npm - @authrim/setup - Versions diffs - 0.1.141 → 0.1.142 - Mend

@authrim/setup 0.1.141 → 0.1.142

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/dist/__tests__/keys.test.js.map +1 -1
package/dist/__tests__/migrate.test.js +4 -4
package/dist/__tests__/migrate.test.js.map +1 -1
package/dist/__tests__/paths.test.js.map +1 -1
package/dist/cli/commands/deploy.d.ts.map +1 -1
package/dist/cli/commands/deploy.js +57 -63
package/dist/cli/commands/deploy.js.map +1 -1
package/dist/cli/commands/init.d.ts.map +1 -1
package/dist/cli/commands/init.js +231 -171
package/dist/cli/commands/init.js.map +1 -1
package/dist/core/admin.d.ts.map +1 -1
package/dist/core/admin.js +13 -3
package/dist/core/admin.js.map +1 -1
package/dist/core/cloudflare.d.ts +38 -1
package/dist/core/cloudflare.d.ts.map +1 -1
package/dist/core/cloudflare.js +729 -115
package/dist/core/cloudflare.js.map +1 -1
package/dist/core/config.d.ts +136 -28
package/dist/core/config.d.ts.map +1 -1
package/dist/core/config.js +58 -11
package/dist/core/config.js.map +1 -1
package/dist/core/deploy.d.ts +18 -0
package/dist/core/deploy.d.ts.map +1 -1
package/dist/core/deploy.js +126 -25
package/dist/core/deploy.js.map +1 -1
package/dist/core/keys.d.ts.map +1 -1
package/dist/core/keys.js +2 -0
package/dist/core/keys.js.map +1 -1
package/dist/core/login-ui-client.d.ts.map +1 -1
package/dist/core/login-ui-client.js +43 -7
package/dist/core/login-ui-client.js.map +1 -1
package/dist/core/paths.d.ts.map +1 -1
package/dist/core/paths.js +5 -5
package/dist/core/paths.js.map +1 -1
package/dist/core/tenant-mode.d.ts +4 -0
package/dist/core/tenant-mode.d.ts.map +1 -0
package/dist/core/tenant-mode.js +17 -0
package/dist/core/tenant-mode.js.map +1 -0
package/dist/core/ui-deployment.d.ts +21 -0
package/dist/core/ui-deployment.d.ts.map +1 -0
package/dist/core/ui-deployment.js +90 -0
package/dist/core/ui-deployment.js.map +1 -0
package/dist/core/ui-env.d.ts +17 -0
package/dist/core/ui-env.d.ts.map +1 -1
package/dist/core/ui-env.js +16 -0
package/dist/core/ui-env.js.map +1 -1
package/dist/core/url-config.d.ts +16 -0
package/dist/core/url-config.d.ts.map +1 -0
package/dist/core/url-config.js +46 -0
package/dist/core/url-config.js.map +1 -0
package/dist/core/wrangler.d.ts +50 -1
package/dist/core/wrangler.d.ts.map +1 -1
package/dist/core/wrangler.js +169 -55
package/dist/core/wrangler.js.map +1 -1
package/dist/i18n/locales/de.d.ts.map +1 -1
package/dist/i18n/locales/de.js +37 -0
package/dist/i18n/locales/de.js.map +1 -1
package/dist/i18n/locales/en.d.ts.map +1 -1
package/dist/i18n/locales/en.js +37 -0
package/dist/i18n/locales/en.js.map +1 -1
package/dist/i18n/locales/es.d.ts.map +1 -1
package/dist/i18n/locales/es.js +37 -0
package/dist/i18n/locales/es.js.map +1 -1
package/dist/i18n/locales/fr.d.ts.map +1 -1
package/dist/i18n/locales/fr.js +37 -0
package/dist/i18n/locales/fr.js.map +1 -1
package/dist/i18n/locales/id.d.ts.map +1 -1
package/dist/i18n/locales/id.js +37 -0
package/dist/i18n/locales/id.js.map +1 -1
