@authrim/setup 0.1.140 → 0.1.142

package/dist/web/api.js

@@ -18,15 +18,19 @@ import { isWranglerInstalled, checkAuth, provisionResources, detectEnvironments,
 import { AuthrimConfigSchema, createDefaultConfig, D1LocationSchema, D1JurisdictionSchema, } from '../core/config.js';
 import { generateAllSecrets, saveKeysToDirectory, keysExistForEnvironment } from '../core/keys.js';
 import { createLockFile, saveLockFile } from '../core/lock.js';
-import { getEnvironmentPaths, resolvePaths, listEnvironments, findAuthrimBaseDir, } from '../core/paths.js';
+import { getEnvironmentPaths, getExternalKeysDir, findKeysDirectory, resolvePaths, listEnvironments, findAuthrimBaseDir, } from '../core/paths.js';
 import { generateWranglerConfig, toToml } from '../core/wrangler.js';
 import { syncWranglerConfigs } from '../core/wrangler-sync.js';
+import { buildUrlsConfig } from '../core/url-config.js';
+import { normalizeTenantConfigForApiDomain } from '../core/tenant-mode.js';
 import { deployAll, uploadSecrets, buildApiPackages, deployAllPages, deployPagesComponent, deployWorker, PAGES_COMPONENTS, } from '../core/deploy.js';
 import { getEnabledComponents, WORKER_COMPONENTS } from '../core/naming.js';
 import { getLocalPackageVersions, compareVersions, getComponentsToUpdate, } from '../core/version.js';
 import { completeInitialSetup } from '../core/admin.js';
-import { writeFile } from 'node:fs/promises';
-import { join } from 'node:path';
+import { resolveUiDeploymentSettings } from '../core/ui-deployment.js';
+import { saveUiEnv, buildInitialUiEnvConfig } from '../core/ui-env.js';
+import { writeFile, chmod, mkdir } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
 // =============================================================================
 // Session & Security
 // =============================================================================
@@ -117,6 +121,29 @@ export function createApiRoutes() {
     api.use('/deploy', validateSession);
     api.use('/reset', validateSession);
     api.use('/admin/*', validateSession);
+    api.use('/cloudflare/*', validateSession);
+    // ==========================================================================
+    // Cloudflare Zone Check
+    // ==========================================================================
+    api.post('/cloudflare/check-zone', async (c) => {
+        try {
+            const body = (await c.req.json());
+            const { domain } = body;
+            if (!domain || typeof domain !== 'string') {
+                return c.json({ found: false, error: 'domain is required' }, 400);
+            }
+            if (!/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\.[a-z]{2,}$/.test(domain)) {
+                return c.json({ found: false, error: 'Invalid domain format' }, 400);
+            }
+            const { checkZoneExists } = await import('../core/cloudflare.js');
+            const result = await checkZoneExists(domain);
+            return c.json(result);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Unknown error';
+            return c.json({ found: false, error: message }, 500);
+        }
+    });
     // Get current state (no auth required - read-only)
     api.get('/state', (c) => {
         return c.json(state);
@@ -248,10 +275,13 @@ export function createApiRoutes() {
                 // Use new structure for saving
                 const envPaths = getEnvironmentPaths({ baseDir, env });
                 // Ensure directory exists
-                const { mkdir } = await import('node:fs/promises');
                 await mkdir(envPaths.root, { recursive: true });
                 // Save config
                 await writeFile(envPaths.config, JSON.stringify(config, null, 2));
+                const initialUiEnv = buildInitialUiEnvConfig(config);
+                if (initialUiEnv) {
+                    await saveUiEnv(envPaths.uiEnv, initialUiEnv);
+                }
                 state.config = config;
                 return c.json({ success: true, configPath: envPaths.config, structure: 'new' });
             }
@@ -268,34 +298,21 @@ export function createApiRoutes() {
         return withLock(async () => {
             try {
                 const body = await c.req.json();
-                const { env = 'prod', apiDomain, loginUiDomain, adminUiDomain, tenant, components } = body;
+                const { env = 'prod', apiDomain, loginUiDomain, adminUiDomain, tenant, components, zoneId, customDomainBinding, } = body;
                 const config = createDefaultConfig(env);
                 // Update tenant configuration
                 if (tenant) {
-                    config.tenant = {
