typeclaw 0.10.0 → 0.11.0

package/src/cli/channel.ts

@@ -8,8 +8,10 @@ import { config } from '@/config'
 import { start, status, stop } from '@/container'
 import {
   CHANNEL_KINDS,
+  appendOrReplaceEnvKey,
   findAgentDir,
   formatEagerGithubWebhookInstallResult,
+  hasEnvKey,
   isInitialized,
   readConfiguredChannels,
   readGithubAuthType,
@@ -61,7 +63,7 @@ const addSub = defineCommand({
 
     intro(`Adding channel: ${CHANNEL_LABELS[channel]}`)
 
-    const credentials = await collectCredentials(channel)
+    const credentials = await collectCredentials(channel, cwd)
 
     const events: AddChannelStepEvent[] = []
     try {
@@ -518,14 +520,14 @@ async function runSetGithub(cwd: string): Promise<void> {
   }
   const authLabel =
     authType === 'pat'
-      ? 'Personal access token (PAT) — the authentication credential (recommended)'
-      : 'GitHub App private key — the authentication credential (recommended)'
+      ? 'Auth credential — rotate the PAT, or switch to GitHub App auth (recommended)'
+      : 'Auth credential — rotate the App private key, or switch to PAT auth (recommended)'
   const choice = await select<GithubSetChoice>({
-    message: 'Which GitHub secret do you want to rotate?',
+    message: 'Which GitHub secret do you want to update?',
     options: [
       { value: 'auth', label: authLabel },
       { value: 'webhook', label: 'Webhook secret — shared secret for verifying GitHub payloads' },
-      { value: 'both', label: 'Both secrets — rotate the auth credential and the webhook secret' },
+      { value: 'both', label: 'Both secrets — update the auth credential and the webhook secret' },
     ],
     initialValue: 'auth',
   })
@@ -537,36 +539,7 @@ async function runSetGithub(cwd: string): Promise<void> {
   const patch: GithubCredentialPatch = {}
 
   if (choice === 'auth' || choice === 'both') {
-    if (authType === 'pat') {
-      note(
-        [
-          'Rotate at https://github.com/settings/personal-access-tokens.',
-          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
-          'Metadata read, and Webhooks read/write.',
-        ].join('\n'),
-        'Rotate the GitHub PAT',
-      )
-      const { pat } = await promptGithubPatAuth()
-      patch.auth = { type: 'pat', pat }
-    } else {
-      note(
-        [
-          'Rotate at https://github.com/settings/apps/<your-app> → Private keys → Generate a private key.',
-          'GitHub immediately downloads the new .pem. The previous key keeps working until you delete it,',
-          'so it is safe to rotate without downtime.',
-        ].join('\n'),
-        'Rotate the GitHub App private key',
-      )
-      const privateKeyInput = await text({
-        message: 'New GitHub App private key PEM, escaped PEM, or path to .pem file',
-        validate: (value) => (value && value.length > 0 ? undefined : 'Private key is required'),
-      })
-      if (isCancel(privateKeyInput)) {
-        cancel('Aborted.')
-        process.exit(0)
-      }
-      patch.auth = { type: 'app', privateKey: await resolvePrivateKeyInput(privateKeyInput) }
-    }
+    patch.auth = await promptGithubAuthUpdate(authType)
   }
 
   if (choice === 'webhook' || choice === 'both') {
@@ -604,7 +577,7 @@ type CollectedCredentials =
       auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
     }
 
-async function collectCredentials(channel: ChannelKind): Promise<CollectedCredentials> {
+async function collectCredentials(channel: ChannelKind, cwd: string): Promise<CollectedCredentials> {
   switch (channel) {
     case 'discord-bot':
       return { channel, discordBotToken: await promptDiscordToken() }
@@ -628,17 +601,19 @@ async function collectCredentials(channel: ChannelKind): Promise<CollectedCreden
       }
     }
     case 'github': {
-      const creds = await promptGithubCredentials()
+      const creds = await promptGithubCredentials(cwd)
       return { channel, ...creds }
     }
   }
 }
 
