@executor-js/emulate 0.6.0

package/dist/index.js

@@ -0,0 +1,3005 @@
+#!/usr/bin/env node
+import {
+  importPKCS8,
+  jwtVerify
+} from "./chunk-D6EKRYGP.js";
+
+// src/index.ts
+import { Command } from "commander";
+
+// ../@emulators/core/dist/index.js
+import { createServer as createNodeServer } from "http";
+import { createHmac } from "crypto";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+function serializeValue(value) {
+  if (value instanceof Map) {
+    return { __type: "Map", entries: [...value.entries()].map(([k, v]) => [k, serializeValue(v)]) };
+  }
+  if (value instanceof Set) {
+    return { __type: "Set", values: [...value.values()] };
+  }
+  return value;
+}
+function deserializeValue(value) {
+  if (value !== null && typeof value === "object" && "__type" in value) {
+    const tagged = value;
+    if (tagged.__type === "Map") {
+      const entries = tagged.entries;
+      return new Map(entries.map(([k, v]) => [k, deserializeValue(v)]));
+    }
+    if (tagged.__type === "Set") {
+      return new Set(tagged.values);
+    }
+  }
+  return value;
+}
+var Collection = class {
+  constructor(indexFields = []) {
+    this.indexFields = indexFields;
+    this.fieldNames = indexFields.map(String).sort();
+    for (const field of indexFields) {
+      this.indexes.set(String(field), /* @__PURE__ */ new Map());
+    }
+  }
+  items = /* @__PURE__ */ new Map();
+  indexes = /* @__PURE__ */ new Map();
+  autoId = 1;
+  fieldNames;
+  addToIndex(item) {
+    for (const field of this.indexFields) {
+      const value = item[field];
+      if (value === void 0 || value === null) continue;
+      const indexMap = this.indexes.get(String(field));
+      const key = String(value);
+      if (!indexMap.has(key)) {
+        indexMap.set(key, /* @__PURE__ */ new Set());
+      }
+      indexMap.get(key).add(item.id);
+    }
+  }
+  removeFromIndex(item) {
+    for (const field of this.indexFields) {
+      const value = item[field];
+      if (value === void 0 || value === null) continue;
+      const indexMap = this.indexes.get(String(field));
+      const key = String(value);
+      indexMap.get(key)?.delete(item.id);
+    }
+  }
+  insert(data) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const explicitId = data.id != null && data.id > 0 ? data.id : void 0;
+    const id = explicitId ?? this.autoId++;
+    if (id >= this.autoId) {
+      this.autoId = id + 1;
+    }
+    const item = {
+      ...data,
+      id,
+      created_at: now,
+      updated_at: now
+    };
+    this.items.set(id, item);
+    this.addToIndex(item);
+    return item;
+  }
+  get(id) {
+    return this.items.get(id);
+  }
+  findBy(field, value) {
+    if (this.indexes.has(String(field))) {
+      const ids = this.indexes.get(String(field)).get(String(value));
+      if (!ids) return [];
+      return Array.from(ids).map((id) => this.items.get(id)).filter(Boolean);
+    }
+    return this.all().filter((item) => item[field] === value);
+  }
+  findOneBy(field, value) {
+    return this.findBy(field, value)[0];
+  }
+  update(id, data) {
+    const existing = this.items.get(id);
+    if (!existing) return void 0;
+    this.removeFromIndex(existing);
+    const updated = {
+      ...existing,
+      ...data,
+      id,
+      updated_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.items.set(id, updated);
+    this.addToIndex(updated);
+    return updated;
+  }
+  delete(id) {
+    const existing = this.items.get(id);
+    if (!existing) return false;
+    this.removeFromIndex(existing);
+    return this.items.delete(id);
+  }
+  all() {
+    return Array.from(this.items.values());
+  }
+  query(options = {}) {
+    let results = this.all();
+    if (options.filter) {
+      results = results.filter(options.filter);
+    }
+    const total_count = results.length;
+    if (options.sort) {
+      results.sort(options.sort);
+    }
+    const page = options.page ?? 1;
+    const per_page = Math.min(options.per_page ?? 30, 100);
+    const start = (page - 1) * per_page;
+    const paged = results.slice(start, start + per_page);
+    return {
+      items: paged,
+      total_count,
+      page,
+      per_page,
+      has_next: start + per_page < total_count,
+      has_prev: page > 1
+    };
+  }
+  count(filter) {
+    if (!filter) return this.items.size;
+    return this.all().filter(filter).length;
+  }
+  clear() {
+    this.items.clear();
+    for (const indexMap of this.indexes.values()) {
+      indexMap.clear();
+    }
+    this.autoId = 1;
+  }
+  snapshot() {
+    return {
+      items: this.all(),
+      autoId: this.autoId,
+      indexFields: this.fieldNames
+    };
+  }
+  restore(snap) {
+    this.clear();
+    this.autoId = snap.autoId;
+    for (const item of snap.items) {
+      this.items.set(item.id, item);
+      this.addToIndex(item);
+    }
+  }
+};
+var Store = class {
+  collections = /* @__PURE__ */ new Map();
+  _data = /* @__PURE__ */ new Map();
+  collection(name, indexFields = []) {
+    const existing = this.collections.get(name);
+    if (existing) {
+      if (indexFields.length > 0) {
+        const requested = indexFields.map(String).sort();
+        if (existing.fieldNames.length !== requested.length || existing.fieldNames.some((f, i) => f !== requested[i])) {
+          throw new Error(
+            `Collection "${name}" already exists with indexes [${existing.fieldNames}] but was requested with [${requested}]`
+          );
+        }
+      }
+      return existing;
+    }
+    const col = new Collection(indexFields);
+    this.collections.set(name, col);
+    return col;
+  }
+  getData(key) {
+    return this._data.get(key);
+  }
+  setData(key, value) {
+    this._data.set(key, value);
+  }
+  reset() {
+    for (const collection of this.collections.values()) {
+      collection.clear();
+    }
+    this._data.clear();
+  }
+  snapshot() {
+    const collections = {};
+    for (const [name, col] of this.collections) {
+      collections[name] = col.snapshot();
+    }
+    const data = {};
+    for (const [key, value] of this._data) {
+      data[key] = serializeValue(value);
+    }
+    return { collections, data };
+  }
+  restore(snap) {
+    const snapshotNames = new Set(Object.keys(snap.collections));
+    for (const name of this.collections.keys()) {
+      if (!snapshotNames.has(name)) {
+        this.collections.delete(name);
+      }
+    }
+    for (const [name, colSnap] of Object.entries(snap.collections)) {
+      const indexFields = colSnap.indexFields;
+      const col = this.collection(name, indexFields);
+      col.restore(colSnap);
+    }
+    this._data.clear();
+    for (const [key, value] of Object.entries(snap.data)) {
+      this._data.set(key, deserializeValue(value));
+    }
+  }
+};
+var HonoRequest = class {
+  constructor(request, params, routePath) {
+    this.params = params;
+    this.raw = request;
+    this.url = request.url;
+    this.method = request.method;
+    this.path = new URL(request.url).pathname;
+    this.routePath = routePath;
+  }
+  raw;
+  url;
+  method;
+  path;
+  /** The matched route pattern (e.g. /repos/:owner/:repo), when a route matched. */
+  routePath;
+  header(name) {
+    if (name) return this.raw.headers.get(name) ?? void 0;
+    const headers = {};
+    this.raw.headers.forEach((value, key) => {
+      headers[key] = value;
+    });
+    return headers;
+  }
+  query(name) {
+    return new URL(this.url).searchParams.get(name) ?? void 0;
+  }
+  queries(name) {
+    const values = new URL(this.url).searchParams.getAll(name);
+    return values.length > 0 ? values : void 0;
+  }
+  param(name) {
+    if (!name) return { ...this.params };
+    return this.params[name] ?? "";
+  }
+  json() {
+    return this.raw.json();
+  }
+  text() {
+    return this.raw.text();
+  }
+  arrayBuffer() {
+    return this.raw.arrayBuffer();
+  }
+  async parseBody() {
+    const contentType = this.header("Content-Type") ?? "";
+    if (contentType.includes("multipart/form-data")) {
+      return formDataToObject(await this.raw.formData());
+    }
+    if (contentType.includes("application/x-www-form-urlencoded")) {
+      const params = new URLSearchParams(await this.raw.text());
+      const out = {};
+      for (const [key, value] of params) {
+        appendBodyValue(out, key, value);
+      }
+      return out;
+    }
+    if (contentType.includes("application/json")) {
+      const body = await this.raw.json().catch(() => ({}));
+      return body && typeof body === "object" && !Array.isArray(body) ? body : {};
+    }
+    return {};
+  }
+};
+var Context = class {
+  constructor(request, params, notFoundHandler, routePath) {
+    this.notFoundHandler = notFoundHandler;
+    this.req = new HonoRequest(request, params, routePath);
+  }
+  req;
+  vars = /* @__PURE__ */ new Map();
+  responseHeaders = new Headers();
+  responseStatus = 200;
+  get(key) {
+    return this.vars.get(key);
+  }
+  set(key, value) {
+    this.vars.set(key, value);
+  }
+  header(name, value) {
+    this.responseHeaders.set(name, value);
+  }
+  status(status) {
+    this.responseStatus = status;
+  }
+  json(data, status, headers) {
+    return this.response(JSON.stringify(data), status, defaultContentType(headers, "application/json; charset=UTF-8"));
+  }
+  text(text, status, headers) {
+    return this.response(text, status, defaultContentType(headers, "text/plain; charset=UTF-8"));
+  }
+  html(html, status, headers) {
+    return this.response(html, status, defaultContentType(headers, "text/html; charset=UTF-8"));
+  }
+  body(body, status, headers) {
+    return this.response(body, status, headers);
+  }
+  redirect(location, status = 302) {
+    return this.response(null, status, { Location: location });
+  }
+  notFound() {
+    return this.notFoundHandler(this);
+  }
+  finalize(response) {
+    if (!hasHeaders(this.responseHeaders)) return response;
+    const headers = new Headers(response.headers);
+    this.responseHeaders.forEach((value, key) => {
+      headers.set(key, value);
+    });
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers
+    });
+  }
+  response(body, status, headers) {
+    const merged = new Headers(headers);
+    this.responseHeaders.forEach((value, key) => {
+      merged.set(key, value);
+    });
+    return new Response(body, {
+      status: status ?? this.responseStatus,
+      headers: merged
+    });
+  }
+};
+var Hono = class {
+  middleware = [];
+  routes = [];
+  errorHandler = (err) => {
+    const message = err instanceof Error ? err.message : "Internal Server Error";
+    return new Response(message, { status: 500 });
+  };
+  notFoundHandler = () => new Response("404 Not Found", { status: 404 });
+  use(pathOrHandler, ...handlers) {
+    if (typeof pathOrHandler === "string") {
+      this.middleware.push({ method: "ALL", compiled: compilePath(pathOrHandler), handlers });
+    } else {
+      this.middleware.push({ method: "ALL", compiled: compilePath("*"), handlers: [pathOrHandler, ...handlers] });
+    }
+    return this;
+  }
+  on(method, path, ...handlers) {
+    this.routes.push({ method: method.toUpperCase(), compiled: compilePath(path), handlers });
+    return this;
+  }
+  get(path, ...handlers) {
+    return this.on("GET", path, ...handlers);
+  }
+  post(path, ...handlers) {
+    return this.on("POST", path, ...handlers);
+  }
+  put(path, ...handlers) {
+    return this.on("PUT", path, ...handlers);
+  }
+  patch(path, ...handlers) {
+    return this.on("PATCH", path, ...handlers);
+  }
+  delete(path, ...handlers) {
+    return this.on("DELETE", path, ...handlers);
+  }
+  onError(handler) {
+    this.errorHandler = handler;
+    return this;
+  }
+  notFound(handler) {
+    this.notFoundHandler = handler;
+    return this;
+  }
+  async request(input, init) {
+    if (input instanceof Request) return this.fetch(input);
+    const url = input.startsWith("/") ? `http://localhost${input}` : input;
+    return this.fetch(new Request(url, init));
+  }
+  fetch = async (request) => {
+    const url = new URL(request.url);
+    const path = url.pathname;
+    const method = request.method.toUpperCase();
+    const matched = this.match(method, path);
+    const context = new Context(request, matched.params, this.notFoundHandler, matched.routePattern);
+    try {
+      const response = await this.dispatch(context, matched.handlers);
+      return context.finalize(response ?? await this.notFoundHandler(context));
+    } catch (err) {
+      return context.finalize(await this.errorHandler(err, context));
+    }
+  };
+  match(method, path) {
+    const handlers = [];
+    const params = {};
+    for (const route2 of this.middleware) {
+      const match = matchPath(route2.compiled, path);
+      if (!match) continue;
+      Object.assign(params, match);
+      for (const handler of route2.handlers) {
+        handlers.push({ handler, params: match });
+      }
+    }
+    const route = this.routes.find((candidate) => candidate.method === method && matchPath(candidate.compiled, path) != null) ?? (method === "HEAD" ? this.routes.find((candidate) => candidate.method === "GET" && matchPath(candidate.compiled, path) != null) : void 0);
