@pellux/goodvibes-tui 0.19.33 → 0.19.35

package/src/renderer/compositor.ts

@@ -1,6 +1,6 @@
 import { TerminalBuffer } from './buffer.ts';
 import { DiffEngine } from './diff.ts';
-import { type Line, createStyledCell } from '../types/grid.ts';
+import { type Line, createEmptyCell, createStyledCell } from '../types/grid.ts';
 import { getDisplayWidth } from '../utils/terminal-width.ts';
 import type { SearchManager } from '../input/search.ts';
 
@@ -78,7 +78,7 @@ export class Compositor {
     if (!this.backBuffer) {
       this.backBuffer = new TerminalBuffer(width, height);
     } else {
-      this.backBuffer.reset(width, height);
+      this.backBuffer.reset(width, height, this.frontBuffer);
     }
     const newBuffer = this.backBuffer;
 
@@ -154,19 +154,31 @@ export class Compositor {
         }
 
         const panelStartX = sepX + 1;
+        const clearPanelRemainder = (fromX = 0) => {
+          for (let x = Math.max(0, fromX); x < panelWidth; x++) {
+            newBuffer.setCell(panelStartX + x, screenY, createEmptyCell());
+          }
+        };
+        const drawPanelLine = (panelLine: Line | undefined) => {
+          if (panelLine === undefined) {
+            clearPanelRemainder();
+            return;
+          }
+          const limit = Math.min(panelLine.length, panelWidth);
+          for (let x = 0; x < limit; x++) {
+            const cell = panelLine[x];
+            if (cell !== undefined) {
+              newBuffer.setCell(panelStartX + x, screenY, cell);
+            }
+          }
+          clearPanelRemainder(limit);
+        };
 
         if (!hasBottomPane) {
           // --- Single pane mode ---
           // viewport row 0 → workspace bar, viewport rows 1+ → panel content
           const panelLine = i === 0 ? p.workspaceBar : p.topContent[i - 1];
-          if (panelLine !== undefined) {
-            for (let x = 0; x < panelWidth; x++) {
-              const cell = panelLine[x];
-              if (cell !== undefined) {
-                newBuffer.setCell(panelStartX + x, screenY, cell);
-              }
-            }
-          }
+          drawPanelLine(panelLine);
         } else {
           // --- Two pane mode ---
           // Row layout (by viewport row i):
@@ -203,13 +215,8 @@ export class Compositor {
             panelLine = p.bottomContent?.[i - (hSepRow + 2)];
           }
 
-          if (panelLine !== undefined) {
-            for (let x = 0; x < panelWidth; x++) {
-              const cell = panelLine[x];
-              if (cell !== undefined) {
-                newBuffer.setCell(panelStartX + x, screenY, cell);
-              }
-            }
+          if (i !== hSepRow) {
+            drawPanelLine(panelLine);
           }
         }
       }
@@ -269,6 +276,7 @@ export class Compositor {
     // Swap: back (just written) becomes the new front reference; old front becomes the next back
     const swap = this.frontBuffer;
     this.frontBuffer = this.backBuffer;
+    this.frontBuffer.clearDirty();
     this.backBuffer = swap;
   }
 }

package/src/renderer/model-picker-overlay.ts

@@ -34,6 +34,10 @@ const MODE_TITLES: Record<string, string> = {
  */
 export const MODEL_PICKER_CHROME_LINES = 7;
 