package/dist/i18n/locales/ja.d.ts.map +1 -1
package/dist/i18n/locales/ja.js +37 -0
package/dist/i18n/locales/ja.js.map +1 -1
package/dist/i18n/locales/ko.d.ts.map +1 -1
package/dist/i18n/locales/ko.js +37 -0
package/dist/i18n/locales/ko.js.map +1 -1
package/dist/i18n/locales/pt.d.ts.map +1 -1
package/dist/i18n/locales/pt.js +37 -0
package/dist/i18n/locales/pt.js.map +1 -1
package/dist/i18n/locales/ru.d.ts.map +1 -1
package/dist/i18n/locales/ru.js +37 -0
package/dist/i18n/locales/ru.js.map +1 -1
package/dist/i18n/locales/zh-CN.d.ts.map +1 -1
package/dist/i18n/locales/zh-CN.js +37 -0
package/dist/i18n/locales/zh-CN.js.map +1 -1
package/dist/i18n/locales/zh-TW.d.ts.map +1 -1
package/dist/i18n/locales/zh-TW.js +37 -0
package/dist/i18n/locales/zh-TW.js.map +1 -1
package/dist/i18n/types.d.ts +8 -0
package/dist/i18n/types.d.ts.map +1 -1
package/dist/index.js +38 -29
package/dist/index.js.map +1 -1
package/dist/web/api.d.ts.map +1 -1
package/dist/web/api.js +207 -95
package/dist/web/api.js.map +1 -1
package/dist/web/ui.d.ts.map +1 -1
package/dist/web/ui.js +506 -109
package/dist/web/ui.js.map +1 -1
package/migrations/000_fresh_schema.sql +227 -9
package/migrations/admin/006_admin_setup_tokens.sql +91 -91
package/migrations/admin/007_admin_role_inheritance.sql +32 -0
package/migrations/admin/008_admin_rebac_definitions.sql +117 -0
package/migrations/admin/009_optimize_admin_audit_indexes.sql +15 -0
package/package.json +5 -5

package/dist/cli/commands/init.js CHANGED Viewed

@@ -15,11 +15,54 @@ import { execa } from 'execa';
 import { createDefaultConfig, parseConfig } from '../../core/config.js';
 import { generateAllSecrets, saveKeysToDirectory, generateKeyId, keysExistForEnvironment, } from '../../core/keys.js';
 import { isRunningFromSource, getCommandPrefix } from '../../core/source-context.js';
-import { isWranglerInstalled, checkAuth, provisionResources, toResourceIds, getAccountId, detectEnvironments, getWorkersSubdomain, } from '../../core/cloudflare.js';
+import { isWranglerInstalled, checkAuth, provisionResources, toResourceIds, getAccountId, detectEnvironments, getWorkersSubdomain, checkZoneExists, extractZoneName, } from '../../core/cloudflare.js';
 import { createLockFile, saveLockFile, loadLockFile } from '../../core/lock.js';
-import { getEnvironmentPaths, getExternalKeysDir, getExternalKeysPathForConfig, AUTHRIM_DIR } from '../../core/paths.js';
+import { getEnvironmentPaths, getExternalKeysDir, getExternalKeysPathForConfig, AUTHRIM_DIR, } from '../../core/paths.js';
 import { downloadSource, verifySourceStructure, checkForUpdate, getLocalVersion, } from '../../core/source.js';
-import { saveUiEnv } from '../../core/ui-env.js';
+import { saveUiEnv, buildInitialUiEnvConfig } from '../../core/ui-env.js';
+import { buildUrlsConfig, getPagesDevUrl, getWorkersDevUrl, } from '../../core/url-config.js';
+/**
+ * Check Cloudflare zone for a domain and prompt user for binding configuration.
+ * Never blocks setup - all errors are handled gracefully.
