bloby-bot 0.70.12 → 0.71.0

package/bin/cli.js

@@ -125,13 +125,16 @@ const flags = new Set(globalArgs.filter(a => a.startsWith('-')));
 const HOSTED = flags.has('--hosted');
 const FOREGROUND = flags.has('--foreground');
 const FOLLOW = flags.has('-f') || flags.has('--follow');
+// `init -advanced` (also --advanced) reveals the named-tunnel + private-network
+// options. Without it, init goes straight to the zero-config quick tunnel.
+const ADVANCED = flags.has('-advanced') || flags.has('--advanced');
 const positional = globalArgs.filter(a => !a.startsWith('-'));
 const command = positional[0];
 const subcommand = positional[1];
 
 // Strict parsing covers flags too — a typo like --forground must not silently
 // fall through to a different behavior (x402's own flags pass through verbatim).
-const KNOWN_FLAGS = new Set(['--hosted', '--foreground', '-f', '--follow', '-n', '--lines', '-h', '--help', '-v', '--version']);
+const KNOWN_FLAGS = new Set(['--hosted', '--foreground', '-f', '--follow', '-n', '--lines', '-h', '--help', '-v', '--version', '-advanced', '--advanced']);
 for (const f of flags) {
   const name = f.includes('=') ? f.slice(0, f.indexOf('=')) : f;
   if (!KNOWN_FLAGS.has(name)) {
@@ -524,6 +527,7 @@ function printHelp() {
     ${c.blue}${'version'.padEnd(18)}${c.reset}Print the installed version
 
   ${c.bold}Flags${c.reset}
+    ${c.dim}init -advanced${c.reset}       Choose a named tunnel or private-network mode
     ${c.dim}start --foreground${c.reset}   Run attached to this terminal (debugging)
 `);
 }
@@ -568,7 +572,46 @@ function unknownCommand(input) {
 // ── Config helpers ──
 
 function readConfig() {
-  try { return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf-8')); } catch { return null; }
+  try { return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf-8')); }
+  catch {
+    // A torn/truncated write must NOT fall through to null — init treats a null
+    // config as "not set up" and regenerates a NEW wallet, permanently losing the
+    // funded key. Recover from the .bak mirror instead.
+    try {
+      const bak = `${CONFIG_PATH}.bak`;
+      if (fs.existsSync(bak)) {
+        const cfg = JSON.parse(fs.readFileSync(bak, 'utf-8'));
+        try { writeConfig(cfg); } catch {}
+        return cfg;
+      }
+    } catch {}
+    return null;
+  }
+}
+
+/** Atomic config write: temp file + rename (atomic on the same fs), then mirror
+ *  to .bak. The CLI and the long-lived supervisor both write config.json, so a
+ *  direct writeFileSync can be observed half-written (→ wallet loss). */
+function writeConfig(config) {
+  fs.mkdirSync(DATA_DIR, { recursive: true });
+  const json = JSON.stringify(config, null, 2);
+  const tmp = `${CONFIG_PATH}.${process.pid}.tmp`;
+  try {
+    fs.writeFileSync(tmp, json);
+    try {
+      fs.renameSync(tmp, CONFIG_PATH);
+    } catch (err) {
+      // Windows: rename over a file another process holds open can EPERM/EEXIST.
+      if (PLATFORM === 'win32' && (err.code === 'EPERM' || err.code === 'EEXIST')) {
+        fs.copyFileSync(tmp, CONFIG_PATH);
+        fs.unlinkSync(tmp);
+      } else throw err;
+    }
+    try { fs.copyFileSync(CONFIG_PATH, `${CONFIG_PATH}.bak`); } catch {}
+  } catch (err) {
+    try { fs.unlinkSync(tmp); } catch {}
+    throw err;
+  }
 }
 
 function tunnelModeOf(config) {
@@ -718,11 +761,17 @@ function getRealHome() {
 }
 
 function generateUnitFile({ user, home, nodePath, dataDir }) {
+  // A newline in any interpolated value would inject arbitrary unit directives.
+  for (const [k, v] of Object.entries({ user, home, nodePath, dataDir })) {
+    if (/[\r\n]/.test(String(v))) throw new Error(`Invalid ${k} for systemd unit (contains a newline)`);
+  }
   const nodeBinDir = path.dirname(nodePath);
   return `[Unit]
 Description=Bloby Bot
 After=network-online.target
 Wants=network-online.target
+StartLimitIntervalSec=60
+StartLimitBurst=10
 