+const renderCache = new WeakMap<ModelPickerModal, { key: string; lines: Line[] }>();
+const objectIds = new WeakMap<object, number>();
+let nextObjectId = 1;
+
 function putRowText(line: Line, startX: number, maxWidth: number, text: string, fg: string, bg = '', bold = false, dim = false): void {
   putOverlayText(line, startX, maxWidth, text, { fg, bg, bold, dim });
 }
@@ -51,6 +55,10 @@ export function renderModelPickerOverlay(
   maxVisible = 20,
   viewportHeight?: number,
 ): Line[] {
+  const cacheKey = getRenderCacheKey(picker, width, maxVisible, viewportHeight);
+  const cached = renderCache.get(picker);
+  if (cached?.key === cacheKey) return cached.lines;
+
   const lines: Line[] = [];
   const metrics = getOverlaySurfaceMetrics(width, viewportHeight ?? 24, {
     chromeRows: MODEL_PICKER_CHROME_LINES,
@@ -399,5 +407,67 @@ export function renderModelPickerOverlay(
   putRowText(footerLine, layout.margin + 2, contentW, fitDisplay(truncateDisplay(hints, contentW), contentW), mutedFg, '', false, true);
   lines.push(footerLine);
 
+  renderCache.set(picker, { key: cacheKey, lines });
   return lines;
 }
+
+function getRenderCacheKey(
+  picker: ModelPickerModal,
+  width: number,
+  maxVisible: number,
+  viewportHeight: number | undefined,
+): string {
+  const base = [
+    width,
+    maxVisible,
+    viewportHeight ?? '',
+    picker.mode,
+    picker.target,
+    picker.query,
+    picker.searchFocused ? 1 : 0,
+    picker.selectedIndex,
+    picker.scrollOffset,
+    picker.categoryFilter,
+    picker.capabilityFilter,
+    picker.availableOnly ? 1 : 0,
+    picker.benchmarkSort,
+    picker.groupBy,
+    keyForSet(picker.pinnedIds),
+    keyForSet(picker.configuredProviders),
+  ];
+
+  if (picker.mode === 'model') {
+    const filtered = picker.getFilteredModels();
+    const selected = filtered[picker.selectedIndex];
+    base.push(objectId(picker.models), objectId(filtered), filtered.length, selected?.registryKey ?? selected?.id ?? '');
+  } else if (picker.mode === 'provider') {
+    const filteredProviders = picker.getFilteredProviders();
+    base.push(objectId(picker.providers), objectId(filteredProviders), filteredProviders.length, keyForMap(picker.configuredViaMap));
+  } else if (picker.mode === 'effort') {
+    base.push(objectId(picker.effortLevels), picker.effortLevels.join('\u001f'), picker.pendingModel?.registryKey ?? picker.pendingModel?.id ?? '');
+  } else if (picker.mode === 'contextCap') {
+    base.push(picker.contextCapQuery, picker.contextCapPendingModel?.registryKey ?? picker.contextCapPendingModel?.id ?? '');
+  }
+
+  return base.join('\u001e');
+}
+
+function objectId(value: object): number {
+  const existing = objectIds.get(value);
+  if (existing !== undefined) return existing;
+  const next = nextObjectId++;
+  objectIds.set(value, next);
+  return next;
+}
+
+function keyForSet(values: ReadonlySet<string>): string {
+  return values.size === 0 ? '' : [...values].sort().join('\u001f');
+}
+
+function keyForMap(values: ReadonlyMap<string, string | undefined>): string {
+  if (values.size === 0) return '';
+  return [...values.entries()]
+    .sort(([left], [right]) => left.localeCompare(right))
+    .map(([key, value]) => `${key}\u001d${value ?? ''}`)
+    .join('\u001f');
+}

package/src/renderer/settings-modal-helpers.ts

@@ -76,6 +76,7 @@ export const CATEGORY_LABELS: Record<(typeof SETTINGS_CATEGORIES)[number], strin
   mcp: 'MCP',
   sandbox: 'Sandbox',
   surfaces: 'Surfaces',
+  cloudflare: 'Cloudflare',
   danger: 'Danger',
   tools: 'Tools',
   flags: 'Flags',
@@ -138,6 +139,14 @@ export const SETTING_LABELS: Partial<Record<string, string>> = {
   'surfaces.ntfy.remoteTopic': 'ntfy Daemon-Only Remote Topic',
   'surfaces.ntfy.token': 'ntfy Token',
   'surfaces.ntfy.defaultPriority': 'ntfy Default Priority',
+  'surfaces.homeassistant.enabled': 'Home Assistant Enabled',
+  'surfaces.homeassistant.instanceUrl': 'Home Assistant URL',
+  'surfaces.homeassistant.accessToken': 'Home Assistant Access Token',
+  'surfaces.homeassistant.webhookSecret': 'Home Assistant Webhook Secret',
+  'surfaces.homeassistant.defaultConversationId': 'Home Assistant Conversation ID',
+  'surfaces.homeassistant.deviceId': 'Home Assistant Device ID',
+  'surfaces.homeassistant.deviceName': 'Home Assistant Device Name',
+  'surfaces.homeassistant.eventType': 'Home Assistant Event Type',
 };
 
