@insforge/cli 0.1.73 → 0.1.76

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { readFileSync as readFileSync11 } from "fs";
+import { readFileSync as readFileSync13 } from "fs";
 import { join as join17, dirname as dirname3 } from "path";
 import { fileURLToPath } from "url";
 import { Command } from "commander";
@@ -41,8 +41,8 @@ var LineReader = class {
     this.output.write(prompt);
     if (this.queue.length > 0) return this.queue.shift();
     if (this.closed) return null;
-    return new Promise((resolve5) => {
-      this.waiter = resolve5;
+    return new Promise((resolve8) => {
+      this.waiter = resolve8;
     });
   }
   close() {
@@ -424,8 +424,8 @@ function startCallbackServer() {
   return new Promise((resolveServer) => {
     let resolveResult;
     let rejectResult;
-    const resultPromise = new Promise((resolve5, reject) => {
-      resolveResult = resolve5;
+    const resultPromise = new Promise((resolve8, reject) => {
+      resolveResult = resolve8;
       rejectResult = reject;
     });
     const server = createServer((req, res) => {
@@ -1158,7 +1158,7 @@ function registerProjectsCommands(projectsCmd2) {
         }
         outputTable(
           ["ID", "Name", "Region", "Status", "AppKey"],
-          projects.map((p) => [p.id, p.name, p.region, p.status, p.appkey])
+          projects.map((p3) => [p3.id, p3.name, p3.region, p3.status, p3.appkey])
         );
       }
     } catch (err) {
@@ -1751,10 +1751,14 @@ ${missing.join("\n")}
 `;
   appendFileSync(gitignorePath, block);
 }
-async function installSkills(json) {
+var AGENT_FLAGS = "-a antigravity -a augment -a claude-code -a cline -a codex -a cursor -a gemini-cli -a github-copilot -a kilo -a qoder -a qwen-code -a roo -a trae -a windsurf";
+var PROVIDER_SKILLS = {
+  "better-auth": { repo: "better-auth/skills", label: "Better Auth skills" }
+};
+async function installSkills(json, authProvider) {
   try {
     if (!json) clack9.log.info("Installing InsForge agent skills (global)...");
-    await execAsync("npx skills add insforge/agent-skills -g -y -a antigravity -a augment -a claude-code -a cline -a codex -a cursor -a gemini-cli -a github-copilot -a kilo -a qoder -a qwen-code -a roo -a trae -a windsurf", {
+    await execAsync(`npx skills add insforge/agent-skills -g -y ${AGENT_FLAGS}`, {
       cwd: process.cwd(),
       timeout: SKILL_INSTALL_TIMEOUT_MS
     });
@@ -1778,6 +1782,22 @@ async function installSkills(json) {
       clack9.log.info("Run `npx skills add https://github.com/vercel-labs/skills --skill find-skills` once resolved.");
     }
   }
+  const providerEntry = authProvider ? PROVIDER_SKILLS[authProvider] : void 0;
+  if (providerEntry) {
+    try {
+      if (!json) clack9.log.info(`Installing ${providerEntry.label} (global)...`);
+      await execAsync(`npx skills add ${providerEntry.repo} -g -y ${AGENT_FLAGS}`, {
+        cwd: process.cwd(),
+        timeout: SKILL_INSTALL_TIMEOUT_MS
+      });
+      if (!json) clack9.log.success(`${providerEntry.label} installed.`);
+    } catch (err) {
+      if (!json) {
+        clack9.log.warn(`Could not install ${providerEntry.label}: ${describeExecError(err)}`);
+        clack9.log.info(`Run \`npx skills add ${providerEntry.repo}\` once resolved to see the full output.`);
+      }
+    }
+  }
   try {
     updateGitignore();
   } catch {
@@ -1868,18 +1888,34 @@ async function getJwtSecret() {
 function spliceDatabasePassword(maskedUrl, password3) {
   return maskedUrl.replace(/^(postgresql:\/\/[^:]+:)[^@]+(@)/, `$1${password3}$2`);
 }
+function isMaskedDatabasePassword(value) {
+  return /^\*+$/.test(value);
+}
+async function fetchDatabasePasswordOnce() {
+  try {
+    const res = await ossFetch("/api/metadata/database-password");
+    const body = await res.json();
+    const pw = body.databasePassword;
+    if (typeof pw !== "string" || !pw || isMaskedDatabasePassword(pw)) return null;
+    return pw;
+  } catch {
+    return null;
+  }
+}
 async function getDatabaseConnectionString() {
   try {
-    const [urlRes, pwRes] = await Promise.all([
-      ossFetch("/api/metadata/database-connection-string"),
