@authrim/setup 0.1.140 → 0.1.142

package/dist/cli/commands/init.js

@@ -14,11 +14,55 @@ import { createRequire } from 'node:module';
 import { execa } from 'execa';
 import { createDefaultConfig, parseConfig } from '../../core/config.js';
 import { generateAllSecrets, saveKeysToDirectory, generateKeyId, keysExistForEnvironment, } from '../../core/keys.js';
-import { isWranglerInstalled, checkAuth, provisionResources, toResourceIds, getAccountId, detectEnvironments, getWorkersSubdomain, } from '../../core/cloudflare.js';
+import { isRunningFromSource, getCommandPrefix } from '../../core/source-context.js';
+import { isWranglerInstalled, checkAuth, provisionResources, toResourceIds, getAccountId, detectEnvironments, getWorkersSubdomain, checkZoneExists, extractZoneName, } from '../../core/cloudflare.js';
 import { createLockFile, saveLockFile, loadLockFile } from '../../core/lock.js';
-import { getEnvironmentPaths, getRelativeKeysPath, AUTHRIM_DIR } from '../../core/paths.js';
-import { downloadSource, verifySourceStructure, checkForUpdate } from '../../core/source.js';
-import { saveUiEnv } from '../../core/ui-env.js';
+import { getEnvironmentPaths, getExternalKeysDir, getExternalKeysPathForConfig, AUTHRIM_DIR, } from '../../core/paths.js';
+import { downloadSource, verifySourceStructure, checkForUpdate, getLocalVersion, } from '../../core/source.js';
+import { saveUiEnv, buildInitialUiEnvConfig } from '../../core/ui-env.js';
+import { buildUrlsConfig, getPagesDevUrl, getWorkersDevUrl, } from '../../core/url-config.js';
+/**
+ * Check Cloudflare zone for a domain and prompt user for binding configuration.
+ * Never blocks setup - all errors are handled gracefully.
+ */
+async function checkAndPromptZone(domain, domainConfig) {
+    const spinner = ora(t('domain.checkingZone', { domain })).start();
+    try {
+        const result = await checkZoneExists(domain);
+        spinner.stop();
+        if (result.error) {
+            console.log(chalk.yellow(`  ⚠ ${t('domain.zoneCheckFailed')}: ${result.error}`));
+            console.log(chalk.gray(`    ${t('domain.zoneCheckSkipped')}`));
+            return;
+        }
+        if (!result.found) {
+            const zoneName = extractZoneName(domain);
+            console.log(chalk.yellow(`  ⚠ ${t('domain.zoneNotFound', { zone: zoneName })}`));
+            console.log(chalk.gray(`    ${t('domain.zoneNotFoundHint')}`));
+            console.log('');
+            const ok = await confirm({ message: t('domain.continueWithoutZone'), default: true });
+            if (!ok) {
+                throw new Error('USER_CANCELLED_DOMAIN');
+            }
+            return;
+        }
+        // Zone found
+        console.log(chalk.green(`  ✓ ${t('domain.zoneFound', { zone: result.zone.name, status: result.zone.status })}`));
+        domainConfig.zoneId = result.zone.id;
+        console.log('');
+        const bind = await confirm({ message: t('domain.configureBinding'), default: true });
+        domainConfig.customDomainBinding = bind;
+    }
+    catch (error) {
+        spinner.stop();
+        if (error instanceof Error && error.message === 'USER_CANCELLED_DOMAIN') {
+            throw error;
+        }
+        // Unexpected error - don't block setup
+        console.log(chalk.yellow(`  ⚠ ${t('domain.zoneCheckFailed')}`));
+        console.log(chalk.gray(`    ${t('domain.zoneCheckSkipped')}`));
+    }
+}
 // =============================================================================
 // WSL Detection
 // =============================================================================
@@ -138,21 +182,12 @@ function printBanner() {
 // Store the workers.dev subdomain for URL generation
 let workersSubdomain = null;
 /**
- * Get the correct workers.dev URL with account subdomain
- * Format: {worker}.{subdomain}.workers.dev
+ * Strip the protocol from a URL for display in domain-only prompts.
