@authrim/setup 0.1.140 → 0.1.142

package/dist/core/cloudflare.js

@@ -109,15 +109,11 @@ export async function getAccountId() {
     }
 }
 /**
- * Get the workers.dev subdomain for the account
- * This is needed because workers.dev URLs are: {worker}.{subdomain}.workers.dev
+ * Get Cloudflare API token from wrangler config or environment variable.
+ * Searches platform-specific paths for OAuth token, falls back to CLOUDFLARE_API_TOKEN env var.
  */
-export async function getWorkersSubdomain() {
+export async function getCloudflareApiToken() {
     try {
-        const accountId = await getAccountId();
-        if (!accountId)
-            return null;
-        // Read OAuth token from wrangler config
         const { readFile } = await import('node:fs/promises');
         const { homedir, platform } = await import('node:os');
         const { join } = await import('node:path');
@@ -126,23 +122,16 @@ export async function getWorkersSubdomain() {
         const home = homedir();
         const configPaths = [];
         if (platform() === 'darwin') {
-            // macOS: ~/Library/Preferences/.wrangler/config/default.toml (XDG-compliant)
             configPaths.push(join(home, 'Library/Preferences/.wrangler/config/default.toml'));
-            // macOS legacy fallback
             configPaths.push(join(home, '.wrangler/config/default.toml'));
         }
         else if (platform() === 'win32') {
-            // Windows: Multiple possible locations
             const appData = process.env.APPDATA;
             if (appData) {
-                // 1. XDG-compliant: %APPDATA%\xdg.config\.wrangler\config\default.toml (CORRECT PATH)
                 configPaths.push(join(appData, 'xdg.config/.wrangler/config/default.toml'));
-                // Also try without xdg.config prefix
                 configPaths.push(join(appData, '.wrangler/config/default.toml'));
             }
-            // 2. Legacy: %USERPROFILE%\.wrangler\config\default.toml
             configPaths.push(join(home, '.wrangler/config/default.toml'));
-            // 3. %LOCALAPPDATA%
             const localAppData = process.env.LOCALAPPDATA;
             if (localAppData) {
                 configPaths.push(join(localAppData, 'xdg.config/.wrangler/config/default.toml'));
@@ -150,13 +139,10 @@ export async function getWorkersSubdomain() {
             }
         }
         else {
-            // Linux: XDG-compliant path
             const xdgConfigHome = process.env.XDG_CONFIG_HOME || join(home, '.config');
             configPaths.push(join(xdgConfigHome, '.wrangler/config/default.toml'));
-            // Linux legacy fallback
             configPaths.push(join(home, '.wrangler/config/default.toml'));
         }
-        let oauthToken = null;
         for (const configPath of configPaths) {
             if (!existsSync(configPath))
                 continue;
@@ -164,28 +150,39 @@ export async function getWorkersSubdomain() {
                 const configContent = await readFile(configPath, 'utf-8');
                 const tokenMatch = configContent.match(/oauth_token\s*=\s*"([^"]+)"/);
                 if (tokenMatch?.[1]) {
-                    oauthToken = tokenMatch[1];
-                    break;
+                    return { token: tokenMatch[1], source: 'oauth' };
                 }
             }
             catch {
                 // Continue to next path
             }
         }
-        if (!oauthToken) {
-            // Try using CLOUDFLARE_API_TOKEN environment variable as fallback
-            const apiToken = process.env.CLOUDFLARE_API_TOKEN;
-            if (apiToken) {
-                oauthToken = apiToken;
-            }
-            else {
-                return null;
-            }
+        // Fallback to CLOUDFLARE_API_TOKEN environment variable
+        const apiToken = process.env.CLOUDFLARE_API_TOKEN;
+        if (apiToken) {
+            return { token: apiToken, source: 'env' };
         }
-        // Call Cloudflare API to get subdomain
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get the workers.dev subdomain for the account
+ * This is needed because workers.dev URLs are: {worker}.{subdomain}.workers.dev
+ */
+export async function getWorkersSubdomain() {
+    try {
+        const accountId = await getAccountId();
+        if (!accountId)
+            return null;
+        const tokenInfo = await getCloudflareApiToken();
+        if (!tokenInfo)
+            return null;
         const response = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/subdomain`, {
             headers: {
-                Authorization: `Bearer ${oauthToken}`,
+                Authorization: `Bearer ${tokenInfo.token}`,
             },
         });
         if (!response.ok)
@@ -197,6 +194,488 @@ export async function getWorkersSubdomain() {
         return null;
     }
 }
+/**
+ * Extract zone name (registrable domain) from a hostname.