-                        name: tenant.name || 'default',
-                        displayName: tenant.displayName || 'Default Tenant',
-                        multiTenant: tenant.multiTenant || false,
-                        baseDomain: tenant.baseDomain,
-                    };
+                    config.tenant = normalizeTenantConfigForApiDomain(tenant);
                 }
                 // Update URLs with domain configuration
-                config.urls = {
-                    api: {
-                        custom: apiDomain || null,
-                        auto: `https://${env}-ar-router.workers.dev`,
-                    },
-                    loginUi: {
-                        custom: loginUiDomain || null,
-                        auto: `https://${env}-ar-login-ui.pages.dev`,
-                        sameAsApi: false,
-                    },
-                    adminUi: {
-                        custom: adminUiDomain || null,
-                        auto: `https://${env}-ar-admin-ui.pages.dev`,
-                        sameAsApi: false,
-                    },
-                };
+                config.urls = buildUrlsConfig({
+                    env,
+                    apiDomain,
+                    loginUiDomain,
+                    adminUiDomain,
+                    zoneId: zoneId || null,
+                    customDomainBinding: customDomainBinding ?? false,
+                });
                 // Update components if provided
                 if (components) {
                     config.components = {
@@ -315,7 +332,8 @@ export function createApiRoutes() {
     api.get('/keys/check/:env', async (c) => {
         try {
             const env = c.req.param('env');
-            const exists = keysExistForEnvironment(process.cwd(), env);
+            const baseDir = findAuthrimBaseDir(process.cwd());
+            const exists = keysExistForEnvironment(baseDir, env, process.cwd());
             return c.json({ exists, env });
         }
         catch (error) {
@@ -323,26 +341,27 @@ export function createApiRoutes() {
         }
     });
     // Generate keys (with lock)
-    // Saves to new structure: .authrim/{env}/keys/
+    // Saves to external structure: {cwd}/.authrim-keys/{env}/
     api.post('/keys/generate', async (c) => {
         return withLock(async () => {
             try {
                 const body = await c.req.json();
                 const { keyId, env } = body;
-                const baseDir = findAuthrimBaseDir(process.cwd());
+                const envName = env || 'default';
+                const keysBaseDir = process.cwd();
                 addProgress('Generating cryptographic keys...');
                 const secrets = generateAllSecrets(keyId);
-                // Use new structure for saving keys
-                const envPaths = getEnvironmentPaths({ baseDir, env: env || 'default' });
-                addProgress(`Saving keys to directory: ${envPaths.keys}/`);
-                await saveKeysToDirectory(secrets, { baseDir, env: env || 'default' });
+                // Save to external keys directory: {cwd}/.authrim-keys/{env}/
+                const externalKeysDir = getExternalKeysDir(envName, keysBaseDir);
+                addProgress(`Saving keys to directory: ${externalKeysDir}/`);
+                await saveKeysToDirectory(secrets, { keysBaseDir, env: envName });
                 addProgress('Keys generated successfully');
                 // Only return public information
                 return c.json({
                     success: true,
                     keyId: secrets.keyPair.keyId,
                     publicKeyJwk: secrets.keyPair.publicKeyJwk,
-                    keysPath: envPaths.keys,
+                    keysPath: externalKeysDir,
                 });
             }
             catch (error) {
@@ -377,23 +396,26 @@ export function createApiRoutes() {
                     // Warning but not an error - just log it
                     addProgress('Warning: Resend API key should start with "re_"');
                 }
-                // Save secrets to keys directory (use new structure)
-                const baseDir = findAuthrimBaseDir(process.cwd());
-                const envPaths = getEnvironmentPaths({ baseDir, env });
-                const keysDir = envPaths.keys;
-                // Ensure directory exists
-                const { mkdir } = await import('node:fs/promises');
-                await mkdir(keysDir, { recursive: true });
-                // Save API key
+                // Save secrets to external keys directory: {cwd}/.authrim-keys/{env}/
+                const keysBaseDir = process.cwd();
