logi-cli 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e169d7a77d8a0d247460b3010da3abcc4925c47a579582d24efcc90839f8466e
+  data.tar.gz: 6ad06a8bd52b41c8b5ebb5d12262edd848d4355519ed573bf47a15c22e9278ce
+SHA512:
+  metadata.gz: 80c5570bc590c7224a8049aeecd116264de4b916e2e2a42af5ffe9b46f1cfbe089256c121f575a44d0ea99acda20ea00aa23ef3cdbb57e3a4e009d3b662a13b3
+  data.tar.gz: 6d252d9bc5884d0da4c195423017e36689227200c312d0dd240cffed2478a87d3c02fbde246be8da849309a2ac0d6aae418384fb95767f19c2474c4be37d58a6

data/CHANGELOG.md

@@ -0,0 +1,25 @@
+# Changelog
+
+All notable changes to **logi-cli** are documented here.
+The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/).
+
+## [Unreleased]
+
+## [0.1.0] - 2026-05-27
+
+Initial public release on RubyGems.org.
+
+### Added
+- `logi login` — Browser-based OAuth 2.0 + PKCE sign-in, issues and stores a Personal API Key.
+- `logi login --code` — Device-code flow for headless / SSH environments.
+- `logi whoami` — Show current sign-in.
+- `logi logout` — Delete stored credentials.
+- `logi apps {list,show,create,verify,add-redirect,remove-redirect,rotate-secret,delete}` — Full OAuth application management for the signed-in user's organization.
+- `logi token inspect <JWT>` — Decode + verify JWT signatures against the JWKS endpoint.
+- Environment variable overrides: `LOGI_API_URL`, `LOGI_PORTAL_URL`, `LOGI_API_KEY`, `LOGI_CONFIG_PATH`.
+
+### Security
+- Credentials stored at `~/.config/logi/credentials.json` with `chmod 600`.
+- PAK plaintext shown to user once on issue; never re-displayed.
+- Stored values truncated to 18-char prefix in logs.

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Dcode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.ko.md