-      ossFetch("/api/metadata/database-password")
-    ]);
+    const urlRes = await ossFetch("/api/metadata/database-connection-string");
     const urlBody = await urlRes.json();
-    const pwBody = await pwRes.json();
     const masked = urlBody.connectionURL;
-    const password3 = pwBody.databasePassword;
     if (typeof masked !== "string" || !masked) return null;
-    if (typeof password3 !== "string" || !password3) return null;
+    let password3 = await fetchDatabasePasswordOnce();
+    const POLL_ATTEMPTS = 9;
+    const POLL_DELAY_MS = 2e3;
+    for (let attempt = 0; password3 === null && attempt < POLL_ATTEMPTS; attempt++) {
+      await new Promise((r) => setTimeout(r, POLL_DELAY_MS));
+      password3 = await fetchDatabasePasswordOnce();
+    }
+    if (password3 === null) return null;
     return spliceDatabasePassword(masked, password3);
   } catch {
     return null;
@@ -1918,8 +1954,8 @@ ${err.nextActions}`;
 // src/auth-providers/apply.ts
 var execFileAsync = promisify2(execFile);
 var VALID_AUTH_PROVIDERS = ["better-auth"];
-function pathExists(p) {
-  return fs.stat(p).then(() => true, () => false);
+function pathExists(p3) {
+  return fs.stat(p3).then(() => true, () => false);
 }
 function deepMergeKeepBase(base, patch) {
   const out = { ...base };
@@ -2310,11 +2346,11 @@ async function collectDeploymentFiles(sourceDir) {
   return files;
 }
 async function createZipBuffer(sourceDir) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve8, reject) => {
     const archive = archiver("zip", { zlib: { level: 9 } });
     const chunks = [];
     archive.on("data", (chunk) => chunks.push(chunk));
-    archive.on("end", () => resolve5(Buffer.concat(chunks)));
+    archive.on("end", () => resolve8(Buffer.concat(chunks)));
     archive.on("error", (err) => reject(err));
     archive.directory(sourceDir, false, (entry) => {
       if (shouldExclude(entry.name)) return false;
@@ -2396,7 +2432,7 @@ async function pollDeployment(deploymentId, spinner10, syncBeforeRead) {
   const startTime = Date.now();
   let deployment = null;
   while (Date.now() - startTime < POLL_TIMEOUT_MS3) {
-    await new Promise((resolve5) => setTimeout(resolve5, POLL_INTERVAL_MS3));
+    await new Promise((resolve8) => setTimeout(resolve8, POLL_INTERVAL_MS3));
     try {
       if (syncBeforeRead) {
         await ossFetch(`/api/deployments/${deploymentId}/sync`, { method: "POST" });
@@ -2877,7 +2913,7 @@ function registerCreateCommand(program2) {
             else clack12.log.warn(msg);
           }
         }
-        await installSkills(json);
+        await installSkills(json, opts.auth);
         trackCommand("create", orgId);
         await reportCliUsage("cli.create", true, 6);
         const templateDownloaded = hasTemplate ? await fs4.stat(path4.join(process.cwd(), "package.json")).catch(() => null) : null;
@@ -2962,7 +2998,7 @@ function registerCreateCommand(program2) {
             clack12.note(
               `Open your coding agent (Claude Code, Codex, Cursor, etc.) and try:
 
-${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
+${prompts.map((p3) => `\u2022 "${p3}"`).join("\n")}`,
               "Start building"
             );
           }
@@ -3147,7 +3183,7 @@ async function runNpmSetupIfPresent() {
   }
 }
 function registerProjectLinkCommand(program2) {
-  program2.command("link").description("Link current directory to an InsForge project").option("--project-id <id>", "Project ID to link").option("--org-id <id>", "Organization ID").option("--template <template>", "Download a template after linking: react, nextjs, chatbot, crm, e-commerce, todo").option("--auth <provider>", "Wire a third-party auth provider into the chosen template (currently: better-auth)").option("--api-base-url <url>", "API Base URL for direct linking (OSS/Self-hosted)").option("--api-key <key>", "API Key for direct linking (OSS/Self-hosted)").action(async (opts, cmd) => {
