npm - @insforge/cli - Versions diffs - 0.1.78 → 0.1.80 - Mend

@insforge/cli 0.1.78 → 0.1.80

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 // src/index.ts
-import { readFileSync as readFileSync14 } from "fs";
-import { join as join18, dirname as dirname3 } from "path";
+import { readFileSync as readFileSync12 } from "fs";
+import { join as join15, dirname as dirname2 } from "path";
 import { fileURLToPath } from "url";
 import { Command } from "commander";
 import * as clack18 from "@clack/prompts";
@@ -1172,7 +1172,7 @@ import * as clack5 from "@clack/prompts";
 // src/lib/analytics.ts
 import { PostHog } from "posthog-node";
-var POSTHOG_API_KEY = "";
+var POSTHOG_API_KEY = "phc_ueV1ii62wdBTkH7E70ugyeqHIHu8dFDdjs0qq3TZhJz";
 var POSTHOG_HOST = process.env.POSTHOG_HOST || "https://us.i.posthog.com";
 var client = null;
 function getClient() {
@@ -6961,7 +6961,7 @@ function registerDiagnoseCommands(diagnoseCmd2) {
         const s = !json ? clack15.spinner() : null;
         s?.start("Collecting diagnostic data...");
         const data2 = await collectDiagnosticData(projectId, ossMode, apiUrl);
-        const cliVersion = "0.1.78";
+        const cliVersion = "0.1.80";
         s?.stop("Data collected");
         if (!json) {
           console.log(`
@@ -8325,8 +8325,7 @@ function registerPaymentsCommands(paymentsCmd2) {
 }
 // src/commands/posthog/setup.ts
-import { existsSync as existsSync13, readFileSync as readFileSync10, writeFileSync as writeFileSync8, mkdirSync as mkdirSync3 } from "fs";
-import { join as join16, dirname as dirname2 } from "path";
+import { spawnSync as spawnSync2 } from "child_process";
 import * as clack16 from "@clack/prompts";
 import pc3 from "picocolors";
@@ -8492,200 +8491,19 @@ function sleep(ms, signal) {
   });
 }
-// src/lib/framework-detect.ts
-import { existsSync as existsSync10, readFileSync as readFileSync8 } from "fs";
-import { join as join14 } from "path";
-function contextFromCwd(cwd) {
-  let pkg2 = null;
-  const pkgPath = join14(cwd, "package.json");
-  if (existsSync10(pkgPath)) {
-    try {
-      pkg2 = JSON.parse(readFileSync8(pkgPath, "utf-8"));
-    } catch {
-      pkg2 = null;
-    }
-  }
-  return {
-    hasDir: (rel) => existsSync10(join14(cwd, rel)),
-    pkg: pkg2
-  };
-}
-function hasDep(pkg2, name) {
-  if (!pkg2) return false;
-  return Boolean(pkg2.dependencies?.[name] ?? pkg2.devDependencies?.[name]);
-}
-function detectFramework(ctx) {
-  if (hasDep(ctx.pkg, "next")) {
-    const hasApp = ctx.hasDir("app") || ctx.hasDir("src/app");
-    const hasPages = ctx.hasDir("pages") || ctx.hasDir("src/pages");
-    if (hasApp && !hasPages) return "next-app";
-    if (hasPages && !hasApp) return "next-pages";
-    if (hasApp && hasPages) return "next-app";
-    return "next-app";
-  }
-  if (hasDep(ctx.pkg, "vite") && hasDep(ctx.pkg, "react")) {
-    return "vite-react";
-  }
-  if (hasDep(ctx.pkg, "@sveltejs/kit")) {
-    return "sveltekit";
-  }
-  if (hasDep(ctx.pkg, "astro")) {
-    return "astro";
-  }
-  return null;
-}
-// src/lib/package-manager.ts
-import { existsSync as existsSync11 } from "fs";
-import { join as join15 } from "path";
-import { exec as exec4 } from "child_process";
-import { promisify as promisify5 } from "util";
-var execAsync4 = promisify5(exec4);
-function detectPackageManager(cwd) {
-  if (existsSync11(join15(cwd, "pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync11(join15(cwd, "yarn.lock"))) return "yarn";
-  if (existsSync11(join15(cwd, "bun.lockb")) || existsSync11(join15(cwd, "bun.lock"))) {
-    return "bun";
-  }
-  return "npm";
-}
-function installCommand(pm, pkg2) {
-  switch (pm) {
-    case "pnpm":
-      return `pnpm add ${pkg2}`;
-    case "yarn":
-      return `yarn add ${pkg2}`;
-    case "bun":
-      return `bun add ${pkg2}`;
-    case "npm":
-    default:
-      return `npm install ${pkg2}`;
-  }
-}
-function hasPackage(pkg2, name) {
-  if (!pkg2) return false;
-  return Boolean(pkg2.dependencies?.[name] ?? pkg2.devDependencies?.[name]);
-}
-async function runInstall(pm, pkgName, cwd) {
-  const cmd = installCommand(pm, pkgName);
-  await execAsync4(cmd, { cwd, maxBuffer: 16 * 1024 * 1024 });
-}
-// src/lib/env-writer.ts
-import { existsSync as existsSync12, readFileSync as readFileSync9, writeFileSync as writeFileSync7 } from "fs";
-var KEY_LINE_RE = (key) => (
-  // Match `KEY=...` at the start of a line (allowing leading whitespace).
-  // Captures the value side; we only need the value portion to compare.