@@ -0,0 +1,102 @@
+# logi-cli
+
+[![Gem Version](https://badge.fury.io/rb/logi-cli.svg)](https://rubygems.org/gems/logi-cli)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+English: [README.md](./README.md)
+
+logi Identity Provider 를 터미널에서 관리하는 CLI.
+
+## 설치
+
+편한 방법 하나 고르세요:
+
+```bash
+# Homebrew (macOS)
+brew install dcode-co/logi/logi
+
+# RubyGems (Ruby ≥ 3.3 환경 어디서나)
+gem install logi-cli
+```
+
+확인:
+
+```bash
+logi --version    # logi-cli 0.1.0
+logi              # 환영 + 로그인 상태
+logi login        # 브라우저 열림 → 로그인 → PAK 자동 저장
+```
+
+`gem install logi-cli` 후 `which logi` 가 비어있으면 gem `bin` 디렉토리가 PATH 에 없는 것:
+
+```bash
+echo 'export PATH="$(gem environment gemdir)/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc
+```
+
+<details>
+<summary>개발 (소스에서)</summary>
+
+```bash
+cd cli && bundle install
+bundle exec bin/logi              # 환영 + 다음 단계 안내
+bundle exec bin/logi login        # 브라우저 OAuth 로그인
+bundle exec bin/logi apps list    # 내 OAuth 앱 보기
+```
+
+설치 후 `bin` 디렉토리를 `PATH` 에 추가하면 `logi` 만 입력 가능.
+
+</details>
+
+## 명령어
+
+| 명령 | 설명 |
+|---|---|
+| `logi` | 환영 + 현재 상태(로그인 여부) + 추천 다음 단계 |
+| `logi login` | 브라우저로 리다이렉트 → 권한 승인 → PAK 자동 발급 |
+| `logi whoami` | 로그인된 계정/PAK 정보 |
+| `logi logout` | 저장된 credentials 삭제 |
+| `logi apps list` | OAuth 앱 목록 |
+| `logi apps show <ID>` | 앱 상세 |
+| `logi apps create --name X -r URL` | 새 앱 등록 |
+| `logi apps verify <ID> -r URL` | RP 연동 진단 (tier/redirect_uri/env 권장값) |
+| `logi apps add-redirect <ID> URL` | redirect_uri 추가 |
+| `logi apps remove-redirect <ID> URL` | redirect_uri 제거 |
+| `logi apps rotate-secret <ID>` | client_secret 회전 (owner/admin만) |
+| `logi apps delete <ID>` | 앱 삭제 (owner/admin만) |
+| `logi token inspect <JWT>` | JWT 디코드 + JWKS 서명 검증 |
+
+## 환경변수
+
+| 변수 | 설명 |
+|---|---|
+| `LOGI_API_URL` | API 서버 URL (기본 `https://api.1pass.dev`) |
+| `LOGI_PORTAL_URL` | Developer Portal URL (기본 `https://start.1pass.dev`) |
+| `LOGI_API_KEY` | PAK 직접 주입 (CI/CD 친화) |
+| `LOGI_CONFIG_PATH` | credentials 파일 경로 |
+
+## 보안
+
+- credentials 파일은 `chmod 600`으로 저장
+- PAK는 출력·로그에 prefix 8자만 노출
+- `logi login`은 OAuth 2.0 PKCE 흐름 — 브라우저에서만 비밀번호 입력
+- `logi logout`은 서버 측 PAK도 revoke (API 호출 별도 추가 예정)
+
+## 미구현
+
+`test-flow`, `team`, `audit-log` 등은 v0.2 예정.
+
+## 진단 (verify)
+
+RP 측에서 "리다이렉트가 안 돌아온다" 같은 문제가 있을 때 가장 먼저:
+
+```bash
+logi apps verify $CLIENT_ID -r "https://yourapp.com/auth/callback"
+```
+
+체크 항목:
+- 앱 status (approved/pending)
+- tier (production/sandbox — sandbox면 prod 도메인 차단)
+- redirect_uri 등록 여부
+- RP 권장 환경변수 (`LOGI_API_URL` / `LOGI_CLIENT_ID` / `LOGI_CLIENT_SECRET`)
+
+자세한 트러블슈팅: https://docs.1pass.dev/guide/troubleshooting

