ObolNetwork
diff --git a/‎CLAUDE.md‎
Lines changed: 2 additions & 1 deletion b/‎CLAUDE.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 13 additions & 8 deletions b/‎README.md‎
Lines changed: 13 additions & 8 deletions
diff --git a/‎cmd/obol/main.go‎
Lines changed: 1 addition & 3 deletions b/‎cmd/obol/main.go‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎cmd/obol/tunnel_domain.go‎
Lines changed: 30 additions & 76 deletions b/‎cmd/obol/tunnel_domain.go‎
Lines changed: 30 additions & 76 deletions
diff --git a/‎docs/guides/monetize-inference.md‎
Lines changed: 9 additions & 0 deletions b/‎docs/guides/monetize-inference.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎internal/tunnel/agent.go‎
Lines changed: 8 additions & 1 deletion b/‎internal/tunnel/agent.go‎
Lines changed: 8 additions & 1 deletion
@@ -87,7 +87,7 @@ obol
 │   └── skills      add, remove, list
 ├── model           setup (has sub: custom), status, token, sync, pull, list, prefer, discover, remove
 ├── app             install, sync, list, delete
-├── tunnel          status, setup, login, provision, restart, stop, logs
+├── tunnel          status, setup, restart, stop, logs (login hidden: browser-managed fallback)
 ├── domain          search, check, register
 ├── kubectl/helm/helmfile/k9s   Passthrough (auto KUBECONFIG)
 ├── update          Helm + CLI version check (--json)
@@ -102,6 +102,7 @@ obol
 - `sell info <name>` prints purchase instructions (URL, model, buy.py command).
 - `sell mcp [name]` runs a foreground x402-paid MCP server: forwards buyer JSON args to a backend HTTP service, injecting the seller's own API key (buyer never sees it). Payment rides MCP `_meta` (`internal/x402mcp`).
 - `sell resume` replays every persisted sell offer (inference incl. detached host-gateway relaunch; http/agent/demo-agent via the manifest ledger at `$OBOL_CONFIG_DIR/sell-http/`) — run after a host reboot; `obol stack up` runs the same path. `--install-boot-unit` adds a systemd user unit (Linux). `sell mcp` is foreground-only, no offer, not resumed.
+- `tunnel setup [<token>]`: the one permanent-URL command. Connector-token based (dashboard-managed) — no host binary, no account-wide API key. Accepts the bare connector token, the `--token` flag, a positional arg, or the whole `cloudflared tunnel run --token …` line (prefix stripped via `extractConnectorToken`). Reuses the remote runtime (`ProvisionWithToken` → `TUNNEL_TOKEN` secret, chart `management_mode=remote`); DNS/ingress are configured by the user in the Cloudflare dashboard (route Public Hostname → `http://traefik.traefik.svc.cluster.local:80`), not via API. The API-token provisioning path was removed (no more `tunnel provision`, no setup `--api-token/--account-id/--zone-id/--register-domain`). `--management local` (alias hidden `tunnel login`) is the browser fallback (needs `cloudflared`). `tunnel status` reads connector health from cloudflared's in-cluster `/ready`+`/metrics` (port 2000, no token) plus a public HTTP probe; concise by default, `--verbose` for replicas/pods, `--no-probe` to stay offline. Domain registration still lives under `obol domain register` (still uses a Cloudflare API token).
 - `hermes` is passthrough to native hermes CLI via `hermes.CLI()` (cmd/obol/hermes.go:27). No Go-level subcommands registered.
 - `bootstrap` (cmd/obol/bootstrap.go) is a hidden command for installer use only — not user-facing.
 
