fastpass-cli 0.1.2 → 0.2.0

package/README.md

@@ -1,148 +1,150 @@
 # fastpass
 
-Cloudflare Access in 60 seconds.
+A CLI for rapdily configuring [Cloudflare Access](https://www.cloudflare.com/products/zero-trust/access/) — add authentication to internal apps without touching your application code. Creates Access Applications, Identity Providers, and policies via the Cloudflare API.
 
-## What you want → What it does
+**Requirements:** Node 18+, Cloudflare account with the domain on your account, Cloudflare Zero Trust (Access) enabled.
 
-| You want...                        | Cloudflare calls it...         | fastpass handles it |
-|------------------------------------|--------------------------------|----------------------|
-| A login page on my app             | Self-hosted Access Application | `protect`            |
-| GitHub/Google login                | Identity Provider (IdP)        | `--auth github`      |
-| "Only my team can access this"     | Access Policy (Allow rule)     | `--allow`            |
-| "Only my GitHub org"               | GitHub Organization rule       | `--allow "org:name"` |
-| Email-based login, no passwords    | One-Time PIN (OTP)             | `--auth email`       |
-| The wall that checks your identity | Cloudflare Access              | all of it            |
-
-## Quickstart
+## Installation
 
 ```sh
 npx fastpass-cli
 ```
 
-That's it. The interactive wizard walks you through everything.
+No global install. Use `npx` to run the latest version.
 
-## One-liners
+## Quick start
 
 ```sh
-# Protect with email login (zero config)
-npx fastpass-cli protect staging.myapp.com --auth email --allow "me@gmail.com"
+# Interactive wizard (prompts for domain, auth method, and access rules)
+npx fastpass-cli
 
-# Protect with GitHub login, allow anyone at your company
-npx fastpass-cli protect staging.myapp.com --auth github --allow "*@company.com"
+# Or one-liner
+npx fastpass-cli protect staging.myapp.com --auth email --allow "me@example.com"
+```
 
-# Protect with GitHub login, restrict to a GitHub org
-npx fastpass-cli protect staging.myapp.com --auth github --allow "org:my-github-org"
+## Commands
 
-# Protect with Google login, allow everyone (just require login)
-npx fastpass-cli protect admin.myapp.com --auth google --allow "everyone"
+| Command | Description |
+|---------|-------------|
+| `protect [domain]` | Create an Access Application. Default command when no subcommand is given. |
+| `list` | List all protected domains (self-hosted Access apps). |
+| `remove [domain]` | Delete Access protection from a domain. |
+| `status` | Overview of team, apps, IdPs, and recent access activity. |
+| `logs [domain]` | Recent access events (default: last 25). |
+| `inspect [domain]` | Detailed configuration for an Access Application. |
 
-# List protected domains
-npx fastpass-cli list
+## Protect options
 
-# Remove protection
-npx fastpass-cli remove staging.myapp.com
+```
+protect [domain] [options]
 
-# Overview dashboard — team, apps, IdPs, recent activity
-npx fastpass-cli status
+Options:
+  --auth <method>   email | github | google (comma-separated for multiple)
+  --allow <rule>    Access rule (see below)
+```
 
-# Recent access events (last 25)
-npx fastpass-cli logs
+### `--allow` rule syntax
 
-# Filter events to one domain, last 10
-npx fastpass-cli logs staging.myapp.com --limit 10
+| Rule | Meaning | Example |
+|------|---------|---------|
+| Email address(es) | Specific users (comma-separated) | `me@example.com` or `a@b.com,b@b.com` |
+| `*@domain.com` | Anyone with that email domain | `*@company.com` |
+| `org:name` | Members of a GitHub organization | `org:my-org` |
+| `everyone` | Any authenticated user | `everyone` |
 
-# Events since a specific date
-npx fastpass-cli logs --since 2025-01-15
+### Auth methods
 
-# Detailed config for a specific app
-npx fastpass-cli inspect staging.myapp.com
+- **email** — One-time PIN (OTP) sent to email. No external setup; built into Cloudflare.
+- **github** — OAuth. You create an app at [GitHub Developer Settings](https://github.com/settings/developers) and provide Client ID + Secret when prompted.
+- **google** — OAuth. Same flow via Google Cloud Console.
 
-# Interactive app picker
-npx fastpass-cli inspect
-```
+## Credentials
 
-## Prerequisites
+fastpass needs Cloudflare API access. It checks, in order:
 
-### 1. Enable Cloudflare Access (one-time)
+1. `CLOUDFLARE_API_TOKEN` environment variable
+2. Wrangler OAuth token from `~/.wrangler/config/default.toml` (from `npx wrangler login`)
 
-Before fastpass can do anything, Access needs to be turned on for your account:
+**Recommended:** Use an API token with:
 
-1. Go to [https://one.dash.cloudflare.com](https://one.dash.cloudflare.com) (Zero Trust dashboard)
-2. You'll be prompted to select the **Free** plan ($0) — confirm it
-3. Pick a **team name** (e.g. `myteam`) — this becomes `myteam.cloudflareaccess.com`, the login domain for all your protected apps
+- **Access: Organizations, Identity Providers, and Groups** — Edit
+- **Access: Apps and Policies** — Edit
+- **Zone: Zone** — Read (for domain validation)
 
-This only needs to happen once per account.
+Create tokens at [dash.cloudflare.com/profile/api-tokens](https://dash.cloudflare.com/profile/api-tokens).
 
-### 2. API credentials
+```sh
+export CLOUDFLARE_API_TOKEN="your-token"
 
-You need a Cloudflare API token. Pick one:
+# Optional, if you have multiple accounts:
+export CLOUDFLARE_ACCOUNT_ID="your-account-id"
+```
 
-### Option A: API Token (recommended)
+**Note:** Wrangler’s OAuth token typically does not include Access scopes. If `wrangler login` works for Workers but fastpass fails with permission errors, use a dedicated API token with the permissions above.
 
-1. Go to https://dash.cloudflare.com/profile/api-tokens
-2. Create a token with these permissions:
-   - **Access: Organizations, Identity Providers, and Groups** — Edit
-   - **Access: Apps and Policies** — Edit
-   - **Zone: Zone** — Read
-3. Set the env var:
+**Logs:** The `logs` and `status` commands fetch access events. If they fail, your token may need **Access: Audit Logs** — Read.
 
-```sh
-export CLOUDFLARE_API_TOKEN="your-token"
-```
+## Prerequisites
 
-Optionally set `CLOUDFLARE_ACCOUNT_ID` if you have multiple accounts.
+1. **Cloudflare Access enabled** — In [Zero Trust](https://one.dash.cloudflare.com), select the Free plan and set a team name (e.g. `myteam` → `myteam.cloudflareaccess.com`). This is a one-time setup per account.
 
-### Option B: Wrangler login
+2. **Domain in Cloudflare** — The domain you protect must exist as a zone in your Cloudflare account. fastpass validates this before creating the Access Application.
 
-If you already use wrangler:
+## Example usage
 
