@portl/cli 0.1.0

package/bin/portl.js

@@ -0,0 +1,1837 @@
+#!/usr/bin/env node
+/* global console, fetch */
+
+import { promises as fs } from 'node:fs';
+import { spawn } from 'node:child_process';
+import path from 'node:path';
+import process from 'node:process';
+import readline from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+import { URL, URLSearchParams } from 'node:url';
+import { runInit } from '../src/commands/init.js';
+
+const [, , command, ...args] = process.argv;
+const SUPPORTED_PROVIDER_IDS = new Set([
+  'postgres.generic',
+  'supabase',
+  'neon',
+  's3.generic',
+  'r2',
+]);
+
+const ANSI = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  cyan: '\x1b[36m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  red: '\x1b[31m',
+  dim: '\x1b[2m',
+};
+
+const PORTL_ASCII = `
+██████╗  ██████╗ ██████╗ ████████╗██╗
+██╔══██╗██╔═══██╗██╔══██╗╚══██╔══╝██║
+██████╔╝██║   ██║██████╔╝   ██║   ██║
+██╔═══╝ ██║   ██║██╔══██╗   ██║   ██║
+██║     ╚██████╔╝██║  ██║   ██║   ███████╗
+╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝   ╚══════╝
+`;
+
+function c(text, color) {
+  return `${color}${text}${ANSI.reset}`;
+}
+
+function showHelp() {
+  console.log(`${c('Portl CLI', ANSI.bold)} - Bring your infra. Ship with AI.
+
+Usage:
+  ${c('portl init', ANSI.cyan)}                    Interactive setup wizard
+  ${c('portl connect supabase', ANSI.cyan)}        Connect Supabase via OAuth
+  ${c('portl bootstrap github-actions', ANSI.cyan)} Generate GitHub workflow
+  ${c('portl bootstrap stripe-webhook', ANSI.cyan)} Setup Stripe webhooks
+  ${c('portl --help', ANSI.cyan)}                  Show this help
+
+Examples:
+  ${c('portl init', ANSI.dim)}                              # Start the setup wizard
+  ${c('portl connect supabase --project-id my-app', ANSI.dim)}  # Connect Supabase OAuth
+  ${c('portl bootstrap github-actions --repository owner/repo', ANSI.dim)}
+
+The ${c('init', ANSI.bold)} command walks you through:
+  • Database setup (PostgreSQL, Supabase, Neon)
+  • File storage (S3, Cloudflare R2)
+  • Payments (Stripe, Mercado Pago)
+  • CI/CD (GitHub Actions)
+
+For more information, visit: ${c('https://portl.dev', ANSI.cyan)}
+`);
+}
+
+function isYes(value, defaultYes = true) {
+  if (!value || !value.trim()) {
+    return defaultYes;
+  }
+
+  const normalized = value.trim().toLowerCase();
+  return normalized === 'y' || normalized === 'yes' || normalized === 's' || normalized === 'si';
+}
+
+function getArgValue(flag) {
+  const index = args.indexOf(flag);
+  if (index < 0 || index === args.length - 1) {
+    return null;
+  }
+  return args[index + 1];
+}
+
+function hasFlag(flag) {
+  return args.includes(flag);
+}
+
+function resolveApiOrigin(apiBaseUrl) {
+  try {
+    const parsed = new URL(apiBaseUrl);
+    return `${parsed.protocol}//${parsed.host}`;
+  } catch {
+    return 'http://localhost:7130';
+  }
+}
+
+function formatTerminalLink(label, url) {
+  // OSC 8 hyperlink; supported in many modern terminals.
+  return `\u001B]8;;${url}\u0007${label}\u001B]8;;\u0007`;
+}
+
+async function tryOpenBrowser(url) {
+  const command =
+    process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+
+  const child = spawn(command, [url], {
+    stdio: 'ignore',
+    detached: process.platform !== 'win32',
+    shell: process.platform === 'win32',
+  });
+
+  return new Promise((resolve) => {
+    let done = false;
+    const finish = (result) => {
+      if (!done) {
+        done = true;
+        resolve(result);
+      }
+    };
+
+    child.on('error', (error) => {
+      finish({
+        opened: false,
+        command,
+        error: error instanceof Error ? error.message : String(error),
+      });
+    });
+
+    child.on('exit', (code) => {
+      if (code === 0 || code === null) {
+        finish({ opened: true, command });
+      } else {
+        finish({ opened: false, command, error: `exit code ${code}` });
+      }
+    });
+
+    globalThis.setTimeout(() => {
+      finish({ opened: true, command });
+    }, 900);
+  });
+}
+
+async function sleep(ms) {
+  await new Promise((resolve) => {
+    globalThis.setTimeout(resolve, ms);
+  });
+}
+
+function parseDotEnv(content) {
+  const values = {};
+  const lines = content.split('\n');
+  for (const rawLine of lines) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) {
+      continue;
+    }
+    const separatorIndex = line.indexOf('=');
+    if (separatorIndex <= 0) {
+      continue;
+    }
+    const key = line.slice(0, separatorIndex).trim();
+    const value = line.slice(separatorIndex + 1).trim();
+    values[key] = value;
+  }
+  return values;
+}
+
+async function getLocalEnvValue(key, cwd) {
+  const envPath = path.join(cwd, '.env');
+  try {
+    const envContent = await fs.readFile(envPath, 'utf8');
+    const envValues = parseDotEnv(envContent);
+    const value = envValues[key];
+    return value && value.trim() ? value.trim() : null;
+  } catch {
+    return null;
+  }
+}
+
+async function resolveBackendApiKey(cwd) {
+  const fromProcess = process.env.ACCESS_API_KEY;
+  if (fromProcess && fromProcess.trim()) {
+    return fromProcess.trim();
+  }
+
+  return getLocalEnvValue('ACCESS_API_KEY', cwd);
+}
+
+async function readExistingPortlConfig(cwd) {
+  const configPath = path.join(cwd, 'portl.config.json');
+  try {
+    const raw = await fs.readFile(configPath, 'utf8');
+    const parsed = JSON.parse(raw);
+    return parsed && typeof parsed === 'object' ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+
+function findExistingIntegration(existingConfig, category) {
+  const integrations = Array.isArray(existingConfig?.integrations)
+    ? existingConfig.integrations
+    : [];
+  return integrations.find((integration) => integration?.category === category) || null;
+}
+
+function buildReuseIntegration(existingIntegration) {
+  return {
+    providerId: existingIntegration.providerId,
+    category: existingIntegration.category,
+    connectable: false,
+    config: existingIntegration.config || {},
+    envTemplate: {},
+  };
+}
+
+async function maybeReuseExistingIntegration(rl, label, existingIntegration) {
+  if (!existingIntegration) {
+    return null;
+  }
+
+  const reuse = isYes(
+    await ask(rl, `Reuse existing ${label} config (${existingIntegration.providerId})? [Y/n]`, 'y')
+  );
+
+  return reuse ? buildReuseIntegration(existingIntegration) : null;
+}
+
+async function ask(rl, question, defaultValue) {
+  const suffix = defaultValue ? ` ${c(`(${defaultValue})`, ANSI.dim)}` : '';
+  const answer = await rl.question(`${question}${suffix}: `);
+  const trimmed = answer.trim();
+  return trimmed || defaultValue || '';
+}
+
+async function askNonEmpty(rl, question, defaultValue) {
+  while (true) {
+    const value = await ask(rl, question, defaultValue);
+    if (value.trim()) {
+      return value.trim();
+    }
+    console.log(c('Value cannot be empty. Try again.', ANSI.yellow));