 export function getSettingLabel(entry: SettingEntry): string {

package/src/runtime/cloudflare-control-plane.ts

@@ -0,0 +1,349 @@
+import { join } from 'node:path';
+import { getOrCreateCompanionToken } from '@pellux/goodvibes-sdk/platform/pairing/companion-token';
+import type { ConfigManager } from '../config/index.ts';
+
+export const CLOUDFLARE_COMPONENT_IDS = [
+  'workers',
+  'queues',
+  'zeroTrustTunnel',
+  'zeroTrustAccess',
+  'dns',
+  'kv',
+  'durableObjects',
+  'secretsStore',
+  'r2',
+] as const;
+
+export type CloudflareComponent = typeof CLOUDFLARE_COMPONENT_IDS[number];
+export type CloudflareComponentSelection = Partial<Record<CloudflareComponent, boolean>>;
+export type CloudflareBatchMode = 'off' | 'explicit' | 'eligible-by-default';
+
+export const DEFAULT_CLOUDFLARE_COMPONENT_SELECTION: Readonly<Record<CloudflareComponent, boolean>> = {
+  workers: true,
+  queues: true,
+  zeroTrustTunnel: false,
+  zeroTrustAccess: false,
+  dns: false,
+  kv: false,
+  durableObjects: false,
+  secretsStore: false,
+  r2: false,
+};
+
+export const CLOUDFLARE_COMPONENT_LABELS: Readonly<Record<CloudflareComponent, string>> = {
+  workers: 'Workers',
+  queues: 'Queues',
+  zeroTrustTunnel: 'Zero Trust Tunnel',
+  zeroTrustAccess: 'Zero Trust Access',
+  dns: 'DNS hostname',
+  kv: 'KV',
+  durableObjects: 'Durable Objects',
+  secretsStore: 'Secrets Store',
+  r2: 'R2 artifacts',
+};
+
+export interface CloudflareProvisionStep {
+  readonly name: string;
+  readonly status: 'ok' | 'skipped' | 'warning';
+  readonly message?: string;
+  readonly resourceId?: string;
+}
+
+export interface CloudflareControlPlaneStatus {
+  readonly enabled: boolean;
+  readonly ready: boolean;
+  readonly configured: Record<string, boolean>;
+  readonly config: Record<string, unknown>;
+  readonly warnings: readonly string[];
+}
+
+export interface CloudflareTokenRequirement {
+  readonly component: CloudflareComponent | 'bootstrap';
+  readonly scope: 'account' | 'zone' | 'user' | 'r2';
+  readonly permission: string;
+  readonly alternatives?: readonly string[];
+  readonly reason: string;
+}
+
+export interface CloudflareTokenRequirementsResult {
+  readonly ok: true;
+  readonly components: Readonly<Record<CloudflareComponent, boolean>>;
+  readonly permissions: readonly CloudflareTokenRequirement[];
+  readonly bootstrapToken: {
+    readonly requiredForSdkCreation: boolean;
+    readonly storeInGoodVibes: false;
+    readonly instructions: readonly string[];
+  };
+}
+
+export interface CloudflareValidateResult {
+  readonly ok: boolean;
+  readonly account?: {
+    readonly id: string;
+    readonly name: string;
+    readonly type?: string;
+  };
+  readonly tokenSource: string;
+}
+
+export interface CloudflareOperationalTokenResult {
+  readonly ok: true;
+  readonly tokenId?: string;
+  readonly tokenName: string;
+  readonly tokenSource: 'bootstrap';
+  readonly apiTokenRef?: string;
+  readonly generatedToken?: string;
+  readonly accountId: string;
+  readonly zoneId?: string;
+  readonly permissions: readonly CloudflareTokenRequirement[];
+}
+
+export interface CloudflareDiscoverResult {
+  readonly ok: true;
+  readonly tokenSource: string;
+  readonly accounts: ReadonlyArray<{ readonly id: string; readonly name: string; readonly type?: string }>;
+  readonly selectedAccount?: { readonly id: string; readonly name: string; readonly type?: string };
+  readonly zones: ReadonlyArray<{ readonly id: string; readonly name: string; readonly status?: string; readonly type?: string }>;
+  readonly selectedZone?: { readonly id: string; readonly name: string; readonly status?: string; readonly type?: string };
