@pellux/goodvibes-tui 0.19.33 → 0.19.34

package/src/input/onboarding/onboarding-wizard-cloudflare-step.ts

@@ -0,0 +1,449 @@
+import { CLOUDFLARE_COMPONENT_IDS, DEFAULT_CLOUDFLARE_COMPONENT_SELECTION } from '../../runtime/cloudflare-control-plane.ts';
+import { normalizeText } from './onboarding-wizard-helpers.ts';
+import type { OnboardingWizardController } from './onboarding-wizard.ts';
+import type { OnboardingWizardFieldDefinition, OnboardingWizardStepDefinition } from './onboarding-wizard-types.ts';
+import {
+  CLOUDFLARE_BATCH_MODE_OPTIONS,
+  CLOUDFLARE_PROVISION_OPTIONS,
+  CLOUDFLARE_SETUP_SOURCE_OPTIONS,
+  CLOUDFLARE_YES_NO_OPTIONS,
+  cloudflareComponentFieldId,
+  cloudflareComponentLabel,
+  getCloudflareBatchMode,
+  getCloudflareComponentSelection,
+  getCloudflareSetupSource,
+} from './onboarding-wizard-cloudflare.ts';
+
+export function buildCloudflareStep(controller: OnboardingWizardController): OnboardingWizardStepDefinition {
+  const config = controller.runtimeSnapshot?.config.cloudflare;
+  const batch = controller.runtimeSnapshot?.config.batch;
+  const enabledDefault = controller.isCapabilitySelected('cloudflare-batch') || config?.enabled === true;
+  const enabled = controller.getBooleanFieldValue('cloudflare.enabled', enabledDefault);
+  const components = getCloudflareComponentSelection(controller);
+  const componentCount = Object.values(components).filter(Boolean).length;
+  const setupSource = getCloudflareSetupSource(controller);
+  const batchMode = getCloudflareBatchMode(controller);
+  const bind = controller.runtimeSnapshot?.bindSettings.controlPlane;
+  const defaultDaemonBaseUrl = normalizeText(config?.daemonBaseUrl)
+    || `http://${bind?.host && bind.host !== '0.0.0.0' && bind.host !== '::' ? bind.host : '127.0.0.1'}:${bind?.port ?? 3421}`;
+  const resultMessage = controller.textState.get('cloudflare.action-status') ?? 'No Cloudflare daemon action has run in this wizard session.';
+  const fields: OnboardingWizardFieldDefinition[] = [
+    {
+      kind: 'checklist',
+      id: 'cloudflare.enabled',
+      label: 'Enable Cloudflare integration',
+      hint: 'Turns on GoodVibes Cloudflare config. Batch execution remains opt-in through the batch mode below.',
+      defaultValue: enabledDefault,
+    },
+  ];
+
+  if (enabled) {
+    fields.push(
+      {
+        kind: 'radio',
+        id: 'cloudflare.batch-mode',
+        label: 'Batch mode',
+        hint: 'Controls when daemon work uses the batch path. Off keeps normal immediate behavior.',
+        options: CLOUDFLARE_BATCH_MODE_OPTIONS,
+        defaultValue: batch?.mode ?? 'off',
+      },
+      {
+        kind: 'radio',
+        id: 'cloudflare.free-tier-mode',
+        label: 'Free-tier guardrails',
+        hint: 'Keep conservative queue-operation limits visible for free-tier Cloudflare accounts.',
+        options: CLOUDFLARE_YES_NO_OPTIONS,
+        defaultValue: config?.freeTierMode === false ? 'no' : 'yes',
+      },
+    );
+
+    for (const component of CLOUDFLARE_COMPONENT_IDS) {
+      const advanced = component !== 'workers' && component !== 'queues';
+      fields.push({
+        kind: 'checklist',
+        id: cloudflareComponentFieldId(component),
+        label: `${cloudflareComponentLabel(component)}${advanced ? ' (advanced)' : ''}`,
+        hint: cloudflareComponentHint(component),
+        defaultValue: config?.enabled === true
+          ? component === 'workers' || component === 'queues'
+          : DEFAULT_CLOUDFLARE_COMPONENT_SELECTION[component],
+      });
+    }
+
+    fields.push(
+      {
+        kind: 'radio',
+        id: 'cloudflare.setup-source',
+        label: 'Cloudflare token setup path',