-async function promptGithubCredentials(): Promise<{
+async function promptGithubCredentials(cwd: string): Promise<{
   webhookSecret: string
   tunnelProvider: GithubTunnelProvider
   webhookUrl?: string
   webhookPort?: number
+  hostname?: string
+  tokenEnv?: string
   repos: string[]
   auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
 }> {
@@ -670,6 +645,10 @@ async function promptGithubCredentials(): Promise<{
         value: 'cloudflare-quick',
         label: 'Cloudflare Quick Tunnel — no signup, URL rotates on restart (recommended)',
       },
+      {
+        value: 'cloudflare-named',
+        label: 'Cloudflare Named Tunnel — stable URL, needs Cloudflare account + domain',
+      },
       { value: 'external', label: 'External URL — I have my own reverse proxy / tunnel' },
       { value: 'none', label: 'None — configure later by hand-editing typeclaw.json' },
     ],
@@ -690,6 +669,7 @@ async function promptGithubCredentials(): Promise<{
     cancel('Aborted.')
     process.exit(0)
   }
+  const namedCreds = tunnelProvider === 'cloudflare-named' ? await promptCloudflareNamedTunnel(cwd) : undefined
   const port = await text({
     message: 'Local webhook port inside the agent container',
     initialValue: '8975',
@@ -727,11 +707,128 @@ async function promptGithubCredentials(): Promise<{
     tunnelProvider,
     ...(webhookUrl !== undefined ? { webhookUrl } : {}),
     webhookPort: Number(port),
+    ...(namedCreds !== undefined ? namedCreds : {}),
     repos: parseRepos(reposRaw),
     auth,
   }
 }
 
+async function promptCloudflareNamedTunnel(cwd: string): Promise<{ hostname: string; tokenEnv: string }> {
+  const tokenEnv = 'CLOUDFLARE_TUNNEL_TOKEN'
+  note(
+    [
+      'Cloudflare Named Tunnel needs a tunnel you created in the Zero Trust dashboard:',
+      '  1. Networks → Tunnels → Create a tunnel → Cloudflared. Copy the token shown on the install screen.',
+      '  2. Public Hostname tab → Add: subdomain + your-domain, service type HTTP, URL localhost:<webhook port>.',
+      `  3. Paste the token below when prompted — TypeClaw will write it to .env as ${tokenEnv}.`,
+      'A tunnel without a Public Hostname registers but routes nothing.',
+    ].join('\n'),
+    'Cloudflare named tunnel',
+  )
+  const hostname = await text({
+    message: 'Public hostname configured in the dashboard (https://...)',
+    validate: (value) => validateUrl(value ?? '', 'Hostname is required'),
+  })
+  if (isCancel(hostname)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  if (!hasEnvKey(cwd, tokenEnv)) {
+    const token = await password({
+      message: `Cloudflare tunnel token (will be written to .env as ${tokenEnv})`,
+      validate: (value) => (value && value.length > 0 ? undefined : 'Token is required'),
+    })
+    if (isCancel(token)) {
+      cancel('Aborted.')
+      process.exit(0)
+    }
+    appendOrReplaceEnvKey(cwd, tokenEnv, token)
+  }
+  return { hostname, tokenEnv }
+}
+
+type GithubAuthUpdateAction = 'rotate' | 'switch'
+
+async function promptGithubAuthUpdate(currentType: 'pat' | 'app'): Promise<GithubCredentialPatch['auth']> {
+  const rotateLabel =
+    currentType === 'pat'
+      ? 'Rotate the PAT (replace the current personal access token)'
+      : 'Rotate the App private key (replace the current GitHub App private key)'
+  const switchLabel =
+    currentType === 'pat'
+      ? 'Switch to GitHub App auth (replace the PAT with App credentials)'
+      : 'Switch to PAT auth (replace the App credentials with a personal access token)'
+  const action = await select<GithubAuthUpdateAction>({
+    message: 'Update the GitHub auth credential',
+    options: [
+      { value: 'rotate', label: rotateLabel },
+      { value: 'switch', label: switchLabel },
+    ],
+    initialValue: 'rotate',
+  })
+  if (isCancel(action)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+
+  const nextType: 'pat' | 'app' = action === 'rotate' ? currentType : currentType === 'pat' ? 'app' : 'pat'
+
+  if (nextType === 'pat') {
+    if (action === 'rotate') {
+      note(
+        [
+          'Rotate at https://github.com/settings/personal-access-tokens.',
+          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+          'Metadata read, and Webhooks read/write.',
+        ].join('\n'),
+        'Rotate the GitHub PAT',
+      )
+    } else {
+      note(
+        [
+          'Create a fine-grained PAT at https://github.com/settings/personal-access-tokens.',
+          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+          'Metadata read, and Webhooks read/write.',
+        ].join('\n'),
+        'Switch to GitHub PAT auth',
+      )
+    }
+    return await promptGithubPatAuth()
+  }
+
+  if (action === 'rotate') {
+    note(
+      [
+        'Rotate at https://github.com/settings/apps/<your-app> → Private keys → Generate a private key.',
+        'GitHub immediately downloads the new .pem. The previous key keeps working until you delete it,',
+        'so it is safe to rotate without downtime.',
+      ].join('\n'),
+      'Rotate the GitHub App private key',
+    )
+    const privateKeyInput = await text({
+      message: 'New GitHub App private key PEM, escaped PEM, or path to .pem file',
+      validate: (value) => (value && value.length > 0 ? undefined : 'Private key is required'),
+    })
+    if (isCancel(privateKeyInput)) {
+      cancel('Aborted.')
+      process.exit(0)
+    }
+    return { type: 'app', privateKey: await resolvePrivateKeyInput(privateKeyInput) }
+  }
+
+  note(
+    [
+      'Create a GitHub App at https://github.com/settings/apps/new and install it on your repositories.',
+      'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+      'Metadata read, and Webhooks read/write.',
+      'Then collect the App ID, generate a private key (.pem), and grab the Installation ID from the URL',
+      'of the installation page (https://github.com/settings/installations/<installation-id>).',
+    ].join('\n'),
+    'Switch to GitHub App auth',
+  )
+  return await promptGithubAppAuth()
+}
+
 async function promptGithubPatAuth(): Promise<{ type: 'pat'; pat: string }> {
   const pat = await password({
     message: 'GitHub fine-grained PAT',