+    if (route) {
+      const match = matchPath(route.compiled, path) ?? {};
+      Object.assign(params, match);
+      for (const handler of route.handlers) {
+        handlers.push({ handler, params: match });
+      }
+    }
+    return { handlers, params, routePattern: route?.compiled.pattern };
+  }
+  async dispatch(context, handlers) {
+    let index = -1;
+    const run = async (nextIndex) => {
+      if (nextIndex <= index) throw new Error("next() called multiple times");
+      index = nextIndex;
+      const matched = handlers[nextIndex];
+      if (!matched) return void 0;
+      const originalParams = context.req.param();
+      Object.assign(originalParams, matched.params);
+      let nextResponse = void 0;
+      let nextCalled = false;
+      const next = async () => {
+        nextCalled = true;
+        nextResponse = await run(nextIndex + 1);
+        return nextResponse;
+      };
+      const response = await matched.handler(context, next);
+      if (response instanceof Response) return response;
+      if (nextCalled) return nextResponse;
+      return response;
+    };
+    return run(0);
+  }
+};
+function cors(options = {}) {
+  const origin = options.origin ?? "*";
+  const allowMethods = options.allowMethods ?? ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH", "OPTIONS"];
+  return async (c, next) => {
+    c.header("Access-Control-Allow-Origin", origin);
+    if (options.credentials) c.header("Access-Control-Allow-Credentials", "true");
+    if (c.req.method.toUpperCase() === "OPTIONS") {
+      c.header("Access-Control-Allow-Methods", allowMethods.join(","));
+      const allowHeaders = options.allowHeaders?.join(",") ?? c.req.header("Access-Control-Request-Headers");
+      if (allowHeaders) c.header("Access-Control-Allow-Headers", allowHeaders);
+      if (options.maxAge != null) c.header("Access-Control-Max-Age", String(options.maxAge));
+      return c.body(null, 204);
+    }
+    await next();
+  };
+}
+function serve(options) {
+  const port = options.port ?? 3e3;
+  const server = createNodeServer(async (req, res) => {
+    try {
+      const request = nodeRequestToFetchRequest(req);
+      const response = await options.fetch(request);
+      await writeFetchResponse(res, response, req.method?.toUpperCase() === "HEAD");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Internal Server Error";
+      res.statusCode = 500;
+      res.setHeader("Content-Type", "text/plain; charset=UTF-8");
+      res.end(message);
+    }
+  });
+  server.listen(port, options.hostname);
+  return server;
+}
+function compilePath(pattern) {
+  if (pattern === "*" || pattern === "/*") {
+    return { pattern, regex: /^.*$/, paramNames: [] };
+  }
+  const paramNames = [];
+  let source = "^";
+  for (let i = 0; i < pattern.length; i++) {
+    const char = pattern[i];
+    if (char !== ":") {
+      source += escapeRegex(char);
+      continue;
+    }
+    let name = "";
+    i++;
+    while (i < pattern.length && /[A-Za-z0-9_]/.test(pattern[i])) {
+      name += pattern[i];
+      i++;
+    }
+    i--;
+    paramNames.push(name);
+    if (pattern[i + 1] === "{") {
+      const close = pattern.indexOf("}", i + 2);
+      if (close < 0) throw new Error(`Invalid route pattern: ${pattern}`);
+      const expr = pattern.slice(i + 2, close);
+      source += `(${expr})`;
+      i = close;
+    } else {
+      source += "([^/]+)";
+    }
+  }
+  source += "$";
+  return { pattern, regex: new RegExp(source), paramNames };
+}
+function matchPath(compiled, path) {
+  const match = compiled.regex.exec(path);
+  if (!match) return null;
+  const params = {};
+  for (let i = 0; i < compiled.paramNames.length; i++) {
+    params[compiled.paramNames[i]] = decodePathParam(match[i + 1] ?? "");
+  }
+  return params;
+}
+function decodePathParam(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function escapeRegex(value) {
+  return value.replace(/[|\\{}()[\]^$+*?.]/g, "\\$&");
+}
+function hasHeaders(headers) {
+  for (const _ of headers) return true;
+  return false;
+}
+function defaultContentType(headers, contentType) {
+  const out = new Headers(headers);
+  if (!out.has("Content-Type")) {
+    out.set("Content-Type", contentType);
+  }
+  return out;
+}
+function formDataToObject(formData) {
+  const out = {};
+  for (const [key, value] of formData) {
+    appendBodyValue(out, key, value);
+  }
+  return out;
+}
+function appendBodyValue(target, key, value) {
+  const existing = target[key];
+  if (existing === void 0) {
+    target[key] = value;
+  } else if (Array.isArray(existing)) {
+    existing.push(value);
+  } else {
+    target[key] = [existing, value];
+  }
+}
+function nodeRequestToFetchRequest(req) {
+  const host = req.headers.host ?? "localhost";
+  const url = new URL(req.url ?? "/", `http://${host}`);
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value == null) continue;
+    if (Array.isArray(value)) {
+      for (const item of value) headers.append(key, item);
+    } else {
+      headers.set(key, value);
+    }
+  }
+  const method = req.method ?? "GET";
+  const hasBody = method !== "GET" && method !== "HEAD";
+  return new Request(url.toString(), {
+    method,
+    headers,
+    body: hasBody ? req : void 0,
+    duplex: "half"
+  });
+}
+async function writeFetchResponse(res, response, headOnly) {
+  res.statusCode = response.status;
+  res.statusMessage = response.statusText;
+  const headersWithCookies = response.headers;
+  const cookies = headersWithCookies.getSetCookie?.();
+  response.headers.forEach((value, key) => {
+    if (key.toLowerCase() === "set-cookie" && cookies && cookies.length > 0) return;
+    res.setHeader(key, value);
+  });
+  if (cookies && cookies.length > 0) {
+    res.setHeader("Set-Cookie", cookies);
+  }
+  if (headOnly || !response.body) {
+    res.end();
+    return;
+  }
+  const reader = response.body.getReader();
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      if (!res.write(value)) {
+        await new Promise((resolve3) => res.once("drain", resolve3));
+      }
+    }
+    res.end();
+  } catch (err) {
+    res.destroy(err instanceof Error ? err : void 0);
+  }
+}
+var MAX_DELIVERIES = 1e3;
+var WebhookDispatcher = class {
+  subscriptions = [];
+  deliveries = [];
+  subscriptionIdCounter = 1;
+  deliveryIdCounter = 1;
+  register(sub) {
+    const { id: explicitId, ...rest } = sub;
+    const id = explicitId !== void 0 ? explicitId : this.subscriptionIdCounter++;
+    if (id >= this.subscriptionIdCounter) {
+      this.subscriptionIdCounter = id + 1;
+    }
+    const subscription = { ...rest, id };
+    this.subscriptions.push(subscription);
+    return subscription;
+  }
+  unregister(id) {
+    const idx = this.subscriptions.findIndex((s) => s.id === id);
+    if (idx === -1) return false;
+    this.subscriptions.splice(idx, 1);
+    return true;
+  }
+  getSubscription(id) {
+    return this.subscriptions.find((s) => s.id === id);
+  }
+  getSubscriptions(owner, repo) {
+    return this.subscriptions.filter((s) => {
+      if (owner && s.owner !== owner) return false;
+      if (repo !== void 0 && s.repo !== repo) return false;
+      return true;
+    });
+  }
+  updateSubscription(id, data) {
+    const sub = this.subscriptions.find((s) => s.id === id);
+    if (!sub) return void 0;
+    Object.assign(sub, data);
+    return sub;
+  }
+  async dispatch(event, action, payload, owner, repo) {
+    const matchingSubs = this.subscriptions.filter((s) => {
+      if (!s.active) return false;
+      if (s.owner !== owner) return false;
+      if (repo !== void 0) {
+        if (s.repo !== repo) return false;
+      } else if (s.repo !== void 0) {
+        return false;
+      }
+      return event === "ping" || s.events.includes("*") || s.events.includes(event);
+    });
+    for (const sub of matchingSubs) {
+      const delivery = {
+        id: this.deliveryIdCounter++,
+        hook_id: sub.id,
+        event,
+        action,
+        payload,
+        status_code: null,
+        delivered_at: (/* @__PURE__ */ new Date()).toISOString(),
+        duration: null,
+        success: false
+      };
+      const body = JSON.stringify(payload);
+      const signatureHeaders = {};
+      if (sub.secret) {
+        const hmac = createHmac("sha256", sub.secret).update(body).digest("hex");
+        signatureHeaders["X-Hub-Signature-256"] = `sha256=${hmac}`;
+      }
+      try {
+        const start = Date.now();
+        const response = await fetch(sub.url, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            "X-GitHub-Event": event,
+            "X-GitHub-Delivery": String(delivery.id),
+            ...signatureHeaders
+          },
+          body,
+          signal: AbortSignal.timeout(1e4)
+        });
+        delivery.duration = Date.now() - start;
+        delivery.status_code = response.status;
+        delivery.success = response.ok;
+      } catch {
+        delivery.duration = 0;
+        delivery.success = false;
+      }
+      this.deliveries.push(delivery);
+      if (this.deliveries.length > MAX_DELIVERIES) {
+        this.deliveries.splice(0, this.deliveries.length - MAX_DELIVERIES);
+      }
+    }
+  }
+  getDeliveries(hookId) {
+    if (hookId !== void 0) {
+      return this.deliveries.filter((d) => d.hook_id === hookId);
+    }
+    return [...this.deliveries];
+  }
+  clear() {
+    this.subscriptions.length = 0;
+    this.deliveries.length = 0;
+    this.subscriptionIdCounter = 1;
+    this.deliveryIdCounter = 1;
+  }
+};
+var DEFAULT_DOCS_URL = "https://emulate.dev";
+function getDocsUrl(c) {
+  return c.get("docsUrl") ?? DEFAULT_DOCS_URL;
+}
+function errorStatus(err) {
+  if (err && typeof err === "object" && "status" in err) {
+    const s = err.status;
+    if (typeof s === "number" && Number.isFinite(s)) return s;
+  }
+  return 500;
+}
+function createApiErrorHandler(documentationUrl) {
+  return (err, c) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    const status = errorStatus(err);
+    const message = err instanceof Error ? err.message : "Internal Server Error";
+    return c.json(
+      {
+        message,
+        documentation_url: getDocsUrl(c)
+      },
+      status
+    );
+  };
+}
+function createErrorHandler(documentationUrl) {
+  return async (c, next) => {
+    if (documentationUrl) {
+      c.set("docsUrl", documentationUrl);
+    }
+    await next();
+  };
+}
+var errorHandler = createErrorHandler();
+var isDebug = typeof process !== "undefined" && (process.env.DEBUG === "1" || process.env.DEBUG === "true" || process.env.EMULATE_DEBUG === "1");
+function debug(label, ...args) {
+  if (isDebug) {
+    console.log(`[${label}]`, ...args);
+  }
+}
+function authMiddleware(tokens, appKeyResolver, fallbackUser) {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    if (authHeader) {
+      const token = authHeader.replace(/^(Bearer|token)\s+/i, "").trim();
+      if (token.startsWith("eyJ") && appKeyResolver) {
+        try {
+          const [, payloadB64] = token.split(".");
+          const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+          const appId = typeof payload.iss === "string" ? parseInt(payload.iss, 10) : payload.iss;
+          if (typeof appId === "number" && !isNaN(appId)) {
+            const appInfo = appKeyResolver(appId);
+            if (appInfo) {
+              const key = await importPKCS8(appInfo.privateKey, "RS256");
+              await jwtVerify(token, key, { algorithms: ["RS256"] });
+              c.set("authApp", {
+                appId,
+                slug: appInfo.slug,
+                name: appInfo.name
+              });
+            }
+          }
+        } catch {
+        }
+      } else {
+        let user = tokens.get(token);
+        if (!user && fallbackUser && token.length > 0) {
+          debug("auth", "fallback user for unknown token", { login: fallbackUser.login, id: fallbackUser.id });
+          user = { login: fallbackUser.login, id: fallbackUser.id, scopes: fallbackUser.scopes };
+        }
+        if (user) {
+          c.set("authUser", user);
+          c.set("authToken", token);
+          c.set("authScopes", user.scopes);
+        }
+      }
+    }
+    await next();
+  };
+}
+var assetCache = /* @__PURE__ */ new Map();
+function loadAsset(name) {
+  if (assetCache.has(name)) return assetCache.get(name);
+  let buf = null;
+  try {
+    const dir = dirname(fileURLToPath(import.meta.url));
+    buf = readFileSync(join(dir, "fonts", name));
+  } catch {
+    buf = null;
+  }
+  assetCache.set(name, buf);
+  return buf;
+}
+var FONT_NAMES = /* @__PURE__ */ new Set(["geist-sans.woff2", "GeistPixel-Square.woff2"]);
+function registerFontRoutes(app) {
+  app.get("/_emulate/fonts/:name", (c) => {
+    const name = c.req.param("name");
+    if (!FONT_NAMES.has(name)) return c.notFound();
+    const buf = loadAsset(name);
+    if (!buf) return c.notFound();
+    return new Response(buf, {
+      headers: {
+        "Content-Type": "font/woff2",
+        "Cache-Control": "public, max-age=31536000, immutable",
+        "Access-Control-Allow-Origin": "*"
+      }
+    });
+  });
+  app.get("/_emulate/favicon.ico", (c) => {