+  }
+}
+
+async function chooseOption(rl, title, options) {
+  console.log(`\n${c(title, ANSI.bold)}`);
+  options.forEach((option, index) => {
+    console.log(`  ${index + 1}. ${option.label} ${c(`(${option.value})`, ANSI.dim)}`);
+  });
+
+  while (true) {
+    const answer = await rl.question('Select an option number: ');
+    const selected = Number.parseInt(answer.trim(), 10);
+    if (!Number.isNaN(selected) && selected >= 1 && selected <= options.length) {
+      return options[selected - 1];
+    }
+
+    console.log(c('Invalid option number. Try again.', ANSI.yellow));
+  }
+}
+
+async function chooseNamedOption(rl, title, options) {
+  console.log(`\n${c(title, ANSI.bold)}`);
+  options.forEach((option, index) => {
+    console.log(`  ${index + 1}. ${option.label}`);
+  });
+
+  while (true) {
+    const answer = await rl.question('Select an option number: ');
+    const selected = Number.parseInt(answer.trim(), 10);
+    if (!Number.isNaN(selected) && selected >= 1 && selected <= options.length) {
+      return options[selected - 1];
+    }
+
+    console.log(c('Invalid option number. Try again.', ANSI.yellow));
+  }
+}
+
+async function chooseMultipleOptions(rl, title, options, defaultValues = []) {
+  console.log(`\n${c(title, ANSI.bold)}`);
+  options.forEach((option, index) => {
+    console.log(`  ${index + 1}. ${option.label} ${c(`(${option.value})`, ANSI.dim)}`);
+  });
+
+  const defaultIndices = options
+    .map((option, index) => (defaultValues.includes(option.value) ? String(index + 1) : null))
+    .filter(Boolean)
+    .join(',');
+
+  while (true) {
+    const answer = await ask(rl, 'Select option numbers (comma separated)', defaultIndices || '1');
+    const tokens = answer
+      .split(',')
+      .map((token) => token.trim())
+      .filter(Boolean);
+
+    if (tokens.length === 0) {
+      console.log(c('Select at least one option.', ANSI.yellow));
+      continue;
+    }
+
+    const parsed = tokens.map((token) => Number.parseInt(token, 10));
+    const allValid = parsed.every(
+      (value) => !Number.isNaN(value) && value >= 1 && value <= options.length
+    );
+
+    if (!allValid) {
+      console.log(c('Invalid option list. Example: 1,2,4', ANSI.yellow));
+      continue;
+    }
+
+    const uniqueSorted = [...new Set(parsed)];
+    return uniqueSorted.map((index) => options[index - 1]);
+  }
+}
+
+async function portlRequest(baseUrl, endpoint, method, apiKey, body) {
+  const normalizedBaseUrl = baseUrl.replace(/\/+$/, '');
+  const response = await fetch(`${normalizedBaseUrl}${endpoint}`, {
+    method,
+    headers: {
+      'Content-Type': 'application/json',
+      ...(apiKey ? { 'x-api-key': apiKey } : {}),
+    },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+
+  const text = await response.text();
+  let data = null;
+
+  try {
+    data = text ? JSON.parse(text) : null;
+  } catch {
+    data = text;
+  }
+
+  if (!response.ok) {
+    const message =
+      (data && typeof data === 'object' && data.message) ||
+      (data && typeof data === 'object' && data.error) ||
+      `HTTP ${response.status}`;
+    throw new Error(String(message));
+  }
+
+  return data;
+}
+
+async function startSupabaseOAuthRequest({
+  apiBaseUrl,
+  apiKey,
+  projectId,
+  redirectUri,
+  organizationSlug,
+}) {
+  const query = new URLSearchParams({
+    projectId,
+    redirectUri,
+    ...(organizationSlug ? { organizationSlug } : {}),
+  }).toString();
+
+  return portlRequest(apiBaseUrl, `/providers/oauth/supabase/start?${query}`, 'GET', apiKey);
+}
+
+async function waitForSupabaseOAuthConnection({
+  apiBaseUrl,
+  apiKey,
+  projectId,
+  startedAt,
+  timeoutMs = 120000,
+  pollMs = 2000,
+}) {
+  const deadline = Date.now() + timeoutMs;
+
+  while (Date.now() < deadline) {
+    try {
+      const statusResponse = await portlRequest(
+        apiBaseUrl,
+        `/providers/oauth/status?projectId=${encodeURIComponent(projectId)}`,
+        'GET',
+        apiKey
+      );
+      const connections = Array.isArray(statusResponse?.connections)
+        ? statusResponse.connections
+        : [];
+      const supabaseConnection = connections.find((entry) => entry.providerId === 'supabase');
+
+      if (supabaseConnection) {
+        const updatedAtMs = Date.parse(supabaseConnection.updatedAt || '');
+        if (Number.isNaN(updatedAtMs) || updatedAtMs >= startedAt - 1000) {
+          return supabaseConnection;
+        }
+      }
+    } catch {
+      // ignore transient polling errors while waiting for callback completion
+    }
+
+    await sleep(pollMs);
+  }
+
+  return null;
+}
+
+async function fetchSupabaseProjects({ apiBaseUrl, apiKey, projectId }) {
+  return portlRequest(
+    apiBaseUrl,
+    `/providers/oauth/supabase/projects?projectId=${encodeURIComponent(projectId)}`,
+    'GET',
+    apiKey
+  );
+}
+
+async function selectSupabaseProject({ apiBaseUrl, apiKey, projectId, projectRef }) {
+  return portlRequest(apiBaseUrl, '/providers/oauth/supabase/select-project', 'POST', apiKey, {
+    projectId,
+    projectRef,
+  });
+}
+
+async function fetchSupabaseOAuthStatus({ apiBaseUrl, apiKey, projectId }) {
+  return portlRequest(
+    apiBaseUrl,
+    `/providers/oauth/status?projectId=${encodeURIComponent(projectId)}`,
+    'GET',
+    apiKey
+  );
+}
+
+async function fetchProviderInstances({ apiBaseUrl, apiKey, projectId }) {
+  return portlRequest(
+    apiBaseUrl,
+    `/providers/instances?projectId=${encodeURIComponent(projectId)}`,
+    'GET',
+    apiKey
+  );
+}
+
+function normalizeUrl(value) {
+  return value.replace(/\/+$/, '');
+}
+
+function normalizeR2Endpoint(accountId, endpointInput, bucket) {
+  const defaultEndpoint = `https://${accountId}.r2.cloudflarestorage.com`;
+  const raw = endpointInput.trim() || defaultEndpoint;
+  const withProtocol = /^https?:\/\//i.test(raw) ? raw : `https://${raw}`;
+
+  try {
+    const parsed = new URL(withProtocol);
+    const pathSegments = parsed.pathname.split('/').filter(Boolean);
+    if (pathSegments.length > 0) {
+      const firstPath = pathSegments[0];
+      if (firstPath === bucket) {
+        console.log(
+          c('Detected bucket in R2 endpoint path. Auto-fixing to account endpoint.', ANSI.yellow)
+        );
+      } else {
+        console.log(
+          c(
+            `Detected extra path "${parsed.pathname}" in endpoint. Using account endpoint only.`,
+            ANSI.yellow
+          )
+        );
+      }
+      parsed.pathname = '/';
+    }
+    return normalizeUrl(parsed.toString());
+  } catch {
+    return normalizeUrl(withProtocol);
+  }
+}
+
+// ============================================================================
+// DEPRECATED FUNCTIONS - TO BE REMOVED
+// The following functions are from the old init flow and are no longer used.
+// They are kept temporarily for reference but will be removed after testing.
