@selvajs/cli 2.0.0

package/src/env.js

@@ -0,0 +1,93 @@
+// Minimal .env parser / serializer.
+//
+// We don't pull in dotenv: the runtime already loads .env via node --env-file,
+// and the CLI's needs are simpler than dotenv supports (no shell expansion, no
+// multiline values). Keeping it in-tree means one less dep to vet.
+
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+
+// Parse a .env file into { key: value }. Preserves nothing else.
+export function parseEnv(text) {
+	const out = {};
+	for (const rawLine of text.split(/\r?\n/)) {
+		const line = rawLine.trim();
+		if (!line || line.startsWith('#')) continue;
+		const eq = line.indexOf('=');
+		if (eq === -1) continue;
+		const key = line.slice(0, eq).trim();
+		let value = line.slice(eq + 1).trim();
+		if (
+			(value.startsWith('"') && value.endsWith('"')) ||
+			(value.startsWith("'") && value.endsWith("'"))
+		) {
+			value = value.slice(1, -1);
+		}
+		out[key] = value;
+	}
+	return out;
+}
+
+export function readEnvFile(path) {
+	if (!existsSync(path)) return {};
+	return parseEnv(readFileSync(path, 'utf8'));
+}
+
+// Re-serialize a .env file. Comments + section structure from `template` are
+// preserved; lines whose key appears in `values` get rewritten in-place. Keys
+// in `values` but absent from the template are appended at the end.
+//
+// Lines beginning with `# KEY=...` (commented examples) are treated as
+// suggestions and left alone; the actual value (if any) goes uncommented.
+export function mergeEnv(template, values) {
+	const seen = new Set();
+	const lines = template.split(/\r?\n/);
+	const out = [];
+
+	for (const line of lines) {
+		const stripped = line.trim();
+		if (!stripped || stripped.startsWith('#')) {
+			out.push(line);
+			continue;
+		}
+		const eq = stripped.indexOf('=');
+		if (eq === -1) {
+			out.push(line);
+			continue;
+		}
+		const key = stripped.slice(0, eq).trim();
+		if (Object.prototype.hasOwnProperty.call(values, key)) {
+			out.push(`${key}=${quoteIfNeeded(values[key])}`);
+			seen.add(key);
+		} else {
+			out.push(line);
+		}
+	}
+
+	const appended = [];
+	for (const [key, value] of Object.entries(values)) {
+		if (seen.has(key)) continue;
+		if (value === undefined || value === null || value === '') continue;
+		appended.push(`${key}=${quoteIfNeeded(value)}`);
+	}
+
+	if (appended.length > 0) {
+		if (out.length > 0 && out[out.length - 1].trim() !== '') out.push('');
+		out.push('# ============================================================================');
+		out.push('# Additional values written by the Selva CLI');
+		out.push('# ============================================================================');
+		out.push(...appended);
+	}
+
+	return out.join('\n');
+}
+
+export function writeEnvFile(path, template, values) {
+	writeFileSync(path, mergeEnv(template, values), 'utf8');
+}
+
+function quoteIfNeeded(value) {
+	const s = String(value);
+	if (s === '') return '""';
+	if (/[\s"'#=]/.test(s)) return JSON.stringify(s);
+	return s;
+}

package/src/paths.js

@@ -0,0 +1,32 @@
+import { existsSync, readdirSync } from 'node:fs';
+import { resolve, join } from 'node:path';
+
+// A deployment directory must contain an .env and an ecosystem.config.cjs.
+// Anything else (selva.config.js, node_modules) is "should be there" but the
+// CLI doesn't require it — `selva init` is allowed to fix a partial install.
