@pellux/goodvibes-tui 0.19.34 → 0.19.35

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pellux/goodvibes-tui",
-  "version": "0.19.34",
+  "version": "0.19.35",
   "description": "Terminal-native GoodVibes product for coding, operations, automation, knowledge, channels, and daemon-backed control-plane workflows.",
   "type": "module",
   "main": "src/main.ts",
@@ -91,7 +91,7 @@
     "@anthropic-ai/vertex-sdk": "^0.16.0",
     "@ast-grep/napi": "^0.42.0",
     "@aws/bedrock-token-generator": "^1.1.0",
-    "@pellux/goodvibes-sdk": "0.25.10",
+    "@pellux/goodvibes-sdk": "0.25.11",
     "bash-language-server": "^5.6.0",
     "fuse.js": "^7.1.0",
     "graphql": "^16.13.2",

package/src/cli/management.ts

@@ -601,7 +601,7 @@ async function renderAuth(runtime: CliCommandRuntime): Promise<string> {
     }
     if (sub === 'revoke-session') {
       const token = rest[0];
-      if (!token) return 'Usage: goodvibes auth revoke-session <token>';
+      if (!token) return 'Usage: goodvibes auth revoke-session <token-or-fingerprint>';
       return services.localUserAuthManager.revokeSession(token)
         ? 'Auth session revoked.'
         : 'No auth session found.';
@@ -637,7 +637,7 @@ async function renderAuth(runtime: CliCommandRuntime): Promise<string> {
     if (sub === 'sessions') {
       return formatJsonOrText(runtime.cli)(snapshot.sessions, [
         `GoodVibes auth sessions (${snapshot.sessions.length})`,
-        ...snapshot.sessions.map((session) => `  ${session.username} expires=${new Date(session.expiresAt).toISOString()} token=${session.token.slice(0, 8)}...`),
+        ...snapshot.sessions.map((session) => `  ${session.username} expires=${new Date(session.expiresAt).toISOString()} fingerprint=${session.tokenFingerprint}`),
       ].join('\n'));
     }
     return formatJsonOrText(runtime.cli)(value, [

