fbi-proxy 1.9.0 → 1.10.0

package/dist/cli.js

@@ -132,7 +132,7 @@ async function hotMemo(fn, args = [], key = `_HOTMEMO_${g["_HOTMEMO_SALT_"]}_${S
 hotMemo.cache = cache;
 
 // ts/cli.ts
-import path2 from "path";
+import path3 from "path";
 
 // node_modules/yargs/lib/platform-shims/esm.mjs
 import { notStrictEqual, strictEqual } from "assert";
@@ -1414,8 +1414,7 @@ var parser = new YargsParser({
   require: (path) => {
     if (true) {
       return __require(path);
-    } else
-      ;
+    }
   }
 });
 var yargsParser = function Parser(args, opts) {
@@ -5035,10 +5034,7 @@ function tsaComposer(slotParser, compose = (...zipped) => zipped.join("")) {
 }
 
 // ts/dSpawn.ts
-var dSpawn = ({
-  cwd = process.cwd(),
-  env: env2 = process.env
-} = {}) => tsaComposer((slot) => typeof slot === "string" ? {
+var dSpawn = ({ cwd = process.cwd(), env: env2 = process.env } = {}) => tsaComposer((slot) => typeof slot === "string" ? {
   raw: String(slot)
 } : slot, (...slots) => {
   try {
@@ -5065,11 +5061,7 @@ var dSpawn = ({
     const codePromise = new Promise((resolve5) => {
       p.on("exit", (code) => resolve5(code || 0));
     });
-    const mainPromise = Promise.all([
-      outPromise,
-      errPromise,
-      codePromise
-    ]).then(([out, err, code]) => ({ out, err, code }));
+    const mainPromise = Promise.all([outPromise, errPromise, codePromise]).then(([out, err, code]) => ({ out, err, code }));
     const result = new Proxy(mainPromise, {
       get(target, prop) {
         if (prop === "out")
@@ -5118,10 +5110,7 @@ var $ = Object.assign(dSpawn(), {
 
 // ts/buildFbiProxy.ts
 if (false) {}
-async function getFbiProxyBinary({
-  rebuild = false,
-  originalCwd = ""
-} = {}) {
+async function getFbiProxyBinary({ rebuild = false, originalCwd = "" } = {}) {
   const isWin = process.platform === "win32";
   const binaryName = getFbiProxyFilename();
   const binarySuffix = isWin ? ".exe" : "";
@@ -5157,10 +5146,7 @@ async function getFbiProxyBinary({
 
 // ts/dSpawn.ts
 import { spawn as spawn2 } from "child_process";
-var dSpawn2 = ({
-  cwd = process.cwd(),
-  env: env2 = process.env
-} = {}) => tsaComposer((slot) => typeof slot === "string" ? {
+var dSpawn2 = ({ cwd = process.cwd(), env: env2 = process.env } = {}) => tsaComposer((slot) => typeof slot === "string" ? {
   raw: String(slot)
 } : slot, (...slots) => {
   try {
@@ -5187,11 +5173,7 @@ var dSpawn2 = ({
     const codePromise = new Promise((resolve5) => {
       p.on("exit", (code) => resolve5(code || 0));
     });
-    const mainPromise = Promise.all([
-      outPromise,
-      errPromise,
-      codePromise
-    ]).then(([out, err, code]) => ({ out, err, code }));
+    const mainPromise = Promise.all([outPromise, errPromise, codePromise]).then(([out, err, code]) => ({ out, err, code }));
     const result = new Proxy(mainPromise, {
       get(target, prop) {
         if (prop === "out")
@@ -5238,14 +5220,686 @@ var $2 = Object.assign(dSpawn2(), {
   cwd: (path2) => dSpawn2({ cwd: path2 })
 });
 
+// ts/auth/authConfig.ts
+import { homedir } from "node:os";
+import { join, dirname as dirname3 } from "node:path";
+import { existsSync as existsSync2 } from "node:fs";
+import { mkdir, writeFile as writeFile2, chmod as chmod2, readFile } from "node:fs/promises";
+import { randomBytes } from "node:crypto";
+function defaultConfigPath() {
+  return process.env.FBI_AUTH_CONFIG_PATH ?? join(process.env.XDG_CONFIG_HOME ?? join(homedir(), ".config"), "fbi-proxy", "auth.json");
+}
+async function readConfigOrNull(path2 = defaultConfigPath()) {
+  if (!existsSync2(path2))
+    return null;
+  try {
+    return JSON.parse(await readFile(path2, "utf8"));
+  } catch {
+    return null;
+  }
+}
+async function writeConfig(cfg, path2 = defaultConfigPath()) {
+  await mkdir(dirname3(path2), { recursive: true });
+  await writeFile2(path2, JSON.stringify(cfg, null, 2), "utf8");
+  await chmod2(path2, 384);
