@vibecodemax/cli 0.1.7 → 0.1.9

package/dist/cli.js

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 import * as fs from "node:fs";
 import * as path from "node:path";
-import { spawnSync } from "node:child_process";
+import { spawn, spawnSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
 import { checkS3Context, setupS3Storage } from "./storageS3.js";
 const SETUP_STATE_PATH = path.join(".vibecodemax", "setup-state.json");
 const SETUP_CONFIG_PATH = path.join(".vibecodemax", "setup-config.json");
@@ -23,6 +24,30 @@ const STORAGE_MIME_TYPES_BY_CATEGORY = {
     video: ["video/mp4", "video/webm", "video/quicktime"],
 };
 const STORAGE_DEFAULT_MIME_CATEGORIES = ["images"];
+const STRIPE_EVENTS = [
+    "checkout.session.completed",
+    "customer.subscription.created",
+    "customer.subscription.updated",
+    "customer.subscription.deleted",
+    "invoice.payment_succeeded",
+    "invoice.payment_failed",
+];
+const CONCURRENTLY_VERSION = "^9.2.1";
+const TRIGGER_DEV_ALL_SCRIPT = 'concurrently -k -n app,jobs -c cyan,yellow "npm run dev" "npm run trigger:dev"';
+const TRIGGER_STRIPE_DEV_ALL_SCRIPT = 'concurrently -k -n app,jobs,payments -c cyan,yellow,magenta "npm run dev" "npm run trigger:dev" "npm run stripe:listen"';
+const STRIPE_ONLY_DEV_ALL_SCRIPT = 'concurrently -k -n app,payments -c cyan,magenta "npm run dev" "npm run stripe:listen"';
+const LEMON_EVENTS = [
+    "order_created",
+    "subscription_created",
+    "subscription_updated",
+    "subscription_cancelled",
+    "subscription_resumed",
+    "subscription_expired",
+    "subscription_paused",
+    "subscription_unpaused",
+    "subscription_payment_failed",
+    "subscription_payment_success",
+];
 function printJson(value) {
     process.stdout.write(`${JSON.stringify(value)}\n`);
 }
@@ -48,7 +73,7 @@ function parseArgs(argv) {
     let subcommand;
     const flags = {};
     let index = 0;
-    if ((command === "admin" || command === "storage") && rest[0] && !rest[0].startsWith("--")) {
+    if ((command === "admin" || command === "storage" || command === "payments") && rest[0] && !rest[0].startsWith("--")) {
         subcommand = rest[0];
         index = 1;
     }
@@ -630,6 +655,13 @@ function getSupabaseRunner(dependencyManager) {
         return "yarn supabase";
     return "npx supabase";
 }
+function getDependencyInstallCommand(dependencyManager, packageName) {
+    if (dependencyManager === "pnpm")
+        return `pnpm add -D ${packageName}`;
+    if (dependencyManager === "yarn")
+        return `yarn add -D ${packageName}`;
+    return `npm install --save-dev ${packageName}`;
+}
 function runShellCommand(command, cwd) {
     const result = spawnSync(process.env.SHELL || "/bin/zsh", ["-lc", command], {
         cwd,
@@ -658,6 +690,17 @@ function runLinkedSupabaseCommand(command, cwd, failureCode, fallbackMessage) {
     }
     return typeof result.stdout === "string" ? result.stdout.trim() : "";
 }
+function ensureStripeCliInstalled(cwd) {
+    const result = spawnSync(process.env.SHELL || "/bin/zsh", ["-lc", "stripe --version"], {
+        cwd,
+        env: process.env,
+        encoding: "utf8",
+    });
+    if (result.status !== 0) {
+        fail("STRIPE_CLI_MISSING", "Stripe CLI is not installed. Install it from https://docs.stripe.com/stripe-cli/install before continuing Stripe localhost setup.");
+    }
+    return typeof result.stdout === "string" ? result.stdout.trim() : "";
+}
 function isMigrationOrderingConflict(message) {
     return /Found local migration files to be inserted before the last migration on remote database\./i.test(message);
 }
@@ -973,6 +1016,571 @@ async function setupSupabaseStorage(flags) {
         envWritten: ["SUPABASE_PUBLIC_BUCKET", "SUPABASE_PRIVATE_BUCKET"],
     });
 }
+function normalizePaymentsMode(value) {
+    return value === "production" ? "production" : "test";
+}
+function isStripePublishableKey(value) {
+    return isNonEmptyString(value) && /^pk_(test|live)_[A-Za-z0-9_]+$/.test(value.trim());
+}
+function isStripeSecretKey(value) {
+    return isNonEmptyString(value) && /^sk_(test|live)_[A-Za-z0-9_]+$/.test(value.trim());
+}