+    const buf = loadAsset("favicon.ico");
+    if (!buf) return c.notFound();
+    return new Response(buf, {
+      headers: {
+        "Content-Type": "image/x-icon",
+        "Cache-Control": "public, max-age=31536000, immutable"
+      }
+    });
+  });
+}
+var DEFAULT_MAX_ENTRIES = 1e3;
+var DEFAULT_MAX_BODY_CHARS = 2e4;
+var REDACTED = "[redacted]";
+var SENSITIVE_HEADERS = /* @__PURE__ */ new Set([
+  "authorization",
+  "cookie",
+  "set-cookie",
+  "x-api-key",
+  "x-github-token",
+  "stripe-signature"
+]);
+var SENSITIVE_KEYS = /token|secret|password|authorization|api[_-]?key|client[_-]?secret|private[_-]?key/i;
+var RequestLedger = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  entries = [];
+  counter = 1;
+  add(entry) {
+    const saved = { ...entry, id: `req_${this.counter++}` };
+    this.entries.push(saved);
+    const max = this.options.maxEntries ?? DEFAULT_MAX_ENTRIES;
+    if (this.entries.length > max) {
+      this.entries.splice(0, this.entries.length - max);
+    }
+    return saved;
+  }
+  list(limit) {
+    const all = [...this.entries].reverse();
+    return limit != null ? all.slice(0, limit) : all;
+  }
+  clear() {
+    this.entries.length = 0;
+    this.counter = 1;
+  }
+  /** Serialize for durable persistence (e.g. a Cloudflare Durable Object). */
+  serialize() {
+    return { entries: [...this.entries], counter: this.counter };
+  }
+  restore(snapshot) {
+    if (!snapshot) return;
+    this.entries = Array.isArray(snapshot.entries) ? [...snapshot.entries] : [];
+    this.counter = typeof snapshot.counter === "number" ? snapshot.counter : this.entries.length + 1;
+  }
+};
+function correlationIdFor(headers) {
+  const provided = headers["x-correlation-id"] ?? headers["x-request-id"];
+  if (provided && provided.length <= 200) return provided;
+  return `cor_${crypto.randomUUID().replace(/-/g, "")}`;
+}
+function createLedgerMiddleware(ledger, options = {}) {
+  const maxBodyChars = options.maxBodyChars ?? DEFAULT_MAX_BODY_CHARS;
+  const webhooks = options.webhooks;
+  return async (c, next) => {
+    if (c.req.path.startsWith("/_emulate")) {
+      await next();
+      return;
+    }
+    const started = Date.now();
+    const url = new URL(c.req.url);
+    const rawHeaders = c.req.header();
+    const correlationId = correlationIdFor(rawHeaders);
+    c.set("correlationId", correlationId);
+    c.set("ledgerEffects", []);
+    c.header("X-Correlation-Id", correlationId);
+    const requestBody = await readBody(c.req.raw.clone(), maxBodyChars);
+    const requestHeaders = redactHeaders(rawHeaders);
+    const beforeDeliveryIds = webhooks ? new Set(webhooks.getDeliveries().map((d) => d.id)) : void 0;
+    const response = await next();
+    if (!response) return;
+    const responseBody = await readBody(response.clone(), maxBodyChars);
+    const route = c.req.routePath;
+    const operationId = c.get("operationId");
+    const sideEffects = c.get("ledgerEffects") ?? [];
+    const webhookDeliveries = webhooks && beforeDeliveryIds ? webhooks.getDeliveries().filter((d) => !beforeDeliveryIds.has(d.id)).map((d) => ({
+      id: d.id,
+      hook_id: d.hook_id,
+      event: d.event,
+      action: d.action,
+      status_code: d.status_code,
+      success: d.success
+    })) : [];
+    ledger.add({
+      correlationId,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      method: c.req.method.toUpperCase(),
+      host: url.host,
+      path: url.pathname,
+      query: url.search,
+      route,
+      operationId,
+      request: {
+        headers: requestHeaders,
+        ...requestBody
+      },
+      identity: {
+        user: c.get("authUser"),
+        app: c.get("authApp")
+      },
+      response: {
+        status: response.status,
+        headers: redactHeaders(headersToRecord(response.headers)),
+        ...responseBody
+      },
+      summary: `${c.req.method.toUpperCase()} ${route ?? url.pathname} -> ${response.status}`,
+      sideEffects,
+      webhookDeliveries,
+      durationMs: Date.now() - started
+    });
+    return response;
+  };
+}
+async function readBody(responseOrRequest, maxChars) {
+  const method = responseOrRequest instanceof Request ? responseOrRequest.method.toUpperCase() : void 0;
+  if (method === "GET" || method === "HEAD") return {};
+  const contentType = responseOrRequest.headers.get("content-type") ?? "";
+  if (responseOrRequest instanceof Response && responseOrRequest.status === 204) return {};
+  let text;
+  try {
+    text = await responseOrRequest.text();
+  } catch {
+    return {};
+  }
+  if (!text) return {};
+  const truncated = text.length > maxChars;
+  const clipped = truncated ? text.slice(0, maxChars) : text;
+  if (contentType.includes("application/json")) {
+    try {
+      return { body: redactValue(JSON.parse(clipped)), bodyTruncated: truncated || void 0 };
+    } catch {
+      return { body: clipped, bodyTruncated: truncated || void 0 };
+    }
+  }
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    const params = {};
+    for (const [key, value] of new URLSearchParams(clipped)) {
+      params[key] = SENSITIVE_KEYS.test(key) ? REDACTED : value;
+    }
+    return { body: params, bodyTruncated: truncated || void 0 };
+  }
+  return { body: clipped, bodyTruncated: truncated || void 0 };
+}
+function headersToRecord(headers) {
+  const out = {};
+  headers.forEach((value, key) => {
+    out[key] = value;
+  });
+  return out;
+}
+function redactHeaders(headers) {
+  const out = {};
+  for (const [key, value] of Object.entries(headers)) {
+    out[key] = SENSITIVE_HEADERS.has(key.toLowerCase()) ? REDACTED : value;
+  }
+  return out;
+}
+function redactValue(value) {
+  if (Array.isArray(value)) return value.map(redactValue);
+  if (!value || typeof value !== "object") return value;
+  const out = {};
+  for (const [key, child] of Object.entries(value)) {
+    out[key] = SENSITIVE_KEYS.test(key) ? REDACTED : redactValue(child);
+  }
+  return out;
+}
+var CORE_RESET_BEHAVIOR = {
+  description: "Resets the instance to its seeded baseline.",
+  reseeds: true,
+  clearsLedger: true,
+  clearsWebhooks: true
+};
+function coreLedgerCapabilities(persistent) {
+  return {
+    description: "Recent provider requests with sensitive headers and fields redacted.",
+    recordsFields: [
+      "timestamp",
+      "method",
+      "host",
+      "path",
+      "route",
+      "operationId",
+      "correlationId",
+      "identity",
+      "request",
+      "response",
+      "summary",
+      "sideEffects",
+      "webhookDeliveries",
+      "durationMs"
+    ],
+    redactsSensitive: true,
+    correlationId: true,
+    webhookDeliveries: true,
+    sideEffects: true,
+    persistent,
+    maxEntries: 1e3
+  };
+}
+function coreInspectorTabs(manifest) {
+  const tabs = [
+    {
+      id: "overview",
+      title: "Overview",
+      kind: "landing",
+      description: "Service surfaces, base URLs, and connection snippets."
+    },
+    {
+      id: "ledger",
+      title: "Ledger",
+      kind: "ledger",
+      description: "Recent provider requests recorded by the emulator."
+    },
+    { id: "state", title: "State", kind: "state", description: "Current seeded and mutated instance state." },
+    {
+      id: "credentials",
+      title: "Credentials",
+      kind: "credentials",
+      description: "Mint tokens, API keys, or OAuth clients."
+    }
+  ];
+  if (manifest.seedSchema || manifest.scenarios && manifest.scenarios.length > 0) {
+    tabs.push({ id: "seed", title: "Seed", kind: "seed", description: "Seed state or load a scenario." });
+  }
+  if (manifest.specs.some((s) => s.kind === "openapi" || s.kind === "graphql")) {
+    tabs.push({ id: "spec", title: "Spec", kind: "spec", description: "OpenAPI / GraphQL spec sources and coverage." });
+  }
+  if (manifest.surfaces.some((s) => s.kind === "webhooks")) {
+    tabs.push({
+      id: "logs",
+      title: "Webhooks",
+      kind: "logs",
+      description: "Webhook deliveries dispatched by the emulator."
+    });
+  }
+  return tabs;
+}
+function coreConnections() {
+  return [
+    {
+      id: "base-url",
+      title: "Base URL (env)",
+      kind: "env",
+      language: "bash",
+      description: "Point your SDK or app at the emulator instead of the real provider.",
+      template: "{{SERVICE_UPPER}}_BASE_URL={{baseUrl}}"
+    },
+    {
+      id: "create-credential",
+      title: "Create a credential",
+      kind: "curl",
+      language: "bash",
+      description: "Mint a working credential for this instance.",
+      template: `curl -s -X POST {{controlBaseUrl}}/credentials \\
+  -H "content-type: application/json" \\
+  -d '{"type":"{{defaultAuthType}}"}'`
+    },
+    {
+      id: "inspect-ledger",
+      title: "Inspect requests",
+      kind: "curl",
+      language: "bash",
+      description: "Read the request ledger to validate how your app called the service.",
+      template: "curl -s {{controlBaseUrl}}/ledger"
+    }
+  ];
+}
+function enrichManifest(manifest, opts = {}) {
+  return {
+    ...manifest,
+    resetBehavior: manifest.resetBehavior ?? CORE_RESET_BEHAVIOR,
+    ledger: manifest.ledger ?? coreLedgerCapabilities(opts.ledgerPersistent ?? false),
+    inspectorTabs: manifest.inspectorTabs ?? coreInspectorTabs(manifest),
+    connections: [...manifest.connections ?? [], ...coreConnections()]
+  };
+}
+function resolveConnections(connections, vars) {
+  const map = {
+    baseUrl: vars.baseUrl,
+    providerBaseUrl: vars.providerBaseUrl,
+    controlBaseUrl: vars.controlBaseUrl,
+    service: vars.service,
+    SERVICE_UPPER: vars.service.toUpperCase().replace(/[^A-Z0-9]+/g, "_"),
+    instance: vars.instance ?? "default",
+    token: vars.token ?? "<token>",
+    clientId: vars.clientId ?? "<client_id>",
+    clientSecret: vars.clientSecret ?? "<client_secret>",
+    defaultAuthType: vars.defaultAuthType ?? "bearer-token"
+  };
+  return connections.map((snippet) => ({
+    ...snippet,
+    body: snippet.template.replace(/\{\{(\w+)\}\}/g, (_, key) => map[key] ?? `{{${key}}}`)
+  }));
+}
+function coverageReport(manifest) {
+  const operations = [];
+  const summary = {
+    generated: 0,
+    "hand-authored": 0,
+    partial: 0,
+    unsupported: 0
+  };
+  const specs = manifest.specs.map((spec) => {
+    const ops = spec.operations ?? [];
+    for (const op of ops) {
+      operations.push(op);
+      summary[op.status] += 1;
+    }
+    return { kind: spec.kind, title: spec.title, coverage: spec.coverage, operationCount: ops.length };
+  });
+  return { operations, summary, specs };
+}
+function createDefaultManifest(service) {
+  return {
+    id: service,
+    name: service,
+    description: `Stateful ${service} API emulator.`,
+    surfaces: [{ id: "rest", kind: "rest", title: "REST API", status: "partial" }],
+    auth: [{ id: "bearer", title: "Bearer token", type: "bearer-token", status: "partial" }],
+    specs: [{ kind: "manual", title: "Hand-authored emulator behavior", coverage: "partial" }]
+  };
+}
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+var CSS = `
+@font-face{
+  font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;
+  src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');
+}
+@font-face{
+  font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;
+  src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');
+}
+*{box-sizing:border-box;margin:0;padding:0}
+body{
+  font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;
+  background:#000;color:#33ff00;min-height:100vh;
+  -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;
+}
+.emu-bar{
+  border-bottom:1px solid #0a3300;padding:10px 20px;
+  display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;
+}
+.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}
+.emu-bar-links{margin-left:auto;display:flex;gap:16px;}
+.emu-bar-links a{
+  color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;
+}
+.emu-bar-links a:hover{color:#33ff00;}
+.emu-bar-links a .full{display:inline;}
+.emu-bar-links a .short{display:none;}
+@media(max-width:600px){
+  .emu-bar-links a .full{display:none;}
+  .emu-bar-links a .short{display:inline;}
+}
+
+.content{
+  display:flex;align-items:center;justify-content:center;
+  min-height:calc(100vh - 42px);padding:24px 16px;
+}
+.content-inner{width:100%;max-width:420px;}
+.card-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;
+}
+.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}
+.powered-by{
+  position:fixed;bottom:0;left:0;right:0;
+  text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;
+  font-family:'Geist Pixel',monospace;
+}
+.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.powered-by a:hover{color:#33ff00;}
+
+.error-title{
+  font-family:'Geist Pixel',monospace;
+  color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;
+}
+.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}
+.error-card{text-align:center;}
+
+.user-form{margin-bottom:8px;}
+.user-form:last-of-type{margin-bottom:0;}
+.user-btn{
+  width:100%;display:flex;align-items:center;gap:12px;
+  padding:10px 12px;border:1px solid #0a3300;border-radius:8px;
+  background:#000;color:inherit;cursor:pointer;text-align:left;
