agent-cards-admin 0.3.13 → 0.3.15

package/dist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-cards-admin",
-  "version": "0.3.13",
+  "version": "0.3.15",
   "description": "Admin CLI for managing B2B organizations, API keys, and members",
   "type": "module",
   "bin": {

package/dist/src/commands/wizard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"wizard.d.ts","sourceRoot":"","sources":["../../../src/commands/wizard.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAqJtE"}
+{"version":3,"file":"wizard.d.ts","sourceRoot":"","sources":["../../../src/commands/wizard.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CA6KtE"}

package/dist/src/commands/wizard.js

@@ -1,11 +1,14 @@
-import { resolve } from 'path';
+import { resolve, basename } from 'path';
 import inquirer from 'inquirer';
 import chalk from 'chalk';
 import ora from 'ora';
-import { requireAuth, getApiUrl, getJwt, getMode, setMode } from '../lib/config.js';
+import { getApiUrl, getJwt } from '../lib/config.js';
 import { detectRepo } from '../lib/wizard/detect.js';
 import { INTEGRATION_PLAYBOOK, buildInitialPrompt } from '../lib/wizard/playbook.js';
 import { runIntegrationAgent } from '../lib/wizard/agent.js';
+import { ensureOnboarded } from '../lib/wizard/onboard.js';
+import { writeAgentcardEnv } from '../lib/wizard/secrets.js';
+import { banner, note, ui, glyph, outroSuccess, outroError } from '../lib/wizard/theme.js';
 const MODEL = 'claude-opus-4-8';
 /**
  * `agent-cards-admin wizard` — runs an AI agent (the Claude Agent SDK, on OUR
@@ -14,46 +17,63 @@ const MODEL = 'claude-opus-4-8';
  * real card issues in SANDBOX.
  */
 export async function wizardCommand(opts) {
-    await requireAuth();
     const repoRoot = resolve(opts.path ?? process.cwd());
-    const jwt = getJwt();
-    if (!jwt) {
-        console.log(chalk.red('Not logged in. Run: agent-cards-admin login'));
-        process.exit(1);
-    }
-    console.log();
-    console.log(chalk.bold('Agentcard integration wizard'));
-    console.log(chalk.dim('Implements Connect with Agentcard (OAuth 2.1 + PKCE) + per-user card issuance via MCP.'));
-    console.log();
-    // v1 always verifies against sandbox — make sure we're in sandbox mode.
-    if (getMode() !== 'sandbox') {
-        console.log(chalk.yellow('This wizard runs against SANDBOX. Switching mode to sandbox for this run.'));
-        setMode('sandbox');
-    }
-    // Detect the repo and show the partner what we found before they consent.
+    const appName = basename(repoRoot);
+    banner('Agentcard integration wizard', [
+        'Sets up your account + credentials, then wires Connect with Agentcard',
+        "(OAuth 2.1 + PKCE) + per-user cards via MCP into this repo.",
+        "Runs on Agentcard's tokens — your secrets go to a local .env, never to the AI.",
+    ]);
+    // Detect the repo up front (also gives us the app name for provisioning).
     const detection = detectRepo(repoRoot);
-    console.log(chalk.bold('Target repo: ') + repoRoot);
-    console.log(detection.summary);
+    // Phase 1 — Onboard: account → org → confidential OAuth client → sandbox key.
+    // ensureOnboarded runs the signup/login flow first if there's no session yet.
+    const prov = await ensureOnboarded(appName);
+    note('Provisioned in sandbox', [
+        `org       ${prov.orgName}`,
+        `client    ${prov.clientId}`,
+        `api key   ${prov.apiKeyPrefix}`,
+        `callback  ${prov.redirectUri}`,
+    ]);
+    // Phase 2 — Integrate. Show the repo + consent before writing ANY files (the env
+    // write below mutates the repo, so it must be gated by this consent too).
     console.log();
+    console.log(`${ui.accent(glyph.diamond)} ${ui.bold('Integrate')} ${ui.muted('·')} ${repoRoot}`);
+    for (const l of detection.summary.split('\n'))
+        console.log(`${ui.muted(glyph.gutter)} ${ui.dim(l)}`);
+    console.log(ui.muted(glyph.gutter));
     if (!opts.yes) {
         const { proceed } = await inquirer.prompt([
             {
                 type: 'confirm',
                 name: 'proceed',
-                message: chalk.yellow(`An AI agent will READ and MODIFY files in ${repoRoot} to add the Agentcard integration. Continue?`),
+                message: chalk.yellow(`An AI agent will READ and MODIFY files in ${repoRoot} to add the Agentcard integration (and write your AGENTCARD_* secrets to a local env file). Continue?`),
                 default: false,
             },
         ]);
         if (!proceed) {
-            console.log(chalk.dim('Aborted. No changes made.'));
+            console.log(chalk.dim('Aborted. Credentials were provisioned in your Agentcard org, but no files in the repo were modified.'));
             return;
         }
     }
+    const jwt = getJwt(); // ensureOnboarded guarantees a session
+    // Secret-vault: now that the user has consented to repo changes, write the
+    // provisioned credentials into the app's env so the agent never sees the secrets
+    // (its code reads process.env). Non-secret values may go in the prompt;
+    // AGENTCARD_OAUTH_CLIENT_SECRET / AGENTCARD_API_KEY never do.
+    const envFile = writeAgentcardEnv(repoRoot, {
+        AGENTCARD_API_URL: 'https://mcp.agentcard.sh',
+        AGENTCARD_PUBLIC_URL: prov.appBaseUrl,
+        AGENTCARD_OAUTH_CLIENT_ID: prov.clientId,
+        ...(prov.clientSecret ? { AGENTCARD_OAUTH_CLIENT_SECRET: prov.clientSecret } : {}),
+        AGENTCARD_API_KEY: prov.apiKey,
+    });
+    console.log(`${ui.muted(glyph.gutter)} ${ui.success(glyph.check)} secrets written to ${ui.bold(envFile)} ${ui.dim('(kept out of the AI prompt)')}`);
     const gatewayUrl = `${getApiUrl()}/wizard`;
     console.log();
-    console.log(chalk.dim(`Running the integration agent (on Agentcard's tokens via ${gatewayUrl}).`));
-    console.log(chalk.dim('It will explore, edit files, and verify the integration. This can take several minutes.'));
-    console.log(chalk.dim('Press ') + chalk.bold('Ctrl+B') + chalk.dim(' anytime to toggle detailed logs (full tool inputs + outputs).'));
+    console.log(`${ui.accent(glyph.diamond)} ${ui.bold('Running the integration agent')}`);
+    console.log(`${ui.muted(glyph.gutter)} ${ui.dim('Explores, edits files, and verifies the integration. This can take several minutes.')}`);
+    console.log(`${ui.muted(glyph.gutter)} ${ui.dim('Press')} ${ui.bold('Ctrl+B')} ${ui.dim('to toggle detailed logs (full tool inputs + outputs).')}`);
     console.log();
     // Live status: a spinner whose text ticks every second with the current action
     // and elapsed time, so long model-thinking pauses never look hung. The agent's
@@ -109,7 +129,11 @@ export async function wizardCommand(opts) {
             jwt,
             model: MODEL,
             systemPromptAppend: INTEGRATION_PLAYBOOK,
-            initialPrompt: buildInitialPrompt(detection.summary),
+            initialPrompt: buildInitialPrompt(detection.summary, {
+                clientId: prov.clientId,
+                redirectUri: prov.redirectUri,
+                envFile,
+            }),
             onText: (text) => {
                 const t = text.trim();
                 if (t)
@@ -118,13 +142,13 @@ export async function wizardCommand(opts) {
             },
             onToolStart: (name, summary, detail) => {
                 action = summary ? `${name} ${chalk.dim(summary)}` : name;
-                log(`${chalk.cyan('→')} ${chalk.bold(name)}${summary ? ' ' + chalk.dim(summary) : ''}`);
+                log(`${ui.accent(glyph.arrow)} ${ui.bold(name)}${summary ? ' ' + ui.dim(summary) : ''}`);
                 if (verbose)
                     showDetail(detail);
             },
             onToolEnd: (name, isError, resultText) => {
                 if (isError)
-                    log(`${chalk.red('✗')} ${chalk.dim(`${name} failed`)}`);
+                    log(`${ui.error(glyph.cross)} ${ui.dim(`${name} failed`)}`);
                 if (verbose && resultText)
                     showDetail(resultText);
                 action = 'thinking';
@@ -140,23 +164,24 @@ export async function wizardCommand(opts) {
             stdin.pause();
         }
     }
-    console.log();
-    if (result.outcome === 'success') {
-        console.log(chalk.green('✓ Integration agent finished.'));
-    }
-    else {
-        console.log(chalk.red('✗ Integration agent stopped with an error.'));
-    }
     if (result.finalText) {
         console.log();
         console.log(result.finalText);
     }
-    if (typeof result.numTurns === 'number') {
-        console.log(chalk.dim(`\n(${result.numTurns} turns)`));
+    const turns = typeof result.numTurns === 'number' ? `${result.numTurns} turns. ` : '';
+    if (result.outcome === 'success') {
+        outroSuccess({
+            message: 'Agentcard integration complete',
+            nextSteps: [
+                `Issue a live card: open ${ui.primary(`${prov.appBaseUrl}/api/agentcard/connect?user=<id>`)} in a browser to connect a user`,
+                'Review the diff and commit when you are happy',
+            ],
+            reviewNote: `${turns}Re-run \`wizard\` to continue or fix up.`,
+        });
     }
-    console.log();
-    console.log(chalk.dim('Review the diff, then commit when you are happy. Re-run `wizard` to continue or fix up.'));
-    if (result.outcome !== 'success')
+    else {
+        outroError('Integration agent stopped with an error', `${turns}See the log above; re-run \`wizard\` to retry.`);
         process.exit(1);
+    }
 }
 //# sourceMappingURL=wizard.js.map