+function isStripeWebhookSecret(value) {
+    return isNonEmptyString(value) && /^whsec_[A-Za-z0-9]+$/.test(value.trim());
+}
+function isNumericStoreId(value) {
+    return isNonEmptyString(value) && /^\d+$/.test(value.trim());
+}
+function requireWebhookUrl(value, expectedPath, provider) {
+    const trimmed = value.trim();
+    if (!trimmed) {
+        fail("INVALID_WEBHOOK_URL", `${provider} webhook URL is required.`);
+    }
+    try {
+        const parsed = new URL(trimmed);
+        const isHttps = parsed.protocol === "https:";
+        const isLocalhost = parsed.protocol === "http:" && parsed.hostname === "localhost";
+        if ((!isHttps && !isLocalhost) || parsed.pathname !== expectedPath) {
+            fail("INVALID_WEBHOOK_URL", `${provider} webhook URL must be an https URL ending in ${expectedPath}, or http://localhost ending in ${expectedPath}.`);
+        }
+    }
+    catch {
+        fail("INVALID_WEBHOOK_URL", `${provider} webhook URL must be a valid https URL ending in ${expectedPath}, or http://localhost ending in ${expectedPath}.`);
+    }
+    return trimmed;
+}
+function requirePackageJson(cwd) {
+    const packageJsonPath = path.join(cwd, "package.json");
+    if (!fs.existsSync(packageJsonPath)) {
+        fail("MISSING_PACKAGE_JSON", "package.json is missing in the project root.");
+    }
+    try {
+        const parsed = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            fail("INVALID_PACKAGE_JSON", "package.json must contain a JSON object.");
+        }
+        return { packageJsonPath, packageJson: parsed };
+    }
+    catch {
+        fail("INVALID_PACKAGE_JSON", "package.json is not valid JSON.");
+    }
+}
+function writePackageJson(packageJsonPath, packageJson) {
+    fs.writeFileSync(packageJsonPath, `${JSON.stringify(packageJson, null, 2)}\n`, "utf8");
+}
+function buildStripeListenScript(localhostUrl) {
+    return `stripe listen --events ${STRIPE_EVENTS.join(",")} --forward-to ${localhostUrl}/api/webhooks/stripe`;
+}
+function ensureStripeLocalScripts(cwd, dependencyManager, localhostUrl) {
+    const { packageJsonPath, packageJson } = requirePackageJson(cwd);
+    const scripts = packageJson.scripts && typeof packageJson.scripts === "object" && !Array.isArray(packageJson.scripts)
+        ? { ...packageJson.scripts }
+        : {};
+    const devDependencies = packageJson.devDependencies && typeof packageJson.devDependencies === "object" && !Array.isArray(packageJson.devDependencies)
+        ? { ...packageJson.devDependencies }
+        : {};
+    const dependencies = packageJson.dependencies && typeof packageJson.dependencies === "object" && !Array.isArray(packageJson.dependencies)
+        ? packageJson.dependencies
+        : {};
+    const stripeListenScript = buildStripeListenScript(localhostUrl);
+    const changedScripts = [];
+    let installConcurrently = false;
+    if (scripts["stripe:listen"] !== stripeListenScript) {
+        scripts["stripe:listen"] = stripeListenScript;
+        changedScripts.push("stripe:listen");
+    }
+    const currentDevAll = typeof scripts["dev:all"] === "string" ? scripts["dev:all"] : "";
+    if (!currentDevAll) {
+        scripts["dev:all"] = STRIPE_ONLY_DEV_ALL_SCRIPT;
+        changedScripts.push("dev:all");
+        if (!isNonEmptyString(devDependencies.concurrently) && !isNonEmptyString(dependencies.concurrently)) {
+            devDependencies.concurrently = CONCURRENTLY_VERSION;
+            installConcurrently = true;
+        }
+    }
+    else if (currentDevAll === TRIGGER_DEV_ALL_SCRIPT) {
+        scripts["dev:all"] = TRIGGER_STRIPE_DEV_ALL_SCRIPT;
+        changedScripts.push("dev:all");
+    }
+    else if (currentDevAll === STRIPE_ONLY_DEV_ALL_SCRIPT || currentDevAll === TRIGGER_STRIPE_DEV_ALL_SCRIPT) {
+        // already configured
+    }
+    else if (currentDevAll.includes("npm run stripe:listen")) {
+        // preserve user-updated script if Stripe listener is already included
+    }
+    else {
+        fail("DEV_ALL_CONFLICT", "package.json already defines dev:all in an unexpected shape. Update it manually to include npm run stripe:listen, or reset it to the generated Trigger pattern before retrying.");