 
@@ -234,20 +234,25 @@ Skills are delivered via host-path PVC injection — no ConfigMap size limits, w
 
 ## Public Access (Cloudflare Tunnel)
 
-Expose your stack to the internet via Cloudflare Tunnel:
+A tunnel exposes your stack to the public internet so buyers can discover and
+pay for the services you sell. You don't need it for local use — set one up once
+you're ready to sell, to get a permanent URL.
 
 ```bash
-# Check tunnel status (quick tunnel mode is the default)
+# Check tunnel status (a temporary quick-tunnel URL is the default)
 obol tunnel status
 
-# Use a persistent hostname
-obol tunnel login --hostname stack.example.com
-
-# Or provision via API
-obol tunnel provision --hostname stack.example.com \
-  --account-id ... --zone-id ... --api-token ...
+# Create a permanent URL. Create a tunnel in the Cloudflare dashboard
+# (Networks → Tunnels), route its Public Hostname to
+# http://traefik.traefik.svc.cluster.local:80, then paste the connector token —
+# you can paste the whole `cloudflared tunnel run --token …` line:
+obol tunnel setup --hostname stack.example.com <connector-token>
 ```
 
+This uses a least-privilege, single-tunnel connector token — no account-wide API
+key required. (Advanced: `obol tunnel setup --management local` uses a browser
+login on this machine instead, which needs `cloudflared` installed.)
+
 ## Managing the Stack
 
 ```bash
 
@@ -102,9 +102,7 @@ COMMANDS:
 
    Tunnel Management:
      tunnel status    Show tunnel status and public URL
-     tunnel setup     Guided persistent tunnel setup with optional domain registration
-     tunnel login     Authenticate and create persistent tunnel (browser)
-     tunnel provision Provision persistent tunnel (API token)
+     tunnel setup     Create a permanent public URL with a Cloudflare tunnel
      tunnel restart   Restart tunnel connector (quick tunnels get new URL)
      tunnel stop      Stop the tunnel connector
      tunnel logs      View cloudflared logs
 
@@ -19,17 +19,31 @@ func tunnelCommand(cfg *config.Config) *cli.Command {
 			{
 				Name:  "status",
 				Usage: "Show tunnel status and public URL",
+				Flags: []cli.Flag{
+					&cli.BoolFlag{Name: "no-probe", Usage: "Skip connector and public reachability probes (offline/fast)"},
+				},
 				Action: func(ctx context.Context, cmd *cli.Command) error {
-					return tunnel.Status(cfg, getUI(cmd))
+					return tunnel.Status(cfg, getUI(cmd), tunnel.StatusOptions{NoProbe: cmd.Bool("no-probe")})
 				},
 			},
 			{
-				Name:  "setup",
-				Usage: "Guided persistent tunnel setup with optional domain registration",
+				Name:      "setup",
+				Usage:     "Create a permanent public URL with a Cloudflare tunnel",
+				ArgsUsage: "[<connector-token>]",
+				Description: "A tunnel exposes your stack to the public internet so buyers can discover and\n" +
+					"pay for the services you sell. You don't need it for local use — set one up\n" +
+					"once you're ready to sell, to get a permanent URL.\n\n" +
+					"By default Obol wires a dashboard-managed tunnel from a Cloudflare connector\n" +
+					"token (least privilege, no API key, no local install). Create the tunnel in the\n" +
+					"Cloudflare dashboard, route its Public Hostname to\n" +
+					"http://traefik.traefik.svc.cluster.local:80, then paste the token here — you can\n" +
+					"paste the whole 'cloudflared tunnel run --token …' line and Obol extracts it.\n\n" +
+					"Advanced: '--management local' uses a browser login on this machine instead\n" +
+					"(needs cloudflared installed); 'obol tunnel login' is the same flow directly.",
 				Flags: tunnelSetupFlags(),
 				Action: func(ctx context.Context, cmd *cli.Command) error {
 					u := getUI(cmd)
-					opts, err := setupOptionsFromCommand(cmd, u)
+					opts, err := setupOptionsFromCommand(cmd)
 					if err != nil {
 						return err
 					}
@@ -46,8 +60,9 @@ func tunnelCommand(cfg *config.Config) *cli.Command {
 				},
 			},
 			{
-				Name:  "login",
-				Usage: "Authenticate via browser and create a locally-managed tunnel (no API token)",
+				Name:   "login",
+				Hidden: true,
+				Usage:  "Advanced: create a locally-managed tunnel via browser login (no token)",
 				Flags: []cli.Flag{
 					&cli.StringFlag{
 						Name:     "hostname",
@@ -69,46 +84,6 @@ func tunnelCommand(cfg *config.Config) *cli.Command {
 					})
 				},
 			},
-			{
-				Name:  "provision",
-				Usage: "Provision a persistent remote-managed Cloudflare Tunnel",
-				Flags: []cli.Flag{
-					&cli.StringFlag{
-						Name:     "hostname",
-						Aliases:  []string{"H"},
-						Usage:    "Public hostname to route (e.g. stack.example.com)",
-						Required: true,
-					},
-					&cli.StringFlag{
-						Name:    "account-id",
-						Aliases: []string{"a"},