package/dist/src/commands/wizard.js.map

@@ -1 +1 @@
-{"version":3,"file":"wizard.js","sourceRoot":"","sources":["../../../src/commands/wizard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACpF,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAE7D,MAAM,KAAK,GAAG,iBAAiB,CAAC;AAOhC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAmB;IACrD,MAAM,WAAW,EAAE,CAAC;IAEpB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,wFAAwF,CAAC,CAAC,CAAC;IACjH,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,wEAAwE;IACxE,IAAI,OAAO,EAAE,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,2EAA2E,CAAC,CAAC,CAAC;QACvG,OAAO,CAAC,SAAS,CAAC,CAAC;IACrB,CAAC;IAED,0EAA0E;IAC1E,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,QAAQ,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC/B,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACxC;gBACE,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,KAAK,CAAC,MAAM,CACnB,6CAA6C,QAAQ,8CAA8C,CACpG;gBACD,OAAO,EAAE,KAAK;aACf;SACF,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC;YACpD,OAAO;QACT,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,SAAS,EAAE,SAAS,CAAC;IAC3C,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4DAA4D,UAAU,IAAI,CAAC,CAAC,CAAC;IACnG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAC,CAAC;IAClH,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC,CAAC;IACtI,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,+EAA+E;IAC/E,+EAA+E;IAC/E,2EAA2E;IAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;QACtD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;IACpE,CAAC,CAAC;IACF,IAAI,MAAM,GAAG,aAAa,CAAC;IAC3B,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,OAAO,GAAG,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,EAAE;QAC9B,OAAO,CAAC,IAAI,GAAG,GAAG,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACtG,CAAC,EAAE,IAAI,CAAC,CAAC;IACT,sDAAsD;IACtD,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAE;QAC3B,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC,CAAC;IACF,4EAA4E;IAC5E,MAAM,UAAU,GAAG,CAAC,IAAY,EAAE,EAAE;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO;QAClB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACvE,CAAC,CAAC;IAEF,2EAA2E;IAC3E,kFAAkF;IAClF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,UAAU,KAAK,UAAU,CAAC;IAClF,MAAM,KAAK,GAAG,CAAC,CAAS,EAAE,EAAE;QAC1B,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACf,OAAO,GAAG,CAAC,OAAO,CAAC;YACnB,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC;QAC1E,CAAC;aAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC;IACF,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACvB,KAAK,CAAC,MAAM,EAAE,CAAC;QACf,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,mBAAmB,CAAC;YACjC,QAAQ;YACR,UAAU;YACV,GAAG;YACH,KAAK,EAAE,KAAK;YACZ,kBAAkB,EAAE,oBAAoB;YACxC,aAAa,EAAE,kBAAkB,CAAC,SAAS,CAAC,OAAO,CAAC;YACpD,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBACf,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBACtB,IAAI,CAAC;oBAAE,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC3B,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC;YACD,WAAW,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1D,GAAG,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACxF,IAAI,OAAO;oBAAE,UAAU,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;YACD,SAAS,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE;gBACvC,IAAI,OAAO;oBAAE,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,GAAG,IAAI,SAAS,CAAC,EAAE,CAAC,CAAC;gBACrE,IAAI,OAAO,IAAI,UAAU;oBAAE,UAAU,CAAC,UAAU,CAAC,CAAC;gBAClD,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC;SACF,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,aAAa,CAAC,MAAM,CAAC,CAAC;QACtB,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACzB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACxB,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAC5D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,SAAS,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAC,CAAC;IAElH,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC"}
+{"version":3,"file":"wizard.js","sourceRoot":"","sources":["../../../src/commands/wizard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AACzC,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAE3F,MAAM,KAAK,GAAG,iBAAiB,CAAC;AAOhC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAmB;IACrD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEnC,MAAM,CAAC,8BAA8B,EAAE;QACrC,uEAAuE;QACvE,6DAA6D;QAC7D,gFAAgF;KACjF,CAAC,CAAC;IAEH,0EAA0E;IAC1E,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAEvC,8EAA8E;IAC9E,8EAA8E;IAC9E,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,CAAC,wBAAwB,EAAE;QAC7B,aAAa,IAAI,CAAC,OAAO,EAAE;QAC3B,aAAa,IAAI,CAAC,QAAQ,EAAE;QAC5B,aAAa,IAAI,CAAC,YAAY,EAAE;QAChC,aAAa,IAAI,CAAC,WAAW,EAAE;KAChC,CAAC,CAAC;IAEH,iFAAiF;IACjF,0EAA0E;IAC1E,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IAChG,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACrG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAEpC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACxC;gBACE,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,KAAK,CAAC,MAAM,CACnB,6CAA6C,QAAQ,uGAAuG,CAC7J;gBACD,OAAO,EAAE,KAAK;aACf;SACF,CAAC,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,sGAAsG,CAAC,CAAC,CAAC;YAC/H,OAAO;QACT,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,EAAG,CAAC,CAAC,uCAAuC;IAE9D,2EAA2E;IAC3E,iFAAiF;IACjF,wEAAwE;IACxE,8DAA8D;IAC9D,MAAM,OAAO,GAAG,iBAAiB,CAAC,QAAQ,EAAE;QAC1C,iBAAiB,EAAE,0BAA0B;QAC7C,oBAAoB,EAAE,IAAI,CAAC,UAAU;QACrC,yBAAyB,EAAE,IAAI,CAAC,QAAQ;QACxC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,6BAA6B,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClF,iBAAiB,EAAE,IAAI,CAAC,MAAM;KAC/B,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,uBAAuB,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,6BAA6B,CAAC,EAAE,CAAC,CAAC;IAEpJ,MAAM,UAAU,GAAG,GAAG,SAAS,EAAE,SAAS,CAAC;IAC3C,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAC;IACvF,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,qFAAqF,CAAC,EAAE,CAAC,CAAC;IAC1I,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,uDAAuD,CAAC,EAAE,CAAC,CAAC;IACpJ,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,+EAA+E;IAC/E,+EAA+E;IAC/E,2EAA2E;IAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;QACtD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;IACpE,CAAC,CAAC;IACF,IAAI,MAAM,GAAG,aAAa,CAAC;IAC3B,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,OAAO,GAAG,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;IAC9C,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,EAAE;QAC9B,OAAO,CAAC,IAAI,GAAG,GAAG,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,OAAO,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACtG,CAAC,EAAE,IAAI,CAAC,CAAC;IACT,sDAAsD;IACtD,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAE;QAC3B,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClB,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC,CAAC;IACF,4EAA4E;IAC5E,MAAM,UAAU,GAAG,CAAC,IAAY,EAAE,EAAE;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO;QAClB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACvE,CAAC,CAAC;IAEF,2EAA2E;IAC3E,kFAAkF;IAClF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,UAAU,KAAK,UAAU,CAAC;IAClF,MAAM,KAAK,GAAG,CAAC,CAAS,EAAE,EAAE;QAC1B,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACf,OAAO,GAAG,CAAC,OAAO,CAAC;YACnB,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,mBAAmB,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC;QAC1E,CAAC;aAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC;IACF,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACvB,KAAK,CAAC,MAAM,EAAE,CAAC;QACf,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,mBAAmB,CAAC;YACjC,QAAQ;YACR,UAAU;YACV,GAAG;YACH,KAAK,EAAE,KAAK;YACZ,kBAAkB,EAAE,oBAAoB;YACxC,aAAa,EAAE,kBAAkB,CAAC,SAAS,CAAC,OAAO,EAAE;gBACnD,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,OAAO;aACR,CAAC;YACF,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBACf,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBACtB,IAAI,CAAC;oBAAE,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC3B,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC;YACD,WAAW,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1D,GAAG,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACzF,IAAI,OAAO;oBAAE,UAAU,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC;YACD,SAAS,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,EAAE;gBACvC,IAAI,OAAO;oBAAE,GAAG,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,GAAG,IAAI,SAAS,CAAC,EAAE,CAAC,CAAC;gBACzE,IAAI,OAAO,IAAI,UAAU;oBAAE,UAAU,CAAC,UAAU,CAAC,CAAC;gBAClD,MAAM,GAAG,UAAU,CAAC;YACtB,CAAC;SACF,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,aAAa,CAAC,MAAM,CAAC,CAAC;QACtB,OAAO,CAAC,IAAI,EAAE,CAAC;QACf,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACzB,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACxB,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACjC,YAAY,CAAC;YACX,OAAO,EAAE,gCAAgC;YACzC,SAAS,EAAE;gBACT,2BAA2B,EAAE,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,UAAU,kCAAkC,CAAC,iCAAiC;gBAC5H,+CAA+C;aAChD;YACD,UAAU,EAAE,GAAG,KAAK,0CAA0C;SAC/D,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,UAAU,CAAC,yCAAyC,EAAE,GAAG,KAAK,gDAAgD,CAAC,CAAC;QAChH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/src/lib/wizard/onboard.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Wizard onboarding (Phase 1) — provisions everything the integration needs on a
+ * user's FIRST interaction with the Agentcard admin tool, then hands the credentials
+ * to the integration (Phase 2). Idempotent where it can be: reuses the user's org;
+ * always mints a fresh confidential OAuth client (the client_secret is shown once and
+ * can't be re-fetched, so we can't "reuse" one) + a sandbox API key.
+ *
+ * Everything is provisioned in SANDBOX. The client_secret + api key it returns are
+ * written to the app's .env by the caller and never put in the LLM prompt.
+ */
+export interface Provisioning {
+    orgId: string;
+    orgName: string;
+    appBaseUrl: string;
+    redirectUri: string;
+    clientId: string;
+    clientSecret?: string;
+    apiKey: string;
+    apiKeyPrefix: string;
+}
+/** The fixed callback path the integration implements; the OAuth client is registered with it. */
+export declare const CALLBACK_PATH = "/api/agentcard/callback";
+export declare function ensureOnboarded(appName: string): Promise<Provisioning>;
+//# sourceMappingURL=onboard.d.ts.map