+ * e.g., "auth.example.com" → "example.com"
+ *       "example.co.jp" → "example.co.jp"
+ */
+export function extractZoneName(hostname) {
+    const parts = hostname.split('.');
+    // Comprehensive two-part TLD list based on the Public Suffix List (PSL).
+    // Only includes patterns commonly used for web hosting on Cloudflare.
+    // Sorted alphabetically by country code.
+    const twoPartTlds = new Set([
+        // ae - United Arab Emirates
+        'ac.ae',
+        'co.ae',
+        'net.ae',
+        'org.ae',
+        // ar - Argentina
+        'com.ar',
+        'net.ar',
+        'org.ar',
+        // at - Austria
+        'co.at',
+        'or.at',
+        // au - Australia
+        'com.au',
+        'net.au',
+        'org.au',
+        // bd - Bangladesh
+        'com.bd',
+        'net.bd',
+        'org.bd',
+        // bh - Bahrain
+        'com.bh',
+        'net.bh',
+        'org.bh',
+        // bn - Brunei
+        'com.bn',
+        'net.bn',
+        'org.bn',
+        // bo - Bolivia
+        'com.bo',
+        'net.bo',
+        'org.bo',
+        // br - Brazil
+        'com.br',
+        'net.br',
+        'org.br',
+        // bw - Botswana
+        'co.bw',
+        'org.bw',
+        // bz - Belize
+        'co.bz',
+        'com.bz',
+        'net.bz',
+        'org.bz',
+        // cn - China
+        'com.cn',
+        'net.cn',
+        'org.cn',
+        // co - Colombia
+        'com.co',
+        'net.co',
+        'org.co',
+        // cr - Costa Rica
+        'co.cr',
+        'or.cr',
+        // cu - Cuba
+        'com.cu',
+        'net.cu',
+        'org.cu',
+        // cy - Cyprus
+        'com.cy',
+        'net.cy',
+        'org.cy',
+        // do - Dominican Republic
+        'com.do',
+        'net.do',
+        'org.do',
+        // dz - Algeria
+        'com.dz',
+        'net.dz',
+        'org.dz',
+        // ec - Ecuador
+        'com.ec',
+        'net.ec',
+        'org.ec',
+        // eg - Egypt
+        'com.eg',
+        'net.eg',
+        'org.eg',
+        // et - Ethiopia
+        'com.et',
+        'net.et',
+        'org.et',
+        // fj - Fiji
+        'com.fj',
+        'net.fj',
+        'org.fj',
+        // ge - Georgia
+        'com.ge',
+        'net.ge',
+        'org.ge',
+        // gh - Ghana
+        'com.gh',
+        'net.gh',
+        'org.gh',
+        // gr - Greece
+        'com.gr',
+        'net.gr',
+        'org.gr',
+        // gt - Guatemala
+        'com.gt',
+        'net.gt',
+        'org.gt',
+        // gy - Guyana
+        'co.gy',
+        'com.gy',
+        'net.gy',
+        'org.gy',
+        // hk - Hong Kong
+        'com.hk',
+        'net.hk',
+        'org.hk',
+        // hn - Honduras
+        'com.hn',
+        'net.hn',
+        'org.hn',
+        // hr - Croatia
+        'com.hr',
+        // id - Indonesia
+        'co.id',
+        'or.id',
+        'web.id',
+        'net.id',
+        // il - Israel
+        'co.il',
+        'net.il',
+        'org.il',
+        // im - Isle of Man
+        'co.im',
+        'com.im',
+        'net.im',
+        'org.im',
+        // in - India
+        'co.in',
+        'net.in',
+        'org.in',
+        // io - British Indian Ocean Territory
+        'com.io',
+        'net.io',
+        'org.io',
+        // iq - Iraq
+        'com.iq',
+        'net.iq',
+        'org.iq',
+        // ir - Iran
+        'co.ir',
+        'net.ir',
+        'org.ir',
+        // je - Jersey
+        'co.je',
+        'net.je',
+        'org.je',
+        // jo - Jordan
+        'com.jo',
+        'net.jo',
+        'org.jo',
+        // jp - Japan
+        'co.jp',
+        'ne.jp',
+        'or.jp',
+        'ac.jp',
+        'go.jp',
+        'gr.jp',
+        'ed.jp',
+        'ad.jp',
+        'lg.jp',
+        // ke - Kenya
+        'co.ke',
+        'or.ke',
+        'ne.ke',
+        // kh - Cambodia (uses .com.kh etc.)