package/src/cli/init.ts

@@ -6,7 +6,6 @@ import { defineCommand } from 'citty'
 
 import {
   KNOWN_PROVIDERS,
-  providerForModelRef,
   supportsApiKey as providerSupportsApiKey,
   supportsOAuth as providerSupportsOAuth,
   type KnownModelRef,
@@ -14,9 +13,12 @@ import {
 } from '@/config/providers'
 import { checkDockerAvailable, type DockerAvailability } from '@/container'
 import {
+  appendOrReplaceEnvKey,
   findAgentDir,
   formatEagerGithubWebhookInstallResult,
+  hasEnvKey,
   hasExistingChannelSecrets,
+  hasExistingOAuthCredentials,
   isDirectoryNonEmpty,
   isHatched,
   readExistingProviderApiKey,
@@ -79,8 +81,17 @@ export const init = defineCommand({
     name: 'init',
     description: 'initialize a new typeclaw agent in the current directory',
   },
-  async run() {
+  args: {
+    reset: {
+      type: 'boolean',
+      description:
+        'ignore any partial secrets.json state from an earlier aborted run and re-prompt for every credential',
+      default: false,
+    },
+  },
+  async run({ args }) {
     const cwd = process.cwd()
+    const reset = args.reset === true
 
     const existingAgent = findAgentDir(cwd)
     if (existingAgent !== null && existingAgent !== cwd) {
@@ -129,7 +140,7 @@ export const init = defineCommand({
 