+}
+function configFromEnv(domain) {
+  const provider = process.env.FBI_AUTH_PROVIDER ?? "google";
+  const clientId = process.env.FBI_AUTH_CLIENT_ID;
+  const firebaseProjectId = process.env.FBI_AUTH_FIREBASE_PROJECT_ID;
+  if (provider === "firebase") {
+    if (!firebaseProjectId)
+      return null;
+  } else {
+    if (!clientId)
+      return null;
+  }
+  const d = domain.startsWith(".") ? domain.slice(1) : domain;
+  return {
+    version: 1,
+    domain: d,
+    cookieDomain: `.${d}`,
+    ssoHost: `sso.${d}`,
+    provider,
+    clientId,
+    clientSecret: process.env.FBI_AUTH_CLIENT_SECRET,
+    firebase: firebaseProjectId ? {
+      projectId: firebaseProjectId,
+      apiKey: process.env.FBI_AUTH_FIREBASE_API_KEY,
+      authDomain: process.env.FBI_AUTH_FIREBASE_AUTH_DOMAIN
+    } : undefined,
+    sessionSecret: process.env.FBI_AUTH_SESSION_SECRET ?? randomBytes(32).toString("base64url"),
+    allowlist: parseAllowlistEnv()
+  };
+}
+function parseAllowlistEnv() {
+  const emails = process.env.FBI_AUTH_ALLOW_EMAILS?.split(",").map((s) => s.trim()).filter(Boolean);
+  const domains = process.env.FBI_AUTH_ALLOW_DOMAINS?.split(",").map((s) => s.trim()).filter(Boolean);
+  const anySignedIn = process.env.FBI_AUTH_ALLOW_ANY === "true";
+  if (!emails?.length && !domains?.length && !anySignedIn) {
+    return { anySignedIn: true };
+  }
+  return { emails, domains, anySignedIn };
+}
+function helpfulSetupMessage(domain, path2) {
+  return [
+    "",
+    "fbi-auth requires a config file but none was found.",
+    `Expected at: ${path2}`,
+    "",
+    "Quick setup (Phase 1 — manual; setup wizard arrives in Phase 2):",
+    "",
+    "  1. Create a Google OAuth Web client at https://console.cloud.google.com/apis/credentials",
+    `     - Authorized redirect URI: https://sso.${domain}/callback`,
+    `     - Authorized JS origin:    https://sso.${domain}`,
+    "",
+    "  2. Either write the config file directly:",
+    `     mkdir -p $(dirname ${path2}) && cat > ${path2} <<EOF`,
+    "     {",
+    '       "version": 1,',
+    `       "domain": "${domain}",`,
+    `       "cookieDomain": ".${domain}",`,
+    `       "ssoHost": "sso.${domain}",`,
+    '       "provider": "google",',
+    '       "clientId": "<your-client-id>",',
+    '       "clientSecret": "<your-client-secret>",',
+    '       "sessionSecret": "<32+ random chars, base64url preferred>",',
+    '       "allowlist": { "anySignedIn": true }',
+    "     }",
+    "     EOF",
+    "",
+    "  3. Or use env vars (auto-creates the config on first run):",
+    `     FBI_AUTH_CLIENT_ID=...  FBI_AUTH_CLIENT_SECRET=...  bunx fbi-proxy --with-auth --domain ${domain}`,
+    ""
+  ].join(`
+`);
+}
+
+// ts/auth/spawnFbiAuth.ts
+import path2 from "node:path";
+
+// node_modules/get-port/index.js
+import net2 from "node:net";
+import os2 from "node:os";
+
+class Locked2 extends Error {
+  constructor(port) {
+    super(`${port} is locked`);
+  }
+}
+var lockedPorts2 = {
+  old: new Set,
+  young: new Set
+};
+var releaseOldLockedPortsIntervalMs2 = 1000 * 15;
+var timeout2;
+var getLocalHosts2 = () => {
+  const interfaces = os2.networkInterfaces();
+  const results = new Set([undefined, "0.0.0.0"]);
+  for (const _interface of Object.values(interfaces)) {
+    for (const config of _interface) {
+      results.add(config.address);
+    }
+  }
+  return results;
+};
+var checkAvailablePort2 = (options) => new Promise((resolve5, reject) => {
+  const server = net2.createServer();
+  server.unref();
+  server.on("error", reject);
+  server.listen(options, () => {
+    const { port } = server.address();
+    server.close(() => {
+      resolve5(port);
+    });
+  });
+});
+var getAvailablePort2 = async (options, hosts) => {
+  if (options.host || options.port === 0) {
+    return checkAvailablePort2(options);
+  }
+  for (const host of hosts) {
+    try {
