@flui-cloud/cli 0.0.1 → 0.1.0

package/lib/cli/src/commands/env/update-firewall.js

@@ -8,12 +8,30 @@ const chalk_1 = __importDefault(require("chalk"));
 const ora_1 = __importDefault(require("ora"));
 const nest_app_1 = require("../../lib/nest-app");
 const nip_base_domain_util_1 = require("../../lib/nip-base-domain.util");
-const cli_observability_cluster_service_1 = require("../../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../../services/cli-control-cluster.service");
 const firewall_provider_factory_1 = require("../../../../src/modules/providers/core/factories/firewall-provider.factory");
 const ip_detection_1 = require("../../lib/utils/ip-detection");
 const cli_firewall_repository_1 = require("../../lib/repositories/cli-firewall.repository");
 const firewall_rules_1 = require("../../lib/templates/firewall-rules");
 const context_banner_1 = require("../../lib/context-banner");
+const isSshRule = (r) => r.direction === 'in' && r.protocol === 'tcp' && r.port === '22';
+/** Replace the SSH rule's source IPs in place; add one if absent (other rules untouched). */
+function withSshSource(baseRules, sshCidrs) {
+    const rules = baseRules.length ? baseRules : (0, firewall_rules_1.CONTROL_FIREWALL_RULES)(sshCidrs);
+    if (!rules.some(isSshRule)) {
+        return [
+            {
+                description: 'SSH access for server management',
+                direction: 'in',
+                protocol: 'tcp',
+                port: '22',
+                sourceIps: sshCidrs,
+            },
+            ...rules,
+        ];
+    }
+    return rules.map((r) => (isSshRule(r) ? { ...r, sourceIps: sshCidrs } : r));
+}
 class EnvUpdateFirewall extends core_1.Command {
     async run() {
         const { flags } = await this.parse(EnvUpdateFirewall);
@@ -21,14 +39,14 @@ class EnvUpdateFirewall extends core_1.Command {
         let spinner = (0, ora_1.default)('Loading cluster information...').start();
         try {
             const app = await (0, nest_app_1.getNestApp)();
-            const observabilityService = app.get(cli_observability_cluster_service_1.CliObservabilityClusterService);
+            const controlService = app.get(cli_control_cluster_service_1.CliControlClusterService);
             const ipService = app.get(ip_detection_1.IpDetectionService);
             const firewallFactory = app.get(firewall_provider_factory_1.FirewallProviderFactory);
             const firewallRepo = app.get(cli_firewall_repository_1.CliFirewallRepository);
-            const cluster = await observabilityService.getObservabilityCluster();
+            const cluster = await controlService.getControlCluster();
             if (!cluster) {
-                spinner.fail('No observability cluster found');
-                console.log(chalk_1.default.yellow('\n⚠️  No observability cluster exists.\n'));
+                spinner.fail('No control cluster found');
+                console.log(chalk_1.default.yellow('\n⚠️  No control cluster exists.\n'));
                 console.log(chalk_1.default.dim('Create one with:'));
                 console.log(`   ${chalk_1.default.cyan('flui env create')}\n`);
                 return;
@@ -37,149 +55,237 @@ class EnvUpdateFirewall extends core_1.Command {
             const providerEnum = (cluster.provider || '').toLowerCase();
             const firewallService = firewallFactory.getFirewallProviderOrFail(providerEnum);
             const providerLabel = providerEnum.toUpperCase();
-            let sourceCidrs;
-            if (flags.ip) {
-                sourceCidrs = ipService.parseCidrList(flags.ip);
-                console.log(chalk_1.default.blue(`\nUsing custom IP(s): ${sourceCidrs.join(', ')}`));
-            }
-            else {
-                spinner = (0, ora_1.default)('Detecting public IP...').start();
-                const publicIp = await ipService.getPublicIp();
-                sourceCidrs = [ipService.toCidr(publicIp)];
-                spinner.succeed(`Auto-detected IP: ${sourceCidrs[0]}`);
-            }
             spinner = (0, ora_1.default)('Finding firewall...').start();
