instant-cli 1.0.21-branch-cli-codex.25190871505.1 → 1.0.21-branch-cli-codex-update.25190875900.1

package/src/commands/auth/client/update.ts

@@ -0,0 +1,806 @@
+import { Effect } from 'effect';
+import { FileSystem } from '@effect/platform';
+import type { authClientUpdateDef, OptsFromCommand } from '../../../index.ts';
+import { BadArgsError } from '../../../errors.ts';
+import { GlobalOpts } from '../../../context/globalOpts.ts';
+import { optOrPrompt, runUIEffect, validateRequired } from '../../../lib/ui.ts';
+import {
+  findClientByIdOrName,
+  getAppsAuth,
+  updateOAuthClient,
+  type OAuthClient,
+} from '../../../lib/oauth.ts';
+import { UI } from '../../../ui/index.ts';
+import { DEFAULT_OAUTH_CALLBACK_URL } from '@instantdb/platform';
+import chalk from 'chalk';
+import boxen from 'boxen';
+import { link } from '../../../logging.ts';
+
+type OAuthClientRow = OAuthClient;
+
+type ProviderRow = {
+  id: string;
+  provider_name: string;
+};
+
+const camelize = (flag: string) =>
+  flag.replace(/-([a-z])/g, (_, c: string) => c.toUpperCase());
+
+const getFlag = (opts: Record<string, unknown>, flag: string) =>
+  opts[flag] ?? opts[camelize(flag)];
+
+const hasFlag = (opts: Record<string, unknown>, flag: string) =>
+  getFlag(opts, flag) !== undefined;
+
+const hasAnyFlag = (opts: Record<string, unknown>, flags: string[]) =>
+  flags.some((flag) => hasFlag(opts, flag));
+
+const isTrueFlag = (value: unknown) => value === true || value === 'true';
+
+const metaString = (client: OAuthClientRow, key: string) => {
+  if (!client.meta || typeof client.meta !== 'object') return undefined;
+  const value = (client.meta as Record<string, unknown>)[key];
+  return typeof value === 'string' ? value : undefined;
+};
+
+const promptFlag = (
+  opts: Record<string, unknown>,
+  flag: string,
+  params: {
+    promptIf: boolean;
+    required?: boolean;
+    prompt: UI.TextInputProps;
+  },
+) =>
+  Effect.gen(function* () {
+    const value = getFlag(opts, flag);
+    if (value === undefined && !params.promptIf) return undefined;
+    return yield* optOrPrompt(value, {
+      simpleName: `--${flag}`,
+      required: params.required ?? params.promptIf,
+      skipIf: false,
+      prompt: params.prompt,
+    });
+  });
+
+const clientIdPrompt = (provider: string) => ({
+  prompt: `Client ID: ${chalk.dim(`(from ${provider})`)}`,
+  validate: validateRequired,
+  modifyOutput: UI.modifiers.piped([
+    UI.modifiers.topPadding,
+    UI.modifiers.dimOnComplete,
+  ]),
+});
+
+const clientSecretPrompt = (provider: string) => ({
+  prompt: `Client Secret: ${chalk.dim(`(from ${provider})`)}`,
+  validate: validateRequired,
+  sensitive: true,
+  modifyOutput: UI.modifiers.piped([
+    UI.modifiers.topPadding,
+    UI.modifiers.dimOnComplete,
+  ]),
+});
+
+const makeRedirectPrompt = (heading: string) => ({
+  prompt: '',
+  placeholder: 'https://yoursite.com/oauth/callback',
+  modifyOutput: UI.modifiers.piped([
+    (output, status) => {
+      if (status === 'idle') {
+        return (
+          `\n${heading}
+${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
+${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
+          output.replace(/^\n/, '')
+        );
+      }
+      return `\n${heading}\n${output.replace(/^\n/, '')}`;
+    },
+    UI.modifiers.dimOnComplete,
+  ]),
+});
+
+const redirectPrompt = makeRedirectPrompt('Custom redirect URI (optional):');
+const newRedirectPrompt = makeRedirectPrompt('New redirect URI:');
+
+const readPrivateKeyFile = Effect.fn('readPrivateKeyFile')(function* (
+  path: string,
+) {
+  const fs = yield* FileSystem.FileSystem;
+  const normalizedPath =
+    process.platform === 'win32' ? path : path.replace(/\\(.)/g, '$1');
+  const contents = yield* fs.readFileString(normalizedPath, 'utf8').pipe(
+    Effect.mapError(
