forge-remote 0.1.0 → 0.1.2

package/src/init.js

@@ -4,6 +4,7 @@
 // AGPL-3.0 License — See LICENSE
 
 import { execSync } from "child_process";
+import { createInterface } from "readline";
 import { hostname, platform, homedir } from "os";
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from "fs";
 import { join, dirname } from "path";
@@ -13,6 +14,19 @@ import { getFirestore, FieldValue } from "firebase-admin/firestore";
 import qrcode from "qrcode-terminal";
 import chalk from "chalk";
 
+import {
+  readRefreshToken,
+  enableAnonymousAuth,
+  enableApi,
+  findFirebaseAdminSdkAccount,
+  createServiceAccountKey,
+  deployFirestoreRules,
+} from "./google-auth.js";
+import {
+  installCloudflared,
+  isCloudflaredWorking,
+} from "./cloudflared-installer.js";
+
 // ─── Helpers ────────────────────────────────────────────────────────────────
 
 /**
@@ -81,16 +95,29 @@ function getDesktopId() {
 }
 
 /**
- * Walk up from a starting directory to find a file.
+ * Prompt the user and wait for Enter.
+ */
+function waitForEnter(message) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(message, () => {
+      rl.close();
+      resolve();
+    });
+  });
+}
+
+/**
+ * Open a URL in the default browser (best-effort, no throw).
  */
-function findFileUpwards(filename, startDir) {
-  let dir = startDir;
-  while (true) {
-    const candidate = join(dir, filename);
-    if (existsSync(candidate)) return candidate;
-    const parent = dirname(dir);
-    if (parent === dir) return null; // reached filesystem root
-    dir = parent;
+function openBrowser(url) {
+  const p = platform();
+  try {
+    if (p === "darwin") execSync(`open "${url}"`, { stdio: "pipe" });
+    else if (p === "win32") execSync(`start "" "${url}"`, { stdio: "pipe" });
+    else execSync(`xdg-open "${url}"`, { stdio: "pipe" });
+  } catch {
+    // Silently fail — URL is always printed for manual opening.
   }
 }
 
@@ -98,51 +125,80 @@ function findFileUpwards(filename, startDir) {
 
 /**
  * Run the full Forge Remote initialization:
+ *
  *   1. Check Firebase CLI
- *   2. Check Firebase login
- *   3. Generate / confirm project name
- *   4. Create Firebase project
- *   5. Create web app
- *   6. Get SDK config
- *   7. Enable Firestore
- *   8. Deploy security rules (if found)
- *   9. Set up service account credentials
- *  10. Register desktop in Firestore
- *  11. Build QR payload
- *  12. Display QR code + success message
+ *   2. Firebase login (+ verify refresh token)
+ *   3. Create Firebase project
+ *   4. Create web app + get SDK config
+ *   5. Enable Firestore (with Blaze plan guidance)
+ *   6. Enable Anonymous Authentication (via REST API, no gcloud)
+ *   7. Service account key (via REST API, no gcloud)
+ *   8. Deploy Firestore security rules (via REST API, bundled rules file)
+ *   9. Register desktop + verify connection
+ *  10. Show QR code (only if all critical steps passed)
  */
 export async function runInit({ projectId: overrideProjectId } = {}) {
   const forgeDir = join(homedir(), ".forge-remote");
+  const configPath = join(forgeDir, "config.json");
   const line = "═".repeat(50);
 
+  // Ensure ~/.forge-remote directory exists.
+  if (!existsSync(forgeDir)) {
+    mkdirSync(forgeDir, { recursive: true });
+  }
+
+  // Load cached config from a previous init (project ID, desktop ID).
+  // This prevents hostname changes (e.g. different Wi-Fi networks on macOS)
+  // from creating a brand-new Firebase project each time.
+  let cachedConfig = {};
+  if (existsSync(configPath)) {
+    try {
+      cachedConfig = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+      // Corrupt file — will be overwritten at the end.
+    }
+  }
+
+  // Track critical step results — QR code is gated on ALL passing.
+  const results = {
+    firestoreEnabled: false,
+    anonymousAuthEnabled: false,
+    serviceAccountKeyReady: false,
+    rulesDeployed: false,
+    desktopRegistered: false,
+  };
+
   console.log(`\n${chalk.bold.cyan(line)}`);
   console.log(chalk.bold.cyan("  ⚡ FORGE REMOTE INIT"));
   console.log(`${chalk.bold.cyan(line)}\n`);
   console.log(
-    chalk.dim("  This command will set up a Firebase project for Forge Remote"),
+    chalk.dim(
+      "  This will set up a Firebase project for Forge Remote and generate",
+    ),
   );
   console.log(
-    chalk.dim("  and generate a QR code to pair with the mobile app.\n"),
+    chalk.dim("  a QR code to pair with the mobile app. Fully automated.\n"),
   );
 