  */
-function getWorkersDevUrl(workerName) {
-    if (workersSubdomain) {
-        return `https://${workerName}.${workersSubdomain}.workers.dev`;
-    }
-    return `https://${workerName}.workers.dev`;
-}
-/**
- * Get the correct pages.dev URL
- * Note: Pages uses {project}.pages.dev format (no account subdomain, unlike Workers)
- */
-function getPagesDevUrl(projectName) {
-    return `https://${projectName}.pages.dev`;
+function stripProtocol(url) {
+    if (!url)
+        return '';
+    return url.replace(/^https?:\/\//, '');
 }
 // =============================================================================
 // Source Directory Detection
@@ -179,6 +214,12 @@ function isAuthrimSourceDir(dir = '.') {
  */
 async function ensureAuthrimSource(options) {
     const currentDir = resolve('.');
+    // If running from source repository (pnpm setup), skip update check entirely
+    if (isRunningFromSource(currentDir)) {
+        const localVersion = await getLocalVersion(currentDir);
+        console.log(chalk.green(`✓ Using Authrim source (v${localVersion || 'unknown'}) [from source]`));
+        return currentDir;
+    }
     // Check if we're already in an Authrim source directory
     if (isAuthrimSourceDir(currentDir)) {
         // Check for updates
@@ -538,7 +579,7 @@ export async function initCommand(options) {
         console.log(chalk.gray(t('startup.cancelled')));
         console.log('');
         console.log(chalk.gray(t('startup.resumeLater')));
-        console.log(chalk.cyan('  npx @authrim/setup'));
+        console.log(chalk.cyan(`  ${getCommandPrefix()}`));
         console.log('');
         return;
     }
@@ -877,7 +918,7 @@ async function runLoadConfig() {
         console.log(chalk.yellow('No configuration found in current directory.'));
         console.log('');
         console.log(chalk.gray('💡 Tip: You can specify a config file with:'));
-        console.log(chalk.cyan('   npx @authrim/setup --config /path/to/.authrim/{env}/config.json'));
+        console.log(chalk.cyan(`   ${getCommandPrefix()} --config /path/to/.authrim/{env}/config.json`));
         console.log('');
         const action = await select({
             message: 'What would you like to do?',
@@ -936,7 +977,7 @@ async function runQuickSetup(options) {
             console.log(`    ${t('env.d1Databases', { count: String(existingEnv.d1.length) })}`);
             console.log(`    ${t('env.kvNamespaces', { count: String(existingEnv.kv.length) })}`);
             console.log('');
-            console.log(chalk.yellow('  ' + t('env.chooseAnother')));
+            console.log(chalk.yellow('  ' + t('env.chooseAnother', { command: getCommandPrefix() })));
             return;
         }
         checkSpinner.succeed(t('env.available'));
@@ -971,6 +1012,7 @@ async function runQuickSetup(options) {
     let apiDomain = null;
     let loginUiDomain = null;
     let adminUiDomain = null;
+    const quickDomainConfig = {};
     if (useCustomDomain) {
         console.log('');
         console.log(chalk.gray('  ' + t('domain.singleTenantNote')));
@@ -986,6 +1028,18 @@ async function runQuickSetup(options) {
                 return true;
             },
         });
+        // Check Cloudflare zone for the domain
+        if (apiDomain) {
+            console.log('');
+            try {
+                await checkAndPromptZone(apiDomain, quickDomainConfig);
+            }
+            catch {
+                // User cancelled - clear domain and continue
+                apiDomain = null;
+            }
+            console.log('');
+        }
         loginUiDomain = await input({
             message: t('domain.loginUiDomain'),
             default: '',
@@ -1105,22 +1159,15 @@ async function runQuickSetup(options) {