+// ============================================================================
+
+async function collectDatabaseConfig(rl, options = {}) {
+  const reusedIntegration = await maybeReuseExistingIntegration(
+    rl,
+    'database',
+    options.existingIntegration
+  );
+  if (reusedIntegration) {
+    return reusedIntegration;
+  }
+
+  const provider = await chooseOption(rl, 'Database Provider', [
+    { label: 'PostgreSQL (generic)', value: 'postgres.generic' },
+    { label: 'Neon', value: 'neon' },
+    { label: 'Supabase', value: 'supabase' },
+    { label: 'Custom (manual template only)', value: 'custom.database' },
+  ]);
+
+  if (provider.value === 'supabase') {
+    if (options.apiKey) {
+      try {
+        const oauthStatus = await fetchSupabaseOAuthStatus({
+          apiBaseUrl: options.apiBaseUrl || 'http://localhost:7130/api',
+          apiKey: options.apiKey,
+          projectId: options.projectId || 'local',
+        });
+        const supabaseConnection = Array.isArray(oauthStatus?.connections)
+          ? oauthStatus.connections.find((entry) => entry.providerId === 'supabase')
+          : null;
+
+        if (supabaseConnection?.externalProjectRef) {
+          const reuseExisting = isYes(
+            await ask(
+              rl,
+              `Reuse connected Supabase project ${supabaseConnection.externalProjectRef}? [Y/n]`,
+              'y'
+            )
+          );
+
+          if (reuseExisting) {
+            return {
+              providerId: provider.value,
+              category: 'database',
+              connectable: false,
+              config: {
+                setupMode: 'oauth.reuse',
+                projectRef: supabaseConnection.externalProjectRef,
+              },
+              envTemplate: {
+                PORTL_DB_SUPABASE_SETUP_MODE: 'oauth.reuse',
+                PORTL_DB_SUPABASE_PROJECT_REF: supabaseConnection.externalProjectRef,
+              },
+            };
+          }
+        }
+      } catch {
+        // ignore status fetch errors and continue with normal setup flow
+      }
+    }
+
+    const setupMode = await chooseOption(rl, 'Supabase Setup Mode', [
+      { label: 'OAuth link (recommended)', value: 'oauth' },
+      { label: 'Manual keys (URL + service role key)', value: 'manual' },
+    ]);
+
+    if (setupMode.value === 'manual') {
+      const url = await askNonEmpty(rl, 'Supabase URL', 'https://YOUR-PROJECT.supabase.co');
+      const serviceRoleKey = await askNonEmpty(rl, 'Supabase service role key', '');
+      return {
+        providerId: provider.value,
+        category: 'database',
+        config: { url, serviceRoleKey, setupMode: 'manual' },
+        envTemplate: {
+          PORTL_DB_SUPABASE_SETUP_MODE: 'manual',
+          PORTL_DB_SUPABASE_URL: url,
+          PORTL_DB_SUPABASE_SERVICE_ROLE_KEY: serviceRoleKey,
+        },
+      };
+    }
+
+    let authorizeUrl = '';
+    let callbackUrl = '';
+
+    if (options.apiKey) {
+      try {
+        const resolvedApiBaseUrl = options.apiBaseUrl || 'http://localhost:7130/api';
+        const fallbackRedirectUri = `${resolveApiOrigin(resolvedApiBaseUrl)}/api/providers/oauth/cli/result`;
+        const oauthStart = await startSupabaseOAuthRequest({
+          apiBaseUrl: resolvedApiBaseUrl,
+          apiKey: options.apiKey,
+          projectId: options.projectId || 'local',
+          redirectUri:
+            options.redirectUri || process.env.PORTL_OAUTH_CLI_REDIRECT_URI || fallbackRedirectUri,
+        });
+        authorizeUrl = oauthStart.authorizeUrl || '';
+        callbackUrl = oauthStart.callbackUrl || '';
+
+        if (authorizeUrl) {
+          console.log(c('\nSupabase OAuth link generated in wizard:', ANSI.green));
+          console.log(formatTerminalLink('Open Supabase OAuth', authorizeUrl));
+          console.log(authorizeUrl);
+
+          if (options.autoOpenOAuth !== false) {
+            const openResult = await tryOpenBrowser(authorizeUrl);
+            if (openResult.opened) {
+              console.log(c('Opened your browser automatically.', ANSI.dim));
+            } else {
+              console.log(
+                c(
+                  `Could not open browser automatically (${openResult.command || 'open'}).`,
+                  ANSI.yellow
+                )
+              );
+              console.log(c('If it did not open, enter using this link:', ANSI.dim));
+              console.log(authorizeUrl);
+            }
+          }
+        }
+      } catch (error) {
+        const message = error instanceof Error ? error.message : 'OAuth start failed';
+        console.log(c(`Could not generate OAuth link now: ${message}`, ANSI.yellow));
+      }
+    } else {
+      console.log(
+        c('OAuth link not generated in files-only mode. Run: portl connect supabase', ANSI.dim)
+      );
+    }
+
+    return {
+      providerId: provider.value,
+      category: 'database',
+      connectable: false,
+      config: {
+        setupMode: 'oauth',
+        authorizeUrl: authorizeUrl || null,
+        callbackUrl: callbackUrl || null,
+      },
+      envTemplate: {
+        PORTL_DB_SUPABASE_SETUP_MODE: 'oauth',
+        PORTL_DB_SUPABASE_OAUTH_AUTHORIZE_URL: authorizeUrl,
+        PORTL_DB_SUPABASE_OAUTH_CALLBACK_URL: callbackUrl,
+      },
+    };
+  }
+
+  if (provider.value === 'custom.database') {
+    const notes = await ask(
+      rl,
+      'Custom database notes (optional)',
+      'Set your custom connection settings here'
+    );
+    return {
+      providerId: provider.value,
+      category: 'database',
+      config: { notes },
+      envTemplate: {
+        PORTL_DB_CUSTOM_NOTES: notes,
+      },
+    };
+  }
+
+  const connectionString = await askNonEmpty(
+    rl,
+    `${provider.label} connection string`,
+    'postgresql://postgres:postgres@localhost:5432/portl'
+  );
+
+  return {
+    providerId: provider.value,
+    category: 'database',
+    config: { connectionString },
+    envTemplate: {
+      PORTL_DB_CONNECTION_STRING: connectionString,
+    },
+  };
+}
+
+async function collectStorageConfig(rl, quickMode = true, options = {}) {
+  const reusedIntegration = await maybeReuseExistingIntegration(
+    rl,
+    'storage',
+    options.existingIntegration
+  );
+  if (reusedIntegration) {
+    return reusedIntegration;
+  }
+
+  if (quickMode) {
+    if (options.apiKey) {
+      try {
+        const instances = await fetchProviderInstances({
+          apiBaseUrl: options.apiBaseUrl || 'http://localhost:7130/api',
+          apiKey: options.apiKey,
+          projectId: options.projectId || 'local',
+        });
+        const existingR2 = Array.isArray(instances)
+          ? instances.find(
+              (instance) =>
+                instance.providerId === 'r2' && instance.connectionStatus === 'connected'
+            )
+          : null;
+
+        if (existingR2) {
+          const reuseExisting = isYes(
+            await ask(rl, 'Reuse connected Cloudflare R2 backend connection? [Y/n]', 'y')
+          );
+
+          if (reuseExisting) {
+            return {
+              providerId: 'r2',
+              category: 'storage',
+              connectable: false,
+              config: {
+                setupMode: 'reuse-existing',
+                providerId: 'r2',
+              },
+              envTemplate: {
+                PORTL_STORAGE_SETUP_MODE: 'reuse-existing',
+                PORTL_STORAGE_PROVIDER: 'r2',
+              },
+            };
+          }
+        }
+      } catch {
+        // ignore lookup errors and continue with normal flow
+      }
+    }