package/dist/src/lib/wizard/onboard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"onboard.d.ts","sourceRoot":"","sources":["../../../../src/lib/wizard/onboard.ts"],"names":[],"mappings":"AAQA;;;;;;;;;GASG;AACH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;CACtB;AAoBD,kGAAkG;AAClG,eAAO,MAAM,aAAa,4BAA4B,CAAC;AAgBvD,wBAAsB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAsG5E"}

package/dist/src/lib/wizard/onboard.js

@@ -0,0 +1,124 @@
+import inquirer from 'inquirer';
+import ora from 'ora';
+import chalk from 'chalk';
+import { api } from '../api.js';
+import { getJwt, getEmail, setMode, getApiUrl, clearAuth } from '../config.js';
+import { login } from '../../commands/login.js';
+import { step, line, row, ui } from './theme.js';
+/** The fixed callback path the integration implements; the OAuth client is registered with it. */
+export const CALLBACK_PATH = '/api/agentcard/callback';
+/** Sentinel value for the "create a new organization" choice in the org picker. */
+const CREATE_ORG = '__create_org__';
+/** Prompt for a name and create a new organization. */
+async function createOrgInteractive(defaultName) {
+    const { name } = await inquirer.prompt([
+        { type: 'input', name: 'name', message: 'New organization name:', default: defaultName, validate: (v) => v.trim().length > 0 || 'Required' },
+    ]);
+    const spinner = ora('Creating organization…').start();
+    const org = await api('/orgs', { method: 'POST', body: { name: String(name).trim(), billingEmail: getEmail() } });
+    spinner.succeed(chalk.green(`Organization "${org.name}" created`));
+    return org;
+}
+export async function ensureOnboarded(appName) {
+    // --- Step 1: account (signup / login) ---
+    // Validate any stored session first. Gate on a validity FLAG, not on getJwt() being
+    // falsy: a bare getJwt() can't tell a fresh token from an expired one, and a stale
+    // token exported via AGENT_CARDS_ADMIN_JWT can't be cleared (clearAuth only deletes
+    // the config-file token). When invalid we always run login(), which writes a fresh
+    // config token that takes precedence over the env var in getJwt().
+    let sessionValid = false;
+    const stored = getJwt();
+    if (stored) {
+        try {
+            const res = await fetch(`${getApiUrl()}/auth/me`, {
+                headers: { Authorization: `Bearer ${stored}` },
+                signal: AbortSignal.timeout(5_000),
+            });
+            if (res.status === 401 || res.status === 403) {
+                clearAuth();
+            }
+            else {
+                sessionValid = true; // usable (or a transient non-auth error the real call will surface)
+            }
+        }
+        catch {
+            sessionValid = true; // network blip — keep the token; the real call surfaces issues
+        }
+    }
+    step(1, 4, 'Account');
+    if (!sessionValid) {
+        line(ui.dim('First time? This creates your account via a magic link.'));
+        await login();
+        if (!getJwt()) {
+            line(ui.error('Sign-in did not complete. Run the wizard again once you have clicked the magic link.'));
+            process.exit(1);
+        }
+    }
+    else {
+        row('Signed in', getEmail() ?? 'your account');
+    }
+    // Everything below is provisioned in sandbox.
+    setMode('sandbox');
+    // --- Step 2: organization (reuse an existing one or create a new one) ---
+    step(2, 4, 'Organization');
+    const { organizations } = await api('/orgs');
+    let org;
+    if (organizations.length === 0) {
+        // No org yet → create one.
+        org = await createOrgInteractive(appName);
+    }
+    else {
+        // Has org(s) → let them reuse one OR create a new org for this app.
+        const { picked } = await inquirer.prompt([
+            {
+                type: 'list',
+                name: 'picked',
+                message: 'Which organization is this app for?',
+                choices: [
+                    ...organizations.map((o) => ({ name: `${o.name}${o.billingEmail ? ` (${o.billingEmail})` : ''}`, value: o.id })),
+                    new inquirer.Separator(),
+                    { name: '＋ Create a new organization', value: CREATE_ORG },
+                ],
+            },
+        ]);
+        org = picked === CREATE_ORG ? await createOrgInteractive(appName) : organizations.find((o) => o.id === picked);
+    }
+    // --- Step 3: OAuth client (confidential) ---
+    step(3, 4, 'Register a Connect-with-Agentcard client');
+    const { appBaseUrl } = await inquirer.prompt([
+        {
+            type: 'input',
+            name: 'appBaseUrl',
+            message: `Your app's base URL (used for the OAuth callback ${CALLBACK_PATH}):`,
+            default: 'http://localhost:3000',
+            validate: (v) => /^https?:\/\/.+/.test(v.trim()) || 'Enter a URL like http://localhost:3000',
+        },
+    ]);
+    const base = String(appBaseUrl).trim().replace(/\/+$/, '');
+    const redirectUri = `${base}${CALLBACK_PATH}`;
+    const spinner3 = ora('Creating confidential OAuth client…').start();
+    const client = await api(`/orgs/${org.id}/oauth-clients`, {
+        method: 'POST',
+        body: { name: `${appName} (wizard)`, redirectUris: [redirectUri], public: false },
+    });
+    spinner3.succeed(chalk.green(`OAuth client created (${client.clientId})`));
+    // --- Step 4: sandbox API key ---
+    step(4, 4, 'Create a sandbox API key');
+    const spinner4 = ora('Creating sandbox API key…').start();
+    const key = await api(`/orgs/${org.id}/keys`, {
+        method: 'POST',
+        body: { name: `${appName} wizard key`, mode: 'sandbox' },
+    });
+    spinner4.succeed(chalk.green(`Sandbox API key created (${key.keyPrefix})`));
+    return {
+        orgId: org.id,
+        orgName: org.name,
+        appBaseUrl: base,
+        redirectUri,
+        clientId: client.clientId,
+        clientSecret: client.clientSecret,
+        apiKey: key.key,
+        apiKeyPrefix: key.keyPrefix,
+    };
+}
+//# sourceMappingURL=onboard.js.map