             configured: emailConfig.provider === 'resend',
         },
     };
-    config.urls = {
-        api: {
-            custom: apiDomain || null,
-            auto: getWorkersDevUrl(envPrefix + '-ar-router'),
-        },
-        loginUi: {
-            custom: loginUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-login-ui'),
-            sameAsApi: false,
-        },
-        adminUi: {
-            custom: adminUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-admin-ui'),
-            sameAsApi: false,
-        },
-    };
+    config.urls = buildUrlsConfig({
+        env: envPrefix,
+        apiDomain,
+        loginUiDomain,
+        adminUiDomain,
+        zoneId: quickDomainConfig.zoneId ?? null,
+        customDomainBinding: quickDomainConfig.customDomainBinding ?? false,
+        workersSubdomain,
+    });
     // Show summary
     console.log('');
     console.log(chalk.blue('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
@@ -1158,15 +1205,20 @@ async function runQuickSetup(options) {
     }
     // Save email secrets if configured
     if (emailConfig.provider === 'resend' && emailConfig.apiKey) {
-        // Use new structure for fresh setups
-        const paths = getEnvironmentPaths({ baseDir: process.cwd(), env: envPrefix });
-        const keysDir = paths.keys;
+        // Save to external keys directory: {cwd}/.authrim-keys/{env}/
+        const keysDir = getExternalKeysDir(envPrefix, process.cwd());
         await import('node:fs/promises').then(async (fs) => {
-            await fs.mkdir(keysDir, { recursive: true });
-            await fs.writeFile(paths.keyFiles.resendApiKey, emailConfig.apiKey.trim());
-            await fs.writeFile(paths.keyFiles.emailFrom, emailConfig.fromAddress.trim());
+            await fs.mkdir(keysDir, { recursive: true, mode: 0o700 });
+            const resendApiKeyPath = join(keysDir, 'resend_api_key.txt');
+            await fs.writeFile(resendApiKeyPath, emailConfig.apiKey.trim());
+            await fs.chmod(resendApiKeyPath, 0o600);
+            const emailFromPath = join(keysDir, 'email_from.txt');
+            await fs.writeFile(emailFromPath, emailConfig.fromAddress.trim());
+            await fs.chmod(emailFromPath, 0o600);
             if (emailConfig.fromName) {
-                await fs.writeFile(`${keysDir}/email_from_name.txt`, emailConfig.fromName.trim());
+                const emailFromNamePath = join(keysDir, 'email_from_name.txt');
+                await fs.writeFile(emailFromNamePath, emailConfig.fromName.trim());
+                await fs.chmod(emailFromNamePath, 0o600);
             }
         });
         console.log(chalk.gray(`📧 Email secrets saved to ${keysDir}/`));
@@ -1207,7 +1259,7 @@ async function runNormalSetup(options) {
             console.log(`    ${t('env.d1Databases', { count: String(existingEnv.d1.length) })}`);
             console.log(`    ${t('env.kvNamespaces', { count: String(existingEnv.kv.length) })}`);
             console.log('');
-            console.log(chalk.yellow('  ' + t('env.chooseAnother')));
+            console.log(chalk.yellow('  ' + t('env.chooseAnother', { command: getCommandPrefix() })));
             return;
         }
         checkSpinner.succeed(t('env.available'));
@@ -1266,44 +1318,58 @@ async function runNormalSetup(options) {
     // Step 5: Tenant configuration
     console.log(chalk.blue('━━━ ' + t('tenant.title') + ' ━━━'));
     console.log('');
-    const multiTenant = await confirm({
-        message: t('tenant.multiTenantPrompt'),
-        default: false,
-    });
     let tenantName = 'default';
     let tenantDisplayName = 'Default Tenant';
     let baseDomain;
-    // Step 6: URL configuration (depends on tenant mode)
+    let primaryTenant;
+    let nakedDomain = false;