   // ── Step 1: Check Firebase CLI ──────────────────────────────────────────
 
-  console.log(chalk.bold("\n📋 Step 1/12 — Checking Firebase CLI...\n"));
+  console.log(chalk.bold("\n📋 Step 1/11 — Checking Firebase CLI...\n"));
 
   const firebaseVersion = run("firebase --version", { silent: true });
   if (!firebaseVersion) {
-    console.error(chalk.red("Firebase CLI not found."));
+    console.error(chalk.red("  ✗ Firebase CLI not found.\n"));
+    console.error(chalk.bold("  Install it with:\n"));
+    console.error(chalk.cyan("    npm install -g firebase-tools\n"));
     console.error(
-      chalk.yellow("Install it with:\n\n  npm install -g firebase-tools\n"),
+      chalk.dim("  Then run this command again: forge-remote init\n"),
     );
-    console.error(chalk.dim("Then run this command again: forge-remote init"));
     process.exit(1);
   }
   console.log(chalk.green(`  ✓ Firebase CLI ${firebaseVersion}`));
 
-  // ── Step 2: Check Firebase login ────────────────────────────────────────
+  // ── Step 2: Firebase login ──────────────────────────────────────────────
 
-  console.log(chalk.bold("\n📋 Step 2/12 — Checking Firebase login...\n"));
+  console.log(chalk.bold("\n📋 Step 2/11 — Checking Firebase login...\n"));
 
   const loginList = run("firebase login:list", { silent: true });
   const isLoggedIn = loginList && !loginList.includes("No authorized accounts");
@@ -170,14 +226,32 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
   }
   console.log(chalk.green("  ✓ Logged into Firebase"));
 
-  // ── Step 3: Generate project name ───────────────────────────────────────
+  // Verify the refresh token is available (needed for REST API calls later).
+  const refreshToken = readRefreshToken();
+  if (!refreshToken) {
+    console.error(
+      chalk.red("  ✗ Could not find Firebase CLI refresh token after login.\n"),
+    );
+    console.error(chalk.dim("  Try logging out and back in:"));
+    console.error(chalk.dim("    firebase logout && firebase login\n"));
+    process.exit(1);
+  }
+  console.log(chalk.green("  ✓ Auth token verified"));
 
-  console.log(chalk.bold("\n📋 Step 3/12 — Generating project name...\n"));
+  // ── Step 3: Create Firebase project ─────────────────────────────────────
 
+  console.log(chalk.bold("\n📋 Step 3/11 — Creating Firebase project...\n"));
+
+  // Priority: 1) CLI override, 2) cached from previous init, 3) hostname-based.
   const defaultProjectId = `forge-remote-${sanitizedHostname()}`;
-  const projectId = overrideProjectId || defaultProjectId;
+  const projectId =
+    overrideProjectId || cachedConfig.projectId || defaultProjectId;
   console.log(chalk.dim(`  Using project ID: ${projectId}`));
-  if (!overrideProjectId) {
+  if (cachedConfig.projectId && !overrideProjectId) {
+    console.log(
+      chalk.dim(`  (Cached from previous init — stable across networks)`),
+    );
+  } else if (!overrideProjectId) {
     console.log(
       chalk.dim(`  (Override with: forge-remote init --project-id <id>)`),
     );
@@ -198,93 +272,112 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
     process.exit(1);
   }
 
-  console.log(chalk.green(`  ✓ Project ID: ${projectId}`));
-
-  // ── Step 4: Create Firebase project ─────────────────────────────────────
-
-  console.log(chalk.bold("\n📋 Step 4/12 — Creating Firebase project...\n"));
-
+  // Check if the project already exists.
+  let projectExists = false;
   try {
-    const createResult = runOrFail(
-      `firebase projects:create ${projectId} --display-name "Forge Remote"`,
-      "Failed to create Firebase project.",
+    execSync(`firebase apps:list --project ${projectId}`, {
+      encoding: "utf-8",
+      stdio: "pipe",
+    });
+    projectExists = true;
+  } catch {
+    // Project doesn't exist or isn't accessible.
+  }
+
+  if (projectExists) {
+    console.log(
+      chalk.yellow(`  ⚠ Project "${projectId}" already exists — reusing it.`),
     );
-    console.log(chalk.green(`  ✓ Firebase project created: ${projectId}`));
-    console.log(chalk.dim(`  ${createResult.split("\n").pop()}`));
-  } catch (e) {
-    const msg = e.message || "";
-    if (
-      msg.includes("already exists") ||
-      msg.includes("ALREADY_EXISTS") ||
-      msg.includes("already being used")
-    ) {
-      console.log(
-        chalk.yellow(`  ⚠ Project "${projectId}" already exists — reusing it.`),
-      );
-    } else {
-      console.error(chalk.red(`  ✗ ${e.message}`));
-      console.error(
-        chalk.dim(
-          "\n  If the project ID is taken, re-run with a different name.\n",
-        ),
+  } else {
+    try {
+      runOrFail(
+        `firebase projects:create ${projectId} --display-name "Forge Remote"`,
+        "Failed to create Firebase project.",
       );
-      process.exit(1);
+      console.log(chalk.green(`  ✓ Firebase project created: ${projectId}`));
+    } catch (e) {
+      const msg = e.message || "";
+      if (
+        msg.includes("already exists") ||
+        msg.includes("ALREADY_EXISTS") ||
+        msg.includes("already being used")
+      ) {
+        console.log(
+          chalk.yellow(
+            `  ⚠ Project "${projectId}" already exists — reusing it.`,
+          ),
+        );
+      } else {
+        console.error(chalk.red(`  ✗ ${e.message}`));
+        console.error(
+          chalk.dim(
+            "\n  If the project ID is taken by another account, re-run with:\n" +
+              "    forge-remote init --project-id <your-custom-id>\n",
+          ),
+        );
+        process.exit(1);
+      }
     }
   }
 