+    }
+    packageJson.scripts = scripts;
+    if (Object.keys(devDependencies).length > 0) {
+        packageJson.devDependencies = devDependencies;
+    }
+    writePackageJson(packageJsonPath, packageJson);
+    if (installConcurrently) {
+        runShellCommand(getDependencyInstallCommand(dependencyManager, "concurrently"), cwd);
+    }
+    return {
+        changedScripts,
+        installConcurrently,
+        scripts,
+    };
+}
+function waitForStripeListenSecret(command, cwd) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(process.env.SHELL || "/bin/zsh", ["-lc", command], {
+            cwd,
+            env: process.env,
+            stdio: ["ignore", "pipe", "pipe"],
+            detached: true,
+        });
+        let buffer = "";
+        let settled = false;
+        const timeoutId = setTimeout(() => {
+            if (!settled) {
+                finish(new Error("Timed out waiting for Stripe CLI to print a webhook signing secret."));
+            }
+        }, 15000);
+        const finish = (error, secret = "") => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timeoutId);
+            try {
+                process.kill(-child.pid, "SIGTERM");
+            }
+            catch { }
+            if (error)
+                reject(error);
+            else
+                resolve(secret);
+        };
+        const inspectChunk = (chunk) => {
+            buffer += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
+            const match = buffer.match(/whsec_[A-Za-z0-9]+/);
+            if (match) {
+                finish(null, match[0]);
+            }
+        };
+        child.stdout?.on("data", inspectChunk);
+        child.stderr?.on("data", inspectChunk);
+        child.on("error", (error) => finish(error));
+        child.on("close", (code) => {
+            if (!settled) {
+                const message = buffer.trim() || `stripe listen exited with code ${String(code ?? "")}`.trim();
+                finish(new Error(message || "Failed to capture Stripe webhook signing secret from stripe listen."));
+            }
+        });
+    });
+}
+function formEncode(value, prefix = "") {
+    const entries = [];
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => {
+            entries.push(...formEncode(item, `${prefix}[${index}]`));
+        });
+        return entries;
+    }
+    if (value && typeof value === "object") {
+        for (const [key, nested] of Object.entries(value)) {
+            entries.push(...formEncode(nested, prefix ? `${prefix}[${key}]` : key));
+        }
+        return entries;
+    }
+    if (value === null || value === undefined)
+        return entries;
+    entries.push([prefix, String(value)]);
+    return entries;
+}
+async function stripeRequest(params) {
+    const url = new URL(`https://api.stripe.com${params.path}`);
+    if (params.query) {
+        for (const [key, value] of formEncode(params.query)) {
+            url.searchParams.append(key, value);
+        }
+    }
+    const headers = {
+        Authorization: `Bearer ${params.secretKey}`,
+    };
+    let body;
+    if (params.body) {
+        headers["Content-Type"] = "application/x-www-form-urlencoded";
+        body = new URLSearchParams(formEncode(params.body));
+    }
+    const response = await fetch(url.toString(), {
+        method: params.method,
+        headers,
+        body,
+    });
+    const json = await response.json().catch(() => null);
+    if (!response.ok) {
+        const message = extractErrorMessage(json?.error) || extractErrorMessage(json) || `Stripe returned ${response.status}`;
+        fail("STRIPE_API_ERROR", message, 1, { status: response.status });
+    }
+    return json;
+}
+async function lemonRequest(params) {
+    const url = new URL(`https://api.lemonsqueezy.com/v1${params.path}`);
+    if (params.query) {
+        for (const [key, value] of Object.entries(params.query)) {
+            url.searchParams.set(key, value);
+        }
+    }
+    const response = await fetch(url.toString(), {
+        method: params.method,
+        headers: {