+    let userIdFormat = 'nanoid';
+    // Step 6: URL configuration
     let apiDomain = null;
     let loginUiDomain = null;
     let adminUiDomain = null;
-    if (multiTenant) {
-        // Multi-tenant mode: base domain is required, becomes the issuer base
-        console.log('');
-        console.log(chalk.blue('━━━ ' + t('tenant.multiTenantTitle') + ' ━━━'));
-        console.log('');
-        console.log(chalk.gray('  ' + t('tenant.multiTenantNote1')));
-        console.log(chalk.gray('    • ' + t('tenant.multiTenantNote2')));
-        console.log(chalk.gray('    • ' + t('tenant.multiTenantNote3')));
-        console.log(chalk.gray('    • ' + t('tenant.multiTenantNote4')));
-        console.log('');
-        baseDomain = await input({
-            message: t('tenant.baseDomainPrompt'),
-            validate: (value) => {
-                if (!value)
-                    return t('tenant.baseDomainRequired');
-                if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(value)) {
-                    return t('tenant.baseDomainValidation');
-                }
+    const fullDomainConfig = {};
+    // Base domain configuration
+    console.log('');
+    console.log(chalk.blue('━━━ ' + t('tenant.multiTenantTitle') + ' ━━━'));
+    console.log('');
+    console.log(chalk.gray('  Leave empty to use workers.dev and single-tenant mode.'));
+    console.log(chalk.gray('  With a custom domain:'));
+    console.log(chalk.gray('    • https://example.com (naked domain issuer)'));
+    console.log(chalk.gray('    • https://acme.example.com (tenant subdomain issuer)'));
+    console.log('');
+    baseDomain = await input({
+        message: t('tenant.baseDomainPrompt'),
+        validate: (value) => {
+            if (!value)
                 return true;
-            },
-        });
-        console.log('');
-        console.log(chalk.green('  ✓ ' + t('tenant.issuerFormat', { domain: baseDomain })));
-        console.log(chalk.gray('    ' + t('tenant.issuerExample', { domain: baseDomain })));
-        console.log('');
-        // API domain in multi-tenant is the base domain (or custom apex)
-        apiDomain = baseDomain;
+            if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(value)) {
+                return t('tenant.baseDomainValidation');
+            }
+            return true;
+        },
+    });
+    baseDomain = baseDomain || undefined;
+    console.log('');
+    if (baseDomain) {
+        console.log(chalk.green('  ✓ Base domain: ' + baseDomain));
+    }
+    else {
+        console.log(chalk.green('  ✓ Using workers.dev (single-tenant mode)'));
+    }
+    // Check Cloudflare zone for the base domain
+    if (baseDomain) {
+        try {
+            await checkAndPromptZone(baseDomain, fullDomainConfig);
+        }
+        catch {
+            // User cancelled - this is non-fatal, continue with setup
+        }
+    }
+    console.log('');
+    // API domain is the base domain
+    apiDomain = baseDomain || null;
+    if (baseDomain) {
         tenantName = await input({
             message: t('tenant.defaultTenantPrompt'),
             default: 'default',
@@ -1314,80 +1380,78 @@ async function runNormalSetup(options) {
                 return true;
             },
         });
-        tenantDisplayName = await input({
-            message: t('tenant.displayNamePrompt'),
-            default: 'Default Tenant',
-        });
-        // UI domains for multi-tenant
-        console.log('');
-        console.log(chalk.blue('━━━ ' + t('tenant.uiDomainTitle') + ' ━━━'));
-        console.log('');
-        const useCustomUiDomain = await confirm({
-            message: t('tenant.customUiDomainPrompt'),
-            default: false,
-        });
-        if (useCustomUiDomain) {