 ```sh
-npx wrangler login
-npx fastpass-cli
-```
-
-> **Note:** Wrangler's default OAuth token does not include Access scopes. If you use `wrangler login` for deploying Workers but get permission errors from fastpass, you'll need a dedicated API token (Option A). The wrangler OAuth scopes cover Workers, KV, D1, Pages, etc. — but not Cloudflare Access.
+# Email OTP, only you
+npx fastpass-cli protect staging.myapp.com --auth email --allow "me@gmail.com"
 
-## Auth methods
+# GitHub, anyone at your company
+npx fastpass-cli protect staging.myapp.com --auth github --allow "*@company.com"
 
-### Email code (OTP)
+# GitHub, restrict to a specific org
+npx fastpass-cli protect staging.myapp.com --auth github --allow "org:my-github-org"
 
-The easiest option. No external setup required. Users get a one-time code sent to their email.
+# Google, any logged-in user
+npx fastpass-cli protect admin.myapp.com --auth google --allow "everyone"
 
-### GitHub
+# Multiple login methods (email + GitHub), shows Cloudflare's provider picker
+npx fastpass-cli protect staging.myapp.com --auth email,github --allow "*@company.com"
 
-fastpass walks you through creating a GitHub OAuth app. You'll need to:
-1. Create an OAuth app at https://github.com/settings/developers
-2. Paste the Client ID and Secret when prompted
+# List apps, view status, inspect config
+npx fastpass-cli list
+npx fastpass-cli status
+npx fastpass-cli inspect staging.myapp.com
 