+ */
+async function checkAndPromptZone(domain, domainConfig) {
+    const spinner = ora(t('domain.checkingZone', { domain })).start();
+    try {
+        const result = await checkZoneExists(domain);
+        spinner.stop();
+        if (result.error) {
+            console.log(chalk.yellow(`  ⚠ ${t('domain.zoneCheckFailed')}: ${result.error}`));
+            console.log(chalk.gray(`    ${t('domain.zoneCheckSkipped')}`));
+            return;
+        }
+        if (!result.found) {
+            const zoneName = extractZoneName(domain);
+            console.log(chalk.yellow(`  ⚠ ${t('domain.zoneNotFound', { zone: zoneName })}`));
+            console.log(chalk.gray(`    ${t('domain.zoneNotFoundHint')}`));
+            console.log('');
+            const ok = await confirm({ message: t('domain.continueWithoutZone'), default: true });
+            if (!ok) {
+                throw new Error('USER_CANCELLED_DOMAIN');
+            }
+            return;
+        }
+        // Zone found
+        console.log(chalk.green(`  ✓ ${t('domain.zoneFound', { zone: result.zone.name, status: result.zone.status })}`));
+        domainConfig.zoneId = result.zone.id;
+        console.log('');
+        const bind = await confirm({ message: t('domain.configureBinding'), default: true });
+        domainConfig.customDomainBinding = bind;
+    }
+    catch (error) {
+        spinner.stop();
+        if (error instanceof Error && error.message === 'USER_CANCELLED_DOMAIN') {
+            throw error;
+        }
+        // Unexpected error - don't block setup
+        console.log(chalk.yellow(`  ⚠ ${t('domain.zoneCheckFailed')}`));
+        console.log(chalk.gray(`    ${t('domain.zoneCheckSkipped')}`));
+    }
+}
 // =============================================================================
 // WSL Detection
 // =============================================================================
@@ -139,21 +182,12 @@ function printBanner() {
 // Store the workers.dev subdomain for URL generation
 let workersSubdomain = null;
 /**
- * Get the correct workers.dev URL with account subdomain
- * Format: {worker}.{subdomain}.workers.dev
+ * Strip the protocol from a URL for display in domain-only prompts.
  */
-function getWorkersDevUrl(workerName) {
-    if (workersSubdomain) {
-        return `https://${workerName}.${workersSubdomain}.workers.dev`;
-    }
-    return `https://${workerName}.workers.dev`;
-}
-/**
- * Get the correct pages.dev URL
- * Note: Pages uses {project}.pages.dev format (no account subdomain, unlike Workers)
- */
-function getPagesDevUrl(projectName) {
-    return `https://${projectName}.pages.dev`;
+function stripProtocol(url) {
+    if (!url)
+        return '';
+    return url.replace(/^https?:\/\//, '');
 }
 // =============================================================================
 // Source Directory Detection
@@ -978,6 +1012,7 @@ async function runQuickSetup(options) {
     let apiDomain = null;
     let loginUiDomain = null;
     let adminUiDomain = null;
+    const quickDomainConfig = {};
     if (useCustomDomain) {
         console.log('');
         console.log(chalk.gray('  ' + t('domain.singleTenantNote')));
@@ -993,6 +1028,18 @@ async function runQuickSetup(options) {
                 return true;
             },
         });
+        // Check Cloudflare zone for the domain
+        if (apiDomain) {
+            console.log('');
+            try {
+                await checkAndPromptZone(apiDomain, quickDomainConfig);
+            }
+            catch {
+                // User cancelled - clear domain and continue
+                apiDomain = null;
+            }
+            console.log('');
+        }
         loginUiDomain = await input({
             message: t('domain.loginUiDomain'),
             default: '',
@@ -1112,22 +1159,15 @@ async function runQuickSetup(options) {
             configured: emailConfig.provider === 'resend',
         },
     };
-    config.urls = {
-        api: {
-            custom: apiDomain || null,