-            loginUiDomain = await input({
-                message: t('tenant.loginUiDomain'),
-                default: '',
-            });
-            adminUiDomain = await input({
-                message: t('tenant.adminUiDomain'),
-                default: '',
-            });
-        }
     }
     else {
-        // Single-tenant mode
-        console.log('');
-        console.log(chalk.blue('━━━ ' + t('tenant.singleTenantTitle') + ' ━━━'));
-        console.log('');
-        console.log(chalk.gray('  ' + t('tenant.singleTenantNote1')));
-        console.log(chalk.gray('    • ' + t('tenant.singleTenantNote2')));
-        console.log(chalk.gray('    • ' + t('tenant.singleTenantNote3')));
-        console.log('');
-        tenantDisplayName = await input({
-            message: t('tenant.organizationName'),
-            default: 'Default Tenant',
-        });
-        const useCustomDomain = await confirm({
-            message: t('domain.prompt'),
+        tenantName = 'default';
+    }
+    tenantDisplayName = await input({
+        message: t('tenant.displayNamePrompt'),
+        default: 'Default Tenant',
+    });
+    if (baseDomain) {
+        nakedDomain = await confirm({
+            message: 'Use naked domain as the issuer for the primary tenant?',
             default: false,
         });
-        if (useCustomDomain) {
-            console.log('');
-            console.log(chalk.gray('  ' + t('domain.enterDomains')));
-            console.log('');
-            apiDomain = await input({
-                message: t('domain.apiDomain'),
+        if (nakedDomain) {
+            primaryTenant = await input({
+                message: 'Primary tenant ID for naked domain (leave empty for default tenant)',
+                default: '',
                 validate: (value) => {
-                    if (!value)
+                    if (!value) {
                         return true;
-                    if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(value)) {
-                        return t('domain.customValidation');
+                    }
+                    if (!/^[a-z][a-z0-9-]*$/.test(value)) {
+                        return 'Tenant ID must start with a letter and contain only lowercase letters, numbers, and hyphens';
                     }
                     return true;
                 },
             });
-            loginUiDomain = await input({
-                message: t('domain.loginUiDomain'),
-                default: '',
-            });
-            adminUiDomain = await input({
-                message: t('domain.adminUiDomain'),
-                default: '',
-            });
-        }
-        if (apiDomain) {
-            console.log('');
-            console.log(chalk.green('  ✓ ' + t('domain.issuerUrl', { url: 'https://' + apiDomain })));
-        }
-        else {
-            console.log('');
-            console.log(chalk.green('  ✓ ' + t('domain.issuerUrl', { url: getWorkersDevUrl(envPrefix + '-ar-router') })));
-            console.log(chalk.gray('    ' + t('domain.usingWorkersDev')));
+            primaryTenant = primaryTenant || undefined;
         }
     }
+    // User ID format selection
+    console.log('');
+    console.log(chalk.blue('━━━ ' + t('userId.title') + ' ━━━'));
+    console.log('');
+    console.log(chalk.gray('  ' + t('userId.note')));
+    console.log('');
+    userIdFormat = await select({
+        message: t('userId.prompt'),
+        choices: [
+            {
+                name: t('userId.nanoid'),
+                value: 'nanoid',
+                description: t('userId.nanoidDesc'),
+            },
+            {
+                name: t('userId.uuid'),
+                value: 'uuid',
+                description: t('userId.uuidDesc'),