+        hint: 'Choose whether the daemon SDK route creates/stores an operational token, uses an existing token, or only saves settings.',
+        options: CLOUDFLARE_SETUP_SOURCE_OPTIONS,
+        defaultValue: getCloudflareSetupSource(controller),
+      },
+    );
+
+    if (setupSource === 'bootstrap-token') {
+      fields.push({
+        kind: 'masked',
+        id: 'cloudflare.bootstrap-token',
+        label: 'Temporary bootstrap token',
+        hint: 'Used once by the SDK route to create a narrower GoodVibes operational token. It is never persisted.',
+        placeholder: 'temporary Cloudflare token',
+        defaultValue: '',
+      });
+    }
+    if (setupSource === 'bootstrap-env') {
+      fields.push({
+        kind: 'text',
+        id: 'cloudflare.bootstrap-env-name',
+        label: 'Bootstrap token environment variable',
+        hint: 'The TUI reads this environment variable once and passes the value to the SDK token-create route. It is not persisted.',
+        placeholder: 'GOODVIBES_CLOUDFLARE_BOOTSTRAP_TOKEN',
+        defaultValue: 'GOODVIBES_CLOUDFLARE_BOOTSTRAP_TOKEN',
+      });
+    }
+    if (setupSource === 'operational-token') {
+      fields.push({
+        kind: 'masked',
+        id: 'cloudflare.operational-token',
+        label: 'Final Cloudflare API token',
+        hint: 'A fully-created operational token. Provisioning can store it as goodvibes://secrets/goodvibes/CLOUDFLARE_API_TOKEN.',
+        placeholder: 'Cloudflare API token',
+        defaultValue: '',
+      });
+    }
+    if (setupSource === 'operational-env') {
+      fields.push({
+        kind: 'text',
+        id: 'cloudflare.operational-env-name',
+        label: 'Operational token environment variable',
+        hint: 'Defaults to CLOUDFLARE_API_TOKEN. The SDK can also resolve goodvibes://secrets/env/<name>.',
+        placeholder: 'CLOUDFLARE_API_TOKEN',
+        defaultValue: config?.apiTokenRef?.startsWith('goodvibes://secrets/env/')
+          ? decodeURIComponent(config.apiTokenRef.slice('goodvibes://secrets/env/'.length))
+          : 'CLOUDFLARE_API_TOKEN',
+      });
+    }
+
+    fields.push(
+      {
+        kind: 'text',
+        id: 'cloudflare.account-id',
+        label: 'Cloudflare account id',
+        hint: 'Required for validation, token creation, discovery, and provisioning. Discovery can list accounts when the token permits it.',
+        placeholder: 'account id',
+        defaultValue: config?.accountId ?? '',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.zone-id',
+        label: 'Zone id',
+        hint: 'Optional unless DNS or Access hostname automation is selected. Use the zone that owns the chosen hostname.',
+        placeholder: 'optional zone id',
+        defaultValue: config?.zoneId ?? '',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.zone-name',
+        label: 'Zone name',
+        hint: 'Optional unless DNS or Access hostname automation is selected. Example: example.com for goodvibes.example.com.',
+        placeholder: 'example.com',
+        defaultValue: config?.zoneName ?? '',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.daemon-base-url',
+        label: 'Daemon base URL for Worker calls',
+        hint: 'The URL Cloudflare Worker/Tunnel uses to reach the GoodVibes daemon. 127.0.0.1 only works for local verification, not remote Cloudflare calls.',
+        placeholder: 'https://daemon.example.com or http://127.0.0.1:3421',
+        defaultValue: defaultDaemonBaseUrl,
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.daemon-hostname',
+        label: 'Daemon hostname',
+        hint: 'Optional hostname used by Tunnel, Access, and DNS automation. Leave blank to infer it from daemon base URL when possible.',