+  readonly workerSubdomain?: string;
+  readonly queues?: ReadonlyArray<{ readonly queue_id?: string; readonly queue_name?: string }>;
+  readonly kvNamespaces?: ReadonlyArray<{ readonly id?: string; readonly title?: string }>;
+  readonly durableObjectNamespaces?: ReadonlyArray<{ readonly id?: string; readonly name?: string; readonly class?: string }>;
+  readonly r2Buckets?: ReadonlyArray<{ readonly name?: string; readonly storage_class?: string }>;
+  readonly secretsStores?: ReadonlyArray<{ readonly id: string; readonly name: string }>;
+  readonly tunnels?: ReadonlyArray<{ readonly id?: string; readonly name?: string; readonly status?: string }>;
+  readonly accessApplications?: ReadonlyArray<{ readonly id?: string; readonly name?: string; readonly domain?: string; readonly type?: string }>;
+  readonly warnings: readonly string[];
+}
+
+export interface CloudflareProvisionResult {
+  readonly ok: boolean;
+  readonly dryRun: false;
+  readonly steps: readonly CloudflareProvisionStep[];
+  readonly account?: { readonly id: string; readonly name: string };
+  readonly worker?: { readonly name: string; readonly baseUrl?: string; readonly subdomain?: string; readonly hostname?: string; readonly cron?: string };
+  readonly queues?: { readonly queueName: string; readonly queueId: string; readonly deadLetterQueueName: string; readonly deadLetterQueueId: string; readonly consumerId?: string };
+  readonly tunnel?: { readonly id: string; readonly name: string; readonly hostname?: string; readonly tokenRef?: string };
+  readonly access?: { readonly appId?: string; readonly serviceTokenId?: string; readonly serviceTokenRef?: string };
+  readonly dns?: {
+    readonly zoneId: string;
+    readonly zoneName?: string;
+    readonly records: ReadonlyArray<{ readonly id?: string; readonly name?: string; readonly type?: string; readonly content?: string }>;
+  };
+  readonly kv?: { readonly namespaceName: string; readonly namespaceId: string };
+  readonly durableObjects?: { readonly namespaceName: string; readonly namespaceId?: string };
+  readonly r2?: { readonly bucketName: string; readonly storageClass: 'Standard' };
+  readonly secretsStore?: { readonly storeName: string; readonly storeId: string };
+  readonly verification?: CloudflareVerifyResult;
+  readonly generatedSecrets?: {
+    readonly workerClientToken?: string;
+    readonly tunnelToken?: string;
+    readonly accessServiceTokenClientId?: string;
+    readonly accessServiceTokenClientSecret?: string;
+  };
+}
+
+export interface CloudflareVerifyResult {
+  readonly ok: boolean;
+  readonly workerHealth: {
+    readonly ok: boolean;
+    readonly status: number;
+    readonly error?: string;
+  };
+  readonly daemonBatchProxy?: {
+    readonly ok: boolean;
+    readonly status: number;
+    readonly error?: string;
+  };
+}
+
+export interface CloudflareDisableResult {
+  readonly ok: boolean;
+  readonly steps: readonly CloudflareProvisionStep[];
+}
+
+export interface CloudflareTokenRequirementsRequest {
+  readonly components?: CloudflareComponentSelection;
+  readonly includeBootstrap?: boolean;
+}
+
+export interface CloudflareOperationalTokenRequest extends CloudflareTokenRequirementsRequest {
+  readonly accountId?: string;
+  readonly zoneId?: string;
+  readonly zoneName?: string;
+  readonly bootstrapToken?: string;
+  readonly tokenName?: string;
+  readonly expiresOn?: string;
+  readonly persistConfig?: boolean;
+  readonly storeApiToken?: boolean;
+  readonly returnGeneratedToken?: boolean;
+}
+
+export interface CloudflareValidateRequest {
+  readonly accountId?: string;
+  readonly apiToken?: string;