-  // ── Step 5: Create web app ──────────────────────────────────────────────
+  console.log(chalk.green(`  ✓ Project ID: ${projectId}`));
 
-  console.log(chalk.bold("\n📋 Step 5/12 — Creating web app...\n"));
+  // ── Step 4: Create web app + get SDK config ─────────────────────────────
+
+  console.log(
+    chalk.bold("\n📋 Step 4/11 — Creating web app & fetching SDK config...\n"),
+  );
 
   let appId = null;
 
+  // First, check if a web app already exists for this project.
   try {
-    const createAppOutput = runOrFail(
-      `firebase apps:create web "Forge Remote Mobile" --project ${projectId}`,
-      "Failed to create web app.",
+    const appsList = runOrFail(
+      `firebase apps:list --project ${projectId}`,
+      "Failed to list apps.",
     );
 
-    // Parse the app ID from the output.
-    // The output typically contains "App ID: 1:xxxx:web:xxxx" or similar.
-    const appIdMatch = createAppOutput.match(/(?:App ID|appId)[:\s]+(\S+)/i);
-    if (appIdMatch) {
-      appId = appIdMatch[1];
-    }
-    console.log(chalk.green(`  ✓ Web app created`));
-  } catch (e) {
-    const msg = e.message || "";
-    if (msg.includes("already exists") || msg.includes("ALREADY_EXISTS")) {
-      console.log(
-        chalk.yellow("  ⚠ Web app already exists — fetching existing app ID."),
-      );
-    } else {
-      console.error(chalk.red(`  ✗ ${e.message}`));
-      process.exit(1);
+    const lines = appsList.split("\n");
+    for (const appLine of lines) {
+      const idMatch = appLine.match(/1:\d+:web:[a-f0-9]+/);
+      if (idMatch) {
+        appId = idMatch[0];
+        break;
+      }
     }
+  } catch {
+    // Could not list apps — will try to create one.
   }
 
-  // If we didn't parse the app ID from creation output, list apps to find it.
-  if (!appId) {
+  if (appId) {
+    console.log(chalk.green(`  ✓ Existing web app found: ${appId}`));
+  } else {
+    // No existing web app — create one.
     try {
-      const appsList = runOrFail(
-        `firebase apps:list --project ${projectId}`,
-        "Failed to list apps.",
+      const createAppOutput = runOrFail(
+        `firebase apps:create web "Forge Remote Mobile" --project ${projectId}`,
+        "Failed to create web app.",
       );
 
-      // Look for a WEB app ID in the table output.
-      const lines = appsList.split("\n");
-      for (const appLine of lines) {
-        if (appLine.includes("WEB") || appLine.includes("web")) {
-          const idMatch = appLine.match(/1:\d+:web:[a-f0-9]+/);
-          if (idMatch) {
-            appId = idMatch[0];
-            break;
-          }
-        }
+      const appIdMatch = createAppOutput.match(/(?:App ID|appId)[:\s]+(\S+)/i);
+      if (appIdMatch) {
+        appId = appIdMatch[1];
       }
+      console.log(chalk.green("  ✓ Web app created"));
+    } catch (e) {
+      console.error(chalk.red(`  ✗ ${e.message}`));
+      process.exit(1);
+    }
 
-      if (!appId) {
-        // Try a broader pattern — any app ID in the list.
+    // If we still don't have the app ID, list apps to find it.
+    if (!appId) {
+      try {
+        const appsList = runOrFail(
+          `firebase apps:list --project ${projectId}`,
+          "Failed to list apps.",
+        );
+
+        const lines = appsList.split("\n");
         for (const appLine of lines) {
           const idMatch = appLine.match(/1:\d+:web:[a-f0-9]+/);
           if (idMatch) {
@@ -292,30 +385,25 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
             break;
           }
         }
+      } catch (e) {
+        console.error(chalk.red("  ✗ Could not determine web app ID."));
+        console.error(chalk.dim(`  ${e.message}\n`));
+        process.exit(1);
       }
-    } catch (e) {
-      console.error(chalk.red(`  ✗ Could not determine web app ID.`));
-      console.error(chalk.dim(`  ${e.message}\n`));
-      process.exit(1);
     }
   }
 
   if (!appId) {
     console.error(chalk.red("  ✗ Could not determine web app ID."));
     console.error(
-      chalk.dim(
-        "  Run `firebase apps:list --project " + projectId + "` to find it.\n",
-      ),
+      chalk.dim(`  Run: firebase apps:list --project ${projectId}\n`),
     );
     process.exit(1);
   }
 
   console.log(chalk.green(`  ✓ App ID: ${appId}`));
 