+export function isDeploymentDir(dir) {
+	return existsSync(join(dir, '.env')) || existsSync(join(dir, 'ecosystem.config.cjs'));
+}
+
+export function requireDeploymentDir(dir) {
+	if (!isDeploymentDir(dir)) {
+		throw new Error(
+			`Not a Selva deployment directory: ${dir}\n` +
+				`Expected to find .env or ecosystem.config.cjs here. ` +
+				`Run \`npx @selvajs/cli <dir>\` first, or cd into an existing deployment.`
+		);
+	}
+}
+
+export function resolveDeploymentDir(cwd = process.cwd()) {
+	return resolve(cwd);
+}
+
+export function isEmptyOrMissing(dir) {
+	if (!existsSync(dir)) return true;
+	try {
+		return readdirSync(dir).length === 0;
+	} catch {
+		return false;
+	}
+}

package/src/prompts.js

@@ -0,0 +1,575 @@
+// Shared prompt flow used by both `create` (fresh scaffold) and
+// `selva init` (reconfigure existing install). The two callers differ only in
+// what defaults are passed in and what gets written afterwards.
+
+import * as p from '@clack/prompts';
+import pc from 'picocolors';
+
+const TRUTHY = new Set(['true', '1', 'yes']);
+
+function envBool(v) {
+	if (v === undefined) return false;
+	return TRUTHY.has(String(v).toLowerCase());
+}
+
+// Non-interactive sibling of `collectConfig`. Reads everything from `env`
+// (defaults to process.env) so unattended bootstraps — Terraform startup
+// scripts, CI, Docker entrypoints — never touch a prompt. Same output shape
+// as `collectConfig` so the caller code in create.js doesn't branch further.
+//
+// Validation mirrors collectConfig's prompt-time checks. Anything missing or
+// malformed throws with the offending var name so the boot log makes the
+// fix obvious. We deliberately do NOT fall back to a "safe default" for
+// security-relevant fields (BOOTSTRAP_INSTANCE_ADMIN_EMAIL for header-auth /
+// multi-tenant, SUPABASE_SERVICE_ROLE_KEY when supabase is selected) — a
+// silently-misconfigured deploy is worse than a loud failure.
+export function collectConfigFromEnv(env = process.env) {
+	const tenancy = pick(env.SELVA_TENANCY, ['single', 'multi'], 'single', 'SELVA_TENANCY');
+	const auth = pick(
+		env.SELVA_AUTH_PROVIDER,
+		['local', 'supabase', 'header'],
+		'local',
+		'SELVA_AUTH_PROVIDER'
+	);
+	// Default data/storage to auth — matches the prompt's "use same provider
+	// for all three" default. Header-auth has no data layer, so it falls
+	// through to local unless explicitly overridden.
+	const dataDefault = auth === 'header' ? 'local' : auth;
+	const data = pick(
+		env.SELVA_DATA_PROVIDER,
+		['local', 'supabase'],
+		dataDefault,
+		'SELVA_DATA_PROVIDER'
+	);
+	const storage = pick(
+		env.SELVA_STORAGE_PROVIDER,
+		['local', 'supabase'],
+		dataDefault,
+		'SELVA_STORAGE_PROVIDER'
+	);
+
+	const values = {
+		SELVA_TENANCY: tenancy,
+		SELVA_AUTH_PROVIDER: auth,
+		SELVA_DATA_PROVIDER: data,
+		SELVA_STORAGE_PROVIDER: storage
+	};
+
+	// ── Provider-specific config ──────────────────────────────────────────
+	if (auth === 'local' || data === 'local' || storage === 'local') {
+		values.DATA_PATH = env.DATA_PATH || './.selva-data';
+	}
+
+	if (auth === 'supabase' || data === 'supabase' || storage === 'supabase') {
+		const url = requireEnv(env, 'SUPABASE_URL');
+		try {
+			new URL(url);
+		} catch {
+			throw new Error('SUPABASE_URL must be a valid URL.');
+		}
+		values.SUPABASE_URL = url;
+		values.SUPABASE_ANON_KEY = requireEnv(env, 'SUPABASE_ANON_KEY');
+		values.SUPABASE_SERVICE_ROLE_KEY = requireEnv(env, 'SUPABASE_SERVICE_ROLE_KEY');
+	}
+
+	if (auth === 'header') {
+		// Same loopback default as the prompt — header-auth without network
+		// isolation is the documented worst-case footgun.