-            let existingFirewall = await firewallRepo.findByClusterId(cluster.id);
-            if (!existingFirewall) {
-                const byProvider = await firewallRepo.findByProvider(providerLabel);
-                if (byProvider.length === 1) {
-                    existingFirewall = byProvider[0];
-                    spinner.text = `Adopting unlinked ${providerLabel} firewall ${existingFirewall.name}`;
-                }
-                else if (byProvider.length > 1) {
-                    const masterIds = (cluster.nodes || [])
-                        .filter((n) => n.nodeType === 'master')
-                        .map((n) => {
-                        const raw = String(n.providerResourceId || '');
-                        const parts = raw.split(':');
-                        return parts.at(-1);
-                    })
-                        .filter(Boolean);
-                    spinner.text = `Disambiguating ${byProvider.length} firewall candidates by master attachment...`;
-                    const matches = [];
-                    for (const fw of byProvider) {
-                        const details = await firewallService
-                            .getFirewall(fw.id)
-                            .catch(() => null);
-                        if (!details)
-                            continue;
-                        const attached = new Set(details.appliedTo.map((a) => a.serverId));
-                        if (masterIds.some((m) => attached.has(m))) {
-                            matches.push(fw);
-                        }
-                    }
-                    if (matches.length === 1) {
-                        existingFirewall = matches[0];
-                        spinner.text = `Found attached firewall ${existingFirewall.name}`;
-                    }
-                    else if (matches.length === 0) {
-                        spinner.fail('No firewall currently attached to the cluster master');
-                        this.exit(1);
-                    }
-                    else {
-                        spinner.fail('Multiple firewalls attached, cannot disambiguate');
-                        for (const f of matches)
-                            this.log(`  - ${f.name} (${f.id})`);
-                        this.exit(1);
-                    }
-                }
-            }
-            if (existingFirewall) {
-                spinner.text = 'Updating firewall rules...';
-                const newRules = (0, firewall_rules_1.OBSERVABILITY_FIREWALL_RULES)(sourceCidrs);
-                await firewallService.updateFirewallRules(existingFirewall.id, newRules);
-                existingFirewall.clusterId = cluster.id;
-                existingFirewall.provider = providerLabel;
-                existingFirewall.sourceCidrs = sourceCidrs;
-                existingFirewall.rules = newRules;
-                await firewallRepo.save(existingFirewall);
-                spinner.succeed('Firewall updated successfully');
+            const existingFirewall = await this.findFirewall(firewallRepo, firewallService, cluster, providerLabel, spinner);
+            if (flags.list) {
+                await this.showAllowlist(firewallService, existingFirewall, spinner);
+                return;
             }
-            else {
-                spinner.text = 'Creating firewall...';
-                const firewallName = `flui-observability-${cluster.id}`;
-                const rules = (0, firewall_rules_1.OBSERVABILITY_FIREWALL_RULES)(sourceCidrs);
-                const result = await firewallService.createFirewall({
-                    name: firewallName,
-                    labels: [
-                        { key: 'managed-by', value: 'flui-cloud' },
-                        { key: 'flui-resource-type', value: 'firewall' },
-                        { key: 'flui-cluster-id', value: cluster.id },
-                        { key: 'flui-cluster-type', value: 'observability' },
-                    ],
-                    rules,
-                    applyToLabelSelector: `flui-cluster-id=${cluster.id}`,
