@iqauth/sdk 2.0.0

package/dist/chunk-X3K3WOBR.mjs

@@ -0,0 +1,64 @@
+// src/cli/util.ts
+import { readFile, access } from "fs/promises";
+function parseFlags(argv) {
+  const flags = /* @__PURE__ */ new Map();
+  const bools = /* @__PURE__ */ new Set();
+  const positional = [];
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg.startsWith("--")) {
+      const key = arg.slice(2);
+      const next = argv[i + 1];
+      if (next && !next.startsWith("--")) {
+        flags.set(key, next);
+        i++;
+      } else {
+        bools.add(key);
+      }
+    } else {
+      positional.push(arg);
+    }
+  }
+  return { flags, bools, positional };
+}
+async function loadEnv(path = ".env") {
+  try {
+    await access(path);
+  } catch {
+    return { ...process.env };
+  }
+  const raw = await readFile(path, "utf8");
+  const out = { ...process.env };
+  for (const line of raw.split(/\r?\n/)) {
+    const m = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/);
+    if (!m) continue;
+    let val = m[2];
+    if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
+      val = val.slice(1, -1);
+    }
+    if (out[m[1]] === void 0) out[m[1]] = val;
+  }
+  return out;
+}
+async function callApi(baseUrl, path, init = {}) {
+  const headers = { "Content-Type": "application/json", ...init.headers };
+  if (init.token) headers["Authorization"] = `Bearer ${init.token}`;
+  const res = await fetch(`${baseUrl.replace(/\/+$/, "")}${path}`, { ...init, headers });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || json.success === false) {
+    const code = json.error?.code || res.status;
+    const msg = json.error?.message || res.statusText;
+    throw new Error(`${path} \u2192 ${code}: ${msg}`);
+  }
+  return json.data ?? json;
+}
+function symbol(ok) {
+  return ok ? "\u2713" : "\u2717";
+}
+
+export {
+  parseFlags,
+  loadEnv,
+  callApi,
+  symbol
+};

package/dist/chunk-Y6FXYEAI.mjs

@@ -0,0 +1,10 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+export {
+  __require
+};

package/dist/cli/index.d.mts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/cli/index.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/cli/index.js

@@ -0,0 +1,581 @@
+#!/usr/bin/env node
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/cli/init.ts
+var init_exports = {};
+function parseArgs(argv) {
+  const get = (key, def) => {
+    const idx = argv.indexOf(`--${key}`);
+    if (idx >= 0 && argv[idx + 1] && !argv[idx + 1].startsWith("--")) return argv[idx + 1];
+    return def;
+  };
+  const has = (key) => argv.includes(`--${key}`);
+  const baseUrl = get("base-url") || process.env.IQAUTH_BASE_URL;
+  const email = get("email");
+  const password = get("password");
+  const appName = get("app");
+  const redirect = get("redirect");
+  const origin = get("origin");
+  if (!baseUrl || !email || !password || !appName || !redirect || !origin) {
+    console.error("Usage: iqauth init --base-url URL --email EMAIL --password PW --app NAME --redirect URL --origin URL [--org NAME] [--mode test|live] [--env-file .env] [--rotate] [--yes]");
+    process.exit(1);
+  }
+  return {
+    baseUrl: baseUrl.replace(/\/$/, ""),
+    email,
+    password,
+    org: get("org"),
+    appName,
+    redirect,
+    origin,
+    mode: get("mode", "test") || "test",
+    envFile: get("env-file", ".env"),
+    rotate: has("rotate"),
+    yes: has("yes") || has("y")
+  };
+}
+async function http(url, init) {
+  const headers = { "Content-Type": "application/json", ...init.headers };
+  if (init.token) headers["Authorization"] = `Bearer ${init.token}`;
+  const res = await fetch(url, { ...init, headers });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || json?.success === false) {
