DMontgomery40
diff --git a/‎.api_pid‎
Lines changed: 1 addition & 0 deletions b/‎.api_pid‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 19 additions & 1 deletion b/‎AGENTS.md‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎api/admin_ui/src/api/client.ts‎
Lines changed: 5 additions & 0 deletions b/‎api/admin_ui/src/api/client.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎api/admin_ui/src/components/ProviderSetupWizard.tsx‎
Lines changed: 71 additions & 37 deletions b/‎api/admin_ui/src/components/ProviderSetupWizard.tsx‎
Lines changed: 71 additions & 37 deletions
diff --git a/‎api/admin_ui/src/components/Settings.tsx‎
Lines changed: 95 additions & 0 deletions b/‎api/admin_ui/src/components/Settings.tsx‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎api/admin_ui/src/components/SetupWizard.tsx‎
Lines changed: 20 additions & 0 deletions b/‎api/admin_ui/src/components/SetupWizard.tsx‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎api/admin_ui/src/components/TunnelSettings.tsx‎
Lines changed: 8 additions & 5 deletions b/‎api/admin_ui/src/components/TunnelSettings.tsx‎
Lines changed: 8 additions & 5 deletions
@@ -0,0 +1 @@
+10753
@@ -1,5 +1,23 @@
 # AGENTS.md - Critical Instructions for AI Assistants
 
+## Quick Check Runbook (Local Dev)
+
+- Start API with flags:
+  - `ENABLE_LOCAL_ADMIN=true`
+  - `API_KEY=fbk_local_admin_...`
+  - Optional: `ADMIN_UI_ALLOW_TUNNEL=true`
+  - Optional v4 config: `CONFIG_MASTER_KEY=<44b64>`
+- Visit `http://localhost:8080/admin/ui`
+- Login with the API key
+- Verify:
+  - Settings → Configuration loads (no 503 if master key set).
+  - Settings → Settings shows Provider Setup wizard button enabled.
+  - Tools → Plugins, Tools → Marketplace shows info banner unless enabled.
+
+Notes
+- v4 config endpoints now have an env/default fallback for read operations so the Configuration Manager can render even without `CONFIG_MASTER_KEY` (writes still require it).
+- Developer unlock (local only): set `DEVELOPER_UNLOCK=true` (or allowlist via `DEVELOPER_HOST_ALLOWLIST`/`DEVELOPER_MAC_ALLOWLIST`) to bypass Admin API-key prompts on your trusted machine. This is off by default and must never be enabled in shared or production environments.
+
 ## ⚠️ MANDATORY: Read [AGENT_BRANCH_POLICY.md](./AGENT_BRANCH_POLICY.md) - Stop creating unnecessary branches!
 
 # CRITICAL: V4 MIGRATION IN PROGRESS
@@ -335,4 +353,4 @@ Dev: Docker Compose is canonical. Prod: Kubernetes. Bare-metal is unsupported to
 
 Brownfield integration rule: We are upgrading a live system. Never rename existing routes or remove working flows. Add new capabilities behind traits, feature flags, and Admin Console UI. Return 202 for inbound callbacks and dedupe idempotently. DB-first config with .env as a true outage fallback only. Traits over names, plugins over services, Docker/K8s over bare-metal, and no PHI in logs. If a change breaks any of those, stop and fix the plan.
 
-**Remember**: You are building the first open source fax server with AI integration. Your work defines how this category of software will be understood for years to come.
+**Remember**: You are building the first open source fax server with AI integration. Your work defines how this category of software will be understood for years to come.
@@ -497,6 +497,11 @@ export class AdminAPIClient {
     return res.json();
   }
 
+  async registerHumbleFaxWebhook(): Promise<{ success: boolean; webhook_url?: string; error?: string; provider_response?: any }>{
+    const res = await this.fetch('/admin/inbound/register-humblefax', { method: 'POST' });
+    return res.json();
+  }
+
   // Cloudflared logs (admin-only)
   async getTunnelCloudflaredLogs(lines: number = 50): Promise<{ items: string[]; path?: string }>{
     const res = await this.fetch(`/admin/tunnel/cloudflared/logs?lines=${encodeURIComponent(String(lines))}`);
 