-                });
-                const serverIds = (cluster.nodes || [])
-                    .map((n) => n.providerResourceId)
-                    .filter((x) => typeof x === 'string' && x.length > 0);
-                if (serverIds.length > 0) {
-                    await firewallService.applyToServers(result.firewallId, serverIds);
-                }
-                await firewallRepo.save({
-                    id: result.firewallId,
-                    name: firewallName,
-                    provider: providerLabel,
-                    clusterId: cluster.id,
-                    rules,
-                    appliedToServerIds: serverIds,
-                    sourceCidrs,
-                    labels: [
-                        { key: 'managed-by', value: 'flui-cloud' },
-                        { key: 'flui-cluster-id', value: cluster.id },
-                    ],
-                });
-                spinner.succeed('Firewall created successfully');
+            if ((flags.add || flags.remove) && !existingFirewall) {
+                spinner.fail('No firewall found for this cluster');
+                console.log(chalk_1.default.dim('\nRun `flui env update-firewall` (no flags) to create one first.\n'));
+                return;
             }
-            console.log(chalk_1.default.cyan('\n📋 Firewall Configuration:\n'));
-            console.log(`   ${chalk_1.default.bold('Provider:')}   ${providerLabel}`);
-            console.log(`   ${chalk_1.default.bold('Cluster:')}    ${cluster.name}`);
-            console.log(`   ${chalk_1.default.bold('Source IP:')}  ${sourceCidrs.join(', ')}`);
-            console.log('');
-            console.log(chalk_1.default.bold('Exposed Services:'));
-            console.log(`   SSH:         ${cluster.masterIpAddress}:22`);
-            const baseDomain = (0, nip_base_domain_util_1.buildNipBaseDomain)(cluster.masterIpAddress, cluster.nipHostnameToken);
-            console.log(`   Flui API:    https://api.${baseDomain}`);
-            console.log(`   Dashboard:   https://app.${baseDomain}`);
-            console.log(`   Grafana/Prometheus/Loki: cluster-internal (kubectl port-forward)`);
-            console.log('');
+            const sourceCidrs = await this.resolveSourceCidrs(ipService, flags.ip, spinner);
+            const finalSshCidrs = existingFirewall
+                ? await this.updateAllowlist(firewallService, firewallRepo, existingFirewall, cluster, providerLabel, sourceCidrs, flags)
+                : await this.createFirewall(firewallService, firewallRepo, cluster, providerLabel, sourceCidrs);
+            if (!finalSshCidrs)
+                return; // a guard (no-change / lockout) already reported
+            this.printSummary(cluster, providerLabel, finalSshCidrs);
         }
         catch (error) {
             spinner.fail('Failed to configure firewall');
             console.log(chalk_1.default.red('\n❌ Error:\n'));
-            if (error instanceof Error) {
-                console.log(`   ${error.message}\n`);
-            }
-            else {
-                console.log(`   ${String(error)}\n`);
-            }
+            console.log(`   ${error instanceof Error ? error.message : String(error)}\n`);
             this.exit(1);
         }
         finally {
             await (0, nest_app_1.closeNestApp)();
         }
     }
+    /** Locate the cluster firewall, adopting/disambiguating unlinked ones by master attachment. */
+    async findFirewall(firewallRepo, firewallService, cluster, providerLabel, spinner) {
+        const linked = await firewallRepo.findByClusterId(cluster.id);
+        if (linked)
+            return linked;
+        const byProvider = await firewallRepo.findByProvider(providerLabel);
+        if (byProvider.length === 0)
+            return null;
+        if (byProvider.length === 1) {
+            spinner.text = `Adopting unlinked ${providerLabel} firewall ${byProvider[0].name}`;
+            return byProvider[0];
+        }
+        const masterIds = (cluster.nodes || [])
+            .filter((n) => n.nodeType === 'master')