+      await checkAvailablePort2({ port: options.port, host });
+    } catch (error) {
+      if (!["EADDRNOTAVAIL", "EINVAL"].includes(error.code)) {
+        throw error;
+      }
+    }
+  }
+  return options.port;
+};
+var portCheckSequence2 = function* (ports) {
+  if (ports) {
+    yield* ports;
+  }
+  yield 0;
+};
+async function getPorts2(options) {
+  let ports;
+  let exclude = new Set;
+  if (options) {
+    if (options.port) {
+      ports = typeof options.port === "number" ? [options.port] : options.port;
+    }
+    if (options.exclude) {
+      const excludeIterable = options.exclude;
+      if (typeof excludeIterable[Symbol.iterator] !== "function") {
+        throw new TypeError("The `exclude` option must be an iterable.");
+      }
+      for (const element of excludeIterable) {
+        if (typeof element !== "number") {
+          throw new TypeError("Each item in the `exclude` option must be a number corresponding to the port you want excluded.");
+        }
+        if (!Number.isSafeInteger(element)) {
+          throw new TypeError(`Number ${element} in the exclude option is not a safe integer and can't be used`);
+        }
+      }
+      exclude = new Set(excludeIterable);
+    }
+  }
+  if (timeout2 === undefined) {
+    timeout2 = setTimeout(() => {
+      timeout2 = undefined;
+      lockedPorts2.old = lockedPorts2.young;
+      lockedPorts2.young = new Set;
+    }, releaseOldLockedPortsIntervalMs2);
+    if (timeout2.unref) {
+      timeout2.unref();
+    }
+  }
+  const hosts = getLocalHosts2();
+  for (const port of portCheckSequence2(ports)) {
+    try {
+      if (exclude.has(port)) {
+        continue;
+      }
+      let availablePort = await getAvailablePort2({ ...options, port }, hosts);
+      while (lockedPorts2.old.has(availablePort) || lockedPorts2.young.has(availablePort)) {
+        if (port !== 0) {
+          throw new Locked2(port);
+        }
+        availablePort = await getAvailablePort2({ ...options, port }, hosts);
+      }
+      lockedPorts2.young.add(availablePort);
+      return availablePort;
+    } catch (error) {
+      if (!["EADDRINUSE", "EACCES"].includes(error.code) && !(error instanceof Locked2)) {
+        throw error;
+      }
+    }
+  }
+  throw new Error("No available ports found");
+}
+
+// ts/auth/spawnFbiAuth.ts
+async function spawnFbiAuth(opts) {
+  const port = await getPorts2({ port: opts.preferredPort ?? 2433 });
+  const entry = path2.resolve(import.meta.dir, "..", "..", "lib", "fbi-auth", "src", "server.ts");
+  const proc = $.opt({
+    env: {
+      ...process.env,
+      FBI_AUTH_PORT: String(port),
+      FBI_AUTH_CONFIG_PATH: opts.configPath
+    }
+  })`bun ${entry}`.process;
+  proc.on("exit", (code) => {
+    console.log(`[fbi-auth] exited with code ${code}`);
+  });
+  return {
+    port,
+    pid: proc.pid,
+    kill: () => proc.kill?.()
+  };
+}
+
+// ts/auth/setupWizard.ts
+import * as readline from "node:readline/promises";
+import { stdin, stdout } from "node:process";
+import { randomBytes as randomBytes2 } from "node:crypto";
+async function runWizard(prompter, opts) {
+  prompter.print("");
+  prompter.print("fbi-auth setup wizard");
+  prompter.print("─────────────────────");
+  prompter.print("");
+  const domain = await prompter.ask("Domain to gate", opts.domain);
+  const cleanDomain = domain.replace(/^\.+/, "").trim();
+  const providerIdx = await prompter.askChoice("Identity provider", [
+    "Google OAuth (BYO client ID + secret)",
+    "Firebase Auth (BYO project ID)",
+    "Snolab default (zero-config; supported domains only)"
+  ]);
+  const provider = providerIdx === 0 ? "google" : providerIdx === 1 ? "firebase" : "snolab";
+  let clientId;
+  let clientSecret;
+  let firebase;
+  if (provider === "google") {
+    clientId = await prompter.ask("Google OAuth Client ID", opts.existing?.provider === "google" ? opts.existing.clientId : undefined);