package/src/input/commands/cloudflare-runtime.ts

@@ -53,6 +53,8 @@ export function registerCloudflareRuntimeCommands(registry: CommandRegistry): vo
             `  worker URL: ${status.config.workerBaseUrl || '(not set)'}`,
             `  queue: ${status.config.queueName || '(not set)'}`,
             `  DLQ: ${status.config.deadLetterQueueName || '(not set)'}`,
+            `  tunnel: ${status.config.tunnelName || '(not set)'} ${status.config.tunnelId ? `(${status.config.tunnelId})` : ''}`.trimEnd(),
+            `  access app: ${status.config.accessAppId || '(not set)'}`,
             `  batch mode: ${String(ctx.platform.configManager.get('batch.mode') ?? 'off')}`,
             `  queue backend: ${String(ctx.platform.configManager.get('batch.queueBackend') ?? 'local')}`,
             ...status.warnings.map((warning) => `  warning: ${warning}`),
@@ -153,6 +155,25 @@ export function registerCloudflareRuntimeCommands(registry: CommandRegistry): vo
             ...optionalString('workerBaseUrl', getFlag(parsed, 'worker-url')),
             ...optionalString('queueName', getFlag(parsed, 'queue') || getFlag(parsed, 'queue-name')),
             ...optionalString('deadLetterQueueName', getFlag(parsed, 'dlq') || getFlag(parsed, 'dead-letter-queue')),
+            ...optionalString('tunnelName', getFlag(parsed, 'tunnel-name')),
+            ...optionalString('tunnelId', getFlag(parsed, 'tunnel-id')),
+            ...optionalString('tunnelServiceUrl', getFlag(parsed, 'tunnel-service-url')),
+            ...optionalString('tunnelTokenRef', getFlag(parsed, 'tunnel-token-ref')),
+            ...optionalString('accessAppId', getFlag(parsed, 'access-app-id')),
+            ...optionalString('accessServiceTokenId', getFlag(parsed, 'access-service-token-id')),
+            ...optionalString('accessServiceTokenRef', getFlag(parsed, 'access-service-token-ref')),
+            ...optionalString('kvNamespaceName', getFlag(parsed, 'kv-namespace-name')),
+            ...optionalString('kvNamespaceId', getFlag(parsed, 'kv-namespace-id')),
+            ...optionalString('durableObjectNamespaceName', getFlag(parsed, 'do-namespace-name') || getFlag(parsed, 'durable-object-namespace-name')),
+            ...optionalString('durableObjectNamespaceId', getFlag(parsed, 'do-namespace-id') || getFlag(parsed, 'durable-object-namespace-id')),
+            ...optionalString('r2BucketName', getFlag(parsed, 'r2-bucket-name')),
+            ...optionalString('secretsStoreName', getFlag(parsed, 'secrets-store-name')),
+            ...optionalString('secretsStoreId', getFlag(parsed, 'secrets-store-id')),
+            ...optionalString('workerCron', getFlag(parsed, 'worker-cron')),
+            ...optionalString('operatorToken', getFlag(parsed, 'operator-token')),
+            ...optionalString('operatorTokenRef', getFlag(parsed, 'operator-token-ref')),
+            ...optionalString('workerClientToken', getFlag(parsed, 'worker-client-token')),
+            ...optionalString('workerClientTokenRef', getFlag(parsed, 'worker-client-token-ref')),
             ...optionalBatchMode(readBatchMode(parsed)),
             persistConfig: true,
             verify: !hasFlag(parsed, 'no-verify'),
@@ -164,6 +185,12 @@ export function registerCloudflareRuntimeCommands(registry: CommandRegistry): vo
             `  ok: ${result.ok ? 'yes' : 'no'}`,
             ...(result.worker ? [`  worker: ${result.worker.name}${result.worker.baseUrl ? ` at ${result.worker.baseUrl}` : ''}`] : []),
             ...(result.queues ? [`  queues: ${result.queues.queueName}; DLQ ${result.queues.deadLetterQueueName}`] : []),
+            ...(result.tunnel ? [`  tunnel: ${result.tunnel.name} (${result.tunnel.id})${result.tunnel.hostname ? ` ${result.tunnel.hostname}` : ''}`] : []),
+            ...(result.access ? [`  access: app=${result.access.appId || '(none)'} serviceToken=${result.access.serviceTokenId || '(none)'}`] : []),
+            ...(result.dns ? [`  dns: ${result.dns.zoneName || result.dns.zoneId} records=${result.dns.records.length}`] : []),
+            ...(result.kv ? [`  kv: ${result.kv.namespaceName} (${result.kv.namespaceId})`] : []),
+            ...(result.r2 ? [`  r2: ${result.r2.bucketName}`] : []),
+            ...(result.secretsStore ? [`  secrets store: ${result.secretsStore.storeName} (${result.secretsStore.storeId})`] : []),
             ...formatProvisionSteps(result.steps),
           ].join('\n'));
           return;

package/src/input/commands/local-auth-runtime.ts

@@ -65,10 +65,10 @@ export function handleLocalAuthCommand(args: string[], ctx: CommandContext): voi
   if (sub === 'revoke-session') {
     const token = args[1];
     if (!token) {
-      ctx.print('Usage: /auth local revoke-session <token>');
+      ctx.print('Usage: /auth local revoke-session <token-or-fingerprint>');
       return;
     }
-    ctx.print(auth.revokeSession(token) ? `Revoked session ${token.slice(0, 12)}…` : `Unknown session token: ${token}`);
+    ctx.print(auth.revokeSession(token) ? `Revoked session ${token.slice(0, 12)}…` : `Unknown session token or fingerprint: ${token}`);
     return;
   }
 