+        placeholder: 'daemon.example.com',
+        defaultValue: config?.daemonHostname ?? '',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.worker-name',
+        label: 'Worker name',
+        hint: 'Cloudflare Worker script name to create or update.',
+        placeholder: 'goodvibes-batch-worker',
+        defaultValue: config?.workerName || 'goodvibes-batch-worker',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.worker-subdomain',
+        label: 'workers.dev subdomain',
+        hint: 'Optional workers.dev subdomain. If unavailable or blank, a custom route can still be used later.',
+        placeholder: 'account-subdomain',
+        defaultValue: config?.workerSubdomain ?? '',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.worker-hostname',
+        label: 'Worker custom hostname',
+        hint: 'Optional custom hostname for Worker DNS/route automation.',
+        placeholder: 'goodvibes.example.com',
+        defaultValue: config?.workerHostname ?? '',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.worker-base-url',
+        label: 'Worker base URL',
+        hint: 'Optional existing Worker URL. Provisioning fills this when it can infer the workers.dev URL.',
+        placeholder: 'https://goodvibes-batch-worker.account.workers.dev',
+        defaultValue: config?.workerBaseUrl ?? '',
+      },
+    );
+
+    if (components.queues) {
+      fields.push(
+        {
+          kind: 'text',
+          id: 'cloudflare.queue-name',
+          label: 'Queue name',
+          hint: 'Cloudflare Queue used for GoodVibes batch job signals.',
+          placeholder: 'goodvibes-batch',
+          defaultValue: config?.queueName || 'goodvibes-batch',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.dead-letter-queue-name',
+          label: 'Dead-letter queue name',
+          hint: 'Cloudflare dead-letter queue for failed batch signals.',
+          placeholder: 'goodvibes-batch-dlq',
+          defaultValue: config?.deadLetterQueueName || 'goodvibes-batch-dlq',
+        },
+      );
+    }
+
+    if (components.zeroTrustTunnel) {
+      fields.push(
+        {
+          kind: 'text',
+          id: 'cloudflare.tunnel-name',
+          label: 'Tunnel name',
+          hint: 'Cloudflare Tunnel name to create or reuse.',
+          placeholder: 'goodvibes-daemon',
+          defaultValue: config?.tunnelName || 'goodvibes-daemon',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.tunnel-id',
+          label: 'Existing tunnel id',
+          hint: 'Optional existing Tunnel id. Leave blank to let provisioning create or discover one by name.',
+          placeholder: 'optional tunnel id',
+          defaultValue: config?.tunnelId ?? '',
+        },
+      );
+    }
+
+    if (components.kv) {
+      fields.push(
+        {
+          kind: 'text',
+          id: 'cloudflare.kv-namespace-name',
+          label: 'KV namespace name',
+          hint: 'Cloudflare KV namespace for optional batch/runtime state.',
+          placeholder: 'goodvibes-runtime',
+          defaultValue: config?.kvNamespaceName || 'goodvibes-runtime',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.kv-namespace-id',
+          label: 'Existing KV namespace id',
+          hint: 'Optional existing KV namespace id.',
+          placeholder: 'optional KV id',
+          defaultValue: config?.kvNamespaceId ?? '',
+        },
+      );
+    }
+
+    if (components.durableObjects) {
+      fields.push(
+        {
+          kind: 'text',
+          id: 'cloudflare.do-namespace-name',
+          label: 'Durable Object namespace name',
+          hint: 'Durable Object namespace expected by the Worker when this advanced component is selected.',