+      (e) =>
+        new BadArgsError({
+          message: `Could not read private key file at ${normalizedPath}: ${e.message}`,
+        }),
+    ),
+  );
+
+  const trimmed = contents.trim();
+  if (!trimmed) {
+    return yield* BadArgsError.make({
+      message: `Private key file at ${normalizedPath} is empty.`,
+    });
+  }
+  return trimmed;
+});
+
+const resolveClient = Effect.fn(function* (params: {
+  id?: string;
+  name?: string;
+  yes: boolean;
+  clients: OAuthClientRow[];
+}) {
+  if (params.id && params.name) {
+    return yield* BadArgsError.make({
+      message: 'Cannot specify both --id and --name',
+    });
+  }
+
+  if (params.id) {
+    const match = params.clients.find((client) => client.id === params.id);
+    if (!match) {
+      return yield* BadArgsError.make({
+        message: `OAuth client not found: ${params.id}`,
+      });
+    }
+    return match;
+  }
+
+  if (params.name) {
+    const match = params.clients.find(
+      (client) => client.client_name === params.name,
+    );
+    if (!match) {
+      return yield* BadArgsError.make({
+        message: `OAuth client not found: ${params.name}`,
+      });
+    }
+    return match;
+  }
+
+  if (params.yes) {
+    return yield* BadArgsError.make({ message: 'Must specify --id or --name' });
+  }
+
+  if (params.clients.length === 0) {
+    return yield* BadArgsError.make({
+      message: 'No OAuth clients found for this app.',
+    });
+  }
+
+  return yield* runUIEffect(
+    new UI.Select({
+      options: params.clients.map((client) => ({
+        label:
+          client.client_name +
+          (client.use_shared_credentials
+            ? chalk.dim(' (dev credentials)')
+            : '') +
+          chalk.dim(` (${client.id})`),
+        value: client,
+      })),
+      promptText: 'Select a client to update:',
+      modifyOutput: UI.modifiers.piped([UI.modifiers.dimOnComplete]),
+    }),
+  ).pipe(
+    Effect.catchTag('UIError', (e) =>
+      BadArgsError.make({ message: `UI error: ${e.message}` }),
+    ),
+  );
+});
+
+const selectUpdateAction = Effect.fn(function* <T extends string>(
+  options: { label: string; value: T }[],
+) {
+  return yield* runUIEffect(
+    new UI.Select({
+      options,
+      promptText: 'What do you want to update?',
+      modifyOutput: UI.modifiers.piped([UI.modifiers.dimOnComplete]),
+    }),
+  ).pipe(
+    Effect.catchTag('UIError', (e) =>
+      BadArgsError.make({ message: `UI error: ${e.message}` }),
+    ),
+  );
+});
+
+const updateGoogleToDevCredentials = Effect.fn(function* (
+  client: OAuthClientRow,
+) {
+  const response = yield* updateOAuthClient({
+    oauthClientId: client.id,
+    useSharedCredentials: true,
+    redirectTo: null,
+  });
+
+  yield* Effect.log(
+    boxen(
+      [
+        `Google OAuth client updated: ${response.client.client_name}`,
+        'Credentials: Instant dev credentials',
+        `ID: ${response.client.id}`,
+        '',
+        'No Google Console setup required.',
+        'Works on localhost and Expo during development.',
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
+const handleGoogleUpdate = Effect.fn(function* (
+  opts: Record<string, unknown>,
+  client: OAuthClientRow,
+) {
+  const { yes } = yield* GlobalOpts;
+  const consoleUrl = link(
+    'https://console.developers.google.com/apis/credentials',
+  );
+  const appType = metaString(client, 'appType');
+  const isWeb = appType === 'web' || appType === undefined;
+  const devCredentialsFlag = isTrueFlag(getFlag(opts, 'dev-credentials'));
+  const hasCustomCredentialFlag = hasAnyFlag(opts, [
+    'client-id',
+    'client-secret',
+    'custom-redirect-uri',
+  ]);
+
+  if (!isWeb) {
+    if (devCredentialsFlag) {
+      return yield* BadArgsError.make({
+        message: '--dev-credentials is only supported for Google web clients.',