@@ -88,7 +88,7 @@ export function handleLocalAuthCommand(args: string[], ctx: CommandContext): voi
     `  users: ${snapshot.userCount}`,
     `  sessions: ${snapshot.sessionCount}`,
     ...snapshot.users.map((user) => `  user: ${user.username}  roles=${formatRoles(user.roles)}`),
-    ...snapshot.sessions.map((session) => `  session: ${session.username}  expires=${new Date(session.expiresAt).toISOString()}  token=${session.token.slice(0, 12)}…`),
+    ...snapshot.sessions.map((session) => `  session: ${session.username}  expires=${new Date(session.expiresAt).toISOString()}  fingerprint=${session.tokenFingerprint}`),
   ].join('\n'));
 }
 
@@ -97,7 +97,7 @@ export function registerLocalAuthRuntimeCommands(registry: CommandRegistry): voi
     name: 'local-auth',
     aliases: ['auth-local'],
     description: 'Inspect and manage local daemon/listener auth users, sessions, and bootstrap credentials',
-    usage: '[review|panel|add-user <username> <password> [roles]|delete-user <username>|rotate-password <username> <password>|revoke-session <token>|clear-bootstrap-file]',
+    usage: '[review|panel|add-user <username> <password> [roles]|delete-user <username>|rotate-password <username> <password>|revoke-session <token-or-fingerprint>|clear-bootstrap-file]',
     handler(args, ctx) {
       handleLocalAuthCommand(args, ctx);
     },

package/src/input/onboarding/onboarding-wizard-apply.ts

@@ -234,6 +234,10 @@ function addCloudflareOperations(
     setConfig('cloudflare.deadLetterQueueName', controller.getStringFieldValue('cloudflare.dead-letter-queue-name', config?.deadLetterQueueName ?? 'goodvibes-batch-dlq'));
     setConfig('cloudflare.tunnelName', controller.getStringFieldValue('cloudflare.tunnel-name', config?.tunnelName ?? 'goodvibes-daemon'));
     setConfig('cloudflare.tunnelId', controller.getStringFieldValue('cloudflare.tunnel-id', config?.tunnelId ?? ''));
+    setConfig('cloudflare.tunnelTokenRef', controller.getStringFieldValue('cloudflare.tunnel-token-ref', config?.tunnelTokenRef ?? ''));
+    setConfig('cloudflare.accessAppId', controller.getStringFieldValue('cloudflare.access-app-id', config?.accessAppId ?? ''));
+    setConfig('cloudflare.accessServiceTokenId', controller.getStringFieldValue('cloudflare.access-service-token-id', config?.accessServiceTokenId ?? ''));
+    setConfig('cloudflare.accessServiceTokenRef', controller.getStringFieldValue('cloudflare.access-service-token-ref', config?.accessServiceTokenRef ?? ''));
     setConfig('cloudflare.kvNamespaceName', controller.getStringFieldValue('cloudflare.kv-namespace-name', config?.kvNamespaceName ?? 'goodvibes-runtime'));
     setConfig('cloudflare.kvNamespaceId', controller.getStringFieldValue('cloudflare.kv-namespace-id', config?.kvNamespaceId ?? ''));
     setConfig('cloudflare.durableObjectNamespaceName', controller.getStringFieldValue('cloudflare.do-namespace-name', config?.durableObjectNamespaceName ?? 'GoodVibesCoordinator'));