-### Google
+# Logs
+npx fastpass-cli logs
+npx fastpass-cli logs staging.myapp.com --limit 10
+npx fastpass-cli logs --since 2025-01-15
 
-Same as GitHub — fastpass guides you through the Google Cloud Console OAuth setup.
+# Remove protection
+npx fastpass-cli remove staging.myapp.com
+```
 
 ## How it works
 
-Under the hood, fastpass calls the Cloudflare API to:
+fastpass calls the Cloudflare API to:
 
-1. **Validate** your domain exists in your CF account
-2. **Create an Identity Provider** (email OTP, GitHub, or Google OAuth)
-3. **Create an Access Application** on your domain with an allow policy
-4. Your domain now shows a login page before granting access
+1. Check that the domain exists in your account (zone lookup).
+2. Create or reuse an Identity Provider (email OTP, GitHub, or Google).
+3. Create an Access Application (self-hosted) with an allow policy.
+4. Visitors hit your domain and see Cloudflare’s login page before access.
 
-All of this maps to Cloudflare's [Zero Trust Access](https://developers.cloudflare.com/cloudflare-one/policies/access/) product — fastpass just removes the complexity.
+All of this maps to Cloudflare Zero Trust Access. fastpass automates the setup; advanced configuration is done in the [Zero Trust dashboard](https://one.dash.cloudflare.com).
 
 ## FAQ
 
-**Does this cost money?**
-Cloudflare Access is free for up to 50 users.
+**Cost?** Cloudflare Access is free for up to 50 users.
+
+**Existing IdPs?** fastpass reuses Identity Providers already configured in your account (e.g. Email Login, GitHub, Google).
+
+**Existing Access setup?** If you already have Access apps and IdPs, fastpass will use them where applicable. It does not modify existing apps; `protect` creates new ones.
 
-**Can I use multiple auth methods?**
-Run `protect` again on the same domain with a different `--auth` flag, or configure additional IdPs in the CF dashboard.
+**Multiple auth methods per app?** Use `--auth email,github` to wire multiple IdPs in one command. When multiple methods are set, visitors see Cloudflare's provider picker instead of auto-redirecting.
 
-**What if I already have Access set up?**
-fastpass detects existing identity providers and reuses them.
+**Need to change policies or users?** Use the [Zero Trust dashboard](https://one.dash.cloudflare.com).
 
-**How do I see what's going on?**
-Run `npx fastpass-cli status` for an overview, `npx fastpass-cli logs` for recent events, or `npx fastpass-cli inspect <domain>` for detailed app config.
+## License
 
-**How do I manage users/policies after setup?**
-Use the [Cloudflare Zero Trust dashboard](https://one.dash.cloudflare.com).
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fastpass-cli",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "description": "Cloudflare Access in 60 seconds.",
   "type": "module",
   "bin": {
@@ -29,6 +29,11 @@
   "bugs": {
     "url": "https://github.com/corywilkerson/fastpass/issues"
   },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
+  },
   "engines": {
     "node": ">=18"
   },
@@ -36,6 +41,11 @@
     "@inquirer/prompts": "^7.0.0",
     "commander": "^13.0.0",
     "open": "^10.0.0",
+    "ora": "^9.3.0",
     "picocolors": "^1.1.0"
+  },
+  "devDependencies": {
+    "@vitest/coverage-v8": "^4.0.18",
+    "vitest": "^4.0.18"
   }
 }

package/src/auth.js

@@ -1,57 +1,77 @@
-import { execSync } from 'node:child_process';
+import { readFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
 import pc from 'picocolors';
+import { spin } from './ui.js';
 
 /**
  * Resolve Cloudflare credentials.
  *
  * Priority:
  *  1. CLOUDFLARE_API_TOKEN env var
- *  2. `wrangler auth token` fallback (OAuth token)
+ *  2. Wrangler OAuth token from ~/.wrangler/config/default.toml
  *
  * Account ID:
  *  1. CLOUDFLARE_ACCOUNT_ID env var
  *  2. Fetched from /accounts API
  */
 export async function getCredentials() {
+  const s = spin('Checking Cloudflare credentials');
+
   let token = process.env.CLOUDFLARE_API_TOKEN;
 