-						Usage:   "Cloudflare account ID (optional if the API token can access a single account)",
-						Sources: cli.EnvVars("CLOUDFLARE_ACCOUNT_ID"),
-					},
-					&cli.StringFlag{
-						Name:    "zone-id",
-						Aliases: []string{"z"},
-						Usage:   "Cloudflare zone ID for the hostname (auto-detected when omitted)",
-						Sources: cli.EnvVars("CLOUDFLARE_ZONE_ID"),
-					},
-					&cli.StringFlag{
-						Name:    "api-token",
-						Aliases: []string{"t"},
-						Usage:   "Cloudflare API token",
-						Sources: cli.EnvVars("CLOUDFLARE_API_TOKEN"),
-					},
-					tunnelTransportProtocolFlag(),
-				},
-				Action: func(ctx context.Context, cmd *cli.Command) error {
-					return tunnel.Provision(cfg, getUI(cmd), tunnel.ProvisionOptions{
-						Hostname:          cmd.String("hostname"),
-						AccountID:         cmd.String("account-id"),
-						ZoneID:            cmd.String("zone-id"),
-						APIToken:          cmd.String("api-token"),
-						TransportProtocol: cmd.String("transport-protocol"),
-					})
-				},
-			},
 			{
 				Name:  "restart",
 				Usage: "Restart the tunnel connector (quick tunnels get a new URL)",
@@ -242,25 +217,15 @@ func tunnelTransportProtocolFlag() cli.Flag {
 func tunnelSetupFlags() []cli.Flag {
 	return []cli.Flag{
 		&cli.StringFlag{Name: "hostname", Aliases: []string{"H"}, Usage: "Public hostname to route (e.g. stack.example.com)"},
-		&cli.StringFlag{Name: "management", Usage: "Tunnel management mode: local or remote", Value: "auto"},
+		&cli.StringFlag{Name: "token", Aliases: []string{"t"}, Usage: "Cloudflare tunnel connector token (or pass it as a positional argument)"},
+		&cli.StringFlag{Name: "management", Usage: "Tunnel management: connector (default) or local (browser fallback)", Value: "connector"},
 		tunnelTransportProtocolFlag(),
-		&cli.StringFlag{Name: "account-id", Aliases: []string{"a"}, Usage: "Cloudflare account ID", Sources: cli.EnvVars("CLOUDFLARE_ACCOUNT_ID")},
-		&cli.StringFlag{Name: "zone-id", Aliases: []string{"z"}, Usage: "Cloudflare zone ID (auto-detected when omitted)", Sources: cli.EnvVars("CLOUDFLARE_ZONE_ID")},
-		&cli.StringFlag{Name: "api-token", Aliases: []string{"t"}, Usage: "Cloudflare API token", Sources: cli.EnvVars("CLOUDFLARE_API_TOKEN")},
-		&cli.BoolFlag{Name: "register-domain", Usage: "Register the domain apex via Cloudflare Registrar when the zone is missing"},
-		&cli.IntFlag{Name: "years", Usage: "Domain registration term in years", Value: 1},
-		&cli.BoolFlag{Name: "auto-renew", Usage: "Enable domain auto-renew when registering a domain"},
-		&cli.StringFlag{Name: "privacy-mode", Usage: "WHOIS privacy mode for registration", Value: "redaction"},
-		&cli.BoolFlag{Name: "yes", Aliases: []string{"y"}, Usage: "Confirm billable domain registration without prompting"},
-		&cli.BoolFlag{Name: "overwrite-dns", Usage: "Replace any existing A/AAAA/CNAME at the hostname (forwards --overwrite-dns to cloudflared in local-managed mode)"},
+		&cli.BoolFlag{Name: "overwrite-dns", Usage: "Local-managed only: replace any existing A/AAAA/CNAME at the hostname"},
 		&cli.StringFlag{Name: "from-json", Usage: "Read setup options from JSON file (or - for stdin)"},
 	}
 }
 
-func setupOptionsFromCommand(cmd *cli.Command, u interface {
-	Input(string, string) (string, error)
-},
-) (tunnel.SetupOptions, error) {
+func setupOptionsFromCommand(cmd *cli.Command) (tunnel.SetupOptions, error) {
 	if jsonPath := cmd.String("from-json"); jsonPath != "" {
 		var opts tunnel.SetupOptions
 		data, err := readJSONInput(jsonPath)
@@ -273,27 +238,16 @@ func setupOptionsFromCommand(cmd *cli.Command, u interface {
 		return opts, nil
 	}
 
-	hostname := cmd.String("hostname")
-	if strings.TrimSpace(hostname) == "" {
-		input, err := u.Input("Public hostname", "")
-		if err != nil {
-			return tunnel.SetupOptions{}, err
-		}
-		hostname = input
+	token := strings.TrimSpace(cmd.String("token"))
+	if token == "" {
+		token = strings.TrimSpace(cmd.Args().First())
 	}
 
 	return tunnel.SetupOptions{
-		Hostname:          hostname,
+		Hostname:          cmd.String("hostname"),
 		Management:        cmd.String("management"),
+		ConnectorToken:    token,
 		TransportProtocol: cmd.String("transport-protocol"),
-		AccountID:         cmd.String("account-id"),
-		ZoneID:            cmd.String("zone-id"),
-		APIToken:          cmd.String("api-token"),
-		RegisterDomain:    cmd.Bool("register-domain"),
-		Years:             cmd.Int("years"),
-		AutoRenew:         cmd.Bool("auto-renew"),
-		PrivacyMode:       cmd.String("privacy-mode"),
-		ConfirmCharge:     cmd.Bool("yes"),
 		OverwriteDNS:      cmd.Bool("overwrite-dns"),
 	}, nil
 }
 
@@ -236,6 +236,15 @@ If the tunnel isn't running or you want a fresh URL:
 obol tunnel restart
 ```
 