+  font:inherit;transition:border-color .15s;
+}
+.user-btn:hover{border-color:#33ff00;}
+.avatar{
+  width:36px;height:36px;border-radius:50%;
+  background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.user-text{min-width:0;}
+.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}
+.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}
+.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}
+
+.settings-layout{
+  max-width:920px;margin:0 auto;padding:28px 20px;
+  display:flex;gap:28px;
+}
+.settings-sidebar{width:200px;flex-shrink:0;}
+.settings-sidebar a{
+  display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;
+  text-decoration:none;font-size:.8125rem;transition:color .15s;
+}
+.settings-sidebar a:hover{color:#33ff00;}
+.settings-sidebar a.active{color:#33ff00;font-weight:600;}
+.settings-main{flex:1;min-width:0;}
+
+.s-card{
+  padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;
+}
+.s-card:last-child{border-bottom:none;}
+.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}
+.s-icon{
+  width:42px;height:42px;border-radius:8px;
+  background:#0a3300;display:flex;align-items:center;justify-content:center;
+  font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.s-title{
+  font-family:'Geist Pixel',monospace;
+  font-size:1.25rem;font-weight:600;color:#33ff00;
+}
+.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.section-heading{
+  font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;
+  display:flex;align-items:center;justify-content:space-between;
+}
+.perm-list{list-style:none;}
+.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}
+.check{color:#33ff00;}
+.org-row{
+  display:flex;align-items:center;gap:8px;padding:7px 0;
+  border-bottom:1px solid #0a3300;font-size:.8125rem;
+}
+.org-row:last-child{border-bottom:none;}
+.org-icon{
+  width:22px;height:22px;border-radius:4px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;
+  font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;
+}
+.org-name{font-weight:600;color:#33ff00;}
+.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}
+.badge-granted{background:#0a3300;color:#33ff00;}
+.badge-denied{background:#1a0a0a;color:#ff4444;}
+.badge-requested{background:#0a3300;color:#1a8c00;}
+.btn-revoke{
+  display:inline-block;padding:5px 14px;border-radius:6px;
+  border:1px solid #0a3300;background:transparent;color:#ff4444;
+  font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;
+}
+.btn-revoke:hover{border-color:#ff4444;}
+.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}
+.info-text a,.section-heading a{color:#1a8c00;text-decoration:none;transition:color .15s;}
+.info-text a:hover,.section-heading a:hover{color:#33ff00;}
+code{font-family:'Geist Mono','SF Mono',ui-monospace,monospace;font-size:.8125rem;color:#33ff00;word-break:break-all;}
+.code-block{
+  background:#020;border:1px solid #0a3300;border-radius:6px;padding:10px 12px;
+  margin:8px 0 12px;overflow-x:auto;
+}
+.code-block code{white-space:pre;word-break:normal;display:block;line-height:1.5;}
+.app-link{
+  display:flex;align-items:center;gap:12px;padding:12px;
+  border:1px solid #0a3300;border-radius:8px;background:#000;
+  text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;
+}
+.app-link:hover{border-color:#33ff00;}
+.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}
+.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}
+.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}
+
+.inspector-layout{max-width:960px;margin:0 auto;padding:28px 20px;}
+.inspector-tabs{display:flex;gap:4px;margin-bottom:20px;}
+.inspector-tabs a{
+  padding:7px 16px;border-radius:6px;text-decoration:none;
+  font-size:.8125rem;color:#1a8c00;border:1px solid transparent;
+  transition:color .15s,border-color .15s;
+}
+.inspector-tabs a:hover{color:#33ff00;}
+.inspector-tabs a.active{color:#33ff00;font-weight:600;border-color:#0a3300;background:#0a3300;}
+.inspector-section{margin-bottom:24px;}
+.inspector-section h2{
+  font-family:'Geist Pixel',monospace;
+  font-size:1rem;font-weight:600;color:#33ff00;margin-bottom:10px;
+}
+.inspector-section h3{
+  font-family:'Geist Pixel',monospace;
+  font-size:.875rem;font-weight:600;color:#1a8c00;margin:16px 0 8px;
+}
+.inspector-table{width:100%;border-collapse:collapse;margin-bottom:12px;}
+.inspector-table th,.inspector-table td{
+  text-align:left;padding:8px 12px;border-bottom:1px solid #0a3300;
+  font-size:.8125rem;
+}
+.inspector-table th{color:#1a8c00;font-weight:600;font-size:.75rem;text-transform:uppercase;letter-spacing:.04em;}
+.inspector-table td{color:#33ff00;}
+.inspector-table tbody tr{transition:background .1s;}
+.inspector-table tbody tr:hover{background:#0a3300;}
+.inspector-empty{color:#1a8c00;text-align:center;padding:20px 0;font-size:.8125rem;}
+
+.checkout-layout{
+  display:flex;min-height:calc(100vh - 42px);
+}
+.checkout-summary{
+  flex:1;background:#020;padding:48px 40px 48px 10%;
+  display:flex;flex-direction:column;justify-content:center;
+  border-right:1px solid #0a3300;
+}
+.checkout-form-side{
+  flex:1;background:#000;padding:48px 10% 48px 40px;
+  display:flex;flex-direction:column;justify-content:center;
+}
+.checkout-merchant{
+  display:flex;align-items:center;gap:10px;margin-bottom:6px;
+}
+.checkout-merchant-name{
+  font-family:'Geist Pixel',monospace;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-test-badge{
+  font-size:.625rem;font-weight:700;letter-spacing:.04em;text-transform:uppercase;
+  background:#0a3300;color:#1a8c00;padding:2px 8px;border-radius:4px;
+}
+.checkout-total{
+  font-family:'Geist Pixel',monospace;
+  font-size:2rem;font-weight:700;color:#33ff00;margin:8px 0 28px;
+}
+.checkout-line-item{
+  display:flex;align-items:center;gap:14px;padding:14px 0;
+  border-bottom:1px solid #0a3300;
+}
+.checkout-line-item:first-child{border-top:1px solid #0a3300;}
+.checkout-item-icon{
+  width:42px;height:42px;border-radius:6px;background:#0a3300;
+  display:flex;align-items:center;justify-content:center;flex-shrink:0;
+  font-family:'Geist Pixel',monospace;font-size:.875rem;font-weight:700;color:#116600;
+}
+.checkout-item-details{flex:1;min-width:0;}
+.checkout-item-name{font-size:.875rem;font-weight:600;color:#33ff00;}
+.checkout-item-qty{font-size:.75rem;color:#1a8c00;margin-top:2px;}
+.checkout-item-price{
+  font-size:.875rem;font-weight:600;color:#33ff00;text-align:right;white-space:nowrap;
+}
+.checkout-item-unit{font-size:.6875rem;color:#1a8c00;text-align:right;margin-top:2px;}
+.checkout-totals{margin-top:20px;}
+.checkout-totals-row{
+  display:flex;justify-content:space-between;padding:6px 0;
+  font-size:.8125rem;color:#1a8c00;
+}
+.checkout-totals-row.total{
+  border-top:1px solid #0a3300;margin-top:8px;padding-top:14px;
+  font-size:.9375rem;font-weight:600;color:#33ff00;
+}
+.checkout-form-section{margin-bottom:24px;}
+.checkout-form-label{
+  font-size:.8125rem;font-weight:600;color:#33ff00;margin-bottom:8px;display:block;
+}
+.checkout-input{
+  width:100%;padding:10px 12px;border:1px solid #0a3300;border-radius:6px;
+  background:#020;color:#33ff00;font:inherit;font-size:.875rem;
+  transition:border-color .15s;outline:none;
+}
+.checkout-input:focus{border-color:#33ff00;}
+.checkout-input::placeholder{color:#116600;}
+.checkout-card-box{
+  border:1px solid #0a3300;border-radius:6px;padding:14px;
+  background:#020;
+}
+.checkout-card-row{
+  display:flex;gap:12px;margin-top:10px;
+}
+.checkout-card-row .checkout-input{flex:1;}
+.checkout-sim-note{
+  font-size:.6875rem;color:#1a8c00;margin-top:10px;text-align:center;
+  font-style:italic;
+}
+.checkout-pay-btn{
+  width:100%;padding:14px;border:none;border-radius:8px;
+  background:#33ff00;color:#000;font:inherit;font-size:.9375rem;font-weight:700;
+  cursor:pointer;transition:background .15s;
+  font-family:'Geist Pixel',monospace;
+}
+.checkout-pay-btn:hover{background:#44ff22;}
+.checkout-cancel{
+  text-align:center;margin-top:14px;
+}
+.checkout-cancel a{
+  color:#1a8c00;text-decoration:none;font-size:.8125rem;
+  transition:color .15s;
+}
+.checkout-cancel a:hover{color:#33ff00;}
+@media(max-width:768px){
+  .checkout-layout{flex-direction:column;}
+  .checkout-summary{padding:32px 20px;border-right:none;border-bottom:1px solid #0a3300;}
+  .checkout-form-side{padding:32px 20px;}
+}
+`;
+var POWERED_BY = `<div class="powered-by">Powered by <a href="https://emulate.dev" target="_blank" rel="noopener">emulate</a></div>`;
+function emuBar(service) {
+  const title = service ? `${escapeHtml(service)} Emulator` : "Emulator";
+  return `<div class="emu-bar">
+  <span class="emu-bar-title">${title}</span>
+  <nav class="emu-bar-links">
+    <a href="https://github.com/vercel-labs/emulate/issues" target="_blank" rel="noopener"><span class="full">Report Issue</span><span class="short">Report</span></a>
+    <a href="https://github.com/vercel-labs/emulate" target="_blank" rel="noopener"><span class="full">Source Code</span><span class="short">Source</span></a>
+    <a href="https://emulate.dev" target="_blank" rel="noopener"><span class="full">Learn More</span><span class="short">Learn</span></a>
+  </nav>
+</div>`;
+}
+function head(title) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<link rel="icon" href="/_emulate/favicon.ico"/>
+<title>${escapeHtml(title)} | emulate</title>
+<style>${CSS}</style>
+</head>`;
+}
+function renderCardPage(title, subtitle, body, service) {
+  return `${head(title)}
+<body>
+${emuBar(service)}
+<div class="content">
+  <div class="content-inner">
+    <div class="card-title">${escapeHtml(title)}</div>
+    <div class="card-subtitle">${subtitle}</div>
+    ${body}
+  </div>
+</div>
+${POWERED_BY}
+</body></html>`;
+}
+var INSTANCE_NOTES = "Hosted deployments create instances lazily when the returned URL is first used.";
+function buildInstanceCreation(args) {
+  return {
+    service: args.service,
+    instance: args.instance,
+    providerBaseUrl: args.providerBaseUrl,
+    controlBaseUrl: `${args.providerBaseUrl}/_emulate`,
+    pathUrl: `${args.pathOrigin}/${args.service}/${args.instance}`,
+    hostHint: `${args.service}.${args.instance}.${args.hostSuffix}`,
+    notes: INSTANCE_NOTES
+  };
+}
+function connectionVars(manifest, instance, overrides) {
+  return {
+    baseUrl: instance.providerBaseUrl,
+    providerBaseUrl: instance.providerBaseUrl,
+    controlBaseUrl: instance.controlBaseUrl,
+    service: manifest.id,
+    instance: instance.instance,
+    defaultAuthType: manifest.auth[0]?.type ?? "bearer-token",
+    ...overrides
+  };
+}
+function registerControlPlane(app, options) {
+  const { instance, store, webhooks, ledger } = options;
+  const manifest = enrichManifest(options.manifest, { ledgerPersistent: options.ledgerPersistent });
+  const hostSuffix = options.hostSuffix ?? "emulators.dev";
+  app.get("/_emulate", (c) => c.html(renderLandingPage(manifest, instance)));
+  app.get(
+    "/_emulate/manifest",
+    (c) => c.json({
+      manifest,
+      instance,
+      connections: resolveConnections(manifest.connections ?? [], connectionVars(manifest, instance))
+    })
+  );
+  app.get("/_emulate/quickstart", (c) => c.text(renderQuickstart(manifest, instance)));
+  app.get("/_emulate/specs", (c) => c.json({ specs: manifest.specs, surfaces: manifest.surfaces }));
+  app.get("/_emulate/coverage", (c) => c.json(coverageReport(manifest)));
+  app.get("/_emulate/connections", (c) => {
+    const overrides = {};
+    const token = c.req.query("token");
+    const clientId = c.req.query("client_id");
+    const clientSecret = c.req.query("client_secret");
+    if (token) overrides.token = token;
+    if (clientId) overrides.clientId = clientId;
+    if (clientSecret) overrides.clientSecret = clientSecret;
+    return c.json({
+      connections: resolveConnections(manifest.connections ?? [], connectionVars(manifest, instance, overrides))
+    });
+  });
+  app.get("/_emulate/openapi", (c) => redirectToSpec(c, manifest, instance, "openapi"));
+  app.get("/_emulate/graphql", (c) => endpointForSurface(c, manifest, instance, "graphql"));
+  app.get("/_emulate/mcp", (c) => endpointForSurface(c, manifest, instance, "mcp"));
+  app.get("/_emulate/state", (c) => c.json(store.snapshot()));
+  app.get("/_emulate/ledger", (c) => {
+    const limitParam = c.req.query("limit");
+    const limit = limitParam ? Number.parseInt(limitParam, 10) : void 0;
+    return c.json({ entries: ledger.list(Number.isFinite(limit) ? limit : void 0) });
+  });
+  app.delete("/_emulate/ledger", (c) => {
+    ledger.clear();
+    return c.json({ ok: true });
+  });
+  app.get("/_emulate/logs", (c) => c.json({ webhooks: webhooks.getDeliveries(), requests: ledger.list(100) }));
+  app.post("/_emulate/reset", async (c) => {
+    if (options.reset) {
+      await options.reset();
+    } else {
+      store.reset();
+      webhooks.clear();
+      ledger.clear();
+    }
+    return c.json({ ok: true });
+  });
+  app.post("/_emulate/seed", async (c) => {
+    if (!options.seed) {
+      return c.json({ error: "unsupported", message: "This emulator does not support runtime seeding." }, 501);
+    }
+    const body = await c.req.json().catch(() => void 0);
+    try {