-            auto: getWorkersDevUrl(envPrefix + '-ar-router'),
-        },
-        loginUi: {
-            custom: loginUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-login-ui'),
-            sameAsApi: false,
-        },
-        adminUi: {
-            custom: adminUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-admin-ui'),
-            sameAsApi: false,
-        },
-    };
+    config.urls = buildUrlsConfig({
+        env: envPrefix,
+        apiDomain,
+        loginUiDomain,
+        adminUiDomain,
+        zoneId: quickDomainConfig.zoneId ?? null,
+        customDomainBinding: quickDomainConfig.customDomainBinding ?? false,
+        workersSubdomain,
+    });
     // Show summary
     console.log('');
     console.log(chalk.blue('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
@@ -1278,44 +1318,58 @@ async function runNormalSetup(options) {
     // Step 5: Tenant configuration
     console.log(chalk.blue('━━━ ' + t('tenant.title') + ' ━━━'));
     console.log('');
-    const multiTenant = await confirm({
-        message: t('tenant.multiTenantPrompt'),
-        default: false,
-    });
     let tenantName = 'default';
     let tenantDisplayName = 'Default Tenant';
     let baseDomain;
-    // Step 6: URL configuration (depends on tenant mode)
+    let primaryTenant;
+    let nakedDomain = false;
+    let userIdFormat = 'nanoid';
+    // Step 6: URL configuration
     let apiDomain = null;
     let loginUiDomain = null;
     let adminUiDomain = null;
-    if (multiTenant) {
-        // Multi-tenant mode: base domain is required, becomes the issuer base
-        console.log('');
-        console.log(chalk.blue('━━━ ' + t('tenant.multiTenantTitle') + ' ━━━'));
-        console.log('');
-        console.log(chalk.gray('  ' + t('tenant.multiTenantNote1')));
-        console.log(chalk.gray('    • ' + t('tenant.multiTenantNote2')));
-        console.log(chalk.gray('    • ' + t('tenant.multiTenantNote3')));
-        console.log(chalk.gray('    • ' + t('tenant.multiTenantNote4')));
-        console.log('');
-        baseDomain = await input({
-            message: t('tenant.baseDomainPrompt'),
-            validate: (value) => {
-                if (!value)
-                    return t('tenant.baseDomainRequired');
-                if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(value)) {
-                    return t('tenant.baseDomainValidation');
-                }
+    const fullDomainConfig = {};
+    // Base domain configuration
+    console.log('');
+    console.log(chalk.blue('━━━ ' + t('tenant.multiTenantTitle') + ' ━━━'));
+    console.log('');
+    console.log(chalk.gray('  Leave empty to use workers.dev and single-tenant mode.'));
+    console.log(chalk.gray('  With a custom domain:'));
+    console.log(chalk.gray('    • https://example.com (naked domain issuer)'));
+    console.log(chalk.gray('    • https://acme.example.com (tenant subdomain issuer)'));
+    console.log('');
+    baseDomain = await input({
+        message: t('tenant.baseDomainPrompt'),
+        validate: (value) => {
+            if (!value)
                 return true;
-            },
-        });
-        console.log('');
-        console.log(chalk.green('  ✓ ' + t('tenant.issuerFormat', { domain: baseDomain })));
-        console.log(chalk.gray('    ' + t('tenant.issuerExample', { domain: baseDomain })));
-        console.log('');
-        // API domain in multi-tenant is the base domain (or custom apex)
-        apiDomain = baseDomain;
+            if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(value)) {
+                return t('tenant.baseDomainValidation');
+            }
+            return true;
+        },
+    });
+    baseDomain = baseDomain || undefined;
+    console.log('');
+    if (baseDomain) {
+        console.log(chalk.green('  ✓ Base domain: ' + baseDomain));
+    }
+    else {
+        console.log(chalk.green('  ✓ Using workers.dev (single-tenant mode)'));
+    }
+    // Check Cloudflare zone for the base domain