+    clientSecret = await prompter.ask("Google OAuth Client Secret", opts.existing?.provider === "google" ? opts.existing.clientSecret : undefined);
+    prompter.print("");
+    prompter.print(`  → Add this redirect URI in Google Cloud Console: https://sso.${cleanDomain}/callback`);
+    prompter.print("");
+  } else if (provider === "firebase") {
+    const projectId = await prompter.ask("Firebase Project ID", opts.existing?.firebase?.projectId);
+    const apiKey = await prompter.ask("Firebase Web API Key (optional)", opts.existing?.firebase?.apiKey ?? "");
+    const authDomain = await prompter.ask("Firebase Auth Domain", opts.existing?.firebase?.authDomain ?? `${projectId}.firebaseapp.com`);
+    firebase = {
+      projectId: projectId.trim(),
+      apiKey: apiKey.trim() || undefined,
+      authDomain: authDomain.trim() || undefined
+    };
+  } else {
+    prompter.print("");
+    prompter.print(`  → Snolab default IdP — no credentials needed. Domain '${cleanDomain}'`);
+    prompter.print(`    will be checked against SNOLAB_SUPPORTED_DOMAINS at startup.`);
+    prompter.print("");
+  }
+  const allowIdx = await prompter.askChoice("Allowlist policy", [
+    "Anyone who completes sign-in",
+    "Specific email addresses",
+    "Specific email domain(s)"
+  ]);
+  let allowlist = { anySignedIn: true };
+  if (allowIdx === 1) {
+    const raw = await prompter.ask("Allowed emails (comma-separated)");
+    allowlist = {
+      emails: raw.split(",").map((s) => s.trim()).filter(Boolean),
+      anySignedIn: false
+    };
+  } else if (allowIdx === 2) {
+    const raw = await prompter.ask("Allowed email domains (comma-separated)");
+    allowlist = {
+      domains: raw.split(",").map((s) => s.trim()).filter(Boolean),
+      anySignedIn: false
+    };
+  }
+  const cfg = {
+    version: 1,
+    domain: cleanDomain,
+    cookieDomain: `.${cleanDomain}`,
+    ssoHost: `sso.${cleanDomain}`,
+    provider,
+    clientId,
+    clientSecret,
+    firebase,
+    sessionSecret: opts.existing?.sessionSecret ?? randomBytes2(32).toString("base64url"),
+    allowlist
+  };
+  prompter.print("");
+  prompter.print("Config preview:");
+  prompter.print(JSON.stringify(redact(cfg), null, 2));
+  prompter.print("");
+  return cfg;
+}
+function redact(c) {
+  return {
+    ...c,
+    clientSecret: c.clientSecret ? "***" : undefined,
+    sessionSecret: "***"
+  };
+}
+function readlinePrompter() {
+  const rl = readline.createInterface({ input: stdin, output: stdout });
+  return {
+    async ask(question, defaultValue) {
+      const hint = defaultValue !== undefined && defaultValue !== "" ? ` [${defaultValue}]` : "";
+      const answer = (await rl.question(`? ${question}${hint}: `)).trim();
+      return answer || defaultValue || "";
+    },
+    async askChoice(question, choices) {
+      this.print(`? ${question}:`);
+      choices.forEach((c, i) => this.print(`    ${i + 1}) ${c}`));
+      while (true) {
+        const raw = (await rl.question("> ")).trim();
+        const idx = Number(raw) - 1;
+        if (Number.isInteger(idx) && idx >= 0 && idx < choices.length)
+          return idx;
+        this.print(`  (enter 1-${choices.length})`);
+      }
+    },
+    print(line) {
+      stdout.write(line + `
+`);
+    }
+  };
+}
+function isTty() {
+  return Boolean(stdin.isTTY && stdout.isTTY);
+}
+
+// ts/auth/caddyfileGen.ts
+import { homedir as homedir2 } from "node:os";
+import { dirname as dirname4, join as join2 } from "node:path";
+import { mkdir as mkdir2, writeFile as writeFile3, chmod as chmod3 } from "node:fs/promises";
+function generateCaddyfile(opts) {
+  const domain = stripLeadingDot(opts.domain);
+  const tlsMode = opts.tlsMode ?? "auto";
+  const withAuth = opts.withAuth ?? false;
+  const tlsStanza = tlsMode === "internal" ? `  tls internal
+` : "";
+  const sections = [];
+  if (opts.acmeEmail && opts.acmeEmail.trim() !== "") {
+    sections.push(`{