   if (!token) {
-    token = tryWranglerToken();
+    s.text = 'Checking Cloudflare credentials (trying wrangler)';
+    token = await tryWranglerToken();
   }
 
   if (!token) {
-    console.error(pc.red('\nCould not find Cloudflare credentials.\n'));
-    console.error('Set one of the following:\n');
-    console.error(`  ${pc.bold('CLOUDFLARE_API_TOKEN')}  — API token (recommended)`);
-    console.error(`                         Create one at https://dash.cloudflare.com/profile/api-tokens`);
-    console.error(`                         Needs ${pc.cyan('Access: Organizations, Identity Providers, and Groups — Edit')}`);
-    console.error(`                         and   ${pc.cyan('Access: Apps and Policies — Edit')}\n`);
-    console.error(`  Or install ${pc.bold('wrangler')} and run ${pc.cyan('npx wrangler login')} first.\n`);
+    s.fail('No Cloudflare credentials found');
+    console.error('');
+    console.error(`  ${pc.bold('How to fix — pick one:')}`);
+    console.error('');
+    console.error(`  ${pc.cyan('1.')} Set an API token (recommended):`);
+    console.error('');
+    console.error(`     ${pc.bold('export CLOUDFLARE_API_TOKEN=<your-token>')}`);
+    console.error('');
+    console.error(`     Create one at: ${pc.dim('https://dash.cloudflare.com/profile/api-tokens')}`);
+    console.error('     Required permissions:');
+    console.error(`       ${pc.dim('•')} Access: Organizations, Identity Providers, and Groups — Edit`);
+    console.error(`       ${pc.dim('•')} Access: Apps and Policies — Edit`);
+    console.error('');
+    console.error(`  ${pc.cyan('2.')} Log in with wrangler:`);
+    console.error('');
+    console.error(`     ${pc.bold('npx wrangler login')}`);
+    console.error('');
     process.exit(1);
   }
 
   let accountId = process.env.CLOUDFLARE_ACCOUNT_ID;
 
   if (!accountId) {
+    s.text = 'Fetching account info';
     accountId = await fetchAccountId(token);
   }
 
+  s.succeed('Credentials OK');
   return { token, accountId };
 }
 
-function tryWranglerToken() {
+async function tryWranglerToken() {
   try {
-    const result = execSync('npx wrangler --version 2>/dev/null && npx wrangler auth token 2>/dev/null', {
-      encoding: 'utf-8',
-      timeout: 15000,
-      stdio: ['pipe', 'pipe', 'pipe'],
-    });
-    const trimmed = result.trim();
-    if (trimmed && !trimmed.includes('Error') && !trimmed.includes('error')) {
-      return trimmed;
+    const configPath = join(homedir(), '.wrangler', 'config', 'default.toml');
+    const content = await readFile(configPath, 'utf-8');
+    const match = content.match(/^oauth_token\s*=\s*"(.+)"/m);
+    if (match?.[1]) {
+      // Check if token is expired
+      const expMatch = content.match(/^expiration_time\s*=\s*"(.+)"/m);
+      if (expMatch?.[1] && new Date(expMatch[1]) < new Date()) {
+        return null; // expired
+      }
+      return match[1];
     }
   } catch {
-    // wrangler not available or not logged in
+    // config file not found — wrangler not logged in
   }
   return null;
 }

package/src/cli.js

@@ -15,13 +15,13 @@ export function run() {
   program
     .name('fastpass-cli')
     .description('Cloudflare Access in 60 seconds.')
-    .version('0.1.0');
+    .version('0.2.0');
 
   // Default action (no subcommand) — run the protect wizard
   program
     .command('protect [domain]', { isDefault: true })
     .description('Protect a domain with Cloudflare Access')
-    .option('--auth <method>', 'Auth method: email, github, or google')
+    .option('--auth <method>', 'Auth method(s): email, github, google (comma-separated for multiple)')
     .option('--allow <rule>', 'Who can access: email, *@domain.com, or "everyone"')
     .action(async (domain, opts) => {
       printBanner();

package/src/commands/inspect.js

@@ -1,16 +1,20 @@
 import pc from 'picocolors';
 import { select } from '@inquirer/prompts';
 import { handleApiError } from '../api.js';
+import { withSpinner, heading } from '../ui.js';
 
