Bug
Selecting a non-local exposure mode (e.g., Tailscale Funnel) during netclaw init causes the health check step (step 10) to fail. ExposureModeValidationService requires at least one paired device or configured auth scheme before the daemon will start, but device pairing requires a running daemon.
This is the bootstrap chicken-and-egg problem: can't pair without a running daemon, can't start the daemon without a paired device.
Steps to reproduce
- Run
netclaw init
- Select Tailscale Funnel as exposure mode
- Complete all wizard steps
- Step 10 (health check) fails — daemon refuses to start
Expected behavior
The wizard should handle the bootstrap case for non-local exposure modes so the daemon can start successfully after init.
Possible solutions
- Auto-pair the local machine during init — the machine running
netclaw init is implicitly trusted; generate a device token for localhost as part of the wizard finalization
- Bootstrap mode — allow the daemon to start accepting local-only connections until the first device is paired, then enforce the requirement
- Add a pairing step to the wizard — prompt the user to pair this device between exposure mode selection and health check
Option 1 is likely the cleanest UX — no extra steps, no special modes.
Files
src/Netclaw.Daemon/Services/ExposureModeValidationService.cs (enforcement)src/Netclaw.Cli/Tui/Wizard/Steps/HealthCheckStepViewModel.cs (crash point)src/Netclaw.Cli/Tui/Wizard/Steps/ExposureModeStepView.cs (high-risk warning mentions "ensure auth is configured" — also premature)
Bug
Selecting a non-local exposure mode (e.g., Tailscale Funnel) during
netclaw initcauses the health check step (step 10) to fail.ExposureModeValidationServicerequires at least one paired device or configured auth scheme before the daemon will start, but device pairing requires a running daemon.This is the bootstrap chicken-and-egg problem: can't pair without a running daemon, can't start the daemon without a paired device.
Steps to reproduce
netclaw initExpected behavior
The wizard should handle the bootstrap case for non-local exposure modes so the daemon can start successfully after init.
Possible solutions
netclaw initis implicitly trusted; generate a device token for localhost as part of the wizard finalizationOption 1 is likely the cleanest UX — no extra steps, no special modes.
Files
src/Netclaw.Daemon/Services/ExposureModeValidationService.cs(enforcement)src/Netclaw.Cli/Tui/Wizard/Steps/HealthCheckStepViewModel.cs(crash point)src/Netclaw.Cli/Tui/Wizard/Steps/ExposureModeStepView.cs(high-risk warning mentions "ensure auth is configured" — also premature)