+  readonly apiTokenRef?: string;
+}
+
+export interface CloudflareDiscoverRequest extends CloudflareValidateRequest {
+  readonly components?: CloudflareComponentSelection;
+  readonly zoneId?: string;
+  readonly zoneName?: string;
+  readonly includeResources?: boolean;
+}
+
+export interface CloudflareProvisionRequest extends CloudflareDiscoverRequest {
+  readonly workerName?: string;
+  readonly workerSubdomain?: string;
+  readonly workerHostname?: string;
+  readonly workerBaseUrl?: string;
+  readonly daemonBaseUrl?: string;
+  readonly daemonHostname?: string;
+  readonly queueName?: string;
+  readonly deadLetterQueueName?: string;
+  readonly tunnelName?: string;
+  readonly tunnelId?: string;
+  readonly tunnelServiceUrl?: string;
+  readonly tunnelTokenRef?: string;
+  readonly accessAppId?: string;
+  readonly accessServiceTokenId?: string;
+  readonly accessServiceTokenRef?: string;
+  readonly kvNamespaceName?: string;
+  readonly kvNamespaceId?: string;
+  readonly durableObjectNamespaceName?: string;
+  readonly durableObjectNamespaceId?: string;
+  readonly r2BucketName?: string;
+  readonly secretsStoreName?: string;
+  readonly secretsStoreId?: string;
+  readonly workerCron?: string;
+  readonly operatorToken?: string;
+  readonly operatorTokenRef?: string;
+  readonly workerClientToken?: string;
+  readonly workerClientTokenRef?: string;
+  readonly storeApiToken?: boolean;
+  readonly storeOperatorToken?: boolean;
+  readonly storeWorkerClientToken?: boolean;
+  readonly returnGeneratedSecrets?: boolean;
+  readonly enableWorkersDev?: boolean;
+  readonly queueJobPayloads?: boolean;
+  readonly verify?: boolean;
+  readonly persistConfig?: boolean;
+  readonly batchMode?: CloudflareBatchMode;
+}
+
+export interface CloudflareVerifyRequest {
+  readonly workerBaseUrl?: string;
+  readonly workerClientToken?: string;
+  readonly workerClientTokenRef?: string;
+}
+
+export interface CloudflareDisableRequest extends CloudflareValidateRequest {
+  readonly workerName?: string;
+  readonly disableWorkerSubdomain?: boolean;
+  readonly disableCron?: boolean;
+  readonly persistConfig?: boolean;
+}
+
+export class CloudflareDaemonRouteError extends Error {
+  readonly status: number;
+  readonly code: string;
+
+  constructor(message: string, status: number, code: string) {
+    super(message);
+    this.name = 'CloudflareDaemonRouteError';
+    this.status = status;
+    this.code = code;
+  }
+}
+
+export interface CloudflareDaemonClient {
+  status(): Promise<CloudflareControlPlaneStatus>;
+  tokenRequirements(input?: CloudflareTokenRequirementsRequest): Promise<CloudflareTokenRequirementsResult>;
+  createOperationalToken(input: CloudflareOperationalTokenRequest): Promise<CloudflareOperationalTokenResult>;
+  discover(input?: CloudflareDiscoverRequest): Promise<CloudflareDiscoverResult>;
+  validate(input?: CloudflareValidateRequest): Promise<CloudflareValidateResult>;
+  provision(input: CloudflareProvisionRequest): Promise<CloudflareProvisionResult>;
+  verify(input?: CloudflareVerifyRequest): Promise<CloudflareVerifyResult>;
+  disable(input?: CloudflareDisableRequest): Promise<CloudflareDisableResult>;
+}
+
+export interface CloudflareDaemonClientOptions {
+  readonly configManager: Pick<ConfigManager, 'get'>;
+  readonly homeDirectory: string;
+}
+
+function connectHostForBindHost(host: string): string {
+  if (host === '0.0.0.0' || host === '::' || host.trim().length === 0) return '127.0.0.1';
+  return host;
+}
+
+function hostForUrl(host: string): string {
+  return host.includes(':') && !host.startsWith('[') ? `[${host}]` : host;
+}
+
+export function resolveCloudflareDaemonBaseUrl(configManager: Pick<ConfigManager, 'get'>): string {