+            Accept: "application/vnd.api+json",
+            Authorization: `Bearer ${params.apiKey}`,
+            ...(params.body ? { "Content-Type": "application/vnd.api+json" } : {}),
+        },
+        body: params.body ? JSON.stringify(params.body) : undefined,
+    });
+    const json = await response.json().catch(() => null);
+    if (!response.ok) {
+        const detail = Array.isArray(json?.errors)
+            ? (json.errors[0]?.detail)
+            : null;
+        const message = isNonEmptyString(detail) ? detail : (extractErrorMessage(json) || `Lemon Squeezy returned ${response.status}`);
+        fail("LEMONSQUEEZY_API_ERROR", message, 1, { status: response.status });
+    }
+    return json;
+}
+function checkStripeKeys(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const publishableKey = values.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY;
+    const secretKey = values.STRIPE_SECRET_KEY;
+    const expectedPublishablePrefix = mode === "test" ? "pk_test_" : "pk_live_";
+    const expectedSecretPrefix = mode === "test" ? "sk_test_" : "sk_live_";
+    const missingKeys = [];
+    const invalidKeys = [];
+    const mistakes = [];
+    if (!isNonEmptyString(publishableKey)) {
+        missingKeys.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY");
+    }
+    else if (!isStripePublishableKey(publishableKey)) {
+        invalidKeys.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY");
+    }
+    else if (!publishableKey.startsWith(expectedPublishablePrefix)) {
+        mistakes.push(`NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY does not match ${mode} mode.`);
+    }
+    if (!isNonEmptyString(secretKey)) {
+        missingKeys.push("STRIPE_SECRET_KEY");
+    }
+    else if (!isStripeSecretKey(secretKey)) {
+        invalidKeys.push("STRIPE_SECRET_KEY");
+    }
+    else if (!secretKey.startsWith(expectedSecretPrefix)) {
+        mistakes.push(`STRIPE_SECRET_KEY does not match ${mode} mode.`);
+    }
+    if (isNonEmptyString(publishableKey) && isNonEmptyString(secretKey)) {
+        if (publishableKey.startsWith("pk_live_") && secretKey.startsWith("sk_test_")) {
+            mistakes.push("Publishable and secret keys are from different Stripe modes (pk_live with sk_test).");
+        }
+        if (publishableKey.startsWith("pk_test_") && secretKey.startsWith("sk_live_")) {
+            mistakes.push("Publishable and secret keys are from different Stripe modes (pk_test with sk_live).");
+        }
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0 || mistakes.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Stripe keys are missing, malformed, or inconsistent with the selected mode.", 1, { missingKeys, invalidKeys, mistakes });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-stripe-keys",
+        mode,
+        verified: true,
+        presentKeys: ["NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY", "STRIPE_SECRET_KEY"],
+        checks: ["presence", "format", "mode_consistency"],
+    });
+}
+function checkStripeCli() {
+    const version = ensureStripeCliInstalled(process.cwd());
+    printJson({
+        ok: true,
+        command: "payments check-stripe-cli",
+        ready: true,
+        version,
+    });
+}
+function loginStripeCli(flags) {
+    const { values } = loadLocalEnv();
+    ensureStripeCliInstalled(process.cwd());
+    const authMode = readStringFlag(flags, "auth-mode") === "api_key" ? "api_key" : "tty";
+    const command = authMode === "api_key"
+        ? `stripe login --api-key ${shellQuote(requireEnvValue(values, "STRIPE_SECRET_KEY", ".env.local"))}`
+        : "stripe login";
+    runShellCommand(command, process.cwd());
+    printJson({
+        ok: true,
+        command: "payments login-stripe-cli",
+        authMode,
+        authenticated: true,
+    });
+}
+function checkLemonKeys(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const apiKey = values.LEMONSQUEEZY_API_KEY;
+    const storeId = values.LEMONSQUEEZY_STORE_ID;
+    const missingKeys = [];
+    const invalidKeys = [];
+    if (!isNonEmptyString(apiKey)) {
+        missingKeys.push("LEMONSQUEEZY_API_KEY");