+  email ${opts.acmeEmail.trim()}
+}`);
+  }
+  if (withAuth) {
+    const ssoHost = opts.ssoHost ?? `sso.${domain}`;
+    const fbiAuthPort = opts.fbiAuthPort;
+    if (fbiAuthPort === undefined) {
+      throw new Error("generateCaddyfile: fbiAuthPort is required when withAuth is true");
+    }
+    sections.push(`${ssoHost} {
+` + `  reverse_proxy 127.0.0.1:${fbiAuthPort}
+` + tlsStanza + `}`);
+    sections.push(`*.${domain} {
+` + `  @notauth not path /api/auth/* /login /callback /logout
+` + `  forward_auth @notauth 127.0.0.1:${fbiAuthPort} {
+` + `    uri /api/auth/verify
+` + `    copy_headers Remote-User Remote-Email Remote-Name
+` + `    header_up X-Forwarded-Host {host}
+` + `    header_up X-Forwarded-Uri {uri}
+` + `  }
+` + `  reverse_proxy 127.0.0.1:${opts.fbiProxyPort}
+` + tlsStanza + `}`);
+  } else {
+    sections.push(`*.${domain} {
+` + `  reverse_proxy 127.0.0.1:${opts.fbiProxyPort}
+` + tlsStanza + `}`);
+  }
+  return sections.join(`
+
+`) + `
+`;
+}
+function defaultCaddyfilePath() {
+  return process.env.FBI_PROXY_CADDYFILE_PATH ?? join2(process.env.XDG_CONFIG_HOME ?? join2(homedir2(), ".config"), "fbi-proxy", "Caddyfile");
+}
+async function writeCaddyfile(opts, path3 = defaultCaddyfilePath()) {
+  const content = generateCaddyfile(opts);
+  await mkdir2(dirname4(path3), { recursive: true });
+  await writeFile3(path3, content, "utf8");
+  await chmod3(path3, 420);
+  return { content, path: path3 };
+}
+function stripLeadingDot(d) {
+  return d.startsWith(".") ? d.slice(1) : d;
+}
+
+// ts/auth/spawnCaddy.ts
+import { existsSync as existsSync4 } from "node:fs";
+import { access } from "node:fs/promises";
+import { constants as fsConstants } from "node:fs";
+import { homedir as homedir4 } from "node:os";
+import { join as join4 } from "node:path";
+
+// ts/auth/downloadCaddy.ts
+import {
+  mkdir as mkdir3,
+  writeFile as writeFile4,
+  rm,
+  chmod as chmod4,
+  rename,
+  copyFile
+} from "node:fs/promises";
+import { existsSync as existsSync3 } from "node:fs";
+import { createHash } from "node:crypto";
+import { join as join3 } from "node:path";
+import { homedir as homedir3, tmpdir } from "node:os";
+function detectPlatform(platform = process.platform, arch = process.arch) {
+  const osMap = {
+    linux: "linux",
+    darwin: "darwin",
+    win32: "windows"
+  };
+  const archMap = {
+    x64: "amd64",
+    arm64: "arm64"
+  };
+  const os3 = osMap[platform];
+  if (!os3)
+    throw new Error(`Unsupported OS: ${platform}`);
+  const mappedArch = archMap[arch];
+  if (!mappedArch)
+    throw new Error(`Unsupported arch: ${arch}`);
+  return { os: os3, arch: mappedArch, ext: os3 === "windows" ? "zip" : "tar.gz" };
+}
+function buildAssetName(version, p) {
+  const v = version.replace(/^v/, "");
+  return `caddy_${v}_${p.os}_${p.arch}.${p.ext}`;
+}
+function buildAssetUrl(version, name) {
+  const tag = version.startsWith("v") ? version : `v${version}`;
+  return `https://github.com/caddyserver/caddy/releases/download/${tag}/${name}`;
+}
+function buildChecksumsUrl(version) {
+  const v = version.replace(/^v/, "");
+  const tag = version.startsWith("v") ? version : `v${version}`;
+  return `https://github.com/caddyserver/caddy/releases/download/${tag}/caddy_${v}_checksums.txt`;
+}
+async function fetchLatestVersion(signal) {
+  const res = await fetch("https://api.github.com/repos/caddyserver/caddy/releases/latest", { signal, headers: { "User-Agent": "fbi-proxy" } });
+  if (!res.ok) {
+    throw new Error(`GitHub API ${res.status} ${res.statusText} for latest release`);
+  }
+  const data = await res.json();
+  if (!data.tag_name)
+    throw new Error("GitHub API: response is missing tag_name");
+  return data.tag_name;
+}
+function parseChecksums(text) {
+  const out = new Map;
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#"))
+      continue;
+    const m = trimmed.match(/^([a-fA-F0-9]+)\s+\*?(.+)$/);