+    const code = json?.error?.code || res.status;
+    const msg = json?.error?.message || res.statusText;
+    throw new Error(`${url} \u2192 ${code}: ${msg}`);
+  }
+  return json.data;
+}
+async function confirm(question) {
+  if (!process.stdin.isTTY) return false;
+  const rl = (0, import_node_readline.createInterface)({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve2) => {
+    rl.question(`${question} [y/N] `, (answer) => {
+      rl.close();
+      resolve2(/^y(es)?$/i.test(answer.trim()));
+    });
+  });
+}
+async function mergeEnv(path, updates) {
+  let existing = "";
+  try {
+    await (0, import_promises.access)(path);
+    existing = await (0, import_promises.readFile)(path, "utf8");
+  } catch {
+  }
+  const lines = existing.split(/\r?\n/);
+  const seen = /* @__PURE__ */ new Set();
+  const out = lines.map((line) => {
+    const m = line.match(/^([A-Z_][A-Z0-9_]*)=/);
+    if (!m) return line;
+    const key = m[1];
+    if (Object.prototype.hasOwnProperty.call(updates, key)) {
+      seen.add(key);
+      return `${key}=${updates[key]}`;
+    }
+    return line;
+  });
+  for (const [k, v] of Object.entries(updates)) {
+    if (!seen.has(k)) out.push(`${k}=${v}`);
+  }
+  while (out.length && out[out.length - 1] === "") out.pop();
+  await (0, import_promises.writeFile)(path, out.join("\n") + "\n", "utf8");
+}
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  console.log(`\u2192 Signing in / creating account at ${args.baseUrl} ...`);
+  const signup = await http(
+    `${args.baseUrl}/api/v1/signup`,
+    { method: "POST", body: JSON.stringify({ email: args.email, password: args.password, name: args.email.split("@")[0], organizationName: args.org }) }
+  ).catch(async (err) => {
+    if (String(err.message).includes("EMAIL_IN_USE")) {
+      console.log("  account exists, signing in instead ...");
+      const login = await http(
+        `${args.baseUrl}/api/v1/auth/login`,
+        { method: "POST", body: JSON.stringify({ email: args.email, password: args.password }) }
+      );
+      return { accessToken: login.accessToken, tenant: login.tenants?.[0] || { id: "", slug: "" }, user: login.user };
+    }
+    throw err;
+  });
+  console.log(`  \u2713 signed in as ${signup.user.email}`);
+  const existing = await http(
+    `${args.baseUrl}/api/v1/apps`,
+    { method: "GET", token: signup.accessToken }
+  ).catch(() => []);
+  const match = existing.find((a) => a.name === args.appName);
+  let appOut;
+  let clientOut;
+  let pkOut;
+  let skOut;
+  if (match) {
+    console.log(`  \u26A0 app "${args.appName}" already exists (id=${match.id}, mode=${match.mode}).`);
+    if (!args.rotate) {
+      console.log("    re-using its existing keys is not possible (raw keys are only shown once).");
+      console.log("    pass --rotate to rotate the publishable + secret keys (24h grace window).");
+      process.exit(2);
+    }
+    const ok = args.yes || await confirm("    rotate publishable + secret keys for this app?");
+    if (!ok) {
+      console.log("    aborted.");
+      process.exit(2);
+    }
+    const keys = await http(
+      `${args.baseUrl}/api/v1/apps/${match.id}/keys`,
+      { method: "GET", token: signup.accessToken }
+    );
+    const pkKey = keys.find((k) => k.kind === "publishable" && k.mode === args.mode);
+    const skKey = keys.find((k) => k.kind === "secret" && k.mode === args.mode);
+    if (!pkKey || !skKey) {
+      console.error("    no existing pk_/sk_ pair found for this mode; cannot rotate.");
+      process.exit(3);
+    }
+    const pkRot = await http(
+      `${args.baseUrl}/api/v1/apps/${match.id}/keys/${pkKey.id}/rotate`,
+      { method: "POST", token: signup.accessToken }
+    );