+          placeholder: 'GoodVibesCoordinator',
+          defaultValue: config?.durableObjectNamespaceName || 'GoodVibesCoordinator',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.do-namespace-id',
+          label: 'Durable Object namespace id',
+          hint: 'Optional existing Durable Object namespace id.',
+          placeholder: 'optional Durable Object id',
+          defaultValue: config?.durableObjectNamespaceId ?? '',
+        },
+      );
+    }
+
+    if (components.r2) {
+      fields.push({
+        kind: 'text',
+        id: 'cloudflare.r2-bucket-name',
+        label: 'R2 bucket name',
+        hint: 'R2 Standard bucket for optional batch artifacts.',
+        placeholder: 'goodvibes-artifacts',
+        defaultValue: config?.r2BucketName || 'goodvibes-artifacts',
+      });
+    }
+
+    if (components.secretsStore) {
+      fields.push(
+        {
+          kind: 'text',
+          id: 'cloudflare.secrets-store-name',
+          label: 'Secrets Store name',
+          hint: 'Cloudflare Secrets Store name for optional account-level secrets.',
+          placeholder: 'goodvibes',
+          defaultValue: config?.secretsStoreName || 'goodvibes',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.secrets-store-id',
+          label: 'Secrets Store id',
+          hint: 'Optional existing Cloudflare Secrets Store id.',
+          placeholder: 'optional Secrets Store id',
+          defaultValue: config?.secretsStoreId ?? '',
+        },
+      );
+    }
+
+    fields.push(
+      {
+        kind: 'text',
+        id: 'cloudflare.worker-cron',
+        label: 'Worker cron',
+        hint: 'Cron trigger installed on the Worker for batch scheduler ticks. Leave blank to skip cron automation.',
+        placeholder: '*/5 * * * *',
+        defaultValue: config?.workerCron || '*/5 * * * *',
+      },
+      {
+        kind: 'text',
+        id: 'cloudflare.max-queue-ops-per-day',
+        label: 'Max queue ops per day',
+        hint: 'Free-tier queue-operation budget used for local warnings.',
+        placeholder: '10000',
+        defaultValue: String(config?.maxQueueOpsPerDay ?? 10000),
+      },
+      {
+        kind: 'radio',
+        id: 'cloudflare.provision-on-apply',
+        label: 'Provision Cloudflare on final apply',
+        hint: 'If yes, final Apply calls SDK daemon routes to create/update resources and verify them. Failure is reported as a warning; settings still save.',
+        options: CLOUDFLARE_PROVISION_OPTIONS,
+        defaultValue: 'no',
+      },
+      {
+        kind: 'status',
+        id: 'cloudflare.action-status',
+        label: 'Last Cloudflare daemon action',
+        hint: resultMessage,
+        defaultValue: resultMessage,
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.requirements',
+        action: 'cloudflare-token-requirements',
+        label: 'Show token requirements',
+        hint: 'Calls the daemon SDK route and displays the required token permissions for the selected components.',
+        defaultValue: 'Action',
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.create-token',
+        action: 'cloudflare-create-operational-token',
+        label: 'Create operational token from bootstrap token',
+        hint: 'Uses a pasted or environment bootstrap token once. The SDK stores the generated operational token as a goodvibes:// secret.',
+        defaultValue: 'Action',
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.discover',
+        action: 'cloudflare-discover',
+        label: 'Discover accounts, zones, and resources',
+        hint: 'Calls the daemon SDK route using the configured or supplied token and summarizes discoverable Cloudflare resources.',