+    if (m)
+      out.set(m[2].trim(), m[1].toLowerCase());
+  }
+  return out;
+}
+async function sha512OfPath(path3) {
+  const hash = createHash("sha512");
+  const f = Bun.file(path3);
+  const stream = f.stream();
+  for await (const chunk of stream)
+    hash.update(chunk);
+  return hash.digest("hex");
+}
+async function downloadCaddy(opts = {}) {
+  const log = opts.log ?? ((m) => console.log(`[caddy-download] ${m}`));
+  const platform = opts.platform ?? detectPlatform();
+  const destDir = opts.destDir ?? join3(homedir3(), ".fbi-proxy", "bin");
+  const binaryName = platform.os === "windows" ? "caddy.exe" : "caddy";
+  const destPath = join3(destDir, binaryName);
+  if (existsSync3(destPath)) {
+    log(`already installed: ${destPath}`);
+    return destPath;
+  }
+  const version = opts.version ?? await fetchLatestVersion(opts.signal);
+  log(`platform: ${platform.os}/${platform.arch}, version: ${version}`);
+  const assetName = buildAssetName(version, platform);
+  const assetUrl = buildAssetUrl(version, assetName);
+  const checksumsUrl = buildChecksumsUrl(version);
+  log(`fetching checksums: ${checksumsUrl}`);
+  const cksRes = await fetch(checksumsUrl, {
+    signal: opts.signal,
+    headers: { "User-Agent": "fbi-proxy" }
+  });
+  if (!cksRes.ok)
+    throw new Error(`checksums fetch failed: ${cksRes.status} ${cksRes.statusText}`);
+  const checksums = parseChecksums(await cksRes.text());
+  const expectedSum = checksums.get(assetName);
+  if (!expectedSum) {
+    throw new Error(`no checksum entry for '${assetName}' — release may not include this platform`);
+  }
+  await mkdir3(destDir, { recursive: true });
+  const tmpArchive = join3(tmpdir(), `fbi-proxy.${process.pid}.${assetName}`);
+  log(`downloading: ${assetUrl}`);
+  const dlRes = await fetch(assetUrl, {
+    signal: opts.signal,
+    headers: { "User-Agent": "fbi-proxy" }
+  });
+  if (!dlRes.ok)
+    throw new Error(`download failed: ${dlRes.status} ${dlRes.statusText}`);
+  const bytes = await dlRes.arrayBuffer();
+  await writeFile4(tmpArchive, Buffer.from(bytes));
+  log(`downloaded ${bytes.byteLength} bytes`);
+  const actualSum = await sha512OfPath(tmpArchive);
+  if (actualSum !== expectedSum) {
+    await rm(tmpArchive, { force: true });
+    throw new Error(`SHA-512 mismatch for ${assetName}
+  expected: ${expectedSum}
+  got:      ${actualSum}`);
+  }
+  log("checksum OK");
+  const tmpExtract = join3(tmpdir(), `fbi-proxy-extract.${process.pid}`);
+  await rm(tmpExtract, { recursive: true, force: true });
+  await mkdir3(tmpExtract, { recursive: true });
+  const tarCmd = platform.ext === "tar.gz" ? ["tar", "-xzf", tmpArchive, "-C", tmpExtract] : ["tar", "-xf", tmpArchive, "-C", tmpExtract];
+  log(`extracting: ${tarCmd.join(" ")}`);
+  const proc = Bun.spawn(tarCmd, { stdout: "inherit", stderr: "inherit" });
+  const code = await proc.exited;
+  if (code !== 0) {
+    await rm(tmpArchive, { force: true });
+    await rm(tmpExtract, { recursive: true, force: true });
+    throw new Error(`tar extraction exited with code ${code}`);
+  }
+  const extractedBinary = join3(tmpExtract, binaryName);
+  if (!existsSync3(extractedBinary)) {
+    await rm(tmpArchive, { force: true });
+    await rm(tmpExtract, { recursive: true, force: true });
+    throw new Error(`archive did not contain expected '${binaryName}' at top level`);
+  }
+  try {
+    await rename(extractedBinary, destPath);
+  } catch (err) {
+    if (err.code === "EXDEV") {
+      await copyFile(extractedBinary, destPath);
+    } else {
+      throw err;
+    }
+  }
+  if (platform.os !== "windows")
+    await chmod4(destPath, 493);
+  await rm(tmpArchive, { force: true });
+  await rm(tmpExtract, { recursive: true, force: true });
+  log(`installed: ${destPath}`);
+  return destPath;
+}
+
+// ts/auth/spawnCaddy.ts
+async function resolveCaddyBinary() {
+  const fromEnv = process.env.CADDY_BIN;