+  }
+
+  const provider = await chooseOption(rl, 'Storage Provider', [
+    { label: 'S3 compatible (generic)', value: 's3.generic' },
+    { label: 'Cloudflare R2', value: 'r2' },
+    { label: 'Skip for now', value: 'none' },
+  ]);
+
+  if (provider.value === 'none') {
+    return null;
+  }
+
+  if (provider.value === 'r2') {
+    const accountId = await askNonEmpty(rl, 'R2 account ID', '');
+    const accessKeyId = await askNonEmpty(rl, 'R2 access key ID', '');
+    const secretAccessKey = await askNonEmpty(rl, 'R2 secret access key', '');
+    const bucket = await askNonEmpty(rl, 'R2 bucket', 'portl-assets');
+    const endpointInput = quickMode
+      ? ''
+      : await ask(
+          rl,
+          'R2 endpoint override (optional, leave blank to auto)',
+          `https://${accountId}.r2.cloudflarestorage.com`
+        );
+    const endpoint = normalizeR2Endpoint(accountId, endpointInput, bucket);
+    if (quickMode) {
+      console.log(c(`Using auto R2 endpoint: ${endpoint}`, ANSI.dim));
+    }
+
+    return {
+      providerId: provider.value,
+      category: 'storage',
+      config: {
+        accountId,
+        accessKeyId,
+        secretAccessKey,
+        bucket,
+        endpoint,
+      },
+      envTemplate: {
+        PORTL_STORAGE_R2_ACCOUNT_ID: accountId,
+        PORTL_STORAGE_R2_ACCESS_KEY_ID: accessKeyId,
+        PORTL_STORAGE_R2_SECRET_ACCESS_KEY: secretAccessKey,
+        PORTL_STORAGE_R2_BUCKET: bucket,
+        PORTL_STORAGE_R2_ENDPOINT: endpoint,
+      },
+    };
+  }
+
+  const accessKeyId = await askNonEmpty(rl, 'S3 access key ID', '');
+  const secretAccessKey = await askNonEmpty(rl, 'S3 secret access key', '');
+  const bucket = await askNonEmpty(rl, 'S3 bucket', 'portl-assets');
+  const region = await askNonEmpty(rl, 'S3 region', 'us-east-1');
+  const endpoint = quickMode
+    ? ''
+    : await ask(rl, 'S3 endpoint override (optional)', 'http://127.0.0.1:9000');
+  const forcePathStyleAnswer = quickMode ? 'y' : await ask(rl, 'Force path style? [Y/n]', 'y');
+
+  return {
+    providerId: provider.value,
+    category: 'storage',
+    config: {
+      accessKeyId,
+      secretAccessKey,
+      bucket,
+      region,
+      ...(endpoint ? { endpoint } : {}),
+      forcePathStyle: isYes(forcePathStyleAnswer, true),
+    },
+    envTemplate: {
+      PORTL_STORAGE_S3_ACCESS_KEY_ID: accessKeyId,
+      PORTL_STORAGE_S3_SECRET_ACCESS_KEY: secretAccessKey,
+      PORTL_STORAGE_S3_BUCKET: bucket,
+      PORTL_STORAGE_S3_REGION: region,
+      PORTL_STORAGE_S3_ENDPOINT: endpoint,
+      PORTL_STORAGE_S3_FORCE_PATH_STYLE: String(isYes(forcePathStyleAnswer, true)),
+    },
+  };
+}
+
+async function collectPaymentsConfig(rl, quickMode = true, options = {}) {
+  const reusedIntegration = await maybeReuseExistingIntegration(
+    rl,
+    'payments',
+    options.existingIntegration
+  );
+  if (reusedIntegration) {
+    return reusedIntegration;
+  }
+
+  const provider = await chooseOption(rl, 'Payments Provider', [
+    { label: 'Stripe', value: 'stripe' },
+    { label: 'MercadoPago', value: 'mercadopago' },
+    { label: 'Skip for now', value: 'none' },
+  ]);
+
+  if (provider.value === 'none') {
+    return null;
+  }
+
+  if (provider.value === 'stripe') {
+    const secretKey = await askNonEmpty(rl, 'Stripe secret key', '');
+    const publishableKey = await ask(rl, 'Stripe publishable key (optional)', '');
+    const webhookSecret = quickMode ? '' : await ask(rl, 'Stripe webhook secret (optional)', '');
+
+    return {
+      providerId: 'stripe',
+      category: 'payments',
+      config: {
+        provider: 'stripe',
+        secretKey,
+        publishableKey: publishableKey || null,
+        webhookSecret: webhookSecret || null,
+      },
+      envTemplate: {
+        PORTL_PAYMENTS_PROVIDER: 'stripe',
+        PORTL_PAYMENTS_STRIPE_SECRET_KEY: secretKey,
+        PORTL_PAYMENTS_STRIPE_PUBLISHABLE_KEY: publishableKey,
+        PORTL_PAYMENTS_STRIPE_WEBHOOK_SECRET: webhookSecret,
+      },
+    };
+  }
+
+  const accessToken = await askNonEmpty(rl, 'MercadoPago access token', '');
+  const publicKey = await ask(rl, 'MercadoPago public key (optional)', '');
+  const webhookSecret = quickMode ? '' : await ask(rl, 'MercadoPago webhook secret (optional)', '');
+
+  return {
+    providerId: 'mercadopago',
+    category: 'payments',
+    config: {
+      provider: 'mercadopago',
+      accessToken,
+      publicKey: publicKey || null,
+      webhookSecret: webhookSecret || null,
+    },
+    envTemplate: {
+      PORTL_PAYMENTS_PROVIDER: 'mercadopago',
+      PORTL_PAYMENTS_MP_ACCESS_TOKEN: accessToken,
+      PORTL_PAYMENTS_MP_PUBLIC_KEY: publicKey,
+      PORTL_PAYMENTS_MP_WEBHOOK_SECRET: webhookSecret,
+    },
+  };
+}
+
+async function collectCiCdConfig(rl, quickMode = true, options = {}) {
+  const reusedIntegration = await maybeReuseExistingIntegration(
+    rl,
+    'CI/CD',
+    options.existingIntegration
+  );
+  if (reusedIntegration) {
+    return reusedIntegration;
+  }
+
+  const provider = await chooseOption(rl, 'CI/CD Provider', [
+    { label: 'GitHub Actions', value: 'github.actions' },
+    { label: 'GitLab CI', value: 'gitlab.ci' },
+    { label: 'Skip for now', value: 'none' },
+  ]);
+
+  if (provider.value === 'none') {
+    return null;
+  }
+
+  const repository = await askNonEmpty(rl, 'Repository (owner/repo)', '');
+  const token = await ask(rl, `${provider.label} token (optional)`, '');
+  const workflowPath = quickMode
+    ? ''
+    : await ask(
+        rl,
+        provider.value === 'github.actions'
+          ? 'Workflow file path (optional)'
+          : 'Pipeline file path (optional)',
+        provider.value === 'github.actions' ? '.github/workflows/portl.yml' : '.gitlab-ci.yml'
+      );
+
+  return {
+    providerId: provider.value,
+    category: 'cicd',
+    config: {
+      repository,
+      token: token || null,
+      workflowPath: workflowPath || null,
+    },
+    envTemplate: {
+      PORTL_CICD_PROVIDER: provider.value,
+      PORTL_CICD_REPOSITORY: repository,
+      PORTL_CICD_TOKEN: token,
+      PORTL_CICD_WORKFLOW_PATH: workflowPath,
+    },
+  };
+}
+
+async function collectAuthConfig(rl, quickMode = true, options = {}) {
+  const reusedIntegration = await maybeReuseExistingIntegration(
+    rl,
+    'auth',
+    options.existingIntegration
+  );
+  if (reusedIntegration) {
+    return reusedIntegration;
+  }
+
+  const provider = await chooseOption(rl, 'Auth Provider', [
+    { label: 'Clerk', value: 'clerk' },
+    { label: 'Auth0', value: 'auth0' },
+    { label: 'Supabase Auth', value: 'supabase.auth' },
+    { label: 'Skip for now', value: 'none' },
+  ]);
+
+  if (provider.value === 'none') {
+    return null;
+  }
+
+  if (provider.value === 'clerk') {
+    const publishableKey = await askNonEmpty(rl, 'Clerk publishable key', '');
+    const secretKey = await askNonEmpty(rl, 'Clerk secret key', '');
+    return {
+      providerId: provider.value,
+      category: 'auth',
+      config: { publishableKey, secretKey },
+      envTemplate: {
+        PORTL_AUTH_PROVIDER: 'clerk',
+        PORTL_AUTH_CLERK_PUBLISHABLE_KEY: publishableKey,
+        PORTL_AUTH_CLERK_SECRET_KEY: secretKey,
+      },
+    };
+  }
+
+  if (provider.value === 'auth0') {
+    const domain = await askNonEmpty(rl, 'Auth0 domain', '');
+    const clientId = await askNonEmpty(rl, 'Auth0 client id', '');
+    const clientSecret = await askNonEmpty(rl, 'Auth0 client secret', '');
+    return {
+      providerId: provider.value,
+      category: 'auth',
+      config: { domain, clientId, clientSecret },