+            .map((n) => String(n.providerResourceId || '')
+            .split(':')
+            .at(-1))
+            .filter(Boolean);
+        spinner.text = `Disambiguating ${byProvider.length} firewall candidates by master attachment...`;
+        const matches = [];
+        for (const fw of byProvider) {
+            const details = await firewallService
+                .getFirewall(fw.id)
+                .catch(() => null);
+            if (!details)
+                continue;
+            const attached = new Set(details.appliedTo.map((a) => a.serverId));
+            if (masterIds.some((m) => attached.has(m)))
+                matches.push(fw);
+        }
+        if (matches.length === 1) {
+            spinner.text = `Found attached firewall ${matches[0].name}`;
+            return matches[0];
+        }
+        if (matches.length === 0) {
+            spinner.fail('No firewall currently attached to the cluster master');
+            this.exit(1);
+        }
+        spinner.fail('Multiple firewalls attached, cannot disambiguate');
+        for (const f of matches)
+            this.log(`  - ${f.name} (${f.id})`);
+        this.exit(1);
+    }
+    async sshSourceOf(firewallService, firewall) {
+        const live = await firewallService
+            .getFirewall(firewall.id)
+            .catch(() => null);
+        const rules = (live?.rules?.length ? live.rules : firewall.rules) ?? [];
+        return { rules, sshCidrs: rules.find(isSshRule)?.sourceIps ?? [] };
+    }
+    async showAllowlist(firewallService, firewall, spinner) {
+        if (!firewall) {
+            spinner.fail('No firewall found for this cluster');
+            return;
+        }
+        spinner.text = 'Reading current firewall rules...';
+        const { sshCidrs } = await this.sshSourceOf(firewallService, firewall);
+        spinner.succeed(`Firewall ${firewall.name}`);
+        console.log(chalk_1.default.cyan('\n📋 SSH allowlist (port 22):\n'));
+        if (sshCidrs.length === 0) {
+            console.log(chalk_1.default.yellow('   (empty — no source ranges, SSH is unreachable)'));
+        }
+        else {
+            for (const c of sshCidrs)
+                console.log(`   ${c}`);
+        }
+        console.log('');
+    }
+    async resolveSourceCidrs(ipService, ip, spinner) {
+        if (ip) {
+            const cidrs = ipService.parseCidrList(ip);
+            spinner.info(`Using IP(s): ${cidrs.join(', ')}`);
+            return cidrs;
+        }
+        spinner.stop();
+        const detectSpinner = (0, ora_1.default)('Detecting public IP...').start();
+        const publicIp = await ipService.getPublicIp();
+        const cidr = ipService.toCidr(publicIp);
+        detectSpinner.succeed(`Auto-detected IP: ${cidr}`);
+        return [cidr];
+    }
+    /** Apply add/remove/replace to the SSH allowlist. Returns null when nothing was written. */
+    async updateAllowlist(firewallService, firewallRepo, firewall, cluster, providerLabel, sourceCidrs, flags) {
+        const spinner = (0, ora_1.default)('Reading current firewall rules...').start();
+        const { rules: baseRules, sshCidrs: currentSsh } = await this.sshSourceOf(firewallService, firewall);
+        let finalSshCidrs;
+        if (flags.add) {
+            finalSshCidrs = [...new Set([...currentSsh, ...sourceCidrs])];
+            if (finalSshCidrs.length === currentSsh.length) {
+                spinner.info('SSH allowlist already contains the given IP(s) — no change');
+                return null;
+            }
+        }
+        else if (flags.remove) {
+            finalSshCidrs = currentSsh.filter((c) => !sourceCidrs.includes(c));
+            if (finalSshCidrs.length === currentSsh.length) {
+                spinner.info('None of the given IP(s) were in the allowlist — no change');
+                return null;
+            }
+        }
+        else {
+            finalSshCidrs = sourceCidrs;
+        }
+        if (finalSshCidrs.length === 0) {
+            spinner.fail('Refusing to leave SSH with no allowed source ranges');