+            },
+        ],
+        default: 'nanoid',
+    });
+    console.log('');
+    console.log(chalk.green('  ✓ ' + t('userId.selected', { format: userIdFormat })));
+    // UI domains
+    console.log('');
+    console.log(chalk.blue('━━━ ' + t('tenant.uiDomainTitle') + ' ━━━'));
+    console.log('');
+    const useCustomUiDomain = await confirm({
+        message: t('tenant.customUiDomainPrompt'),
+        default: false,
+    });
+    if (useCustomUiDomain) {
+        loginUiDomain = await input({
+            message: t('tenant.loginUiDomain'),
+            default: '',
+        });
+        adminUiDomain = await input({
+            message: t('tenant.adminUiDomain'),
+            default: '',
+        });
+    }
     // Step 5: Optional components
     console.log('');
     console.log(chalk.blue('━━━ ' + t('components.title') + ' ━━━'));
@@ -1648,8 +1712,11 @@ async function runNormalSetup(options) {
     config.tenant = {
         name: tenantName,
         displayName: tenantDisplayName,
-        multiTenant,
+        multiTenant: !!baseDomain,
         baseDomain,
+        userIdFormat,
+        primaryTenant,
+        nakedDomain,
     };
     config.components = {
         ...config.components,
@@ -1659,22 +1726,15 @@ async function runNormalSetup(options) {
         bridge: true, // Standard component
         policy: true, // Standard component
     };
-    config.urls = {
-        api: {
-            custom: apiDomain || null,
-            auto: getWorkersDevUrl(envPrefix + '-ar-router'),
-        },
-        loginUi: {
-            custom: loginUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-login-ui'),
-            sameAsApi: false,
-        },
-        adminUi: {
-            custom: adminUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-admin-ui'),
-            sameAsApi: false,
-        },
-    };
+    config.urls = buildUrlsConfig({
+        env: envPrefix,
+        apiDomain,
+        loginUiDomain,
+        adminUiDomain,
+        zoneId: fullDomainConfig.zoneId ?? null,
+        customDomainBinding: fullDomainConfig.customDomainBinding ?? false,
+        workersSubdomain,
+    });
     config.oidc = {
         ...config.oidc,
         accessTokenTtl,
@@ -1717,14 +1777,17 @@ async function runNormalSetup(options) {
     console.log('');
     // Tenant mode and Issuer
     console.log(chalk.bold('Tenant & Issuer:'));
-    console.log(`  Mode:          ${multiTenant ? chalk.cyan('Multi-tenant') : chalk.cyan('Single-tenant')}`);
-    if (multiTenant && baseDomain) {
+    console.log(`  Mode:          ${chalk.cyan(baseDomain ? 'Multi-tenant' : 'Single-tenant')}`);
+    if (baseDomain) {
         console.log(`  Base Domain:   ${chalk.cyan(baseDomain)}`);
-        console.log(`  Issuer Format: ${chalk.cyan('https://{tenant}.' + baseDomain)}`);
-        console.log(`  Example:       ${chalk.gray('https://acme.' + baseDomain)}`);
+        console.log(`  Domain Pattern: ${chalk.cyan('{tenant}.' + baseDomain)}`);
+        console.log(`  Example:       ${chalk.gray(nakedDomain ? 'https://' + baseDomain : 'https://acme.' + baseDomain)}`);
+        if (nakedDomain) {
+            console.log(`  Naked Domain:  ${chalk.cyan(primaryTenant || tenantName)} ${chalk.gray('(primary tenant issuer)')}`);
+        }
     }
     else {
-        const issuerUrl = config.urls.api.custom || config.urls.api.auto;
+        const issuerUrl = config.urls?.api?.custom || config.urls?.api?.auto;
         console.log(`  Issuer URL:    ${chalk.cyan(issuerUrl)}`);
     }
     console.log(`  Default Tenant: ${chalk.cyan(tenantName)}`);
@@ -1732,8 +1795,11 @@ async function runNormalSetup(options) {
     console.log('');
     // Public URLs
     console.log(chalk.bold('Public URLs:'));
-    if (multiTenant && baseDomain) {