+        'com.kh',
+        'net.kh',
+        'org.kh',
+        // kr - South Korea
+        'co.kr',
+        'or.kr',
+        'ne.kr',
+        // kw - Kuwait
+        'com.kw',
+        'net.kw',
+        'org.kw',
+        // kz - Kazakhstan
+        'com.kz',
+        'net.kz',
+        'org.kz',
+        // lb - Lebanon
+        'com.lb',
+        'net.lb',
+        'org.lb',
+        // lc - Saint Lucia
+        'co.lc',
+        'com.lc',
+        'net.lc',
+        'org.lc',
+        // lk - Sri Lanka
+        'com.lk',
+        'net.lk',
+        'org.lk',
+        // ly - Libya
+        'com.ly',
+        'net.ly',
+        'org.ly',
+        // ma - Morocco
+        'co.ma',
+        'net.ma',
+        'org.ma',
+        // mm - Myanmar
+        'com.mm',
+        'net.mm',
+        'org.mm',
+        // mo - Macau
+        'com.mo',
+        'net.mo',
+        'org.mo',
+        // mt - Malta
+        'com.mt',
+        'net.mt',
+        'org.mt',
+        // mu - Mauritius
+        'co.mu',
+        'com.mu',
+        'net.mu',
+        'org.mu',
+        // mv - Maldives
+        'com.mv',
+        'net.mv',
+        'org.mv',
+        // mx - Mexico
+        'com.mx',
+        'net.mx',
+        'org.mx',
+        // my - Malaysia
+        'com.my',
+        'net.my',
+        'org.my',
+        // mz - Mozambique
+        'co.mz',
+        'net.mz',
+        'org.mz',
+        // na - Namibia
+        'co.na',
+        'com.na',
+        'net.na',
+        'org.na',
+        // ng - Nigeria
+        'com.ng',
+        'net.ng',
+        'org.ng',
+        // ni - Nicaragua
+        'com.ni',
+        'net.ni',
+        'org.ni',
+        // np - Nepal
+        'com.np',
+        'net.np',
+        'org.np',
+        // nz - New Zealand
+        'co.nz',
+        'net.nz',
+        'org.nz',
+        // om - Oman
+        'com.om',
+        'net.om',
+        'org.om',
+        // pa - Panama
+        'com.pa',
+        'net.pa',
+        'org.pa',
+        // pe - Peru
+        'com.pe',
+        'net.pe',
+        'org.pe',
+        // pg - Papua New Guinea
+        'com.pg',
+        'net.pg',
+        'org.pg',
+        // ph - Philippines
+        'com.ph',
+        'net.ph',
+        'org.ph',
+        // pk - Pakistan
+        'com.pk',
+        'net.pk',
+        'org.pk',
+        // pr - Puerto Rico
+        'com.pr',
+        'net.pr',
+        'org.pr',
+        // ps - Palestine
+        'com.ps',
+        'net.ps',
+        'org.ps',
+        // pt - Portugal
+        'com.pt',
+        'net.pt',
+        'org.pt',
+        // py - Paraguay
+        'com.py',
+        'net.py',
+        'org.py',
+        // qa - Qatar
+        'com.qa',
+        'net.qa',
+        'org.qa',
+        // ro - Romania
+        'com.ro',
+        'net.ro',
+        'org.ro',
+        // rs - Serbia
+        'co.rs',
+        'org.rs',
+        // ru - Russia (ru uses direct TLD, but also has some patterns)
+        'com.ru',
+        'net.ru',
+        'org.ru',
+        // rw - Rwanda
+        'co.rw',
+        'net.rw',
+        'org.rw',
+        // sa - Saudi Arabia
+        'com.sa',
+        'net.sa',
+        'org.sa',
+        // sb - Solomon Islands
+        'com.sb',
+        'net.sb',
+        'org.sb',
+        // sc - Seychelles
+        'com.sc',
+        'net.sc',
+        'org.sc',
+        // sd - Sudan
+        'com.sd',
+        'net.sd',
+        'org.sd',
+        // sg - Singapore
+        'com.sg',
+        'net.sg',
+        'org.sg',
+        // sl - Sierra Leone
+        'com.sl',
+        'net.sl',
+        'org.sl',
+        // sv - El Salvador
+        'com.sv',
+        'org.sv',
+        // sy - Syria
+        'com.sy',
+        'net.sy',
+        'org.sy',
+        // th - Thailand
+        'co.th',
+        'in.th',
+        'ac.th',
+        'or.th',
+        'net.th',
+        // tn - Tunisia
+        'com.tn',
+        'net.tn',
+        'org.tn',
+        // tr - Turkey
+        'com.tr',
+        'net.tr',
+        'org.tr',
+        // tt - Trinidad and Tobago
+        'co.tt',
+        'com.tt',
+        'net.tt',
+        'org.tt',
+        // tw - Taiwan
+        'com.tw',
+        'net.tw',
