diff --git a/core/device-id/device-id-protocol.ts b/core/device-id/device-id-protocol.ts
index 8398ea5cd..69e254bfe 100644
--- a/core/device-id/device-id-protocol.ts
+++ b/core/device-id/device-id-protocol.ts
@@ -1,10 +1,19 @@
-import { IssueCertificateResult, JWKPrivateSchema, SuperThis } from "@fireproof/core-types-base";
-import { DeviceIdCA } from "./device-id-CA.js";
+import { IssueCertificateResult, JWKPrivateSchema, SuperThis, JWKPublic } from "@fireproof/core-types-base";
+import { CAActions, DeviceIdCA } from "./device-id-CA.js";
 import { param, Result } from "@adviser/cement";
 import { DeviceIdKey } from "./device-id-key.js";
 import { base58btc } from "multiformats/bases/base58";
 import { DeviceIdVerifyMsg, VerifyWithCertificateResult } from "./device-id-verify-msg.js";
 
+// Stub implementation until real CAActions is integrated
+const stubCAActions: CAActions = {
+  generateSerialNumber: async (_pub: JWKPublic) => {
+    // TODO: Implement proper serial number generation based on public key
+    // This should generate a unique, deterministic serial number for the certificate
+    return `stub-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+  },
+};
+
 async function ensureCA(sthis: SuperThis, opts: DeviceIdProtocolSrvOpts): Promise<Result<DeviceIdCA>> {
   const rEnv = sthis.env.gets({
     DEVICE_ID_CA_KEY: opts.env?.DEVICE_ID_CA_KEY ?? param.REQUIRED,
@@ -29,7 +38,7 @@ async function ensureCA(sthis: SuperThis, opts: DeviceIdProtocolSrvOpts): Promis
       caSubject: {
         commonName: env.DEVICE_ID_CA_COMMON_NAME ?? "Fireproof CA",
       },
-      actions: [], // opts.actions ,
+      actions: stubCAActions,
     }),
   );
 }
@@ -45,7 +54,7 @@ export interface DeviceIdProtocolSrvOpts {
     readonly DEVICE_ID_CA_KEY: string;
     readonly DEVICE_ID_CA_COMMON_NAME?: string;
   };
-  // readonly actions: CAActions;
+  // Note: Uses stubCAActions until proper CAActions implementation is provided
 }
 
 export class DeviceIdProtocolSrv implements DeviceIdProtocol {
diff --git a/core/gateways/cloud/to-cloud.ts b/core/gateways/cloud/to-cloud.ts
index 8fd51d259..6a2038e8d 100644
--- a/core/gateways/cloud/to-cloud.ts
+++ b/core/gateways/cloud/to-cloud.ts
@@ -248,7 +248,7 @@ class ToCloud implements ToCloudAttachable {
       // wait for the token
       // const token = await this._tokenObserver.getToken(logger, ledger);
       const rToken = await this.opts.strategy.waitForToken(ledger.sthis, logger, ledger.name, this.opts);
-      if (!rToken.isErr) {
+      if (rToken.isErr()) {
         return Result.Err(rToken);
       }
       const token = rToken.unwrap();
diff --git a/use-fireproof/fp-cloud-connect-strategy.ts b/use-fireproof/fp-cloud-connect-strategy.ts
index f50e7a093..0f88533fc 100644
--- a/use-fireproof/fp-cloud-connect-strategy.ts
+++ b/use-fireproof/fp-cloud-connect-strategy.ts
@@ -122,6 +122,9 @@ export class FPCloudConnectStrategy implements TokenStrategie {
       this.title,
       `left=${left},top=${top},width=${width},height=${height},scrollbars=yes,resizable=yes,popup=yes`,
     );
+    // TODO: Add popup callback handler here
+    // Need to listen for postMessage from popup window containing OAuth result
+    // Example: window.addEventListener('message', (event) => { ... })
     // window.location.href = url.toString();
   }
 
diff --git a/use-fireproof/fp-cloud-connector/iframe-fpcc-protocol.ts b/use-fireproof/fp-cloud-connector/iframe-fpcc-protocol.ts
index 9866c8d58..8a8f38551 100644
--- a/use-fireproof/fp-cloud-connector/iframe-fpcc-protocol.ts
+++ b/use-fireproof/fp-cloud-connector/iframe-fpcc-protocol.ts
@@ -95,6 +95,11 @@ class MemoryFPCCEvtEntity implements BackendFPCC {
   }
 
   waitForAuthToken(tid: string, tokenURI: string): Promise<string> {
+    // TODO: Implement real OAuth token exchange
+    // Should: 1) Listen for popup window callback message
+    //         2) Extract auth token from message
+    //         3) Exchange with tokenURI endpoint
+    //         4) Return real JWT token
     return sleep(100).then(() => `fake-auth-token:${tid}:${tokenURI}`);
   }
 
@@ -147,6 +152,9 @@ export class IframeFPCCProtocol implements FPCCProtocol {
   };
 
   getDeviceId(): string {
+    // TODO: Integrate with core/device-id/device-id-protocol.ts
+    // Should use DeviceIdProtocol to generate/retrieve device certificate
+    // This ties into the device identity and auth system
     return "we-need-to-implement-device-id";
   }
 
diff --git a/use-fireproof/fp-cloud-connector/page-fpcc-protocol.ts b/use-fireproof/fp-cloud-connector/page-fpcc-protocol.ts
index fc4cfd3df..4eb579f9e 100644
--- a/use-fireproof/fp-cloud-connector/page-fpcc-protocol.ts
+++ b/use-fireproof/fp-cloud-connector/page-fpcc-protocol.ts
@@ -82,7 +82,9 @@ export class PageFPCCProtocol implements FPCCProtocol {
   }
 
   getAppId(): string {
-    // setup in ready
+    // TODO: Generate or retrieve stable app ID
+    // Should be consistent across sessions for the same app origin
+    // Consider using: hash(window.location.origin) or stored value
     return "we-need-to-implement-app-id-this";
   }