+                const keysDir = getExternalKeysDir(env, keysBaseDir);
+                const baseDir = findAuthrimBaseDir(keysBaseDir);
+                const envPaths = getEnvironmentPaths({ baseDir, env, keysBaseDir });
+                // Ensure directory exists with restrictive permissions
+                await mkdir(keysDir, { recursive: true, mode: 0o700 });
+                // Save API key with restrictive permissions
                 await writeFile(envPaths.keyFiles.resendApiKey, apiKey.trim());
+                await chmod(envPaths.keyFiles.resendApiKey, 0o600);
                 addProgress(`Saved ${provider} API key to ${envPaths.keyFiles.resendApiKey}`);
-                // Save from address
+                // Save from address with restrictive permissions
                 await writeFile(envPaths.keyFiles.emailFrom, fromAddress.trim());
+                await chmod(envPaths.keyFiles.emailFrom, 0o600);
                 addProgress(`Saved email from address to ${envPaths.keyFiles.emailFrom}`);
                 // Save from name if provided
                 if (fromName) {
                     const fromNameFile = join(keysDir, 'email_from_name.txt');
                     await writeFile(fromNameFile, fromName.trim());
+                    await chmod(fromNameFile, 0o600);
                     addProgress(`Saved email from name to ${fromNameFile}`);
                 }
                 addProgress('Email configuration saved successfully');
@@ -469,6 +491,8 @@ export function createApiRoutes() {
                 addProgress('Creating lock file...');
                 const lock = createLockFile(env, resources);
                 const rootDir = findAuthrimBaseDir(process.cwd());
+                const envPaths = getEnvironmentPaths({ baseDir: rootDir, env });
+                addProgress(`Saving lock.json to ${envPaths.lock} ...`);
                 await saveLockFile(lock, { env, baseDir: rootDir });
                 // Save config.json
                 addProgress('Saving config.json...');
@@ -491,16 +515,32 @@ export function createApiRoutes() {
                 const apiUrl = workersSubdomain
                     ? `https://${env}-ar-router.${workersSubdomain}.workers.dev`
                     : `https://${env}-ar-router.workers.dev`;
-                const loginUiUrl = `https://${env}-ar-login-ui.pages.dev`;
-                const adminUiUrl = `https://${env}-ar-admin-ui.pages.dev`;
-                config.urls = {
-                    api: { auto: apiUrl },
-                    loginUi: { sameAsApi: false, auto: loginUiUrl },
-                    adminUi: { sameAsApi: false, auto: adminUiUrl },
-                };
+                config.urls = buildUrlsConfig({
+                    env,
+                    apiDomain: config.urls?.api?.custom || null,
+                    loginUiDomain: config.urls?.loginUi?.custom || null,
+                    adminUiDomain: config.urls?.adminUi?.custom || null,
+                    zoneId: config.urls?.api?.zoneId ?? null,
+                    customDomainBinding: config.urls?.api?.customDomainBinding ?? false,
+                    workersSubdomain,
+                    existingUrls: {
+                        api: {
+                            ...config.urls?.api,
+                            auto: apiUrl,
+                        },
+                        loginUi: config.urls?.loginUi,
+                        adminUi: config.urls?.adminUi,
+                    },
+                });
                 addProgress(`Configured URLs: API=${apiUrl}`);
-                const envPaths = getEnvironmentPaths({ baseDir: rootDir, env });
+                // Explicitly ensure directory exists (defense in depth; saveLockFile also creates it)
+                await mkdir(dirname(envPaths.config), { recursive: true });
+                addProgress(`Saving config.json to ${envPaths.config} ...`);
                 await writeFile(envPaths.config, JSON.stringify(config, null, 2), 'utf-8');
+                const initialUiEnv = buildInitialUiEnvConfig(config);
+                if (initialUiEnv) {
+                    await saveUiEnv(envPaths.uiEnv, initialUiEnv);
+                }
                 state.config = config;
                 // Generate wrangler.toml files
                 addProgress('Generating wrangler.toml files...');
@@ -529,11 +569,18 @@ export function createApiRoutes() {
                 }
                 state.status = 'configuring';
                 addProgress('Provisioning complete!');
+                addProgress(`📁 Config saved: ${envPaths.config}`);
+                addProgress(`📁 Lock saved:   ${envPaths.lock}`);