+    if (baseDomain) {
         console.log(`  API Router:    ${chalk.cyan('*.' + baseDomain)} → ${chalk.gray(envPrefix + '-ar-router')}`);
+        if (nakedDomain) {
+            console.log(`  API Router:    ${chalk.cyan(baseDomain + ' (naked)')} → ${chalk.gray(envPrefix + '-ar-router')}`);
+        }
     }
     else {
         console.log(`  API Router:    ${chalk.cyan(config.urls.api.custom || config.urls.api.auto)}`);
@@ -1797,15 +1863,20 @@ async function runNormalSetup(options) {
     }
     // Save email secrets if configured
     if (emailConfigNormal.provider === 'resend' && emailConfigNormal.apiKey) {
-        // Use new structure for fresh setups
-        const paths = getEnvironmentPaths({ baseDir: process.cwd(), env: envPrefix });
-        const keysDir = paths.keys;
+        // Save to external keys directory: {cwd}/.authrim-keys/{env}/
+        const keysDir = getExternalKeysDir(envPrefix, process.cwd());
         await import('node:fs/promises').then(async (fs) => {
-            await fs.mkdir(keysDir, { recursive: true });
-            await fs.writeFile(paths.keyFiles.resendApiKey, emailConfigNormal.apiKey.trim());
-            await fs.writeFile(paths.keyFiles.emailFrom, emailConfigNormal.fromAddress.trim());
+            await fs.mkdir(keysDir, { recursive: true, mode: 0o700 });
+            const resendApiKeyPath = join(keysDir, 'resend_api_key.txt');
+            await fs.writeFile(resendApiKeyPath, emailConfigNormal.apiKey.trim());
+            await fs.chmod(resendApiKeyPath, 0o600);
+            const emailFromPath = join(keysDir, 'email_from.txt');
+            await fs.writeFile(emailFromPath, emailConfigNormal.fromAddress.trim());
+            await fs.chmod(emailFromPath, 0o600);
             if (emailConfigNormal.fromName) {
-                await fs.writeFile(`${keysDir}/email_from_name.txt`, emailConfigNormal.fromName.trim());
+                const emailFromNamePath = join(keysDir, 'email_from_name.txt');
+                await fs.writeFile(emailFromNamePath, emailConfigNormal.fromName.trim());
+                await fs.chmod(emailFromNamePath, 0o600);
             }
         });
         console.log(chalk.gray(`📧 Email secrets saved to ${keysDir}/`));
@@ -1861,9 +1932,10 @@ async function executeSetup(config, cfApiToken, keepPath) {
         console.error(error);
         return;
     }
-    // Step 1: Generate keys (environment-specific directory)
+    // Step 1: Generate keys (external directory: .authrim-keys/{env}/)
     // Check if keys already exist for this environment
-    if (keysExistForEnvironment(outputDir, env)) {
+    const cwdDir = process.cwd();
+    if (keysExistForEnvironment(outputDir, env, cwdDir)) {
         console.log(chalk.yellow(`⚠️  Warning: Keys already exist for environment "${env}"`));
         console.log(chalk.yellow('   Existing keys will be overwritten.'));
         console.log('');
@@ -1872,16 +1944,17 @@ async function executeSetup(config, cfApiToken, keepPath) {
     try {
         const keyId = generateKeyId(env);
         secrets = generateAllSecrets(keyId);
-        // Save to new structure: .authrim/{env}/keys/
-        const envPaths = getEnvironmentPaths({ baseDir: outputDir, env });
-        await saveKeysToDirectory(secrets, { baseDir: outputDir, env });
+        // Save to external structure: {cwd}/.authrim-keys/{env}/
+        const externalKeysDir = getExternalKeysDir(env, cwdDir);
+        await saveKeysToDirectory(secrets, { keysBaseDir: cwdDir, env });
         config.keys = {
             keyId: secrets.keyPair.keyId,
             publicKeyJwk: secrets.keyPair.publicKeyJwk,
-            secretsPath: getRelativeKeysPath(), // './keys/' (relative from config location)
+            secretsPath: getExternalKeysPathForConfig(env, cwdDir),