+    if (baseDomain) {
+        try {
+            await checkAndPromptZone(baseDomain, fullDomainConfig);
+        }
+        catch {
+            // User cancelled - this is non-fatal, continue with setup
+        }
+    }
+    console.log('');
+    // API domain is the base domain
+    apiDomain = baseDomain || null;
+    if (baseDomain) {
         tenantName = await input({
             message: t('tenant.defaultTenantPrompt'),
             default: 'default',
@@ -1326,80 +1380,78 @@ async function runNormalSetup(options) {
                 return true;
             },
         });
-        tenantDisplayName = await input({
-            message: t('tenant.displayNamePrompt'),
-            default: 'Default Tenant',
-        });
-        // UI domains for multi-tenant
-        console.log('');
-        console.log(chalk.blue('━━━ ' + t('tenant.uiDomainTitle') + ' ━━━'));
-        console.log('');
-        const useCustomUiDomain = await confirm({
-            message: t('tenant.customUiDomainPrompt'),
-            default: false,
-        });
-        if (useCustomUiDomain) {
-            loginUiDomain = await input({
-                message: t('tenant.loginUiDomain'),
-                default: '',
-            });
-            adminUiDomain = await input({
-                message: t('tenant.adminUiDomain'),
-                default: '',
-            });
-        }
     }
     else {
-        // Single-tenant mode
-        console.log('');
-        console.log(chalk.blue('━━━ ' + t('tenant.singleTenantTitle') + ' ━━━'));
-        console.log('');
-        console.log(chalk.gray('  ' + t('tenant.singleTenantNote1')));
-        console.log(chalk.gray('    • ' + t('tenant.singleTenantNote2')));
-        console.log(chalk.gray('    • ' + t('tenant.singleTenantNote3')));
-        console.log('');
-        tenantDisplayName = await input({
-            message: t('tenant.organizationName'),
-            default: 'Default Tenant',
-        });
-        const useCustomDomain = await confirm({
-            message: t('domain.prompt'),
+        tenantName = 'default';
+    }
+    tenantDisplayName = await input({
+        message: t('tenant.displayNamePrompt'),
+        default: 'Default Tenant',
+    });
+    if (baseDomain) {
+        nakedDomain = await confirm({
+            message: 'Use naked domain as the issuer for the primary tenant?',
             default: false,
         });
-        if (useCustomDomain) {
-            console.log('');
-            console.log(chalk.gray('  ' + t('domain.enterDomains')));
-            console.log('');
-            apiDomain = await input({
-                message: t('domain.apiDomain'),
+        if (nakedDomain) {
+            primaryTenant = await input({
+                message: 'Primary tenant ID for naked domain (leave empty for default tenant)',
+                default: '',
                 validate: (value) => {
-                    if (!value)
+                    if (!value) {
                         return true;
-                    if (!/^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(value)) {
-                        return t('domain.customValidation');
+                    }
+                    if (!/^[a-z][a-z0-9-]*$/.test(value)) {
+                        return 'Tenant ID must start with a letter and contain only lowercase letters, numbers, and hyphens';
                     }
                     return true;
                 },
             });
-            loginUiDomain = await input({
-                message: t('domain.loginUiDomain'),
-                default: '',
-            });
-            adminUiDomain = await input({
-                message: t('domain.adminUiDomain'),
-                default: '',
-            });
-        }
-        if (apiDomain) {
-            console.log('');
-            console.log(chalk.green('  ✓ ' + t('domain.issuerUrl', { url: 'https://' + apiDomain })));
-        }
-        else {
-            console.log('');