+            console.log(chalk_1.default.yellow('\n⚠️  That change would lock out all SSH access (port 22).\n'));
+            console.log(chalk_1.default.dim('   Keep at least one IP/CIDR, or pass --ip to set a new one.\n'));
+            return null;
+        }
+        const newRules = withSshSource(baseRules, finalSshCidrs);
+        spinner.text = 'Updating SSH allowlist...';
+        await firewallService.updateFirewallRules(firewall.id, newRules);
+        firewall.clusterId = cluster.id;
+        firewall.provider = providerLabel;
+        firewall.sourceCidrs = finalSshCidrs;
+        firewall.rules = newRules;
+        await firewallRepo.save(firewall);
+        spinner.succeed('SSH allowlist updated');
+        return finalSshCidrs;
+    }
+    async createFirewall(firewallService, firewallRepo, cluster, providerLabel, sourceCidrs) {
+        const spinner = (0, ora_1.default)('Creating firewall...').start();
+        const firewallName = `flui-control-${cluster.id}`;
+        const rules = (0, firewall_rules_1.CONTROL_FIREWALL_RULES)(sourceCidrs);
+        const result = await firewallService.createFirewall({
+            name: firewallName,
+            labels: [
+                { key: 'managed-by', value: 'flui-cloud' },
+                { key: 'flui-resource-type', value: 'firewall' },
+                { key: 'flui-cluster-id', value: cluster.id },
+                { key: 'flui-cluster-type', value: 'control' },
+            ],
+            rules,
+            applyToLabelSelector: `flui-cluster-id=${cluster.id}`,
+        });
+        const serverIds = (cluster.nodes || [])
+            .map((n) => n.providerResourceId)
+            .filter((x) => typeof x === 'string' && x.length > 0);
+        if (serverIds.length > 0) {
+            await firewallService.applyToServers(result.firewallId, serverIds);
+        }
+        await firewallRepo.save({
+            id: result.firewallId,
+            name: firewallName,
+            provider: providerLabel,
+            clusterId: cluster.id,
+            rules,
+            appliedToServerIds: serverIds,
+            sourceCidrs,
+            labels: [
+                { key: 'managed-by', value: 'flui-cloud' },
+                { key: 'flui-cluster-id', value: cluster.id },
+            ],
+        });
+        spinner.succeed('Firewall created successfully');
+        return sourceCidrs;
+    }
+    printSummary(cluster, providerLabel, finalSshCidrs) {
+        console.log(chalk_1.default.cyan('\n📋 Firewall Configuration:\n'));
+        console.log(`   ${chalk_1.default.bold('Provider:')}      ${providerLabel}`);
+        console.log(`   ${chalk_1.default.bold('Cluster:')}       ${cluster.name}`);
+        console.log(`   ${chalk_1.default.bold('SSH allowlist:')} ${finalSshCidrs.join(', ')}`);
+        console.log('');
+        console.log(chalk_1.default.bold('Exposed Services:'));
+        console.log(`   SSH:         ${cluster.masterIpAddress}:22`);
+        const baseDomain = (0, nip_base_domain_util_1.buildNipBaseDomain)(cluster.masterIpAddress, cluster.nipHostnameToken);
+        console.log(`   Flui API:    https://api.${baseDomain}`);
+        console.log(`   Dashboard:   https://app.${baseDomain}`);
+        console.log(`   Grafana/Prometheus/Loki: cluster-internal (kubectl port-forward)`);
+        console.log('');
+    }
 }
-EnvUpdateFirewall.description = 'Create or update firewall IP ranges for observability cluster';
+EnvUpdateFirewall.description = 'Manage SSH access (port 22) on the control cluster firewall. ' +
+    'Updates only the SSH source IPs — every other rule is left untouched. ' +
+    'Runs directly against the cloud provider, so it works even when your ' +
+    'current IP is locked out.';
 EnvUpdateFirewall.examples = [
     '<%= config.bin %> <%= command.id %>',
     '<%= config.bin %> <%= command.id %> --ip 203.0.113.42',
-    '<%= config.bin %> <%= command.id %> --ip "203.0.113.0/24,198.51.100.5/32"',
+    '<%= config.bin %> <%= command.id %> --add --ip 203.0.113.42',
+    '<%= config.bin %> <%= command.id %> --remove --ip 198.51.100.5/32',