 [Service]
 Type=simple
@@ -731,6 +780,7 @@ WorkingDirectory=${dataDir}
 ExecStart=${nodePath} --import tsx/esm ${dataDir}/supervisor/index.ts
 Restart=on-failure
 RestartSec=5
+TimeoutStopSec=30
 Environment=HOME=${home}
 Environment=NODE_ENV=development
 Environment=NODE_PATH=${dataDir}/node_modules
@@ -814,34 +864,47 @@ function launchdJob() {
   return primary; // both not-loaded/unknown — report the preferred domain's view
 }
 
+// Escape values interpolated into XML — a path/username containing & < > " '
+// would otherwise produce a malformed plist that launchd refuses to load.
+function xmlEscape(s) {
+  return String(s)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
 function generateLaunchdPlist({ nodePath, dataDir }) {
   const nodeBinDir = path.dirname(nodePath);
   fs.mkdirSync(LAUNCHD_LOG_DIR, { recursive: true });
+  const e = xmlEscape;
+  const pathEnv = `${nodeBinDir}:${dataDir}/node_modules/.bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin`;
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
   <key>Label</key>
-  <string>${LAUNCHD_LABEL}</string>
+  <string>${e(LAUNCHD_LABEL)}</string>
   <key>ProgramArguments</key>
   <array>
-    <string>${nodePath}</string>
+    <string>${e(nodePath)}</string>
     <string>--import</string>
     <string>tsx/esm</string>
-    <string>${dataDir}/supervisor/index.ts</string>
+    <string>${e(dataDir)}/supervisor/index.ts</string>
   </array>
   <key>WorkingDirectory</key>
-  <string>${dataDir}</string>
+  <string>${e(dataDir)}</string>
   <key>EnvironmentVariables</key>
   <dict>
     <key>HOME</key>
-    <string>${os.homedir()}</string>
+    <string>${e(os.homedir())}</string>
     <key>NODE_ENV</key>
     <string>development</string>
     <key>NODE_PATH</key>
-    <string>${dataDir}/node_modules</string>
+    <string>${e(dataDir)}/node_modules</string>
     <key>PATH</key>
-    <string>${nodeBinDir}:${dataDir}/node_modules/.bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin</string>
+    <string>${e(pathEnv)}</string>
   </dict>
   <key>RunAtLoad</key>
   <true/>
@@ -852,10 +915,14 @@ function generateLaunchdPlist({ nodePath, dataDir }) {
   </dict>
   <key>ThrottleInterval</key>
   <integer>5</integer>
+  <key>StandardInPath</key>
+  <string>/dev/null</string>
   <key>StandardOutPath</key>
-  <string>${LAUNCHD_LOG}</string>
+  <string>${e(LAUNCHD_LOG)}</string>
   <key>StandardErrorPath</key>
-  <string>${LAUNCHD_LOG}</string>
+  <string>${e(LAUNCHD_LOG)}</string>
+  <key>ExitTimeOut</key>
+  <integer>20</integer>
   <key>ProcessType</key>
   <string>Standard</string>
 </dict>
@@ -909,10 +976,27 @@ function isDaemonActive() {
   return daemonPid() !== null;
 }
 