-  new RegExp(`^\\s*${key.replace(/[$.*+?^()[\\]{}|]/g, "\\$&")}\\s*=\\s*(.*)$`, "m")
-);
-function stripQuotes(v) {
-  const t = v.trim();
-  if (t.startsWith('"') && t.endsWith('"') && t.length >= 2 || t.startsWith("'") && t.endsWith("'") && t.length >= 2) {
-    return t.slice(1, -1);
-  }
-  const hash = t.indexOf(" #");
-  return hash >= 0 ? t.slice(0, hash).trimEnd() : t;
-}
-function upsertEnvFile(path6, entries) {
-  const exists = existsSync12(path6);
-  let content = exists ? readFileSync9(path6, "utf-8") : "";
-  const result = { added: [], skipped: [], mismatched: [] };
-  const additions = [];
-  for (const [key, value] of Object.entries(entries)) {
-    const re = KEY_LINE_RE(key);
-    const match = content.match(re);
-    if (match) {
-      const existingValue = stripQuotes(match[1] ?? "");
-      if (existingValue === value) {
-        result.skipped.push(key);
-      } else {
-        result.mismatched.push({ key, existingValue, newValue: value });
-      }
-      continue;
-    }
-    additions.push(`${key}=${value}`);
-    result.added.push(key);
-  }
-  if (additions.length > 0) {
-    if (content.length > 0 && !content.endsWith("\n")) {
-      content += "\n";
-    }
-    content += additions.join("\n") + "\n";
-    writeFileSync7(path6, content);
-  } else if (!exists) {
-  }
-  return result;
-}
-// src/templates/posthog/next-app/posthog-provider.tsx.txt
-var posthog_provider_tsx_default = "'use client';\n\nimport { useEffect } from 'react';\nimport posthog from 'posthog-js';\n\n// PostHog client-side provider for the Next.js App Router.\n// Initialises posthog-js exactly once on the client; SSR is skipped because\n// `useEffect` only runs in the browser.\nexport function PostHogProvider({ children }: { children: React.ReactNode }) {\n  useEffect(() => {\n    if (typeof window === 'undefined') return;\n    if (posthog.__loaded) return;\n\n    const key = process.env.NEXT_PUBLIC_POSTHOG_KEY;\n    if (!key) {\n      // Fail closed in production: missing env var \u2192 no init, no events.\n      // Avoids accidentally firing events without a key in CI/preview builds.\n      return;\n    }\n\n    posthog.init(key, {\n      api_host: process.env.NEXT_PUBLIC_POSTHOG_HOST || '{{HOST}}',\n      capture_pageview: true,\n      capture_pageleave: true,\n    });\n  }, []);\n\n  return <>{children}</>;\n}\n";
-// src/templates/posthog/next-app/layout-snippet.tsx.txt
-var layout_snippet_tsx_default = `// Wrap your <body> children with <PostHogProvider> in app/layout.tsx:
-//
-//   import { PostHogProvider } from './posthog-provider';
-//
-//   export default function RootLayout({ children }: { children: React.ReactNode }) {
-//     return (
-//       <html lang="en">
-//         <body>
-//           <PostHogProvider>{children}</PostHogProvider>
-//         </body>
-//       </html>
-//     );
-//   }
-`;
-// src/templates/posthog/next-pages/_app.tsx.txt
-var app_tsx_default = "import type { AppProps } from 'next/app';\nimport { useEffect } from 'react';\nimport posthog from 'posthog-js';\n\nif (typeof window !== 'undefined') {\n  const key = process.env.NEXT_PUBLIC_POSTHOG_KEY;\n  if (key && !posthog.__loaded) {\n    posthog.init(key, {\n      api_host: process.env.NEXT_PUBLIC_POSTHOG_HOST || '{{HOST}}',\n      capture_pageview: true,\n      capture_pageleave: true,\n    });\n  }\n}\n\nexport default function App({ Component, pageProps }: AppProps) {\n  useEffect(() => {\n    // Capture pageviews on client-side route changes.\n    const handleRouteChange = () => posthog.capture('$pageview');\n    if (typeof window !== 'undefined') {\n      window.addEventListener('popstate', handleRouteChange);\n      return () => window.removeEventListener('popstate', handleRouteChange);\n    }\n  }, []);\n\n  return <Component {...pageProps} />;\n}\n";
-// src/templates/posthog/vite-react/main-snippet.tsx.txt
-var main_snippet_tsx_default = "// Add this near the top of src/main.tsx, before ReactDOM.createRoot:\nimport posthog from 'posthog-js';\n\nconst posthogKey = import.meta.env.VITE_PUBLIC_POSTHOG_KEY;\nif (posthogKey) {\n  posthog.init(posthogKey, {\n    api_host: import.meta.env.VITE_PUBLIC_POSTHOG_HOST || '{{HOST}}',\n    capture_pageview: true,\n    capture_pageleave: true,\n  });\n}\n";
-// src/templates/posthog/sveltekit/hooks.client.ts.txt
-var hooks_client_ts_default = "import posthog from 'posthog-js';\nimport { browser } from '$app/environment';\nimport { PUBLIC_POSTHOG_KEY, PUBLIC_POSTHOG_HOST } from '$env/static/public';\n\n// `hooks.client.ts` only runs in the browser, so we don't need an explicit\n// `typeof window` guard. The `browser` import is included so future edits\n// (e.g. moving init to a non-client hook) don't accidentally fire on the server.\nif (browser && PUBLIC_POSTHOG_KEY) {\n  posthog.init(PUBLIC_POSTHOG_KEY, {\n    api_host: PUBLIC_POSTHOG_HOST || '{{HOST}}',\n    capture_pageview: true,\n    capture_pageleave: true,\n  });\n}\n\nexport const handleError = ({ error }: { error: unknown }) => {\n  posthog.capture('$exception', { error: String(error) });\n};\n";
-// src/templates/posthog/astro/posthog-init.ts.txt
-var posthog_init_ts_default = "import posthog from 'posthog-js';\n\n// PostHog client init for Astro. This module runs only in the browser bundle\n// (Astro inlines `client:load` / `<script>` imports into client JS). We still\n// guard with `typeof window` because the same file may be transitively\n// imported during SSR \u2014 the guard prevents init from accidentally running on\n// the server during static generation.\nif (typeof window !== 'undefined') {\n  const key = import.meta.env.PUBLIC_POSTHOG_KEY;\n  if (key) {\n    posthog.init(key, {\n      api_host: import.meta.env.PUBLIC_POSTHOG_HOST || '{{HOST}}',\n      capture_pageview: 'history_change',\n      capture_pageleave: true,\n    });\n  }\n}\n";
-// src/templates/posthog/index.ts
-var templates = {
-  "next-app": {
-    provider: posthog_provider_tsx_default,
-    layoutSnippet: layout_snippet_tsx_default
-  },
-  "next-pages": {
-    app: app_tsx_default
-  },
-  "vite-react": {
-    mainSnippet: main_snippet_tsx_default
-  },
-  sveltekit: {
-    hooks: hooks_client_ts_default
-  },
-  astro: {
-    init: posthog_init_ts_default
-  }
-};
-function renderTemplate(raw, vars) {
-  return raw.replace(/\{\{([A-Z0-9_]+)\}\}/g, (match, key) => {
-    return Object.prototype.hasOwnProperty.call(vars, key) ? vars[key] : match;
-  });
-}
 // src/commands/posthog/setup.ts
 var POLL_INTERVAL_MS4 = 2e3;
 var POLL_TIMEOUT_MS4 = 15 * 60 * 1e3;
 var MAX_TRANSIENT_RETRIES = 5;
+var NPX_COMMAND = process.platform === "win32" ? "npx.cmd" : "npx";
+var WIZARD_COMMAND = `${NPX_COMMAND} -y @posthog/wizard@latest`;
 function registerPosthogSetupCommand(program2) {