+  program2.command("link").description("Link current directory to an InsForge project (no args: installs agent skills only)").option("--project-id <id>", "Project ID to link").option("--org-id <id>", "Organization ID").option("--template <template>", "Download a template after linking: react, nextjs, chatbot, crm, e-commerce, todo").option("--auth <provider>", "Wire a third-party auth provider into the chosen template (currently: better-auth)").option("--api-base-url <url>", "API Base URL for direct linking (OSS/Self-hosted)").option("--api-key <key>", "API Key for direct linking (OSS/Self-hosted)").action(async (opts, cmd) => {
     const { json, apiUrl } = getRootOpts(cmd);
     const validTemplates = ["react", "nextjs", "chatbot", "crm", "e-commerce", "todo"];
     if (opts.auth && !VALID_AUTH_PROVIDERS.includes(opts.auth)) {
@@ -3157,6 +3193,28 @@ function registerProjectLinkCommand(program2) {
       if (opts.template && !validTemplates.includes(opts.template)) {
         throw new CLIError(`Invalid template "${opts.template}". Valid options: ${validTemplates.join(", ")}`);
       }
+      const isSkillsOnly = opts.projectId === void 0 && opts.orgId === void 0 && opts.template === void 0 && opts.auth === void 0 && opts.apiBaseUrl === void 0 && opts.apiKey === void 0;
+      if (isSkillsOnly) {
+        try {
+          await installSkills(json);
+          trackCommand("link", "skills-only", { skills_only: true });
+          await reportCliUsage("cli.link_skills_only", true, 1);
+          if (json) {
+            outputJson({ success: true, skills_only: true });
+          } else {
+            clack13.note(
+              `Open your coding agent (Claude Code, Codex, Cursor, etc.) and ask it to build something. It will walk you through provisioning an InsForge project when needed.`,
+              "What's next"
+            );
+          }
+          return;
+        } catch (err) {
+          await reportCliUsage("cli.link_skills_only", false);
+          await shutdownAnalytics();
+          handleError(err, json);
+          return;
+        }
+      }
       if (opts.apiBaseUrl || opts.apiKey) {
         try {
           if (!opts.apiBaseUrl || !opts.apiKey) {
@@ -3235,7 +3293,7 @@ function registerProjectLinkCommand(program2) {
                 await runNpmSetupIfPresent();
               }
             }
-            await installSkills(json);
+            await installSkills(json, opts.auth);
             trackCommand("link", "oss-org", { direct: true, template: template2 });
             await reportCliUsage("cli.link_direct", true, 6, projectConfig2);
             try {
@@ -3282,7 +3340,7 @@ function registerProjectLinkCommand(program2) {
             }
           }
           trackCommand("link", "oss-org", { direct: true });
-          await installSkills(json);
+          await installSkills(json, opts.auth);
           await reportCliUsage("cli.link_direct", true, 6, projectConfig2);
           try {
             const urlMatch = opts.apiBaseUrl.match(/^https?:\/\/([^.]+)\.[^.]+\.insforge\.app/);
@@ -3337,9 +3395,9 @@ function registerProjectLinkCommand(program2) {
         }
         const selected = await select2({
           message: "Select a project to link:",
-          options: projects.map((p) => ({
-            value: p.id,
-            label: `${p.name} (${p.region}, ${p.status})`
+          options: projects.map((p3) => ({
+            value: p3.id,
+            label: `${p3.name} (${p3.region}, ${p3.status})`
           }))
         });
         if (isCancel2(selected)) process.exit(0);
@@ -3432,7 +3490,7 @@ function registerProjectLinkCommand(program2) {
             await runNpmSetupIfPresent();
           }
         }
-        await installSkills(json);
+        await installSkills(json, opts.auth);
         await reportCliUsage("cli.link", true, 6, projectConfig);
         if (!json) {
           const dashboardUrl = `${getFrontendUrl()}/dashboard/project/${project.id}`;
@@ -3465,7 +3523,7 @@ function registerProjectLinkCommand(program2) {
             else clack13.log.warn(msg);
           }
         }
-        await installSkills(json);
+        await installSkills(json, opts.auth);
         await reportCliUsage("cli.link", true, 6, projectConfig);
         if (!json) {