+    }
+    if (!isNonEmptyString(storeId)) {
+        missingKeys.push("LEMONSQUEEZY_STORE_ID");
+    }
+    else if (!isNumericStoreId(storeId)) {
+        invalidKeys.push("LEMONSQUEEZY_STORE_ID");
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Lemon Squeezy API key or store ID is missing or malformed.", 1, { missingKeys, invalidKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-lemonsqueezy-keys",
+        mode,
+        verified: true,
+        presentKeys: ["LEMONSQUEEZY_API_KEY", "LEMONSQUEEZY_STORE_ID"],
+        checks: ["presence", "store_id_format"],
+    });
+}
+async function createStripeWebhook(flags) {
+    const { envLocalPath, values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/stripe", "Stripe");
+    const secretKey = values.STRIPE_SECRET_KEY;
+    if (!isStripeSecretKey(secretKey)) {
+        fail("INVALID_PAYMENTS_ENV", "STRIPE_SECRET_KEY is missing or malformed in .env.local.");
+    }
+    const listed = await stripeRequest({
+        secretKey,
+        method: "GET",
+        path: "/v1/webhook_endpoints",
+        query: { limit: 100 },
+    });
+    const existing = Array.isArray(listed.data)
+        ? listed.data.find((endpoint) => {
+            const url = typeof endpoint.url === "string" ? endpoint.url : "";
+            const events = Array.isArray(endpoint.enabled_events) ? endpoint.enabled_events : [];
+            return url === webhookUrl && JSON.stringify([...events].sort()) === JSON.stringify([...STRIPE_EVENTS].sort());
+        })
+        : null;
+    if (existing && isStripeWebhookSecret(values.STRIPE_WEBHOOK_SECRET)) {
+        printJson({
+            ok: true,
+            command: "payments create-stripe-webhook",
+            mode,
+            created: false,
+            reused: true,
+            endpointId: typeof existing.id === "string" ? existing.id : null,
+            webhookUrl,
+            enabledEvents: STRIPE_EVENTS,
+            envWritten: [],
+        });
+        return;
+    }
+    const created = await stripeRequest({
+        secretKey,
+        method: "POST",
+        path: "/v1/webhook_endpoints",
+        body: {
+            url: webhookUrl,
+            enabled_events: STRIPE_EVENTS,
+            description: "VibeCodeMax payments webhook",
+        },
+    });
+    if (!isStripeWebhookSecret(created.secret)) {
+        fail("STRIPE_WEBHOOK_CREATE_FAILED", "Stripe did not return a webhook signing secret.");
+    }
+    mergeEnvFile(envLocalPath, {
+        STRIPE_WEBHOOK_SECRET: created.secret.trim(),
+    });
+    printJson({
+        ok: true,
+        command: "payments create-stripe-webhook",
+        mode,
+        created: true,
+        reused: false,
+        endpointId: typeof created.id === "string" ? created.id : null,
+        webhookUrl: typeof created.url === "string" ? created.url : webhookUrl,
+        enabledEvents: STRIPE_EVENTS,
+        envWritten: ["STRIPE_WEBHOOK_SECRET"],
+    });
+}
+async function setupStripeLocalhost(flags) {
+    const cwd = process.cwd();
+    const dependencyManager = detectDependencyManager(cwd, flags);
+    const localhostUrl = normalizeLocalUrl(readStringFlag(flags, "localhost-url"));
+    const { envLocalPath, values } = loadLocalEnv(cwd);
+    const secretKey = values.STRIPE_SECRET_KEY;
+    if (!isStripeSecretKey(secretKey) || !secretKey.startsWith("sk_test_")) {
+        fail("INVALID_PAYMENTS_ENV", "STRIPE_SECRET_KEY must be a Stripe test secret key in .env.local for localhost Stripe setup.");
+    }
+    ensureStripeCliInstalled(cwd);
+    const scriptResult = ensureStripeLocalScripts(cwd, dependencyManager, localhostUrl);
+    const listenCommand = `stripe listen --api-key ${shellQuote(secretKey.trim())} --events ${STRIPE_EVENTS.join(",")} --forward-to ${localhostUrl}/api/webhooks/stripe`;
+    let signingSecret = "";
+    try {
+        signingSecret = await waitForStripeListenSecret(listenCommand, cwd);
+    }
+    catch (error) {
+        fail("STRIPE_LOCALHOST_SETUP_FAILED", error instanceof Error ? error.message : "Failed to capture Stripe localhost webhook signing secret.");
+    }
+    mergeEnvFile(envLocalPath, {