-  program2.command("setup").description("Install the PostHog SDK into the current directory app").option("--framework <name>", "Force framework (next-app|next-pages|vite-react|sveltekit|astro)").option("--skip-install", "Do not run the package manager install step").option("--skip-browser", "Do not auto-open the browser; only print the URL").action(async (opts, cmd) => {
+  program2.command("setup").description("Connect PostHog to your InsForge dashboard, then run the official PostHog wizard to wire it into your app").option("--skip-browser", "Do not auto-open the browser for OAuth; only print the URL").action(async (opts, cmd) => {
     const { json, apiUrl } = getRootOpts(cmd);
     try {
       const result = await runSetup({
         json,
         apiUrl,
-        forceFramework: opts.framework,
-        skipInstall: Boolean(opts.skipInstall),
         skipBrowser: Boolean(opts.skipBrowser)
       });
       if (json) {
@@ -8709,62 +8527,60 @@ async function runSetup(opts) {
     clack16.intro("PostHog setup");
     outputSuccess(`Linked to InsForge project: ${proj.project_name} (${proj.project_id})`);
   }
-  const startResult = await startPosthogCliFlow(proj.project_id, token, opts.apiUrl);
-  let conn;
+  const dashboardConnection = await ensureDashboardConnection(proj.project_id, token, opts);
+  if (opts.json) {
+    return {
+      dashboardConnection,
+      wizardSkipped: true,
+      wizardCommand: WIZARD_COMMAND
+    };
+  }
+  outputInfo("Running the official PostHog setup wizard to wire PostHog into your app...");
+  outputInfo(
+    pc3.dim("(it will open a browser for OAuth and let you pick a PostHog project)")
+  );
+  const wizardResult = spawnSync2(NPX_COMMAND, ["-y", "@posthog/wizard@latest"], {
+    stdio: "inherit",
+    env: process.env
+  });
+  if (wizardResult.error) {
+    throw new CLIError(`Failed to launch PostHog wizard: ${wizardResult.error.message}`);
+  }
+  const exitCode = wizardResult.status ?? 1;
+  if (wizardResult.signal === "SIGINT" || exitCode === 130) {
+    clack16.outro("Setup cancelled.");
+    return {
+      dashboardConnection,
+      wizardSkipped: false,
+      wizardExitCode: exitCode
+    };
+  }
+  if (exitCode !== 0) {
+    throw new CLIError(`PostHog wizard exited with code ${exitCode}.`);
+  }
+  clack16.outro("Done. Open the Analytics page in your InsForge dashboard to view data.");
+  return {
+    dashboardConnection,
+    wizardSkipped: false,
+    wizardExitCode: exitCode
+  };
+}
+async function ensureDashboardConnection(projectId, token, opts) {
+  const startResult = await startPosthogCliFlow(projectId, token, opts.apiUrl);
   if (startResult.type === "connected") {
     if (!opts.json) {
-      outputSuccess("PostHog already connected (or auto-provisioned for new user). Continuing...");
+      outputSuccess("PostHog is already connected to your InsForge dashboard.");
     }
-    const fetchResult = await fetchPosthogConnection(proj.project_id, token, opts.apiUrl);
+    const fetchResult = await fetchPosthogConnection(projectId, token, opts.apiUrl);
     if (fetchResult.kind !== "connected") {
       throw new CLIError(
         "cli-start reported connected, but /connection returned not-connected. Try again, or check the dashboard."
       );
     }
-    conn = fetchResult.connection;
-  } else {
-    conn = await runConnectFlow(proj.project_id, token, startResult.authorizeUrl, opts);
+    return "already-connected";
   }
-  if (!conn.apiKey) {
-    throw new CLIError(
-      "Connection succeeded but cloud-backend returned no apiKey. Try again or check the dashboard."
-    );
-  }
-  const framework = resolveFramework(opts);
-  if (framework === null) {
-    return reportNoFramework(conn, opts);
-  }
-  if (!opts.json) outputSuccess(`Detected framework: ${frameworkLabel(framework)}`);
-  const cwd = process.cwd();
-  const ctx = contextFromCwd(cwd);
-  const pm = detectPackageManager(cwd);
-  const alreadyInstalled = hasPackage(ctx.pkg, "posthog-js");
-  let installedSdk = false;
-  if (alreadyInstalled) {
-    if (!opts.json) outputInfo(pc3.dim("posthog-js is already installed \u2014 skipping install."));
-  } else if (opts.skipInstall) {
-    if (!opts.json) {
-      outputInfo(pc3.yellow(`Skipping install. Run manually: ${installCommand(pm, "posthog-js")}`));
-    }
-  } else {
-    installedSdk = await installSdk(pm, cwd, opts);
-  }
-  const filesWritten = [];
-  const notes = [];
-  const envResult = writeForFramework(framework, conn, cwd, filesWritten, notes, opts);
-  if (!opts.json) {
-    if (notes.length > 0) {
-      for (const n of notes) clack16.log.info(n);
-    }
-    clack16.outro("Done. Run your dev server to start sending events.");
-  }
-  return {
-    framework,
-    installedSdk,
-    filesWritten,
-    envWritten: envResult,
-    notes
-  };
+  await runConnectFlow(projectId, token, startResult.authorizeUrl, opts);
+  return "newly-connected";
 }
 async function runConnectFlow(projectId, token, authorizeUrl, opts) {
   if (opts.json) {
@@ -8772,7 +8588,7 @@ async function runConnectFlow(projectId, token, authorizeUrl, opts) {
 `);
     process.stderr.write("Your browser should open automatically. If not, copy the URL above.\n");
   } else {
-    clack16.log.info("PostHog is not connected to this project yet.");
+    clack16.log.info("PostHog is not yet connected to your InsForge dashboard.");
     outputInfo("");
     outputInfo(`Open this URL to authorize PostHog:
   ${pc3.cyan(pc3.underline(authorizeUrl))}`);
@@ -8786,9 +8602,9 @@ async function runConnectFlow(projectId, token, authorizeUrl, opts) {
     }
   }
   const spinner11 = !opts.json && isInteractive ? clack16.spinner() : null;
-  spinner11?.start("Waiting for connection... (timeout: 15 minutes)");
+  spinner11?.start("Waiting for InsForge dashboard connection... (timeout: 15 minutes)");
   try {
-    const conn = await pollPosthogConnection(
+    await pollPosthogConnection(
       projectId,
       token,
       {
@@ -8800,262 +8616,21 @@ async function runConnectFlow(projectId, token, authorizeUrl, opts) {
             const secs = Math.floor(elapsed / 1e3);
             const mins = Math.floor(secs / 60);
             const remaining = `${mins}m ${secs % 60}s elapsed`;
-            spinner11.message(`Waiting for connection... (${remaining})`);
+            spinner11.message(`Waiting for InsForge dashboard connection... (${remaining})`);
           }
         }
       },
       opts.apiUrl
     );
-    spinner11?.stop("Connection received from PostHog.");
-    return conn;
+    spinner11?.stop("InsForge dashboard connection received.");
   } catch (err) {
-    spinner11?.stop("Connection wait failed.");
+    spinner11?.stop("InsForge dashboard connection wait failed.");
     throw err;
   }
 }
-function resolveFramework(opts) {
-  if (opts.forceFramework) {
-    const valid = ["next-app", "next-pages", "vite-react", "sveltekit", "astro"];