data/README.md

@@ -0,0 +1,102 @@
+# logi-cli
+
+[![Gem Version](https://badge.fury.io/rb/logi-cli.svg)](https://rubygems.org/gems/logi-cli)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+Command-line tool for managing the logi Identity Provider from your terminal.
+
+한국어 버전: [README.ko.md](./README.ko.md)
+
+## Install
+
+Pick whichever feels native:
+
+```bash
+# Homebrew (macOS)
+brew install dcode-co/logi/logi
+
+# RubyGems (anywhere with Ruby ≥ 3.3)
+gem install logi-cli
+```
+
+Verify:
+
+```bash
+logi --version    # logi-cli 0.1.0
+logi              # welcome + sign-in status
+logi login        # opens browser → sign in → PAK auto-saved
+```
+
+If `gem install logi-cli` succeeds but `which logi` is empty on macOS, your gem `bin` dir isn't on `PATH`:
+
+```bash
+echo 'export PATH="$(gem environment gemdir)/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc
+```
+
+<details>
+<summary>Development (from source)</summary>
+
+```bash
+cd cli && bundle install
+bundle exec bin/logi              # Welcome screen + suggested next steps
+bundle exec bin/logi login        # Browser OAuth sign-in
+bundle exec bin/logi apps list    # List your OAuth apps
+```
+
+Once installed, add `bin/` to your `PATH` and you can just type `logi`.
+
+</details>
+
+## Commands
+
+| Command | What it does |
+|---|---|
+| `logi` | Welcome screen + current sign-in status + suggested next steps |
+| `logi login` | Opens your browser → grant access → issues a PAK automatically |
+| `logi whoami` | Show the signed-in account and PAK |
+| `logi logout` | Delete saved credentials |
+| `logi apps list` | List your OAuth apps |
+| `logi apps show <ID>` | Show app details |
+| `logi apps create --name X -r URL` | Register a new app |
+| `logi apps verify <ID> -r URL` | Check an RP integration (tier / redirect URI / env values) |
+| `logi apps add-redirect <ID> URL` | Add a redirect URI |
+| `logi apps remove-redirect <ID> URL` | Remove a redirect URI |
+| `logi apps rotate-secret <ID>` | Rotate `client_secret` (owner/admin only) |
+| `logi apps delete <ID>` | Delete an app (owner/admin only) |
+| `logi token inspect <JWT>` | Decode a JWT and verify its signature against JWKS |
+
+## Environment variables
+
+| Variable | What it does |
+|---|---|
+| `LOGI_API_URL` | API server URL (default `https://api.1pass.dev`) |
+| `LOGI_PORTAL_URL` | Developer Portal URL (default `https://start.1pass.dev`) |
+| `LOGI_API_KEY` | Use a PAK directly (handy in CI/CD) |
+| `LOGI_CONFIG_PATH` | Path to the credentials file |
+
+## Security
+
+- Credentials are stored with `chmod 600`.
+- Only the first 8 characters of a PAK are ever shown in output or logs.
+- `logi login` uses OAuth 2.0 with PKCE — you only enter your password in the browser.
+- `logi logout` will also revoke the PAK on the server (server-side revocation is coming in a follow-up).
+
+## Not yet implemented
+
+`test-flow`, `team`, `audit-log` and a few others are planned for v0.2.
+
+## Diagnosing (`verify`)
+
+When someone integrating an RP says "the redirect never comes back," start here:
+
+```bash
+logi apps verify $CLIENT_ID -r "https://yourapp.com/auth/callback"
+```
+
+It checks:
+- App status (approved / pending)
+- Tier (production / sandbox — sandbox apps can't talk to prod domains)
+- Whether the redirect URI is registered
+- Recommended environment variables for the RP (`LOGI_API_URL` / `LOGI_CLIENT_ID` / `LOGI_CLIENT_SECRET`)
+
+Full troubleshooting guide: https://docs.1pass.dev/guide/troubleshooting

data/bin/logi

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative "../lib/logi"
+
+Logi::CLI.start(ARGV)