 /**
  * Inspect a specific Access application's detailed configuration.
  */
 export async function inspect(api, opts = {}) {
   try {
-    const [{ result: apps }, { result: idps }] = await Promise.all([
-      api.get('/access/apps'),
-      api.get('/access/identity_providers'),
-    ]);
+    const [{ result: apps }, { result: idps }] = await withSpinner(
+      'Loading application details',
+      () => Promise.all([
+        api.get('/access/apps'),
+        api.get('/access/identity_providers'),
+      ]),
+    );
 
     const selfHosted = apps?.filter((a) => a.type === 'self_hosted') || [];
 
@@ -44,16 +48,14 @@ export async function inspect(api, opts = {}) {
     }
 
     // --- App details ---
-    console.log(`\n  ${pc.bold('Application')}`);
-    console.log(pc.dim(`  ${'─'.repeat(50)}`));
+    heading('Application');
     console.log(`  Domain:           ${target.domain || 'n/a'}`);
     console.log(`  Type:             ${target.type || 'n/a'}`);
     console.log(`  Session duration: ${target.session_duration || 'default'}`);
     console.log(`  App ID:           ${pc.dim(target.id)}`);
 
     // --- Allowed IdPs ---
-    console.log(`\n  ${pc.bold('Identity Providers')}`);
-    console.log(pc.dim(`  ${'─'.repeat(50)}`));
+    heading('Identity Providers');
     if (target.allowed_idps?.length) {
       for (const idpId of target.allowed_idps) {
         const idp = idpMap.get(idpId);
@@ -68,8 +70,7 @@ export async function inspect(api, opts = {}) {
     }
 
     // --- Policies ---
-    console.log(`\n  ${pc.bold('Policies')}`);
-    console.log(pc.dim(`  ${'─'.repeat(50)}`));
+    heading('Policies');
     if (target.policies?.length) {
       for (const policy of target.policies) {
         console.log(`  ${pc.cyan(policy.name || 'Unnamed')} — ${policy.decision || 'n/a'}`);
@@ -89,7 +90,7 @@ export async function inspect(api, opts = {}) {
   }
 }
 
-function describeRule(rule) {
+export function describeRule(rule) {
   if (rule.email?.email) {
     return rule.email.email;
   }

package/src/commands/list.js

@@ -1,12 +1,16 @@
 import pc from 'picocolors';
 import { handleApiError } from '../api.js';
+import { withSpinner } from '../ui.js';
 
 /**
  * List all Access applications in the account.
  */
 export async function list(api) {
   try {
-    const { result } = await api.get('/access/apps');
+    const { result } = await withSpinner(
+      'Fetching protected domains',
+      () => api.get('/access/apps'),
+    );
 
     if (!result?.length) {
       console.log(pc.dim('\n  No Access applications found.\n'));

package/src/commands/logs.js

@@ -1,5 +1,6 @@
 import pc from 'picocolors';
 import { handleApiError } from '../api.js';
+import { withSpinner } from '../ui.js';
 
 /**
  * Show recent access log events, optionally filtered by domain.
@@ -20,8 +21,9 @@ export async function logs(api, opts = {}) {
       sinceParam = `&since=${parsed.toISOString()}`;
     }
 
-    const { result } = await api.get(
-      `/access/logs/access_requests?limit=${limit}&direction=desc${sinceParam}`,
+    const { result } = await withSpinner(
+      'Fetching access events',
+      () => api.get(`/access/logs/access_requests?limit=${limit}&direction=desc${sinceParam}`),
     );
 
     if (!result?.length) {

package/src/commands/protect.js

@@ -5,6 +5,7 @@ import { ensureEmailOtp } from '../idp/email-otp.js';
 import { ensureGitHub } from '../idp/github.js';
 import { ensureGoogle } from '../idp/google.js';
 import { handleApiError } from '../api.js';
+import { spin, withSpinner } from '../ui.js';
 
 const AUTH_CHOICES = {
   email: { label: 'Email code (easiest, no setup)', setup: ensureEmailOtp },
@@ -31,46 +32,55 @@ export async function protect(api, opts = {}) {
     });
 