-    if (!valid.includes(opts.forceFramework)) {
-      throw new CLIError(
-        `Invalid --framework "${opts.forceFramework}". Valid: ${valid.join(", ")}`
-      );
-    }
-    return opts.forceFramework;
-  }
-  return detectFramework(contextFromCwd(process.cwd()));
-}
-async function installSdk(pm, cwd, opts) {
-  const cmd = installCommand(pm, "posthog-js");
-  const spinner11 = !opts.json && isInteractive ? clack16.spinner() : null;
-  spinner11?.start(`Installing posthog-js (${cmd})...`);
-  try {
-    await runInstall(pm, "posthog-js", cwd);
-    spinner11?.stop("Installed posthog-js.");
-    return true;
-  } catch (err) {
-    spinner11?.stop("Install failed.");
-    if (!opts.json) {
-      clack16.log.warn(
-        `Could not run \`${cmd}\` automatically: ${err.message}
-Run it manually, then re-run \`insforge posthog setup\`.`
-      );
-    }
-    return false;
-  }
-}
-function writeForFramework(framework, conn, cwd, filesWritten, notes, opts) {
-  const host = conn.host || "https://us.posthog.com";
-  const phc = conn.apiKey ?? "";
-  switch (framework) {
-    case "next-app":
-      return writeNextApp(cwd, phc, host, filesWritten, notes, opts);
-    case "next-pages":
-      return writeNextPages(cwd, phc, host, filesWritten, notes, opts);
-    case "vite-react":
-      return writeViteReact(cwd, phc, host, filesWritten, notes, opts);
-    case "sveltekit":
-      return writeSveltekit(cwd, phc, host, filesWritten, notes, opts);
-    case "astro":
-      return writeAstro(cwd, phc, host, filesWritten, notes, opts);
-  }
-}
-function writeNextApp(cwd, phc, host, filesWritten, notes, opts) {
-  const appDir = existsSync13(join16(cwd, "src/app")) ? "src/app" : "app";
-  const providerPath = join16(cwd, appDir, "posthog-provider.tsx");
-  writeIfMissing(
-    providerPath,
-    renderTemplate(templates["next-app"].provider, { HOST: host }),
-    filesWritten,
-    notes,
-    opts
-  );
-  notes.push(
-    `Add the provider to your ${appDir}/layout.tsx:
-${templates["next-app"].layoutSnippet}`
-  );
-  const envFile = ".env.local";
-  return writeEnv(
-    cwd,
-    envFile,
-    {
-      NEXT_PUBLIC_POSTHOG_KEY: phc,
-      NEXT_PUBLIC_POSTHOG_HOST: host
-    },
-    opts
-  );
-}
-function writeNextPages(cwd, phc, host, filesWritten, notes, opts) {
-  const pagesDir = existsSync13(join16(cwd, "src/pages")) ? "src/pages" : "pages";
-  const appPath = join16(cwd, pagesDir, "_app.tsx");
-  writeIfMissing(
-    appPath,
-    renderTemplate(templates["next-pages"].app, { HOST: host }),
-    filesWritten,
-    notes,
-    opts,
-    "pages/_app.tsx already exists. Open it and add `posthog.init(...)` near the top \u2014 see PostHog Next.js docs."
-  );
-  const envFile = ".env.local";
-  return writeEnv(
-    cwd,
-    envFile,
-    {
-      NEXT_PUBLIC_POSTHOG_KEY: phc,
-      NEXT_PUBLIC_POSTHOG_HOST: host
-    },
-    opts
-  );
-}
-function writeViteReact(cwd, phc, host, _filesWritten, notes, opts) {
-  notes.push(
-    `Add this snippet near the top of src/main.tsx:
-${renderTemplate(templates["vite-react"].mainSnippet, { HOST: host })}`
-  );
-  const envFile = ".env";
-  return writeEnv(
-    cwd,
-    envFile,
-    {
-      VITE_PUBLIC_POSTHOG_KEY: phc,
-      VITE_PUBLIC_POSTHOG_HOST: host
-    },
-    opts
-  );
-}
-function writeSveltekit(cwd, phc, host, filesWritten, notes, opts) {
-  const hooksPath = join16(cwd, "src/hooks.client.ts");
-  writeIfMissing(
-    hooksPath,
-    renderTemplate(templates.sveltekit.hooks, { HOST: host }),
-    filesWritten,
-    notes,
-    opts,
-    "src/hooks.client.ts already exists. Add `posthog.init(...)` to it \u2014 see PostHog SvelteKit docs."
-  );
-  const envFile = ".env";
-  return writeEnv(
-    cwd,
-    envFile,
-    {
-      PUBLIC_POSTHOG_KEY: phc,
-      PUBLIC_POSTHOG_HOST: host
-    },
-    opts
-  );
-}
-function writeAstro(cwd, phc, host, filesWritten, notes, opts) {
-  const initPath = join16(cwd, "src/lib/posthog.ts");
-  writeIfMissing(
-    initPath,
-    renderTemplate(templates.astro.init, { HOST: host }),
-    filesWritten,
-    notes,
-    opts,
-    "src/lib/posthog.ts already exists. Add `posthog.init(...)` per PostHog Astro docs."
-  );
-  notes.push(
-    `Import the init module from your layout to load it on the client:
-  // src/layouts/Layout.astro (inside <head> or <body>)
-  <script>import '../lib/posthog';</script>`
-  );
-  const envFile = ".env";
-  return writeEnv(
-    cwd,
-    envFile,
-    {
-      PUBLIC_POSTHOG_KEY: phc,
-      PUBLIC_POSTHOG_HOST: host
-    },
-    opts
-  );
-}
-function writeIfMissing(filePath, contents, filesWritten, notes, opts, conflictNote) {
-  if (existsSync13(filePath)) {
-    const existing = readFileSync10(filePath, "utf-8");
-    if (existing.includes("posthog.init")) {
-      if (!opts.json) {
-        outputInfo(pc3.dim(`${relative3(filePath)} already calls posthog.init \u2014 leaving it alone.`));
-      }
-      return;
-    }
-    if (conflictNote) notes.push(conflictNote);
-    if (!opts.json) {
-      outputInfo(
-        pc3.yellow(
-          `${relative3(filePath)} exists. Skipped writing \u2014 see notes below for manual changes.`
-        )
-      );
-    }
-    return;
-  }
-  mkdirSync3(dirname2(filePath), { recursive: true });
-  writeFileSync8(filePath, contents);
-  filesWritten.push(filePath);
-  if (!opts.json) outputSuccess(`Wrote ${relative3(filePath)}`);
-}
-function writeEnv(cwd, envFile, entries, opts) {
-  const path6 = join16(cwd, envFile);
-  const r = upsertEnvFile(path6, entries);
-  if (!opts.json) {
-    if (r.added.length > 0) {
-      outputSuccess(`Wrote ${envFile}: ${r.added.join(", ")}`);
-    }
-    if (r.skipped.length > 0) {
-      outputInfo(
-        pc3.dim(`${envFile}: ${r.skipped.join(", ")} already set (matching) \u2014 left as-is.`)
-      );
-    }
-    for (const m of r.mismatched) {
-      clack16.log.warn(
-        `${envFile} has ${m.key}=${pc3.dim(m.existingValue)}, expected ${m.newValue}. Left existing value untouched.`
-      );
-    }
-  }
-  return {
-    file: envFile,
-    added: r.added,
-    mismatched: r.mismatched.map((m) => m.key)
-  };
-}
-function reportNoFramework(conn, opts) {
-  if (!opts.json) {
-    clack16.log.warn("No supported framework detected in this directory.");
-    outputInfo("");
-    outputInfo(`Your PostHog public key:  ${pc3.cyan(conn.apiKey ?? "(missing)")}`);
-    outputInfo(`Your PostHog host:        ${conn.host ?? "https://us.posthog.com"}`);
-    outputInfo("");
-    outputInfo("See https://posthog.com/docs/libraries to install the SDK manually.");
-    clack16.outro("Done.");
-  }
-  return {
-    framework: null,
-    installedSdk: false,
-    filesWritten: [],
-    envWritten: { file: "", added: [], mismatched: [] },
-    notes: ["No supported framework detected."]