+        'org.tw',
+        // tz - Tanzania
+        'co.tz',
+        'or.tz',
+        'ne.tz',
+        // ua - Ukraine
+        'com.ua',
+        'net.ua',
+        'org.ua',
+        // ug - Uganda
+        'co.ug',
+        'or.ug',
+        'ne.ug',
+        // uk - United Kingdom
+        'co.uk',
+        'org.uk',
+        'me.uk',
+        'net.uk',
+        // uy - Uruguay
+        'com.uy',
+        'net.uy',
+        'org.uy',
+        // uz - Uzbekistan
+        'co.uz',
+        'com.uz',
+        'net.uz',
+        'org.uz',
+        // vc - Saint Vincent and the Grenadines
+        'com.vc',
+        'net.vc',
+        'org.vc',
+        // ve - Venezuela
+        'co.ve',
+        'com.ve',
+        'net.ve',
+        'org.ve',
+        // vn - Vietnam
+        'com.vn',
+        'net.vn',
+        'org.vn',
+        // za - South Africa
+        'co.za',
+        'net.za',
+        'org.za',
+        // zm - Zambia
+        'co.zm',
+        'com.zm',
+        'net.zm',
+        'org.zm',
+        // zw - Zimbabwe
+        'co.zw',
+        'org.zw',
+    ]);
+    const lastTwo = parts.slice(-2).join('.');
+    if (twoPartTlds.has(lastTwo) && parts.length >= 3) {
+        return parts.slice(-3).join('.');
+    }
+    return parts.length >= 2 ? parts.slice(-2).join('.') : hostname;
+}
+/**
+ * Check if a Cloudflare zone exists for the given domain.
+ * Gracefully handles authentication failures and network errors.
+ */
+export async function checkZoneExists(domain) {
+    try {
+        const tokenInfo = await getCloudflareApiToken();
+        if (!tokenInfo) {
+            return { found: false, error: 'Not logged in to Cloudflare (run: wrangler login)' };
+        }
+        const zoneName = extractZoneName(domain);
+        const response = await fetch(`https://api.cloudflare.com/client/v4/zones?name=${encodeURIComponent(zoneName)}`, {
+            headers: {
+                Authorization: `Bearer ${tokenInfo.token}`,
+            },
+        });
+        if (!response.ok) {
+            if (response.status === 403) {
+                return { found: false, error: 'Token lacks zone:read permission' };
+            }
+            return { found: false, error: `Cloudflare API returned ${response.status}` };
+        }
+        const data = (await response.json());
+        if (!data.success || !data.result || data.result.length === 0) {
+            return { found: false };
+        }
+        const zone = data.result[0];
+        return {
+            found: true,
+            zone: { id: zone.id, name: zone.name, status: zone.status },
+        };
+    }
+    catch (error) {
+        return {
+            found: false,
+            error: error instanceof Error ? error.message : 'Unknown error',
+        };
+    }
+}
 // =============================================================================
 // D1 Database Operations
 // =============================================================================
@@ -344,8 +823,76 @@ export async function executeD1Migration(dbName, sqlFilePath, onProgress) {
         return { success: false, error: message };
     }
 }
+/** SQL to create the migration tracking table (idempotent) */
+const CREATE_MIGRATIONS_TABLE_SQL = `
+CREATE TABLE IF NOT EXISTS authrim_migrations (
+  filename TEXT PRIMARY KEY,
+  applied_at INTEGER NOT NULL
+);
+`.trim();
 /**
- * Run all D1 migrations for a database
+ * Ensure the authrim_migrations tracking table exists in the target database.
+ * Returns true on success, false on failure.
+ */
+async function ensureMigrationsTable(dbName, onProgress) {
+    try {
+        await wrangler([
+            'd1',
+            'execute',
+            dbName,
+            '--remote',
+            '--yes',
+            '--command',
+            CREATE_MIGRATIONS_TABLE_SQL,
+        ]);
+        return true;
+    }
+    catch (error) {
+        onProgress?.(`  ⚠️  Could not create migrations table: ${error instanceof Error ? error.message : String(error)}`);
+        return false;
+    }
+}
+/**
+ * Return the set of migration filenames already recorded in authrim_migrations.
+ * Falls back to an empty set on error so we never skip migrations when unsure.