package/src/input/onboarding/onboarding-wizard-cloudflare-step.ts

@@ -238,6 +238,51 @@ export function buildCloudflareStep(controller: OnboardingWizardController): Onb
           placeholder: 'optional tunnel id',
           defaultValue: config?.tunnelId ?? '',
         },
+        {
+          kind: 'text',
+          id: 'cloudflare.tunnel-service-url',
+          label: 'Tunnel service URL',
+          hint: 'Optional origin service URL for Tunnel ingress. Leave blank to use the daemon base URL.',
+          placeholder: 'http://127.0.0.1:3421',
+          defaultValue: '',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.tunnel-token-ref',
+          label: 'Tunnel token secret ref',
+          hint: 'Optional existing goodvibes:// secret ref for a Cloudflare Tunnel token.',
+          placeholder: 'goodvibes://secrets/goodvibes/CLOUDFLARE_TUNNEL_TOKEN',
+          defaultValue: config?.tunnelTokenRef ?? '',
+        },
+      );
+    }
+
+    if (components.zeroTrustAccess) {
+      fields.push(
+        {
+          kind: 'text',
+          id: 'cloudflare.access-app-id',
+          label: 'Access app id',
+          hint: 'Optional existing Cloudflare Access application id. Leave blank to let provisioning create or discover one.',
+          placeholder: 'optional Access app id',
+          defaultValue: config?.accessAppId ?? '',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.access-service-token-id',
+          label: 'Access service token id',
+          hint: 'Optional existing Access service token id.',
+          placeholder: 'optional service token id',
+          defaultValue: config?.accessServiceTokenId ?? '',
+        },
+        {
+          kind: 'text',
+          id: 'cloudflare.access-service-token-ref',
+          label: 'Access service token secret ref',
+          hint: 'Optional existing goodvibes:// secret ref for Access service token material.',
+          placeholder: 'goodvibes://secrets/goodvibes/CLOUDFLARE_ACCESS_SERVICE_TOKEN',
+          defaultValue: config?.accessServiceTokenRef ?? '',
+        },
       );
     }
 

package/src/input/onboarding/onboarding-wizard-cloudflare.ts

@@ -178,6 +178,11 @@ export function buildCloudflareProvisionRequest(controller: OnboardingWizardCont
     deadLetterQueueName: controller.getStringFieldValue('cloudflare.dead-letter-queue-name', controller.runtimeSnapshot?.config.cloudflare.deadLetterQueueName ?? 'goodvibes-batch-dlq'),
     tunnelName: controller.getStringFieldValue('cloudflare.tunnel-name', controller.runtimeSnapshot?.config.cloudflare.tunnelName ?? 'goodvibes-daemon'),
     tunnelId: controller.getStringFieldValue('cloudflare.tunnel-id', controller.runtimeSnapshot?.config.cloudflare.tunnelId ?? ''),
+    tunnelServiceUrl: controller.getStringFieldValue('cloudflare.tunnel-service-url', ''),
+    tunnelTokenRef: controller.getStringFieldValue('cloudflare.tunnel-token-ref', controller.runtimeSnapshot?.config.cloudflare.tunnelTokenRef ?? ''),
+    accessAppId: controller.getStringFieldValue('cloudflare.access-app-id', controller.runtimeSnapshot?.config.cloudflare.accessAppId ?? ''),
+    accessServiceTokenId: controller.getStringFieldValue('cloudflare.access-service-token-id', controller.runtimeSnapshot?.config.cloudflare.accessServiceTokenId ?? ''),
+    accessServiceTokenRef: controller.getStringFieldValue('cloudflare.access-service-token-ref', controller.runtimeSnapshot?.config.cloudflare.accessServiceTokenRef ?? ''),
     kvNamespaceName: controller.getStringFieldValue('cloudflare.kv-namespace-name', controller.runtimeSnapshot?.config.cloudflare.kvNamespaceName ?? 'goodvibes-runtime'),
     kvNamespaceId: controller.getStringFieldValue('cloudflare.kv-namespace-id', controller.runtimeSnapshot?.config.cloudflare.kvNamespaceId ?? ''),
     durableObjectNamespaceName: controller.getStringFieldValue('cloudflare.do-namespace-name', controller.runtimeSnapshot?.config.cloudflare.durableObjectNamespaceName ?? 'GoodVibesCoordinator'),