+  const configuredBaseUrl = String(configManager.get('controlPlane.baseUrl' as never) ?? '').trim();
+  if (configuredBaseUrl) return configuredBaseUrl.replace(/\/+$/, '');
+  const host = hostForUrl(connectHostForBindHost(String(configManager.get('controlPlane.host' as never) ?? '127.0.0.1')));
+  const portValue = Number(configManager.get('controlPlane.port' as never) ?? 3421);
+  const port = Number.isFinite(portValue) && portValue > 0 ? portValue : 3421;
+  return `http://${host}:${port}`;
+}
+
+export function buildDefaultCloudflareDaemonBaseUrl(configManager: Pick<ConfigManager, 'get'>): string {
+  return resolveCloudflareDaemonBaseUrl(configManager);
+}
+
+function readDaemonToken(homeDirectory: string): string {
+  const daemonHomeDir = join(homeDirectory, '.goodvibes', 'daemon');
+  return getOrCreateCompanionToken('tui', { daemonHomeDir }).token;
+}
+
+async function readJsonResponse<T>(response: Response): Promise<T> {
+  const text = await response.text();
+  const body = text.trim().length > 0 ? JSON.parse(text) as unknown : {};
+  if (!response.ok) {
+    const record = body && typeof body === 'object' ? body as Record<string, unknown> : {};
+    const message = typeof record.error === 'string' ? record.error : `Cloudflare daemon route failed with HTTP ${response.status}`;
+    const code = typeof record.code === 'string' ? record.code : 'CLOUDFLARE_DAEMON_ROUTE_ERROR';
+    throw new CloudflareDaemonRouteError(message, response.status, code);
+  }
+  return body as T;
+}
+
+export function createCloudflareDaemonClient(options: CloudflareDaemonClientOptions): CloudflareDaemonClient {
+  const baseUrl = resolveCloudflareDaemonBaseUrl(options.configManager);
+  const token = readDaemonToken(options.homeDirectory);
+
+  const requestJson = async <T>(path: string, init: RequestInit = {}): Promise<T> => {
+    const headers = new Headers(init.headers);
+    headers.set('Authorization', `Bearer ${token}`);
+    if (init.body !== undefined) headers.set('Content-Type', 'application/json');
+    const response = await fetch(`${baseUrl}${path}`, { ...init, headers });
+    return await readJsonResponse<T>(response);
+  };
+
+  const postJson = <T>(path: string, body: unknown): Promise<T> => requestJson<T>(path, {
+    method: 'POST',
+    body: JSON.stringify(body ?? {}),
+  });
+
+  return {
+    status: () => requestJson<CloudflareControlPlaneStatus>('/api/cloudflare/status'),
+    tokenRequirements: (input = {}) => postJson<CloudflareTokenRequirementsResult>('/api/cloudflare/token/requirements', input),
+    createOperationalToken: (input) => postJson<CloudflareOperationalTokenResult>('/api/cloudflare/token/create', input),
+    discover: (input = {}) => postJson<CloudflareDiscoverResult>('/api/cloudflare/discover', input),
+    validate: (input = {}) => postJson<CloudflareValidateResult>('/api/cloudflare/validate', input),
+    provision: (input) => postJson<CloudflareProvisionResult>('/api/cloudflare/provision', input),
+    verify: (input = {}) => postJson<CloudflareVerifyResult>('/api/cloudflare/verify', input),
+    disable: (input = {}) => postJson<CloudflareDisableResult>('/api/cloudflare/disable', input),
+  };
+}
+
+export function normalizeCloudflareComponents(selection: CloudflareComponentSelection | undefined): Record<CloudflareComponent, boolean> {
+  const result: Record<CloudflareComponent, boolean> = { ...DEFAULT_CLOUDFLARE_COMPONENT_SELECTION };
+  for (const component of CLOUDFLARE_COMPONENT_IDS) {
+    if (typeof selection?.[component] === 'boolean') result[component] = selection[component] === true;
+  }
+  return result;
+}