+    '<%= config.bin %> <%= command.id %> --list',
 ];
 EnvUpdateFirewall.flags = {
     ip: core_1.Flags.string({
         description: 'Source IP/CIDR or comma-separated list (default: auto-detect current IP)',
         required: false,
     }),
+    add: core_1.Flags.boolean({
+        description: 'Add the IP(s) to the existing SSH allowlist (keeps current entries)',
+        default: false,
+        exclusive: ['remove', 'list'],
+    }),
+    remove: core_1.Flags.boolean({
+        description: 'Remove the IP(s) from the SSH allowlist',
+        default: false,
+        exclusive: ['add', 'list'],
+    }),
+    list: core_1.Flags.boolean({
+        description: 'Show the current SSH allowlist and exit (no changes)',
+        default: false,
+        exclusive: ['add', 'remove'],
+    }),
 };
 exports.default = EnvUpdateFirewall;

package/lib/cli/src/commands/integration/connect.d.ts

@@ -9,5 +9,6 @@ export default class IntegrationConnect extends Command {
         headless: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
+    private handleInstallUrlError;
     private waitForCallback;
 }

package/lib/cli/src/commands/integration/connect.js

@@ -67,7 +67,7 @@ class IntegrationConnect extends core_1.Command {
         }
         catch (error) {
             spinner.fail('Failed to get install URL');
-            console.log(chalk_1.default.red(`  ${error.message}`));
+            this.handleInstallUrlError(error, apiUrl);
             this.exit(1);
         }
         if (install.alreadyConnected) {
@@ -104,6 +104,24 @@ class IntegrationConnect extends core_1.Command {
         console.log(chalk_1.default.red(`\n  ✖ Connection failed: ${result.error}\n`));
         this.exit(1);
     }
+    handleInstallUrlError(error, apiUrl) {
+        const isNotConfigured = error instanceof api_client_1.ApiError &&
+            (error.statusCode === 400 ||
+                error.statusCode === 404 ||
+                error.statusCode === 503) &&
+            /not configured|callback url|client_id|not yet configured/i.test(error.message);
+        if (!isNotConfigured) {
+            console.log(chalk_1.default.red(`  ${error.message}`));
+            return;
+        }
+        const dashboardHint = apiUrl.replace(/\/api(\/v1)?$/, '');
+        console.log('');
+        console.log(chalk_1.default.yellow("  This Flui instance doesn't have a GitHub integration configured yet."));
+        console.log('');
+        console.log(`  Run: ${chalk_1.default.cyan('flui integration setup github')}`);
+        console.log(chalk_1.default.dim(`  Or visit: ${dashboardHint}/apps/repositories/github-setup`));
+        console.log('');
+    }
     waitForCallback(port) {
         return new Promise((resolve) => {
             const timer = setTimeout(() => {

package/lib/cli/src/commands/integration/reset.d.ts

@@ -0,0 +1,13 @@
+import { Command } from '@oclif/core';
+export default class IntegrationReset extends Command {
+    static readonly description = "Remove the instance-wide GitHub integration (admin). Clears the stored config plus all per-user tokens and App installations. Users will need to reconnect afterwards.";
+    static readonly examples: string[];
+    static readonly args: {
+        provider: import("@oclif/core/lib/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static readonly flags: {
+        yes: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+    private printApiError;
+}

package/lib/cli/src/commands/integration/reset.js

@@ -0,0 +1,95 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const api_client_1 = require("../../lib/api-client");
+const config_storage_1 = require("../../lib/config-storage");
+const prompts_1 = require("../../lib/prompts");
+class IntegrationReset extends core_1.Command {
+    async run() {
+        const { args, flags } = await this.parse(IntegrationReset);
+        if (args.provider !== 'github') {
+            this.error(`Unknown provider "${args.provider}"`, { exit: 1 });
+        }
+        const configStorage = new config_storage_1.ConfigStorage();