           const dashboardUrl = `${getFrontendUrl()}/dashboard/project/${project.id}`;
@@ -3478,7 +3536,7 @@ function registerProjectLinkCommand(program2) {
           clack13.note(
             `Open your coding agent (Claude Code, Codex, Cursor, etc.) and try:
 
-${prompts.map((p) => `\u2022 "${p}"`).join("\n")}`,
+${prompts.map((p3) => `\u2022 "${p3}"`).join("\n")}`,
             "Start building"
           );
         }
@@ -3635,13 +3693,13 @@ function registerDbPoliciesCommand(dbCmd2) {
         }
         outputTable(
           ["Table", "Policy Name", "Command", "Roles", "Qual", "With Check"],
-          policies.map((p) => [
-            String(p.tableName ?? "-"),
-            String(p.policyName ?? "-"),
-            String(p.cmd ?? "-"),
-            Array.isArray(p.roles) ? p.roles.join(", ") : String(p.roles ?? "-"),
-            String(p.qual ?? "-"),
-            String(p.withCheck ?? "-")
+          policies.map((p3) => [
+            String(p3.tableName ?? "-"),
+            String(p3.policyName ?? "-"),
+            String(p3.cmd ?? "-"),
+            Array.isArray(p3.roles) ? p3.roles.join(", ") : String(p3.roles ?? "-"),
+            String(p3.qual ?? "-"),
+            String(p3.withCheck ?? "-")
           ])
         );
       }
@@ -4787,10 +4845,10 @@ function registerStorageDeleteBucketCommand(storageCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete bucket "${name}" and all its objects? This cannot be undone.`
         });
-        if (isCancel2(confirm6) || !confirm6) {
+        if (isCancel2(confirm8) || !confirm8) {
           process.exit(0);
         }
       }
@@ -4937,12 +4995,12 @@ function registerListCommand(program2) {
             id: org.id,
             name: org.name,
             type: org.type ?? null,
-            projects: projects.map((p) => ({
-              id: p.id,
-              name: p.name,
-              region: p.region,
-              status: p.status,
-              appkey: p.appkey
+            projects: projects.map((p3) => ({
+              id: p3.id,
+              name: p3.name,
+              region: p3.region,
+              status: p3.status,
+              appkey: p3.appkey
             }))
           }))
         );
@@ -4954,13 +5012,13 @@ function registerListCommand(program2) {
           rows.push([org.name, "-", "-", "-", "-"]);
         } else {
           for (let i = 0; i < projects.length; i++) {
-            const p = projects[i];
+            const p3 = projects[i];
             rows.push([
               i === 0 ? org.name : "",
-              p.name,
-              p.region,
-              p.status,
-              p.appkey
+              p3.name,
+              p3.region,
+              p3.status,
+              p3.appkey
             ]);
           }
         }
@@ -5341,10 +5399,10 @@ function registerSecretsDeleteCommand(secretsCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete secret "${key}"? This cannot be undone.`
         });
-        if (isCancel2(confirm6) || !confirm6) {
+        if (isCancel2(confirm8) || !confirm8) {
           process.exit(0);
         }
       }
@@ -5532,10 +5590,10 @@ function registerSchedulesDeleteCommand(schedulesCmd2) {
     try {
       await requireAuth();
       if (!yes && !json) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete schedule "${id}"? This cannot be undone.`
         });
-        if (isCancel2(confirm6) || !confirm6) {
+        if (isCancel2(confirm8) || !confirm8) {
           process.exit(0);
         }
       }
@@ -5757,6 +5815,8 @@ function registerComputeUpdateCommand(computeCmd2) {
         outputJson(service);
       } else {
         outputSuccess(`Service "${service.name}" updated [${service.status}]`);
+        if (service.endpointUrl) console.log(`  Endpoint: ${service.endpointUrl}`);
+        if (service.port !== void 0) console.log(`  Port: ${service.port} (container must listen on this port)`);
       }
       await reportCliUsage("cli.compute.update", true);
     } catch (err) {
@@ -5957,7 +6017,7 @@ primary_region = "${opts.region}"
   };
 }
 function flyctlBuildAndPush(opts) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve8, reject) => {