data/lib/logi/cli.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module Logi
+  class CLI < Thor
+    # When invoked with no command, show a friendly welcome instead of Thor's default help dump.
+    default_task :welcome
+
+    desc "welcome", "logi CLI welcome screen (default)", hide: true
+    def welcome
+      pastel = Pastel.new
+      logged_in = Config.load.authenticated?
+
+      puts pastel.bold("logi") + pastel.dim(" — Identity Provider CLI")
+      puts ""
+
+      if logged_in
+        config = Config.load
+        puts pastel.green("✓ Signed in") + pastel.dim(" — #{config.api_url}")
+        puts ""
+        puts pastel.bold("Common commands")
+        puts "  logi apps list                                # List your OAuth apps"
+        puts "  logi apps create --name \"My App\" -r URL       # Register a new app"
+        puts "  logi apps verify <id> -r URL                 # Check an RP integration (env / redirect URI)"
+        puts "  logi apps rotate-secret <id>                  # Rotate client_secret"
+        puts "  logi whoami                                   # Show sign-in info"
+        puts "  logi --help                                   # All commands"
+      else
+        puts pastel.yellow("You're not signed in yet.")
+        puts ""
+        puts pastel.bold("Get started in 3 steps:")
+        puts pastel.dim("  1.") + " " + pastel.cyan("logi login") + pastel.dim("                              # Sign in via your browser")
+        puts pastel.dim("  2.") + " " + pastel.cyan("logi apps create --name \"App name\" -r URL") + pastel.dim("  # Register your first app")
+        puts pastel.dim("  3.") + " " + pastel.cyan("logi apps list") + pastel.dim("                          # Check your apps")
+        puts ""
+        puts pastel.dim("Docs: https://docs.1pass.dev")
+      end
+    end
+
+    # Thor convention: --version / -v flag → :version task. Without these maps
+    # `logi --version` falls back to default_task (:welcome) which surprises
+    # users coming from gh/cargo/npm where `--version` is universal.
+    map %w[--version -v] => :version
+    desc "version", "Show the logi-cli version"
+    def version
+      puts "logi-cli #{Logi::VERSION}"
+    end
+
+    desc "login", "Sign in with your logi account and save a PAK"
+    method_option :api_url,    type: :string,  default: nil,   desc: "logi API URL (default: https://api.1pass.dev)"
+    method_option :portal_url, type: :string,  default: nil,   desc: "Developer Portal URL (default: https://start.1pass.dev)"
+    method_option :name,       type: :string,  default: "CLI", desc: "PAK name"
+    method_option :scope,      type: :array,   default: nil,   desc: "Scopes to request"
+    method_option :code,       type: :boolean, default: false, desc: "Sign in with a code instead of a browser (for SSH / headless environments)"
+    def login
+      api_url    = options[:api_url] || ENV["LOGI_API_URL"] || Config::DEFAULT_API_URL
+      portal_url = options[:portal_url] || ENV["LOGI_PORTAL_URL"]
+
+      if options[:code]
+        Commands::DeviceLogin.perform(api_url: api_url, portal_url: portal_url)
+      else
+        Commands::Login.perform(
+          api_url:    api_url,
+          portal_url: portal_url,
+          name:       options[:name],
+          scopes:     options[:scope]
+        )
+      end
+    end
+
+    desc "whoami", "Show who owns the current PAK"
+    def whoami
+      config = Config.load
+      pastel = Pastel.new
+      unless config.authenticated?
+        abort pastel.red("You're not signed in. Run `logi login`.")
+      end
+
+      puts "API URL: #{config.api_url}"
+      puts "Source:  #{config.source}"
+      puts "Name:    #{config.name || '-'}"
+      puts "PAK:     #{config.api_key[0, 18]}…"
+    end
+
+    desc "logout", "Delete saved credentials"
+    def logout
+      Config.clear
+      puts "✓ Signed out (credentials deleted)"
+    end
+
+    desc "apps SUBCOMMAND", "Manage apps (list / show / create / rotate-secret / add-redirect / remove-redirect / delete)"
+    subcommand "apps", Commands::App
+
+    # Backwards-compat singular alias.
+    desc "app SUBCOMMAND", "(alias) same as `apps`", hide: true
+    subcommand "app", Commands::App
+
+    desc "token SUBCOMMAND", "JWT access token tools (inspect)"
+    subcommand "token", Commands::Token
+
+    def self.exit_on_failure?
+      true
+    end
+  end
+end