                 return c.json({
                     success: true,
                     resources,
                     lock,
                     config,
+                    savedPaths: {
+                        config: envPaths.config,
+                        lock: envPaths.lock,
+                        root: envPaths.root,
+                    },
                 });
             }
             catch (error) {
@@ -634,11 +681,19 @@ export function createApiRoutes() {
                     addProgress('Packages built successfully');
                 }
                 // Upload secrets first (secrets are read but not stored in state)
-                // Check both new (.authrim/{env}/keys/) and legacy (.keys/{env}/) structures
+                // Check external (.authrim-keys/), new (.authrim/{env}/keys/), and legacy (.keys/{env}/) structures
                 const baseDir = findAuthrimBaseDir(process.cwd());
                 const resolved = resolvePaths({ baseDir, env });
                 let keysDir;
-                if (resolved.type === 'new') {
+                const foundKeys = findKeysDirectory({
+                    env,
+                    sourceDir: baseDir,
+                    keysBaseDir: process.cwd(),
+                });
+                if (foundKeys) {
+                    keysDir = foundKeys.path;
+                }
+                else if (resolved.type === 'new') {
                     keysDir = resolved.paths.keys;
                 }
                 else {
@@ -649,6 +704,7 @@ export function createApiRoutes() {
                     const secrets = {};
                     const secretFiles = [
                         { file: join(keysDir, 'private.pem'), name: 'PRIVATE_KEY_PEM' },
+                        { file: join(keysDir, 'public.jwk.json'), name: 'PUBLIC_JWK_JSON' },
                         { file: join(keysDir, 'rp_token_encryption_key.txt'), name: 'RP_TOKEN_ENCRYPTION_KEY' },
                         { file: join(keysDir, 'admin_api_secret.txt'), name: 'ADMIN_API_SECRET' },
                         { file: join(keysDir, 'key_manager_secret.txt'), name: 'KEY_MANAGER_SECRET' },
@@ -792,45 +848,70 @@ export function createApiRoutes() {
                     const apiBaseUrl = cfg?.urls?.api?.custom ||
                         cfg?.urls?.api?.auto ||
                         `https://${env}-ar-router.workers.dev`;
-                    // Get ui.env path for Vite builds (new structure only)
-                    // Always regenerate ui.env from config to ensure sync
-                    let uiEnvPath;
-                    if (resolved.type === 'new') {
-                        uiEnvPath = resolved.paths.uiEnv;
-                        // Regenerate ui.env from config.json to ensure they are in sync
-                        // Detect if custom domains are used (same registrable domain = no need for proxy)
-                        const apiHasCustomDomain = !!cfg?.urls?.api?.custom;
-                        const adminUiHasCustomDomain = !!cfg?.urls?.adminUi?.custom;
-                        const useDirectMode = apiHasCustomDomain && adminUiHasCustomDomain;
-                        const { saveUiEnv } = await import('../core/ui-env.js');
-                        try {
-                            if (useDirectMode) {
-                                await saveUiEnv(uiEnvPath, {
-                                    PUBLIC_API_BASE_URL: apiBaseUrl, // Frontend sends directly to backend
-                                    API_BACKEND_URL: '', // Proxy disabled
-                                });
-                                addProgress(`ui.env synced (direct mode: ${apiBaseUrl})`);
-                                addProgress(`Custom domains detected - Safari ITP proxy disabled`);
+                    let loginUiClientId;
+                    if (cfg?.components?.loginUi && !dryRun) {
+                        const loginUiUrl = cfg?.urls?.loginUi?.custom ||
+                            cfg?.urls?.loginUi?.auto ||
+                            `https://${env}-ar-login-ui.pages.dev`;
+                        const foundKeys = findKeysDirectory({
+                            env,
+                            sourceDir: rootDir,
+                            keysBaseDir: process.cwd(),
+                        });
+                        const adminApiSecretPath = foundKeys
+                            ? join(foundKeys.path, 'admin_api_secret.txt')
+                            : resolved.paths.keyFiles.adminApiSecret;
+                        const { ensureLoginUiClient } = await import('../core/login-ui-client.js');