     // Validate domain exists in CF
-    await validateDomain(api, domain.trim());
-
-    const authMethod = opts.auth || await select({
-      message: 'How should people log in?',
-      choices: Object.entries(AUTH_CHOICES).map(([value, { label }]) => ({ value, name: label })),
-    });
-
-    if (!AUTH_CHOICES[authMethod]) {
-      console.error(pc.red(`Unknown auth method: ${authMethod}. Use: email, github, or google`));
-      process.exit(1);
+    await withSpinner('Verifying domain...', () => validateDomain(api, domain.trim()));
+
+    // Parse auth methods: comma-separated string from CLI, or single interactive choice
+    const authMethods = opts.auth
+      ? opts.auth.split(',').map((m) => m.trim())
+      : [await select({
+          message: 'How should people log in?',
+          choices: Object.entries(AUTH_CHOICES).map(([value, { label }]) => ({ value, name: label })),
+        })];
+
+    for (const method of authMethods) {
+      if (!AUTH_CHOICES[method]) {
+        console.error(pc.red(`Unknown auth method: ${method}. Use: email, github, or google`));
+        process.exit(1);
+      }
     }
 
     // Resolve who gets access
     const { include, includeType } = await resolveAccess(opts.allow);
 
     // Get team name for OAuth callback URLs
-    const teamName = await getTeamName(api);
-    if (!teamName && authMethod !== 'email') {
+    const teamName = await withSpinner('Fetching team info', () => getTeamName(api));
+    if (!teamName && authMethods.some((m) => m !== 'email')) {
       console.error(pc.red('Could not determine your Access team name.'));
       console.error('Make sure Access is enabled in your Cloudflare dashboard.\n');
       process.exit(1);
     }
 
-    // Set up the identity provider
+    // Set up identity providers
     console.log('');
-    const idp = await AUTH_CHOICES[authMethod].setup(api, teamName);
+    const idpResults = [];
+    for (const method of authMethods) {
+      const idp = await AUTH_CHOICES[method].setup(api, teamName);
+      idpResults.push(idp);
+    }
 
     // Build the policy include rules
     const policyInclude = buildIncludeRules(include, includeType);
 
     // Create the access application with an inline policy
-    console.log(`  Protecting ${pc.bold(domain.trim())}...`);
+    const s = spin(`Creating Access application for ${pc.bold(domain.trim())}...`);
 
     const appBody = {
       name: domain.trim(),
       domain: domain.trim(),
       type: 'self_hosted',
       session_duration: '24h',
-      allowed_idps: [idp.id],
-      auto_redirect_to_identity: true,
+      allowed_idps: idpResults.map((idp) => idp.id),
+      auto_redirect_to_identity: idpResults.length === 1,
       policies: [
         {
           name: `Allow — ${domain.trim()}`,
@@ -83,7 +93,8 @@ export async function protect(api, opts = {}) {
 
     const { result: app } = await api.post('/access/apps', appBody);
 
-    console.log(pc.green('  Done!\n'));
+    s.succeed(`Protected ${pc.bold(domain.trim())}`);
+    console.log('');
     console.log(`  ${pc.bold('Your app is protected!')} Try visiting:`);
     console.log(`  ${pc.cyan(`https://${domain.trim()}`)}\n`);
     console.log(`  Manage it: ${pc.dim('https://one.dash.cloudflare.com')}`);
@@ -95,7 +106,7 @@ export async function protect(api, opts = {}) {
   }
 }
 
-async function validateDomain(api, domain) {
+export async function validateDomain(api, domain) {
   // Extract the root domain for zone lookup
   const parts = domain.split('.');
   const rootDomain = parts.slice(-2).join('.');
@@ -113,7 +124,7 @@ async function validateDomain(api, domain) {
   }
 }
 
-async function resolveAccess(allowFlag) {
+export async function resolveAccess(allowFlag) {
   // If --allow flag was passed, parse it
   if (allowFlag) {
     if (allowFlag.startsWith('*@')) {
@@ -171,7 +182,7 @@ async function resolveAccess(allowFlag) {
   }
 }
 
-function buildIncludeRules(include, includeType) {
+export function buildIncludeRules(include, includeType) {
   switch (includeType) {
     case 'emails':
       // CF API expects one rule per email: [{ email: { email: "a@b.com" } }, ...]

package/src/commands/remove.js

@@ -1,14 +1,17 @@
 import pc from 'picocolors';
 import { select, confirm } from '@inquirer/prompts';
 import { handleApiError } from '../api.js';
+import { spin, withSpinner } from '../ui.js';
 