+        defaultValue: 'Action',
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.validate',
+        action: 'cloudflare-validate',
+        label: 'Validate Cloudflare token',
+        hint: 'Calls the daemon SDK route to validate account access with the configured or supplied token.',
+        defaultValue: 'Action',
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.provision',
+        action: 'cloudflare-provision',
+        label: 'Provision and verify now',
+        hint: 'Calls the daemon SDK route immediately with the current wizard values. This creates/updates selected Cloudflare resources.',
+        defaultValue: 'Action',
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.verify',
+        action: 'cloudflare-verify',
+        label: 'Verify Worker now',
+        hint: 'Calls the daemon SDK route to verify Worker health and daemon batch proxy readiness.',
+        defaultValue: 'Action',
+      },
+      {
+        kind: 'action',
+        id: 'cloudflare.disable',
+        action: 'cloudflare-disable',
+        label: 'Disable Cloudflare integration',
+        hint: 'Calls the daemon SDK route to disable local Cloudflare usage and return the batch queue backend to local behavior.',
+        defaultValue: 'Action',
+      },
+    );
+  }
+
+  return {
+    id: 'cloudflare',
+    title: 'Cloudflare batch setup',
+    shortLabel: 'Cloudflare',
+    description: 'Optional Cloudflare Workers and Queues setup. GoodVibes uses local immediate daemon behavior unless Cloudflare and a batch mode are enabled.',
+    summaryTitle: 'Cloudflare summary',
+    summaryLines: [
+      `Enabled: ${enabled ? 'yes' : 'no'}`,
+      `Batch mode: ${enabled ? batchMode : 'off'}`,
+      `Components: ${enabled ? componentCount : 0} selected`,
+      `Token setup: ${enabled ? setupSource : 'not used'}`,
+      `Provision on final apply: ${enabled ? controller.getStringFieldValue('cloudflare.provision-on-apply', 'no') : 'no'}`,
+    ],
+    fields,
+  };
+}
+
+function cloudflareComponentHint(component: string): string {
+  switch (component) {
+    case 'workers':
+      return 'Deploy the GoodVibes Worker used for batch signals and optional public ingress.';
+    case 'queues':
+      return 'Create Cloudflare Queue and dead-letter queue resources for batch job signals.';
+    case 'zeroTrustTunnel':
+      return 'Create or reuse a Cloudflare Tunnel so Cloudflare can reach the daemon through a controlled path.';
+    case 'zeroTrustAccess':
+      return 'Configure Cloudflare Access application/service-token protection around the daemon hostname.';
+    case 'dns':
+      return 'Create DNS records for selected custom hostnames. Requires a Cloudflare-managed zone.';
+    case 'kv':
+      return 'Create or reuse KV for optional Worker-side state.';
+    case 'durableObjects':
+      return 'Use Durable Objects for advanced Worker coordination where supported.';
+    case 'secretsStore':
+      return 'Create or reuse a Cloudflare Secrets Store for optional account-level secrets.';
+    case 'r2':
+      return 'Create or reuse an R2 Standard bucket for optional batch artifacts.';
+    default:
+      return 'Optional Cloudflare component.';
+  }
+}

package/src/input/onboarding/onboarding-wizard-cloudflare.ts

@@ -0,0 +1,199 @@
+import {
+  CLOUDFLARE_COMPONENT_IDS,
+  CLOUDFLARE_COMPONENT_LABELS,
+  DEFAULT_CLOUDFLARE_COMPONENT_SELECTION,
+  type CloudflareBatchMode,
+  type CloudflareComponent,
+  type CloudflareComponentSelection,
+  type CloudflareProvisionRequest,
+} from '../../runtime/cloudflare-control-plane.ts';
+import { buildGoodVibesSecretRef, normalizeText } from './onboarding-wizard-helpers.ts';