+ */
+async function getAppliedMigrations(dbName) {
+    try {
+        const { stdout } = await wrangler([
+            'd1',
+            'execute',
+            dbName,
+            '--remote',
+            '--yes',
+            '--command',
+            'SELECT filename FROM authrim_migrations;',
+            '--json',
+        ]);
+        const rows = JSON.parse(stdout);
+        const results = rows?.[0]?.results ?? [];
+        return new Set(results.map((r) => r.filename));
+    }
+    catch {
+        return new Set();
+    }
+}
+/**
+ * Record a migration filename as applied.
+ */
+async function recordMigration(dbName, filename) {
+    const sql = `INSERT OR IGNORE INTO authrim_migrations (filename, applied_at) VALUES ('${filename.replace(/'/g, "''")}', ${Date.now()});`;
+    try {
+        await wrangler(['d1', 'execute', dbName, '--remote', '--yes', '--command', sql]);
+    }
+    catch {
+        // Non-fatal: tracking failure should not abort the migration run
+    }
+}
+/**
+ * Run all D1 migrations for a database.
+ *
+ * Uses an `authrim_migrations` tracking table inside the D1 database to skip
+ * files that have already been applied, making repeated runs idempotent.
  */
 export async function runD1Migrations(dbName, migrationsDir, onProgress) {
     const { existsSync, readdirSync } = await import('node:fs');
@@ -354,6 +901,7 @@ export async function runD1Migrations(dbName, migrationsDir, onProgress) {
         return {
             success: false,
             appliedCount: 0,
+            skippedCount: 0,
             error: `Migrations directory not found: ${migrationsDir}`,
         };
     }
@@ -363,18 +911,34 @@ export async function runD1Migrations(dbName, migrationsDir, onProgress) {
         .sort();
     if (sqlFiles.length === 0) {
         onProgress?.(`  No migration files found in ${migrationsDir}`);
-        return { success: true, appliedCount: 0 };
+        return { success: true, appliedCount: 0, skippedCount: 0 };
     }
     onProgress?.(`  Found ${sqlFiles.length} migration files`);
+    // Ensure tracking table exists; if it fails we continue without tracking
+    await ensureMigrationsTable(dbName, onProgress);
+    const applied = await getAppliedMigrations(dbName);
+    onProgress?.(`  ${applied.size} migration(s) already recorded as applied`);
     let appliedCount = 0;
+    let skippedCount = 0;
     for (const sqlFile of sqlFiles) {
+        if (applied.has(sqlFile)) {
+            onProgress?.(`  ⏭  Skipping (already applied): ${sqlFile}`);
+            skippedCount++;
+            continue;
+        }
         const result = await executeD1Migration(dbName, join(migrationsDir, sqlFile), onProgress);
         if (!result.success) {
-            return { success: false, appliedCount, error: `Failed on ${sqlFile}: ${result.error}` };
+            return {
+                success: false,
+                appliedCount,
+                skippedCount,
+                error: `Failed on ${sqlFile}: ${result.error}`,
+            };
         }
+        await recordMigration(dbName, sqlFile);
         appliedCount++;
     }
-    return { success: true, appliedCount };
+    return { success: true, appliedCount, skippedCount };
 }
 /**
  * Run migrations for an Authrim environment
@@ -419,9 +983,9 @@ export async function runMigrationsForEnvironment(env, rootDir, onProgress) {
         onProgress?.(`  ❌ ${errorMsg}`);
         return {
             success: false,
-            core: { success: false, appliedCount: 0, error: errorMsg },
-            pii: { success: false, appliedCount: 0, error: errorMsg },
-            admin: { success: false, appliedCount: 0, error: errorMsg },
+            core: { success: false, appliedCount: 0, skippedCount: 0, error: errorMsg },
+            pii: { success: false, appliedCount: 0, skippedCount: 0, error: errorMsg },
+            admin: { success: false, appliedCount: 0, skippedCount: 0, error: errorMsg },
         };
     }
     // Run core database migrations
@@ -431,7 +995,7 @@ export async function runMigrationsForEnvironment(env, rootDir, onProgress) {
         onProgress?.(`  ❌ Core migration failed: ${coreResult.error}`);
     }
     else {
-        onProgress?.(`  ✅ Applied ${coreResult.appliedCount} core migrations`);
+        onProgress?.(`  ✅ Applied ${coreResult.appliedCount} core migrations (${coreResult.skippedCount} skipped)`);
     }
     // Run PII database migrations
     const piiMigrationsDir = join(migrationsRoot, 'pii');
@@ -439,7 +1003,7 @@ export async function runMigrationsForEnvironment(env, rootDir, onProgress) {
     let piiResult;
     if (!existsSync(piiMigrationsDir)) {
         onProgress?.(`  ⚠️ PII migrations directory not found: ${piiMigrationsDir}`);
-        piiResult = { success: true, appliedCount: 0 };