+      envTemplate: {
+        PORTL_AUTH_PROVIDER: 'auth0',
+        PORTL_AUTH_AUTH0_DOMAIN: domain,
+        PORTL_AUTH_AUTH0_CLIENT_ID: clientId,
+        PORTL_AUTH_AUTH0_CLIENT_SECRET: clientSecret,
+      },
+    };
+  }
+
+  const url = await askNonEmpty(rl, 'Supabase auth URL', 'https://YOUR-PROJECT.supabase.co');
+  const anonKey = await askNonEmpty(rl, 'Supabase anon key', '');
+  const serviceRoleKey = quickMode ? '' : await ask(rl, 'Supabase service role key (optional)', '');
+
+  return {
+    providerId: provider.value,
+    category: 'auth',
+    config: {
+      url,
+      anonKey,
+      serviceRoleKey: serviceRoleKey || null,
+    },
+    envTemplate: {
+      PORTL_AUTH_PROVIDER: 'supabase.auth',
+      PORTL_AUTH_SUPABASE_URL: url,
+      PORTL_AUTH_SUPABASE_ANON_KEY: anonKey,
+      PORTL_AUTH_SUPABASE_SERVICE_ROLE_KEY: serviceRoleKey,
+    },
+  };
+}
+
+function buildConfigFile({ projectId, apiBaseUrl, integrations }) {
+  return {
+    $schema: 'https://docs.portl.dev/schema/portl.config.json',
+    projectId,
+    generatedAt: new Date().toISOString(),
+    api: {
+      baseUrl: apiBaseUrl,
+    },
+    integrations: integrations.map((integration) => ({
+      key: integration.category,
+      providerId: integration.providerId,
+      category: integration.category,
+      config: integration.config,
+    })),
+  };
+}
+
+function buildEnvTemplate({ apiBaseUrl, apiKey, projectId, envEntries }) {
+  const lines = [];
+  lines.push('# Portl environment template');
+  lines.push('# Generated by: npx @portl/cli init (or `finns init`)');
+  lines.push('');
+  lines.push(`PORTL_API_BASE_URL=${apiBaseUrl}`);
+  lines.push(`PORTL_PROJECT_ID=${projectId}`);
+  lines.push(`PORTL_API_KEY=${apiKey || 'ik_replace_with_your_key'}`);
+  lines.push('');
+  lines.push('# Integrations');
+
+  for (const [key, value] of Object.entries(envEntries)) {
+    lines.push(`${key}=${value ?? ''}`);
+  }
+
+  lines.push('');
+  lines.push('# Security note: rotate secrets before production use.');
+  return `${lines.join('\n')}\n`;
+}
+
+async function writeFiles(cwd, configData, envTemplate) {
+  const configPath = path.join(cwd, 'portl.config.json');
+  const envTemplatePath = path.join(cwd, '.env.portl.template');
+
+  await fs.writeFile(configPath, `${JSON.stringify(configData, null, 2)}\n`, 'utf8');
+  await fs.writeFile(envTemplatePath, envTemplate, 'utf8');
+
+  return { configPath, envTemplatePath };
+}
+
+function resolveDefaultWebhookUrl(providerSlug) {
+  const base =
+    process.env.PORTL_WEBHOOK_BASE_URL ||
+    process.env.PORTL_PUBLIC_URL ||
+    process.env.PORTL_APP_URL ||
+    process.env.API_BASE_URL ||
+    'http://localhost:7130';
+
+  const normalizedBase = String(base)
+    .replace(/\/+$/, '')
+    .replace(/\/api$/, '');
+  return `${normalizedBase}/api/webhooks/${providerSlug}`;
+}
+
+async function updateEnvTemplateValues(cwd, entries) {
+  const envTemplatePath = path.join(cwd, '.env.portl.template');
+  let existing = '';
+
+  try {
+    existing = await fs.readFile(envTemplatePath, 'utf8');
+  } catch {
+    existing = '# Portl environment template\n\n';
+  }
+
+  const lines = existing.split('\n');
+  const lineIndexByKey = new Map();
+
+  lines.forEach((line, index) => {
+    const separatorIndex = line.indexOf('=');
+    if (separatorIndex > 0) {
+      lineIndexByKey.set(line.slice(0, separatorIndex).trim(), index);
+    }
+  });
+
+  for (const [key, value] of Object.entries(entries)) {
+    const formatted = `${key}=${value ?? ''}`;
+    const existingIndex = lineIndexByKey.get(key);
+    if (existingIndex !== undefined) {
+      lines[existingIndex] = formatted;
+    } else {
+      lines.push(formatted);
+    }
+  }
+
+  await fs.writeFile(envTemplatePath, `${lines.join('\n').replace(/\n+$/, '\n')}\n`, 'utf8');
+  return envTemplatePath;
+}
+
+async function updatePortlIntegrationConfig(cwd, category, providerId, configPatch) {
+  const configPath = path.join(cwd, 'portl.config.json');
+
+  try {
+    const raw = await fs.readFile(configPath, 'utf8');
+    const configData = JSON.parse(raw);
+
+    if (!Array.isArray(configData.integrations)) {
+      return null;
+    }
+
+    const integration = configData.integrations.find(
+      (entry) => entry?.category === category || entry?.providerId === providerId
+    );
+
+    if (!integration) {
+      return null;
+    }
+
+    integration.providerId = providerId;
+    integration.category = category;
+    integration.config = {
+      ...(integration.config || {}),
+      ...configPatch,
+    };
+
+    await fs.writeFile(configPath, `${JSON.stringify(configData, null, 2)}\n`, 'utf8');
+    return configPath;
+  } catch {
+    return null;
+  }
+}
+
+function buildGitHubActionsWorkflow({ repository, branch, workflowPath, nodeVersion = '22' }) {
+  const defaultBranch = branch?.trim() || 'main';
+  const targetRepository = repository?.trim() || 'owner/repo';
+  const targetPath = workflowPath?.trim() || '.github/workflows/portl.yml';
+
+  return `name: Portl CI
+
+on:
+  push:
+    branches: ["${defaultBranch}"]
+  pull_request:
+    branches: ["${defaultBranch}"]
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${nodeVersion}
+          cache: npm
+      - name: Install dependencies
+        run: npm install
+      - name: Build
+        run: npm run build
+
+# Generated by Portl for ${targetRepository}
+# Save as ${targetPath}
+`;
+}
+
+function resolveGitHubActionsIntegrationConfig(configData) {
+  const integrations = Array.isArray(configData?.integrations) ? configData.integrations : [];
+  return integrations.find((integration) => integration?.providerId === 'github.actions') || null;
+}
+
+function resolvePaymentsIntegrationConfig(configData, providerId) {
+  const integrations = Array.isArray(configData?.integrations) ? configData.integrations : [];
+  return integrations.find((integration) => integration?.providerId === providerId) || null;
+}
+
+async function writeGitHubActionsWorkflow(cwd, workflowPath, content, { force = false } = {}) {
+  const normalizedPath = workflowPath?.trim() || '.github/workflows/portl.yml';
+  const absolutePath = path.resolve(cwd, normalizedPath);
+  const directory = path.dirname(absolutePath);
+
+  await fs.mkdir(directory, { recursive: true });
+
+  let existed = false;
+  if (!force) {
+    try {
+      await fs.access(absolutePath);
+      existed = true;
+    } catch {
+      existed = false;
+    }
+  }
+
+  await fs.writeFile(absolutePath, content, 'utf8');
+  return { absolutePath, existed };
+}
+
+async function maybeBootstrapGitHubActionsFromInit(rl, cwd, integrations) {
+  const cicdIntegration = integrations.find(
+    (integration) => integration.providerId === 'github.actions'
+  );
+  if (!cicdIntegration) {
+    return null;
+  }
+
+  const repository = String(cicdIntegration.config?.repository || '').trim();
+  const workflowPath =
+    String(cicdIntegration.config?.workflowPath || '').trim() || '.github/workflows/portl.yml';
+  const branch = String(cicdIntegration.config?.branch || '').trim() || 'main';
+
+  const shouldWrite = isYes(await ask(rl, `Write ${workflowPath} into this repo now? [Y/n]`, 'y'));
+
+  if (!shouldWrite) {
+    return null;
+  }
+
+  let force = false;
+  try {
+    await fs.access(path.resolve(cwd, workflowPath));
+    force = isYes(await ask(rl, `${workflowPath} already exists. Overwrite it? [y/N]`, 'n'), false);
+    if (!force) {
+      console.log(c(`Skipped workflow write for ${workflowPath}.`, ANSI.dim));
+      return null;
+    }
+  } catch {
+    // File does not exist; continue.