+> **Get a permanent URL once you're selling.** Quick-tunnel URLs change on every
+> restart, so buyers who bookmarked the old one hit errors. When you're ready to
+> attract buyers, create a stable hostname: create a tunnel in the Cloudflare
+> dashboard (Networks → Tunnels), route its Public Hostname to
+> `http://traefik.traefik.svc.cluster.local:80`, then run
+> `obol tunnel setup --hostname stack.example.com <connector-token>` (paste the
+> whole `cloudflared tunnel run --token …` line — Obol extracts the token). This
+> needs only a least-privilege connector token, not an account-wide API key.
+
 ### 1.6 Verify Your Paths
 
 Test each route to confirm everything is wired correctly:
 
@@ -9,6 +9,7 @@ import (
 
 	"github.com/ObolNetwork/obol-stack/internal/agentruntime"
 	"github.com/ObolNetwork/obol-stack/internal/config"
+	"github.com/ObolNetwork/obol-stack/internal/helmcmd"
 )
 
 const agentDeploymentID = agentruntime.DefaultInstanceID
@@ -54,7 +55,13 @@ func SyncAgentBaseURL(cfg *config.Config, tunnelURL string) error {
 
 	fmt.Printf("Syncing AGENT_BASE_URL=%s to obol-agent...\n", tunnelURL)
 
-	cmd := exec.Command(helmfileBin, "-f", helmfilePath, "sync")
+	// Match every other helmfile-sync path (stack/app/openclaw/hermes): on Helm 4+
+	// append --force-conflicts so the SSA upgrade can take ownership of the
+	// AGENT_BASE_URL env field, which InjectBaseURL previously wrote via
+	// `kubectl set env` (field manager "kubectl-set"). Without this, Helm 4's
+	// server-side apply refuses the field and the sync fails with a conflict.
+	syncArgs := append([]string{"-f", helmfilePath, "sync"}, helmcmd.SyncFlagsForVersion(filepath.Join(cfg.BinDir, "helm"))...)
+	cmd := exec.Command(helmfileBin, syncArgs...)
 	cmd.Dir = deploymentDir
 
 	cmd.Env = append(os.Environ(), "KUBECONFIG="+kubeconfigPath)