data/lib/logi/commands/app.rb

@@ -0,0 +1,235 @@
+# frozen_string_literal: true
+
+module Logi
+  module Commands
+    class App < Thor
+      class_option :json, type: :boolean, default: false,
+                   desc: "JSON output mode for LLM and CI workflows. You can also set LOGI_OUTPUT=json."
+
+      desc "list", "List your registered apps"
+      def list
+        data = authed_client.get("/api/v1/applications")
+        apps = data["applications"]
+
+        Output.success({ count: apps.size, applications: apps }, options) do
+          if apps.empty?
+            puts pastel.dim("You don't have any apps yet.")
+          else
+            table = TTY::Table.new(
+              header: [ "name", "client_id", "status", "redirect_uris" ],
+              rows: apps.map { |a| [ a["name"], a["client_id"], a["status"], a["redirect_uris"].first ] }
+            )
+            puts table.render(:unicode, padding: [ 0, 1 ])
+          end
+        end
+      rescue HttpClient::Error => e
+        Output.failure(code: "list_failed", message: e.body.to_s, status: e.status, options: options) do
+          abort pastel.red("Couldn't list apps: #{e.status} #{e.body}")
+        end
+      end
+
+      desc "show ID", "Show app details"
+      def show(id)
+        data = authed_client.get("/api/v1/applications/#{id}")
+        Output.success(data, options) do
+          puts JSON.pretty_generate(data)
+        end
+      rescue HttpClient::Error => e
+        Output.failure(code: "show_failed", message: e.body.to_s, status: e.status, options: options) do
+          abort pastel.red("Couldn't fetch app: #{e.status} #{e.body}")
+        end
+      end
+
+      desc "create", "Register a new app"
+      method_option :name, type: :string, required: true
+      method_option :redirect_uri, type: :string, required: true, aliases: "-r"
+      method_option :scope, type: :array, default: [], aliases: "-s",
+                    desc: "Scopes to enable (e.g. -s openid profile:basic email). Optional."
+      method_option :webhook_url, type: :string
+      def create
+        data = authed_client.post("/api/v1/applications", body: {
+          application: {
+            name: options[:name],
+            redirect_uris: [ options[:redirect_uri] ],
+            allowed_scopes: options[:scope],
+            webhook_url: options[:webhook_url]
+          }.compact
+        })
+        Output.success(data, options) do
+          puts pastel.green("✓ App created")
+          puts "  client_id:     #{data['client_id']}"
+          puts "  client_secret: #{pastel.yellow(data['client_secret'])}"
+          puts pastel.dim("  ⚠ The secret is only shown once. Store it somewhere safe.")
+        end
+      rescue HttpClient::Error => e
+        Output.failure(code: "create_failed", message: e.body.to_s, status: e.status, options: options) do
+          abort pastel.red("Couldn't create app: #{e.status} #{e.body}")
+        end
+      end
+
+      desc "rotate-secret ID", "Rotate the client_secret"
+      def rotate_secret(id)
+        data = authed_client.post("/api/v1/applications/#{id}/rotate_secret")
+        puts pastel.green("✓ Secret rotated")
+        puts "  client_secret: #{pastel.yellow(data['client_secret'])}"
+        puts pastel.dim("  ⚠ The old secret has been revoked immediately.")
+      rescue HttpClient::Error => e
+        abort pastel.red("Couldn't rotate secret: #{e.status} #{e.body}")
+      end
+
+      desc "delete ID", "Delete an app"
+      def delete(id)
+        authed_client.delete("/api/v1/applications/#{id}")
+        puts pastel.green("✓ Deleted")
+      rescue HttpClient::Error => e
+        abort pastel.red("Couldn't delete app: #{e.status} #{e.body}")
+      end
+
+      desc "add-redirect ID URI", "Add a redirect_uri (does nothing if already registered)"
+      def add_redirect(id, uri)
+        client = authed_client
+        current = client.get("/api/v1/applications/#{id}")["redirect_uris"] || []
+        if current.include?(uri)
+          puts pastel.dim("Already registered: #{uri}")
+          return
+        end
+        client.patch("/api/v1/applications/#{id}", body: {
+          application: { redirect_uris: current + [ uri ] }
+        })
+        puts pastel.green("✓ Added: #{uri}")
+      rescue HttpClient::Error => e
+        abort pastel.red("Couldn't add redirect: #{e.status} #{e.body}")
+      end
+
+      desc "verify ID", "Check an RP integration: app status, redirect_uri registration, and reachability"
+      method_option :redirect_uri, type: :string, aliases: "-r",
+                    desc: "The RP callback URL. Checks registration and reachability."
+      def verify(id)
+        client = authed_client
+        app = client.get("/api/v1/applications/#{id}")
+        target_uri = options[:redirect_uri]
+
+        if options[:json]
+          result = build_verify_result(app, target_uri, client)