     let collected: CollectedInputs
     try {
-      collected = await collectWizardInputs(cwd, defaultWizardPrompts)
+      collected = await collectWizardInputs(cwd, defaultWizardPrompts, { reset })
     } catch (error) {
       if (error instanceof WizardAbortedError) {
         if (error.oauthCredentialsSaved) {
@@ -330,17 +341,13 @@ type StepId =
 export interface WizardPrompts {
   loadCatalog: () => Promise<NonNullable<WizardState['catalog']>>
   readExistingApiKey: (cwd: string, providerId: KnownProviderId) => Promise<string | null>
+  hasExistingOAuthCredentials: (cwd: string, providerId: KnownProviderId) => Promise<boolean>
   pickProvider: (options: ModelOption[], initial: KnownProviderId | undefined) => Promise<StepResult<KnownProviderId>>
   pickModel: (
     options: ModelOption[],
     providerId: KnownProviderId,
     initial: KnownModelRef | undefined,
   ) => Promise<StepResult<ModelOption>>
-  askReuseExistingKey: (
-    provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
-    existingApiKey: string | null,
-    initial: boolean | undefined,
-  ) => Promise<StepResult<'reuse' | 'prompt'>>
   pickAuthMethod: (
     provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
     initial: 'api-key' | 'oauth' | undefined,
@@ -358,17 +365,12 @@ export interface WizardPrompts {
   ) => Promise<StepResult<ModelOption>>
   pickChannel: (initial: ChannelChoice | undefined) => Promise<StepResult<ChannelChoice>>
   hasExistingChannelSecrets: (cwd: string, channel: Exclude<ChannelChoice, 'none'>) => Promise<boolean>
-  askReuseExistingChannel: (channel: Exclude<ChannelChoice, 'none'>) => Promise<StepResult<'reuse' | 'prompt'>>
-  runChannelFlow: (choice: ChannelChoice) => Promise<StepResult<CollectedInputs['channelSecrets']>>
+  runChannelFlow: (choice: ChannelChoice, cwd: string) => Promise<StepResult<CollectedInputs['channelSecrets']>>
   runOAuthLogin: (
     provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
     cwd: string,
     model: KnownModelRef,
   ) => Promise<OAuthLoginResult>
-  // Asked after a failed OAuth login. `apiKeyAvailable` is true when the
-  // provider also supports api-key auth (so the wizard can offer a fallback
-  // path); false for OAuth-only providers like openai-codex, where the only
-  // options are retry or abort.
   askOAuthFailureRecovery: (
     provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
     reason: string,
@@ -376,14 +378,18 @@ export interface WizardPrompts {
   ) => Promise<OAuthFailureRecovery>
 }
 
+export type CollectWizardInputsOptions = {
+  reset?: boolean
+}
+
 export type OAuthFailureRecovery = 'retry' | 'api-key' | 'abort'
 
 export const defaultWizardPrompts: WizardPrompts = {
   loadCatalog,
   readExistingApiKey: readExistingProviderApiKey,
+  hasExistingOAuthCredentials,
   pickProvider,
   pickModel: pickModelForProvider,
-  askReuseExistingKey,
   pickAuthMethod,
   askApiKey,
   validateApiKey,
@@ -391,7 +397,6 @@ export const defaultWizardPrompts: WizardPrompts = {
   pickVisionModel,
   pickChannel,
   hasExistingChannelSecrets,
-  askReuseExistingChannel,
   runChannelFlow,
   runOAuthLogin: async (provider, cwd, model) => {
     const { callbacks, dispose } = buildOAuthCallbacks(provider.name)
@@ -404,7 +409,12 @@ export const defaultWizardPrompts: WizardPrompts = {
   askOAuthFailureRecovery,
 }
 
-export async function collectWizardInputs(cwd: string, prompts: WizardPrompts): Promise<CollectedInputs> {
+export async function collectWizardInputs(
+  cwd: string,
+  prompts: WizardPrompts,
+  options: CollectWizardInputsOptions = {},
+): Promise<CollectedInputs> {
+  const reset = options.reset === true
   const catalog = await prompts.loadCatalog()
   const state: WizardState = { catalog }
   let step: StepId = 'pick-provider'
@@ -425,6 +435,21 @@ export async function collectWizardInputs(cwd: string, prompts: WizardPrompts):
     return result
   }
 
+  const readExistingApiKey = async (providerId: KnownProviderId): Promise<string | null> => {
+    if (reset) return null
+    return await prompts.readExistingApiKey(cwd, providerId)
+  }
+
+  const hasExistingOAuth = async (providerId: KnownProviderId): Promise<boolean> => {
+    if (reset) return false
+    return await prompts.hasExistingOAuthCredentials(cwd, providerId)
+  }
+
+  const hasExistingChannel = async (channel: Exclude<ChannelChoice, 'none'>): Promise<boolean> => {
+    if (reset) return false
+    return await prompts.hasExistingChannelSecrets(cwd, channel)
+  }
+
   while (true) {
     switch (step) {
       case 'pick-provider': {
@@ -456,17 +481,15 @@ export async function collectWizardInputs(cwd: string, prompts: WizardPrompts):
 