package/src/input/onboarding/onboarding-wizard-constants.ts

@@ -42,7 +42,7 @@ export const DEFAULT_CAPABILITIES: readonly OnboardingStep1CapabilityItem[] = [
     id: 'external-integrations',
     label: 'Connect GoodVibes to external apps and services',
     selected: false,
-    detail: 'Enable setup screens for Slack, Discord, Telegram, Teams, Matrix, and other app surfaces you choose.',
+    detail: 'Enable setup screens for Slack, Discord, Telegram, Home Assistant, Teams, Matrix, and other app surfaces you choose.',
   },
   {
     id: 'cloudflare-batch',
@@ -102,6 +102,7 @@ export const INBOUND_EXTERNAL_SURFACE_IDS = new Set<string>([
   'bluebubbles',
   'discord',
   'googleChat',
+  'homeassistant',
   'imessage',
   'mattermost',
   'matrix',
@@ -123,6 +124,9 @@ export const REQUIRED_EXTERNAL_SETUP_FIELD_IDS = new Set<string>([
   'external-services.telegram.bot-token',
   'external-services.telegram.webhook-secret',
   'external-services.webhook.default-target',
+  'external-services.homeassistant.instance-url',
+  'external-services.homeassistant.access-token',
+  'external-services.homeassistant.webhook-secret',
   'external-services.google-chat.webhook-url',
   'external-services.google-chat.verification-token',
   'external-services.signal.bridge-url',

package/src/input/onboarding/onboarding-wizard-external-surface-extra-specs.ts

@@ -0,0 +1,117 @@
+import type { ExternalSurfaceSpec } from './onboarding-wizard-external-surfaces.ts';
+
+export const WEBHOOK_SURFACE_SPEC: ExternalSurfaceSpec = {
+  id: 'webhook',
+  enabledFieldId: 'external-services.webhook',
+  enabledConfigKey: 'surfaces.webhook.enabled',
+  label: 'Outbound webhook surface',
+  hint: 'Enable outbound webhook delivery targets.',
+  defaultEnabled: (snapshot) => snapshot?.config.surfaces.webhook.enabled ?? false,
+  fields: [
+    {
+      id: 'external-services.webhook.default-target',
+      configKey: 'surfaces.webhook.defaultTarget',
+      kind: 'text',
+      label: 'Default webhook target',
+      hint: 'Fallback URL used for outbound webhook deliveries.',
+      placeholder: 'https://example.com/goodvibes',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.webhook.defaultTarget ?? '',
+    },
+    {
+      id: 'external-services.webhook.secret',
+      configKey: 'surfaces.webhook.secret',
+      kind: 'masked',
+      label: 'Webhook signing secret',
+      hint: 'Secret used to sign outbound webhook payloads.',
+      placeholder: 'secret',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.webhook.secret ?? '',
+    },
+    {
+      id: 'external-services.webhook.timeout-ms',
+      configKey: 'surfaces.webhook.timeoutMs',
+      kind: 'text',
+      valueType: 'number',
+      label: 'Webhook timeout ms',
+      hint: 'Request timeout for outbound webhook deliveries.',
+      placeholder: '10000',
+      defaultNumber: 10000,
+      min: 1000,
+      max: 60000,
+      defaultValue: (snapshot) => String(snapshot?.config.surfaces.webhook.timeoutMs ?? 10000),
+    },
+  ],
+};
+
+export const HOME_ASSISTANT_SURFACE_SPEC: ExternalSurfaceSpec = {
+  id: 'homeassistant',