-  };
-}
-function frameworkLabel(framework) {
-  switch (framework) {
-    case "next-app":
-      return "Next.js (App Router)";
-    case "next-pages":
-      return "Next.js (Pages Router)";
-    case "vite-react":
-      return "Vite + React";
-    case "sveltekit":
-      return "SvelteKit";
-    case "astro":
-      return "Astro";
-  }
-}
-function relative3(p3) {
-  return p3.replace(process.cwd() + "/", "");
-}
 // src/commands/config/export.ts
-import { writeFileSync as writeFileSync9, existsSync as existsSync14 } from "fs";
+import { writeFileSync as writeFileSync7, existsSync as existsSync10 } from "fs";
 import { resolve as resolve5 } from "path";
 import * as p from "@clack/prompts";
 import pc4 from "picocolors";
@@ -9190,9 +8765,67 @@ function validateAuth(input) {
     }
     out.allowed_redirect_urls = v;
   }
+  if ("require_email_verification" in obj) {
+    if (typeof obj.require_email_verification !== "boolean") {
+      throw new ConfigValidationError(
+        "auth.require_email_verification",
+        "must be a boolean"
+      );
+    }
+    out.require_email_verification = obj.require_email_verification;
+  }
+  if ("verify_email_method" in obj) {
+    out.verify_email_method = validateVerificationMethod(
+      "auth.verify_email_method",
+      obj.verify_email_method
+    );
+  }
+  if ("reset_password_method" in obj) {
+    out.reset_password_method = validateVerificationMethod(
+      "auth.reset_password_method",
+      obj.reset_password_method
+    );
+  }
+  if ("password" in obj) out.password = validatePassword(obj.password);
   if ("smtp" in obj) out.smtp = validateSmtp(obj.smtp);
   return out;
 }
+function validateVerificationMethod(path6, value) {
+  if (value !== "code" && value !== "link") {
+    throw new ConfigValidationError(path6, 'must be "code" or "link"');
+  }
+  return value;
+}
+function validatePassword(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("auth.password", "must be a table");
+  }
+  const obj = input;
+  const out = {};
+  if ("min_length" in obj) {
+    if (typeof obj.min_length !== "number" || !Number.isInteger(obj.min_length) || obj.min_length < 4 || obj.min_length > 128) {
+      throw new ConfigValidationError(
+        "auth.password.min_length",
+        "must be an integer between 4 and 128"
+      );
+    }
+    out.min_length = obj.min_length;
+  }
+  for (const key of [
+    "require_number",
+    "require_lowercase",
+    "require_uppercase",
+    "require_special_char"
+  ]) {
+    if (key in obj) {
+      if (typeof obj[key] !== "boolean") {
+        throw new ConfigValidationError(`auth.password.${key}`, "must be a boolean");
+      }
+      out[key] = obj[key];
+    }
+  }
+  return out;
+}
 function validateSmtp(input) {
   if (input === null || typeof input !== "object" || Array.isArray(input)) {
     throw new ConfigValidationError("auth.smtp", "must be a table");
@@ -9275,11 +8908,13 @@ function stringifyConfigToml(config) {
   }
   if (config.auth) {
     lines.push("[auth]");
-    if (config.auth.allowed_redirect_urls !== void 0) {
-      const urls = config.auth.allowed_redirect_urls.map((u) => JSON.stringify(u)).join(", ");
-      lines.push(`allowed_redirect_urls = [${urls}]`);
-    }
+    renderAuthFlatFields(config.auth, lines);
     lines.push("");
+    if (config.auth.password !== void 0) {
+      lines.push("[auth.password]");
+      renderPasswordFields(config.auth.password, lines);
+      lines.push("");
+    }
     if (config.auth.smtp !== void 0) {
       lines.push("[auth.smtp]");
       renderSmtpFields(config.auth.smtp, lines);
@@ -9295,6 +8930,34 @@ function stringifyConfigToml(config) {
   }
   return lines.join("\n").replace(/\n+$/, "\n");
 }
+function renderAuthFlatFields(auth, lines) {
+  if (auth.allowed_redirect_urls !== void 0) {
+    const urls = auth.allowed_redirect_urls.map((u) => JSON.stringify(u)).join(", ");
+    lines.push(`allowed_redirect_urls = [${urls}]`);
+  }
+  if (auth.require_email_verification !== void 0) {
+    lines.push(`require_email_verification = ${auth.require_email_verification}`);
+  }
+  if (auth.verify_email_method !== void 0) {
+    lines.push(`verify_email_method = ${JSON.stringify(auth.verify_email_method)}`);
+  }
+  if (auth.reset_password_method !== void 0) {
+    lines.push(`reset_password_method = ${JSON.stringify(auth.reset_password_method)}`);
+  }
+}
+function renderPasswordFields(pw, lines) {
+  if (pw.min_length !== void 0) lines.push(`min_length = ${pw.min_length}`);
+  if (pw.require_number !== void 0) lines.push(`require_number = ${pw.require_number}`);
+  if (pw.require_lowercase !== void 0) {
+    lines.push(`require_lowercase = ${pw.require_lowercase}`);
+  }
+  if (pw.require_uppercase !== void 0) {
+    lines.push(`require_uppercase = ${pw.require_uppercase}`);
+  }
+  if (pw.require_special_char !== void 0) {
+    lines.push(`require_special_char = ${pw.require_special_char}`);
+  }
+}
 function renderSmtpFields(smtp, lines) {
   if (smtp.enabled !== void 0) lines.push(`enabled = ${smtp.enabled}`);
   if (smtp.host !== void 0) lines.push(`host = ${JSON.stringify(smtp.host)}`);
@@ -9318,6 +8981,132 @@ function renderSmtpFields(smtp, lines) {
   }
 }
+// src/lib/config-metadata.ts
+function liveFromMetadata(raw) {
+  const live = { auth: {} };
+  const a = isPlainObject(raw.auth) ? raw.auth : void 0;
+  if (a && "allowedRedirectUrls" in a) {
+    live.auth.allowed_redirect_urls = asStringArray(a.allowedRedirectUrls) ?? [];
+  }
+  if (a && "requireEmailVerification" in a) {
+    live.auth.require_email_verification = a.requireEmailVerification ?? false;
+  }
+  if (a && "verifyEmailMethod" in a && (a.verifyEmailMethod === "code" || a.verifyEmailMethod === "link")) {
+    live.auth.verify_email_method = a.verifyEmailMethod;
+  }
+  if (a && "resetPasswordMethod" in a && (a.resetPasswordMethod === "code" || a.resetPasswordMethod === "link")) {
+    live.auth.reset_password_method = a.resetPasswordMethod;
+  }
+  if (a && ("passwordMinLength" in a || "requireNumber" in a || "requireLowercase" in a || "requireUppercase" in a || "requireSpecialChar" in a)) {
+    live.auth.password = {
+      min_length: a.passwordMinLength ?? 8,