       case 'reuse-existing-key': {
         const provider = KNOWN_PROVIDERS[state.providerId!]
-        const existingApiKey = await prompts.readExistingApiKey(cwd, state.providerId!)
-        const decision = onResult(
-          step,
-          await prompts.askReuseExistingKey(provider, existingApiKey, state.reuseExisting),
-        )
-        if (decision.kind === 'back') {
-          step = 'pick-model'
-          break
-        }
-        if (decision.value === 'reuse' && existingApiKey !== null) {
-          log.info(`Using existing ${provider.name} API key from secrets.json.`)
+        // Auto-resume: if `secrets.json` already has a usable api-key for
+        // this provider, reuse it silently. Issue #330: re-running init
+        // after a partial abort should pick up where the user left off
+        // without re-prompting for credentials they already supplied.
+        // `--reset` bypasses this by making `readExistingApiKey` return
+        // null, falling through to the normal auth-method flow.
+        const existingApiKey = await readExistingApiKey(state.providerId!)
+        if (existingApiKey !== null) {
+          log.info(`Reusing existing ${provider.name} API key from secrets.json.`)
           state.llmAuth = { kind: 'api-key', apiKey: existingApiKey }
           state.reuseExisting = true
           step = stepAfterDefaultAuth(state)
@@ -482,11 +505,29 @@ export async function collectWizardInputs(cwd: string, prompts: WizardPrompts):
         const provider = KNOWN_PROVIDERS[state.providerId!]
         const result = onResult(step, await prompts.pickAuthMethod(provider, state.authMethod))
         if (result.kind === 'back') {
-          step = 'reuse-existing-key'
+          // Skip past `reuse-existing-key` — it is a silent auto-resume
+          // step with no user prompt, so unwind directly to pick-model
+          // (the prior user-visible step). This only fires when
+          // pickAuthMethod was an interactive choice (dual-auth providers);
+          // single-method providers return autoValue and never reach the
+          // back branch.
+          step = 'pick-model'
           break
         }
         state.authMethod = result.value
         if (result.value === 'oauth') {
+          // Auto-resume: skip the browser flow when OAuth credentials are
+          // already on disk from a prior partial run. The fresh-tokens path
+          // and the resume path both leave `state.llmAuth = oauth-completed`,
+          // so downstream steps (vision, channel, scaffold) can't tell the
+          // difference. `--reset` short-circuits this by making
+          // `hasExistingOAuth` return false.
+          if (await hasExistingOAuth(state.providerId!)) {
+            log.info(`Reusing existing ${provider.name} OAuth credentials from secrets.json.`)
+            state.llmAuth = { kind: 'oauth-completed' }
+            step = stepAfterDefaultAuth(state)
+            break
+          }
           // Run the browser login eagerly so the user sees the OAuth URL the
           // moment they pick "OAuth (browser login)" — not at the end of the
           // wizard. On failure we ask the user how to recover (retry / fall
@@ -583,9 +624,9 @@ export async function collectWizardInputs(cwd: string, prompts: WizardPrompts):
           step = 'pick-channel'
           break
         }
-        const existingVisionKey = await prompts.readExistingApiKey(cwd, state.visionProviderId!)
+        const existingVisionKey = await readExistingApiKey(state.visionProviderId!)
         if (existingVisionKey !== null) {
-          log.info(`Using existing ${KNOWN_PROVIDERS[state.visionProviderId!].name} API key from secrets.json.`)
+          log.info(`Reusing existing ${KNOWN_PROVIDERS[state.visionProviderId!].name} API key from secrets.json.`)
           state.visionLlmAuth = { kind: 'api-key', apiKey: existingVisionKey }
           state.visionReuseExisting = true
           step = 'pick-channel'
@@ -606,6 +647,16 @@ export async function collectWizardInputs(cwd: string, prompts: WizardPrompts):
         }
         state.visionAuthMethod = result.value
         if (result.value === 'oauth') {
+          // Auto-resume mirror of the default-provider branch above: skip
+          // the browser flow when vision OAuth credentials are already on
+          // disk. The same `--reset` short-circuit applies via
+          // `hasExistingOAuth`.
+          if (await hasExistingOAuth(state.visionProviderId!)) {
+            log.info(`Reusing existing ${provider.name} OAuth credentials from secrets.json.`)
+            state.visionLlmAuth = { kind: 'oauth-completed' }
+            step = 'pick-channel'
+            break
+          }
           // Same eager-login + recovery-prompt rationale as the default-provider branch above.
           const login = await runOAuthLoginSafely(prompts, provider, cwd, state.visionModel!.ref)
           if (!login.ok) {
@@ -667,31 +718,26 @@ export async function collectWizardInputs(cwd: string, prompts: WizardPrompts):
 