+      await options.seed(body);
+    } catch (err) {
+      return c.json({ error: "invalid_seed", message: err instanceof Error ? err.message : "Seed failed." }, 400);
+    }
+    return c.json({ ok: true });
+  });
+  app.post("/_emulate/credentials", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      if (options.issueCredential) {
+        const credential2 = await options.issueCredential(body);
+        return c.json({ credential: credential2 });
+      }
+      const credential = issueDefaultCredential(body, manifest, options.tokenMap);
+      if (!credential) {
+        return c.json({ error: "unsupported", message: "This emulator cannot create that credential type." }, 501);
+      }
+      return c.json({ credential });
+    } catch (err) {
+      return c.json(
+        { error: "unsupported", message: err instanceof Error ? err.message : "Credential creation failed." },
+        400
+      );
+    }
+  });
+  app.post("/_emulate/instances", async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const nextInstance = slug(body.instance ?? `${manifest.id}-${randomId().slice(0, 8)}`);
+    const service = slug(body.service ?? manifest.id);
+    const origin = new URL(instance.providerBaseUrl).origin;
+    return c.json(
+      buildInstanceCreation({
+        service,
+        instance: nextInstance,
+        providerBaseUrl: `${origin}/${service}/${nextInstance}`,
+        pathOrigin: origin,
+        hostSuffix
+      })
+    );
+  });
+}
+function renderLandingPage(manifest, instance) {
+  const surfaces = manifest.surfaces.map(
+    (surface) => `<tr><td>${escapeHtml(surface.title)}</td><td><span class="badge">${escapeHtml(surface.status)}</span></td><td><code>${escapeHtml(surface.basePath ?? "")}</code></td></tr>`
+  ).join("");
+  const auth = manifest.auth.map((cap) => `<li><span class="badge">${escapeHtml(cap.status)}</span> ${escapeHtml(cap.title)}</li>`).join("");
+  const connections = resolveConnections(manifest.connections ?? [], connectionVars(manifest, instance));
+  const instanceLabel = instance.instance ? ` \xB7 instance <code>${escapeHtml(instance.instance)}</code>` : "";
+  return renderCardPage(
+    `${manifest.name} Emulator`,
+    escapeHtml(manifest.description),
+    `
+      <div class="s-card">
+        <div class="section-heading">Base URLs${instanceLabel}</div>
+        <p class="info-text">Provider: <code>${escapeHtml(instance.providerBaseUrl)}</code></p>
+        <p class="info-text">Control: <code>${escapeHtml(instance.controlBaseUrl)}</code></p>
+      </div>
+      <div class="s-card">
+        <div class="section-heading">Surfaces</div>
+        <table class="inspector-table">
+          <thead><tr><th>Surface</th><th>Status</th><th>Path</th></tr></thead>
+          <tbody>${surfaces}</tbody>
+        </table>
+      </div>
+      <div class="s-card">
+        <div class="section-heading">Credentials</div>
+        <ul class="perm-list">${auth}</ul>
+      </div>
+      ${renderConnectionsHtml(connections)}
+      <div class="s-card">
+        <div class="section-heading">Control API</div>
+        <p class="info-text">${controlLinks()}</p>
+      </div>
+    `,
+    manifest.id
+  );
+}
+function renderConnectionsHtml(connections) {
+  if (connections.length === 0) return "";
+  const blocks = connections.map(
+    (c) => `<div class="section-heading">${escapeHtml(c.title)}</div><pre class="code-block"><code>${escapeHtml(c.body)}</code></pre>`
+  ).join("");
+  return `<div class="s-card"><div class="section-heading">Connect</div>${blocks}</div>`;
+}
+function controlLinks() {
+  const routes = ["manifest", "quickstart", "specs", "coverage", "connections", "state", "ledger", "logs"];
+  return routes.map((r) => `<a href="/_emulate/${r}">${r}</a>`).join(" | ");
+}
+function renderQuickstart(manifest, instance) {
+  const connections = resolveConnections(manifest.connections ?? [], connectionVars(manifest, instance));
+  const lines = [
+    `# ${manifest.name} Emulator`,
+    "",
+    manifest.description,
+    "",
+    `Provider base URL: ${instance.providerBaseUrl}`,
+    `Control base URL: ${instance.controlBaseUrl}`,
+    "",
+    "Supported surfaces:",
+    ...manifest.surfaces.map((s) => `- ${s.title}: ${s.status}${s.basePath ? ` at ${s.basePath}` : ""}`),
+    "",
+    "Control endpoints:",
+    `- ${instance.controlBaseUrl}/manifest`,
+    `- ${instance.controlBaseUrl}/coverage`,
+    `- ${instance.controlBaseUrl}/connections`,
+    `- ${instance.controlBaseUrl}/state`,
+    `- ${instance.controlBaseUrl}/ledger`,
+    `- POST ${instance.controlBaseUrl}/credentials`,
+    `- POST ${instance.controlBaseUrl}/seed`,
+    `- POST ${instance.controlBaseUrl}/reset`,
+    "",
+    "Connect:",
+    ...connections.flatMap((c) => ["", `## ${c.title}`, c.body])
+  ];
+  return lines.join("\n");
+}
+function issueDefaultCredential(request, manifest, tokenMap) {
+  const type = request.type ?? manifest.auth[0]?.type ?? "bearer-token";
+  if (type !== "bearer-token" && type !== "api-key") return null;
+  if (!tokenMap) return null;
+  const token = typeof request.token === "string" && request.token ? request.token : `emu_${manifest.id}_${randomId()}`;
+  const login = request.login ?? "admin";
+  const scopes = Array.isArray(request.scopes) ? request.scopes.filter((s) => typeof s === "string") : [];
+  tokenMap.set(token, { login, id: Date.now(), scopes });
+  return { type, token, login, scopes };
+}
+function redirectToSpec(c, manifest, instance, kind) {
+  const spec = manifest.specs.find((s) => s.kind === kind && s.url);
+  if (spec?.url) return c.redirect(resolveUrl(instance.providerBaseUrl, spec.url));
+  const advertised = manifest.specs.some((s) => s.kind === kind);
+  if (kind === "openapi" && advertised) return c.redirect(`${instance.providerBaseUrl}/openapi.json`);
+  return c.json({ error: "not_found", message: `No ${kind} spec is advertised for this emulator.` }, 404);
+}
+function endpointForSurface(c, manifest, instance, kind) {
+  const surface = manifest.surfaces.find((s) => s.kind === kind && s.basePath);
+  if (!surface?.basePath) {
+    return c.json({ error: "not_found", message: `No ${kind} surface is advertised for this emulator.` }, 404);
+  }
+  return c.json({ endpoint: resolveUrl(instance.providerBaseUrl, surface.basePath), surface });
+}
+function resolveUrl(baseUrl, pathOrUrl) {
+  if (/^https?:\/\//i.test(pathOrUrl)) return pathOrUrl;
+  return `${baseUrl}${pathOrUrl.startsWith("/") ? "" : "/"}${pathOrUrl}`;
+}
+function randomId() {
+  return crypto.randomUUID().replace(/-/g, "");
+}
+function slug(value) {
+  return value.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+function createServer(plugin, options = {}) {
+  const port = options.port ?? 4e3;
+  const baseUrl = options.baseUrl ?? `http://localhost:${port}`;
+  const app = new Hono();
+  const store = new Store();
+  const webhooks = new WebhookDispatcher();
+  const ledger = new RequestLedger();
+  const tokenMap = /* @__PURE__ */ new Map();
+  if (options.tokens) {
+    for (const [token, user] of Object.entries(options.tokens)) {
+      tokenMap.set(token, {
+        login: user.login,
+        id: user.id,
+        scopes: user.scopes ?? ["repo", "user", "admin:org", "admin:repo_hook"]
+      });
+    }
+  }
+  const docsUrl = options.docsUrl ?? `https://docs.emulators.dev/${plugin.name}`;
+  registerFontRoutes(app);
+  app.onError(createApiErrorHandler(docsUrl));
+  app.use("*", cors());
+  app.use("*", createErrorHandler(docsUrl));
+  app.use("*", authMiddleware(tokenMap, options.appKeyResolver, options.fallbackUser));
+  if (options.enableControlPlane !== false) {
+    const manifest = options.manifest ?? createDefaultManifest(plugin.name);
+    registerControlPlane(app, {
+      manifest,
+      instance: {
+        service: manifest.id,
+        instance: options.instance,
+        baseUrl,
+        providerBaseUrl: baseUrl,
+        controlBaseUrl: `${baseUrl}/_emulate`
+      },
+      store,
+      webhooks,
+      ledger,
+      tokenMap,
+      ledgerPersistent: options.ledgerPersistent,
+      hostSuffix: options.hostSuffix,
+      reset: options.reset,
+      seed: options.seed,
+      issueCredential: options.issueCredential
+    });
+  }
+  app.use("*", createLedgerMiddleware(ledger, { webhooks }));
+  const rateLimitCounters = /* @__PURE__ */ new Map();
+  let lastPruneAt = Math.floor(Date.now() / 1e3);
+  app.use("*", async (c, next) => {
+    const token = c.get("authToken") ?? "__anonymous__";
+    const now = Math.floor(Date.now() / 1e3);
+    if (now - lastPruneAt > 3600) {
+      for (const [key, val] of rateLimitCounters) {
+        if (val.resetAt <= now) rateLimitCounters.delete(key);
+      }
+      lastPruneAt = now;
+    }
+    let counter = rateLimitCounters.get(token);
+    if (!counter || counter.resetAt <= now) {
+      counter = { remaining: 5e3, resetAt: now + 3600 };
+      rateLimitCounters.set(token, counter);
+    }
+    counter.remaining = Math.max(0, counter.remaining - 1);
+    c.header("X-RateLimit-Limit", "5000");
+    c.header("X-RateLimit-Remaining", String(counter.remaining));
+    c.header("X-RateLimit-Reset", String(counter.resetAt));
+    c.header("X-RateLimit-Resource", "core");
+    if (counter.remaining === 0) {
+      return c.json(
+        {
+          message: "API rate limit exceeded",
+          documentation_url: docsUrl
+        },
+        403
+      );
+    }
+    await next();
+  });
+  plugin.register(app, store, webhooks, baseUrl, tokenMap);
+  app.notFound(
+    (c) => c.json(
+      {
+        message: "Not Found",
+        documentation_url: docsUrl
+      },
+      404
+    )
+  );
+  return { app, store, webhooks, ledger, port, baseUrl, tokenMap };
+}
+
+// src/registry.ts
+var SERVICE_NAME_LIST = [
+  "vercel",
+  "github",
+  "google",
+  "slack",
+  "apple",
+  "microsoft",
+  "okta",
+  "aws",
+  "resend",
+  "stripe",
+  "mongoatlas",
+  "clerk",
+  "spotify",
+  "x",
+  "workos",
+  "autumn"
+];
+var SERVICE_NAMES = SERVICE_NAME_LIST;
+function issueServiceCredential(service, loaded, store, baseUrl, tokenMap, request, webhooks) {
+  if (loaded.issueCredential) {
+    return loaded.issueCredential(store, baseUrl, tokenMap, request, webhooks);
+  }
+  const type = request.type ?? loaded.manifest.auth[0]?.type ?? "bearer-token";
+  if (type === "bearer-token" || type === "api-key") {
+    const login = request.login ?? "admin";
+    const scopes = Array.isArray(request.scopes) ? request.scopes.filter((s) => typeof s === "string") : [];
+    const id = loaded.ensureUser?.(store, baseUrl, login) ?? Date.now();
+    const token = typeof request.token === "string" && request.token.length > 0 ? request.token : defaultToken(service, type);
+    tokenMap.set(token, { login, id, scopes });
+    return { type, token, login, scopes };
+  }
+  if (type === "oauth-authorization-code" || type === "oauth-client-credentials" || type === "dynamic-client-registration") {
+    if (!loaded.seedFromConfig) throw new Error(`Credential type ${type} is not supported by ${service}`);
+    const clientId = request.client_id ?? defaultClientId(service);
+    const clientSecret = request.client_secret ?? defaultClientSecret(service);
+    const redirectUris = normalizeRedirectUris(request.redirect_uris);
+    const name = request.name ?? `${SERVICE_REGISTRY[service].label.replace(/ emulator$/i, "")} Client`;
+    const seed = credentialSeed(service, { clientId, clientSecret, redirectUris, name, request });
+    if (!seed) throw new Error(`Credential type ${type} is not supported by ${service}`);
+    loaded.seedFromConfig(store, baseUrl, seed, webhooks);
+    return {
+      type,
+      client_id: clientId,
+      client_secret: clientSecret,
+      redirect_uris: redirectUris,
+      authorization_url: authorizationUrlFor(service, baseUrl),
+      token_url: tokenUrlFor(service, baseUrl)
+    };
+  }
+  throw new Error(`Credential type ${type} is not supported by ${service}`);
+}
+function defaultToken(service, type) {
+  const prefix = type === "api-key" ? apiKeyPrefix(service) : `emu_${service}`;
+  return `${prefix}_${randomId2()}`;
+}
+function apiKeyPrefix(service) {
+  if (service === "stripe") return "sk_test";
+  if (service === "resend") return "re";
+  if (service === "clerk") return "sk_test";
+  return `emu_${service}`;
+}
+function defaultClientId(service) {
+  if (service === "spotify") return `app_${randomId2().slice(0, 18)}`;
+  if (service === "github") return `Iv1.${randomId2().slice(0, 16)}`;
+  if (service === "google") return `${randomId2().slice(0, 24)}.apps.googleusercontent.com`;
+  return `${service}_${randomId2().slice(0, 18)}`;
+}
+function defaultClientSecret(service) {
+  if (service === "google") return `GOCSPX-${randomId2().slice(0, 24)}`;
+  return `secret_${randomId2()}`;
+}
+function normalizeRedirectUris(value) {
+  if (Array.isArray(value)) {
+    const uris = value.filter((uri) => typeof uri === "string" && uri.length > 0);
+    if (uris.length > 0) return uris;
+  }
+  return ["http://localhost:3000/callback"];
+}
+function credentialSeed(service, args) {
+  const { clientId, clientSecret, redirectUris, name, request } = args;