+import type { OnboardingWizardController } from './onboarding-wizard.ts';
+import type { OnboardingWizardRadioOption } from './onboarding-wizard-types.ts';
+
+export const CLOUDFLARE_SETUP_SOURCE_OPTIONS: readonly OnboardingWizardRadioOption[] = [
+  {
+    id: 'save-only',
+    label: 'Save settings only',
+    hint: 'Persist Cloudflare fields without passing a token to the daemon. Provision later from the Cloudflare command or settings.',
+  },
+  {
+    id: 'bootstrap-token',
+    label: 'Paste temporary bootstrap token',
+    hint: 'Use a short-lived Cloudflare token once. The SDK creates and stores a narrower GoodVibes operational token.',
+  },
+  {
+    id: 'bootstrap-env',
+    label: 'Read bootstrap token from environment',
+    hint: 'Read a temporary token from an environment variable and pass it once to the SDK. The value is not stored.',
+  },
+  {
+    id: 'operational-token',
+    label: 'Paste final operational token',
+    hint: 'Use a token you already created. The SDK can store it as a GoodVibes secret during provisioning.',
+  },
+  {
+    id: 'operational-env',
+    label: 'Use final token from environment',
+    hint: 'Use an environment-backed token reference such as CLOUDFLARE_API_TOKEN.',
+  },
+];
+
+export const CLOUDFLARE_BATCH_MODE_OPTIONS: readonly OnboardingWizardRadioOption[] = [
+  {
+    id: 'off',
+    label: 'Off',
+    hint: 'Keep daemon requests on the immediate local path. Cloudflare resource settings can still be saved.',
+  },
+  {
+    id: 'explicit',
+    label: 'Explicit batch only',
+    hint: 'Only requests explicitly marked for batch execution use the configured batch path.',
+  },
+  {
+    id: 'eligible-by-default',
+    label: 'Eligible requests batch by default',
+    hint: 'Batch-capable daemon work can use the configured batch path unless the caller opts out.',
+  },
+];
+
+export const CLOUDFLARE_YES_NO_OPTIONS: readonly OnboardingWizardRadioOption[] = [
+  { id: 'yes', label: 'Yes', hint: 'Enable this behavior.' },
+  { id: 'no', label: 'No', hint: 'Leave this behavior off.' },
+];
+
+export const CLOUDFLARE_PROVISION_OPTIONS: readonly OnboardingWizardRadioOption[] = [
+  {
+    id: 'no',
+    label: 'No, save configuration only',
+    hint: 'Final Apply saves the settings. Use the Cloudflare command or this wizard later to provision resources.',
+  },
+  {
+    id: 'yes',
+    label: 'Yes, create or update Cloudflare resources',
+    hint: 'Final Apply asks the daemon SDK route to create/update selected Cloudflare resources and verify the Worker when possible.',
+  },
+];
+
+export type CloudflareSetupSource =
+  | 'save-only'
+  | 'bootstrap-token'
+  | 'bootstrap-env'
+  | 'operational-token'
+  | 'operational-env';
+
+export function cloudflareComponentFieldId(component: CloudflareComponent): string {
+  return `cloudflare.component.${component}`;
+}
+
+export function cloudflareComponentLabel(component: CloudflareComponent): string {
+  return CLOUDFLARE_COMPONENT_LABELS[component];
+}
+
+export function isCloudflareConfigured(controller: OnboardingWizardController): boolean {
+  const config = controller.runtimeSnapshot?.config.cloudflare;
+  if (!config) return false;
+  return config.enabled
+    || normalizeText(config.accountId).length > 0
+    || normalizeText(config.apiTokenRef).length > 0
+    || normalizeText(config.workerBaseUrl).length > 0
+    || normalizeText(config.workerName).length > 0;
+}
+
+export function shouldShowCloudflareStep(controller: OnboardingWizardController): boolean {
+  return controller.isCapabilitySelected('cloudflare-batch') || isCloudflareConfigured(controller);
+}
+
+export function getCloudflareSetupSource(controller: OnboardingWizardController): CloudflareSetupSource {