+    const skRot = await http(
+      `${args.baseUrl}/api/v1/apps/${match.id}/keys/${skKey.id}/rotate`,
+      { method: "POST", token: signup.accessToken }
+    );
+    pkOut = pkRot.rawKey;
+    skOut = skRot.rawKey;
+    appOut = match;
+    clientOut = { clientId: "" };
+    console.log("  \u2713 rotated keys (previous values valid for 24h)");
+  } else {
+    console.log(`\u2192 Creating app "${args.appName}" (${args.mode} mode) ...`);
+    const created = await http(`${args.baseUrl}/api/v1/apps`, {
+      method: "POST",
+      token: signup.accessToken,
+      body: JSON.stringify({
+        name: args.appName,
+        mode: args.mode,
+        redirectUris: [args.redirect],
+        allowedOrigins: [args.origin]
+      })
+    });
+    appOut = created.app;
+    clientOut = created.client;
+    pkOut = created.publishableKey.rawKey;
+    skOut = created.secretKey.rawKey;
+    console.log(`  \u2713 app ${created.app.key} created`);
+  }
+  const updates = {
+    IQAUTH_ISSUER: args.baseUrl,
+    IQAUTH_APP_ID: appOut.id,
+    IQAUTH_APP_KEY: appOut.key,
+    IQAUTH_TENANT_ID: signup.tenant.id || "",
+    IQAUTH_CLIENT_ID: clientOut.clientId || "",
+    IQAUTH_PUBLISHABLE_KEY: pkOut,
+    IQAUTH_SECRET_KEY: skOut,
+    IQAUTH_REDIRECT_URI: args.redirect
+  };
+  if (clientOut.clientSecret) updates.IQAUTH_CLIENT_SECRET = clientOut.clientSecret;
+  for (const k of Object.keys(updates)) if (!updates[k]) delete updates[k];
+  await mergeEnv(args.envFile, updates);
+  console.log(`
+\u2705 Wrote ${Object.keys(updates).length} IQAUTH_* variables to ${args.envFile}`);
+  console.log(`   Add ${args.envFile} to .gitignore \u2014 it contains your secret key.`);
+  console.log(`   Use IQAUTH_PUBLISHABLE_KEY in your front-end and IQAUTH_SECRET_KEY in your back-end.
+`);
+  void ENV_KEYS;
+}
+var import_promises, import_node_readline, ENV_KEYS;
+var init_init = __esm({
+  "src/cli/init.ts"() {
+    "use strict";
+    import_promises = require("fs/promises");
+    import_node_readline = require("readline");
+    ENV_KEYS = [
+      "IQAUTH_ISSUER",
+      "IQAUTH_APP_ID",
+      "IQAUTH_APP_KEY",
+      "IQAUTH_TENANT_ID",
+      "IQAUTH_CLIENT_ID",
+      "IQAUTH_CLIENT_SECRET",
+      "IQAUTH_PUBLISHABLE_KEY",
+      "IQAUTH_SECRET_KEY",
+      "IQAUTH_REDIRECT_URI"
+    ];
+    main().catch((err) => {
+      console.error("\n\u2717", err.message);
+      process.exit(1);
+    });
+  }
+});
+
+// src/cli/util.ts
+function parseFlags(argv) {
+  const flags = /* @__PURE__ */ new Map();
+  const bools = /* @__PURE__ */ new Set();
+  const positional = [];
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg.startsWith("--")) {
+      const key = arg.slice(2);
+      const next = argv[i + 1];
+      if (next && !next.startsWith("--")) {
+        flags.set(key, next);
+        i++;
+      } else {
+        bools.add(key);
+      }
+    } else {
+      positional.push(arg);
+    }
+  }
+  return { flags, bools, positional };
+}
+async function loadEnv(path = ".env") {
+  try {
+    await (0, import_promises2.access)(path);
+  } catch {
+    return { ...process.env };
+  }
+  const raw = await (0, import_promises2.readFile)(path, "utf8");
+  const out = { ...process.env };
+  for (const line of raw.split(/\r?\n/)) {
+    const m = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/);
+    if (!m) continue;
+    let val = m[2];
+    if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
+      val = val.slice(1, -1);
+    }
+    if (out[m[1]] === void 0) out[m[1]] = val;
+  }
+  return out;
+}
+async function callApi(baseUrl, path, init = {}) {
+  const headers = { "Content-Type": "application/json", ...init.headers };
+  if (init.token) headers["Authorization"] = `Bearer ${init.token}`;