+		values.HOST = env.HOST || '127.0.0.1';
+		if (data !== 'local') {
+			values.HEADER_AUTH_DATA_DIR = requireEnv(env, 'HEADER_AUTH_DATA_DIR');
+		} else if (env.HEADER_AUTH_DATA_DIR) {
+			values.HEADER_AUTH_DATA_DIR = env.HEADER_AUTH_DATA_DIR;
+		}
+		if (env.HEADER_AUTH_UPN_HEADER) values.HEADER_AUTH_UPN_HEADER = env.HEADER_AUTH_UPN_HEADER;
+		if (env.HEADER_AUTH_EMAIL_HEADER)
+			values.HEADER_AUTH_EMAIL_HEADER = env.HEADER_AUTH_EMAIL_HEADER;
+		if (env.HEADER_AUTH_DISPLAY_NAME_HEADER)
+			values.HEADER_AUTH_DISPLAY_NAME_HEADER = env.HEADER_AUTH_DISPLAY_NAME_HEADER;
+	}
+
+	// ── Bootstrap admin ──────────────────────────────────────────────────
+	const adminRequired = auth === 'header' || tenancy === 'multi';
+	const adminEmail = env.BOOTSTRAP_INSTANCE_ADMIN_EMAIL || '';
+	if (adminRequired && !adminEmail) {
+		throw new Error(
+			`BOOTSTRAP_INSTANCE_ADMIN_EMAIL is required for ${auth === 'header' ? 'header-auth' : 'multi-tenant'} deployments.`
+		);
+	}
+	if (adminEmail && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(adminEmail)) {
+		throw new Error('BOOTSTRAP_INSTANCE_ADMIN_EMAIL is not a valid email.');
+	}
+	values.BOOTSTRAP_INSTANCE_ADMIN_EMAIL = adminEmail;
+
+	// ── Reverse proxy ────────────────────────────────────────────────────
+	const origin = env.ORIGIN || '';
+	if (origin) {
+		try {
+			new URL(origin);
+		} catch {
+			throw new Error('ORIGIN must be a valid URL.');
+		}
+		if (origin.endsWith('/')) {
+			throw new Error('ORIGIN must not have a trailing slash.');
+		}
+	}
+	values.ORIGIN = origin;
+
+	// ── Feature flags ────────────────────────────────────────────────────
+	// Pass-through: any SELVA_FLAG_* var set on the environment is written
+	// verbatim. Unset flags get an empty string so the .env file still has
+	// a row for them (operator can flip later without editing structure).
+	const flagNames = [
+		'ALLOW_ORG_CREATION',
+		'ALLOW_CROSS_ORG_PUBLIC',
+		'ALLOW_ORG_COMPUTE_OVERRIDE',
+		'ENABLE_SHARING'
+	];
+	for (const f of flagNames) {
+		const key = `SELVA_FLAG_${f}`;
+		values[key] = envBool(env[key]) ? 'true' : '';
+	}
+
+	return values;
+}
+
+function pick(value, allowed, fallback, name) {
+	if (!value) return fallback;
+	if (!allowed.includes(value)) {
+		throw new Error(`${name} must be one of: ${allowed.join(', ')} (got "${value}").`);
+	}
+	return value;
+}
+
+function requireEnv(env, name) {
+	const v = env[name];
+	if (!v) throw new Error(`${name} is required.`);
+	return v;
+}
+
+// Runs the full interactive prompt sequence and returns a flat object of
+// env-var-name → value (string). The caller decides whether to merge with an
+// existing .env or write fresh.
+//
+// `defaults` is an existing env map (from .env, or {}). Anything present there
+// pre-populates the prompt so re-running is cheap.
+export async function collectConfig({ defaults = {}, mode = 'create' } = {}) {
+	const isInit = mode === 'init';
+
+	p.intro(pc.bgCyan(pc.black(isInit ? ' selva init ' : ' Selva — new deployment ')));
+
+	// Brand prompts (SELVA_BRAND_NAME / COPYRIGHT_NAME / TAGLINE / DESCRIPTION)
+	// are skipped for now — the runtime falls back to "Selva" defaults when
+	// these env vars are absent. To re-enable, add a brand prompt block here
+	// and write the values into `values` below.