package/src/runtime/onboarding/apply.ts

@@ -353,25 +353,26 @@ function buildAuthRollbackAction(
 ): RollbackAction {
   validateAuthOperation(deps, operation);
   const auth = deps.auth!;
+  const mutable = auth as unknown as MutableAuthManager;
   const username = operation.username.trim();
   const before = auth.inspect();
   const existingUser = before.users.find((user) => user.username === username);
-  const existingSessionTokens = new Set(before.sessions
+  const existingSessionFingerprints = new Set(before.sessions
     .filter((session) => session.username === username)
-    .map((session) => session.token));
+    .map((session) => session.tokenFingerprint));
   const userStoreSnapshot = existsSync(before.userStorePath) ? readFileSync(before.userStorePath, 'utf-8') : null;
   const bootstrapCredentialSnapshot = existsSync(before.bootstrapCredentialPath)
     ? readFileSync(before.bootstrapCredentialPath, 'utf-8')
     : null;
   const bootstrapCredential = parseBootstrapCredential(bootstrapCredentialSnapshot);
-  const beforeSessions = before.sessions.map((session) => ({ ...session }));
+  const beforeSessions = mutable.sessions instanceof Map
+    ? [...mutable.sessions.entries()].map(([token, session]) => [token, { ...session }] as const)
+    : [];
 
   return () => {
-    const mutable = auth as unknown as MutableAuthManager;
-
     for (const session of auth.inspect().sessions) {
-      if (session.username === username && !existingSessionTokens.has(session.token)) {
-        auth.revokeSession(session.token);
+      if (session.username === username && !existingSessionFingerprints.has(session.tokenFingerprint)) {
+        auth.revokeSession(session.tokenFingerprint);
       }
     }
 
@@ -402,7 +403,7 @@ function buildAuthRollbackAction(
 
     if (mutable.sessions instanceof Map) {
       mutable.sessions.clear();
-      for (const session of beforeSessions) mutable.sessions.set(session.token, session);
+      for (const [token, session] of beforeSessions) mutable.sessions.set(token, session);
     }
   };
 }

package/src/runtime/onboarding/derivation.ts

@@ -238,6 +238,15 @@ function hasExternalIntegrations(snapshot: OnboardingSnapshotState): boolean {
     || countConfiguredSurfaceKinds(snapshot) > 0;
 }
 
+function hasCloudflareBatch(snapshot: OnboardingSnapshotState): boolean {
+  return snapshot.config.cloudflare.enabled
+    || snapshot.config.batch.queueBackend === 'cloudflare'
+    || snapshot.config.batch.mode !== 'off'
+    || snapshot.config.cloudflare.accountId.trim().length > 0
+    || snapshot.config.cloudflare.apiTokenRef.trim().length > 0
+    || snapshot.config.cloudflare.workerBaseUrl.trim().length > 0;
+}
+
 function describeLocalTuiOnly(snapshot: OnboardingSnapshotState): string {
   if (!hasAnyServerEnabled(snapshot)) {
     return 'Use GoodVibes only in this terminal. No browser access, background service, HTTP listener, external app surface, or network setup.';
@@ -272,12 +281,20 @@ function describeExternalIntegrations(snapshot: OnboardingSnapshotState): string
   ]).size;
 