             includeSecrets: false,
+            storageType: 'external',
         };
-        keysSpinner.succeed(`Keys generated (${envPaths.keys})`);
+        keysSpinner.succeed(`Keys generated (${externalKeysDir})`);
     }
     catch (error) {
         keysSpinner.fail('Failed to generate keys');
@@ -1949,11 +2022,9 @@ async function executeSetup(config, cfApiToken, keepPath) {
     // Step 4.5: Generate ui.env for UI builds
     const uiEnvSpinner = ora('Generating UI environment file...').start();
     try {
-        const apiBaseUrl = config.urls?.api?.custom || config.urls?.api?.auto || '';
-        if (apiBaseUrl) {
-            await saveUiEnv(envPaths.uiEnv, {
-                PUBLIC_API_BASE_URL: apiBaseUrl,
-            });
+        const initialUiEnv = buildInitialUiEnvConfig(config);
+        if (initialUiEnv) {
+            await saveUiEnv(envPaths.uiEnv, initialUiEnv);
             uiEnvSpinner.succeed(`UI env saved (${envPaths.uiEnv})`);
         }
         else {
@@ -2063,7 +2134,7 @@ async function executeSetup(config, cfApiToken, keepPath) {
     console.log(chalk.bold('📋 Next Steps:'));
     console.log('');
     console.log('  1. Upload secrets to Cloudflare:');
-    console.log(chalk.cyan(`     npx @authrim/setup secrets --env=${env}`));
+    console.log(chalk.cyan(`     ${getCommandPrefix()} secrets --env=${env}`));
     console.log('');
     console.log('  2. Deploy Workers:');
     console.log(chalk.cyan(`     pnpm deploy --env=${env}`));
@@ -2347,7 +2418,7 @@ async function editUrls(config) {
     console.log('');
     const apiDomain = await input({
         message: 'API (issuer) domain (leave empty for workers.dev)',
-        default: config.urls.api?.custom || '',
+        default: stripProtocol(config.urls.api?.custom),
         validate: (value) => {
             if (!value)
                 return true;
@@ -2357,28 +2428,36 @@ async function editUrls(config) {
             return true;
         },
     });
+    // Check Cloudflare zone for the domain
+    const updateDomainConfig = {};
+    if (apiDomain) {
+        console.log('');
+        try {
+            await checkAndPromptZone(apiDomain, updateDomainConfig);
+        }
+        catch {
+            // User cancelled - non-fatal
+        }
+        console.log('');
+    }
     const loginUiDomain = await input({
         message: 'Login UI domain (leave empty for pages.dev)',
-        default: config.urls.loginUi?.custom || '',
+        default: stripProtocol(config.urls.loginUi?.custom),
     });
     const adminUiDomain = await input({
         message: 'Admin UI domain (leave empty for pages.dev)',
-        default: config.urls.adminUi?.custom || '',
+        default: stripProtocol(config.urls.adminUi?.custom),
+    });
+    config.urls = buildUrlsConfig({
+        env,
+        apiDomain,
+        loginUiDomain,
+        adminUiDomain,
+        zoneId: updateDomainConfig.zoneId,
+        customDomainBinding: updateDomainConfig.customDomainBinding,
+        workersSubdomain,
+        existingUrls: config.urls,
     });
-    config.urls.api = {
-        custom: apiDomain || null,
-        auto: config.urls.api?.auto || getWorkersDevUrl(env + '-ar-router'),
-    };
-    config.urls.loginUi = {
-        custom: loginUiDomain || null,
-        auto: config.urls.loginUi?.auto || getPagesDevUrl(env + '-ar-login-ui'),
-        sameAsApi: config.urls.loginUi?.sameAsApi ?? false,
-    };
-    config.urls.adminUi = {
-        custom: adminUiDomain || null,
-        auto: config.urls.adminUi?.auto || getPagesDevUrl(env + '-ar-admin-ui'),
-        sameAsApi: config.urls.adminUi?.sameAsApi ?? false,
-    };
     return true;
 }
 // =============================================================================