+        STRIPE_WEBHOOK_SECRET: signingSecret,
+    });
+    printJson({
+        ok: true,
+        command: "payments setup-stripe-localhost",
+        localhostUrl,
+        webhookUrl: `${localhostUrl}/api/webhooks/stripe`,
+        scriptsChanged: scriptResult.changedScripts,
+        installConcurrently: scriptResult.installConcurrently,
+        devAllScript: typeof scriptResult.scripts["dev:all"] === "string" ? scriptResult.scripts["dev:all"] : null,
+        stripeListenScript: typeof scriptResult.scripts["stripe:listen"] === "string" ? scriptResult.scripts["stripe:listen"] : null,
+        envWritten: ["STRIPE_WEBHOOK_SECRET"],
+    });
+}
+function checkStripeWebhookSecret(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/stripe", "Stripe");
+    const missingKeys = [];
+    const invalidKeys = [];
+    if (!isNonEmptyString(values.STRIPE_WEBHOOK_SECRET)) {
+        missingKeys.push("STRIPE_WEBHOOK_SECRET");
+    }
+    else if (!isStripeWebhookSecret(values.STRIPE_WEBHOOK_SECRET)) {
+        invalidKeys.push("STRIPE_WEBHOOK_SECRET");
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Stripe webhook secret is missing or malformed in .env.local.", 1, { missingKeys, invalidKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-stripe-webhook-secret",
+        mode,
+        verified: true,
+        webhookUrl,
+        presentKeys: ["STRIPE_WEBHOOK_SECRET"],
+        checks: ["presence", "format", "webhook_url_format"],
+    });
+}
+async function createLemonWebhook(flags) {
+    const { envLocalPath, values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/lemonsqueezy", "Lemon Squeezy");
+    const apiKey = values.LEMONSQUEEZY_API_KEY;
+    const storeId = values.LEMONSQUEEZY_STORE_ID;
+    if (!isNonEmptyString(apiKey)) {
+        fail("INVALID_PAYMENTS_ENV", "LEMONSQUEEZY_API_KEY is missing in .env.local.");
+    }
+    if (!isNumericStoreId(storeId)) {
+        fail("INVALID_PAYMENTS_ENV", "LEMONSQUEEZY_STORE_ID is missing or malformed in .env.local.");
+    }
+    const listed = await lemonRequest({
+        apiKey,
+        method: "GET",
+        path: "/webhooks",
+        query: {
+            "filter[store_id]": storeId.trim(),
+            "page[size]": "100",
+        },
+    });
+    const existing = Array.isArray(listed.data)
+        ? listed.data.find((endpoint) => {
+            const attrs = endpoint.attributes && typeof endpoint.attributes === "object"
+                ? endpoint.attributes
+                : {};
+            const relationships = endpoint.relationships && typeof endpoint.relationships === "object"
+                ? endpoint.relationships
+                : {};
+            const endpointStoreId = typeof relationships.store?.data?.id === "string"
+                ? (relationships.store.data.id)
+                : "";
+            const events = Array.isArray(attrs.events) ? attrs.events : [];
+            return String(attrs.url || "") === webhookUrl
+                && endpointStoreId === storeId.trim()
+                && JSON.stringify([...events].sort()) === JSON.stringify([...LEMON_EVENTS].sort());
+        })
+        : null;
+    if (existing && isNonEmptyString(values.LEMONSQUEEZY_WEBHOOK_SECRET)) {
+        printJson({
+            ok: true,
+            command: "payments create-lemonsqueezy-webhook",
+            mode,
+            created: false,
+            reused: true,
+            endpointId: typeof existing.id === "string" ? existing.id : null,
+            webhookUrl,
+            storeId: storeId.trim(),
+            enabledEvents: LEMON_EVENTS,
+            envWritten: [],
+        });
+        return;
+    }
+    const generatedSecret = randomBytes(24).toString("hex");
+    const created = await lemonRequest({
+        apiKey,
+        method: "POST",
+        path: "/webhooks",
+        body: {
+            data: {
+                type: "webhooks",
+                attributes: {
+                    url: webhookUrl,
+                    events: LEMON_EVENTS,
+                    secret: generatedSecret,
+                    test_mode: mode === "test",
+                },