+      });
+    }
+    if (
+      hasFlag(opts, 'client-secret') ||
+      hasFlag(opts, 'custom-redirect-uri')
+    ) {
+      return yield* BadArgsError.make({
+        message:
+          '--client-secret and --custom-redirect-uri are only supported for Google web clients.',
+      });
+    }
+  }
+
+  if (devCredentialsFlag && hasCustomCredentialFlag) {
+    return yield* BadArgsError.make({
+      message:
+        '--dev-credentials cannot be combined with --client-id, --client-secret, or --custom-redirect-uri.',
+    });
+  }
+
+  if (isWeb && devCredentialsFlag) {
+    return yield* updateGoogleToDevCredentials(client);
+  }
+
+  const hasAnyUpdateFlag = hasAnyFlag(opts, [
+    'client-id',
+    'client-secret',
+    'custom-redirect-uri',
+    'dev-credentials',
+  ]);
+
+  if (yes && !hasAnyUpdateFlag) {
+    return yield* BadArgsError.make({
+      message:
+        'Must specify at least one of --client-id, --client-secret, --custom-redirect-uri, or --dev-credentials.',
+    });
+  }
+
+  const switchingFromShared = Boolean(client.use_shared_credentials);
+
+  if (!hasAnyUpdateFlag && !yes) {
+    yield* Effect.log(
+      `\nCurrent mode: ${
+        switchingFromShared
+          ? chalk.bold('Instant dev credentials')
+          : 'custom credentials'
+      }`,
+    );
+
+    if (!switchingFromShared) {
+      const action = yield* selectUpdateAction([
+        { label: 'Rotate credentials', value: 'rotate' },
+        {
+          label:
+            'Switch to Instant dev credentials' +
+            chalk.dim(' (localhost and Expo, no Google setup)'),
+          value: 'dev-credentials',
+        },
+        { label: 'Update redirect URI', value: 'redirect' },
+      ]);
+
+      if (action === 'dev-credentials') {
+        return yield* updateGoogleToDevCredentials(client);
+      }
+
+      if (action === 'redirect') {
+        const redirectTo = yield* promptFlag(opts, 'custom-redirect-uri', {
+          promptIf: true,
+          required: true,
+          prompt: newRedirectPrompt,
+        });
+        const response = yield* updateOAuthClient({
+          oauthClientId: client.id,
+          redirectTo,
+        });
+        yield* Effect.log(
+          boxen(
+            [
+              `Google OAuth client updated: ${response.client.client_name}`,
+              `ID: ${response.client.id}`,
+              `Redirect URI: ${redirectTo}`,
+            ].join('\n'),
+            { dimBorder: true, padding: { right: 1, left: 1 } },
+          ),
+        );
+        return;
+      }
+    }
+  }
+
+  const promptCredentials = !hasAnyUpdateFlag && !yes;
+  const clientId = yield* promptFlag(opts, 'client-id', {
+    promptIf:
+      promptCredentials || (switchingFromShared && !hasFlag(opts, 'client-id')),
+    required: promptCredentials || switchingFromShared,
+    prompt: clientIdPrompt(consoleUrl),
+  });
+  const clientSecret = yield* promptFlag(opts, 'client-secret', {
+    promptIf:
+      isWeb &&
+      (promptCredentials ||
+        (switchingFromShared && !hasFlag(opts, 'client-secret'))),
+    required: isWeb && (promptCredentials || switchingFromShared),
+    prompt: clientSecretPrompt(consoleUrl),
+  });
+  const customRedirectUri = isWeb
+    ? yield* promptFlag(opts, 'custom-redirect-uri', {
+        promptIf: switchingFromShared && promptCredentials,
+        required: false,
+        prompt: redirectPrompt,
+      })
+    : undefined;
+
+  const redirectTo = switchingFromShared
+    ? customRedirectUri || client.redirect_to || DEFAULT_OAUTH_CALLBACK_URL
+    : customRedirectUri;
+
+  const response = yield* updateOAuthClient({
+    oauthClientId: client.id,
+    clientId,
+    clientSecret,
+    redirectTo,
+    useSharedCredentials: switchingFromShared ? false : undefined,