+  const configuredTokenRef = controller.runtimeSnapshot?.config.cloudflare.apiTokenRef ?? '';
+  const defaultValue = configuredTokenRef.startsWith('goodvibes://secrets/env/') ? 'operational-env' : 'save-only';
+  const value = controller.getStringFieldValue('cloudflare.setup-source', defaultValue);
+  if (
+    value === 'bootstrap-token'
+    || value === 'bootstrap-env'
+    || value === 'operational-token'
+    || value === 'operational-env'
+    || value === 'save-only'
+  ) {
+    return value;
+  }
+  return 'save-only';
+}
+
+export function getCloudflareComponentSelection(controller: OnboardingWizardController): Record<CloudflareComponent, boolean> {
+  const selected: Record<CloudflareComponent, boolean> = { ...DEFAULT_CLOUDFLARE_COMPONENT_SELECTION };
+  const configured = controller.runtimeSnapshot?.config.cloudflare;
+  for (const component of CLOUDFLARE_COMPONENT_IDS) {
+    const fallback = configured?.enabled === true
+      ? component === 'workers' || component === 'queues'
+      : DEFAULT_CLOUDFLARE_COMPONENT_SELECTION[component];
+    selected[component] = controller.getBooleanFieldValue(cloudflareComponentFieldId(component), fallback);
+  }
+  return selected;
+}
+
+export function getSelectedCloudflareComponents(controller: OnboardingWizardController): CloudflareComponentSelection {
+  return getCloudflareComponentSelection(controller);
+}
+
+export function getCloudflareBatchMode(controller: OnboardingWizardController): CloudflareBatchMode {
+  const value = controller.getStringFieldValue('cloudflare.batch-mode', controller.runtimeSnapshot?.config.batch.mode ?? 'off');
+  return value === 'explicit' || value === 'eligible-by-default' ? value : 'off';
+}
+
+export function buildCloudflareApiTokenRef(envName: string): string {
+  const normalized = normalizeText(envName) || 'CLOUDFLARE_API_TOKEN';
+  return `goodvibes://secrets/env/${encodeURIComponent(normalized)}`;
+}
+
+export function buildCloudflareProvisionRequest(controller: OnboardingWizardController, options: {
+  readonly includeTransientSecrets?: boolean;
+} = {}): CloudflareProvisionRequest {
+  const components = getCloudflareComponentSelection(controller);
+  const setupSource = getCloudflareSetupSource(controller);
+  const accountId = controller.getStringFieldValue('cloudflare.account-id', controller.runtimeSnapshot?.config.cloudflare.accountId ?? '');
+  const zoneId = controller.getStringFieldValue('cloudflare.zone-id', controller.runtimeSnapshot?.config.cloudflare.zoneId ?? '');
+  const zoneName = controller.getStringFieldValue('cloudflare.zone-name', controller.runtimeSnapshot?.config.cloudflare.zoneName ?? '');
+  const apiToken = setupSource === 'operational-token' && options.includeTransientSecrets
+    ? controller.getStringFieldValue('cloudflare.operational-token', '')
+    : '';
+  const apiTokenRef = setupSource === 'operational-env'
+    ? buildCloudflareApiTokenRef(controller.getStringFieldValue('cloudflare.operational-env-name', 'CLOUDFLARE_API_TOKEN'))
+    : controller.runtimeSnapshot?.config.cloudflare.apiTokenRef ?? '';
+
+  return {
+    components,
+    ...(accountId ? { accountId } : {}),
+    ...(zoneId ? { zoneId } : {}),
+    ...(zoneName ? { zoneName } : {}),
+    ...(apiToken ? { apiToken, storeApiToken: true } : {}),
+    ...(!apiToken && apiTokenRef ? { apiTokenRef } : {}),
+    workerName: controller.getStringFieldValue('cloudflare.worker-name', controller.runtimeSnapshot?.config.cloudflare.workerName ?? 'goodvibes-batch-worker'),
+    workerSubdomain: controller.getStringFieldValue('cloudflare.worker-subdomain', controller.runtimeSnapshot?.config.cloudflare.workerSubdomain ?? ''),