+/** Resolve a stable Node path to bake into the launchd plist / systemd unit.
+ *  process.execPath under nvm/fnm/volta/asdf/mise is a per-version binary that
+ *  vanishes when the user switches/removes that version — the daemon then fails
+ *  to start on boot. Substitute Bloby's bundled node, then a system node, and
+ *  only fall back to the running node (never a guessed-missing path). */
+function resolveStableNodePath() {
+  const candidate = process.env.BLOBY_NODE_PATH || process.execPath;
+  const transient = /(?:[/\\]\.(?:nvm|fnm|volta|asdf)[/\\])|fnm_multishells|[/\\]fnm[/\\]node-versions[/\\]|[/\\]mise[/\\]/.test(candidate);
+  if (!transient) return candidate;
+  const bundled = path.join(DATA_DIR, 'tools', 'node', 'bin', PLATFORM === 'win32' ? 'node.exe' : 'node');
+  if (fs.existsSync(bundled)) return bundled;
+  for (const sys of ['/usr/local/bin/node', '/usr/bin/node']) {
+    if (fs.existsSync(sys)) return sys;
+  }
+  return candidate;
+}
+
 /** Write the service definition (idempotent; refreshes node path / data dir drift).
  *  Returns { ok, error }. */
 function installServiceFiles({ spinner } = {}) {
-  const nodePath = process.env.BLOBY_NODE_PATH || process.execPath;
+  const nodePath = resolveStableNodePath();
   if (PLATFORM === 'darwin') {
     const dataDir = ROOT; // repo in dev, ~/.bloby in production
     fs.mkdirSync(path.dirname(LAUNCHD_PLIST_PATH), { recursive: true });
@@ -958,6 +1042,9 @@ function startDaemonService({ spinner } = {}) {
       if (res.status === 0) return { ok: true };
       return { ok: false, error: launchdError(res) };
     }
+    // Enable before the first bootstrap: a stale disable override (Login Items
+    // toggle, a prior bootout) otherwise makes bootstrap fail with 119/5.
+    launchctl(['enable', `${launchdDomain()}/${LAUNCHD_LABEL}`]);
     let res = launchctl(['bootstrap', launchdDomain(), LAUNCHD_PLIST_PATH]);
     if (res.status === 0 || res.status === 37) return { ok: true }; // 37 = already bootstrapped
     if (res.status === 5) {
@@ -980,6 +1067,13 @@ function startDaemonService({ spinner } = {}) {
     return { ok: false, error: launchdError(res) };
   }
   if (PLATFORM === 'linux') {
+    // A prior crash-loop can latch the unit 'failed', after which `systemctl
+    // start` is rejected ("Start request repeated too quickly") until a manual
+    // reset-failed. Clear it only when actually failed so the happy path keeps
+    // its single sudo call (systemdShow needs no privilege).
+    if (systemdShow().activeState === 'failed') {
+      runPrivileged(['systemctl', 'reset-failed', SERVICE_NAME], { spinner });
+    }
     return runPrivileged(['systemctl', 'start', SERVICE_NAME], { spinner });
   }
   return { ok: false, error: 'No daemon support on this platform.' };
@@ -1774,14 +1868,28 @@ function cmdLogs() {
 function createConfig() {
   fs.mkdirSync(DATA_DIR, { recursive: true });
   if (!fs.existsSync(CONFIG_PATH)) {
+    // Env-seed (additive): hosted provisioning passes the pre-registered identity
+    // via BLOBY_* env vars (same contract as docker-entrypoint.sh) so the box boots
+    // already owning its handle + relay token. For normal local installs these are
+    // all unset, so the config is identical to before.
     const config = {
-      port: 7400,
-      username: '',
-      ai: { provider: '', model: '', apiKey: '' },
-      tunnel: { mode: 'quick' },
-      relay: { token: '', tier: '', url: '' },
+      port: parseInt(process.env.BLOBY_PORT || '7400', 10),
+      username: process.env.BLOBY_USERNAME || '',
+      ai: {
+        provider: process.env.BLOBY_AI_PROVIDER || '',
+        model: process.env.BLOBY_AI_MODEL || '',
+        apiKey: process.env.BLOBY_AI_API_KEY || '',
+      },
+      // Hosted boxes are reachable directly (public IP + Caddy + CF DNS), so they
+      // need no tunnel. Honor an explicit BLOBY_TUNNEL_MODE; otherwise default quick.
+      tunnel: { mode: process.env.BLOBY_TUNNEL_MODE || 'quick' },
+      relay: {
+        token: process.env.BLOBY_RELAY_TOKEN || '',
+        tier: process.env.BLOBY_RELAY_TIER || '',
+        url: process.env.BLOBY_RELAY_URL || '',
+      },
     };
-    fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+    writeConfig(config);
   }
 }
 