+  });
+
+  const lines = [
+    `Google OAuth client updated: ${response.client.client_name}`,
+    'Credentials: custom',
+    `ID: ${response.client.id}`,
+  ];
+
+  if (switchingFromShared) {
+    lines.push('', 'This client no longer uses Instant dev credentials.');
+  }
+  if (isWeb && redirectTo) {
+    lines.push(
+      '',
+      chalk.bold(`Add this redirect URI in Google Console:\n${redirectTo}`),
+    );
+  }
+
+  yield* Effect.log(
+    boxen(lines.join('\n'), {
+      dimBorder: true,
+      padding: { right: 1, left: 1 },
+    }),
+  );
+});
+
+const handleClientIdSecretUpdate = Effect.fn(function* (params: {
+  opts: Record<string, unknown>;
+  client: OAuthClientRow;
+  providerLabel: string;
+  providerUrl: string;
+}) {
+  const { yes } = yield* GlobalOpts;
+  const hasAnyUpdateFlag = hasAnyFlag(params.opts, [
+    'client-id',
+    'client-secret',
+    'custom-redirect-uri',
+  ]);
+  if (yes && !hasAnyUpdateFlag) {
+    return yield* BadArgsError.make({
+      message:
+        'Must specify at least one of --client-id, --client-secret, or --custom-redirect-uri.',
+    });
+  }
+
+  let promptCredentials = false;
+  let promptRedirect = false;
+
+  if (!hasAnyUpdateFlag && !yes) {
+    const action = yield* selectUpdateAction([
+      { label: 'Rotate credentials', value: 'rotate' },
+      { label: 'Update redirect URI', value: 'redirect' },
+    ]);
+    promptCredentials = action === 'rotate';
+    promptRedirect = action === 'redirect';
+  }
+
+  const clientId = yield* promptFlag(params.opts, 'client-id', {
+    promptIf: promptCredentials,
+    required: promptCredentials,
+    prompt: clientIdPrompt(link(params.providerUrl)),
+  });
+  const clientSecret = yield* promptFlag(params.opts, 'client-secret', {
+    promptIf: promptCredentials,
+    required: promptCredentials,
+    prompt: clientSecretPrompt(link(params.providerUrl)),
+  });
+  const customRedirectUri = yield* promptFlag(
+    params.opts,
+    'custom-redirect-uri',
+    {
+      promptIf: promptRedirect,
+      required: promptRedirect,
+      prompt: promptRedirect ? newRedirectPrompt : redirectPrompt,
+    },
+  );
+
+  const response = yield* updateOAuthClient({
+    oauthClientId: params.client.id,
+    clientId,
+    clientSecret,
+    redirectTo: customRedirectUri,
+  });
+
+  yield* Effect.log(
+    boxen(
+      [
+        `${params.providerLabel} OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
+const handleAppleUpdate = Effect.fn(function* (
+  opts: Record<string, unknown>,
+  client: OAuthClientRow,
+) {
+  const { yes } = yield* GlobalOpts;
+  const webFlags = [
+    'team-id',
+    'key-id',
+    'private-key-file',
+    'custom-redirect-uri',
+  ];
+  const updateFlags = ['services-id', ...webFlags];
+  const hasAnyUpdateFlag = hasAnyFlag(opts, updateFlags);
+  if (yes && !hasAnyUpdateFlag) {
+    return yield* BadArgsError.make({
+      message:
+        'Must specify at least one of --services-id, --team-id, --key-id, --private-key-file, or --custom-redirect-uri.',
+    });
+  }
+
+  const existingWeb = Boolean(
+    metaString(client, 'teamId') ||
+      metaString(client, 'keyId') ||
+      client.redirect_to,
+  );
+  const promptAll = !hasAnyUpdateFlag && !yes;
+  const configureWeb = promptAll
+    ? yield* runUIEffect(
+        new UI.Confirmation({
+          promptText:
+            'Configure web redirect flow? ' +
+            chalk.dim(
+              '(requires Team ID, Key ID, and a .p8 private key from Apple)',
+            ),
+          defaultValue: existingWeb,
+        }),
+      ).pipe(
+        Effect.catchTag('UIError', (e) =>
+          BadArgsError.make({ message: `UI error: ${e.message}` }),
+        ),
+      )
+    : hasAnyFlag(opts, webFlags);
+
+  const servicesId = yield* promptFlag(opts, 'services-id', {