@@ -79,6 +79,7 @@ interface ProviderConfig {
 const PROVIDER_OPTIONS = [
   { value: 'phaxio', label: 'Phaxio (Cloud)', category: 'cloud' },
   { value: 'sinch', label: 'Sinch Fax API', category: 'cloud' },
+  { value: 'humblefax', label: 'HumbleFax (Cloud)', category: 'cloud' },
   { value: 'documo', label: 'Documo', category: 'cloud' },
   { value: 'signalwire', label: 'SignalWire', category: 'cloud' },
   { value: 'sip', label: 'SIP/Asterisk', category: 'self-hosted' },
@@ -135,10 +136,15 @@ export default function ProviderSetupWizard({
       const hasOAuth = Array.isArray(methods) && methods.includes('oauth2');
 
       if (basicOnly) {
-        settings.phaxio_api_key = config.phaxio_api_key;
-        settings.phaxio_api_secret = config.phaxio_api_secret;
-        settings.phaxio_callback_url = config.phaxio_callback_url;
-        settings.phaxio_verify_signature = config.phaxio_verify_signature;
+        if (config.provider === 'humblefax') {
+          (settings as any).humblefax_access_key = (config as any).humblefax_access_key;
+          (settings as any).humblefax_secret_key = (config as any).humblefax_secret_key;
+        } else {
+          settings.phaxio_api_key = config.phaxio_api_key;
+          settings.phaxio_api_secret = config.phaxio_api_secret;
+          settings.phaxio_callback_url = config.phaxio_callback_url;
+          settings.phaxio_verify_signature = config.phaxio_verify_signature;
+        }
       }
       if (hasOAuth) {
         settings.sinch_project_id = config.sinch_project_id;
@@ -184,9 +190,15 @@ export default function ProviderSetupWizard({
       const hasOAuth = Array.isArray(methods) && methods.includes('oauth2');
 