+  }
+
+  const workflowContent = buildGitHubActionsWorkflow({
+    repository,
+    branch,
+    workflowPath,
+  });
+
+  const result = await writeGitHubActionsWorkflow(cwd, workflowPath, workflowContent, { force });
+  console.log(
+    `  ${c('✓', ANSI.green)} GitHub Actions workflow: ${path.relative(cwd, result.absolutePath)}`
+  );
+  return result;
+}
+
+async function createStripeWebhookEndpoint({ secretKey, webhookUrl, enabledEvents, description }) {
+  const form = new URLSearchParams();
+  form.set('url', webhookUrl);
+  form.set('description', description);
+
+  for (const eventName of enabledEvents) {
+    form.append('enabled_events[]', eventName);
+  }
+
+  const response = await fetch('https://api.stripe.com/v1/webhook_endpoints', {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${secretKey}`,
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: form.toString(),
+  });
+
+  const text = await response.text();
+  const data = text ? JSON.parse(text) : null;
+
+  if (!response.ok) {
+    const message =
+      data?.error?.message || `Stripe webhook create failed with status ${response.status}`;
+    throw new Error(message);
+  }
+
+  return data;
+}
+
+async function OLD_runInit_DEPRECATED() {
+  const rl = readline.createInterface({ input, output });
+
+  try {
+    console.log(c(PORTL_ASCII, ANSI.cyan));
+    console.log(`${c('Portl setup wizard', ANSI.bold)} ${c('- Fase 2', ANSI.dim)}\n`);
+
+    const quickMode = isYes(await ask(rl, 'Quick mode (recommended, fewer fields)? [Y/n]', 'y'));
+    const existingConfig = await readExistingPortlConfig(process.cwd());
+    const projectId = await askNonEmpty(rl, 'Project name/id', 'local');
+    const apiBaseUrl = quickMode
+      ? 'http://localhost:7130/api'
+      : await askNonEmpty(rl, 'Portl API base URL', 'http://localhost:7130/api');
+    if (quickMode) {
+      console.log(c(`Using default Portl API base URL: ${apiBaseUrl}`, ANSI.dim));
+    }
+    const runMode = await chooseOption(rl, 'Execution mode', [
+      { label: 'Generate files only (recommended)', value: 'files-only' },
+      { label: 'Generate + validate/connect live in backend', value: 'connect-live' },
+    ]);
+
+    let shouldConnectNow = runMode.value === 'connect-live';
+    let apiKey = '';
+    if (shouldConnectNow) {
+      const detectedApiKey = await resolveBackendApiKey(process.cwd());
+      if (detectedApiKey) {
+        apiKey = detectedApiKey;
+        console.log(c('Using ACCESS_API_KEY from shell or local .env', ANSI.dim));
+      } else {
+        console.log(
+          c(
+            'No ACCESS_API_KEY found in local .env. You can paste one now, or continue files-only.',
+            ANSI.yellow
+          )
+        );
+        const enteredApiKey = await ask(rl, 'ACCESS_API_KEY (optional, press Enter to skip)', '');
+        if (enteredApiKey.trim()) {
+          apiKey = enteredApiKey.trim();
+        } else {
+          shouldConnectNow = false;
+          console.log(c('Continuing in files-only mode.', ANSI.dim));
+        }
+      }
+    } else {
+      const detectedApiKey = await resolveBackendApiKey(process.cwd());
+      if (detectedApiKey) {
+        apiKey = detectedApiKey;
+      }
+    }
+
+    const selectedCapabilities = await chooseMultipleOptions(
+      rl,
+      'Capabilities to configure',
+      [
+        { label: 'Database', value: 'database' },
+        { label: 'Storage', value: 'storage' },
+        { label: 'Payments (paywall/checkouts)', value: 'payments' },
+        { label: 'CI/CD', value: 'cicd' },
+        { label: 'Auth', value: 'auth' },
+      ],
+      ['database', 'storage']
+    );
+
+    const collectors = {
+      database: {
+        label: 'Database',
+        run: () =>
+          collectDatabaseConfig(rl, {
+            enableLiveActions: shouldConnectNow,
+            apiKey,
+            apiBaseUrl,
+            projectId,
+            redirectUri:
+              process.env.PORTL_OAUTH_CLI_REDIRECT_URI ||
+              process.env.PROVIDERS_OAUTH_DEFAULT_REDIRECT_URI,
+            autoOpenOAuth: true,
+            existingIntegration: findExistingIntegration(existingConfig, 'database'),
+          }),
+      },
+      storage: {
+        label: 'Storage',
+        run: () =>
+          collectStorageConfig(rl, quickMode, {
+            apiKey,
+            apiBaseUrl,
+            projectId,
+            existingIntegration: findExistingIntegration(existingConfig, 'storage'),
+          }),
+      },
+      payments: {
+        label: 'Payments',
+        run: () =>
+          collectPaymentsConfig(rl, quickMode, {
+            existingIntegration: findExistingIntegration(existingConfig, 'payments'),
+          }),
+      },
+      cicd: {
+        label: 'CI/CD',
+        run: () =>
+          collectCiCdConfig(rl, quickMode, {
+            existingIntegration: findExistingIntegration(existingConfig, 'cicd'),
+          }),
+      },
+      auth: {
+        label: 'Auth',
+        run: () =>
+          collectAuthConfig(rl, quickMode, {
+            existingIntegration: findExistingIntegration(existingConfig, 'auth'),
+          }),
+      },
+    };
+
+    const integrations = [];
+    const totalSteps = selectedCapabilities.length + 1;
+    let currentStep = 1;
+
+    for (const capability of selectedCapabilities) {
+      const collector = collectors[capability.value];
+      if (!collector) {
+        continue;
+      }
+
+      console.log(`\n${c(`Step ${currentStep}/${totalSteps}`, ANSI.bold)} - ${collector.label}`);
+      currentStep += 1;
+      const integration = await collector.run();
+      if (integration) {
+        integrations.push(integration);
+      }
+    }
+
+    const envEntries = integrations.reduce((acc, integration) => {
+      return { ...acc, ...integration.envTemplate };
+    }, {});
+
+    console.log(`\n${c(`Step ${totalSteps}/${totalSteps}`, ANSI.bold)} - Summary`);
+    if (integrations.length === 0) {
+      console.log(`  - ${c('No integrations selected (or all skipped).', ANSI.yellow)}`);
+    } else {
+      integrations.forEach((integration) => {
+        const isConnectable =
+          SUPPORTED_PROVIDER_IDS.has(integration.providerId) && integration.connectable !== false;
+        console.log(
+          `  - ${integration.category}: ${c(integration.providerId, ANSI.bold)} ${
+            isConnectable ? c('connectable', ANSI.green) : c('template-only', ANSI.yellow)
+          }`
+        );
+      });
+    }
+
+    const connectableIntegrations = integrations.filter(
+      (integration) =>
+        SUPPORTED_PROVIDER_IDS.has(integration.providerId) && integration.connectable !== false
+    );
+
+    let validationResults = [];
+    if (shouldConnectNow && apiKey && connectableIntegrations.length > 0) {
+      const shouldValidate = isYes(await ask(rl, 'Validate providers against API now? [Y/n]', 'y'));
+
+      if (shouldValidate) {
+        console.log(`\n${c('Validating integrations...', ANSI.bold)}`);
+        validationResults = await Promise.all(
+          connectableIntegrations.map(async (integration) => {
+            try {