+  const res = await fetch(`${baseUrl.replace(/\/+$/, "")}${path}`, { ...init, headers });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok || json.success === false) {
+    const code = json.error?.code || res.status;
+    const msg = json.error?.message || res.statusText;
+    throw new Error(`${path} \u2192 ${code}: ${msg}`);
+  }
+  return json.data ?? json;
+}
+function symbol(ok) {
+  return ok ? "\u2713" : "\u2717";
+}
+var import_promises2;
+var init_util = __esm({
+  "src/cli/util.ts"() {
+    "use strict";
+    import_promises2 = require("fs/promises");
+  }
+});
+
+// src/publishableKey.ts
+function b64urlDecode(input) {
+  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  if (typeof atob === "function") {
+    const bin = atob(normalized);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  const { Buffer: Buffer2 } = require("buffer");
+  return Buffer2.from(normalized, "base64").toString("utf8");
+}
+function parsePublishableKey(raw) {
+  if (typeof raw !== "string") return null;
+  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!m) return null;
+  try {
+    const json = JSON.parse(b64urlDecode(m[2]));
+    if (!json || typeof json !== "object") return null;
+    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
+      return null;
+    }
+    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+  } catch {
+    return null;
+  }
+}
+var init_publishableKey = __esm({
+  "src/publishableKey.ts"() {
+    "use strict";
+  }
+});
+
+// src/cli/doctor.ts
+var doctor_exports = {};
+__export(doctor_exports, {
+  runDoctor: () => runDoctor
+});
+async function runDoctor(argv) {
+  const { flags } = parseFlags(argv);
+  const envFile = flags.get("env-file") || ".env";
+  const env = await loadEnv(envFile);
+  const probes = [];
+  const pkRaw = env.IQAUTH_PUBLISHABLE_KEY;
+  const issuerEnv = env.IQAUTH_ISSUER;
+  const redirect = env.IQAUTH_REDIRECT_URI;
+  probes.push({
+    name: ".env present",
+    ok: !!pkRaw,
+    detail: pkRaw ? `${envFile} loaded; IQAUTH_PUBLISHABLE_KEY=${pkRaw.slice(0, 10)}\u2026` : `IQAUTH_PUBLISHABLE_KEY missing in ${envFile}`
+  });
+  const parsed = pkRaw ? parsePublishableKey(pkRaw) : null;
+  probes.push({
+    name: "publishable key parses",
+    ok: !!parsed,
+    detail: parsed ? `mode=${parsed.mode} appId=${parsed.appId} tenantId=${parsed.tenantId} kid=${parsed.kid}` : "key did not match pk_<test|live>_<base64> format"
+  });
+  const issuer = (issuerEnv || (parsed?.iss.startsWith("http") ? parsed.iss : parsed ? `https://${parsed.iss}` : "")).replace(/\/+$/, "");
+  if (issuer) {
+    try {
+      const res = await fetch(`${issuer}/.well-known/openid-configuration`);
+      probes.push({
+        name: "issuer reachable",
+        ok: res.ok,
+        detail: `${issuer}/.well-known/openid-configuration \u2192 ${res.status}`
+      });
+    } catch (err) {
+      probes.push({
+        name: "issuer reachable",
+        ok: false,
+        detail: `fetch failed: ${err.message}`
+      });
+    }
+  } else {
+    probes.push({ name: "issuer reachable", ok: false, detail: "issuer URL unknown (no IQAUTH_ISSUER and no key)" });
+  }
+  if (issuer) {
+    try {
+      const res = await fetch(`${issuer}/.well-known/jwks.json`);
+      const json = await res.json().catch(() => ({}));
+      const keys = json.keys;
+      probes.push({
+        name: "JWKS reachable",
+        ok: res.ok && Array.isArray(keys) && keys.length > 0,
+        detail: `${issuer}/.well-known/jwks.json \u2192 ${res.status} (${Array.isArray(keys) ? keys.length : 0} keys)`
+      });
+    } catch (err) {
+      probes.push({ name: "JWKS reachable", ok: false, detail: `fetch failed: ${err.message}` });