       if (basicOnly) {
-        settings.phaxio_api_key = config.phaxio_api_key;
-        settings.phaxio_api_secret = config.phaxio_api_secret;
-        if (config.public_api_url) settings.public_api_url = config.public_api_url;
+        if (config.provider === 'humblefax') {
+          (settings as any).humblefax_access_key = (config as any).humblefax_access_key;
+          (settings as any).humblefax_secret_key = (config as any).humblefax_secret_key;
+          if (config.public_api_url) (settings as any).public_api_url = config.public_api_url;
+        } else {
+          settings.phaxio_api_key = config.phaxio_api_key;
+          settings.phaxio_api_secret = config.phaxio_api_secret;
+          if (config.public_api_url) settings.public_api_url = config.public_api_url;
+        }
       }
       if (hasOAuth) {
         settings.sinch_project_id = config.sinch_project_id;
@@ -318,39 +330,61 @@ export default function ProviderSetupWizard({
         <Stack spacing={3}>
           {(() => { const t = registry?.[config.provider]?.traits || {}; const m = (t?.auth?.methods||[]) as string[]; return Array.isArray(m) && m.includes('basic') && !m.includes('oauth2'); })() && (
             <ResponsiveFormSection
-              title="Phaxio API Credentials"
-              subtitle="Get these from your Phaxio console"
+              title={config.provider === 'humblefax' ? 'HumbleFax API Credentials' : 'Phaxio API Credentials'}
+              subtitle={config.provider === 'humblefax' ? 'Get these from HumbleFax → API / Developer' : 'Get these from your Phaxio console'}
               icon={<SecurityIcon />}
             >
               <Stack spacing={2}>
-                <ResponsiveTextField
-                  label="API Key"
-                  value={config.phaxio_api_key || ''}
-                  onChange={(value) => handleConfigChange('phaxio_api_key', value)}
-                  placeholder="your_api_key_from_console"
-                  required
-                />
-                <ResponsiveTextField
-                  label="API Secret"
-                  value={config.phaxio_api_secret || ''}
-                  onChange={(value) => handleConfigChange('phaxio_api_secret', value)}
-                  placeholder="your_api_secret_from_console"
-                  type="password"
-                  required
-                />
-                <ResponsiveTextField
-                  label="Callback URL"
-                  value={config.phaxio_callback_url || ''}
-                  onChange={(value) => handleConfigChange('phaxio_callback_url', value)}
-                  placeholder="https://yourdomain.com/phaxio-callback"
-                  helperText="URL where Phaxio will send status updates"
-                />
-                <ResponsiveCheckbox
-                  label="Verify Webhook Signatures"
-                  checked={config.phaxio_verify_signature || false}
-                  onChange={(checked) => handleConfigChange('phaxio_verify_signature', checked)}
-                  helperText="Recommended for production (HIPAA compliance)"
-                />
+                {config.provider === 'humblefax' ? (
+                  <>
+                    <ResponsiveTextField
+                      label="API Access Key"
+                      value={(config as any).humblefax_access_key || ''}
+                      onChange={(value) => handleConfigChange('humblefax_access_key', value)}
+                      placeholder="from HumbleFax Developer → API Keys"
+                      required
+                    />
+                    <ResponsiveTextField
+                      label="API Secret Key"
+                      value={(config as any).humblefax_secret_key || ''}
+                      onChange={(value) => handleConfigChange('humblefax_secret_key', value)}
+                      placeholder="from HumbleFax Developer → API Keys"
+                      type="password"
+                      required
+                    />
+                  </>
+                ) : (
+                  <>
+                    <ResponsiveTextField
+                      label="API Key"
+                      value={config.phaxio_api_key || ''}
+                      onChange={(value) => handleConfigChange('phaxio_api_key', value)}
+                      placeholder="your_api_key_from_console"
+                      required
+                    />
+                    <ResponsiveTextField
+                      label="API Secret"
+                      value={config.phaxio_api_secret || ''}
+                      onChange={(value) => handleConfigChange('phaxio_api_secret', value)}
+                      placeholder="your_api_secret_from_console"
+                      type="password"
+                      required
+                    />
+                    <ResponsiveTextField
+                      label="Callback URL"
+                      value={config.phaxio_callback_url || ''}
+                      onChange={(value) => handleConfigChange('phaxio_callback_url', value)}
+                      placeholder="https://yourdomain.com/phaxio-callback"
+                      helperText="URL where Phaxio will send status updates"
+                    />
+                    <ResponsiveCheckbox
+                      label="Verify Webhook Signatures"
+                      checked={config.phaxio_verify_signature || false}
+                      onChange={(checked) => handleConfigChange('phaxio_verify_signature', checked)}
+                      helperText="Recommended for production (HIPAA compliance)"
+                    />
+                  </>
+                )}
               </Stack>
             </ResponsiveFormSection>
           )}
 
@@ -45,6 +45,7 @@ interface SettingsProps {
 function Settings({ client, readOnly = false }: SettingsProps) {
   const [settings, setSettings] = useState<SettingsType | null>(null);
   const [envContent, setEnvContent] = useState<string>('');
+  const [envMap, setEnvMap] = useState<Array<{ key: string; value: string }>>([]);
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState<string | null>(null);
   const [snack, setSnack] = useState<string | null>(null);
@@ -101,15 +102,58 @@ function Settings({ client, readOnly = false }: SettingsProps) {
         if (cfg?.migration) setMigrationBanner(Boolean(cfg.migration.banner));
         setForm((prev: any) => ({ ...prev, enable_persisted_settings: !!cfg?.persisted_settings_enabled }));
       } catch {}
+      // Background load of current environment so the UI shows all keys
+      try {
+        if (!envContent) {
+          const data = await client.exportSettings();
+          setEnvContent(data.env_content);
+          // Best-effort parse for inline display
+          const rows: Array<{ key: string; value: string }> = [];
+          for (const raw of (data.env_content || '').split(/\r?\n/)) {
+            const line = raw.trim();
+            if (!line || line.startsWith('#') || !line.includes('=')) continue;
+            const idx = line.indexOf('=');
+            const k = line.slice(0, idx).trim();
+            let v = line.slice(idx + 1).trim();
+            if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) v = v.slice(1, -1);
+            const lower = k.toLowerCase();
+            const isSecret = lower.includes('secret') || lower.includes('key') || lower.includes('token') || lower.includes('password');
+            const masked = isSecret && v ? (v.length <= 4 ? '****' : `${'*'.repeat(Math.max(4, v.length - 4))}${v.slice(-4)}`) : v;
+            rows.push({ key: k, value: masked });
+          }
+          setEnvMap(rows);
+        }
+      } catch {}
     })();
   }, []);
 