+  enabledFieldId: 'external-services.homeassistant',
+  enabledConfigKey: 'surfaces.homeassistant.enabled',
+  label: 'Home Assistant surface',
+  hint: 'Enable the Home Assistant companion surface, daemon callbacks, and event delivery.',
+  defaultEnabled: (snapshot) => snapshot?.config.surfaces.homeassistant.enabled ?? false,
+  fields: [
+    {
+      id: 'external-services.homeassistant.instance-url',
+      configKey: 'surfaces.homeassistant.instanceUrl',
+      kind: 'text',
+      label: 'Home Assistant URL',
+      hint: 'Base URL of the Home Assistant instance.',
+      placeholder: 'http://homeassistant.local:8123',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.instanceUrl ?? '',
+    },
+    {
+      id: 'external-services.homeassistant.access-token',
+      configKey: 'surfaces.homeassistant.accessToken',
+      kind: 'masked',
+      label: 'Home Assistant access token',
+      hint: 'Long-lived Home Assistant access token or goodvibes:// secret reference.',
+      placeholder: 'long-lived access token',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.accessToken ?? '',
+    },
+    {
+      id: 'external-services.homeassistant.webhook-secret',
+      configKey: 'surfaces.homeassistant.webhookSecret',
+      kind: 'masked',
+      label: 'Home Assistant webhook secret',
+      hint: 'Shared secret used to verify inbound Home Assistant callbacks.',
+      placeholder: 'webhook secret',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.webhookSecret ?? '',
+    },
+    {
+      id: 'external-services.homeassistant.default-conversation-id',
+      configKey: 'surfaces.homeassistant.defaultConversationId',
+      kind: 'text',
+      label: 'Default conversation ID',
+      hint: 'Default Home Assistant conversation id used for route binding.',
+      placeholder: 'goodvibes',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.defaultConversationId ?? 'goodvibes',
+    },
+    {
+      id: 'external-services.homeassistant.device-id',
+      configKey: 'surfaces.homeassistant.deviceId',
+      kind: 'text',
+      label: 'Home Assistant device ID',
+      hint: 'Stable device identifier exposed by the GoodVibes daemon.',
+      placeholder: 'goodvibes-daemon',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.deviceId ?? 'goodvibes-daemon',
+    },
+    {
+      id: 'external-services.homeassistant.device-name',
+      configKey: 'surfaces.homeassistant.deviceName',
+      kind: 'text',
+      label: 'Home Assistant device name',
+      hint: 'Display name for the GoodVibes daemon device in Home Assistant.',
+      placeholder: 'GoodVibes Daemon',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.deviceName ?? 'GoodVibes Daemon',
+    },
+    {
+      id: 'external-services.homeassistant.event-type',
+      configKey: 'surfaces.homeassistant.eventType',
+      kind: 'text',
+      label: 'Home Assistant event type',
+      hint: 'Event type used for daemon-to-Home Assistant deliveries.',
+      placeholder: 'goodvibes_message',
+      defaultValue: (snapshot) => snapshot?.config.surfaces.homeassistant.eventType ?? 'goodvibes_message',
+    },
+  ],
+};