+
+	// ── Tenancy ─────────────────────────────────────────────────────────
+	const tenancy = await p.select({
+		message: 'Tenancy mode',
+		initialValue: defaults.SELVA_TENANCY ?? 'single',
+		options: [
+			{
+				value: 'single',
+				label: 'single',
+				hint: 'one org per deployment (white-label)'
+			},
+			{
+				value: 'multi',
+				label: 'multi',
+				hint: 'orgs are first-class (SaaS-style)'
+			}
+		]
+	});
+	cancelOn(tenancy);
+
+	// ── Auth provider ───────────────────────────────────────────────────
+	const auth = await p.select({
+		message: 'Auth backend',
+		initialValue: defaults.SELVA_AUTH_PROVIDER ?? 'local',
+		options: [
+			{ value: 'local', label: 'local', hint: 'filesystem + HMAC sessions' },
+			{ value: 'supabase', label: 'supabase', hint: 'managed auth + Postgres + storage' },
+			{
+				value: 'header',
+				label: 'header',
+				hint: 'forward-auth via reverse proxy (Entra, oauth2-proxy, …)'
+			}
+		]
+	});
+	cancelOn(auth);
+
+	// Header-auth is auth-only — it has no data/storage to share. The user
+	// MUST pick a separate backend for those. Local is the sensible default
+	// pairing (same filesystem as the allowlist).
+	let data;
+	let storage;
+	if (auth === 'header') {
+		p.note(headerAuthSecurityWarning(), pc.yellow('⚠ Read before deploying'));
+
+		const dataChoice = await p.select({
+			message: 'Data backend (header-auth has none — pair with local or supabase)',
+			initialValue: defaults.SELVA_DATA_PROVIDER ?? 'local',
+			options: [
+				{ value: 'local', label: 'local', hint: 'filesystem JSON' },
+				{ value: 'supabase', label: 'supabase', hint: 'Postgres' }
+			]
+		});
+		cancelOn(dataChoice);
+		data = dataChoice;
+
+		const storageChoice = await p.select({
+			message: 'Storage backend',
+			initialValue: defaults.SELVA_STORAGE_PROVIDER ?? data,
+			options: [
+				{ value: 'local', label: 'local', hint: 'filesystem' },
+				{ value: 'supabase', label: 'supabase', hint: 'Supabase Storage' }
+			]
+		});
+		cancelOn(storageChoice);
+		storage = storageChoice;
+	} else {
+		// In practice operators almost always want data + storage on the same
+		// backend as auth. Ask once, default the others; let advanced users
+		// override.
+		const mixProviders = await p.confirm({
+			message: `Use ${pc.cyan(auth)} for data and storage too?`,
+			initialValue: pickSameProviderDefault(defaults, auth)
+		});
+		cancelOn(mixProviders);
+
+		data = auth;
+		storage = auth;
+		if (!mixProviders) {
+			const dataChoice = await p.select({
+				message: 'Data backend',
+				initialValue: defaults.SELVA_DATA_PROVIDER ?? auth,
+				options: [
+					{ value: 'local', label: 'local' },
+					{ value: 'supabase', label: 'supabase' }
+				]
+			});
+			cancelOn(dataChoice);
+			data = dataChoice;
+
+			const storageChoice = await p.select({
+				message: 'Storage backend',
+				initialValue: defaults.SELVA_STORAGE_PROVIDER ?? auth,
+				options: [
+					{ value: 'local', label: 'local' },
+					{ value: 'supabase', label: 'supabase' }
+				]
+			});
+			cancelOn(storageChoice);
+			storage = storageChoice;
+		}
+	}
+
+	// ── Provider-specific config ───────────────────────────────────────
+	const providerValues = {};
+	if (auth === 'local' || data === 'local' || storage === 'local') {
+		const dataPath = await p.text({
+			message: 'DATA_PATH — directory for users/orgs JSON + uploaded .gh files',
+			placeholder: './.selva-data',
+			initialValue: defaults.DATA_PATH ?? './.selva-data'
+		});
+		cancelOn(dataPath);
+		providerValues.DATA_PATH = String(dataPath);
+	}
+
+	if (auth === 'supabase' || data === 'supabase' || storage === 'supabase') {
+		const supabaseUrl = await p.text({
+			message: 'SUPABASE_URL',
+			placeholder: 'https://<project-ref>.supabase.co',
+			initialValue: defaults.SUPABASE_URL ?? '',
+			validate: (v) => {
+				if (!v) return 'Required for the Supabase provider.';
+				try {
+					new URL(v);
+				} catch {
+					return 'Must be a valid URL.';
+				}
+				return undefined;
+			}
+		});
+		cancelOn(supabaseUrl);
+
+		const supabaseAnon = await p.text({
+			message: 'SUPABASE_ANON_KEY (publishable)',
+			placeholder: 'sb_publishable_…',
+			initialValue: defaults.SUPABASE_ANON_KEY ?? '',
+			validate: (v) => (v ? undefined : 'Required.')