+          puts JSON.pretty_generate(result)
+          exit(result[:checks].all? { |c| c[:ok] } ? 0 : 1)
+        end
+
+        puts pastel.bold("logi verify ") + pastel.dim(id)
+        puts ""
+
+        # Check 1: app status
+        if app["status"] == "approved"
+          ok "App status: approved"
+        else
+          warn "App status: #{app['status']} (production traffic needs status=approved)"
+        end
+
+        # Check 2: tier
+        tier = app["tier"]
+        if tier == "production"
+          ok "Tier: production"
+        else
+          warn "Tier: sandbox — only localhost / staging redirects are allowed. To use a production URL, request a tier upgrade."
+        end
+
+        # Check 3: redirect_uri registration
+        registered = app["redirect_uris"] || []
+        puts pastel.dim("  Registered redirect_uris:")
+        registered.each { |u| puts pastel.dim("    - #{u}") }
+
+        if target_uri
+          if registered.include?(target_uri)
+            ok "redirect_uri is registered: #{target_uri}"
+          else
+            err "redirect_uri is NOT registered: #{target_uri}"
+            puts pastel.dim("       → logi apps add-redirect #{id} '#{target_uri}'")
+          end
+
+          # If the app is sandbox-tier but the target URL is on a prod domain, warn.
+          if tier == "sandbox" && target_uri =~ %r{https?://(?!localhost|127\.0\.0\.1)([^/]+)}
+            host = ::Regexp.last_match(1)
+            unless host.match?(/\.staging\.|\.test\.|\.localhost$/)
+              err "Sandbox tier but a prod domain (#{host}) — this will be blocked."
+              puts pastel.dim("       → Request a tier upgrade, or use a staging domain.")
+            end
+          end
+        end
+
+        # Check 4: env vars cheatsheet
+        puts ""
+        puts pastel.bold("Recommended environment variables for the RP:")
+        api_url = Config.load.api_url
+        puts "  LOGI_API_URL=#{api_url}"
+        puts "  LOGI_CLIENT_ID=#{app['client_id']}"
+        puts "  LOGI_CLIENT_SECRET=" + pastel.dim("(issued via rotate-secret)")
+        puts ""
+        puts pastel.dim("Docs: https://docs.1pass.dev/guide/troubleshooting")
+      rescue HttpClient::Error => e
+        Output.failure(code: "verify_failed", message: e.body.to_s, status: e.status, options: options) do
+          abort pastel.red("Couldn't verify app: #{e.status} #{e.body}")
+        end
+      end
+
+      desc "remove-redirect ID URI", "Remove a redirect_uri (keeps at least one)"
+      def remove_redirect(id, uri)
+        client = authed_client
+        current = client.get("/api/v1/applications/#{id}")["redirect_uris"] || []
+        unless current.include?(uri)
+          puts pastel.dim("Not registered: #{uri}")
+          return
+        end
+        if current.size <= 1
+          abort pastel.red("At least one redirect_uri is required. Add another URI first.")
+        end
+        client.patch("/api/v1/applications/#{id}", body: {
+          application: { redirect_uris: current - [ uri ] }
+        })
+        puts pastel.green("✓ Removed: #{uri}")
+      rescue HttpClient::Error => e
+        abort pastel.red("Couldn't remove redirect: #{e.status} #{e.body}")
+      end
+
+      no_commands do
+        def pastel
+          @pastel ||= Pastel.new
+        end
+
+        def authed_client
+          config = Config.load
+          unless config.authenticated?
+            abort pastel.red("You need to sign in. Run `logi login`.")
+          end
+          HttpClient.new(base_url: config.api_url, api_key: config.api_key)
+        end
+
+        def ok(msg);   puts pastel.green("  ✓ ") + msg;          end
+        def warn(msg); puts pastel.yellow("  ⚠ ") + msg;         end
+        def err(msg);  puts pastel.red("  ✗ ") + msg;            end
+
+        def build_verify_result(app, target_uri, _client)
+          checks = []
+          checks << { name: "status_approved",  ok: app["status"] == "approved", value: app["status"] }
+          checks << { name: "tier_production",  ok: app["tier"] == "production", value: app["tier"] }
+          if target_uri
+            registered = (app["redirect_uris"] || []).include?(target_uri)
+            checks << { name: "redirect_uri_registered", ok: registered, value: target_uri }
+          end
+          {
+            client_id: app["client_id"],
+            tier: app["tier"],
+            status: app["status"],
+            redirect_uris: app["redirect_uris"],
+            target_redirect_uri: target_uri,
+            checks: checks,
+            recommended_env: {
+              "LOGI_API_URL"      => Config.load.api_url,
+              "LOGI_CLIENT_ID"    => app["client_id"],
+              "LOGI_CLIENT_SECRET" => "(rotate-secret to issue)"
+            }
+          }
+        end
+      end
+    end
+  end
+end