-  // ── Step 6: Get SDK config ──────────────────────────────────────────────
-
-  console.log(chalk.bold("\n📋 Step 6/12 — Fetching SDK config...\n"));
-
+  // Get SDK config.
   let sdkConfig = {};
 
   try {
@@ -324,24 +412,37 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
       "Failed to get SDK config.",
     );
 
-    // Parse the config object from the output.
-    // The output contains a JS object like: { apiKey: "...", authDomain: "...", ... }
-    const parseField = (field) => {
-      const regex = new RegExp(`${field}:\\s*"([^"]+)"`);
-      const match = sdkOutput.match(regex);
-      return match ? match[1] : null;
-    };
-
-    sdkConfig = {
-      apiKey: parseField("apiKey"),
-      authDomain: parseField("authDomain"),
-      projectId: parseField("projectId"),
-      storageBucket: parseField("storageBucket"),
-      messagingSenderId: parseField("messagingSenderId"),
-      appId: parseField("appId"),
-    };
-
-    // Validate we got the critical fields.
+    // Parse the config — output may be JSON or JS object.
+    const jsonMatch = sdkOutput.match(/\{[\s\S]*\}/);
+    if (jsonMatch) {
+      try {
+        const parsed = JSON.parse(jsonMatch[0]);
+        sdkConfig = {
+          apiKey: parsed.apiKey || null,
+          authDomain: parsed.authDomain || null,
+          projectId: parsed.projectId || null,
+          storageBucket: parsed.storageBucket || null,
+          messagingSenderId: parsed.messagingSenderId || null,
+          appId: parsed.appId || null,
+        };
+      } catch {
+        // Not valid JSON — fall back to regex.
+        const parseField = (field) => {
+          const regex = new RegExp(`"?${field}"?:\\s*"([^"]+)"`);
+          const match = sdkOutput.match(regex);
+          return match ? match[1] : null;
+        };
+        sdkConfig = {
+          apiKey: parseField("apiKey"),
+          authDomain: parseField("authDomain"),
+          projectId: parseField("projectId"),
+          storageBucket: parseField("storageBucket"),
+          messagingSenderId: parseField("messagingSenderId"),
+          appId: parseField("appId"),
+        };
+      }
+    }
+
     if (!sdkConfig.apiKey || !sdkConfig.projectId) {
       throw new Error(
         "Could not parse apiKey or projectId from SDK config output.",
@@ -367,177 +468,275 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
     process.exit(1);
   }
 
-  // ── Step 7: Enable Firestore ────────────────────────────────────────────
+  // ── Step 5: Enable Firestore ────────────────────────────────────────────
 
-  console.log(chalk.bold("\n📋 Step 7/12 — Enabling Firestore...\n"));
+  console.log(chalk.bold("\n📋 Step 5/11 — Enabling Firestore...\n"));
 