+  if (service === "github") {
+    return { oauth_apps: [{ client_id: clientId, client_secret: clientSecret, name, redirect_uris: redirectUris }] };
+  }
+  if (service === "google" || service === "apple" || service === "microsoft") {
+    return { oauth_clients: [{ client_id: clientId, client_secret: clientSecret, name, redirect_uris: redirectUris }] };
+  }
+  if (service === "okta") {
+    return {
+      oauth_clients: [
+        {
+          client_id: clientId,
+          client_secret: clientSecret,
+          name,
+          redirect_uris: redirectUris,
+          auth_server_id: typeof request.auth_server_id === "string" ? request.auth_server_id : "default"
+        }
+      ]
+    };
+  }
+  if (service === "slack") {
+    return {
+      oauth_apps: [
+        {
+          client_id: clientId,
+          client_secret: clientSecret,
+          name,
+          redirect_uris: redirectUris,
+          scopes: Array.isArray(request.scopes) ? request.scopes : ["chat:write", "channels:read", "users:read"],
+          user_scopes: Array.isArray(request.user_scopes) ? request.user_scopes : []
+        }
+      ]
+    };
+  }
+  if (service === "vercel") {
+    return { integrations: [{ client_id: clientId, client_secret: clientSecret, name, redirect_uris: redirectUris }] };
+  }
+  if (service === "spotify") {
+    return { clients: [{ client_id: clientId, client_secret: clientSecret, name }] };
+  }
+  if (service === "clerk") {
+    return {
+      oauth_applications: [{ client_id: clientId, client_secret: clientSecret, name, redirect_uris: redirectUris }]
+    };
+  }
+  if (service === "x") {
+    return {
+      oauth_clients: [
+        {
+          client_id: clientId,
+          client_secret: clientSecret,
+          client_type: "confidential",
+          name,
+          redirect_uris: redirectUris
+        }
+      ]
+    };
+  }
+  return null;
+}
+function tokenUrlFor(service, baseUrl) {
+  const paths = {
+    github: "/login/oauth/access_token",
+    google: "/token",
+    apple: "/auth/token",
+    microsoft: "/oauth2/v2.0/token",
+    okta: "/oauth2/default/v1/token",
+    slack: "/api/oauth.v2.access",
+    vercel: "/v2/oauth/access_token",
+    spotify: "/api/token",
+    clerk: "/oauth/token",
+    x: "/2/oauth2/token"
+  };
+  const path = paths[service];
+  return path ? `${baseUrl}${path}` : void 0;
+}
+function authorizationUrlFor(service, baseUrl) {
+  const paths = {
+    github: "/login/oauth/authorize",
+    google: "/o/oauth2/v2/auth",
+    apple: "/auth/authorize",
+    microsoft: "/oauth2/v2.0/authorize",
+    okta: "/oauth2/default/v1/authorize",
+    slack: "/oauth/v2/authorize",
+    vercel: "/integrations/oauth/authorize",
+    clerk: "/oauth/authorize",
+    x: "/2/oauth2/authorize"
+  };
+  const path = paths[service];
+  return path ? `${baseUrl}${path}` : void 0;
+}
+function randomId2() {
+  return crypto.randomUUID().replace(/-/g, "");
+}
+var SERVICE_REGISTRY = {
+  vercel: {
+    label: "Vercel REST API emulator",
+    endpoints: "projects, deployments, domains, env vars, users, teams, file uploads, protection bypass",
+    async load() {
+      const mod = await import("./dist-P3SBBRFR.js");
+      return {
+        plugin: mod.vercelPlugin,
+        manifest: mod.manifest,
+        seedFromConfig: mod.seedFromConfig,
+        ensureUser(store, baseUrl, login) {
+          mod.seedFromConfig(store, baseUrl, { users: [{ username: login }] });
+          return mod.getVercelStore(store).users.findOneBy("username", login)?.id ?? 1;
+        }
+      };
+    },
+    defaultFallback(cfg) {
+      const firstLogin = cfg?.users?.[0]?.username ?? "admin";
+      return { login: firstLogin, id: 1, scopes: [] };
+    },
+    initConfig: {
+      vercel: {
+        users: [{ username: "developer", name: "Developer", email: "dev@example.com" }],
+        teams: [{ slug: "my-team", name: "My Team" }],
+        projects: [{ name: "my-app", team: "my-team", framework: "nextjs" }],
+        integrations: [
+          {
+            client_id: "oac_example_client_id",
+            client_secret: "example_client_secret",
+            name: "My Vercel App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/vercel"]
+          }
+        ]
+      }
+    }
+  },
+  github: {
+    label: "GitHub REST API emulator",
+    endpoints: "users, repos, issues, PRs, comments, reviews, labels, milestones, branches, git data, orgs, teams, releases, webhooks, search, actions, checks, rate limit",
+    async load() {
+      const mod = await import("./dist-7FDUSG5I.js");
+      return {
+        plugin: mod.githubPlugin,
+        manifest: mod.manifest,
+        seedFromConfig: mod.seedFromConfig,
+        createAppKeyResolver(store) {
+          return (appId) => {
+            try {
+              const gh = mod.getGitHubStore(store);
+              const ghApp = gh.apps.all().find((a) => a.app_id === appId);
+              if (!ghApp) return null;
+              return { privateKey: ghApp.private_key, slug: ghApp.slug, name: ghApp.name };
+            } catch {
+              return null;
+            }
+          };
+        },
+        ensureUser(store, baseUrl, login) {
+          mod.seedFromConfig(store, baseUrl, { users: [{ login }] });
+          return mod.getGitHubStore(store).users.findOneBy("login", login)?.id ?? 1;
+        }
+      };
+    },
+    defaultFallback(cfg) {
+      const firstLogin = cfg?.users?.[0]?.login ?? "admin";
+      return { login: firstLogin, id: 1, scopes: ["repo", "user", "admin:org", "admin:repo_hook"] };
+    },
+    initConfig: {
+      github: {
+        users: [
+          {
+            login: "octocat",
+            name: "The Octocat",
+            email: "octocat@github.com",
+            bio: "I am the Octocat",
+            company: "GitHub",
+            location: "San Francisco"
+          }
+        ],
+        orgs: [{ login: "my-org", name: "My Organization", description: "A test organization" }],
+        repos: [
+          {
+            owner: "octocat",
+            name: "hello-world",
+            description: "My first repository",
+            language: "JavaScript",
+            topics: ["hello", "world"],
+            auto_init: true
+          },
+          {
+            owner: "my-org",
+            name: "org-repo",
+            description: "An organization repository",
+            language: "TypeScript",
+            auto_init: true
+          }
+        ],
+        oauth_apps: [
+          {
+            client_id: "Iv1.example_client_id",
+            client_secret: "example_client_secret",
+            name: "My App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/github"]
+          }
+        ]
+      }
+    }
+  },
+  google: {
+    label: "Google OAuth 2.0 / OpenID Connect + Gmail, Calendar, and Drive emulator",
+    endpoints: "OAuth authorize, token exchange, userinfo, OIDC discovery, token revocation, Gmail messages/drafts/threads/labels/history/settings, Calendar lists/events/freebusy, Drive files/uploads",
+    async load() {
+      const mod = await import("./dist-XVVIYXQG.js");
+      return { plugin: mod.googlePlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback(cfg) {
+      const firstEmail = cfg?.users?.[0]?.email ?? "testuser@gmail.com";
+      return { login: firstEmail, id: 1, scopes: ["openid", "email", "profile"] };
+    },
+    initConfig: {
+      google: {
+        users: [
+          {
+            email: "testuser@example.com",
+            name: "Test User",
+            picture: "https://lh3.googleusercontent.com/a/default-user",
+            email_verified: true
+          }
+        ],
+        oauth_clients: [
+          {
+            client_id: "example-client-id.apps.googleusercontent.com",
+            client_secret: "GOCSPX-example_secret",
+            name: "Code App (Google)",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/google"]
+          }
+        ],
+        labels: [
+          {
+            id: "Label_ops",
+            user_email: "testuser@example.com",
+            name: "Ops/Review",
+            color_background: "#DDEEFF",
+            color_text: "#111111"
+          }
+        ],
+        messages: [
+          {
+            id: "msg_welcome",
+            user_email: "testuser@example.com",
+            from: "welcome@example.com",
+            to: "testuser@example.com",
+            subject: "Welcome to the Gmail emulator",
+            body_text: "You can now test Gmail, Calendar, and Drive flows locally.",
+            label_ids: ["INBOX", "UNREAD", "CATEGORY_UPDATES"],
+            date: "2025-01-04T10:00:00.000Z"
+          }
+        ],
+        calendars: [
+          {
+            id: "primary",
+            user_email: "testuser@example.com",
+            summary: "testuser@example.com",
+            primary: true,
+            selected: true,
+            time_zone: "UTC"
+          }
+        ],
+        calendar_events: [
+          {
+            id: "evt_kickoff",
+            user_email: "testuser@example.com",
+            calendar_id: "primary",
+            summary: "Project Kickoff",
+            start_date_time: "2025-01-10T09:00:00.000Z",
+            end_date_time: "2025-01-10T09:30:00.000Z"
+          }
+        ],
+        drive_items: [
+          {
+            id: "drv_docs",
+            user_email: "testuser@example.com",
+            name: "Docs",
+            mime_type: "application/vnd.google-apps.folder",
+            parent_ids: ["root"]
+          }
+        ]
+      }
+    }
+  },
+  slack: {
+    label: "Slack API emulator",
+    endpoints: "auth, chat, conversations, users, profiles, presence, files, pins, bookmarks, views, reactions, team, OAuth, incoming webhooks, inspector",
+    async load() {
+      const mod = await import("./dist-YPRJYQHW.js");
+      return { plugin: mod.slackPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback() {
+      return {
+        login: "U000000001",
+        id: 1,
+        scopes: []
+      };
+    },
+    initConfig: {
+      slack: {
+        team: { name: "My Workspace", domain: "my-workspace" },
+        users: [
+          {
+            name: "developer",
+            real_name: "Developer",
+            email: "dev@example.com",
+            profile: {
+              title: "Local Developer",
+              status_text: "Testing locally",
+              status_emoji: ":computer:"
+            },
+            presence: "active"
+          }
+        ],
+        channels: [
+          { name: "general", topic: "General discussion" },
+          { name: "random", topic: "Random stuff" }
+        ],
+        bots: [{ name: "my-bot" }],
+        oauth_apps: [
+          {
+            client_id: "12345.67890",
+            client_secret: "example_client_secret",
+            app_id: "A000000001",
+            name: "My Slack App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/slack"],
+            scopes: [
+              "chat:write",
+              "channels:read",
+              "channels:history",
+              "channels:join",
+              "channels:manage",
+              "channels:write",
+              "groups:read",
+              "groups:history",
+              "groups:write",
+              "im:read",
+              "im:history",
+              "im:write",
+              "mpim:read",
+              "mpim:history",
+              "mpim:write",
+              "users:read",
+              "users:read.email",
+              "users.profile:read",
+              "users.profile:write",
+              "users:write",
+              "files:read",
+              "files:write",
+              "pins:read",
+              "pins:write",
+              "bookmarks:read",
+              "bookmarks:write",
+              "reactions:read",
+              "reactions:write",
+              "team:read"
+            ],
+            user_scopes: ["users:read", "users.profile:read"],
+            bot_name: "my-bot"
+          }
+        ],
+        strict_scopes: false
+      }
+    }
+  },
+  apple: {
+    label: "Apple Sign In / OAuth emulator",
+    endpoints: "OAuth authorize, token exchange, JWKS",
+    async load() {
+      const mod = await import("./dist-ZEC77OKZ.js");
+      return { plugin: mod.applePlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback(cfg) {
+      const firstEmail = cfg?.users?.[0]?.email ?? "testuser@icloud.com";
+      return { login: firstEmail, id: 1, scopes: ["openid", "email", "name"] };
+    },
+    initConfig: {
+      apple: {
+        users: [{ email: "testuser@icloud.com", name: "Test User" }],
+        oauth_clients: [
+          {
+            client_id: "com.example.app",
+            team_id: "TEAM001",
+            name: "My Apple App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/apple"]
+          }
+        ]
+      }
+    }
+  },
+  microsoft: {
+    label: "Microsoft Entra ID OAuth 2.0 / OpenID Connect emulator",
+    endpoints: "OAuth authorize, token exchange, userinfo, OIDC discovery, Graph /me, logout, token revocation",
+    async load() {
+      const mod = await import("./dist-M3GVASMR.js");