@@ -1903,6 +2011,14 @@ function ask(question) {
 }
 
 async function runNamedTunnelSetup() {
+  // cloudflared writes cert.pem + <uuid>.json under $HOME/.cloudflared. Under
+  // sudo that's /root, which the non-root daemon can't read — the named tunnel
+  // then fails silently on every boot. Refuse, mirroring `bloby update`.
+  if (PLATFORM !== 'win32' && process.getuid?.() === 0) {
+    console.log(`\n  ${GLYPH.err}  Don't run named-tunnel setup with sudo.`);
+    console.log(`     ${c.dim}cloudflared stores credentials under your home dir — run it as your normal user.${c.reset}\n`);
+    process.exit(1);
+  }
   const s = new Spinner().start('Checking cloudflared...');
   await installCloudflared();
   s.succeed('cloudflared ready');
@@ -1952,7 +2068,7 @@ async function runNamedTunnelSetup() {
 
   const config = readConfig() || {};
   const port = config.port || 7400;
-  const cfHome = path.join(os.homedir(), '.cloudflared');
+  const cfHome = path.join(resolveRealHome(), '.cloudflared');
   const cfConfigPath = path.join(DATA_DIR, 'cloudflared-config.yml');
 
   const yamlContent = `tunnel: ${tunnelUuid}
@@ -1984,7 +2100,11 @@ async function cmdInit() {
     if (dPid || runtime) {
       const config = readConfig();
       if (HOSTED) {
-        console.log(`__HOSTED_READY__=${JSON.stringify({ tunnelUrl: config?.tunnelUrl || `http://localhost:${config?.port || 7400}`, status: config?.tunnelUrl ? 'ok' : 'tunnel_failed', daemon: true })}`);
+        // Managed mode (tunnel off) has no tunnelUrl by design — a running daemon
+        // is itself "ok". Only the tunnel modes treat a missing URL as a failure.
+        const noTunnel = (config?.tunnel?.mode || 'quick') === 'off';
+        const reStatus = noTunnel ? 'ok' : (config?.tunnelUrl ? 'ok' : 'tunnel_failed');
+        console.log(`__HOSTED_READY__=${JSON.stringify({ tunnelUrl: config?.tunnelUrl || `http://localhost:${config?.port || 7400}`, status: reStatus, daemon: true })}`);
         process.exit(0);
       }
       resultBox([` ${c.blue}●${c.reset}  ${c.bold}Bloby is already set up and running${c.reset}`]);
@@ -1998,15 +2118,34 @@ async function cmdInit() {
   createConfig();
   writeVersionFile(pkg.version);
 
-  // --hosted: non-interactive, quick tunnel, machine-readable output
-  const tunnelMode = HOSTED ? 'quick' : await (async () => {
+  // --hosted: non-interactive, quick tunnel, machine-readable output.
+  const config = readConfig() || {};
+  const existingMode = config.tunnel?.mode;
+
+  // --hosted: non-interactive quick tunnel.
+  // Default (no -advanced): KEEP an already-configured named/private mode instead
+  // of clobbering it, otherwise use the zero-config quick tunnel. The full chooser
+  // (named tunnel + private network) only appears with `bloby init -advanced`.
+  let tunnelMode;
+  if (HOSTED) {
+    // Managed boxes are reachable directly (public IP + Caddy + a per-bot CF DNS
+    // record), so the default is NO tunnel — the AMI's provision.sh sets
+    // BLOBY_TUNNEL_MODE=off, which createConfig() seeded here. Legacy tunnel AMIs
+    // that don't set it keep the historical quick-tunnel behavior.
+    tunnelMode = existingMode || 'quick';
+  } else if (!ADVANCED) {
+    tunnelMode = (existingMode === 'named' || existingMode === 'off') ? existingMode : 'quick';
+    if (tunnelMode === 'quick') {
+      console.log(`\n  ${c.dim}Using the quick tunnel (random URL). For a named tunnel or private-network mode, run ${c.reset}${c.blue}bloby init -advanced${c.reset}${c.dim}.${c.reset}`);
+    } else {
+      const label = existingMode === 'named' ? 'named tunnel' : 'private-network';
+      console.log(`\n  ${c.dim}Keeping your existing ${c.reset}${c.white}${label}${c.reset}${c.dim} configuration. Run ${c.reset}${c.blue}bloby init -advanced${c.reset}${c.dim} to change it.${c.reset}`);
+    }
+  } else {
     console.log('');
-    const mode = await chooseTunnelMode();
+    tunnelMode = await chooseTunnelMode();
     console.log('');
-    return mode;
-  })();
-
-  const config = readConfig() || {};
+  }
 