-  try {
-    runOrFail(
-      `firebase firestore:databases:create default --project ${projectId} --location=nam5`,
-      "Failed to enable Firestore.",
-    );
-    console.log(chalk.green("  ✓ Firestore enabled (nam5 — US multi-region)"));
-  } catch (e) {
-    const msg = e.message || "";
-    if (
-      msg.includes("already exists") ||
-      msg.includes("ALREADY_EXISTS") ||
-      msg.includes("database already exists")
-    ) {
-      console.log(chalk.yellow("  ⚠ Firestore already enabled — continuing."));
-    } else {
-      console.error(chalk.red(`  ✗ ${e.message}`));
-      console.error(
-        chalk.dim("\n  You may need to enable Firestore manually at:"),
-      );
-      console.error(
-        chalk.dim(
-          `  https://console.firebase.google.com/project/${projectId}/firestore\n`,
-        ),
-      );
-      process.exit(1);
+  // First check if Firestore already exists by listing databases.
+  const existingDbs = run(
+    `firebase firestore:databases:list --project ${projectId}`,
+    { silent: true },
+  );
+
+  if (existingDbs && existingDbs.includes("(default)")) {
+    console.log(chalk.yellow("  ⚠ Firestore already enabled — continuing."));
+    results.firestoreEnabled = true;
+  } else {
+    const maxFirestoreRetries = 2;
+
+    for (let attempt = 0; attempt < maxFirestoreRetries; attempt++) {
+      try {
+        runOrFail(
+          `firebase firestore:databases:create default --project ${projectId} --location=nam5`,
+          "Failed to enable Firestore.",
+        );
+        console.log(
+          chalk.green("  ✓ Firestore enabled (nam5 — US multi-region)"),
+        );
+        results.firestoreEnabled = true;
+        break;
+      } catch (e) {
+        const msg = e.message || "";
+        // Also capture stdout/stderr from the original exec error for detection.
+        const fullOutput = [msg, e.stdout || "", e.stderr || ""].join("\n");
+
+        if (
+          fullOutput.includes("already exists") ||
+          fullOutput.includes("ALREADY_EXISTS") ||
+          fullOutput.includes("database already exists")
+        ) {
+          console.log(
+            chalk.yellow("  ⚠ Firestore already enabled — continuing."),
+          );
+          results.firestoreEnabled = true;
+          break;
+        }
+
+        if (
+          (fullOutput.includes("billing") ||
+            fullOutput.includes("FAILED_PRECONDITION") ||
+            fullOutput.includes("403")) &&
+          attempt === 0
+        ) {
+          // First attempt failed due to billing — guide the user through upgrading.
+          console.log(
+            chalk.yellow(
+              "\n  Firestore requires the Blaze (pay-as-you-go) plan.",
+            ),
+          );
+          console.log(
+            chalk.yellow(
+              "  The Blaze plan has a generous free tier — you likely won't be charged.\n",
+            ),
+          );
+
+          const billingUrl = `https://console.firebase.google.com/project/${projectId}/usage/details`;
+          console.log(chalk.bold(`  Opening: ${chalk.cyan(billingUrl)}\n`));
+          openBrowser(billingUrl);
+
+          await waitForEnter(
+            chalk.bold("  Press Enter after upgrading to Blaze plan... "),
+          );
+          console.log(chalk.dim("\n  Retrying Firestore creation...\n"));
+          continue;
+        }
+
+        // Final attempt failed.
+        console.error(chalk.red(`  ✗ ${e.message}`));
+        break;
+      }
     }
   }
 
-  // ── Step 8: Deploy security rules ───────────────────────────────────────
+  // ── Step 6: Enable Anonymous Authentication ─────────────────────────────
 
   console.log(
-    chalk.bold("\n📋 Step 8/12 — Deploying Firestore security rules...\n"),
+    chalk.bold("\n📋 Step 6/11 — Enabling Anonymous Authentication...\n"),
   );
 
-  // Walk up from the relay directory to find firestore.rules in the project root.
-  const __dirname = dirname(fileURLToPath(import.meta.url));
-  const rulesPath = findFileUpwards("firestore.rules", join(__dirname, ".."));
+  try {
+    await enableAnonymousAuth(projectId);
+    console.log(chalk.green("  ✓ Anonymous Authentication enabled"));
+    results.anonymousAuthEnabled = true;
+  } catch (e) {
+    console.error(chalk.red(`  ✗ Could not enable Anonymous Auth.`));
+    console.error(chalk.dim(`  ${e.message}\n`));
+    console.error(chalk.bold("  Enable it manually:"));
+    console.error(
+      chalk.cyan(
+        `  https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+      ),
+    );
+    console.error(chalk.dim("  → Click Anonymous → Enable → Save\n"));
+  }
 
-  if (rulesPath) {
-    console.log(chalk.dim(`  Found rules at: ${rulesPath}`));
-    const rulesDir = dirname(rulesPath);
+  // ── Step 7: Install cloudflared tunnel binary ────────────────────────────
 
-    try {
-      // Deploy rules using the directory containing firestore.rules.
-      runOrFail(
-        `firebase deploy --only firestore:rules --project ${projectId}`,
-        "Failed to deploy Firestore security rules.",
+  console.log(
+    chalk.bold("\n📋 Step 7/11 — Installing cloudflared tunnel binary...\n"),
+  );
+
+  try {
+    const cfPath = await installCloudflared();
+    console.log(chalk.green(`  ✓ cloudflared installed at ${cfPath}`));
+    if (isCloudflaredWorking(cfPath)) {
+      console.log(chalk.green("  ✓ cloudflared verified and functional"));
+    } else {
+      console.log(
+        chalk.yellow("  ⚠ cloudflared installed but verification failed"),
       );
-      console.log(chalk.green("  ✓ Firestore security rules deployed"));
-    } catch (e) {
-      console.warn(chalk.yellow(`  ⚠ Could not deploy rules automatically.`));
-      console.warn(chalk.dim(`  ${e.message}`));
-      console.warn(
-        chalk.dim(
-          "  You can deploy them manually: firebase deploy --only firestore:rules --project " +
-            projectId,
-        ),
+      console.log(
+        chalk.dim("  Live preview tunnels may fall back to localtunnel"),
       );
     }
-  } else {
-    console.log(chalk.yellow("  ⚠ No firestore.rules file found — skipping."));
+  } catch (e) {
+    console.log(
+      chalk.yellow(`  ⚠ Could not install cloudflared: ${e.message}`),
+    );
     console.log(
       chalk.dim(
-        "  You can add rules later and deploy with: firebase deploy --only firestore:rules --project " +
-          projectId,
+        "  Live preview will use localtunnel as fallback (may show splash page)",
+      ),
+    );
+    console.log(
+      chalk.dim(
+        "  Install manually: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/\n",
       ),
     );
   }
 