     const cleanupStub = ensureFlyTomlStub({
       dir: opts.dir,
       appId: opts.appId,
@@ -6013,7 +6073,7 @@ function flyctlBuildAndPush(opts) {
           )
         );
       }
-      resolve5({ imageRef: `registry.fly.io/${opts.appId}@${m[1]}` });
+      resolve8({ imageRef: `registry.fly.io/${opts.appId}@${m[1]}` });
     });
   });
 }
@@ -6112,6 +6172,7 @@ function registerComputeDeployCommand(computeCmd2) {
           const verb = existing2 ? "updated" : "deployed";
           outputSuccess(`Service "${service2.name}" ${verb} [${service2.status}]`);
           if (service2.endpointUrl) console.log(`  Endpoint: ${service2.endpointUrl}`);
+          if (service2.port !== void 0) console.log(`  Port: ${service2.port} (container must listen on this port)`);
         }
         await reportCliUsage("cli.compute.deploy", true);
         return;
@@ -6207,6 +6268,7 @@ function registerComputeDeployCommand(computeCmd2) {
         const verb = existing ? "updated" : "deployed";
         outputSuccess(`Service "${service.name}" ${verb} [${service.status}]`);
         if (service.endpointUrl) console.log(`  Endpoint: ${service.endpointUrl}`);
+        if (service.port !== void 0) console.log(`  Port: ${service.port} (container must listen on this port)`);
         console.log(`  Image: ${imageRef} (built remotely; no local image to clean up)`);
       }
       await reportCliUsage("cli.compute.deploy", true);
@@ -6896,7 +6958,7 @@ function registerDiagnoseCommands(diagnoseCmd2) {
         const s = !json ? clack15.spinner() : null;
         s?.start("Collecting diagnostic data...");
         const data2 = await collectDiagnosticData(projectId, ossMode, apiUrl);
-        const cliVersion = "0.1.73";
+        const cliVersion = "0.1.76";
         s?.stop("Data collected");
         if (!json) {
           console.log(`
@@ -7530,10 +7592,10 @@ function registerPaymentsConfigCommand(paymentsCmd2) {
         throw new CLIError("Use --yes with --json to remove a Stripe key non-interactively.");
       }
       if (!yes) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Remove Stripe ${environment} key? Payment sync and mutations for this environment will stop.`
         });
-        if (isCancel2(confirm6) || !confirm6) process.exit(0);
+        if (isCancel2(confirm8) || !confirm8) process.exit(0);
       }
       const data = await removeStripeSecretKey(environment);
       if (json) {
@@ -8056,10 +8118,10 @@ function registerPaymentsProductsCommand(paymentsCmd2) {
         );
       }
       if (!yes) {
-        const confirm6 = await confirm2({
+        const confirm8 = await confirm2({
           message: `Delete Stripe ${environment} product "${productId}"?`
         });
-        if (isCancel2(confirm6) || !confirm6) process.exit(0);
+        if (isCancel2(confirm8) || !confirm8) process.exit(0);
       }
       const data = await deletePaymentProduct(environment, productId);
       if (json) {
@@ -8410,14 +8472,14 @@ async function startPosthogCliFlow(projectId, jwt, apiUrl) {
   throw new CLIError("PostHog cli-start returned an unexpected response shape.");
 }
 function sleep(ms, signal) {
-  return new Promise((resolve5, reject) => {
+  return new Promise((resolve8, reject) => {
     if (signal?.aborted) {
       reject(new CLIError("Connection wait cancelled."));
       return;
     }
     const timer = setTimeout(() => {
       signal?.removeEventListener("abort", onAbort);
-      resolve5();
+      resolve8();
     }, ms);
     const onAbort = () => {
       clearTimeout(timer);
@@ -8985,13 +9047,373 @@ function frameworkLabel(framework) {
       return "Astro";
   }
 }
-function relative3(p) {
-  return p.replace(process.cwd() + "/", "");
+function relative3(p3) {
+  return p3.replace(process.cwd() + "/", "");
+}
+
+// src/commands/config/export.ts
+import { writeFileSync as writeFileSync9, existsSync as existsSync14 } from "fs";
+import { resolve as resolve5 } from "path";
+import * as p from "@clack/prompts";
+import pc4 from "picocolors";
+
+// src/lib/config-toml.ts
+import * as smolToml from "smol-toml";
+