   // Generate USDC wallet (skip if one already exists)
   if (!config.wallet?.privateKey) {
@@ -2017,17 +2156,22 @@ async function cmdInit() {
   }
 
   if (tunnelMode === 'named') {
-    const setup = await runNamedTunnelSetup();
-    config.tunnel = {
-      mode: 'named',
-      name: setup.tunnelName,
-      domain: setup.domain,
-      configPath: setup.cfConfigPath,
-    };
+    // Re-run the interactive cloudflared setup only on an explicit `-advanced`
+    // choice; the default path reuses the already-configured named tunnel as-is.
+    const reuseExisting = !ADVANCED && config.tunnel?.mode === 'named' && config.tunnel?.name;
+    if (!reuseExisting) {
+      const setup = await runNamedTunnelSetup();
+      config.tunnel = {
+        mode: 'named',
+        name: setup.tunnelName,
+        domain: setup.domain,
+        configPath: setup.cfConfigPath,
+      };
+    }
   } else {
     config.tunnel = { mode: tunnelMode };
   }
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+  writeConfig(config);
 
   const log = HOSTED ? (msg) => console.log(`[bloby] ${msg}`) : null;
 
@@ -2037,9 +2181,12 @@ async function cmdInit() {
   if (!hasDaemonSupport()) {
     if (HOSTED) {
       if (log) log('Starting server (foreground, no daemon support)...');
+      const noTunnel = tunnelMode === 'off';
       let result;
       try {
-        await installCloudflared();
+        // Managed mode (tunnel off) is reached directly via Caddy + CF DNS — no
+        // cloudflared needed. Only install it when a tunnel mode is actually used.
+        if (!noTunnel) await installCloudflared();
         result = await bootServer({
           onTunnelUp: (url) => { if (log && url) log(`Tunnel up: ${url}`); },
         });
@@ -2048,7 +2195,13 @@ async function cmdInit() {
         process.exit(1);
       }
       await Promise.race([result.viteWarm, new Promise(r => setTimeout(r, 30_000))]);
-      console.log(`__HOSTED_READY__=${JSON.stringify({ tunnelUrl: result.tunnelUrl, status: result.tunnelFailed ? 'tunnel_failed' : 'ok' })}`);
+      // With no tunnel, readiness == the local server is healthy; a missing
+      // tunnelUrl is expected, not a failure.
+      const status = noTunnel
+        ? (result.healthy === false ? 'failed' : 'ok')
+        : (result.tunnelFailed ? 'tunnel_failed' : 'ok');
+      const readyUrl = result.tunnelUrl || `http://localhost:${result.port || config.port || 7400}`;
+      console.log(`__HOSTED_READY__=${JSON.stringify({ tunnelUrl: readyUrl, status })}`);
       result.child.stdout.on('data', (d) => process.stdout.write(d));
       result.child.stderr.on('data', (d) => process.stderr.write(d));
       return; // stays attached
@@ -2059,7 +2212,13 @@ async function cmdInit() {
 
   if (log) log('Starting daemon...');
   const initConfig = readConfig() || {};
-  const steps = new Steps(startStepTitles(initConfig)).start();
+  const initTitles = startStepTitles(initConfig);
+  // The tunnel URL answers a few seconds after registration succeeds — hold
+  // before revealing it on first setup so the user's first click doesn't 404.
+  // Shown as its own step so the wait doesn't look like a hang.
+  const goLiveHold = !HOSTED && tunnelModeOf(initConfig) !== 'off';
+  if (goLiveHold) initTitles.push('Going live');
+  const steps = new Steps(initTitles).start();
   // Hosted provisioning treats tunnel_failed as meaningful — give cold cloud
   // boxes a longer window before declaring the tunnel down.
   const result = await startCore({ ui: steps, ...(HOSTED ? { timeoutMs: 180_000 } : {}) });
@@ -2070,14 +2229,21 @@ async function cmdInit() {
     }
     process.exit(1);
   }
-  if (result.healthy && !result.tunnelFailed && (result.tunnelMode === 'off' || result.ready)) steps.finish();
-  else steps.fail();
+  if (result.healthy && !result.tunnelFailed && (result.tunnelMode === 'off' || result.ready)) {
+    if (goLiveHold && result.tunnelUrl) await new Promise((r) => setTimeout(r, 5000));
+    steps.finish();
+  } else steps.fail();
 