+                        const clientResult = await ensureLoginUiClient({
+                            apiBaseUrl,
+                            loginUiUrl,
+                            adminApiSecretPath,
+                            onProgress: addProgress,
+                        });
+                        if (clientResult.success && clientResult.clientId) {
+                            loginUiClientId = clientResult.clientId;
+                            if (clientResult.alreadyExists) {
+                                addProgress(`  ✓ Login UI client exists: ${loginUiClientId}`);
                             }
                             else {
-                                await saveUiEnv(uiEnvPath, {
-                                    PUBLIC_API_BASE_URL: '', // Empty for proxy mode (same-origin)
-                                    API_BACKEND_URL: apiBaseUrl, // Server-side proxy target
-                                });
-                                addProgress(`ui.env synced (proxy mode: ${apiBaseUrl})`);
+                                addProgress(`  ✓ Login UI client created: ${loginUiClientId}`);
                             }
                         }
-                        catch (syncError) {
-                            addProgress(`⚠️  Could not sync ui.env: ${syncError}`);
+                        else {
+                            addProgress(`  ⚠️  Login UI client creation skipped: ${clientResult.error}`);
                         }
                     }
+                    const loginUiSettings = resolveUiDeploymentSettings({
+                        component: 'ar-login-ui',
+                        config: cfg,
+                        apiBaseUrl,
+                        loginUiClientId,
+                    });
+                    const adminUiSettings = resolveUiDeploymentSettings({
+                        component: 'ar-admin-ui',
+                        config: cfg,
+                        apiBaseUrl,
+                    });
                     pagesSummary = await deployAllPages({
                         env,
                         rootDir: resolve(rootDir),
                         dryRun,
                         onProgress: addProgress,
                         apiBaseUrl,
-                        uiEnvPath,
+                        perComponent: {
+                            'ar-login-ui': {
+                                apiBaseUrl: loginUiSettings.apiBaseUrl,
+                                runtimeApiBackendUrl: loginUiSettings.runtimeApiBackendUrl,
+                                uiEnvConfig: loginUiSettings.uiEnv,
+                                serviceBindingName: loginUiSettings.serviceBindingName,
+                            },
+                            'ar-admin-ui': {
+                                apiBaseUrl: adminUiSettings.apiBaseUrl,
+                                runtimeApiBackendUrl: adminUiSettings.runtimeApiBackendUrl,
+                                uiEnvConfig: adminUiSettings.uiEnv,
+                                serviceBindingName: adminUiSettings.serviceBindingName,
+                            },
+                        },
                     }, {
                         loginUi: cfg?.components?.loginUi ?? true,
                         adminUi: cfg?.components?.adminUi ?? true,
@@ -855,10 +936,13 @@ export function createApiRoutes() {
                 // Update lock file with deployed workers information
                 if (workersSuccess && !dryRun && summary.successCount > 0) {
                     try {
-                        const { loadLockFileAuto, saveLockFile: saveLock } = await import('../core/lock.js');
+                        const { loadLockFileAuto, saveLockFile: saveLock, AuthrimLockSchema, } = await import('../core/lock.js');
                         const { lock: currentLock, path: lockPath } = await loadLockFileAuto(rootDir, env);
-                        if (currentLock && lockPath) {
-                            const workers = { ...currentLock.workers };
+                        if (lockPath) {
+                            // Use existing lock or create minimal one (recovery scenario: lock deleted/missing)
+                            const now = new Date().toISOString();
+                            const baseLock = currentLock ?? AuthrimLockSchema.parse({ env, createdAt: now });
+                            const workers = { ...baseLock.workers };
                             for (const result of summary.results) {
                                 if (result.success && result.deployedAt) {
                                     workers[result.component] = {