+        piiResult = { success: true, appliedCount: 0, skippedCount: 0 };
     }
     else {
         piiResult = await runD1Migrations(piiDbName, piiMigrationsDir, onProgress);
@@ -447,7 +1011,7 @@ export async function runMigrationsForEnvironment(env, rootDir, onProgress) {
             onProgress?.(`  ❌ PII migration failed: ${piiResult.error}`);
         }
         else {
-            onProgress?.(`  ✅ Applied ${piiResult.appliedCount} PII migrations`);
+            onProgress?.(`  ✅ Applied ${piiResult.appliedCount} PII migrations (${piiResult.skippedCount} skipped)`);
         }
     }
     // Run Admin database migrations
@@ -456,7 +1020,7 @@ export async function runMigrationsForEnvironment(env, rootDir, onProgress) {
     let adminResult;
     if (!existsSync(adminMigrationsDir)) {
         onProgress?.(`  ⚠️ Admin migrations directory not found: ${adminMigrationsDir}`);
-        adminResult = { success: true, appliedCount: 0 };
+        adminResult = { success: true, appliedCount: 0, skippedCount: 0 };
     }
     else {
         adminResult = await runD1Migrations(adminDbName, adminMigrationsDir, onProgress);
@@ -464,7 +1028,7 @@ export async function runMigrationsForEnvironment(env, rootDir, onProgress) {
             onProgress?.(`  ❌ Admin migration failed: ${adminResult.error}`);
         }
         else {
-            onProgress?.(`  ✅ Applied ${adminResult.appliedCount} admin migrations`);
+            onProgress?.(`  ✅ Applied ${adminResult.appliedCount} admin migrations (${adminResult.skippedCount} skipped)`);
         }
     }
     return {
@@ -604,7 +1168,14 @@ export async function createKVNamespace(name, preview = false) {
  */
 export async function deleteKVNamespace(namespaceId) {
     try {
-        await wrangler(['kv', 'namespace', 'delete', '--namespace-id', namespaceId]);
+        await wrangler([
+            'kv',
+            'namespace',
+            'delete',
+            '--namespace-id',
+            namespaceId,
+            '--skip-confirmation',
+        ]);
         return true;
     }
     catch {
@@ -837,18 +1408,31 @@ export async function provisionResources(options) {
     // Provision R2 buckets (optional)
     if (options.createR2) {
         onProgress('📁 R2 Buckets');
-        const bucketName = `${env}-authrim-avatars`;
-        onProgress(`  ⏳ Creating: ${bucketName}...`);
+        const avatarBucketName = `${env}-authrim-avatars`;
+        onProgress(`  ⏳ Creating: ${avatarBucketName}...`);
         try {
-            const result = await createR2Bucket(bucketName);
+            const result = await createR2Bucket(avatarBucketName);
             resources.r2.push({
                 binding: 'AVATARS',
                 name: result.name,
             });
-            onProgress(`  ✅ ${bucketName} created`);
+            onProgress(`  ✅ ${avatarBucketName} created`);
         }
         catch (error) {
-            onProgress(`  ⚠️ Skipped: ${bucketName} - ${sanitizeError(error)}`);
+            onProgress(`  ⚠️ Skipped: ${avatarBucketName} - ${sanitizeError(error)}`);
+        }
+        const diagnosticBucketName = `${env}-diagnostic-logs`;
+        onProgress(`  ⏳ Creating: ${diagnosticBucketName}...`);
+        try {
+            const result = await createR2Bucket(diagnosticBucketName);
+            resources.r2.push({
+                binding: 'DIAGNOSTIC_LOGS',
+                name: result.name,
+            });
+            onProgress(`  ✅ ${diagnosticBucketName} created`);
+        }
+        catch (error) {
+            onProgress(`  ⚠️ Skipped: ${diagnosticBucketName} - ${sanitizeError(error)}`);
         }
         onProgress('');
     }
@@ -898,7 +1482,7 @@ const AUTHRIM_PATTERNS = {
     // KV can have either lowercase or uppercase env prefix (e.g., conformance-CLIENTS_CACHE or TESTENV-CLIENTS_CACHE)
     kv: /^([a-zA-Z][a-zA-Z0-9-]*)-(?:CLIENTS_CACHE|INITIAL_ACCESS_TOKENS|SETTINGS|REBAC_CACHE|USER_CACHE|AUTHRIM_CONFIG|STATE_STORE|CONSENT_CACHE)(?:_preview)?$/i,
     queue: /^([a-z][a-z0-9-]*)-audit-queue$/,
-    r2: /^([a-z][a-z0-9-]*)-authrim-avatars$/,
+    r2: /^([a-z][a-z0-9-]*)-(authrim-avatars|diagnostic-logs)$/,
     // Pages projects: {env}-ar-admin-ui, {env}-ar-login-ui
     pages: /^([a-z][a-z0-9-]*)-(ar-admin-ui|ar-login-ui)$/,
 };
@@ -907,11 +1491,17 @@ const AUTHRIM_PATTERNS = {
  */
 export async function listWorkers() {
     try {
-        const { stdout: _stdout } = await wrangler(['deployments', 'list', '--json']);
-        // Note: wrangler deployments list doesn't give us what we need
-        // We'll use wrangler whoami to get account and then list workers differently
-        // For now, return empty - we'll detect workers from D1/KV patterns
-        return [];
+        const accountId = await getAccountId();
+        if (!accountId)
+            return [];
