Merged
5 changes: 3 additions & 2 deletions CLAUDE.md
Expand Up @@ -87,8 +87,8 @@ obol
│ └── skills add, remove, list
├── model setup (has sub: custom), status, token, sync, pull, list, prefer, discover, remove
├── app install, sync, list, delete
├── tunnel status, setup, login, provision, restart, stop, logs
├── domain search, check, register
├── tunnel status, setup, restart, stop, logs (login hidden: browser-managed fallback)
├── domain list, search, check, register
├── kubectl/helm/helmfile/k9s Passthrough (auto KUBECONFIG)
├── update Helm + CLI version check (--json)
├── upgrade Apply chart upgrades (--defaults-only, --pinned, --major)
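Review bot: The parenthetical on the new `tunnel` row names only the hidden `login` alias, not `--management local`, which is the form the `tunnel setup` note and the README document for the browser fallback. Someone reading only the tree will not find the flag. Consider `(browser fallback: setup --management local; login is a hidden alias)` so the tree and the notes use the same spelling.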
Expand All @@ -102,6 +102,7 @@ obol
- `sell info <name>` prints purchase instructions (URL, model, buy.py command).
- `sell mcp [name]` runs a foreground x402-paid MCP server: forwards buyer JSON args to a backend HTTP service, injecting the seller's own API key (buyer never sees it). Payment rides MCP `_meta` (`internal/x402mcp`).
- `sell resume` replays every persisted sell offer (inference incl. detached host-gateway relaunch; http/agent/demo-agent via the manifest ledger at `$OBOL_CONFIG_DIR/sell-http/`) — run after a host reboot; `obol stack up` runs the same path. `--install-boot-unit` adds a systemd user unit (Linux). `sell mcp` is foreground-only, no offer, not resumed.
- `tunnel setup [<token>]`: the one permanent-URL command. Connector-token based (dashboard-managed) — no host binary, no account-wide API key. Accepts the bare connector token, the `--token` flag, a positional arg, or the whole `cloudflared tunnel run --token …` line (prefix stripped via `extractConnectorToken`). Reuses the remote runtime (`ProvisionWithToken` → `TUNNEL_TOKEN` secret, chart `management_mode=remote`); DNS/ingress are configured by the user in the Cloudflare dashboard (route Public Hostname → `http://traefik.traefik.svc.cluster.local:80`), not via API. The API-token provisioning path was removed (no more `tunnel provision`, no setup `--api-token/--account-id/--zone-id/--register-domain`). `--management local` (alias hidden `tunnel login`) is the browser fallback (needs `cloudflared`). `tunnel status` reads connector health from cloudflared's in-cluster `/ready`+`/metrics` (port 2000, no token) plus a public HTTP probe; concise by default, `--verbose` for replicas/pods, `--no-probe` to stay offline. Domain management lives under `obol domain` (`list`, `search`, `check`, `register`) — an optional CLI wrapper around Cloudflare Registrar; still uses a scoped Cloudflare **API token** (Account → Domain perm, via `--api-token`/`CLOUDFLARE_API_TOKEN`; on a TTY it walks you through token creation and prompts). `--api-token` deliberately has NO `-t` alias to avoid colliding with `tunnel setup -t` (connector token — a different credential). `register` is billable (needs a payment method on the CF account); on success it prints the `obol tunnel setup --hostname …` handoff.
- `hermes` is passthrough to native hermes CLI via `hermes.CLI()` (cmd/obol/hermes.go:27). No Go-level subcommands registered.
- `bootstrap` (cmd/obol/bootstrap.go) is a hidden command for installer use only — not user-facing.
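Review bot: The new `tunnel setup` bullet documents the connector token as arriving only on the command line (`--token`, a positional arg, or the pasted `cloudflared tunnel run --token …` line), which puts a credential into shell history and into the process list while the command runs. Please state here whether `setup` can also read the token from stdin or an environment variable, and if it cannot, consider adding that path. Separately, this one bullet now covers `tunnel setup`, `tunnel status` and `obol domain`; splitting it into three bullets would keep the two credentials (connector token vs. scoped API token) from being read as one.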

21 changes: 13 additions & 8 deletions README.md
Expand Up @@ -234,20 +234,25 @@ Skills are delivered via host-path PVC injection — no ConfigMap size limits, w

## Public Access (Cloudflare Tunnel)

Expose your stack to the internet via Cloudflare Tunnel:
A tunnel exposes your stack to the public internet so buyers can discover and
pay for the services you sell. You don't need it for local use — set one up once
you're ready to sell, to get a permanent URL.

```bash
# Check tunnel status (quick tunnel mode is the default)
# Check tunnel status (a temporary quick-tunnel URL is the default)
obol tunnel status

# Use a persistent hostname
obol tunnel login --hostname stack.example.com

# Or provision via API
obol tunnel provision --hostname stack.example.com \
--account-id ... --zone-id ... --api-token ...
# Create a permanent URL. Create a tunnel in the Cloudflare dashboard
# (Networks → Tunnels), route its Public Hostname to
# http://traefik.traefik.svc.cluster.local:80, then paste the connector token —
# you can paste the whole `cloudflared tunnel run --token …` line:
obol tunnel setup --hostname stack.example.com <connector-token>
```

This uses a least-privilege, single-tunnel connector token — no account-wide API
key required. (Advanced: `obol tunnel setup --management local` uses a browser
login on this machine instead, which needs `cloudflared` installed.)

## Managing the Stack

```bash
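Review bot: The new intro says you do not need a tunnel for local use, but the comment on `obol tunnel status` says a temporary quick-tunnel URL is the default, so a reader cannot tell whether the stack is publicly reachable before they run `tunnel setup`. Please say explicitly whether a quick tunnel is started by default and how to keep the stack local-only (`obol tunnel stop`, if that is the intended way). Also, the comment invites pasting the whole `cloudflared tunnel run --token …` line while the example shows only `<connector-token>`; show the pasted form once and say whether it needs quoting.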
4 changes: 1 addition & 3 deletions cmd/obol/main.go
Expand Up @@ -102,9 +102,7 @@ COMMANDS:

Tunnel Management:
tunnel status Show tunnel status and public URL
tunnel setup Guided persistent tunnel setup with optional domain registration
tunnel login Authenticate and create persistent tunnel (browser)
tunnel provision Provision persistent tunnel (API token)
tunnel setup Create a permanent public URL with a Cloudflare tunnel
tunnel restart Restart tunnel connector (quick tunnels get new URL)
tunnel stop Stop the tunnel connector
tunnel logs View cloudflared logs
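Review bot: The new `tunnel setup` help line no longer says which credential the command expects, whereas the entries it replaces were tagged `(browser)` and `(API token)`. Since the CLAUDE.md change in this same PR stresses that the connector token and the `obol domain` API token are different credentials, consider `Create a permanent public URL (Cloudflare connector token)` so `--help` alone tells the user what to paste.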