hasFlag(args, 'advanced')) {
+    for (const component of CLOUDFLARE_COMPONENT_IDS) components[component] = true;
+  }
+  for (const raw of [...args.positional, ...getFlagValues(args, 'component')]) {
+    const normalized = normalizeComponent(raw);
+    if (normalized) components[normalized] = true;
+  }
+  for (const raw of getFlagValues(args, 'no-component')) {
+    const normalized = normalizeComponent(raw);
+    if (normalized) components[normalized] = false;
+  }
+  return components;
+}
+
+function normalizeComponent(value: string): CloudflareComponent | null {
+  const normalized = value.trim().toLowerCase().replace(/[-_]/g, '');
+  for (const component of CLOUDFLARE_COMPONENT_IDS) {
+    if (component.toLowerCase() === normalized) return component;
+  }
+  if (normalized === 'workerscript' || normalized === 'worker') return 'workers';
+  if (normalized === 'queue') return 'queues';
+  if (normalized === 'tunnel') return 'zeroTrustTunnel';
+  if (normalized === 'access') return 'zeroTrustAccess';
+  if (normalized === 'domain' || normalized === 'hostname') return 'dns';
+  if (normalized === 'do' || normalized === 'durableobject') return 'durableObjects';
+  if (normalized === 'secret' || normalized === 'secrets') return 'secretsStore';
+  return null;
+}
+
+function formatComponents(components: CloudflareComponentSelection): string {
+  const selected = CLOUDFLARE_COMPONENT_IDS
+    .filter((component) => components[component] === true)
+    .map((component) => CLOUDFLARE_COMPONENT_LABELS[component]);
+  return selected.length > 0 ? selected.join(', ') : 'none';
+}
+
+function cloudflareAuthInput(args: ParsedCloudflareArgs): {
+  readonly accountId?: string;
+  readonly apiToken?: string;
+  readonly apiTokenRef?: string;
+} {
+  const token = getFlag(args, 'token') || readTokenEnv(args, 'token-env');
+  const tokenRef = getFlag(args, 'token-ref');
+  return {
+    ...optionalString('accountId', getFlag(args, 'account') || getFlag(args, 'account-id')),
+    ...(token ? { apiToken: token } : tokenRef ? { apiTokenRef: tokenRef } : {}),
+  };
+}
+
+function readTokenEnv(args: ParsedCloudflareArgs, key: string): string {
+  const envName = getFlag(args, key);
+  if (!envName) return '';
+  return process.env[envName] ?? '';
+}
+
+function readBatchMode(args: ParsedCloudflareArgs): 'off' | 'explicit' | 'eligible-by-default' | undefined {
+  const value = getFlag(args, 'batch-mode');
+  if (value === 'off' || value === 'explicit' || value === 'eligible-by-default') return value;
+  return undefined;
+}
+
+function optionalString<K extends string>(key: K, value: string): Partial<Record<K, string>> {
+  return value.trim().length > 0 ? { [key]: value.trim() } as Partial<Record<K, string>> : {};
+}
+
+function optionalBatchMode(value: ReturnType<typeof readBatchMode>): { readonly batchMode?: 'off' | 'explicit' | 'eligible-by-default' } {
+  return value ? { batchMode: value } : {};
+}
+
+function formatProvisionSteps(steps: readonly CloudflareProvisionStep[]): string[] {
+  return steps.length > 0
+    ? steps.map((step) => `  ${step.status}: ${step.name}${step.message ? ` - ${step.message}` : ''}`)
+    : ['  no steps returned'];
+}
+
+function formatCloudflareError(error: unknown): string {
+  if (error instanceof CloudflareDaemonRouteError) {
+    return `${error.message} (HTTP ${error.status}, ${error.code})`;
+  }
+  return error instanceof Error ? error.message : String(error);
+}