-            console.log(chalk.green('  ✓ ' + t('domain.issuerUrl', { url: getWorkersDevUrl(envPrefix + '-ar-router') })));
-            console.log(chalk.gray('    ' + t('domain.usingWorkersDev')));
+            primaryTenant = primaryTenant || undefined;
         }
     }
+    // User ID format selection
+    console.log('');
+    console.log(chalk.blue('━━━ ' + t('userId.title') + ' ━━━'));
+    console.log('');
+    console.log(chalk.gray('  ' + t('userId.note')));
+    console.log('');
+    userIdFormat = await select({
+        message: t('userId.prompt'),
+        choices: [
+            {
+                name: t('userId.nanoid'),
+                value: 'nanoid',
+                description: t('userId.nanoidDesc'),
+            },
+            {
+                name: t('userId.uuid'),
+                value: 'uuid',
+                description: t('userId.uuidDesc'),
+            },
+        ],
+        default: 'nanoid',
+    });
+    console.log('');
+    console.log(chalk.green('  ✓ ' + t('userId.selected', { format: userIdFormat })));
+    // UI domains
+    console.log('');
+    console.log(chalk.blue('━━━ ' + t('tenant.uiDomainTitle') + ' ━━━'));
+    console.log('');
+    const useCustomUiDomain = await confirm({
+        message: t('tenant.customUiDomainPrompt'),
+        default: false,
+    });
+    if (useCustomUiDomain) {
+        loginUiDomain = await input({
+            message: t('tenant.loginUiDomain'),
+            default: '',
+        });
+        adminUiDomain = await input({
+            message: t('tenant.adminUiDomain'),
+            default: '',
+        });
+    }
     // Step 5: Optional components
     console.log('');
     console.log(chalk.blue('━━━ ' + t('components.title') + ' ━━━'));
@@ -1660,8 +1712,11 @@ async function runNormalSetup(options) {
     config.tenant = {
         name: tenantName,
         displayName: tenantDisplayName,
-        multiTenant,
+        multiTenant: !!baseDomain,
         baseDomain,
+        userIdFormat,
+        primaryTenant,
+        nakedDomain,
     };
     config.components = {
         ...config.components,
@@ -1671,22 +1726,15 @@ async function runNormalSetup(options) {
         bridge: true, // Standard component
         policy: true, // Standard component
     };
-    config.urls = {
-        api: {
-            custom: apiDomain || null,
-            auto: getWorkersDevUrl(envPrefix + '-ar-router'),
-        },
-        loginUi: {
-            custom: loginUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-login-ui'),
-            sameAsApi: false,
-        },
-        adminUi: {
-            custom: adminUiDomain || null,
-            auto: getPagesDevUrl(envPrefix + '-ar-admin-ui'),
-            sameAsApi: false,
-        },
-    };
+    config.urls = buildUrlsConfig({
+        env: envPrefix,
+        apiDomain,
+        loginUiDomain,
+        adminUiDomain,
+        zoneId: fullDomainConfig.zoneId ?? null,
+        customDomainBinding: fullDomainConfig.customDomainBinding ?? false,
+        workersSubdomain,
+    });
     config.oidc = {
         ...config.oidc,
         accessTokenTtl,
@@ -1729,14 +1777,17 @@ async function runNormalSetup(options) {
     console.log('');
     // Tenant mode and Issuer
     console.log(chalk.bold('Tenant & Issuer:'));
-    console.log(`  Mode:          ${multiTenant ? chalk.cyan('Multi-tenant') : chalk.cyan('Single-tenant')}`);
-    if (multiTenant && baseDomain) {
+    console.log(`  Mode:          ${chalk.cyan(baseDomain ? 'Multi-tenant' : 'Single-tenant')}`);
+    if (baseDomain) {
         console.log(`  Base Domain:   ${chalk.cyan(baseDomain)}`);
-        console.log(`  Issuer Format: ${chalk.cyan('https://{tenant}.' + baseDomain)}`);
-        console.log(`  Example:       ${chalk.gray('https://acme.' + baseDomain)}`);
+        console.log(`  Domain Pattern: ${chalk.cyan('{tenant}.' + baseDomain)}`);
+        console.log(`  Example:       ${chalk.gray(nakedDomain ? 'https://' + baseDomain : 'https://acme.' + baseDomain)}`);
+        if (nakedDomain) {