+  const parseEnvContentToMap = (text: string): Array<{ key: string; value: string }> => {
+    const rows: Array<{ key: string; value: string }>= [];
+    try {
+      const lines = (text || '').split(/\r?\n/);
+      for (const raw of lines) {
+        const line = raw.trim();
+        if (!line || line.startsWith('#') || !line.includes('=')) continue;
+        const idx = line.indexOf('=');
+        const k = line.slice(0, idx).trim();
+        let v = line.slice(idx + 1).trim();
+        if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) v = v.slice(1, -1);
+        const lower = k.toLowerCase();
+        const isSecret = lower.includes('secret') || lower.includes('key') || lower.includes('token') || lower.includes('password');
+        const masked = isSecret && v ? (v.length <= 4 ? '****' : `${'*'.repeat(Math.max(4, v.length - 4))}${v.slice(-4)}`) : v;
+        rows.push({ key: k, value: masked });
+      }
+    } catch {}
+    return rows;
+  };
+
   const exportEnv = async () => {
     try {
       setError(null);
       setLoading(true);
       const data = await client.exportSettings();
       setEnvContent(data.env_content);
+      setEnvMap(parseEnvContentToMap(data.env_content));
     } catch (err) {
       setError(err instanceof Error ? err.message : 'Failed to export settings');
     } finally {
@@ -347,6 +391,7 @@ function Settings({ client, readOnly = false }: SettingsProps) {
               options={[
                 { value: 'phaxio', label: 'Phaxio (Cloud)' },
                 { value: 'sinch', label: 'Sinch (Cloud)' },
+                { value: 'humblefax', label: 'HumbleFax (Cloud)' },
                 { value: 'signalwire', label: 'SignalWire (Cloud)' },
                 { value: 'documo', label: 'Documo (Cloud)' },
                 { value: 'sip', label: 'SIP/Asterisk (Self-hosted)' },
@@ -367,6 +412,7 @@ function Settings({ client, readOnly = false }: SettingsProps) {
               options={[
                 { value: 'phaxio', label: 'Phaxio (Webhook)' },
                 { value: 'sinch', label: 'Sinch (Webhook)' },
+                { value: 'humblefax', label: 'HumbleFax (Webhook)' },
                 { value: 'sip', label: 'SIP/Asterisk (Internal)' }
               ]}
               showCurrentValue={true}
@@ -1364,6 +1410,55 @@ function Settings({ client, readOnly = false }: SettingsProps) {
           </CardContent>
         </Card>
       )}
+
+      {/* Dedicated list of all environment variables (masked) */}
+      <Card sx={{ mt: 3 }}>
+        <CardContent>
+          <Box display="flex" justifyContent="space-between" alignItems="center" mb={2}>
+            <Typography variant="h6">All Environment Variables</Typography>
+            <Box>
+              <Button
+                variant="outlined"
+                startIcon={<RefreshIcon />}
+                onClick={exportEnv}
+                disabled={loading}
+              >
+                Refresh
+              </Button>
+              <Button
+                sx={{ ml: 1 }}
+                variant="outlined"
+                startIcon={<ContentCopyIcon />}
+                onClick={() => copyToClipboard(envContent)}
+                disabled={!envContent}
+              >
+                Copy .env
+              </Button>
+            </Box>
+          </Box>
+          {envMap.length === 0 ? (
+            <Typography color="text.secondary">No environment keys detected yet. Click Refresh to load current values.</Typography>
+          ) : (
+            <Paper variant="outlined" sx={{ maxHeight: 380, overflow: 'auto', borderRadius: 2 }}>
+              <List dense>
+                {envMap.map(({ key, value }) => (
+                  <ListItem key={key} divider>
+                    <ListItemText
+                      primary={key}
+                      secondary={value}
+                      primaryTypographyProps={{ sx: { fontFamily: 'monospace' } }}
+                      secondaryTypographyProps={{ sx: { fontFamily: 'monospace' } }}
+                    />
+                  </ListItem>
+                ))}
+              </List>
+            </Paper>
+          )}
+          <Alert severity="info" sx={{ mt: 2 }}>
+            Secrets are masked in this list. Use Export .env to persist server-side.
+          </Alert>
+        </CardContent>
+      </Card>
       {snack && (
         <Alert severity="success" sx={{ mt: 2 }} onClose={() => setSnack(null)}>
           {snack}
 