+    workerHostname: controller.getStringFieldValue('cloudflare.worker-hostname', controller.runtimeSnapshot?.config.cloudflare.workerHostname ?? ''),
+    workerBaseUrl: controller.getStringFieldValue('cloudflare.worker-base-url', controller.runtimeSnapshot?.config.cloudflare.workerBaseUrl ?? ''),
+    daemonBaseUrl: controller.getStringFieldValue('cloudflare.daemon-base-url', controller.runtimeSnapshot?.config.cloudflare.daemonBaseUrl ?? ''),
+    daemonHostname: controller.getStringFieldValue('cloudflare.daemon-hostname', controller.runtimeSnapshot?.config.cloudflare.daemonHostname ?? ''),
+    queueName: controller.getStringFieldValue('cloudflare.queue-name', controller.runtimeSnapshot?.config.cloudflare.queueName ?? 'goodvibes-batch'),
+    deadLetterQueueName: controller.getStringFieldValue('cloudflare.dead-letter-queue-name', controller.runtimeSnapshot?.config.cloudflare.deadLetterQueueName ?? 'goodvibes-batch-dlq'),
+    tunnelName: controller.getStringFieldValue('cloudflare.tunnel-name', controller.runtimeSnapshot?.config.cloudflare.tunnelName ?? 'goodvibes-daemon'),
+    tunnelId: controller.getStringFieldValue('cloudflare.tunnel-id', controller.runtimeSnapshot?.config.cloudflare.tunnelId ?? ''),
+    kvNamespaceName: controller.getStringFieldValue('cloudflare.kv-namespace-name', controller.runtimeSnapshot?.config.cloudflare.kvNamespaceName ?? 'goodvibes-runtime'),
+    kvNamespaceId: controller.getStringFieldValue('cloudflare.kv-namespace-id', controller.runtimeSnapshot?.config.cloudflare.kvNamespaceId ?? ''),
+    durableObjectNamespaceName: controller.getStringFieldValue('cloudflare.do-namespace-name', controller.runtimeSnapshot?.config.cloudflare.durableObjectNamespaceName ?? 'GoodVibesCoordinator'),
+    durableObjectNamespaceId: controller.getStringFieldValue('cloudflare.do-namespace-id', controller.runtimeSnapshot?.config.cloudflare.durableObjectNamespaceId ?? ''),
+    r2BucketName: controller.getStringFieldValue('cloudflare.r2-bucket-name', controller.runtimeSnapshot?.config.cloudflare.r2BucketName ?? 'goodvibes-artifacts'),
+    secretsStoreName: controller.getStringFieldValue('cloudflare.secrets-store-name', controller.runtimeSnapshot?.config.cloudflare.secretsStoreName ?? 'goodvibes'),
+    secretsStoreId: controller.getStringFieldValue('cloudflare.secrets-store-id', controller.runtimeSnapshot?.config.cloudflare.secretsStoreId ?? ''),
+    workerCron: controller.getStringFieldValue('cloudflare.worker-cron', controller.runtimeSnapshot?.config.cloudflare.workerCron ?? '*/5 * * * *'),
+    enableWorkersDev: true,
+    queueJobPayloads: false,
+    persistConfig: true,
+    verify: true,
+    batchMode: getCloudflareBatchMode(controller),
+  };
+}
+
+export function buildCloudflareOperationalTokenRef(): string {
+  return buildGoodVibesSecretRef('CLOUDFLARE_API_TOKEN');
+}

package/src/input/onboarding/onboarding-wizard-constants.ts

@@ -6,6 +6,7 @@ export const STEP_ORDER: readonly OnboardingWizardStepId[] = [
   'network',
   'access',
   'external-services',
+  'cloudflare',
   'provider-access',
   'default-model',
   'experience',
@@ -43,6 +44,12 @@ export const DEFAULT_CAPABILITIES: readonly OnboardingStep1CapabilityItem[] = [
     selected: false,
     detail: 'Enable setup screens for Slack, Discord, Telegram, Teams, Matrix, and other app surfaces you choose.',
   },
+  {
+    id: 'cloudflare-batch',
+    label: 'Use Cloudflare for batch or remote daemon work',
+    selected: false,
+    detail: 'Optionally configure Cloudflare Workers and Queues for explicit or eligible background batch jobs. Immediate local daemon behavior stays the default unless enabled.',
+  },
 ];
 
 export const REASONING_OPTIONS: readonly OnboardingWizardRadioOption[] = [