+// src/lib/config-schema.ts
+var ConfigValidationError = class extends Error {
+  constructor(path6, message) {
+    super(`config.${path6}: ${message}`);
+    this.path = path6;
+    this.name = "ConfigValidationError";
+  }
+};
+function validateConfig(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("", "must be an object");
+  }
+  const obj = input;
+  const out = {};
+  if ("project_id" in obj) {
+    if (typeof obj.project_id !== "string") {
+      throw new ConfigValidationError("project_id", "must be a string");
+    }
+    out.project_id = obj.project_id;
+  }
+  if ("auth" in obj) out.auth = validateAuth(obj.auth);
+  return out;
+}
+function validateAuth(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("auth", "must be an object");
+  }
+  const obj = input;
+  const out = {};
+  if ("allowed_redirect_urls" in obj) {
+    const v = obj.allowed_redirect_urls;
+    if (!Array.isArray(v) || !v.every((u) => typeof u === "string")) {
+      throw new ConfigValidationError(
+        "auth.allowed_redirect_urls",
+        "must be an array of strings"
+      );
+    }
+    out.allowed_redirect_urls = v;
+  }
+  return out;
+}
+
+// src/lib/config-toml.ts
+function parseConfigToml(input) {
+  let parsed;
+  try {
+    parsed = smolToml.parse(input);
+  } catch (err) {
+    throw new Error(`TOML parse error: ${err.message}`, { cause: err });
+  }
+  return validateConfig(parsed);
+}
+function stringifyConfigToml(config) {
+  const lines = [];
+  if (config.project_id !== void 0) {
+    lines.push(`project_id = ${JSON.stringify(config.project_id)}`);
+    lines.push("");
+  }
+  if (config.auth) {
+    lines.push("[auth]");
+    if (config.auth.allowed_redirect_urls !== void 0) {
+      const urls = config.auth.allowed_redirect_urls.map((u) => JSON.stringify(u)).join(", ");
+      lines.push(`allowed_redirect_urls = [${urls}]`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n").replace(/\n+$/, "\n");
+}
+
+// src/commands/config/export.ts
+function registerConfigExportCommand(cfg) {
+  cfg.command("export").description("Pull live project config and write insforge.toml").option("--out <path>", "output path", "insforge.toml").option("--force", "overwrite without confirmation").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const target = resolve5(process.cwd(), opts.out);
+      if (existsSync14(target) && !opts.force) {
+        if (json) {
+          throw new CLIError(
+            `${opts.out} exists. Re-run with --force to overwrite.`,
+            1,
+            "OUTPUT_EXISTS"
+          );
+        }
+        const ok = await p.confirm({
+          message: `${opts.out} exists. Overwrite?`,
+          initialValue: false
+        });
+        if (!ok || p.isCancel(ok)) {
+          console.log("Aborted.");
+          return;
+        }
+      }
+      const res = await ossFetch("/api/metadata");
+      const raw = await res.json();
+      const config = {};
+      const skipped = [];
+      const authSlice = raw?.auth;
+      if (authSlice && typeof authSlice === "object" && "allowedRedirectUrls" in authSlice) {
+        config.auth = {
+          allowed_redirect_urls: authSlice.allowedRedirectUrls ?? []
+        };
+      } else {
+        skipped.push("auth.allowed_redirect_urls");
+      }
+      const toml = stringifyConfigToml(config);
+      writeFileSync9(target, toml, "utf8");
+      if (json) {
+        console.log(JSON.stringify({ written: target, config, skipped }, null, 2));
+      } else {
+        console.log(`${pc4.green("\u2713")} Wrote ${target}`);
+        if (skipped.length) {
+          console.warn(
+            pc4.yellow(
+              `\u26A0 Skipped ${skipped.length} section(s) not supported by this backend:`
+            ) + "\n" + skipped.map((k) => `  - ${k}`).join("\n")
+          );
+        }
+      }
+      await reportCliUsage("cli.config.export", true);
+    } catch (err) {
+      await reportCliUsage("cli.config.export", false);
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/config/plan.ts
+import { readFileSync as readFileSync11 } from "fs";
+import { resolve as resolve6 } from "path";