+                relationships: {
+                    store: {
+                        data: {
+                            type: "stores",
+                            id: storeId.trim(),
+                        },
+                    },
+                },
+            },
+        },
+    });
+    mergeEnvFile(envLocalPath, {
+        LEMONSQUEEZY_WEBHOOK_SECRET: generatedSecret,
+    });
+    printJson({
+        ok: true,
+        command: "payments create-lemonsqueezy-webhook",
+        mode,
+        created: true,
+        reused: false,
+        endpointId: typeof created.data?.id === "string" ? created.data.id : null,
+        webhookUrl: typeof created.data?.attributes?.url === "string" ? created.data.attributes.url : webhookUrl,
+        storeId: storeId.trim(),
+        enabledEvents: LEMON_EVENTS,
+        envWritten: ["LEMONSQUEEZY_WEBHOOK_SECRET"],
+    });
+}
+function checkLemonWebhookSecret(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/lemonsqueezy", "Lemon Squeezy");
+    const missingKeys = [];
+    if (!isNonEmptyString(values.LEMONSQUEEZY_WEBHOOK_SECRET)) {
+        missingKeys.push("LEMONSQUEEZY_WEBHOOK_SECRET");
+    }
+    if (missingKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Lemon Squeezy webhook secret is missing in .env.local.", 1, { missingKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-lemonsqueezy-webhook-secret",
+        mode,
+        verified: true,
+        webhookUrl,
+        presentKeys: ["LEMONSQUEEZY_WEBHOOK_SECRET"],
+        checks: ["presence", "webhook_url_format"],
+    });
+}
 async function main() {
     const { command, subcommand, flags } = parseArgs(process.argv.slice(2));
     if (!command || command === "--help" || command === "help") {
@@ -985,6 +1593,15 @@ async function main() {
                 "storage setup-supabase",
                 "storage check-s3-context",
                 "storage setup-s3",
+                "payments check-stripe-keys",
+                "payments check-stripe-cli",
+                "payments login-stripe-cli",
+                "payments setup-stripe-localhost",
+                "payments create-stripe-webhook",
+                "payments check-stripe-webhook-secret",
+                "payments check-lemonsqueezy-keys",
+                "payments create-lemonsqueezy-webhook",
+                "payments check-lemonsqueezy-webhook-secret",
                 "configure-site-redirects",
                 "configure-email-password",
                 "enable-google-provider",
@@ -1011,6 +1628,24 @@ async function main() {
         return checkS3Context(flags);
     if (command === "storage" && subcommand === "setup-s3")
         return setupS3Storage(flags);
+    if (command === "payments" && subcommand === "check-stripe-keys")
+        return checkStripeKeys(flags);
+    if (command === "payments" && subcommand === "check-stripe-cli")
+        return checkStripeCli();
+    if (command === "payments" && subcommand === "login-stripe-cli")
+        return loginStripeCli(flags);
+    if (command === "payments" && subcommand === "setup-stripe-localhost")
+        return setupStripeLocalhost(flags);
+    if (command === "payments" && subcommand === "create-stripe-webhook")
+        return createStripeWebhook(flags);
+    if (command === "payments" && subcommand === "check-stripe-webhook-secret")
+        return checkStripeWebhookSecret(flags);
+    if (command === "payments" && subcommand === "check-lemonsqueezy-keys")
+        return checkLemonKeys(flags);
+    if (command === "payments" && subcommand === "create-lemonsqueezy-webhook")
+        return createLemonWebhook(flags);
+    if (command === "payments" && subcommand === "check-lemonsqueezy-webhook-secret")
+        return checkLemonWebhookSecret(flags);
     if (command === "configure-site-redirects")
         return configureSiteRedirects(flags);
     if (command === "configure-email-password")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodemax/cli",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "VibeCodeMax CLI — local provider setup for bootstrap and project configuration",
   "type": "module",
   "bin": {