package/dist/src/lib/wizard/onboard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"onboard.js","sourceRoot":"","sources":["../../../../src/lib/wizard/onboard.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAChC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC/E,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,MAAM,YAAY,CAAC;AAyCjD,kGAAkG;AAClG,MAAM,CAAC,MAAM,aAAa,GAAG,yBAAyB,CAAC;AAEvD,mFAAmF;AACnF,MAAM,UAAU,GAAG,gBAAgB,CAAC;AAEpC,uDAAuD;AACvD,KAAK,UAAU,oBAAoB,CAAC,WAAmB;IACrD,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;QACrC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,wBAAwB,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,EAAE;KACrJ,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,GAAG,CAAC,wBAAwB,CAAC,CAAC,KAAK,EAAE,CAAC;IACtD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAM,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;IACvH,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,iBAAiB,GAAG,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC;IACnE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAe;IACnD,2CAA2C;IAC3C,oFAAoF;IACpF,mFAAmF;IACnF,oFAAoF;IACpF,mFAAmF;IACnF,mEAAmE;IACnE,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,EAAE,UAAU,EAAE;gBAChD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,EAAE,EAAE;gBAC9C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;aACnC,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC7C,SAAS,EAAE,CAAC;YACd,CAAC;iBAAM,CAAC;gBACN,YAAY,GAAG,IAAI,CAAC,CAAC,oEAAoE;YAC3F,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,YAAY,GAAG,IAAI,CAAC,CAAC,+DAA+D;QACtF,CAAC;IACH,CAAC;IACD,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;IACtB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC,CAAC;QACxE,MAAM,KAAK,EAAE,CAAC;QACd,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACd,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,sFAAsF,CAAC,CAAC,CAAC;YACvG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,IAAI,cAAc,CAAC,CAAC;IACjD,CAAC;IAED,8CAA8C;IAC9C,OAAO,CAAC,SAAS,CAAC,CAAC;IAEnB,2EAA2E;IAC3E,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,cAAc,CAAC,CAAC;IAC3B,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,GAAG,CAA2B,OAAO,CAAC,CAAC;IACvE,IAAI,GAAQ,CAAC;IACb,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,2BAA2B;QAC3B,GAAG,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,oEAAoE;QACpE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACvC;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,qCAAqC;gBAC9C,OAAO,EAAE;oBACP,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAChH,IAAI,QAAQ,CAAC,SAAS,EAAE;oBACxB,EAAE,IAAI,EAAE,6BAA6B,EAAE,KAAK,EAAE,UAAU,EAAE;iBAC3D;aACF;SACF,CAAC,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,UAAU,CAAC,CAAC,CAAC,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAE,CAAC;IAClH,CAAC;IAED,8CAA8C;IAC9C,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,0CAA0C,CAAC,CAAC;IACvD,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;QAC3C;YACE,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,oDAAoD,aAAa,IAAI;YAC9E,OAAO,EAAE,uBAAuB;YAChC,QAAQ,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,wCAAwC;SACrG;KACF,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,GAAG,IAAI,GAAG,aAAa,EAAE,CAAC;IAC9C,MAAM,QAAQ,GAAG,GAAG,CAAC,qCAAqC,CAAC,CAAC,KAAK,EAAE,CAAC;IACpE,MAAM,MAAM,GAAG,MAAM,GAAG,CAAc,SAAS,GAAG,CAAC,EAAE,gBAAgB,EAAE;QACrE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,OAAO,WAAW,EAAE,YAAY,EAAE,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE;KAClF,CAAC,CAAC;IACH,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,yBAAyB,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IAE3E,kCAAkC;IAClC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,0BAA0B,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,EAAE,CAAC;IAC1D,MAAM,GAAG,GAAG,MAAM,GAAG,CAAoB,SAAS,GAAG,CAAC,EAAE,OAAO,EAAE;QAC/D,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,OAAO,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE;KACzD,CAAC,CAAC;IACH,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,4BAA4B,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;IAE5E,OAAO;QACL,KAAK,EAAE,GAAG,CAAC,EAAE;QACb,OAAO,EAAE,GAAG,CAAC,IAAI;QACjB,UAAU,EAAE,IAAI;QAChB,WAAW;QACX,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,MAAM,EAAE,GAAG,CAAC,GAAG;QACf,YAAY,EAAE,GAAG,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC"}

package/dist/src/lib/wizard/playbook.d.ts

@@ -14,5 +14,12 @@
  */
 export declare const INTEGRATION_PLAYBOOK: string;
 /** The initial user turn that kicks the agent off inside the partner's repo. */
-export declare function buildInitialPrompt(detection: string): string;
+/** Details of a confidential OAuth client the wizard already provisioned + pinned to env. */
+export interface PinnedClient {
+    clientId: string;
+    redirectUri: string;
+    /** The env file the wizard wrote the secrets to (AGENTCARD_* are already set there). */
+    envFile: string;
+}
+export declare function buildInitialPrompt(detection: string, pinned?: PinnedClient): string;
 //# sourceMappingURL=playbook.d.ts.map

package/dist/src/lib/wizard/playbook.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"playbook.d.ts","sourceRoot":"","sources":["../../../../src/lib/wizard/playbook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,oBAAoB,QA6HzB,CAAC;AAET,gFAAgF;AAChF,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAa5D"}
+{"version":3,"file":"playbook.d.ts","sourceRoot":"","sources":["../../../../src/lib/wizard/playbook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,oBAAoB,QA+IzB,CAAC;AAET,gFAAgF;AAChF,6FAA6F;AAC7F,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,wFAAwF;IACxF,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,MAAM,CA+BnF"}

package/dist/src/lib/wizard/playbook.js

@@ -70,10 +70,18 @@ Part 3 - MCP (Streamable HTTP):
   POST https://mcp.agentcard.sh/mcp, headers Authorization: Bearer <user token>,
   Accept: application/json, text/event-stream. Handshake initialize ->
   notifications/initialized -> tools/list -> tools/call; echo Mcp-Session-Id.
-  Card tools: create_card({amount_cents}), list_cards, get_card_details({card_id}),
-  check_balance, close_card, approve_request, list_transactions, get_plan. Curate
-  the toolset (drop \`buy\`). Prefer the Vercel AI SDK MCP client over hand-rolling
-  JSON-RPC if the host already uses the AI SDK.
+  Expose EVERY tool the server advertises. Call tools/list at RUNTIME and register
+  ALL returned tools dynamically, deriving each tool's name, description, and
+  parameters from its advertised inputSchema. Do NOT hardcode a tool list and do NOT
+  curate/drop any tool - the integration must forward whatever tools/list returns so
+  that tools Agentcard adds later are supported automatically with ZERO code change.
+  (At the time of writing the server exposes create_card, list_cards,
+  get_card_details, check_balance, close_card, approve_request, list_transactions,
+  get_plan, buy, ... - treat that only as an example, never as a fixed allowlist.)
+  Prefer the Vercel AI SDK MCP client (\`experimental_createMCPClient(...).tools()\`
+  returns the full live toolset already mapped to the host's tool type) over
+  hand-rolling JSON-RPC if the host already uses the AI SDK. If a denylist is ever
+  needed it must be config/env-driven and default to EMPTY (all tools on).
 