 /**
  * Remove Access protection from a domain.
  */
 export async function remove(api, opts = {}) {
   try {
+    const s = spin('Fetching applications...');
     const { result } = await api.get('/access/apps');
     const apps = result?.filter((app) => app.type === 'self_hosted') || [];
+    s.stop();
 
     if (!apps.length) {
       console.log(pc.dim('\n  No Access applications to remove.\n'));
@@ -44,9 +47,9 @@ export async function remove(api, opts = {}) {
       return;
     }
 
-    console.log(`  Removing ${pc.bold(target.domain || target.name)}...`);
-    await api.delete(`/access/apps/${target.id}`);
-    console.log(pc.green('  Removed.\n'));
+    const label = target.domain || target.name;
+    await withSpinner(`Removing ${label}`, () => api.delete(`/access/apps/${target.id}`));
+    console.log('');
   } catch (err) {
     handleApiError(err);
   }

package/src/commands/status.js

@@ -1,28 +1,30 @@
 import pc from 'picocolors';
 import { handleApiError } from '../api.js';
+import { withSpinner, heading } from '../ui.js';
 
 /**
  * Status dashboard — quick snapshot of Access configuration and recent activity.
  */
 export async function status(api) {
   try {
-    const [{ result: org }, { result: apps }, { result: idps }] = await Promise.all([
-      api.get('/access/organizations'),
-      api.get('/access/apps'),
-      api.get('/access/identity_providers'),
-    ]);
+    const [{ result: org }, { result: apps }, { result: idps }] = await withSpinner(
+      'Loading Access configuration',
+      () => Promise.all([
+        api.get('/access/organizations'),
+        api.get('/access/apps'),
+        api.get('/access/identity_providers'),
+      ]),
+    );
 
     // --- Team info ---
     const teamName = org?.auth_domain?.replace('.cloudflareaccess.com', '') || 'unknown';
-    console.log(`\n  ${pc.bold('Team')}`);
-    console.log(pc.dim(`  ${'─'.repeat(40)}`));
+    heading('Team');
     console.log(`  Auth domain: ${org?.auth_domain || 'n/a'}`);
     console.log(`  Team name:   ${teamName}`);
 
     // --- Protected apps ---
     const selfHosted = apps?.filter((a) => a.type === 'self_hosted') || [];
-    console.log(`\n  ${pc.bold('Protected Apps')} (${selfHosted.length})`);
-    console.log(pc.dim(`  ${'─'.repeat(40)}`));
+    heading(`Protected Apps (${selfHosted.length})`);
     if (selfHosted.length) {
       for (const app of selfHosted) {
         console.log(`  ${app.domain || app.name}`);
@@ -32,8 +34,7 @@ export async function status(api) {
     }
 
     // --- Identity providers ---
-    console.log(`\n  ${pc.bold('Identity Providers')} (${idps?.length || 0})`);
-    console.log(pc.dim(`  ${'─'.repeat(40)}`));
+    heading(`Identity Providers (${idps?.length || 0})`);
     if (idps?.length) {
       const maxName = Math.max(...idps.map((p) => (p.name || '').length), 4);
       console.log(`  ${pc.dim('Name'.padEnd(maxName + 2))}${pc.dim('Type')}`);
@@ -45,8 +46,7 @@ export async function status(api) {
     }
 
     // --- Recent activity (graceful fallback) ---
-    console.log(`\n  ${pc.bold('Recent Activity')}`);
-    console.log(pc.dim(`  ${'─'.repeat(40)}`));
+    heading('Recent Activity');
     try {
       const { result: logs } = await api.get('/access/logs/access_requests?limit=50&direction=desc');
       if (logs?.length) {

package/src/idp/email-otp.js

@@ -1,25 +1,27 @@
-import pc from 'picocolors';
+import { spin } from '../ui.js';
 
 /**
  * Ensure the One-Time PIN (email code) identity provider exists.
  * Returns the IdP object.
  */
 export async function ensureEmailOtp(api) {
+  const s = spin('Checking for Email Login');
+
   const { result } = await api.get('/access/identity_providers');
   const existing = result?.find((idp) => idp.type === 'onetimepin');
 
   if (existing) {
-    console.log(pc.green('  Email Login already configured.'));
+    s.succeed('Email Login already configured');
     return existing;
   }
 