+    }
+  }
+  if (redirect) {
+    try {
+      const res = await fetch(redirect, { method: "GET" });
+      probes.push({
+        name: "redirect URI reachable",
+        ok: res.status > 0 && res.status < 500,
+        detail: `${redirect} \u2192 ${res.status}`
+      });
+    } catch (err) {
+      probes.push({ name: "redirect URI reachable", ok: false, detail: `fetch failed: ${err.message}` });
+    }
+  } else {
+    probes.push({ name: "redirect URI reachable", ok: false, detail: "IQAUTH_REDIRECT_URI not set" });
+  }
+  let allOk = true;
+  for (const p of probes) {
+    console.log(`${symbol(p.ok)} ${p.name.padEnd(28)} ${p.detail}`);
+    if (!p.ok) allOk = false;
+  }
+  console.log("");
+  console.log(allOk ? "\u2705 All checks passed." : "\u274C One or more checks failed \u2014 see above.");
+  process.exit(allOk ? 0 : 1);
+}
+var init_doctor = __esm({
+  "src/cli/doctor.ts"() {
+    "use strict";
+    init_util();
+    init_publishableKey();
+  }
+});
+
+// src/cli/keys.ts
+var keys_exports = {};
+__export(keys_exports, {
+  runKeys: () => runKeys
+});
+async function getCtx(flags) {
+  const env = await loadEnv(flags.get("env-file") || ".env");
+  const baseUrl = flags.get("base-url") || env.IQAUTH_ISSUER;
+  const token = flags.get("token") || env.IQAUTH_ADMIN_TOKEN || env.IQAUTH_SECRET_KEY;
+  const app = flags.get("app") || env.IQAUTH_APP_ID || env.IQAUTH_APP_KEY;
+  if (!baseUrl) throw new Error("Missing --base-url (or IQAUTH_ISSUER in env).");
+  if (!token) throw new Error("Missing --token (or IQAUTH_ADMIN_TOKEN / IQAUTH_SECRET_KEY in env).");
+  if (!app) throw new Error("Missing --app <appId|appKey> (or IQAUTH_APP_ID in env).");
+  return { baseUrl, token, app };
+}
+async function runKeys(argv) {
+  const action = argv[0];
+  const { flags, bools } = parseFlags(argv.slice(1));
+  if (action === "list") {
+    const ctx = await getCtx(flags);
+    const keys = await callApi(ctx.baseUrl, `/api/v1/apps/${ctx.app}/keys`, { method: "GET", token: ctx.token });
+    const header = ["KIND", "MODE", "ID", "PREFIX", "CREATED", "REVOKED"].join("	");
+    console.log(header);
+    for (const k of keys) {
+      console.log([k.kind, k.mode, k.id, k.prefix || "", k.createdAt || "", k.revokedAt || "-"].join("	"));
+    }
+    return;
+  }
+  if (action === "rotate") {
+    const ctx = await getCtx(flags);
+    const keyId = flags.get("key-id");
+    if (!keyId) throw new Error("Missing --key-id <id>");
+    if (!bools.has("yes")) {
+      console.log(`Rotate key ${keyId} for app ${ctx.app}? Previous value valid 24h. Re-run with --yes to proceed.`);
+      process.exit(2);
+    }
+    const out = await callApi(ctx.baseUrl, `/api/v1/apps/${ctx.app}/keys/${keyId}/rotate`, { method: "POST", token: ctx.token });
+    console.log(`\u2713 rotated. New value:
+  ${out.rawKey}`);
+    console.log("  Old value remains valid for 24h.");
+    return;
+  }
+  if (action === "revoke") {
+    const ctx = await getCtx(flags);
+    const keyId = flags.get("key-id");
+    if (!keyId) throw new Error("Missing --key-id <id>");
+    if (!bools.has("yes")) {
+      console.log(`Revoke key ${keyId} for app ${ctx.app}? IMMEDIATE \u2014 there is no grace window. Re-run with --yes.`);
+      process.exit(2);
+    }
+    await callApi(ctx.baseUrl, `/api/v1/apps/${ctx.app}/keys/${keyId}`, { method: "DELETE", token: ctx.token });
+    console.log("\u2713 revoked.");
+    return;
+  }
+  console.error("Usage: iqauth keys <list|rotate|revoke> [--app <id>] [--key-id <id>] [--yes]");
+  process.exit(1);
+}
+var init_keys = __esm({
+  "src/cli/keys.ts"() {
+    "use strict";
+    init_util();
+  }
+});
+
+// src/cli/dev.ts
+var dev_exports = {};
+__export(dev_exports, {