 ## Implementation steps (in order)
 0. Read discovery + confirm endpoints.
@@ -94,12 +102,14 @@ Part 3 - MCP (Streamable HTTP):
    /authorize) and GET /callback (exchange code -> store token). Same process as
    the brain; publicly reachable (tunnel for local dev). redirect_uri must equal
    <public-base>/callback exactly.
-6. Part 3: per user, build an MCP client with the user's token; expose a curated
-   toolset; refresh on near-expiry and on 401.
+6. Part 3: per user, build an MCP client with the user's token; expose ALL tools
+   returned by tools/list dynamically (no hardcoded allowlist, no curated subset);
+   refresh on near-expiry and on 401.
 7. Wire into the brain: look up the token; if none, hand the user the
-   /connect?user=<id> link; if present, expose card tools and let the model call
-   them in a multi-step loop.
-8. Clean up: curate tools, never log PAN/CVV, redact debug logging.
+   /connect?user=<id> link; if present, expose the full live toolset and let the
+   model call any of them in a multi-step loop.
+8. Clean up: never log PAN/CVV, redact debug logging. Do NOT prune the toolset -
+   forward every tool the server advertises.
 
 ## Gotchas (check every one)
 - resource param mandatory on /authorize AND /token (=https://mcp.agentcard.sh/mcp).
@@ -110,6 +120,11 @@ Part 3 - MCP (Streamable HTTP):
   approval_id; resolve with approve_request. Decide auto-approve vs ask-the-user.
 - Card isolation is per (client, user) - an empty list_cards on a new client is
   correct, not a bug.
+- Toolset is DYNAMIC: register every tool from tools/list and pass through each
+  tool's inputSchema; never hardcode tool names or a curated subset, so server-side
+  tool additions work without touching the integration. A verification step that
+  asserts "exactly these N tools" is WRONG - assert the live tools/list is forwarded
+  in full instead.
 - Connect server must be public + co-process with the store.
 - NEVER log PAN/CVV; redact tool-result logging.
 - Identify the user by a stable key.
@@ -120,7 +135,10 @@ Part 3 - MCP (Streamable HTTP):
 A. Offline unit tests: PKCE (challenge === base64url(sha256(verifier))); token
    exchange/refresh against a mock /token asserting grant_type, code_verifier,
    resource, and client_secret when confidential; MCP flow against a mock JSON-RPC
-   server incl. the approval-required -> approve_request path.
+   server incl. the approval-required -> approve_request path. Add a dynamic-toolset
+   test: point the mock server at an ARBITRARY tools/list (including an invented
+   future tool the code has never seen) and assert the integration registers ALL of
+   them - never assert a fixed/expected set of tool names.
 B. Discovery checks: curl the two .well-known endpoints; for confidential clients,
    prove refresh requires the secret (with -> 200, without -> 400 invalid_client).
 C. Live sandbox: register the client (DCR or org) with <public-base>/callback,
@@ -138,9 +156,8 @@ When you finish, end your final message with a short summary that begins with
 "INTEGRATION COMPLETE:" (or "INTEGRATION BLOCKED:" with the reason if you could
 not proceed), then list the files you created or changed.
 `.trim();
-/** The initial user turn that kicks the agent off inside the partner's repo. */
-export function buildInitialPrompt(detection) {
-    return [
+export function buildInitialPrompt(detection, pinned) {
+    const lines = [
         "Integrate Agentcard (the OAuth 2.1 + PKCE + MCP company integration described in",
         "your system prompt) into this repository. Your working directory IS the repo root;",
         "all file paths are relative to it. Use bash/grep to explore and the editor to make",
@@ -148,9 +165,11 @@ export function buildInitialPrompt(detection) {
         '',
         'What the wizard already detected about this repo:',
         detection,
-        '',
-        'Start with Step 0 (discovery) and Step 1/1b (scope the repo + mirror existing',
-        'OAuth/MCP patterns), then proceed through the playbook. Verify against SANDBOX.',
-    ].join('\n');
+    ];
+    if (pinned) {
+        lines.push('', 'IMPORTANT — a CONFIDENTIAL OAuth client is ALREADY provisioned for this app. Do', 'NOT register a new client (no DCR). Use the pinned credentials, which the wizard', `has ALREADY written to ${pinned.envFile}:`, '  AGENTCARD_OAUTH_CLIENT_ID, AGENTCARD_OAUTH_CLIENT_SECRET, AGENTCARD_API_KEY,', '  AGENTCARD_PUBLIC_URL.', `The client_id is ${pinned.clientId} and its registered redirect_uri is`, `${pinned.redirectUri} — so implement the OAuth callback at EXACTLY that path`, `(${pinned.redirectUri.replace(/^https?:\/\/[^/]+/, '')}). Read every secret from`, 'process.env — NEVER hardcode or log AGENTCARD_OAUTH_CLIENT_SECRET / AGENTCARD_API_KEY.', 'Confidential client: send client_secret on BOTH the token exchange and refresh.');
+    }
+    lines.push('', 'Start with Step 0 (discovery) and Step 1/1b (scope the repo + mirror existing', 'OAuth/MCP patterns), then proceed through the playbook. Verify against SANDBOX.');
+    return lines.join('\n');
 }
 //# sourceMappingURL=playbook.js.map

package/dist/src/lib/wizard/playbook.js.map

@@ -1 +1 @@
-{"version":3,"file":"playbook.js","sourceRoot":"","sources":["../../../../src/lib/wizard/playbook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6HnC,CAAC,IAAI,EAAE,CAAC;AAET,gFAAgF;AAChF,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,OAAO;QACL,kFAAkF;QAClF,oFAAoF;QACpF,oFAAoF;QACpF,oDAAoD;QACpD,EAAE;QACF,mDAAmD;QACnD,SAAS;QACT,EAAE;QACF,+EAA+E;QAC/E,iFAAiF;KAClF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}
+{"version":3,"file":"playbook.js","sourceRoot":"","sources":["../../../../src/lib/wizard/playbook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+InC,CAAC,IAAI,EAAE,CAAC;AAWT,MAAM,UAAU,kBAAkB,CAAC,SAAiB,EAAE,MAAqB;IACzE,MAAM,KAAK,GAAG;QACZ,kFAAkF;QAClF,oFAAoF;QACpF,oFAAoF;QACpF,oDAAoD;QACpD,EAAE;QACF,mDAAmD;QACnD,SAAS;KACV,CAAC;IACF,IAAI,MAAM,EAAE,CAAC;QACX,KAAK,CAAC,IAAI,CACR,EAAE,EACF,iFAAiF,EACjF,kFAAkF,EAClF,0BAA0B,MAAM,CAAC,OAAO,GAAG,EAC3C,gFAAgF,EAChF,yBAAyB,EACzB,oBAAoB,MAAM,CAAC,QAAQ,qCAAqC,EACxE,GAAG,MAAM,CAAC,WAAW,yDAAyD,EAC9E,IAAI,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,2BAA2B,EAClF,wFAAwF,EACxF,iFAAiF,CAClF,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,IAAI,CACR,EAAE,EACF,+EAA+E,EAC/E,iFAAiF,CAClF,CAAC;IACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/src/lib/wizard/secrets.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Write the provisioned Agentcard credentials into the app's local env file so the
+ * agent never sees the secrets — it writes code that reads `process.env.AGENTCARD_*`,
+ * and we put the actual `client_secret` / API key here (secret-vault pattern).
+ *
+ * Picks the env file by the repo's convention: an existing .env.local / .env, else
+ * .env.local when a `.env.local.example` is present (Next.js style), else .env.
+ * Upserts each key (replaces an existing line, appends otherwise). Returns the file.
+ */
+export declare function writeAgentcardEnv(repoRoot: string, vars: Record<string, string>): string;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/src/lib/wizard/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../../../src/lib/wizard/secrets.ts"],"names":[],"mappings":"AAGA;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAgCxF"}