-  console.log('  Setting up Email Login...');
+  s.text = 'Creating Email Login';
   const { result: created } = await api.post('/access/identity_providers', {
     type: 'onetimepin',
     name: 'Email Login',
     config: {},
   });
 
-  console.log(pc.green('  Email Login enabled.'));
+  s.succeed('Email Login enabled');
   return created;
 }

package/src/idp/github.js

@@ -1,20 +1,25 @@
 import pc from 'picocolors';
 import { input, confirm } from '@inquirer/prompts';
 import open from 'open';
+import { spin } from '../ui.js';
 
 /**
  * Ensure a GitHub OAuth identity provider exists.
  * Guides the user through creating a GitHub OAuth app if needed.
  */
 export async function ensureGitHub(api, teamName) {
+  const s = spin('Checking for GitHub login');
+
   const { result } = await api.get('/access/identity_providers');
   const existing = result?.find((idp) => idp.type === 'github');
 
   if (existing) {
-    console.log(pc.green('  GitHub login already configured.'));
+    s.succeed('GitHub login already configured');
     return existing;
   }
 
+  s.stop();
+
   const callbackUrl = `https://${teamName}.cloudflareaccess.com/cdn-cgi/access/callback`;
   const homepageUrl = `https://${teamName}.cloudflareaccess.com`;
 
@@ -49,7 +54,7 @@ export async function ensureGitHub(api, teamName) {
     validate: (v) => v.trim().length > 0 || 'Required',
   });
 
-  console.log('  Creating GitHub identity provider...');
+  const s2 = spin('Creating GitHub identity provider...');
   const { result: created } = await api.post('/access/identity_providers', {
     type: 'github',
     name: 'GitHub',
@@ -59,6 +64,6 @@ export async function ensureGitHub(api, teamName) {
     },
   });
 
-  console.log(pc.green('  GitHub login enabled.'));
+  s2.succeed('GitHub login enabled');
   return created;
 }

package/src/idp/google.js

@@ -1,20 +1,25 @@
 import pc from 'picocolors';
 import { input, confirm } from '@inquirer/prompts';
 import open from 'open';
+import { spin } from '../ui.js';
 
 /**
  * Ensure a Google OAuth identity provider exists.
  * Guides the user through creating a Google OAuth client if needed.
  */
 export async function ensureGoogle(api, teamName) {
+  const s = spin('Checking for Google login');
+
   const { result } = await api.get('/access/identity_providers');
   const existing = result?.find((idp) => idp.type === 'google');
 
   if (existing) {
-    console.log(pc.green('  Google login already configured.'));
+    s.succeed('Google login already configured');
     return existing;
   }
 
+  s.stop();
+
   const callbackUrl = `https://${teamName}.cloudflareaccess.com/cdn-cgi/access/callback`;
 
   console.log('');
@@ -47,7 +52,7 @@ export async function ensureGoogle(api, teamName) {
     validate: (v) => v.trim().length > 0 || 'Required',
   });
 
-  console.log('  Creating Google identity provider...');
+  const s2 = spin('Creating Google identity provider...');
   const { result: created } = await api.post('/access/identity_providers', {
     type: 'google',
     name: 'Google',
@@ -57,6 +62,6 @@ export async function ensureGoogle(api, teamName) {
     },
   });
 
-  console.log(pc.green('  Google login enabled.'));
+  s2.succeed('Google login enabled');
   return created;
 }

package/src/ui.js

@@ -0,0 +1,32 @@
+import ora from 'ora';
+import pc from 'picocolors';
+
+/**
+ * Start an ora spinner with consistent styling.
+ */
+export function spin(text) {
+  return ora({ text, indent: 2, color: 'cyan' }).start();
+}
+
+/**
+ * Wrap an async operation with an auto-succeed/fail spinner.
+ */
+export async function withSpinner(text, fn, successText) {
+  const s = spin(text);
+  try {
+    const result = await fn(s);
+    s.succeed(successText || text);
+    return result;
+  } catch (err) {
+    s.fail(text);
+    throw err;
+  }
+}
+
+/**
+ * Print a bold section heading with a separator line.
+ */
+export function heading(text) {
+  console.log(`\n  ${pc.bold(text)}`);
+  console.log(pc.dim(`  ${'─'.repeat(40)}`));
+}