-  // ── Step 9: Set up service account credentials ──────────────────────────
+  // ── Step 8: Service account key ─────────────────────────────────────────
 
   console.log(
-    chalk.bold("\n📋 Step 9/12 — Setting up service account credentials...\n"),
+    chalk.bold("\n📋 Step 8/11 — Setting up service account credentials...\n"),
   );
 
   const saKeyPath = join(forgeDir, "service-account.json");
 
-  // Ensure ~/.forge-remote directory exists.
-  if (!existsSync(forgeDir)) {
-    mkdirSync(forgeDir, { recursive: true });
-  }
-
-  let saReady = false;
-
   if (existsSync(saKeyPath)) {
-    console.log(
-      chalk.green(`  ✓ Service account key already exists at ${saKeyPath}`),
-    );
-    saReady = true;
-  } else {
-    // Try to find the service account email for this project.
-    let saEmail = null;
-
+    // Verify the existing key is for the correct project.
     try {
-      const saListOutput = run(
-        `gcloud iam service-accounts list --project ${projectId} --format="value(email)" --filter="email:firebase-adminsdk"`,
-        { silent: true },
-      );
-      if (saListOutput) {
-        saEmail = saListOutput.split("\n")[0].trim();
+      const existingKey = JSON.parse(readFileSync(saKeyPath, "utf-8"));
+      if (existingKey.project_id && existingKey.project_id !== projectId) {
+        console.log(
+          chalk.yellow(
+            `  ⚠ Existing key is for project "${existingKey.project_id}", not "${projectId}".`,
+          ),
+        );
+        console.log(
+          chalk.yellow("  Generating a new key for the correct project..."),
+        );
+      } else {
+        console.log(
+          chalk.green(`  ✓ Service account key already exists at ${saKeyPath}`),
+        );
+        results.serviceAccountKeyReady = true;
       }
     } catch {
-      // gcloud not available — fall through to manual instructions.
+      // Can't parse — regenerate.
+      console.log(chalk.yellow("  ⚠ Existing key is corrupt. Regenerating..."));
     }
+  }
 
-    if (saEmail) {
-      // gcloud is available — try to generate the key automatically.
-      console.log(chalk.dim(`  Found service account: ${saEmail}`));
-
-      try {
-        runOrFail(
-          `gcloud iam service-accounts keys create "${saKeyPath}" --iam-account="${saEmail}" --project="${projectId}"`,
-          "Failed to create service account key.",
-        );
-        console.log(
-          chalk.green(`  ✓ Service account key saved to ${saKeyPath}`),
+  if (!results.serviceAccountKeyReady) {
+    try {
+      // Enable the IAM API (required to list/create service account keys).
+      console.log(chalk.dim("  Enabling IAM API (if not already enabled)..."));
+      await enableApi(projectId, "iam.googleapis.com");
+      console.log(chalk.green("  ✓ IAM API enabled"));
+
+      console.log(chalk.dim("  Finding Firebase Admin SDK service account..."));
+      const sa = await findFirebaseAdminSdkAccount(projectId);
+      if (!sa) {
+        throw new Error(
+          "No firebase-adminsdk service account found for this project.",
         );
-        saReady = true;
-      } catch (e) {
-        console.warn(chalk.yellow("  ⚠ Could not generate key automatically."));
-        console.warn(chalk.dim(`  ${e.message}`));
       }
-    }
+      console.log(chalk.dim(`  Found: ${sa.email}`));
 
-    if (!saReady) {
-      // Fallback: guide the user to download manually.
-      const consoleUrl = `https://console.firebase.google.com/project/${projectId}/settings/serviceaccounts/adminsdk`;
+      console.log(chalk.dim("  Generating private key..."));
+      const keyJson = await createServiceAccountKey(projectId, sa.email);
+      writeFileSync(saKeyPath, JSON.stringify(keyJson, null, 2), {
+        mode: 0o600,
+      });
+      console.log(chalk.green(`  ✓ Service account key saved to ${saKeyPath}`));
+      results.serviceAccountKeyReady = true;
+    } catch (e) {
+      console.error(chalk.red(`  ✗ ${e.message}`));
 