+      require_number: a.requireNumber ?? false,
+      require_lowercase: a.requireLowercase ?? false,
+      require_uppercase: a.requireUppercase ?? false,
+      require_special_char: a.requireSpecialChar ?? false
+    };
+  }
+  if (isPlainObject(a?.smtpConfig)) {
+    const s = a.smtpConfig;
+    live.auth.smtp = {
+      enabled: s.enabled ?? false,
+      host: s.host ?? "",
+      port: s.port ?? 587,
+      username: s.username ?? "",
+      hasPassword: s.hasPassword ?? false,
+      sender_email: s.senderEmail ?? "",
+      sender_name: s.senderName ?? "",
+      min_interval_seconds: s.minIntervalSeconds ?? 60
+    };
+  }
+  const d = isPlainObject(raw.deployments) ? raw.deployments : void 0;
+  if (d) {
+    live.deployments = {
+      subdomain: typeof d.customSlug === "string" && d.customSlug ? d.customSlug : null
+    };
+  }
+  return live;
+}
+function isPlainObject(v) {
+  return v !== null && typeof v === "object" && !Array.isArray(v);
+}
+function asStringArray(v) {
+  return Array.isArray(v) && v.every((x) => typeof x === "string") ? v : null;
+}
+function configFromMetadata(raw) {
+  const config = {};
+  const skipped = [];
+  const a = isPlainObject(raw.auth) ? raw.auth : void 0;
+  if (a && "allowedRedirectUrls" in a) {
+    config.auth = config.auth ?? {};
+    config.auth.allowed_redirect_urls = asStringArray(a.allowedRedirectUrls) ?? [];
+  } else {
+    skipped.push("auth.allowed_redirect_urls");
+  }
+  if (a && "requireEmailVerification" in a) {
+    config.auth = config.auth ?? {};
+    config.auth.require_email_verification = a.requireEmailVerification ?? false;
+  } else {
+    skipped.push("auth.require_email_verification");
+  }
+  if (a && "verifyEmailMethod" in a && (a.verifyEmailMethod === "code" || a.verifyEmailMethod === "link")) {
+    config.auth = config.auth ?? {};
+    config.auth.verify_email_method = a.verifyEmailMethod;
+  } else {
+    skipped.push("auth.verify_email_method");
+  }
+  if (a && "resetPasswordMethod" in a && (a.resetPasswordMethod === "code" || a.resetPasswordMethod === "link")) {
+    config.auth = config.auth ?? {};
+    config.auth.reset_password_method = a.resetPasswordMethod;
+  } else {
+    skipped.push("auth.reset_password_method");
+  }
+  if (a && ("passwordMinLength" in a || "requireNumber" in a || "requireLowercase" in a || "requireUppercase" in a || "requireSpecialChar" in a)) {
+    config.auth = config.auth ?? {};
+    config.auth.password = {};
+    if ("passwordMinLength" in a) config.auth.password.min_length = a.passwordMinLength ?? 8;
+    if ("requireNumber" in a) config.auth.password.require_number = a.requireNumber ?? false;
+    if ("requireLowercase" in a) config.auth.password.require_lowercase = a.requireLowercase ?? false;
+    if ("requireUppercase" in a) config.auth.password.require_uppercase = a.requireUppercase ?? false;
+    if ("requireSpecialChar" in a) {
+      config.auth.password.require_special_char = a.requireSpecialChar ?? false;
+    }
+  } else {
+    skipped.push("auth.password");
+  }
+  if (a && "smtpConfig" in a) {
+    const s = a.smtpConfig;
+    if (isPlainObject(s)) {
+      config.auth = config.auth ?? {};
+      config.auth.smtp = {
+        enabled: s.enabled ?? false,
+        host: s.host ?? "",
+        port: s.port ?? 587,
+        username: s.username ?? "",
+        // When backend has a password set, emit a deterministic env() placeholder
+        // so the user knows which secret to define. We do NOT round-trip the
+        // value (it never leaves the backend). Re-applying this TOML force-resends
+        // from the secrets store — see config-diff.ts for the force-resend rationale.
+        ...s.hasPassword ? { password: "env(SMTP_PASSWORD)" } : {},
+        sender_email: s.senderEmail ?? "",
+        sender_name: s.senderName ?? "",
+        min_interval_seconds: s.minIntervalSeconds ?? 60
+      };
+    }
+  } else {
+    skipped.push("auth.smtp");
+  }
+  const d = isPlainObject(raw.deployments) ? raw.deployments : void 0;
+  if (d) {
+    if (typeof d.customSlug === "string" && d.customSlug) {
+      config.deployments = { subdomain: d.customSlug };
+    }
+  } else {
+    skipped.push("deployments.subdomain");
+  }
+  return { config, skipped };
+}
 // src/commands/config/export.ts
 function registerConfigExportCommand(cfg) {
   cfg.command("export").description("Pull live project config and write insforge.toml").option("--out <path>", "output path", "insforge.toml").option("--force", "overwrite without confirmation").action(async (opts, cmd) => {
@@ -9325,7 +9114,7 @@ function registerConfigExportCommand(cfg) {
     try {
       await requireAuth();
       const target = resolve5(process.cwd(), opts.out);
-      if (existsSync14(target) && !opts.force) {
+      if (existsSync10(target) && !opts.force) {
         if (json) {
           throw new CLIError(
             `${opts.out} exists. Re-run with --force to overwrite.`,
@@ -9344,46 +9133,9 @@ function registerConfigExportCommand(cfg) {
       }
       const res = await ossFetch("/api/metadata");
       const raw = await res.json();
-      const config = {};
-      const skipped = [];
-      const authSlice = raw?.auth;
-      if (authSlice && typeof authSlice === "object" && "allowedRedirectUrls" in authSlice) {
-        config.auth = config.auth ?? {};
-        config.auth.allowed_redirect_urls = authSlice.allowedRedirectUrls ?? [];
-      } else {
-        skipped.push("auth.allowed_redirect_urls");
-      }
-      if (authSlice && typeof authSlice === "object" && "smtpConfig" in authSlice && authSlice.smtpConfig) {
-        const s = authSlice.smtpConfig;
-        config.auth = config.auth ?? {};
-        config.auth.smtp = {
-          enabled: s.enabled ?? false,
-          host: s.host ?? "",
-          port: s.port ?? 587,
-          username: s.username ?? "",
-          // When backend has a password set, emit a deterministic env()
-          // placeholder so the user knows which secret to define. We do
-          // NOT round-trip the value (it never leaves the backend).
-          // Re-applying this TOML force-resends from the secrets store
-          // — see config-diff.ts for the force-resend rationale.