       case 'reuse-existing-channel': {
         const choice = state.channelChoice as Exclude<ChannelChoice, 'none'>
-        const present = await prompts.hasExistingChannelSecrets(cwd, choice)
+        // Auto-resume: when usable channel credentials already exist on
+        // disk, reuse them silently — mirrors the api-key and OAuth
+        // resume paths above. `--reset` short-circuits via
+        // `hasExistingChannel` returning false, falling through to the
+        // normal channel-flow prompts.
+        const present = await hasExistingChannel(choice)
         if (!present) {
           state.channelReuseOffered = false
           state.channelReuseExisting = false
           step = 'channel-flow'
           break
         }
+        log.info(`Reusing existing ${channelDisplayName(choice)} credentials from secrets.json.`)
         state.channelReuseOffered = true
-        const decision = onResult(step, await prompts.askReuseExistingChannel(choice))
-        if (decision.kind === 'back') {
-          step = 'pick-channel'
-          break
-        }
-        if (decision.value === 'reuse') {
-          log.info(`Using existing ${channelDisplayName(choice)} credentials from secrets.json.`)
-          state.channelReuseExisting = true
-          return finalize(state, {})
-        }
-        state.channelReuseExisting = false
-        step = 'channel-flow'
-        break
+        state.channelReuseExisting = true
+        return finalize(state, {})
       }
 
       case 'channel-flow': {
-        const result = onResult(step, await prompts.runChannelFlow(state.channelChoice!))
+        const result = onResult(step, await prompts.runChannelFlow(state.channelChoice!, cwd))
         if (result.kind === 'back') {
           step = state.channelReuseOffered === true ? 'reuse-existing-channel' : 'pick-channel'
           break
@@ -818,31 +864,6 @@ async function pickModelForProvider(
   return value(picked)
 }
 
-async function askReuseExistingKey(
-  provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
-  existingApiKey: string | null,
-  initial: boolean | undefined,
-): Promise<StepResult<'reuse' | 'prompt'>> {
-  if (!providerSupportsApiKey(provider) || existingApiKey === null) return value('prompt')
-  const reuse = await confirm({
-    message: `Reuse existing ${provider.name} API key from secrets.json?`,
-    initialValue: initial ?? true,
-  })
-  if (isCancel(reuse)) return back()
-  return value(reuse === true ? 'reuse' : 'prompt')
-}
-
-async function askReuseExistingChannel(
-  channel: Exclude<ChannelChoice, 'none'>,
-): Promise<StepResult<'reuse' | 'prompt'>> {
-  const reuse = await confirm({
-    message: `Reuse existing ${channelDisplayName(channel)} credentials from secrets.json?`,
-    initialValue: true,
-  })
-  if (isCancel(reuse)) return back()
-  return value(reuse === true ? 'reuse' : 'prompt')
-}
-
 async function pickAuthMethod(
   provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
   initial: 'api-key' | 'oauth' | undefined,
@@ -1011,7 +1032,10 @@ async function pickChannel(initial: ChannelChoice | undefined): Promise<StepResu
   return value(choice)
 }
 
-async function runChannelFlow(choice: ChannelChoice): Promise<StepResult<CollectedInputs['channelSecrets']>> {
+async function runChannelFlow(
+  choice: ChannelChoice,
+  cwd: string,
+): Promise<StepResult<CollectedInputs['channelSecrets']>> {
   switch (choice) {
     case 'none':
       return value({})
@@ -1024,7 +1048,7 @@ async function runChannelFlow(choice: ChannelChoice): Promise<StepResult<Collect
     case 'telegram':
       return runTelegramFlow()
     case 'github':
-      return runGithubFlow()
+      return runGithubFlow(cwd)
   }
 }
 
@@ -1144,7 +1168,7 @@ async function runSlackFlow(): Promise<StepResult<CollectedInputs['channelSecret
   }
 }
 