+              const data = await portlRequest(apiBaseUrl, '/providers/validate', 'POST', apiKey, {
+                providerId: integration.providerId,
+                config: integration.config,
+              });
+              console.log(
+                `  ${c('✓', ANSI.green)} ${integration.providerId}: ${data.status || 'connected'}`
+              );
+              return { providerId: integration.providerId, ok: data.status === 'connected' };
+            } catch (error) {
+              const message = error instanceof Error ? error.message : 'Validation failed';
+              console.log(`  ${c('x', ANSI.red)} ${integration.providerId}: ${message}`);
+              return { providerId: integration.providerId, ok: false, error: message };
+            }
+          })
+        );
+      }
+    }
+
+    if (shouldConnectNow && apiKey && connectableIntegrations.length > 0) {
+      const allValid =
+        validationResults.length === 0 || validationResults.every((result) => result.ok);
+      const shouldConnect = allValid
+        ? isYes(await ask(rl, 'Connect providers in Portl backend now? [Y/n]', 'y'))
+        : isYes(await ask(rl, 'Some validations failed. Try connect anyway? [y/N]', 'n'), false);
+
+      if (shouldConnect) {
+        console.log(`\n${c('Connecting providers...', ANSI.bold)}`);
+        for (const integration of connectableIntegrations) {
+          try {
+            const response = await portlRequest(apiBaseUrl, '/providers/connect', 'POST', apiKey, {
+              providerId: integration.providerId,
+              projectId,
+              config: integration.config,
+            });
+            const status = response?.instance?.connectionStatus || 'connected';
+            console.log(`  ${c('✓', ANSI.green)} ${integration.providerId}: ${status}`);
+          } catch (error) {
+            const message = error instanceof Error ? error.message : 'Connection failed';
+            console.log(`  ${c('x', ANSI.red)} ${integration.providerId}: ${message}`);
+          }
+        }
+      }
+    }
+
+    if (!shouldConnectNow) {
+      console.log(
+        c(
+          '\nSkipped live backend validation/connect. You can connect later from UI or rerun with ACCESS_API_KEY.',
+          ANSI.dim
+        )
+      );
+    }
+
+    const configFile = buildConfigFile({
+      projectId,
+      apiBaseUrl,
+      integrations,
+    });
+    const envTemplate = buildEnvTemplate({
+      apiBaseUrl,
+      apiKey,
+      projectId,
+      envEntries,
+    });
+
+    const { configPath, envTemplatePath } = await writeFiles(
+      process.cwd(),
+      configFile,
+      envTemplate
+    );
+
+    await maybeBootstrapGitHubActionsFromInit(rl, process.cwd(), integrations);
+
+    console.log(`\n${c('Done.', ANSI.green)} Files generated:`);
+    console.log(`  - ${path.basename(configPath)}`);
+    console.log(`  - ${path.basename(envTemplatePath)}`);
+    console.log(`\n${c('Next:', ANSI.bold)} connect your agent with MCP and start building.`);
+  } finally {
+    rl.close();
+  }
+}
+
+function runLink() {
+  const projectId =
+    getArgValue('--project-id') || getArgValue('-p') || process.env.PORTL_PROJECT_ID || null;
+
+  if (!projectId) {
+    console.error(c('Missing --project-id for `portl link`.', ANSI.red));
+    process.exit(1);
+  }
+
+  console.log(c('Portl project linked', ANSI.green));
+  console.log(`Project ID: ${projectId}`);
+  console.log('Use `portl init` (or `finns init`) to configure providers.');
+}
+
+async function runConnect() {
+  const target = (args[0] || '').trim().toLowerCase();
+  if (target !== 'supabase') {
+    console.error(
+      c(
+        'Usage: portl connect supabase [--project-id <id>] [--redirect-uri <url>] [--no-open] [--no-wait]',
+        ANSI.red
+      )
+    );
+    process.exit(1);
+  }
+
+  const cwd = process.cwd();
+  const projectId = getArgValue('--project-id') || process.env.PORTL_PROJECT_ID || 'local';
+  const apiBaseUrl =
+    getArgValue('--api-base-url') || process.env.PORTL_API_BASE_URL || 'http://localhost:7130/api';
+  const apiOrigin = resolveApiOrigin(apiBaseUrl);
+  const redirectUri =
+    getArgValue('--redirect-uri') ||
+    process.env.PORTL_OAUTH_CLI_REDIRECT_URI ||
+    `${apiOrigin}/api/providers/oauth/cli/result`;
+  const apiKey = getArgValue('--api-key') || (await resolveBackendApiKey(cwd));
+  const verbose = hasFlag('--verbose');
+  const shouldAutoOpen = !hasFlag('--no-open');
+  const shouldWait = !hasFlag('--no-wait');
+
+  if (!apiKey) {
+    console.error(c('Missing ACCESS_API_KEY for OAuth start.', ANSI.red));
+    console.error(
+      c(
+        'Set ACCESS_API_KEY in .env or pass --api-key <value>. This is your Portl backend key.',
+        ANSI.yellow
+      )
+    );
+    process.exit(1);
+  }
+
+  const startedAt = Date.now();
+  const response = await startSupabaseOAuthRequest({
+    apiBaseUrl,
+    apiKey,
+    projectId,
+    redirectUri,
+  });
+
+  console.log(c('Supabase OAuth link generated', ANSI.green));
+  console.log(formatTerminalLink('Open Supabase OAuth', response.authorizeUrl));
+  console.log(response.authorizeUrl);
+
+  if (shouldAutoOpen) {
+    const openResult = await tryOpenBrowser(response.authorizeUrl);
+    if (openResult.opened) {
+      console.log(c('Opened your browser automatically.', ANSI.dim));
+    } else {
+      console.log(
+        c(`Could not open browser automatically (${openResult.command || 'open'}).`, ANSI.yellow)
+      );
+      console.log(c('If it did not open, enter using this link:', ANSI.dim));
+      console.log(response.authorizeUrl);
+    }
+  } else {
+    console.log(c('Auto-open disabled (--no-open). Open the link manually.', ANSI.dim));
+  }
+
+  if (shouldWait) {
+    console.log(c('Waiting for OAuth callback confirmation...', ANSI.dim));
+    const connection = await waitForSupabaseOAuthConnection({
+      apiBaseUrl,
+      apiKey,
+      projectId,
+      startedAt,
+    });
+
+    if (connection) {
+      console.log(c('Supabase OAuth confirmed.', ANSI.green));
+      if (connection.externalProjectRef) {
+        console.log(`Project ref: ${connection.externalProjectRef}`);
+      }
+
+      const projectListing = await fetchSupabaseProjects({
+        apiBaseUrl,
+        apiKey,
+        projectId,
+      });
+      const projects = Array.isArray(projectListing?.projects) ? projectListing.projects : [];
+      if (projects.length > 1) {
+        const promptRl = readline.createInterface({ input, output });
+        try {
+          const selected = await chooseNamedOption(
+            promptRl,
+            'Choose Supabase project',
+            projects.map((project) => ({
+              value: project.ref || project.id || 'unknown',
+              label: `${project.name || project.ref || project.id || 'Unnamed'} ${c(`(${project.ref || project.id || 'unknown'})`, ANSI.dim)}`,
+            }))
+          );
+
+          const currentRef = projectListing?.selectedProjectRef || connection.externalProjectRef;
+          if (selected.value && selected.value !== currentRef) {
+            const selectionResult = await selectSupabaseProject({