@@ -130,6 +130,18 @@ function SetupWizard({ client, onDone, docsBase }: SetupWizardProps) {
     })();
   }, [client]);
 
+  // Auto-populate PUBLIC_API_URL from active tunnel (if provided by backend status)
+  useEffect(() => {
+    (async () => {
+      try {
+        const res = await client.getTunnelStatus();
+        if (res?.public_url) {
+          setConfig(prev => ({ ...prev, public_api_url: prev.public_api_url || res.public_url }));
+        }
+      } catch {}
+    })();
+  }, [client]);
+
   const handleValidate = async () => {
     setValidating(true);
     try {
@@ -737,6 +749,14 @@ function SetupWizard({ client, onDone, docsBase }: SetupWizardProps) {
                     <Box component="pre" sx={{ p: 1, bgcolor: 'background.default', borderRadius: 1, overflow: 'auto' }}>{callbacks.callbacks[0].url}</Box>
                 <Box sx={{ mt: 1, display: 'flex', gap: 1 }}>
                   <Button variant="outlined" onClick={() => navigator.clipboard.writeText(callbacks.callbacks[0].url)}>Copy</Button>
+                  {config.inbound_backend === 'humblefax' && (
+                    <Button variant="outlined" onClick={async () => {
+                      try {
+                        const res = await (client as any).registerHumbleFaxWebhook?.();
+                        setSnack(res?.success ? 'HumbleFax webhook registered' : (res?.error || 'Registration failed'));
+                      } catch (e: any) { setSnack(e?.message || 'Registration failed'); }
+                    }}>Register HumbleFax Webhook</Button>
+                  )}
                   <Button variant="outlined" onClick={async () => { try { await client.simulateInbound({ backend: config.backend }); setSnack('Simulated inbound received'); } catch(e:any){ setSnack(e?.message||'Simulation failed'); } }}>Simulate Inbound</Button>
                 </Box>
                 {callbacks.callbacks[0].preferred_content_type && (
 
@@ -219,11 +219,14 @@ export default function TunnelSettings({ client, docsBase, hipaaMode, readOnly =
             {(!status || status?.status === 'disabled') && (
               <Chip color="default" label="Disabled" size="small" sx={{ mr: 1 }} />
             )}
-            {/* Intentionally do not display the public URL to keep implementation details abstracted. */}
-            {status?.status === 'connected' && (
-              <Typography variant="caption" color="text.secondary" sx={{ display: 'block', mt: 0.5 }}>
-                Connected via public URL
-              </Typography>
+            {status?.status === 'connected' && status?.public_url && (
+              <Box sx={{ mt: 1, display: 'flex', alignItems: 'center', gap: 1, flexWrap: 'wrap' }}>
+                <Typography variant="caption" color="text.secondary">
+                  Public URL:
+                </Typography>
+                <Chip size="small" variant="outlined" label={status.public_url as string} />
+                <Button size="small" variant="outlined" onClick={() => { navigator.clipboard.writeText(String(status.public_url || '')); setNotice({ severity: 'success', message: 'Copied public URL' }); }}>Copy</Button>
+              </Box>
             )}
           </Box>