+            console.log(`  Naked Domain:  ${chalk.cyan(primaryTenant || tenantName)} ${chalk.gray('(primary tenant issuer)')}`);
+        }
     }
     else {
-        const issuerUrl = config.urls.api.custom || config.urls.api.auto;
+        const issuerUrl = config.urls?.api?.custom || config.urls?.api?.auto;
         console.log(`  Issuer URL:    ${chalk.cyan(issuerUrl)}`);
     }
     console.log(`  Default Tenant: ${chalk.cyan(tenantName)}`);
@@ -1744,8 +1795,11 @@ async function runNormalSetup(options) {
     console.log('');
     // Public URLs
     console.log(chalk.bold('Public URLs:'));
-    if (multiTenant && baseDomain) {
+    if (baseDomain) {
         console.log(`  API Router:    ${chalk.cyan('*.' + baseDomain)} → ${chalk.gray(envPrefix + '-ar-router')}`);
+        if (nakedDomain) {
+            console.log(`  API Router:    ${chalk.cyan(baseDomain + ' (naked)')} → ${chalk.gray(envPrefix + '-ar-router')}`);
+        }
     }
     else {
         console.log(`  API Router:    ${chalk.cyan(config.urls.api.custom || config.urls.api.auto)}`);
@@ -1968,11 +2022,9 @@ async function executeSetup(config, cfApiToken, keepPath) {
     // Step 4.5: Generate ui.env for UI builds
     const uiEnvSpinner = ora('Generating UI environment file...').start();
     try {
-        const apiBaseUrl = config.urls?.api?.custom || config.urls?.api?.auto || '';
-        if (apiBaseUrl) {
-            await saveUiEnv(envPaths.uiEnv, {
-                PUBLIC_API_BASE_URL: apiBaseUrl,
-            });
+        const initialUiEnv = buildInitialUiEnvConfig(config);
+        if (initialUiEnv) {
+            await saveUiEnv(envPaths.uiEnv, initialUiEnv);
             uiEnvSpinner.succeed(`UI env saved (${envPaths.uiEnv})`);
         }
         else {
@@ -2366,7 +2418,7 @@ async function editUrls(config) {
     console.log('');
     const apiDomain = await input({
         message: 'API (issuer) domain (leave empty for workers.dev)',
-        default: config.urls.api?.custom || '',
+        default: stripProtocol(config.urls.api?.custom),
         validate: (value) => {
             if (!value)
                 return true;
@@ -2376,28 +2428,36 @@ async function editUrls(config) {
             return true;
         },
     });
+    // Check Cloudflare zone for the domain
+    const updateDomainConfig = {};
+    if (apiDomain) {
+        console.log('');
+        try {
+            await checkAndPromptZone(apiDomain, updateDomainConfig);
+        }
+        catch {
+            // User cancelled - non-fatal
+        }
+        console.log('');
+    }
     const loginUiDomain = await input({
         message: 'Login UI domain (leave empty for pages.dev)',
-        default: config.urls.loginUi?.custom || '',
+        default: stripProtocol(config.urls.loginUi?.custom),
     });
     const adminUiDomain = await input({
         message: 'Admin UI domain (leave empty for pages.dev)',
-        default: config.urls.adminUi?.custom || '',
+        default: stripProtocol(config.urls.adminUi?.custom),
+    });
+    config.urls = buildUrlsConfig({
+        env,
+        apiDomain,
+        loginUiDomain,
+        adminUiDomain,
+        zoneId: updateDomainConfig.zoneId,
+        customDomainBinding: updateDomainConfig.customDomainBinding,
+        workersSubdomain,
+        existingUrls: config.urls,
     });
-    config.urls.api = {
-        custom: apiDomain || null,
-        auto: config.urls.api?.auto || getWorkersDevUrl(env + '-ar-router'),
-    };
-    config.urls.loginUi = {
-        custom: loginUiDomain || null,
-        auto: config.urls.loginUi?.auto || getPagesDevUrl(env + '-ar-login-ui'),
-        sameAsApi: config.urls.loginUi?.sameAsApi ?? false,
-    };
-    config.urls.adminUi = {
-        custom: adminUiDomain || null,
-        auto: config.urls.adminUi?.auto || getPagesDevUrl(env + '-ar-admin-ui'),
-        sameAsApi: config.urls.adminUi?.sameAsApi ?? false,
-    };
     return true;
 }
 // =============================================================================