+		});
+		cancelOn(supabaseAnon);
+
+		const supabaseService = await p.password({
+			message: 'SUPABASE_SERVICE_ROLE_KEY (secret, server-only)',
+			validate: (v) => (v || defaults.SUPABASE_SERVICE_ROLE_KEY ? undefined : 'Required.')
+		});
+		cancelOn(supabaseService);
+
+		providerValues.SUPABASE_URL = String(supabaseUrl);
+		providerValues.SUPABASE_ANON_KEY = String(supabaseAnon);
+		providerValues.SUPABASE_SERVICE_ROLE_KEY = String(
+			supabaseService || defaults.SUPABASE_SERVICE_ROLE_KEY || ''
+		);
+	}
+
+	if (auth === 'header') {
+		// HEADER_AUTH_DATA_DIR is where header-allowlist.json lives. When the
+		// data provider is local, DATA_PATH is the natural home and we let
+		// the provider fall back to it. Only ask explicitly if data isn't
+		// local — otherwise there's no obvious default.
+		if (data !== 'local') {
+			const dataDir = await p.text({
+				message: 'HEADER_AUTH_DATA_DIR — directory for header-allowlist.json',
+				placeholder: './.selva-data',
+				initialValue: defaults.HEADER_AUTH_DATA_DIR ?? './.selva-data',
+				validate: (v) => (v ? undefined : 'Required when data provider is not local.')
+			});
+			cancelOn(dataDir);
+			providerValues.HEADER_AUTH_DATA_DIR = String(dataDir);
+		} else if (defaults.HEADER_AUTH_DATA_DIR) {
+			// Preserve an explicit override if the operator set one previously.
+			providerValues.HEADER_AUTH_DATA_DIR = defaults.HEADER_AUTH_DATA_DIR;
+		}
+
+		const customizeHeaders = await p.confirm({
+			message: 'Customize the trusted header names?',
+			initialValue: Boolean(
+				defaults.HEADER_AUTH_UPN_HEADER ||
+				defaults.HEADER_AUTH_EMAIL_HEADER ||
+				defaults.HEADER_AUTH_DISPLAY_NAME_HEADER
+			)
+		});
+		cancelOn(customizeHeaders);
+
+		if (customizeHeaders) {
+			const upn = await p.text({
+				message: 'HEADER_AUTH_UPN_HEADER',
+				placeholder: 'SELVA-UserPrincipalName',
+				initialValue: defaults.HEADER_AUTH_UPN_HEADER ?? ''
+			});
+			cancelOn(upn);
+			const email = await p.text({
+				message: 'HEADER_AUTH_EMAIL_HEADER',
+				placeholder: 'SELVA-Email',
+				initialValue: defaults.HEADER_AUTH_EMAIL_HEADER ?? ''
+			});
+			cancelOn(email);
+			const display = await p.text({
+				message: 'HEADER_AUTH_DISPLAY_NAME_HEADER',
+				placeholder: 'SELVA-DisplayName',
+				initialValue: defaults.HEADER_AUTH_DISPLAY_NAME_HEADER ?? ''
+			});
+			cancelOn(display);
+
+			providerValues.HEADER_AUTH_UPN_HEADER = stringValue(upn);
+			providerValues.HEADER_AUTH_EMAIL_HEADER = stringValue(email);
+			providerValues.HEADER_AUTH_DISPLAY_NAME_HEADER = stringValue(display);
+		}
+
+		// Header-auth deployments MUST bind to loopback. We don't force it
+		// (the operator might run inside a Docker network where the proxy
+		// reaches the container by service name), but we set HOST=127.0.0.1
+		// as the default and let them override.