+import pc5 from "picocolors";
+
+// src/lib/config-diff.ts
+function diffConfig({ live, file }) {
+  const changes = [];
+  const fileAuth = file.auth;
+  const liveAuth = live.auth ?? {};
+  if (fileAuth && "allowed_redirect_urls" in fileAuth) {
+    const fromV = normalizeUrlList(liveAuth.allowed_redirect_urls);
+    const toV = normalizeUrlList(fileAuth.allowed_redirect_urls);
+    if (!arrayEquals(fromV, toV)) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "allowed_redirect_urls",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  return { changes, summary: summarize(changes) };
+}
+function summarize(changes) {
+  const s = { add: 0, modify: 0, remove: 0, kept: 0 };
+  for (const c of changes) {
+    if (c.op === "modify") s.modify++;
+  }
+  return s;
+}
+function normalizeUrlList(input) {
+  return Array.from(new Set(input ?? [])).sort();
+}
+function arrayEquals(a, b) {
+  if (a.length !== b.length) return false;
+  return a.every((v, i) => v === b[i]);
+}
+
+// src/lib/config-format.ts
+function formatPlan(result) {
+  if (result.changes.length === 0) {
+    return "No changes. Live state matches insforge.toml.";
+  }
+  const bySection = /* @__PURE__ */ new Map();
+  for (const c of result.changes) {
+    const arr = bySection.get(c.section) ?? [];
+    arr.push(c);
+    bySection.set(c.section, arr);
+  }
+  const lines = [];
+  for (const [section, changes] of bySection) {
+    lines.push(`  ${section}:`);
+    for (const c of changes) {
+      lines.push(`    ${formatChange(c)}`);
+    }
+    lines.push("");
+  }
+  const s = result.summary;
+  lines.push(
+    `${s.add} add, ${s.modify} modify, ${s.remove} remove, ${s.kept} untracked kept.`
+  );
+  return lines.join("\n");
+}
+function formatChange(c) {
+  return `~ ${c.key}: ${JSON.stringify(c.from)} \u2192 ${JSON.stringify(c.to)}`;
+}
+
+// src/lib/config-capabilities.ts
+function metadataSupports(raw, change) {
+  if (change.section === "auth" && change.key === "allowed_redirect_urls") {
+    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "allowedRedirectUrls" in raw.auth;
+  }
+  return false;
+}
+function changePath(change) {
+  return `${change.section}.${change.key}`;
+}
+
+// src/commands/config/plan.ts
+function registerConfigPlanCommand(cfg) {
+  cfg.command("plan").description("Show diff between insforge.toml and live project state").option("--file <path>", "path to insforge.toml", "insforge.toml").action(async (opts, cmd) => {
+    const { json } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const tomlPath = resolve6(process.cwd(), opts.file);
+      const tomlSource = readFileSync11(tomlPath, "utf8");
+      const file = parseConfigToml(tomlSource);
+      const res = await ossFetch("/api/metadata");
+      const raw = await res.json();
+      const live = {
+        auth: { allowed_redirect_urls: raw.auth?.allowedRedirectUrls ?? [] }
+      };
+      const result = diffConfig({ live, file });
+      const skipped = result.changes.filter((c) => !metadataSupports(raw, c)).map((c) => changePath(c));
+      if (json) {
+        console.log(JSON.stringify({ ...result, skipped }, null, 2));
+      } else {
+        console.log(`Plan for insforge.toml (file: ${opts.file}):
+`);
+        console.log(formatPlan(result));
+        if (skipped.length) {
+          console.warn(
+            "\n" + pc5.yellow(`\u26A0 Apply will skip ${skipped.length} section(s) \u2014 backend doesn't support them yet:`) + "\n" + skipped.map((k) => `  - ${k}`).join("\n")
+          );
+        }
+      }
+      await reportCliUsage("cli.config.plan", true);
+    } catch (err) {
+      await reportCliUsage("cli.config.plan", false);
+      handleError(err, json);
+    }
+  });
+}
+
+// src/commands/config/apply.ts
+import { readFileSync as readFileSync12 } from "fs";
+import { resolve as resolve7 } from "path";
+import * as p2 from "@clack/prompts";
+import pc6 from "picocolors";
+function registerConfigApplyCommand(cfg) {
+  cfg.command("apply").description("Apply insforge.toml to the live project").option("--file <path>", "path to insforge.toml", "insforge.toml").option("--dry-run", "show plan, do not apply").option("--auto-approve", "skip confirmation prompt").action(async (opts, cmd) => {