   if (integrationCount === 0) {
-    return 'Enable setup screens for Slack, Discord, Telegram, Teams, Matrix, and other app surfaces you choose.';
+    return 'Enable setup screens for Slack, Discord, Telegram, Home Assistant, Teams, Matrix, and other app surfaces you choose.';
   }
 
   return `Review and configure ${integrationCount} detected external app, service, or surface integration signal(s).`;
 }
 
+function describeCloudflareBatch(snapshot: OnboardingSnapshotState): string {
+  if (hasCloudflareBatch(snapshot)) {
+    return 'Review Cloudflare Workers/Queues batch processing, token storage, and optional remote daemon provisioning settings.';
+  }
+
+  return 'Optionally configure Cloudflare Workers and Queues for explicit or eligible background batch jobs. Immediate local daemon behavior stays the default unless enabled.';
+}
+
 function getAcknowledgementAccepted(
   snapshot: OnboardingSnapshotState,
   target: OnboardingAcknowledgementTarget,
@@ -346,6 +363,12 @@ export function deriveStep1Capabilities(
       selected: hasExternalIntegrations(snapshot),
       detail: describeExternalIntegrations(snapshot),
     },
+    {
+      id: 'cloudflare-batch',
+      label: 'Use Cloudflare for batch or remote daemon work',
+      selected: hasCloudflareBatch(snapshot),
+      detail: describeCloudflareBatch(snapshot),
+    },
   ];
 }
 
@@ -360,6 +383,7 @@ export function deriveStep1CapabilityFlags(
   readonly httpListener: boolean;
   readonly web: boolean;
   readonly surfaces: boolean;
+  readonly cloudflare: boolean;
 } {
   return {
     providers: hasConfiguredProviderState(snapshot) || hasCustomizedProviderRouting(snapshot),
@@ -372,6 +396,7 @@ export function deriveStep1CapabilityFlags(
     httpListener: snapshot.bindSettings.httpListenerEnabled,
     web: snapshot.bindSettings.web.enabled,
     surfaces: countConfiguredSurfaceKinds(snapshot) > 0,
+    cloudflare: hasCloudflareBatch(snapshot),
   };
 }
 

package/src/runtime/onboarding/snapshot.ts

@@ -41,6 +41,8 @@ function buildConfigSnapshot(
     surfaces: config.getCategory('surfaces'),
     service: config.getCategory('service'),
     featureFlags: config.getCategory('featureFlags'),
+    batch: config.getCategory('batch'),
+    cloudflare: config.getCategory('cloudflare'),
   };
 }
 

package/src/runtime/onboarding/types.ts

@@ -47,6 +47,8 @@ export interface OnboardingConfigSnapshot {
   readonly surfaces: GoodVibesConfig['surfaces'];
   readonly service: GoodVibesConfig['service'];
   readonly featureFlags: GoodVibesConfig['featureFlags'];
+  readonly batch: GoodVibesConfig['batch'];
+  readonly cloudflare: GoodVibesConfig['cloudflare'];
 }
 
 export interface OnboardingProviderRoutingSnapshot {
@@ -196,7 +198,8 @@ export type OnboardingStep1CapabilityId =
   | 'browser-access'
   | 'network-access'
   | 'webhook-events'
-  | 'external-integrations';
+  | 'external-integrations'
+  | 'cloudflare-batch';
 
 export interface OnboardingStep1CapabilityItem {
   readonly id: OnboardingStep1CapabilityId;
@@ -214,6 +217,7 @@ export interface OnboardingStep1CapabilityFlags {
   readonly httpListener: boolean;
   readonly web: boolean;
   readonly surfaces: boolean;
+  readonly cloudflare: boolean;
 }
 
 export interface OnboardingAcknowledgementState {