+        const tokenInfo = await getCloudflareApiToken();
+        if (!tokenInfo)
+            return [];
+        const response = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/workers/scripts`, { headers: { Authorization: `Bearer ${tokenInfo.token}` } });
+        if (!response.ok)
+            return [];
+        const data = (await response.json());
+        return (data.result || []).map((w) => ({ name: w.id }));
     }
     catch {
         return [];
@@ -996,6 +1586,46 @@ export async function listPagesProjects() {
  */
 export async function deletePagesProject(name) {
     try {
+        // First, remove all custom domains from the Pages project
+        // This is required before the project can be deleted
+        const token = await getCloudflareApiToken();
+        if (token) {
+            try {
+                const accountId = await getAccountId();
+                // Get project details to list custom domains
+                const projectResponse = await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/pages/projects/${name}`, {
+                    headers: {
+                        Authorization: `Bearer ${token.token}`,
+                    },
+                });
+                if (projectResponse.ok) {
+                    const projectData = (await projectResponse.json());
+                    const domains = projectData.result?.domains || [];
+                    // Remove each custom domain (skip *.pages.dev domains)
+                    for (const domain of domains) {
+                        if (!domain.endsWith('.pages.dev')) {
+                            try {
+                                await fetch(`https://api.cloudflare.com/client/v4/accounts/${accountId}/pages/projects/${name}/domains/${domain}`, {
+                                    method: 'DELETE',
+                                    headers: {
+                                        Authorization: `Bearer ${token.token}`,
+                                    },
+                                });
+                                // Small delay to let Cloudflare process the deletion
+                                await new Promise((resolve) => setTimeout(resolve, 1000));
+                            }
+                            catch {
+                                // Continue even if domain deletion fails
+                            }
+                        }
+                    }
+                }
+            }
+            catch {
+                // Continue even if custom domain cleanup fails
+            }
+        }
+        // Now delete the Pages project
         await wrangler(['pages', 'project', 'delete', name, '--yes']);
         return true;
     }
@@ -1009,13 +1639,16 @@ export async function deletePagesProject(name) {
 export async function detectEnvironments(onProgress) {
     const environments = new Map();
     const progress = onProgress || (() => { });
-    progress('Scanning D1 databases...');
+    // Scan Workers first — environments are only valid if Workers or D1 exist
+    progress('Scanning Workers...');
+    const workerEnvs = new Set();
     try {
-        const databases = await listD1Databases();
-        for (const db of databases) {
-            const match = db.name.match(AUTHRIM_PATTERNS.d1);
+        const workers = await listWorkers();
+        for (const w of workers) {
+            const match = w.name.match(AUTHRIM_PATTERNS.worker);
             if (match) {
                 const env = match[1].toLowerCase();
+                workerEnvs.add(env);
                 if (!environments.has(env)) {
                     environments.set(env, {
                         env,
@@ -1027,20 +1660,22 @@ export async function detectEnvironments(onProgress) {
                         pages: [],
                     });
                 }
-                environments.get(env).d1.push({ name: db.name, id: db.uuid });
+                environments.get(env).workers.push({ name: w.name });
             }
         }
     }
     catch (error) {
-        progress(`  ⚠️ Could not scan D1: ${error instanceof Error ? error.message : error}`);
+        progress(`  ⚠️ Could not scan Workers: ${error instanceof Error ? error.message : error}`);
     }
-    progress('Scanning KV namespaces...');
+    progress('Scanning D1 databases...');
+    const d1Envs = new Set();
     try {
-        const namespaces = await listKVNamespaces();
-        for (const ns of namespaces) {
-            const match = ns.title.match(AUTHRIM_PATTERNS.kv);
+        const databases = await listD1Databases();
+        for (const db of databases) {
+            const match = db.name.match(AUTHRIM_PATTERNS.d1);
             if (match) {
                 const env = match[1].toLowerCase();
+                d1Envs.add(env);