@@ -869,9 +953,9 @@ export function createApiRoutes() {
                                 }
                             }
                             const updatedLock = {
-                                ...currentLock,
+                                ...baseLock,
                                 workers,
-                                updatedAt: new Date().toISOString(),
+                                updatedAt: now,
                             };
                             await saveLock(updatedLock, lockPath);
                             addProgress('Lock file updated with deployment info');
@@ -954,7 +1038,7 @@ export function createApiRoutes() {
         });
     });
     // Complete initial admin setup (store setup token in KV)
-    // Supports both new (.authrim/{env}/keys/) and legacy (.keys/{env}/) structures
+    // Supports external (.authrim-keys/), internal (.authrim/{env}/keys/), and legacy (.keys/{env}/) structures
     api.post('/admin/setup', async (c) => {
         return withLock(async () => {
             try {
@@ -964,9 +1048,17 @@ export function createApiRoutes() {
                 // Determine structure type
                 const resolved = resolvePaths({ baseDir, env });
                 const isLegacy = resolved.type === 'legacy';
-                const tokenPath = isLegacy
-                    ? resolved.paths.keyFiles.setupToken
-                    : resolved.paths.keyFiles.setupToken;
+                // Detect actual token path using 3-tier fallback (external → internal → legacy)
+                const foundKeys = findKeysDirectory({
+                    env,
+                    sourceDir: baseDir,
+                    keysBaseDir: process.cwd(),
+                });
+                const tokenPath = foundKeys
+                    ? join(foundKeys.path, 'setup_token.txt')
+                    : isLegacy
+                        ? resolved.paths.keyFiles.setupToken
+                        : resolved.paths.keyFiles.setupToken;
                 addProgress(`Admin setup request: env=${env}, baseUrl=${baseUrl}, structure=${resolved.type}`);
                 if (!env || !baseUrl) {
                     addProgress('Error: env and baseUrl are required');
@@ -978,6 +1070,7 @@ export function createApiRoutes() {
                     env,
                     baseUrl,
                     baseDir,
+                    keysBaseDir: process.cwd(),
                     legacy: isLegacy,
                     onProgress: addProgress,
                 });
@@ -1032,7 +1125,7 @@ export function createApiRoutes() {
         return withLock(async () => {
             try {
                 const body = await c.req.json();
-                const { kvNamespaceId, baseUrl } = body;
+                const { kvNamespaceId, baseUrl, env: envName } = body;
                 if (!kvNamespaceId || !/^[a-f0-9]{32}$/i.test(kvNamespaceId)) {
                     return c.json({ success: false, error: 'Invalid KV namespace ID' }, 400);
                 }
@@ -1053,8 +1146,29 @@ export function createApiRoutes() {
                 if (!result.success || !result.token) {
                     return c.json({ success: false, error: result.error || 'Failed to generate token' }, 500);
                 }
+                // Resolve the best base URL: prefer custom API domain from config
+                let resolvedBaseUrl = baseUrl;
+                if (envName) {
+                    try {
+                        const baseDir = findAuthrimBaseDir(process.cwd());
+                        const resolved = resolvePaths({ baseDir, env: envName });
+                        const configPath = resolved.type === 'new'
+                            ? resolved.paths.config
+                            : resolved.paths.config;
+                        if (existsSync(configPath)) {
+                            const cfg = JSON.parse(await readFile(configPath, 'utf-8'));
+                            const configBaseUrl = cfg?.urls?.api?.custom || cfg?.urls?.api?.auto;
+                            if (configBaseUrl) {
+                                resolvedBaseUrl = configBaseUrl;
+                            }
+                        }
+                    }
+                    catch {
+                        // Config not available, use the provided baseUrl
+                    }
+                }
                 // Construct setup URL
-                const cleanBaseUrl = baseUrl.replace(/\/+$/, '');
+                const cleanBaseUrl = resolvedBaseUrl.replace(/\/+$/, '');
                 const setupUrl = `${cleanBaseUrl}/admin-init-setup?token=${result.token}`;
                 return c.json({