-      console.log(
-        chalk.yellow("  gcloud CLI not available or key generation failed."),
-      );
-      console.log(
-        chalk.yellow("  Please download the service account key manually:\n"),
-      );
-      console.log(chalk.bold(`  1. Open: ${chalk.cyan(consoleUrl)}`));
-      console.log(chalk.bold('  2. Click "Generate new private key"'));
-      console.log(
+      const consoleUrl = `https://console.firebase.google.com/project/${projectId}/settings/serviceaccounts/adminsdk`;
+      console.error(chalk.bold("\n  Download the key manually:"));
+      console.error(chalk.bold(`  1. Open: ${chalk.cyan(consoleUrl)}`));
+      console.error(chalk.bold('  2. Click "Generate new private key"'));
+      console.error(
         chalk.bold(`  3. Save the file to: ${chalk.cyan(saKeyPath)}\n`),
       );
+    }
+  }
 
-      console.log(
-        chalk.yellow(
-          `  Save the key to ${chalk.cyan(saKeyPath)} and re-run, or run ${chalk.cyan("forge-remote start")} once the key is in place.\n`,
-        ),
+  // ── Step 8: Deploy Firestore security rules ─────────────────────────────
+
+  console.log(
+    chalk.bold("\n📋 Step 9/11 — Deploying Firestore security rules...\n"),
+  );
+
+  try {
+    // Read the bundled rules file from the package directory.
+    const __dirname = dirname(fileURLToPath(import.meta.url));
+    const packageRoot = join(__dirname, "..");
+    const rulesPath = join(packageRoot, "firestore.rules");
+
+    if (!existsSync(rulesPath)) {
+      throw new Error(
+        `Rules file not found at ${rulesPath}. Package may be corrupted.`,
       );
     }
+
+    const rulesContent = readFileSync(rulesPath, "utf-8");
+    console.log(chalk.dim("  Deploying rules via Firebase Rules API..."));
+
+    await deployFirestoreRules(projectId, rulesContent);
+    console.log(chalk.green("  ✓ Firestore security rules deployed"));
+    results.rulesDeployed = true;
+  } catch (e) {
+    console.error(chalk.red(`  ✗ Could not deploy rules: ${e.message}`));
+    console.error(
+      chalk.dim(
+        `  You can deploy manually: firebase deploy --only firestore:rules --project ${projectId}\n`,
+      ),
+    );
   }
 
-  // ── Step 10: Register desktop in Firestore ──────────────────────────────
+  // ── Step 9: Register desktop + verify connection ────────────────────────
 
   console.log(
-    chalk.bold("\n📋 Step 10/12 — Registering desktop in Firestore...\n"),
+    chalk.bold(
+      "\n📋 Step 10/11 — Registering desktop & verifying connection...\n",
+    ),
   );
 
-  const desktopId = getDesktopId();
+  // Use cached desktop ID if available (stable across network changes).
+  const desktopId = cachedConfig.desktopId || getDesktopId();
   const platformName = getPlatformName();
   const host = hostname();
 
-  if (saReady) {
+  if (results.serviceAccountKeyReady && results.firestoreEnabled) {
     try {
       const serviceAccount = JSON.parse(readFileSync(saKeyPath, "utf-8"));
 
-      initializeApp({
-        credential: cert(serviceAccount),
-      });
-
+      initializeApp({ credential: cert(serviceAccount) });
       const db = getFirestore();
+
+      // Verification: write, read, delete a test document.
+      console.log(chalk.dim("  Verifying Firestore connection..."));
+      const testDocRef = db.collection("_forge_remote_init_test").doc();
+      await testDocRef.set({ test: true, ts: FieldValue.serverTimestamp() });
+      const snap = await testDocRef.get();
+      if (!snap.exists) throw new Error("Verification read failed.");
+      await testDocRef.delete();
+      console.log(chalk.green("  ✓ Firestore connection verified"));
+
+      // Register the desktop.
       const desktopRef = db.collection("desktops").doc(desktopId);
       const doc = await desktopRef.get();
 
@@ -550,7 +749,7 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
         });
       } else {
         await desktopRef.set({
-          ownerUid: "", // Will be set during pairing.
+          ownerUid: null, // Will be set when the mobile app scans the QR code.
           hostname: host,
           platform: platformName,
           status: "online",
@@ -563,18 +762,21 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
       console.log(
         chalk.green(`  ✓ Desktop registered: ${desktopId} (${host})`),
       );
+      results.desktopRegistered = true;
     } catch (e) {
-      console.warn(
-        chalk.yellow(`  ⚠ Could not register desktop: ${e.message}`),
+      console.error(
+        chalk.red(`  ✗ Connection verification failed: ${e.message}`),
       );
-      console.warn(
-        chalk.dim("  The relay will register on first `forge-remote start`.\n"),
+      console.error(
+        chalk.dim(
+          "  The relay will attempt to register on first `forge-remote start`.\n",
+        ),
       );
     }
   } else {
     console.log(
       chalk.yellow(
-        "  ⚠ Skipping desktop registration (no service account key).",
+        "  ⚠ Skipping (missing service account key or Firestore not ready).",
       ),
     );
     console.log(
@@ -582,9 +784,79 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
     );
   }
 