-          ...s.hasPassword ? { password: "env(SMTP_PASSWORD)" } : {},
-          sender_email: s.senderEmail ?? "",
-          sender_name: s.senderName ?? "",
-          min_interval_seconds: s.minIntervalSeconds ?? 60
-        };
-      } else {
-        skipped.push("auth.smtp");
-      }
-      const deploymentsSlice = raw?.deployments;
-      if (deploymentsSlice && typeof deploymentsSlice === "object") {
-        if (typeof deploymentsSlice.customSlug === "string" && deploymentsSlice.customSlug) {
-          config.deployments = { subdomain: deploymentsSlice.customSlug };
-        }
-      } else {
-        skipped.push("deployments.subdomain");
-      }
+      const { config, skipped } = configFromMetadata(raw);
       const toml = stringifyConfigToml(config);
-      writeFileSync9(target, toml, "utf8");
+      writeFileSync7(target, toml, "utf8");
       if (json) {
         console.log(JSON.stringify({ written: target, config, skipped }, null, 2));
       } else {
@@ -9405,7 +9157,7 @@ function registerConfigExportCommand(cfg) {
 }
 // src/commands/config/plan.ts
-import { readFileSync as readFileSync11 } from "fs";
+import { readFileSync as readFileSync8 } from "fs";
 import { resolve as resolve6 } from "path";
 import pc5 from "picocolors";
@@ -9427,6 +9179,48 @@ function diffConfig({ live, file }) {
       });
     }
   }
+  if (fileAuth && "require_email_verification" in fileAuth) {
+    const fromV = liveAuth.require_email_verification ?? false;
+    const toV = fileAuth.require_email_verification ?? false;
+    if (fromV !== toV) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "require_email_verification",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth && "verify_email_method" in fileAuth && fileAuth.verify_email_method) {
+    const fromV = liveAuth.verify_email_method ?? "code";
+    const toV = fileAuth.verify_email_method;
+    if (fromV !== toV) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "verify_email_method",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth && "reset_password_method" in fileAuth && fileAuth.reset_password_method) {
+    const fromV = liveAuth.reset_password_method ?? "code";
+    const toV = fileAuth.reset_password_method;
+    if (fromV !== toV) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "reset_password_method",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth?.password) {
+    diffPassword(liveAuth.password, fileAuth.password, changes);
+  }
   if (fileAuth?.smtp !== void 0) {
     const smtpChange = diffSmtp(liveAuth.smtp, fileAuth.smtp);
     if (smtpChange) changes.push(smtpChange);
@@ -9436,7 +9230,7 @@ function diffConfig({ live, file }) {
   if (fileDeployments && "subdomain" in fileDeployments) {
     const fromV = liveDeployments.subdomain ?? null;
     const rawTo = fileDeployments.subdomain;
-    const toV = rawTo === null || rawTo === "" ? null : rawTo;
+    const toV = rawTo === null || rawTo === void 0 || rawTo === "" ? null : rawTo;
     if (fromV !== toV) {
       changes.push({
         section: "deployments",
@@ -9449,6 +9243,36 @@ function diffConfig({ live, file }) {
   }
   return { changes, summary: summarize(changes) };
 }
+function diffPassword(live, file, changes) {
+  const liveView = live ?? EMPTY_PASSWORD_POLICY;
+  if (file.min_length !== void 0 && liveView.min_length !== file.min_length) {
+    changes.push({
+      section: "auth.password",
+      op: "modify",
+      key: "min_length",
+      from: liveView.min_length,
+      to: file.min_length
+    });
+  }
+  for (const key of [
+    "require_number",
+    "require_lowercase",
+    "require_uppercase",
+    "require_special_char"
+  ]) {
+    const fromV = liveView[key];
+    const toV = file[key];
+    if (toV !== void 0 && fromV !== toV) {
+      changes.push({
+        section: "auth.password",
+        op: "modify",
+        key,
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+}
 function diffSmtp(live, fileSmtp) {
   const livedView = renderLiveSmtp(live);
   const tomlView = renderFileSmtp(fileSmtp);
@@ -9507,6 +9331,13 @@ var EMPTY_SMTP_VIEW = {
   sender_name: "",
   min_interval_seconds: 60
 };
+var EMPTY_PASSWORD_POLICY = {
+  min_length: 8,
+  require_number: false,
+  require_lowercase: false,
+  require_uppercase: false,
+  require_special_char: false
+};
 function summarize(changes) {
   const s = { add: 0, modify: 0, remove: 0, kept: 0 };
   for (const c of changes) {
@@ -9582,10 +9413,22 @@ function formatChange(c) {
 // src/lib/config-capabilities.ts
 function metadataSupports(raw, change) {
   if (change.section === "auth" && change.key === "allowed_redirect_urls") {
-    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "allowedRedirectUrls" in raw.auth;
+    return hasAuthKey(raw, "allowedRedirectUrls");
+  }
+  if (change.section === "auth" && change.key === "require_email_verification") {
+    return hasAuthKey(raw, "requireEmailVerification");
+  }
+  if (change.section === "auth" && change.key === "verify_email_method") {
+    return hasAuthKey(raw, "verifyEmailMethod");
+  }
+  if (change.section === "auth" && change.key === "reset_password_method") {
+    return hasAuthKey(raw, "resetPasswordMethod");
+  }
+  if (change.section === "auth.password") {
+    return hasAuthKey(raw, AUTH_PASSWORD_WIRE_KEY[change.key]);
   }
   if (change.section === "auth.smtp") {
-    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "smtpConfig" in raw.auth;
+    return hasAuthKey(raw, "smtpConfig");
   }
   if (change.section === "deployments" && change.key === "subdomain") {
     return raw?.deployments !== void 0 && raw.deployments !== null && typeof raw.deployments === "object";
@@ -9594,10 +9437,24 @@ function metadataSupports(raw, change) {
   void _exhaustive;
   return false;
 }
+function hasAuthKey(raw, key) {
+  const auth = raw?.auth;
+  return auth !== void 0 && auth !== null && typeof auth === "object" && key in auth;
+}
+var AUTH_PASSWORD_WIRE_KEY = {
+  min_length: "passwordMinLength",
+  require_number: "requireNumber",
+  require_lowercase: "requireLowercase",
+  require_uppercase: "requireUppercase",
+  require_special_char: "requireSpecialChar"
+};
 function changePath(change) {
   if (change.section === "auth.smtp") return "auth.smtp";
   return `${change.section}.${change.key}`;
 }
+function authPasswordWireKey(key) {
+  return AUTH_PASSWORD_WIRE_KEY[key];
+}
 // src/commands/config/plan.ts
 function registerConfigPlanCommand(cfg) {
@@ -9606,13 +9463,11 @@ function registerConfigPlanCommand(cfg) {
     try {
       await requireAuth();
       const tomlPath = resolve6(process.cwd(), opts.file);
-      const tomlSource = readFileSync11(tomlPath, "utf8");
+      const tomlSource = readFileSync8(tomlPath, "utf8");
       const file = parseConfigToml(tomlSource);
       const res = await ossFetch("/api/metadata");
       const raw = await res.json();
-      const live = {
-        auth: { allowed_redirect_urls: raw.auth?.allowedRedirectUrls ?? [] }
-      };