+              apiBaseUrl,
+              apiKey,
+              projectId,
+              projectRef: selected.value,
+            });
+            console.log(c('Supabase project selected.', ANSI.green));
+            console.log(`Project ref: ${selectionResult.projectRef}`);
+          }
+        } finally {
+          promptRl.close();
+        }
+      }
+    } else {
+      console.log(
+        c(
+          'Timeout waiting for callback. If consent is done, re-run status check from dashboard.',
+          ANSI.yellow
+        )
+      );
+    }
+  } else {
+    console.log(c('No wait mode enabled (--no-wait).', ANSI.dim));
+  }
+
+  if (verbose) {
+    console.log(`Project: ${projectId}`);
+    console.log(`Callback URL: ${response.callbackUrl}`);
+    console.log(`Redirect URL: ${redirectUri}`);
+  }
+  console.log(c('Complete consent in browser, then return to terminal.', ANSI.dim));
+}
+
+async function runBootstrap() {
+  const target = (args[0] || '').trim().toLowerCase();
+  if (
+    target !== 'github-actions' &&
+    target !== 'stripe-webhook' &&
+    target !== 'mercadopago-webhook'
+  ) {
+    console.error(
+      c('Usage: portl bootstrap github-actions|stripe-webhook|mercadopago-webhook ...', ANSI.red)
+    );
+    process.exit(1);
+  }
+
+  const cwd = process.cwd();
+  const existingConfig = await readExistingPortlConfig(cwd);
+  const force = hasFlag('--force');
+
+  if (target === 'github-actions') {
+    const existingIntegration = resolveGitHubActionsIntegrationConfig(existingConfig);
+    const repository =
+      getArgValue('--repository') ||
+      existingIntegration?.config?.repository ||
+      process.env.PORTL_CICD_REPOSITORY ||
+      '';
+    const workflowPath =
+      getArgValue('--workflow-path') ||
+      existingIntegration?.config?.workflowPath ||
+      process.env.PORTL_CICD_WORKFLOW_PATH ||
+      '.github/workflows/portl.yml';
+    const branch = getArgValue('--branch') || existingIntegration?.config?.branch || 'main';
+
+    if (!String(repository).trim()) {
+      console.error(
+        c(
+          'Missing repository. Pass --repository owner/repo or configure github.actions in portl.config.json.',
+          ANSI.red
+        )
+      );
+      process.exit(1);
+    }
+
+    const workflowContent = buildGitHubActionsWorkflow({
+      repository: String(repository),
+      branch: String(branch),
+      workflowPath: String(workflowPath),
+    });
+
+    if (!force) {
+      try {
+        await fs.access(path.resolve(cwd, String(workflowPath)));
+        console.error(
+          c(`${workflowPath} already exists. Re-run with --force to overwrite.`, ANSI.yellow)
+        );
+        process.exit(1);
+      } catch {
+        // File does not exist; continue.
+      }
+    }
+
+    const result = await writeGitHubActionsWorkflow(cwd, String(workflowPath), workflowContent, {
+      force,
+    });
+
+    console.log(c('GitHub Actions workflow generated', ANSI.green));
+    console.log(`Repository: ${repository}`);
+    console.log(`Path: ${path.relative(cwd, result.absolutePath)}`);
+    console.log(c('Next: commit the workflow and let your agent build on top of it.', ANSI.dim));
+    return;
+  }
+
+  if (target === 'stripe-webhook') {
+    const existingIntegration = resolvePaymentsIntegrationConfig(existingConfig, 'stripe');
+    const secretKey =
+      getArgValue('--secret-key') ||
+      existingIntegration?.config?.secretKey ||
+      process.env.PORTL_PAYMENTS_STRIPE_SECRET_KEY ||
+      '';
+    const webhookUrl =
+      getArgValue('--webhook-url') ||
+      existingIntegration?.config?.webhookUrl ||
+      resolveDefaultWebhookUrl('stripe');
+    const enabledEvents = (
+      getArgValue('--events') ||
+      'checkout.session.completed,checkout.session.async_payment_succeeded,payment_intent.succeeded,payment_intent.payment_failed'
+    )
+      .split(',')
+      .map((value) => value.trim())
+      .filter(Boolean);
+
+    if (!String(secretKey).trim()) {
+      console.error(
+        c(
+          'Missing Stripe secret key. Pass --secret-key or configure stripe in portl.config.json.',
+          ANSI.red
+        )
+      );
+      process.exit(1);
+    }
+
+    const webhook = await createStripeWebhookEndpoint({
+      secretKey: String(secretKey),
+      webhookUrl: String(webhookUrl),
+      enabledEvents,
+      description: 'Portl webhook endpoint',
+    });
+
+    await updatePortlIntegrationConfig(cwd, 'payments', 'stripe', {
+      webhookUrl: webhook.url,
+      webhookSecret: webhook.secret,
+      webhookEndpointId: webhook.id,
+      enabledEvents: webhook.enabled_events || enabledEvents,
+    });
+    await updateEnvTemplateValues(cwd, {
+      PORTL_PAYMENTS_STRIPE_WEBHOOK_URL: webhook.url,
+      PORTL_PAYMENTS_STRIPE_WEBHOOK_SECRET: webhook.secret || '',
+      PORTL_PAYMENTS_STRIPE_WEBHOOK_ID: webhook.id || '',
+    });
+
+    console.log(c('Stripe webhook created', ANSI.green));
+    console.log(`Webhook URL: ${webhook.url}`);
+    console.log(`Webhook ID: ${webhook.id}`);
+    console.log(c('Webhook secret synced into .env.portl.template.', ANSI.dim));
+    return;
+  }
+
+  const existingIntegration = resolvePaymentsIntegrationConfig(existingConfig, 'mercadopago');
+  const webhookUrl =
+    getArgValue('--webhook-url') ||
+    existingIntegration?.config?.webhookUrl ||
+    resolveDefaultWebhookUrl('mercadopago');
+  const topics = (getArgValue('--topics') || 'payment')
+    .split(',')
+    .map((value) => value.trim())
+    .filter(Boolean);
+
+  await updatePortlIntegrationConfig(cwd, 'payments', 'mercadopago', {
+    webhookUrl,
+    topics,
+  });
+  await updateEnvTemplateValues(cwd, {
+    PORTL_PAYMENTS_MP_WEBHOOK_URL: webhookUrl,
+    PORTL_PAYMENTS_MP_WEBHOOK_TOPICS: topics.join(','),
+  });
+
+  console.log(c('MercadoPago webhook scaffold prepared', ANSI.green));
+  console.log(`Webhook URL: ${webhookUrl}`);
+  console.log(`Topics: ${topics.join(', ')}`);
+  console.log(
+    c(
+      'Next: register this URL in Your Integrations > Notifications in Mercado Pago dashboard.',
+      ANSI.dim
+    )
+  );
+}
+
+async function main() {
+  if (!command || command === '--help' || command === '-h') {
+    showHelp();
+    process.exit(0);
+  }
+
+  if (command === 'init') {
+    const rl = readline.createInterface({ input, output });
+    try {
+      await runInit(rl);
+    } finally {
+      rl.close();
+    }
+    process.exit(0);
+  }
+
+  if (command === 'connect') {
+    await runConnect();
+    process.exit(0);
+  }
+
+  if (command === 'bootstrap') {
+    await runBootstrap();
+    process.exit(0);
+  }
+
+  if (command === 'link') {
+    runLink();
+    process.exit(0);
+  }
+
+  console.error(c(`Unknown command: ${command}`, ANSI.red));
+  showHelp();
+  process.exit(1);
+}
+
+main().catch((error) => {
+  console.error(
+    c(`\nPortl CLI failed: ${error instanceof Error ? error.message : String(error)}`, ANSI.red)
+  );
+  process.exit(1);
+});
+
+// Export utility functions for use by init command
+export { 
+  startSupabaseOAuthRequest, 
+  waitForSupabaseOAuthConnection,
+  tryOpenBrowser,
+};
+