+    const { json, yes } = getRootOpts(cmd);
+    try {
+      await requireAuth();
+      const tomlPath = resolve7(process.cwd(), opts.file);
+      const tomlSource = readFileSync12(tomlPath, "utf8");
+      const file = parseConfigToml(tomlSource);
+      const res = await ossFetch("/api/metadata");
+      const raw = await res.json();
+      const live = {
+        auth: { allowed_redirect_urls: raw.auth?.allowedRedirectUrls ?? [] }
+      };
+      const result = diffConfig({ live, file });
+      const approved = opts.autoApprove || yes;
+      if (!json) {
+        console.log(formatPlan(result));
+      }
+      if (result.changes.length === 0 || opts.dryRun) {
+        if (json) {
+          console.log(
+            JSON.stringify({ plan: result, applied: false, dryRun: !!opts.dryRun }, null, 2)
+          );
+        }
+        await reportCliUsage("cli.config.apply", true);
+        return;
+      }
+      if (!approved) {
+        if (json) {
+          throw new CLIError(
+            "Refusing to apply in --json mode without --auto-approve or --yes.",
+            1,
+            "CONFIRMATION_REQUIRED"
+          );
+        }
+        const ok = await p2.confirm({
+          message: "Apply these changes?",
+          initialValue: false
+        });
+        if (!ok || p2.isCancel(ok)) {
+          console.log("Aborted.");
+          await reportCliUsage("cli.config.apply", true);
+          return;
+        }
+      }
+      const applied = [];
+      const skipped = [];
+      for (const change of result.changes) {
+        const path6 = changePath(change);
+        if (!metadataSupports(raw, change)) {
+          skipped.push({
+            key: path6,
+            reason: `your backend doesn't expose ${path6} \u2014 upgrade the project to apply this section`
+          });
+          continue;
+        }
+        await applyChange(change);
+        applied.push(change);
+      }
+      if (json) {
+        console.log(
+          JSON.stringify({ plan: result, applied, skipped }, null, 2)
+        );
+      } else {
+        if (skipped.length) {
+          console.warn(
+            pc6.yellow(`\u26A0 Skipped ${skipped.length} section(s):`) + "\n" + skipped.map((s) => `  - ${s.key}: ${s.reason}`).join("\n")
+          );
+        }
+        if (applied.length) {
+          console.log(
+            `${pc6.green("\u2713")} Applied ${applied.length} of ${result.changes.length} change(s).`
+          );
+        } else {
+          console.log("Nothing applied.");
+        }
+      }
+      await reportCliUsage("cli.config.apply", true);
+    } catch (err) {
+      await reportCliUsage("cli.config.apply", false);
+      handleError(err, json);
+    }
+  });
+}
+async function applyChange(change) {
+  if (change.section === "auth" && change.key === "allowed_redirect_urls") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ allowedRedirectUrls: change.to })
+    });
+    return;
+  }
+  throw new Error(`Unsupported change type: ${change.section}.${change.key}`);
+}
+
+// src/commands/config/index.ts
+function registerConfigCommand(program2) {
+  const cfg = program2.command("config").description("Manage insforge.toml (declarative project configuration)");
+  registerConfigExportCommand(cfg);
+  registerConfigPlanCommand(cfg);
+  registerConfigApplyCommand(cfg);
 }
 
 // src/index.ts
 var __dirname = dirname3(fileURLToPath(import.meta.url));
-var pkg = JSON.parse(readFileSync11(join17(__dirname, "../package.json"), "utf-8"));
+var pkg = JSON.parse(readFileSync13(join17(__dirname, "../package.json"), "utf-8"));
 var INSFORGE_LOGO = `
 \u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D
@@ -9082,6 +9504,7 @@ registerSchedulesCreateCommand(schedulesCmd);
 registerSchedulesUpdateCommand(schedulesCmd);
 registerSchedulesDeleteCommand(schedulesCmd);
 registerSchedulesLogsCommand(schedulesCmd);
+registerConfigCommand(program);
 if (process.argv.length <= 2 && process.stdout.isTTY) {
   await showInteractiveMenu();
 } else {