                 if (!environments.has(env)) {
                     environments.set(env, {
                         env,
@@ -1052,7 +1687,24 @@ export async function detectEnvironments(onProgress) {
                         pages: [],
                     });
                 }
-                environments.get(env).kv.push({ name: ns.title, id: ns.id });
+                environments.get(env).d1.push({ name: db.name, id: db.uuid });
+            }
+        }
+    }
+    catch (error) {
+        progress(`  ⚠️ Could not scan D1: ${error instanceof Error ? error.message : error}`);
+    }
+    progress('Scanning KV namespaces...');
+    try {
+        const namespaces = await listKVNamespaces();
+        for (const ns of namespaces) {
+            const match = ns.title.match(AUTHRIM_PATTERNS.kv);
+            if (match) {
+                const env = match[1].toLowerCase();
+                // Only attach KV to environments that already have Workers or D1
+                if (environments.has(env)) {
+                    environments.get(env).kv.push({ name: ns.title, id: ns.id });
+                }
             }
         }
     }
@@ -1066,18 +1718,10 @@ export async function detectEnvironments(onProgress) {
             const match = q.name.match(AUTHRIM_PATTERNS.queue);
             if (match) {
                 const env = match[1].toLowerCase();
-                if (!environments.has(env)) {
-                    environments.set(env, {
-                        env,
-                        workers: [],
-                        d1: [],
-                        kv: [],
-                        queues: [],
-                        r2: [],
-                        pages: [],
-                    });
+                // Only attach Queues to environments that already have Workers or D1
+                if (environments.has(env)) {
+                    environments.get(env).queues.push({ name: q.name, id: q.id });
                 }
-                environments.get(env).queues.push({ name: q.name, id: q.id });
             }
         }
     }
@@ -1091,18 +1735,10 @@ export async function detectEnvironments(onProgress) {
             const match = bucket.name.match(AUTHRIM_PATTERNS.r2);
             if (match) {
                 const env = match[1].toLowerCase();
-                if (!environments.has(env)) {
-                    environments.set(env, {
-                        env,
-                        workers: [],
-                        d1: [],
-                        kv: [],
-                        queues: [],
-                        r2: [],
-                        pages: [],
-                    });
+                // Only attach R2 to environments that already have Workers or D1
+                if (environments.has(env)) {
+                    environments.get(env).r2.push({ name: bucket.name });
                 }
-                environments.get(env).r2.push({ name: bucket.name });
             }
         }
     }
@@ -1116,42 +1752,20 @@ export async function detectEnvironments(onProgress) {
             const match = project.name.match(AUTHRIM_PATTERNS.pages);
             if (match) {
                 const env = match[1].toLowerCase();
-                if (!environments.has(env)) {
-                    environments.set(env, {
-                        env,
-                        workers: [],
-                        d1: [],
-                        kv: [],
-                        queues: [],
-                        r2: [],
-                        pages: [],
-                    });
+                // Only attach Pages to environments that already have Workers or D1
+                if (environments.has(env)) {
+                    environments.get(env).pages.push({ name: project.name });
                 }
-                environments.get(env).pages.push({ name: project.name });
             }
         }
     }
     catch (error) {
         progress(`  ⚠️ Could not scan Pages: ${error instanceof Error ? error.message : error}`);
     }
-    // Infer workers from detected environments
-    const workerComponents = [
-        'ar-lib-core',
-        'ar-auth',
-        'ar-token',
-        'ar-userinfo',
-        'ar-discovery',
-        'ar-management',
-        'ar-router',
-        'ar-async',
-        'ar-saml',
-        'ar-bridge',
-        'ar-vc',
-        'ar-policy',
-    ];
+    // Filter: only keep environments that have actual Workers or D1 databases
     for (const [env, info] of environments) {
-        for (const comp of workerComponents) {
-            info.workers.push({ name: `${env}-${comp}` });
+        if (info.workers.length === 0 && info.d1.length === 0) {
+            environments.delete(env);
         }
     }
     progress(`Found ${environments.size} environment(s)`);