+      return { plugin: mod.microsoftPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback(cfg) {
+      const firstEmail = cfg?.users?.[0]?.email ?? "testuser@outlook.com";
+      return { login: firstEmail, id: 1, scopes: ["openid", "email", "profile", "User.Read"] };
+    },
+    initConfig: {
+      microsoft: {
+        users: [{ email: "testuser@outlook.com", name: "Test User" }],
+        oauth_clients: [
+          {
+            client_id: "example-client-id",
+            client_secret: "example-client-secret",
+            name: "My Microsoft App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/microsoft-entra-id"]
+          }
+        ]
+      }
+    }
+  },
+  okta: {
+    label: "Okta OAuth 2.0 / OpenID Connect + management API emulator",
+    endpoints: "OIDC discovery, JWKS, OAuth authorize/token/userinfo/introspect/revoke/logout, users, groups, apps, authorization servers",
+    async load() {
+      const mod = await import("./dist-BTEY33DJ.js");
+      return { plugin: mod.oktaPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback(cfg) {
+      const firstLogin = cfg?.users?.[0]?.login ?? cfg?.users?.[0]?.email ?? "testuser@okta.local";
+      return { login: firstLogin, id: 1, scopes: ["openid", "profile", "email", "groups"] };
+    },
+    initConfig: {
+      okta: {
+        users: [{ login: "testuser@okta.local", email: "testuser@okta.local", first_name: "Test", last_name: "User" }],
+        groups: [{ name: "Everyone", description: "All users", type: "BUILT_IN", okta_id: "00g_everyone" }],
+        authorization_servers: [{ id: "default", name: "default", audiences: ["api://default"] }],
+        oauth_clients: [
+          {
+            client_id: "okta-test-client",
+            client_secret: "okta-test-secret",
+            name: "Sample OIDC Client",
+            redirect_uris: ["http://localhost:3000/callback"],
+            auth_server_id: "default"
+          }
+        ]
+      }
+    }
+  },
+  aws: {
+    label: "AWS cloud service emulator",
+    endpoints: "S3 (buckets, objects), SQS (queues, messages), IAM (users, roles, access keys), STS (assume role, caller identity)",
+    async load() {
+      const mod = await import("./dist-7N4COJHK.js");
+      return {
+        plugin: mod.awsPlugin,
+        manifest: mod.manifest,
+        seedFromConfig: mod.seedFromConfig,
+        issueCredential(store, baseUrl, _tokenMap, request) {
+          const userName = request.login ?? "developer";
+          mod.seedFromConfig(store, baseUrl, { iam: { users: [{ user_name: userName, create_access_key: true }] } });
+          const user = mod.getAwsStore(store).iamUsers.findOneBy("user_name", userName);
+          const key = user?.access_keys.find((candidate) => candidate.status === "Active");
+          if (!user || !key) throw new Error("Failed to create AWS access key");
+          return {
+            type: "provider-specific",
+            provider: "aws",
+            user_name: user.user_name,
+            access_key_id: key.access_key_id,
+            secret_access_key: key.secret_access_key,
+            region: "us-east-1"
+          };
+        }
+      };
+    },
+    defaultFallback() {
+      return { login: "admin", id: 1, scopes: ["s3:*", "sqs:*", "iam:*", "sts:*"] };
+    },
+    initConfig: {
+      aws: {
+        region: "us-east-1",
+        s3: { buckets: [{ name: "my-app-bucket" }, { name: "my-app-uploads" }] },
+        sqs: { queues: [{ name: "my-app-events" }, { name: "my-app-dlq" }] },
+        iam: {
+          users: [{ user_name: "developer", create_access_key: true }],
+          roles: [{ role_name: "lambda-execution-role", description: "Role for Lambda function execution" }]
+        }
+      }
+    }
+  },
+  resend: {
+    label: "Resend email API emulator",
+    endpoints: "emails, domains, contacts, API keys, inbox UI",
+    async load() {
+      const mod = await import("./dist-XM5HSBDC.js");
+      return { plugin: mod.resendPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback() {
+      return { login: "re_test_admin", id: 1, scopes: [] };
+    },
+    initConfig: {
+      resend: {
+        domains: [{ name: "example.com", region: "us-east-1" }],
+        contacts: [{ email: "test@example.com", first_name: "Test", last_name: "User" }]
+      }
+    }
+  },
+  stripe: {
+    label: "Stripe payments emulator",
+    endpoints: "customers, payment methods, customer sessions, payment intents, charges, products, prices, checkout sessions, webhooks",
+    async load() {
+      const mod = await import("./dist-K4CVTD6K.js");
+      return { plugin: mod.stripePlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback() {
+      return { login: "sk_test_admin", id: 1, scopes: [] };
+    },
+    initConfig: {
+      stripe: {
+        customers: [{ email: "test@example.com", name: "Test Customer" }],
+        products: [{ name: "Pro Plan", description: "Monthly pro subscription" }],
+        prices: [{ product_name: "Pro Plan", currency: "usd", unit_amount: 2e3 }]
+      }
+    }
+  },
+  mongoatlas: {
+    label: "MongoDB Atlas service emulator",
+    endpoints: "Atlas Admin API v2 (projects, clusters, database users, databases, collections), Atlas Data API v1 (findOne, find, insertOne, insertMany, updateOne, updateMany, deleteOne, deleteMany, aggregate)",
+    async load() {
+      const mod = await import("./dist-RMPDKZUA.js");
+      return { plugin: mod.mongoatlasPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback() {
+      return { login: "admin", id: 1, scopes: [] };
+    },
+    initConfig: {
+      mongoatlas: {
+        projects: [{ name: "Project0" }],
+        clusters: [{ name: "Cluster0", project: "Project0" }],
+        database_users: [{ username: "admin", project: "Project0" }],
+        databases: [{ cluster: "Cluster0", name: "test", collections: ["items"] }]
+      }
+    }
+  },
+  clerk: {
+    label: "Clerk authentication and user management emulator",
+    endpoints: "OIDC discovery, JWKS, OAuth authorize/token/userinfo, users, email addresses, organizations, memberships, invitations, sessions",
+    async load() {
+      const mod = await import("./dist-WBKONLOE.js");
+      return { plugin: mod.clerkPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback(cfg) {
+      const firstEmail = cfg?.users?.[0]?.email_addresses?.[0] ?? "test@example.com";
+      return { login: firstEmail, id: 1, scopes: [] };
+    },
+    initConfig: {
+      clerk: {
+        users: [
+          {
+            first_name: "Test",
+            last_name: "User",
+            email_addresses: ["test@example.com"],
+            password: "clerk_test_password"
+          }
+        ],
+        organizations: [
+          {
+            name: "My Company",
+            slug: "my-company",
+            members: [{ email: "test@example.com", role: "admin" }]
+          }
+        ],
+        oauth_applications: [
+          {
+            client_id: "clerk_emulate_client",
+            client_secret: "clerk_emulate_secret",
+            name: "Emulate App",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/clerk"]
+          }
+        ]
+      }
+    }
+  },
+  spotify: {
+    label: "Spotify Web API emulator",
+    endpoints: "client credentials token endpoint, catalog search, artists, albums, and tracks",
+    async load() {
+      const mod = await import("./dist-DK26ESP2.js");
+      return { plugin: mod.spotifyPlugin, manifest: mod.manifest, seedFromConfig: mod.seedFromConfig };
+    },
+    defaultFallback() {
+      return { login: "spotify-app", id: 1, scopes: [] };
+    },
+    initConfig: {
+      spotify: {
+        clients: [{ client_id: "demo-client-id", client_secret: "demo-client-secret", name: "Demo App" }]
+      }
+    }
+  },
+  x: {
+    label: "X (Twitter) API v2 emulator",
+    endpoints: "OAuth 2.0 authorize/token/revoke (Authorization Code with PKCE + app-only client credentials), users, tweets",
+    async load() {
+      const mod = await import("./dist-OYYGWKZQ.js");
+      return {
+        plugin: mod.xPlugin,
+        manifest: mod.manifest,
+        seedFromConfig: mod.seedFromConfig,
+        ensureUser(store, baseUrl, login) {
+          mod.seedFromConfig(store, baseUrl, { users: [{ username: login }] });
+          return mod.getXStore(store).users.findOneBy("username", login.toLowerCase().replace(/^@/, ""))?.id ?? 1;
+        }
+      };
+    },
+    defaultFallback(cfg) {
+      const firstUsername = cfg?.users?.[0]?.username ?? "developer";
+      return { login: firstUsername, id: 1, scopes: ["tweet.read", "users.read"] };
+    },
+    initConfig: {
+      x: {
+        users: [
+          {
+            username: "developer",
+            name: "Developer",
+            description: "Building with the X API v2 emulator.",
+            verified: true,
+            followers_count: 1200,
+            following_count: 320
+          }
+        ],
+        oauth_clients: [
+          {
+            client_id: "x-confidential-client",
+            client_secret: "x-confidential-secret",
+            client_type: "confidential",
+            name: "My X App (confidential)",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/twitter"]
+          },
+          {
+            client_id: "x-public-client",
+            client_type: "public",
+            name: "My X App (public)",
+            redirect_uris: ["http://localhost:3000/api/auth/callback/twitter"]
+          }
+        ],
+        tweets: [{ text: "Hello from the X API v2 emulator.", author: "developer", like_count: 42, retweet_count: 7 }]
+      }
+    }
+  },
+  workos: {
+    label: "WorkOS emulator",
+    endpoints: "AuthKit user management (hosted login, code/refresh grants, sealed-session JWKS), organizations, memberships, invitations, API keys, Vault KV, OAuth authorization server",
+    async load() {
+      const mod = await import("./dist-IYZPDKJW.js");
+      return {
+        plugin: mod.workosPlugin,
+        manifest: mod.manifest,
+        seedFromConfig: mod.seedFromConfig,
+        ensureUser(store, baseUrl, login) {
+          mod.seedFromConfig(store, baseUrl, { users: [{ email: login }] });
+          return mod.getWorkosStore(store).users.findOneBy("email", login)?.id ?? 1;
+        }
+      };
+    },
+    defaultFallback() {
+      return { login: "sk_emulate_admin", id: 1, scopes: [] };
+    },
+    initConfig: {
+      workos: {
+        users: [{ email: "admin@example.com", first_name: "Admin", last_name: "User" }],
+        organizations: [{ name: "Acme", members: ["admin@example.com"] }]
+      }
+    }
+  },
+  autumn: {
+    label: "Autumn billing emulator",
+    endpoints: "customers (get_or_create with seedable subscriptions), usage tracking, plans/features/events lists",
+    async load() {
+      const mod = await import("./dist-JJ2ZRCAX.js");
+      return {
+        plugin: mod.autumnPlugin,
+        manifest: mod.manifest,
+        seedFromConfig: mod.seedFromConfig
+      };
+    },
+    defaultFallback() {
+      return { login: "am_emulate_admin", id: 1, scopes: [] };
+    },
+    initConfig: {
+      autumn: {
+        customers: [{ id: "org_paid_example", subscriptions: [{ plan_id: "pro", status: "active" }] }]
+      }
+    }
+  }
+};
+var DEFAULT_TOKENS = {
+  tokens: {
+    test_token_admin: {
+      login: "admin",
+      scopes: ["repo", "user", "admin:org", "admin:repo_hook"]
+    },
+    test_token_user1: {
+      login: "octocat",
+      scopes: ["repo", "user"]
+    }
+  }
+};
+
+// src/commands/start.ts
+import { readFileSync as readFileSync2, existsSync } from "fs";
+import { resolve } from "path";
+import { parse as parseYaml } from "yaml";
+import pc from "picocolors";
+
+// src/portless.ts
+import { execSync, spawnSync } from "child_process";
+import { createInterface } from "readline";
+function isInteractive() {
+  return Boolean(process.stdin.isTTY) && !process.env.CI;
+}
+function hasPortless() {
+  const result = spawnSync("portless", ["--version"], { stdio: "ignore" });
+  return result.status === 0;
+}
+function promptYesNo(question) {
+  return new Promise((resolve3) => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (answer) => {
+      rl.close();
+      const normalized = answer.trim().toLowerCase();
+      resolve3(normalized === "" || normalized === "y" || normalized === "yes");
+    });
+  });
+}
+function isProxyRunning() {
+  const result = spawnSync("portless", ["list"], { stdio: "ignore" });
+  return result.status === 0;
+}
+async function ensurePortless() {
+  if (!hasPortless()) {
+    if (!isInteractive()) {
+      console.error("portless is required but not installed. Run: npm i -g portless");
+      process.exit(1);
+    }
+    const yes = await promptYesNo("portless is not installed. Install it now? (npm i -g portless) [Y/n] ");
+    if (!yes) {
+      console.error("Cannot continue without portless.");
+      process.exit(1);
+    }
+    try {
+      execSync("npm i -g portless", { stdio: "inherit" });
+    } catch {
+      console.error("Failed to install portless.");
+      process.exit(1);
+    }
+    if (!hasPortless()) {
+      console.error("portless was installed but could not be found on PATH.");
+      process.exit(1);