+		const bindLoopback = await p.confirm({
+			message: 'Bind the app to 127.0.0.1 only? (recommended for header-auth)',
+			initialValue: !defaults.HOST || defaults.HOST === '127.0.0.1' || defaults.HOST === 'localhost'
+		});
+		cancelOn(bindLoopback);
+		providerValues.HOST = bindLoopback ? '127.0.0.1' : stringValue(defaults.HOST);
+	}
+
+	// ── Bootstrap admin ────────────────────────────────────────────────
+	// Two roles in one env var: (1) gate the "first-signup-becomes-admin"
+	// path to a specific email — required for multi-tenant so a random
+	// signup doesn't get Selva staff perms; (2) break-glass recovery if
+	// admin is lost to a backup restore / manual DB edit. The check ONLY
+	// runs while no admin exists yet, so leaving it set permanently is
+	// safe. Phrase the prompt differently per tenancy/auth-provider because
+	// the security implications differ.
+	if (auth === 'header') {
+		p.note(
+			[
+				'Header-auth has no /setup form. The first proxy-authenticated visit whose',
+				'email matches this var becomes ' +
+					pc.bold('instance admin') +
+					' automatically. Set it now so you',
+				'can claim admin on first visit — otherwise you will need to hand-edit JSON',
+				'files on the server to bootstrap.',
+				'',
+				pc.dim('Only consulted while no admin exists yet — safe to leave permanently set.')
+			].join('\n'),
+			'Bootstrap admin (required for header-auth)'
+		);
+	} else if (tenancy === 'multi') {
+		p.note(
+			[
+				'On a public multi-tenant instance, the FIRST user to sign in becomes',
+				pc.bold('Selva staff') + ' (every platform permission) unless you lock the bootstrap',
+				'to a specific email. Strongly recommended to set this — leave blank only',
+				'if you know what you are doing.',
+				'',
+				pc.dim('Also doubles as the recovery email if admin is ever lost.')
+			].join('\n'),
+			'Bootstrap admin'
+		);
+	} else {
+		p.note(
+			[
+				'OPTIONAL — leave blank to let the first user who completes /setup become',
+				'admin. Set it if you want only a specific email to be eligible (useful when',
+				'the URL is shared before setup, or as a recovery handle if admin is ever lost).',
+				'',
+				pc.dim('Only consulted while no admin exists yet — safe to leave permanently set.')
+			].join('\n'),
+			'Bootstrap admin (optional)'
+		);
+	}
+
+	const adminRequired = auth === 'header' || tenancy === 'multi';
+	const adminEmail = await p.text({
+		message: adminRequired
+			? 'Email allowed to claim admin on first signup'
+			: 'Email allowed to claim admin (leave blank to skip)',
+		placeholder: adminRequired ? 'you@your-org.com' : '(press Enter to skip)',
+		initialValue: defaults.BOOTSTRAP_INSTANCE_ADMIN_EMAIL ?? '',
+		validate: (v) => {
+			if (!v) {
+				// Blank is allowed in single-tenant non-header. Header-auth and
+				// multi-tenant both need the email — without it there is no
+				// supported path to first-admin (header-auth) or the first
+				// random signup gets staff perms (multi-tenant).