-  // ── Step 11: Build QR payload ───────────────────────────────────────────
+  // ── Step 10: QR code or failure summary ─────────────────────────────────
 
-  console.log(chalk.bold("\n📋 Step 11/12 — Building pairing QR code...\n"));
+  console.log(chalk.bold("\n📋 Step 11/11 — Finalizing...\n"));
+
+  const CRITICAL_STEPS = [
+    "firestoreEnabled",
+    "anonymousAuthEnabled",
+    "serviceAccountKeyReady",
+    "rulesDeployed",
+    "desktopRegistered",
+  ];
+
+  const stepLabels = {
+    firestoreEnabled: {
+      label: "Firestore database",
+      fix: `https://console.firebase.google.com/project/${projectId}/firestore`,
+    },
+    anonymousAuthEnabled: {
+      label: "Anonymous Authentication",
+      fix: `https://console.firebase.google.com/project/${projectId}/authentication/providers`,
+    },
+    serviceAccountKeyReady: {
+      label: "Service account key",
+      fix: `https://console.firebase.google.com/project/${projectId}/settings/serviceaccounts/adminsdk`,
+    },
+    rulesDeployed: {
+      label: "Firestore security rules",
+      fix: `firebase deploy --only firestore:rules --project ${projectId}`,
+    },
+    desktopRegistered: {
+      label: "Desktop registration",
+      fix: "Will auto-register on first `forge-remote start`",
+    },
+  };
+
+  const failures = CRITICAL_STEPS.filter((step) => !results[step]);
+
+  if (failures.length > 0) {
+    // ── FAILURE — show summary and do NOT show QR code ──────────────────
+
+    const failLine = "═".repeat(50);
+    console.log(`\n${chalk.bold.red(failLine)}`);
+    console.log(
+      chalk.bold.red("  SETUP INCOMPLETE — Some steps need attention"),
+    );
+    console.log(`${chalk.bold.red(failLine)}\n`);
+
+    for (const step of CRITICAL_STEPS) {
+      const info = stepLabels[step];
+      if (results[step]) {
+        console.log(chalk.green(`  ✓ ${info.label}`));
+      } else {
+        console.log(chalk.red(`  ✗ ${info.label}`));
+        console.log(chalk.dim(`    → ${info.fix}`));
+      }
+    }
+
+    console.log(
+      chalk.bold(
+        `\n  Fix the issues above, then re-run: ${chalk.cyan("forge-remote init")}\n`,
+      ),
+    );
+    process.exit(1);
+  }
+
+  // ── SUCCESS — all critical steps passed, show QR code ─────────────────
+
+  // Persist project ID and desktop ID so re-runs (even on different networks)
+  // always target the same Firebase project and desktop document.
+  writeFileSync(configPath, JSON.stringify({ projectId, desktopId }, null, 2));
+  console.log(
+    chalk.dim(`  Config saved to ${configPath} (stable across networks)`),
+  );
 
   const qrPayload = {
     v: 1,
@@ -604,10 +876,6 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
 
   const qrString = JSON.stringify(qrPayload);
 
-  // ── Step 12: Display QR code ────────────────────────────────────────────
-
-  console.log(chalk.bold("\n📋 Step 12/12 — Displaying QR code...\n"));
-
   console.log(
     chalk.cyan("  Scan this QR code with the Forge Remote mobile app:\n"),
   );
@@ -617,8 +885,7 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
   console.log(chalk.dim("\n  Raw pairing data (for manual entry):\n"));
   console.log(chalk.dim(`  ${qrString}\n`));
 
-  // ── Success! ────────────────────────────────────────────────────────────
-
+  // Success banner.
   const successLine = "═".repeat(50);
 
   console.log(`\n${chalk.bold.green(successLine)}`);
@@ -626,10 +893,10 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
   console.log(`${chalk.bold.green(successLine)}\n`);
 
   console.log(chalk.bold("  What's next:\n"));
-  console.log(`  1. Scan the QR code above with the Forge Remote app`);
+  console.log("  1. Scan the QR code above with the Forge Remote app");
   console.log(`  2. Start the relay:  ${chalk.cyan("forge-remote start")}`);
   console.log(
-    `  3. Open a Claude Code session and watch it appear in the app!\n`,
+    "  3. Open a Claude Code session and watch it appear in the app!\n",
   );
 
   console.log(chalk.dim("  Your Firebase project:"));
@@ -639,7 +906,7 @@ export async function runInit({ projectId: overrideProjectId } = {}) {
 
   console.log(
     chalk.dim(
-      "  Love Forge Remote? Support us: https://github.com/sponsors/AirForgeApps\n",
+      "  Love Forge Remote? Support us: https://github.com/sponsors/IronForgeApps\n",
     ),
   );
 }