+  if (fromEnv && await isExecutable(fromEnv))
+    return fromEnv;
+  const fromPath = await whichCaddy();
+  if (fromPath)
+    return fromPath;
+  const downloaded = join4(homedir4(), ".fbi-proxy", "bin", "caddy");
+  if (existsSync4(downloaded) && await isExecutable(downloaded)) {
+    return downloaded;
+  }
+  if (process.env.FBI_CADDY_AUTO_DOWNLOAD === "false") {
+    return null;
+  }
+  try {
+    console.log("[caddy] no binary found — downloading the latest release from GitHub (~30 MB).");
+    console.log("[caddy] (set FBI_CADDY_AUTO_DOWNLOAD=false to opt out)");
+    const path3 = await downloadCaddy({
+      log: (m) => console.log(`[caddy-download] ${m}`)
+    });
+    return path3;
+  } catch (err) {
+    console.error(`[caddy] auto-download failed: ${err.message}`);
+    return null;
+  }
+}
+function caddyNotFoundMessage() {
+  return [
+    "",
+    "[fbi-proxy] --with-caddy was passed but Caddy could not be found or downloaded.",
+    "",
+    "Auto-download from GitHub Releases is the default — if you saw a",
+    "download error above, check your network or set FBI_CADDY_AUTO_DOWNLOAD=false",
+    "and install Caddy manually:",
+    "",
+    "  - macOS:    brew install caddy",
+    "  - Debian:   sudo apt install caddy   (or see https://caddyserver.com/docs/install)",
+    "  - Windows:  scoop install caddy      (or: winget install CaddyServer.Caddy)",
+    "  - Manual:   https://caddyserver.com/download",
+    "",
+    "Or point fbi-proxy at an existing binary:",
+    "  CADDY_BIN=/path/to/caddy bunx fbi-proxy --with-caddy --domain <your-domain>",
+    ""
+  ].join(`
+`);
+}
+async function spawnCaddy(opts) {
+  const binary = opts.binary ?? await resolveCaddyBinary();
+  if (!binary)
+    return null;
+  console.log(`[caddy] using binary: ${binary}`);
+  console.log(`[caddy] config: ${opts.caddyfilePath}`);
+  const proc = $`${binary} run --config ${opts.caddyfilePath} --adapter caddyfile`.process;
+  proc.on("exit", (code) => {
+    console.log(`[caddy] exited with code ${code}`);
+  });
+  return {
+    pid: proc.pid,
+    caddyfilePath: opts.caddyfilePath,
+    binary,
+    kill: () => proc.kill?.()
+  };
+}
+async function isExecutable(path3) {
+  try {
+    await access(path3, fsConstants.X_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function whichCaddy() {
+  const result = await $`which caddy`.catch(() => null);
+  if (!result || result.code !== 0)
+    return null;
+  const out = result.out.trim();
+  return out.length > 0 ? out.split(`
+`)[0].trim() : null;
+}
+
 // ts/cli.ts
 var originalCwd = process.cwd();
-process.chdir(path2.resolve(import.meta.dir, ".."));
-await yargs_default(hideBin(process.argv)).option("dev", {
-  alias: "d",
+process.chdir(path3.resolve(import.meta.dir, ".."));
+var argv = await yargs_default(hideBin(process.argv)).option("dev", {
   type: "boolean",
   default: false,
   description: "Run in development mode"
+}).option("with-auth", {
+  type: "boolean",
+  default: false,
+  description: "Start the fbi-auth gateway alongside the proxy (Phase 1: Google OAuth)"
+}).option("with-caddy", {
+  type: "boolean",
+  default: false,
+  description: "Auto-generate a Caddyfile and spawn Caddy alongside the proxy"
+}).option("domain", {
+  type: "string",
+  default: "fbi.com",
+  description: "Domain to gate (default: fbi.com)"
+}).option("reconfigure", {
+  type: "boolean",
+  default: false,
+  description: "Run the interactive fbi-auth setup wizard to (re)write auth.json (requires a TTY)"
+}).option("acme-email", {
+  type: "string",
+  description: "Optional ACME account email for the generated Caddyfile (Let's Encrypt notifications)"
+}).option("tls-mode", {
+  type: "string",
+  choices: ["auto", "internal"],
+  description: "TLS strategy for --with-caddy. 'auto' uses ACME (Let's Encrypt); 'internal' uses Caddy's local CA. Defaults to 'internal' for fbi.com, 'auto' otherwise."