package/src/input/onboarding/onboarding-wizard-external-surfaces.ts

@@ -7,6 +7,7 @@ import {
 import { DEFAULT_CONFIG, type ConfigKey } from '../../config/index.ts';
 import type { OnboardingSnapshotState } from '../../runtime/onboarding/index.ts';
 import { TELEGRAM_MODE_OPTIONS, WHATSAPP_PROVIDER_OPTIONS } from './onboarding-wizard-constants.ts';
+import { HOME_ASSISTANT_SURFACE_SPEC, WEBHOOK_SURFACE_SPEC } from './onboarding-wizard-external-surface-extra-specs.ts';
 import type { OnboardingWizardRadioOption } from './onboarding-wizard-types.ts';
 
 export interface ExternalSurfaceSetupFieldSpec {
@@ -333,47 +334,8 @@ export const EXTERNAL_SURFACE_SPECS: readonly ExternalSurfaceSpec[] = [
       },
     ],
   },
-  {
-    id: 'webhook',
-    enabledFieldId: 'external-services.webhook',
-    enabledConfigKey: 'surfaces.webhook.enabled',
-    label: 'Outbound webhook surface',
-    hint: 'Enable outbound webhook delivery targets.',
-    defaultEnabled: (snapshot) => snapshot?.config.surfaces.webhook.enabled ?? false,
-    fields: [
-      {
-        id: 'external-services.webhook.default-target',
-        configKey: 'surfaces.webhook.defaultTarget',
-        kind: 'text',
-        label: 'Default webhook target',
-        hint: 'Fallback URL used for outbound webhook deliveries.',
-        placeholder: 'https://example.com/goodvibes',
-        defaultValue: (snapshot) => snapshot?.config.surfaces.webhook.defaultTarget ?? '',
-      },
-      {
-        id: 'external-services.webhook.secret',
-        configKey: 'surfaces.webhook.secret',
-        kind: 'masked',
-        label: 'Webhook signing secret',
-        hint: 'Secret used to sign outbound webhook payloads.',
-        placeholder: 'secret',
-        defaultValue: (snapshot) => snapshot?.config.surfaces.webhook.secret ?? '',
-      },
-      {
-        id: 'external-services.webhook.timeout-ms',
-        configKey: 'surfaces.webhook.timeoutMs',
-        kind: 'text',
-        valueType: 'number',
-        label: 'Webhook timeout ms',
-        hint: 'Request timeout for outbound webhook deliveries.',
-        placeholder: '10000',
-        defaultNumber: 10000,
-        min: 1000,
-        max: 60000,
-        defaultValue: (snapshot) => String(snapshot?.config.surfaces.webhook.timeoutMs ?? 10000),
-      },
-    ],
-  },
+  WEBHOOK_SURFACE_SPEC,
+  HOME_ASSISTANT_SURFACE_SPEC,
   {
     id: 'googleChat',
     enabledFieldId: 'external-services.google-chat',

package/src/renderer/settings-modal-helpers.ts

@@ -139,6 +139,14 @@ export const SETTING_LABELS: Partial<Record<string, string>> = {
   'surfaces.ntfy.remoteTopic': 'ntfy Daemon-Only Remote Topic',
   'surfaces.ntfy.token': 'ntfy Token',
   'surfaces.ntfy.defaultPriority': 'ntfy Default Priority',
+  'surfaces.homeassistant.enabled': 'Home Assistant Enabled',
+  'surfaces.homeassistant.instanceUrl': 'Home Assistant URL',
+  'surfaces.homeassistant.accessToken': 'Home Assistant Access Token',
+  'surfaces.homeassistant.webhookSecret': 'Home Assistant Webhook Secret',
+  'surfaces.homeassistant.defaultConversationId': 'Home Assistant Conversation ID',
+  'surfaces.homeassistant.deviceId': 'Home Assistant Device ID',
+  'surfaces.homeassistant.deviceName': 'Home Assistant Device Name',
+  'surfaces.homeassistant.eventType': 'Home Assistant Event Type',
 };
 
 export function getSettingLabel(entry: SettingEntry): string {

package/src/runtime/cloudflare-control-plane.ts

@@ -123,7 +123,24 @@ export interface CloudflareProvisionResult {
   readonly account?: { readonly id: string; readonly name: string };
   readonly worker?: { readonly name: string; readonly baseUrl?: string; readonly subdomain?: string; readonly hostname?: string; readonly cron?: string };
   readonly queues?: { readonly queueName: string; readonly queueId: string; readonly deadLetterQueueName: string; readonly deadLetterQueueId: string; readonly consumerId?: string };
+  readonly tunnel?: { readonly id: string; readonly name: string; readonly hostname?: string; readonly tokenRef?: string };
+  readonly access?: { readonly appId?: string; readonly serviceTokenId?: string; readonly serviceTokenRef?: string };
+  readonly dns?: {
+    readonly zoneId: string;
+    readonly zoneName?: string;
+    readonly records: ReadonlyArray<{ readonly id?: string; readonly name?: string; readonly type?: string; readonly content?: string }>;
+  };
+  readonly kv?: { readonly namespaceName: string; readonly namespaceId: string };
+  readonly durableObjects?: { readonly namespaceName: string; readonly namespaceId?: string };
+  readonly r2?: { readonly bucketName: string; readonly storageClass: 'Standard' };
+  readonly secretsStore?: { readonly storeName: string; readonly storeId: string };
   readonly verification?: CloudflareVerifyResult;
+  readonly generatedSecrets?: {
+    readonly workerClientToken?: string;
+    readonly tunnelToken?: string;
+    readonly accessServiceTokenClientId?: string;
+    readonly accessServiceTokenClientSecret?: string;
+  };
 }
 