+				return adminRequired ? 'Required for this configuration.' : undefined;
+			}
+			if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)) return 'Not a valid email.';
+			return undefined;
+		}
+	});
+	cancelOn(adminEmail);
+
+	// ── Reverse proxy ──────────────────────────────────────────────────
+	const behindProxy = await p.confirm({
+		message: 'Behind a reverse proxy (Caddy, nginx, etc.)?',
+		initialValue: Boolean(defaults.ORIGIN)
+	});
+	cancelOn(behindProxy);
+
+	let origin = '';
+	if (behindProxy) {
+		const value = await p.text({
+			message: 'Public-facing origin (no trailing slash) — sets ORIGIN',
+			placeholder: 'https://your-domain.com',
+			initialValue: defaults.ORIGIN ?? '',
+			validate: (v) => {
+				if (!v) return 'Required when behind a proxy.';
+				try {
+					new URL(v);
+				} catch {
+					return 'Must be a valid URL.';
+				}
+				if (v.endsWith('/')) return 'Drop the trailing slash.';
+				return undefined;
+			}
+		});
+		cancelOn(value);
+		origin = String(value);
+	}
+
+	// ── Platform flags ─────────────────────────────────────────────────
+	const flagOptions = [
+		{
+			value: 'ALLOW_ORG_CREATION',
+			label: 'Allow non-admin users to create their own orgs',
+			hint: 'multi-tenant self-service'
+		},
+		{
+			value: 'ALLOW_CROSS_ORG_PUBLIC',
+			label: 'Public projects visible across all orgs',
+			hint: 'instance-wide discovery'
+		},
+		{
+			value: 'ALLOW_ORG_COMPUTE_OVERRIDE',
+			label: 'Orgs can configure their own Rhino.Compute server',
+			hint: 'BYO compute'
+		},
+		{
+			value: 'ENABLE_SHARING',
+			label: 'Per-definition share links (anonymous external access)',
+			hint: 'tokenized URLs'
+		}
+	];
+
+	const flagDefaults = flagOptions
+		.map((o) => o.value)
+		.filter((v) => envBool(defaults[`SELVA_FLAG_${v}`]));
+
+	const flags = await p.multiselect({
+		message: 'Platform feature flags (space to toggle, enter to confirm)',
+		options: flagOptions,
+		initialValues: flagDefaults,
+		required: false
+	});
+	cancelOn(flags);
+
+	// ── Done ───────────────────────────────────────────────────────────
+	const values = {
+		SELVA_TENANCY: tenancy,
+		SELVA_AUTH_PROVIDER: auth,
+		SELVA_DATA_PROVIDER: data,
+		SELVA_STORAGE_PROVIDER: storage,
+		BOOTSTRAP_INSTANCE_ADMIN_EMAIL: stringValue(adminEmail),
+		ORIGIN: origin,
+		...providerValues
+	};
+
+	for (const opt of flagOptions) {
+		const enabled = Array.isArray(flags) && flags.includes(opt.value);
+		values[`SELVA_FLAG_${opt.value}`] = enabled ? 'true' : '';
+	}
+
+	return values;
+}
+
+// `selva init` should default to "yes, same provider for all three" only when
+// the current .env already reflects that. If the operator deliberately split
+// auth and data, don't re-merge them on reconfigure.
+function pickSameProviderDefault(defaults, auth) {
+	const data = defaults.SELVA_DATA_PROVIDER ?? auth;
+	const storage = defaults.SELVA_STORAGE_PROVIDER ?? auth;
+	if (!defaults.SELVA_DATA_PROVIDER && !defaults.SELVA_STORAGE_PROVIDER) return true;
+	return data === auth && storage === auth;
+}
+
+function cancelOn(v) {
+	// @clack/prompts returns Symbol(clack:cancel) when the user hits Ctrl+C.
+	// p.isCancel() is the official API for detecting it.
+	if (p.isCancel(v)) {
+		p.cancel('Cancelled.');
+		process.exit(0);
+	}
+}
+
+function stringValue(v) {
+	if (v === undefined || v === null) return '';
+	return String(v);
+}
+
+// Shown once when the operator picks header-auth. The provider's README is
+// emphatic that the deployment IS the security boundary — none of these
+// invariants can be enforced at runtime, so we surface them up front.
+function headerAuthSecurityWarning() {
+	return [
+		'Header-auth trusts identity headers from the upstream proxy. Anyone who',
+		'reaches the app process directly can spoof them. You MUST ensure:',
+		'',
+		`  ${pc.bold('1.')} Network isolation — bind to 127.0.0.1 (or use a Unix socket / firewall).`,
+		`  ${pc.bold('2.')} Proxy-side auth — the proxy authenticates every request against the IdP.`,
+		`  ${pc.bold('3.')} Header scrubbing — the proxy strips inbound SELVA-* headers before adding`,
+		'     its own, otherwise a browser can spoof them alongside the real ones.',
+		'',
+		pc.dim('See packages/providers/header-auth/README.md for the full deployment checklist.')
+	].join('\n');
+}
+
+export { p as prompts, pc as colors };