 }).help().argv;
 console.log("Preparing Binaries");
 var FBI_PROXY_PORT = process.env.FBI_PROXY_PORT || String(await getPorts({ port: 2432 }));
@@ -5264,11 +5918,31 @@ var proxyProcess = await hotMemo(async () => {
   });
   return p;
 });
-console.log("All services started successfully!");
 console.log(`Proxy server PID: ${proxyProcess.pid}`);
 console.log(`Proxy server running on port: ${FBI_PROXY_PORT}`);
+var authHandle;
+if (argv["with-auth"]) {
+  authHandle = await startFbiAuth({
+    domain: argv.domain,
+    reconfigure: argv.reconfigure
+  });
+}
+var caddyHandle;
+if (argv["with-caddy"]) {
+  caddyHandle = await startCaddy({
+    domain: argv.domain,
+    fbiProxyPort: Number(FBI_PROXY_PORT),
+    fbiAuthPort: authHandle?.port,
+    withAuth: Boolean(argv["with-auth"]),
+    acmeEmail: argv["acme-email"],
+    tlsMode: argv["tls-mode"] ?? undefined
+  }) ?? undefined;
+}
+console.log("All services started successfully!");
 var exit = () => {
   console.log("Shutting down...");
+  caddyHandle?.kill();
+  authHandle?.kill();
   proxyProcess?.kill?.();
   process.exit(0);
 };
@@ -5278,3 +5952,72 @@ process.on("uncaughtException", (err) => {
   console.error("Uncaught exception:", err);
   exit();
 });
+async function startFbiAuth(opts) {
+  const configPath = defaultConfigPath();
+  let cfg = await readConfigOrNull(configPath);
+  if (opts.reconfigure) {
+    if (!isTty()) {
+      console.error("[fbi-auth] --reconfigure requires a TTY (interactive terminal).");
+      return;
+    }
+    const prompter = readlinePrompter();
+    cfg = await runWizard(prompter, { domain: opts.domain, existing: cfg });
+    console.log(`[fbi-auth] writing config from wizard \u2192 ${configPath}`);
+    await writeConfig(cfg, configPath);
+  } else if (!cfg) {
+    if (isTty()) {
+      const prompter = readlinePrompter();
+      cfg = await runWizard(prompter, { domain: opts.domain, existing: null });
+      console.log(`[fbi-auth] writing config from wizard \u2192 ${configPath}`);
+      await writeConfig(cfg, configPath);
+    } else {
+      const fromEnv = configFromEnv(opts.domain);
+      if (fromEnv) {
+        console.log(`[fbi-auth] writing config from env vars \u2192 ${configPath}`);
+        await writeConfig(fromEnv, configPath);
+        cfg = fromEnv;
+      } else {
+        console.error(helpfulSetupMessage(opts.domain, configPath));
+        console.error("[fbi-auth] not started \u2014 --with-auth requires a config, env vars, or a TTY for the wizard.");
+        return;
+      }
+    }
+  }
+  console.log(`[fbi-auth] starting (domain=${cfg.domain}, provider=${cfg.provider})`);
+  const handle = await spawnFbiAuth({ configPath });
+  console.log(`[fbi-auth] PID ${handle.pid} listening on 127.0.0.1:${handle.port}`);
+  return handle;
+}
+async function startCaddy(opts) {
+  const binary = await resolveCaddyBinary();
+  if (!binary) {
+    console.error(caddyNotFoundMessage());
+    return null;
+  }
+  if (opts.withAuth && opts.fbiAuthPort === undefined) {
+    console.error("[caddy] --with-auth was requested but fbi-auth failed to start; refusing to spawn Caddy with a broken forward_auth target.");
+    return null;
+  }
+  const domain = opts.domain.startsWith(".") ? opts.domain.slice(1) : opts.domain;
+  const tlsMode = opts.tlsMode ?? (domain === "fbi.com" ? "internal" : "auto");
+  const caddyOpts = {
+    domain,
+    fbiProxyPort: opts.fbiProxyPort,
+    tlsMode,
+    acmeEmail: opts.acmeEmail,
+    withAuth: opts.withAuth,
+    ...opts.withAuth && opts.fbiAuthPort !== undefined ? {
+      ssoHost: `sso.${domain}`,
+      fbiAuthPort: opts.fbiAuthPort
+    } : {}
+  };
+  const caddyfilePath = defaultCaddyfilePath();
+  const { path: writtenPath } = await writeCaddyfile(caddyOpts, caddyfilePath);
+  console.log(`[caddy] wrote Caddyfile \u2192 ${writtenPath}`);
+  console.log(`[caddy] domain=${domain} tlsMode=${tlsMode} withAuth=${opts.withAuth}`);
+  const handle = await spawnCaddy({ caddyfilePath: writtenPath, binary });
+  if (handle) {
+    console.log(`[caddy] PID ${handle.pid}`);
+  }
+  return handle;
+}