 export interface CloudflareVerifyResult {
@@ -187,6 +204,10 @@ export interface CloudflareProvisionRequest extends CloudflareDiscoverRequest {
   readonly tunnelName?: string;
   readonly tunnelId?: string;
   readonly tunnelServiceUrl?: string;
+  readonly tunnelTokenRef?: string;
+  readonly accessAppId?: string;
+  readonly accessServiceTokenId?: string;
+  readonly accessServiceTokenRef?: string;
   readonly kvNamespaceName?: string;
   readonly kvNamespaceId?: string;
   readonly durableObjectNamespaceName?: string;

package/src/runtime/onboarding/apply.ts

@@ -353,25 +353,26 @@ function buildAuthRollbackAction(
 ): RollbackAction {
   validateAuthOperation(deps, operation);
   const auth = deps.auth!;
+  const mutable = auth as unknown as MutableAuthManager;
   const username = operation.username.trim();
   const before = auth.inspect();
   const existingUser = before.users.find((user) => user.username === username);
-  const existingSessionTokens = new Set(before.sessions
+  const existingSessionFingerprints = new Set(before.sessions
     .filter((session) => session.username === username)
-    .map((session) => session.token));
+    .map((session) => session.tokenFingerprint));
   const userStoreSnapshot = existsSync(before.userStorePath) ? readFileSync(before.userStorePath, 'utf-8') : null;
   const bootstrapCredentialSnapshot = existsSync(before.bootstrapCredentialPath)
     ? readFileSync(before.bootstrapCredentialPath, 'utf-8')
     : null;
   const bootstrapCredential = parseBootstrapCredential(bootstrapCredentialSnapshot);
-  const beforeSessions = before.sessions.map((session) => ({ ...session }));
+  const beforeSessions = mutable.sessions instanceof Map
+    ? [...mutable.sessions.entries()].map(([token, session]) => [token, { ...session }] as const)
+    : [];
 
   return () => {
-    const mutable = auth as unknown as MutableAuthManager;
-
     for (const session of auth.inspect().sessions) {
-      if (session.username === username && !existingSessionTokens.has(session.token)) {
-        auth.revokeSession(session.token);
+      if (session.username === username && !existingSessionFingerprints.has(session.tokenFingerprint)) {
+        auth.revokeSession(session.tokenFingerprint);
       }
     }
 
@@ -402,7 +403,7 @@ function buildAuthRollbackAction(
 
     if (mutable.sessions instanceof Map) {
       mutable.sessions.clear();
-      for (const session of beforeSessions) mutable.sessions.set(session.token, session);
+      for (const [token, session] of beforeSessions) mutable.sessions.set(token, session);
     }
   };
 }

package/src/runtime/onboarding/derivation.ts

@@ -281,7 +281,7 @@ function describeExternalIntegrations(snapshot: OnboardingSnapshotState): string
   ]).size;
 
   if (integrationCount === 0) {
-    return 'Enable setup screens for Slack, Discord, Telegram, Teams, Matrix, and other app surfaces you choose.';
+    return 'Enable setup screens for Slack, Discord, Telegram, Home Assistant, Teams, Matrix, and other app surfaces you choose.';
   }
 
   return `Review and configure ${integrationCount} detected external app, service, or surface integration signal(s).`;

package/src/version.ts

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 // The prebuild script updates the fallback value before compilation.
 // Uses import.meta.dir (Bun) to locate package.json relative to this file,
 // which is correct regardless of the process working directory.
-let _version = '0.19.34';
+let _version = '0.19.35';
 try {
   const pkg = JSON.parse(readFileSync(join(import.meta.dir, '..', 'package.json'), 'utf-8'));
   _version = pkg.version ?? _version;