+  runDev: () => runDev
+});
+function getHere() {
+  const cjsDir = globalThis.__dirname;
+  if (typeof cjsDir === "string" && cjsDir.length > 0) return cjsDir;
+  try {
+    const url = import_meta?.url;
+    if (typeof url === "string" && url.length > 0) return (0, import_node_path.dirname)((0, import_node_url.fileURLToPath)(url));
+  } catch {
+  }
+  const argv1 = process.argv[1];
+  if (argv1) return (0, import_node_path.dirname)(argv1);
+  return process.cwd();
+}
+async function runDev(argv) {
+  const { flags } = parseFlags(argv);
+  const env = await loadEnv(flags.get("env-file") || ".env");
+  const pk = env.IQAUTH_PUBLISHABLE_KEY;
+  if (!pk) {
+    console.error("\u2717 IQAUTH_PUBLISHABLE_KEY missing in .env. Run `iqauth init` first.");
+    process.exit(1);
+  }
+  const here = getHere();
+  let example = flags.get("example");
+  if (!example) {
+    const candidates = [
+      (0, import_node_path.resolve)(here, "..", "..", "..", "..", "examples", "react-vite"),
+      (0, import_node_path.resolve)(here, "..", "..", "examples", "react-vite"),
+      (0, import_node_path.resolve)(process.cwd(), "examples", "react-vite")
+    ];
+    example = candidates.find((p) => (0, import_node_fs.existsSync)(p)) || candidates[0];
+  }
+  console.log(`\u2192 Starting example at ${example}`);
+  console.log(`  using IQAUTH_PUBLISHABLE_KEY=${pk.slice(0, 12)}\u2026`);
+  const child = (0, import_node_child_process.spawn)("npm", ["run", "dev"], {
+    cwd: example,
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      VITE_IQAUTH_PUBLISHABLE_KEY: pk
+    }
+  });
+  child.on("exit", (code) => process.exit(code ?? 0));
+}
+var import_node_child_process, import_node_path, import_node_url, import_node_fs, import_meta;
+var init_dev = __esm({
+  "src/cli/dev.ts"() {
+    "use strict";
+    import_node_child_process = require("child_process");
+    import_node_path = require("path");
+    import_node_url = require("url");
+    import_node_fs = require("fs");
+    init_util();
+    import_meta = {};
+  }
+});
+
+// src/cli/index.ts
+var subcommand = process.argv[2];
+var rest = process.argv.slice(3);
+async function run() {
+  switch (subcommand) {
+    case void 0:
+    case "--help":
+    case "-h":
+    case "help":
+      printHelp();
+      return;
+    case "init": {
+      process.argv = [process.argv[0], process.argv[1], ...rest];
+      await Promise.resolve().then(() => (init_init(), init_exports));
+      return;
+    }
+    case "doctor": {
+      const { runDoctor: runDoctor2 } = await Promise.resolve().then(() => (init_doctor(), doctor_exports));
+      await runDoctor2(rest);
+      return;
+    }
+    case "keys": {
+      const { runKeys: runKeys2 } = await Promise.resolve().then(() => (init_keys(), keys_exports));
+      await runKeys2(rest);
+      return;
+    }
+    case "dev": {
+      const { runDev: runDev2 } = await Promise.resolve().then(() => (init_dev(), dev_exports));
+      await runDev2(rest);
+      return;
+    }
+    default:
+      console.error(`Unknown command: ${subcommand}`);
+      printHelp();
+      process.exit(1);
+  }
+}
+function printHelp() {
+  console.log(`iqauth \u2014 IQAuth integration CLI
+
+Usage:
+  iqauth <command> [options]
+
+Commands:
+  init      Bootstrap a new app and write IQAUTH_* keys to .env
+  doctor    Check your .env, issuer reachability, and publishable key
+  keys      Manage app publishable / secret keys (list / rotate / revoke)
+  dev       Run the bundled React example app against your IQAUTH_PUBLISHABLE_KEY
+
+Run \`iqauth <command> --help\` for command-specific help.`);
+}
+run().catch((err) => {
+  console.error("\n\u2717", err?.message || err);
+  process.exit(1);
+});