-async function runGithubFlow(): Promise<StepResult<CollectedInputs['channelSecrets']>> {
+async function runGithubFlow(cwd: string): Promise<StepResult<CollectedInputs['channelSecrets']>> {
   note(
     [
       'Choose PAT auth for a quick setup, or GitHub App auth for expiring installation tokens.',
@@ -1171,6 +1195,10 @@ async function runGithubFlow(): Promise<StepResult<CollectedInputs['channelSecre
         value: 'cloudflare-quick',
         label: 'Cloudflare Quick Tunnel — no signup, URL rotates on restart (recommended)',
       },
+      {
+        value: 'cloudflare-named',
+        label: 'Cloudflare Named Tunnel — stable URL, needs Cloudflare account + domain',
+      },
       { value: 'external', label: 'External URL — I have my own reverse proxy / tunnel' },
       { value: 'none', label: 'None — configure later by hand-editing typeclaw.json' },
     ],
@@ -1185,6 +1213,8 @@ async function runGithubFlow(): Promise<StepResult<CollectedInputs['channelSecre
         })
       : undefined
   if (isCancel(webhookUrl)) return back()
+  const namedCreds = tunnelProvider === 'cloudflare-named' ? await promptGithubCloudflareNamedTunnel(cwd) : undefined
+  if (namedCreds === null) return back()
   const port = await text({
     message: 'Local webhook port inside the agent container',
     initialValue: '8975',
@@ -1214,12 +1244,41 @@ async function runGithubFlow(): Promise<StepResult<CollectedInputs['channelSecre
       tunnelProvider,
       ...(webhookUrl !== undefined ? { webhookUrl } : {}),
       webhookPort: Number(port),
+      ...(namedCreds !== undefined ? namedCreds : {}),
       repos: parseGithubRepos(reposRaw),
       auth,
     },
   })
 }
 
+async function promptGithubCloudflareNamedTunnel(cwd: string): Promise<{ hostname: string; tokenEnv: string } | null> {
+  const tokenEnv = 'CLOUDFLARE_TUNNEL_TOKEN'
+  note(
+    [
+      'Cloudflare Named Tunnel needs a tunnel you created in the Zero Trust dashboard:',
+      '  1. Networks → Tunnels → Create a tunnel → Cloudflared. Copy the token shown on the install screen.',
+      '  2. Public Hostname tab → Add: subdomain + your-domain, service type HTTP, URL localhost:<webhook port>.',
+      `  3. Paste the token below when prompted — TypeClaw will write it to .env as ${tokenEnv}.`,
+      'A tunnel without a Public Hostname registers but routes nothing.',
+    ].join('\n'),
+    'Cloudflare named tunnel',
+  )
+  const hostname = await text({
+    message: 'Public hostname configured in the dashboard (https://...)',
+    validate: (v) => validateGithubUrl(v ?? '', 'Hostname is required'),
+  })
+  if (isCancel(hostname)) return null
+  if (!hasEnvKey(cwd, tokenEnv)) {
+    const token = await password({
+      message: `Cloudflare tunnel token (will be written to .env as ${tokenEnv})`,
+      validate: (v) => (v && v.length > 0 ? undefined : 'Token is required'),
+    })
+    if (isCancel(token)) return null
+    appendOrReplaceEnvKey(cwd, tokenEnv, token)
+  }
+  return { hostname, tokenEnv }
+}
+
 async function promptGithubPatAuth(): Promise<{ type: 'pat'; pat: string } | null> {
   const pat = await password({
     message: 'GitHub fine-grained PAT',
@@ -1432,18 +1491,6 @@ function reportHatching(event: Extract<InitStepEvent, { step: 'hatching' }>): vo
   }
 }
 
-export async function decideExistingApiKeyReuse(
-  provider: (typeof KNOWN_PROVIDERS)[KnownProviderId],
-  existingApiKey: string | null,
-  askReuse: (message: string) => Promise<unknown>,
-): Promise<'reuse' | 'prompt' | 'cancel'> {
-  if (!providerSupportsApiKey(provider) || existingApiKey === null) return 'prompt'
-
-  const reuse = await askReuse(`Reuse existing ${provider.name} API key from secrets.json?`)
-  if (isCancel(reuse)) return 'cancel'
-  return reuse === true ? 'reuse' : 'prompt'
-}
-
 function uniqueProviders(options: ModelOption[]): KnownProviderId[] {
   const seen = new Set<KnownProviderId>()
   const out: KnownProviderId[] = []