                     success: true,
@@ -1440,40 +1554,53 @@ export function createApiRoutes() {
                         const apiBaseUrl = cfg?.urls?.api?.custom ||
                             cfg?.urls?.api?.auto ||
                             `https://${env}-ar-router.workers.dev`;
-                        // Get ui.env path for new structure
-                        let uiEnvPath;
-                        if (resolved.type === 'new') {
-                            uiEnvPath = resolved.paths.uiEnv;
-                            // Sync ui.env before build
-                            const apiHasCustomDomain = !!cfg?.urls?.api?.custom;
-                            const adminUiHasCustomDomain = !!cfg?.urls?.adminUi?.custom;
-                            const useDirectMode = apiHasCustomDomain && adminUiHasCustomDomain;
-                            const { saveUiEnv } = await import('../core/ui-env.js');
-                            try {
-                                if (useDirectMode) {
-                                    await saveUiEnv(uiEnvPath, {
-                                        PUBLIC_API_BASE_URL: apiBaseUrl,
-                                        API_BACKEND_URL: '',
-                                    });
+                        let loginUiClientId;
+                        if (componentName === 'ar-login-ui' && !dryRun) {
+                            const loginUiUrl = cfg?.urls?.loginUi?.custom ||
+                                cfg?.urls?.loginUi?.auto ||
+                                `https://${env}-ar-login-ui.pages.dev`;
+                            const foundKeys = findKeysDirectory({
+                                env,
+                                sourceDir: rootDir,
+                                keysBaseDir: process.cwd(),
+                            });
+                            const adminApiSecretPath = foundKeys
+                                ? join(foundKeys.path, 'admin_api_secret.txt')
+                                : resolved.paths.keyFiles.adminApiSecret;
+                            const { ensureLoginUiClient } = await import('../core/login-ui-client.js');
+                            const clientResult = await ensureLoginUiClient({
+                                apiBaseUrl,
+                                loginUiUrl,
+                                adminApiSecretPath,
+                                onProgress: addProgress,
+                            });
+                            if (clientResult.success && clientResult.clientId) {
+                                loginUiClientId = clientResult.clientId;
+                                if (clientResult.alreadyExists) {
+                                    addProgress(`  ✓ Login UI client exists: ${loginUiClientId}`);
                                 }
                                 else {
-                                    await saveUiEnv(uiEnvPath, {
-                                        PUBLIC_API_BASE_URL: '',
-                                        API_BACKEND_URL: apiBaseUrl,
-                                    });
+                                    addProgress(`  ✓ Login UI client created: ${loginUiClientId}`);
                                 }
-                                addProgress(`ui.env synced for ${componentName}`);
                             }
-                            catch {
-                                addProgress(`Warning: Could not sync ui.env`);
+                            else {
+                                addProgress(`  ⚠️  Login UI client creation skipped: ${clientResult.error}`);
                             }
                         }
+                        const uiSettings = resolveUiDeploymentSettings({
+                            component: componentName,
+                            config: cfg,
+                            apiBaseUrl,
+                            loginUiClientId,
+                        });
                         const result = await deployPagesComponent(componentName, {
                             env,
                             rootDir,
                             dryRun,
-                            apiBaseUrl,
-                            uiEnvPath,
+                            apiBaseUrl: uiSettings.apiBaseUrl,
+                            runtimeApiBackendUrl: uiSettings.runtimeApiBackendUrl,
+                            uiEnvConfig: uiSettings.uiEnv,
+                            serviceBindingName: uiSettings.serviceBindingName,
                             onProgress: addProgress,
                         });
                         if (result.success) {