package/dist/src/lib/wizard/secrets.js

@@ -0,0 +1,49 @@
+import { readFileSync, writeFileSync, existsSync, chmodSync } from 'fs';
+import { join } from 'path';
+/**
+ * Write the provisioned Agentcard credentials into the app's local env file so the
+ * agent never sees the secrets — it writes code that reads `process.env.AGENTCARD_*`,
+ * and we put the actual `client_secret` / API key here (secret-vault pattern).
+ *
+ * Picks the env file by the repo's convention: an existing .env.local / .env, else
+ * .env.local when a `.env.local.example` is present (Next.js style), else .env.
+ * Upserts each key (replaces an existing line, appends otherwise). Returns the file.
+ */
+export function writeAgentcardEnv(repoRoot, vars) {
+    const pick = () => {
+        for (const f of ['.env.local', '.env', '.env.development.local']) {
+            if (existsSync(join(repoRoot, f)))
+                return f;
+        }
+        return existsSync(join(repoRoot, '.env.local.example')) ? '.env.local' : '.env';
+    };
+    const file = pick();
+    const path = join(repoRoot, file);
+    let content = existsSync(path) ? readFileSync(path, 'utf8') : '';
+    if (content && !content.endsWith('\n'))
+        content += '\n';
+    for (const [k, v] of Object.entries(vars)) {
+        if (v == null)
+            continue;
+        const line = `${k}=${v}`;
+        const re = new RegExp(`^${k}=.*$`, 'm');
+        if (re.test(content)) {
+            content = content.replace(re, line);
+        }
+        else {
+            content += `${line}\n`;
+        }
+    }
+    writeFileSync(path, content, { mode: 0o600 });
+    // `mode` on writeFileSync only applies when CREATING the file — an existing env
+    // file keeps its (often 0644) perms. We just wrote a client_secret + API key into
+    // it, so restrict it explicitly.
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch {
+        // Best-effort (e.g. unusual filesystems); the secrets are still written.
+    }
+    return file;
+}
+//# sourceMappingURL=secrets.js.map

package/dist/src/lib/wizard/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../../src/lib/wizard/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,IAA4B;IAC9E,MAAM,IAAI,GAAG,GAAW,EAAE;QACxB,KAAK,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,EAAE,wBAAwB,CAAC,EAAE,CAAC;YACjE,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;gBAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC;IAClF,CAAC,CAAC;IACF,MAAM,IAAI,GAAG,IAAI,EAAE,CAAC;IACpB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAClC,IAAI,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACjE,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,IAAI,CAAC;IAExD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,IAAI,IAAI;YAAE,SAAS;QACxB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACxC,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACrB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,GAAG,IAAI,IAAI,CAAC;QACzB,CAAC;IACH,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9C,gFAAgF;IAChF,kFAAkF;IAClF,iCAAiC;IACjC,IAAI,CAAC;QACH,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;IAC3E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/lib/wizard/theme.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Small presentation theme for the wizard, inspired by PostHog's setup wizard:
+ * a brand banner, an accent color, status icons, a connected left gutter, and a
+ * structured outro. Layered on top of chalk/inquirer/ora — no UI-framework rewrite.
+ */
+export declare const ui: {
+    primary: import("chalk").ChalkInstance;
+    accent: import("chalk").ChalkInstance;
+    success: import("chalk").ChalkInstance;
+    error: import("chalk").ChalkInstance;
+    warn: import("chalk").ChalkInstance;
+    muted: import("chalk").ChalkInstance;
+    bold: import("chalk").ChalkInstance;
+    dim: import("chalk").ChalkInstance;
+};
+export declare const glyph: {
+    check: string;
+    cross: string;
+    warn: string;
+    diamond: string;
+    diamondOpen: string;
+    sqOpen: string;
+    sqFilled: string;
+    play: string;
+    pointer: string;
+    bullet: string;
+    arrow: string;
+    gutter: string;
+};
+/** Branded intro banner: three brand blocks + title + dim subtitle lines. */
+export declare function banner(title: string, subtitle?: string[]): void;
+/** A numbered step header, with a blank gutter line under it for grouping. */
+export declare function step(n: number, total: number, title: string): void;
+/** A line inside the current step, hung under the gutter. */
+export declare function line(text?: string): void;
+/** A "label ✔ value" detection/summary row, under the gutter. */
+export declare function row(label: string, value: string): void;
+/** A boxed-ish note: a titled block hung under the gutter (clack-style left rail). */
+export declare function note(title: string, lines: string[]): void;
+/** A success outro: green header, optional "what changed" + "next steps" + review note. */
+export declare function outroSuccess(opts: {
+    message: string;
+    changes?: string[];
+    nextSteps?: string[];
+    reviewNote?: string;
+}): void;
+/** An error outro: red header + optional body. */
+export declare function outroError(message: string, body?: string): void;
+//# sourceMappingURL=theme.d.ts.map

package/dist/src/lib/wizard/theme.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"theme.d.ts","sourceRoot":"","sources":["../../../../src/lib/wizard/theme.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,eAAO,MAAM,EAAE;;;;;;;;;CASd,CAAC;AAEF,eAAO,MAAM,KAAK;;;;;;;;;;;;;CAajB,CAAC;AAIF,6EAA6E;AAC7E,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAM,EAAO,GAAG,IAAI,CAKnE;AAED,8EAA8E;AAC9E,wBAAgB,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAIlE;AAED,6DAA6D;AAC7D,wBAAgB,IAAI,CAAC,IAAI,SAAK,GAAG,IAAI,CAEpC;AAED,iEAAiE;AACjE,wBAAgB,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAEtD;AAED,sFAAsF;AACtF,wBAAgB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAIzD;AAED,2FAA2F;AAC3F,wBAAgB,YAAY,CAAC,IAAI,EAAE;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,IAAI,CAiBP;AAED,kDAAkD;AAClD,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAI/D"}