+      const live = liveFromMetadata(raw);
       const result = diffConfig({ live, file });
       const skipped = result.changes.filter((c) => !metadataSupports(raw, c)).map((c) => changePath(c));
       if (json) {
@@ -9636,7 +9491,7 @@ function registerConfigPlanCommand(cfg) {
 }
 // src/commands/config/apply.ts
-import { readFileSync as readFileSync12 } from "fs";
+import { readFileSync as readFileSync9 } from "fs";
 import { resolve as resolve7 } from "path";
 import * as p2 from "@clack/prompts";
 import pc6 from "picocolors";
@@ -9646,7 +9501,7 @@ function registerConfigApplyCommand(cfg) {
     try {
       await requireAuth();
       const tomlPath = resolve7(process.cwd(), opts.file);
-      const tomlSource = readFileSync12(tomlPath, "utf8");
+      const tomlSource = readFileSync9(tomlPath, "utf8");
       const file = parseConfigToml(tomlSource);
       const res = await ossFetch("/api/metadata");
       const raw = await res.json();
@@ -9722,29 +9577,6 @@ function registerConfigApplyCommand(cfg) {
     }
   });
 }
-function liveFromMetadata(raw) {
-  const live = { auth: {} };
-  if (raw.auth?.allowedRedirectUrls !== void 0) {
-    live.auth.allowed_redirect_urls = raw.auth.allowedRedirectUrls;
-  }
-  if (raw.auth?.smtpConfig) {
-    const s = raw.auth.smtpConfig;
-    live.auth.smtp = {
-      enabled: s.enabled ?? false,
-      host: s.host ?? "",
-      port: s.port ?? 587,
-      username: s.username ?? "",
-      hasPassword: s.hasPassword ?? false,
-      sender_email: s.senderEmail ?? "",
-      sender_name: s.senderName ?? "",
-      min_interval_seconds: s.minIntervalSeconds ?? 60
-    };
-  }
-  if (raw.deployments) {
-    live.deployments = { subdomain: raw.deployments.customSlug ?? null };
-  }
-  return live;
-}
 async function applyChange(change) {
   if (change.section === "auth" && change.key === "allowed_redirect_urls") {
     await ossFetch("/api/auth/config", {
@@ -9753,6 +9585,35 @@ async function applyChange(change) {
     });
     return;
   }
+  if (change.section === "auth" && change.key === "require_email_verification") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ requireEmailVerification: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth" && change.key === "verify_email_method") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ verifyEmailMethod: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth" && change.key === "reset_password_method") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ resetPasswordMethod: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth.password") {
+    const wireKey = authPasswordWireKey(change.key);
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ [wireKey]: change.to })
+    });
+    return;
+  }
   if (change.section === "auth.smtp") {
     const to = change.to;
     const body = {
@@ -9797,8 +9658,8 @@ function registerConfigCommand(program2) {
 }
 // src/commands/ai/setup.ts
-import { appendFileSync as appendFileSync2, existsSync as existsSync15, readFileSync as readFileSync13 } from "fs";
-import { isAbsolute, join as join17, relative as relative4, resolve as resolve8 } from "path";
+import { appendFileSync as appendFileSync2, existsSync as existsSync12, readFileSync as readFileSync11 } from "fs";
+import { isAbsolute, join as join14, relative as relative3, resolve as resolve8 } from "path";
 import * as clack17 from "@clack/prompts";
 import pc7 from "picocolors";
@@ -9819,6 +9680,52 @@ async function getOpenRouterApiKey() {
   };
 }
+// src/lib/env-writer.ts
+import { existsSync as existsSync11, readFileSync as readFileSync10, writeFileSync as writeFileSync8 } from "fs";
+var KEY_LINE_RE = (key) => (
+  // Match `KEY=...` at the start of a line (allowing leading whitespace).
+  // Captures the value side; we only need the value portion to compare.
+  new RegExp(`^\\s*${key.replace(/[$.*+?^()[\\]{}|]/g, "\\$&")}\\s*=\\s*(.*)$`, "m")
+);
+function stripQuotes(v) {
+  const t = v.trim();
+  if (t.startsWith('"') && t.endsWith('"') && t.length >= 2 || t.startsWith("'") && t.endsWith("'") && t.length >= 2) {
+    return t.slice(1, -1);
+  }
+  const hash = t.indexOf(" #");
+  return hash >= 0 ? t.slice(0, hash).trimEnd() : t;
+}
+function upsertEnvFile(path6, entries) {
+  const exists = existsSync11(path6);
+  let content = exists ? readFileSync10(path6, "utf-8") : "";
+  const result = { added: [], skipped: [], mismatched: [] };
+  const additions = [];
+  for (const [key, value] of Object.entries(entries)) {
+    const re = KEY_LINE_RE(key);
+    const match = content.match(re);
+    if (match) {
+      const existingValue = stripQuotes(match[1] ?? "");
+      if (existingValue === value) {
+        result.skipped.push(key);
+      } else {
+        result.mismatched.push({ key, existingValue, newValue: value });
+      }
+      continue;
+    }
+    additions.push(`${key}=${value}`);
+    result.added.push(key);
+  }
+  if (additions.length > 0) {
+    if (content.length > 0 && !content.endsWith("\n")) {
+      content += "\n";
+    }
+    content += additions.join("\n") + "\n";
+    writeFileSync8(path6, content);
+  } else if (!exists) {
+  }
+  return result;
+}
 // src/commands/ai/setup.ts
 var DEFAULT_ENV_FILE = ".env.local";
 var OPENROUTER_ENV_KEY = "OPENROUTER_API_KEY";
@@ -9910,7 +9817,7 @@ async function runAiSetup(opts) {
   };
 }
 function displayPath(path6) {
-  const rel = relative4(process.cwd(), path6);
+  const rel = relative3(process.cwd(), path6);
   if (!rel || rel.startsWith("..") || isAbsolute(rel)) {
     return path6;
   }
@@ -9924,12 +9831,12 @@ function isLocalEnvFile(envFile) {
 function ensureLocalEnvIgnored(cwd, envFile) {
   if (!isLocalEnvFile(envFile)) return false;
   const envPath = resolve8(cwd, envFile);
-  const relEnvPath = relative4(cwd, envPath);
+  const relEnvPath = relative3(cwd, envPath);
   if (!relEnvPath || relEnvPath.startsWith("..") || isAbsolute(relEnvPath)) {
     return false;
   }
-  const gitignorePath = join17(cwd, ".gitignore");
-  const existing = existsSync15(gitignorePath) ? readFileSync13(gitignorePath, "utf-8") : "";
+  const gitignorePath = join14(cwd, ".gitignore");
+  const existing = existsSync12(gitignorePath) ? readFileSync11(gitignorePath, "utf-8") : "";
   const lines = new Set(existing.split(/\r?\n/).map((line) => line.trim()));
   const envBasename = envFile.replace(/\\/g, "/").split("/").pop() ?? envFile;
   if (lines.has(".env*") || lines.has(".env.*") || lines.has(".env*.local") || lines.has(".env.local") && envBasename === ".env.local") {
@@ -9949,8 +9856,8 @@ function registerAiCommands(aiCmd2) {
 }
 // src/index.ts
-var __dirname = dirname3(fileURLToPath(import.meta.url));
-var pkg = JSON.parse(readFileSync14(join18(__dirname, "../package.json"), "utf-8"));
+var __dirname = dirname2(fileURLToPath(import.meta.url));
+var pkg = JSON.parse(readFileSync12(join15(__dirname, "../package.json"), "utf-8"));
 var INSFORGE_LOGO = `
 \u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D