+    }
+  }
+  if (!isProxyRunning()) {
+    console.error("portless proxy is not running. Start it with: portless proxy start");
+    process.exit(1);
+  }
+}
+function registerAliases(aliases) {
+  const registered = [];
+  for (const { name, port } of aliases) {
+    const result = spawnSync("portless", ["alias", name, String(port), "--force"], {
+      stdio: "inherit"
+    });
+    if (result.status !== 0) {
+      if (registered.length > 0) {
+        removeAliases(registered);
+      }
+      throw new Error(`Failed to register portless alias: ${name} -> ${port}`);
+    }
+    registered.push({ name, port });
+  }
+}
+function removeAliases(aliases) {
+  for (const { name } of aliases) {
+    const result = spawnSync("portless", ["alias", "--remove", name], { stdio: "ignore" });
+    if (result.status !== 0) {
+      console.error(`Warning: failed to remove portless alias: ${name}`);
+    }
+  }
+}
+function portlessBaseUrl(serviceName) {
+  return `https://${serviceName}.emulate.localhost`;
+}
+
+// src/base-url.ts
+function resolveBaseUrl(opts) {
+  if (opts.seedBaseUrl) {
+    return opts.seedBaseUrl.replace(/\{service\}/g, opts.service);
+  }
+  if (opts.baseUrl) {
+    return opts.baseUrl.replace(/\{service\}/g, opts.service);
+  }
+  const envBaseUrl = process.env.EMULATE_BASE_URL;
+  if (envBaseUrl) {
+    return envBaseUrl.replace(/\{service\}/g, opts.service);
+  }
+  const portlessUrl = process.env.PORTLESS_URL;
+  if (portlessUrl) {
+    return portlessUrl.replace(/\{service\}/g, opts.service);
+  }
+  return `http://localhost:${opts.port}`;
+}
+
+// src/commands/start.ts
+var pkg = { version: "0.6.0" };
+function loadSeedConfig(seedPath) {
+  if (seedPath) {
+    const fullPath = resolve(seedPath);
+    if (!existsSync(fullPath)) {
+      console.error(`Seed file not found: ${fullPath}`);
+      process.exit(1);
+    }
+    const content = readFileSync2(fullPath, "utf-8");
+    try {
+      const config = fullPath.endsWith(".json") ? JSON.parse(content) : parseYaml(content);
+      return { config, source: seedPath };
+    } catch (err) {
+      console.error(`Failed to parse ${seedPath}: ${err instanceof Error ? err.message : err}`);
+      process.exit(1);
+    }
+  }
+  const autoFiles = [
+    "emulate.config.yaml",
+    "emulate.config.yml",
+    "emulate.config.json",
+    "service-emulator.config.yaml",
+    "service-emulator.config.yml",
+    "service-emulator.config.json"
+  ];
+  for (const file of autoFiles) {
+    const fullPath = resolve(file);
+    if (existsSync(fullPath)) {
+      const content = readFileSync2(fullPath, "utf-8");
+      try {
+        const config = fullPath.endsWith(".json") ? JSON.parse(content) : parseYaml(content);
+        return { config, source: file };
+      } catch (err) {
+        console.error(`Failed to parse ${file}: ${err instanceof Error ? err.message : err}`);
+        process.exit(1);
+      }
+    }
+  }
+  return null;
+}
+function inferServicesFromConfig(config) {
+  const found = SERVICE_NAMES.filter((k) => k in config);
+  return found.length > 0 ? [...found] : null;
+}
+async function startCommand(options) {
+  const { port: basePort } = options;
+  if (options.portless && options.baseUrl) {
+    console.error("--portless and --base-url are mutually exclusive.");
+    process.exit(1);
+  }
+  const loaded = loadSeedConfig(options.seed);
+  const seedConfig = loaded?.config ?? null;
+  const configSource = loaded?.source ?? null;
+  let services;
+  if (options.service) {
+    services = options.service.split(",").map((s) => s.trim());
+  } else if (seedConfig) {
+    services = inferServicesFromConfig(seedConfig) ?? [...SERVICE_NAMES];
+  } else {
+    services = [...SERVICE_NAMES];
+  }
+  for (const svc of services) {
+    if (!SERVICE_REGISTRY[svc]) {
+      console.error(`Unknown service: ${svc}`);
+      process.exit(1);
+    }
+  }
+  const tokens = {};
+  if (seedConfig?.tokens) {
+    let tokenId = 100;
+    for (const [token, user] of Object.entries(seedConfig.tokens)) {
+      tokens[token] = { login: user.login, id: tokenId++, scopes: user.scopes };
+    }
+  } else {
+    tokens["test_token_admin"] = { login: "admin", id: 2, scopes: ["repo", "user", "admin:org", "admin:repo_hook"] };
+  }
+  if (options.portless) {
+    await ensurePortless();
+  }
+  const portlessAliases = [];
+  const prepared = [];
+  for (let i = 0; i < services.length; i++) {
+    const svc = services[i];
+    const entry = SERVICE_REGISTRY[svc];
+    const loadedSvc = await entry.load();
+    const svcSeedConfig = seedConfig?.[svc];
+    const port = svcSeedConfig?.port ?? basePort + i;
+    if (options.portless) {
+      portlessAliases.push({ name: `${svc}.emulate`, port });
+    }
+    const seedBaseUrl = typeof svcSeedConfig?.baseUrl === "string" && svcSeedConfig.baseUrl.length > 0 ? svcSeedConfig.baseUrl : void 0;
+    const effectiveBaseUrl = options.portless ? portlessBaseUrl(svc) : options.baseUrl;
+    const baseUrl = resolveBaseUrl({ service: svc, port, baseUrl: effectiveBaseUrl, seedBaseUrl });
+    prepared.push({ svc, entry, loadedSvc, svcSeedConfig, port, baseUrl });
+  }
+  if (portlessAliases.length > 0) {
+    registerAliases(portlessAliases);
+  }
+  const serviceUrls = [];
+  const stores = [];
+  const httpServers = [];
+  for (const { svc, entry, loadedSvc, svcSeedConfig, port, baseUrl } of prepared) {
+    serviceUrls.push({ name: svc, url: baseUrl });
+    let cachedResolver;
+    const appKeyResolver = loadedSvc.createAppKeyResolver ? (appId) => cachedResolver(appId) : void 0;
+    const fallbackUser = entry.defaultFallback(svcSeedConfig);
+    let resetService = () => {
+    };
+    let applyRuntimeSeed = (_seed) => {
+    };
+    const { app, store, webhooks, ledger, tokenMap } = createServer(loadedSvc.plugin, {
+      port,
+      baseUrl,
+      tokens,
+      appKeyResolver,
+      fallbackUser,
+      manifest: loadedSvc.manifest,
+      instance: svc,
+      reset: () => resetService(),
+      seed: (seed) => applyRuntimeSeed(seed),
+      issueCredential: (request) => issueServiceCredential(svc, loadedSvc, store, baseUrl, tokenMap, request, webhooks)
+    });
+    cachedResolver = loadedSvc.createAppKeyResolver?.(store);
+    stores.push(store);
+    resetService = () => {
+      store.reset();
+      webhooks.clear();
+      ledger.clear();
+      loadedSvc.plugin.seed?.(store, baseUrl);
+      if (svcSeedConfig && loadedSvc.seedFromConfig) {
+        loadedSvc.seedFromConfig(store, baseUrl, svcSeedConfig, webhooks);
+      }
+    };
+    applyRuntimeSeed = (seed) => {
+      if (seed && loadedSvc.seedFromConfig) {
+        loadedSvc.seedFromConfig(store, baseUrl, seed, webhooks);
+      }
+    };
+    resetService();
+    const httpServer = serve({ fetch: app.fetch, port });
+    httpServers.push(httpServer);
+  }
+  printBanner(serviceUrls, tokens, configSource);
+  const shutdown = () => {
+    console.log(`
+${pc.dim("Shutting down...")}`);
+    if (portlessAliases.length > 0) {
+      removeAliases(portlessAliases);
+    }
+    for (const store of stores) {
+      store.reset();
+    }
+    for (const srv of httpServers) {
+      srv.close();
+    }
+    process.exit(0);
+  };
+  process.once("SIGINT", shutdown);
+  process.once("SIGTERM", shutdown);
+}
+function printBanner(services, tokens, configSource) {
+  const lines = [];
+  lines.push("");
+  lines.push(`  ${pc.bold("emulate")} ${pc.dim(`v${pkg.version}`)}`);
+  lines.push("");
+  const maxNameLen = Math.max(...services.map((s) => s.name.length));
+  for (const { name, url } of services) {
+    lines.push(`  ${pc.cyan(name.padEnd(maxNameLen + 2))}${pc.bold(url)}`);
+  }
+  lines.push("");
+  const tokenEntries = Object.entries(tokens);
+  if (tokenEntries.length > 0) {
+    lines.push(`  ${pc.dim("Tokens")}`);
+    for (const [token, user] of tokenEntries) {
+      lines.push(`  ${pc.dim(token)} ${pc.dim("->")} ${user.login}`);
+    }
+    lines.push("");
+  }
+  if (configSource) {
+    lines.push(`  ${pc.dim("Config:")} ${configSource}`);
+  } else {
+    lines.push(`  ${pc.dim("Config:")} defaults ${pc.dim("(run")} npx emulate init ${pc.dim("to customize)")}`);
+  }
+  lines.push("");
+  console.log(lines.join("\n"));
+}
+
+// src/commands/init.ts
+import { writeFileSync, existsSync as existsSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+import { stringify as yamlStringify } from "yaml";
+function initCommand(options) {
+  const filename = "emulate.config.yaml";
+  const fullPath = resolve2(filename);
+  if (existsSync2(fullPath)) {
+    console.error(`Config file already exists: ${filename}`);
+    process.exit(1);
+  }
+  let config;
+  if (options.service === "all") {
+    config = { ...DEFAULT_TOKENS };
+    for (const name of SERVICE_NAMES) {
+      Object.assign(config, SERVICE_REGISTRY[name].initConfig);
+    }
+  } else {
+    const entry = SERVICE_REGISTRY[options.service];
+    if (!entry) {
+      console.error(`Unknown service: ${options.service}. Available: ${SERVICE_NAMES.join(", ")}, all`);
+      process.exit(1);
+    }
+    config = { ...DEFAULT_TOKENS, ...entry.initConfig };
+  }
+  const content = yamlStringify(config);
+  writeFileSync(fullPath, content, "utf-8");
+  console.log(`Created ${filename}`);
+  console.log(`
+Run 'npx emulate' to start the emulator.`);
+}
+
+// src/commands/list.ts
+function listCommand() {
+  console.log("\nAvailable services:\n");
+  for (const [name, entry] of Object.entries(SERVICE_REGISTRY)) {
+    console.log(`  ${name.padEnd(10)}${entry.label}`);
+    console.log(`            Endpoints: ${entry.endpoints}`);
+    console.log();
+  }
+}
+
+// src/index.ts
+var pkg2 = { version: "0.6.0" };
+var defaultPort = process.env.EMULATE_PORT ?? process.env.PORT ?? "4000";
+var program = new Command();
+program.name("emulate").description("Local drop-in replacement services for CI and no-network sandboxes").version(pkg2.version);
+program.command("start", { isDefault: true }).description("Start the emulator server").option("-p, --port <port>", "Base port", defaultPort).option("-s, --service <services>", "Comma-separated services to enable").option("--seed <file>", "Path to seed config file").option("--base-url <url>", "Override advertised base URL (supports {service} template)").option("--portless", "Serve over HTTPS via portless (auto-registers aliases)").addHelpText(
+  "after",
+  `
+
+Control plane (under /_emulate on each service):
+  GET  /_emulate              HTML landing page
+  GET  /_emulate/manifest     machine-readable service manifest
+  GET  /_emulate/quickstart   copy/paste getting-started snippet
+  GET  /_emulate/specs        spec sources and coverage status
+  GET  /_emulate/coverage     per-operation coverage and summary
+  GET  /_emulate/connections  copyable SDK, CLI, env, and curl snippets
+  GET  /_emulate/openapi      OpenAPI document (when supported)
+  GET  /_emulate/graphql      GraphQL surface (when supported)
+  GET  /_emulate/mcp          MCP surface (when supported)
+  GET  /_emulate/state        current emulator state
+  GET  /_emulate/ledger       request ledger (DELETE to clear)
+  GET  /_emulate/logs         webhook deliveries and recent requests
+  POST /_emulate/instances    create an instance
+  POST /_emulate/seed         seed state
+  POST /_emulate/reset        reset state
+  POST /_emulate/credentials  mint a credential (bearer token, API key, or
+                              OAuth client, depending on the service's auth)
+
+Global catalog:
+  GET /_emulate/services      machine-readable catalog of every hosted service
+
+  Use /_emulate/manifest and /_emulate/coverage to discover supported surfaces
+  and honest coverage, /_emulate/credentials to create credentials,
+  /_emulate/seed to load fixtures, and /_emulate/ledger to validate API calls.
+
+Hosted services:
+  All 13 services are available on emulators.dev: github, vercel, google, okta,
+  microsoft, spotify, slack, apple, aws, resend, stripe, mongoatlas, clerk,
+  x, workos, autumn.
+  Service host:    <service>.emulators.dev (useful without an instance; serves
+                   a service-level /_emulate control plane)
+  Instance host:   <service>.<instance>.emulators.dev
+  Local/path form: <origin>/<service>/<instance>
+
+  The apex emulators.dev is the catalog landing page that lists every emulator
+  and links to its host. Per-service docs live at https://docs.emulators.dev/
+  <service>.
+`
+).action(async (opts) => {
+  const port = parseInt(opts.port, 10);
+  if (Number.isNaN(port) || port < 1 || port > 65535) {
+    console.error(`Invalid port: ${opts.port}`);
+    process.exit(1);
+  }
+  await startCommand({
+    port,
+    service: opts.service,
+    seed: opts.seed,
+    baseUrl: opts.baseUrl,
+    portless: opts.portless
+  });
+});
+program.command("init").description("Generate a starter config file").option("-s, --service <service>", "Service to generate config for", "all").action((opts) => {
+  initCommand({ service: opts.service });
+});
+program.command("list").alias("list-services").description("List available services").action(() => {
+  listCommand();
+});
+program.parse();
+//# sourceMappingURL=index.js.map