package/dist/src/lib/wizard/theme.js

@@ -0,0 +1,89 @@
+import chalk from 'chalk';
+/**
+ * Small presentation theme for the wizard, inspired by PostHog's setup wizard:
+ * a brand banner, an accent color, status icons, a connected left gutter, and a
+ * structured outro. Layered on top of chalk/inquirer/ora — no UI-framework rewrite.
+ */
+export const ui = {
+    primary: chalk.cyan,
+    accent: chalk.hex('#F59E0B'), // warm amber accent (focus / step markers)
+    success: chalk.green,
+    error: chalk.red,
+    warn: chalk.yellow,
+    muted: chalk.gray,
+    bold: chalk.bold,
+    dim: chalk.dim,
+};
+export const glyph = {
+    check: '✔',
+    cross: '✘',
+    warn: '⚠',
+    diamond: '◆',
+    diamondOpen: '◇',
+    sqOpen: '◻',
+    sqFilled: '◼',
+    play: '▶',
+    pointer: '▸',
+    bullet: '•',
+    arrow: '→',
+    gutter: '│',
+};
+const g = () => ui.muted(glyph.gutter);
+/** Branded intro banner: three brand blocks + title + dim subtitle lines. */
+export function banner(title, subtitle = []) {
+    const blocks = chalk.cyan('█') + chalk.hex('#F59E0B')('█') + chalk.magentaBright('█');
+    console.log();
+    console.log(`${blocks} ${ui.bold(title)}`);
+    for (const s of subtitle)
+        console.log(`  ${ui.dim(s)}`);
+}
+/** A numbered step header, with a blank gutter line under it for grouping. */
+export function step(n, total, title) {
+    console.log();
+    console.log(`${ui.accent(glyph.diamond)} ${ui.bold(`Step ${n}/${total}`)} ${ui.muted('·')} ${title}`);
+    console.log(g());
+}
+/** A line inside the current step, hung under the gutter. */
+export function line(text = '') {
+    console.log(`${g()}  ${text}`);
+}
+/** A "label ✔ value" detection/summary row, under the gutter. */
+export function row(label, value) {
+    console.log(`${g()}  ${label} ${ui.success(glyph.check)} ${value}`);
+}
+/** A boxed-ish note: a titled block hung under the gutter (clack-style left rail). */
+export function note(title, lines) {
+    console.log(g());
+    console.log(`${g()}  ${ui.bold(title)}`);
+    for (const l of lines)
+        console.log(`${g()}    ${ui.dim(l)}`);
+}
+/** A success outro: green header, optional "what changed" + "next steps" + review note. */
+export function outroSuccess(opts) {
+    console.log();
+    console.log(`${ui.success(glyph.check)} ${ui.success.bold(opts.message)}`);
+    if (opts.changes?.length) {
+        console.log();
+        console.log(ui.primary.bold('What the agent did:'));
+        for (const c of opts.changes)
+            console.log(`  ${ui.muted(glyph.bullet)} ${c}`);
+    }
+    if (opts.nextSteps?.length) {
+        console.log();
+        console.log(ui.primary.bold('Next steps:'));
+        for (const s of opts.nextSteps)
+            console.log(`  ${ui.muted(glyph.bullet)} ${s}`);
+    }
+    if (opts.reviewNote) {
+        console.log();
+        console.log(ui.dim(opts.reviewNote));
+    }
+}
+/** An error outro: red header + optional body. */
+export function outroError(message, body) {
+    console.log();
+    console.log(`${ui.error(glyph.cross)} ${ui.error.bold(message)}`);
+    if (body)
+        console.log(ui.dim(body));
+}
+//# sourceMappingURL=theme.js.map

package/dist/src/lib/wizard/theme.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"theme.js","sourceRoot":"","sources":["../../../../src/lib/wizard/theme.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B;;;;GAIG;AACH,MAAM,CAAC,MAAM,EAAE,GAAG;IAChB,OAAO,EAAE,KAAK,CAAC,IAAI;IACnB,MAAM,EAAE,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,2CAA2C;IACzE,OAAO,EAAE,KAAK,CAAC,KAAK;IACpB,KAAK,EAAE,KAAK,CAAC,GAAG;IAChB,IAAI,EAAE,KAAK,CAAC,MAAM;IAClB,KAAK,EAAE,KAAK,CAAC,IAAI;IACjB,IAAI,EAAE,KAAK,CAAC,IAAI;IAChB,GAAG,EAAE,KAAK,CAAC,GAAG;CACf,CAAC;AAEF,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,KAAK,EAAE,GAAG;IACV,KAAK,EAAE,GAAG;IACV,IAAI,EAAE,GAAG;IACT,OAAO,EAAE,GAAG;IACZ,WAAW,EAAE,GAAG;IAChB,MAAM,EAAE,GAAG;IACX,QAAQ,EAAE,GAAG;IACb,IAAI,EAAE,GAAG;IACT,OAAO,EAAE,GAAG;IACZ,MAAM,EAAE,GAAG;IACX,KAAK,EAAE,GAAG;IACV,MAAM,EAAE,GAAG;CACZ,CAAC;AAEF,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAEvC,6EAA6E;AAC7E,MAAM,UAAU,MAAM,CAAC,KAAa,EAAE,WAAqB,EAAE;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AAC1D,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,IAAI,CAAC,CAAS,EAAE,KAAa,EAAE,KAAa;IAC1D,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC;IACtG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;AACnB,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,IAAI,CAAC,IAAI,GAAG,EAAE;IAC5B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,GAAG,CAAC,KAAa,EAAE,KAAa;IAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,KAAK,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,sFAAsF;AACtF,MAAM,UAAU,IAAI,CAAC,KAAa,EAAE,KAAe;IACjD,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IACjB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,2FAA2F;AAC3F,MAAM,UAAU,YAAY,CAAC,IAK5B;IACC,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC3E,IAAI,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;QACpD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChF,CAAC;IACD,IAAI,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;QAC5C,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,IAAa;IACvD,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAClE,IAAI,IAAI;QAAE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;AACtC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-cards-admin",
-  "version": "0.3.13",
+  "version": "0.3.15",
   "description": "Admin CLI for managing B2B organizations, API keys, and members",
   "type": "module",
   "bin": {