+        const apiUrl = configStorage.getApiUrlOrThrow();
+        const apiKey = configStorage.getApiKey();
+        if (!apiKey) {
+            this.error('Not logged in. Run `flui auth login` first.', { exit: 1 });
+        }
+        const api = new api_client_1.ApiClient({ baseUrl: apiUrl, apiKey });
+        let status = null;
+        try {
+            status = await api.get('/repositories/github/setup/status');
+        }
+        catch (error) {
+            this.printApiError(error);
+            this.exit(1);
+        }
+        if (!status?.configured) {
+            console.log('');
+            console.log(chalk_1.default.dim('  GitHub integration is not configured — nothing to reset.'));
+            console.log('');
+            return;
+        }
+        console.log('');
+        console.log(chalk_1.default.bold('  This will remove:'));
+        console.log(`    • Instance config (mode=${status.authMethod}${status.appSlug ? `, app=${status.appSlug}` : ''})`);
+        console.log('    • All per-user GitHub tokens stored by Flui');
+        console.log('    • All recorded GitHub App installations');
+        console.log('');
+        console.log(chalk_1.default.yellow('  Existing apps will keep deploying until their next event, but new repo syncs and webhooks will fail until the integration is reconfigured.'));
+        console.log('');
+        if (!flags.yes) {
+            const confirmed = await (0, prompts_1.confirmByTypingPrompt)(`  Type ${chalk_1.default.bold('reset')} to confirm`, 'reset');
+            if (!confirmed) {
+                console.log(chalk_1.default.dim('\n  Cancelled.\n'));
+                return;
+            }
+        }
+        const spinner = (0, ora_1.default)('Resetting GitHub integration…').start();
+        try {
+            await api.delete('/repositories/github/setup');
+            spinner.succeed('GitHub integration reset');
+        }
+        catch (error) {
+            spinner.fail('Reset failed');
+            this.printApiError(error);
+            this.exit(1);
+        }
+        console.log('');
+        console.log(chalk_1.default.dim('  Next: `flui integration setup github` to configure a fresh integration.'));
+        console.log('');
+    }
+    printApiError(error) {
+        if (error instanceof api_client_1.ApiError) {
+            console.log(chalk_1.default.red(`  ${error.statusCode}: ${error.message}`));
+        }
+        else {
+            console.log(chalk_1.default.red(`  ${error.message}`));
+        }
+    }
+}
+IntegrationReset.description = 'Remove the instance-wide GitHub integration (admin). Clears the stored config plus all per-user tokens and App installations. Users will need to reconnect afterwards.';
+IntegrationReset.examples = [
+    '<%= config.bin %> <%= command.id %> github',
+    '<%= config.bin %> <%= command.id %> github --yes',
+];
+IntegrationReset.args = {
+    provider: core_1.Args.string({
+        description: 'Integration provider (currently only `github`)',
+        required: true,
+        options: ['github'],
+    }),
+};
+IntegrationReset.flags = {
+    yes: core_1.Flags.boolean({
+        description: 'Skip the typed confirmation (for scripts / CI)',
+        default: false,
+    }),
+};
+exports.default = IntegrationReset;

package/lib/cli/src/commands/integration/setup.d.ts

@@ -0,0 +1,18 @@
+import { Command } from '@oclif/core';
+export default class IntegrationSetup extends Command {
+    static readonly description = "Guided GitHub integration setup (admin). Pick GitHub App (recommended, creates the App on GitHub via manifest flow) or Personal Access Token (validates and saves a token).";
+    static readonly examples: string[];
+    static readonly args: {
+        provider: import("@oclif/core/lib/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static readonly flags: {
+        headless: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+    private fetchStatus;
+    private runManifestFlow;
+    private startManifestSubmitServer;
+    private pollUntilConfigured;
+    private runPatFlow;
+    private printApiError;
+}