   if (HOSTED) {
     if (log) log(result.healthy ? 'Daemon running' : 'Daemon starting');
-    // status keyed off the supervisor's explicit __TUNNEL_FAILED__ marker (same
-    // semantics as the no-daemon foreground path) — a slow tunnel is not a failure.
-    const hostedStatus = result.tunnelFailed || !result.tunnelUrl ? 'tunnel_failed' : 'ok';
+    // Managed mode (tunnel off) is reached directly via Caddy + CF DNS, so there is
+    // no tunnelUrl — readiness is just a healthy local server. For tunnel modes,
+    // status keys off the supervisor's __TUNNEL_FAILED__ marker (a slow tunnel is
+    // not a failure).
+    const noTunnel = (result.tunnelMode || tunnelModeOf(initConfig)) === 'off';
+    const hostedStatus = noTunnel
+      ? (result.healthy ? 'ok' : 'starting')
+      : (result.tunnelFailed || !result.tunnelUrl ? 'tunnel_failed' : 'ok');
     console.log(`__HOSTED_READY__=${JSON.stringify({ tunnelUrl: result.tunnelUrl || `http://localhost:${result.port}`, status: hostedStatus, daemon: true })}`);
     process.exit(0);
   }
@@ -2140,9 +2306,29 @@ async function cmdUpdate() {
   const tarball = path.join(tmpDir, 'bloby.tgz');
 
   try {
-    const res = await fetch(latest.dist.tarball, { signal: AbortSignal.timeout(300_000) });
-    if (!res.ok) throw new Error(`HTTP ${res.status}`);
-    const buf = Buffer.from(await res.arrayBuffer());
+    // Retry transient failures (network/5xx); a 4xx means the tarball genuinely
+    // isn't there, so fail fast instead of burning the 300s window three times.
+    let buf = null;
+    for (let attempt = 1; attempt <= 3; attempt++) {
+      try {
+        const res = await fetch(latest.dist.tarball, { signal: AbortSignal.timeout(300_000) });
+        if (res.status >= 400 && res.status < 500) throw Object.assign(new Error(`HTTP ${res.status}`), { fatal: true });
+        if (!res.ok) throw new Error(`HTTP ${res.status}`);
+        buf = Buffer.from(await res.arrayBuffer());
+        break;
+      } catch (e) {
+        if (e.fatal || attempt === 3) throw e;
+        await new Promise((r) => setTimeout(r, 2000 * attempt));
+      }
+    }
+    // Integrity: match the npm registry's published sha512 (dist.integrity) before
+    // this is auto-deployed onto a running, wallet-bearing agent. Zero-dep (node:crypto).
+    const want = (latest.dist.integrity || '').replace(/^sha512-/, '');
+    if (want) {
+      const crypto = await import('crypto');
+      const got = crypto.createHash('sha512').update(buf).digest('base64');
+      if (got !== want) throw new Error('integrity check failed (sha512 mismatch) — refusing to install a corrupt update');
+    }
     fs.writeFileSync(tarball, buf);
     execSync(`tar xzf "${tarball}" -C "${tmpDir}"`, { stdio: 'ignore' });
   } catch (e) {
@@ -2439,7 +2625,7 @@ async function cmdTunnel(sub) {
         domain: setup.domain,
         configPath: setup.cfConfigPath,
       };
-      fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+      writeConfig(config);
       console.log(`  ${GLYPH.ok}  Bloby config updated\n`);
 
       if (isDaemonActive()) {
@@ -2486,7 +2672,7 @@ async function cmdTunnel(sub) {
       const config = readConfig() || {};
       config.tunnel = { mode: 'quick' };
       delete config.tunnelUrl;
-      fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+      writeConfig(config);
       console.log(`\n  ${GLYPH.ok}  Tunnel mode reset to ${c.bold}quick${c.reset} (random trycloudflare.com URL).`);
       if (isDaemonActive()) {
         console.log(`  ${c.dim}Restart to apply: ${c.reset}${c.blue}bloby restart${c.reset}`);