+    promptIf: promptAll,
+    required: promptAll,
+    prompt: {
+      prompt: `Services ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/identifiers/list/serviceId')})`)}`,
+      validate: validateRequired,
+      modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+      ]),
+    },
+  });
+
+  const teamId = configureWeb
+    ? yield* promptFlag(opts, 'team-id', {
+        promptIf: promptAll,
+        required: promptAll,
+        prompt: {
+          prompt: `Team ID ${chalk.dim(`(from ${link('https://developer.apple.com/account#MembershipDetailsCard')})`)}`,
+          validate: validateRequired,
+          modifyOutput: UI.modifiers.piped([
+            UI.modifiers.topPadding,
+            UI.modifiers.dimOnComplete,
+          ]),
+        },
+      })
+    : undefined;
+  const keyId = configureWeb
+    ? yield* promptFlag(opts, 'key-id', {
+        promptIf: promptAll,
+        required: promptAll,
+        prompt: {
+          prompt: `Key ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/authkeys/list')})`)}`,
+          validate: validateRequired,
+          modifyOutput: UI.modifiers.piped([
+            UI.modifiers.topPadding,
+            UI.modifiers.dimOnComplete,
+          ]),
+        },
+      })
+    : undefined;
+  const privateKeyPath = configureWeb
+    ? yield* promptFlag(opts, 'private-key-file', {
+        promptIf: promptAll,
+        required: promptAll,
+        prompt: {
+          prompt: `Path to .p8 private key file ${chalk.dim('(downloaded from Apple)')}`,
+          validate: validateRequired,
+          modifyOutput: UI.modifiers.piped([
+            UI.modifiers.topPadding,
+            UI.modifiers.dimOnComplete,
+          ]),
+        },
+      })
+    : undefined;
+  const privateKey = privateKeyPath
+    ? yield* readPrivateKeyFile(privateKeyPath)
+    : undefined;
+  const customRedirectUri = configureWeb
+    ? yield* promptFlag(opts, 'custom-redirect-uri', {
+        promptIf: promptAll,
+        required: false,
+        prompt: redirectPrompt,
+      })
+    : undefined;
+
+  const meta: Record<string, string> = {};
+  if (teamId) meta.teamId = teamId;
+  if (keyId) meta.keyId = keyId;
+
+  const response = yield* updateOAuthClient({
+    oauthClientId: client.id,
+    clientId: servicesId,
+    clientSecret: privateKey,
+    redirectTo:
+      configureWeb && privateKey
+        ? customRedirectUri || client.redirect_to || DEFAULT_OAUTH_CALLBACK_URL
+        : customRedirectUri,
+    meta: Object.keys(meta).length ? meta : undefined,
+  });
+
+  yield* Effect.log(
+    boxen(
+      [
+        `Apple OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
+const handleClerkUpdate = Effect.fn(function* (
+  opts: Record<string, unknown>,
+  client: OAuthClientRow,
+) {
+  const { yes } = yield* GlobalOpts;
+  const publishableKey = yield* promptFlag(opts, 'publishable-key', {
+    promptIf: !yes && !hasFlag(opts, 'publishable-key'),
+    required: true,
+    prompt: {
+      prompt: `Clerk publishable key ${chalk.dim(`(from ${link('https://dashboard.clerk.com/last-active?path=api-keys')})`)}`,
+      placeholder:
+        'pk_********************************************************',
+      validate: (val) => {
+        if (!val) return 'Publishable key is required';
+        if (!val.startsWith('pk_')) {
+          return 'Invalid publishable key. It should start with "pk_".';
+        }
+      },
+      modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+      ]),
+    },
+  });
+
+  if (!publishableKey) {
+    return yield* BadArgsError.make({
+      message: 'Missing required value for --publishable-key',
+    });
+  }
+
+  const domain = domainFromClerkKey(publishableKey);
+  if (!domain) {
+    return yield* BadArgsError.make({
+      message: 'Invalid publishable key. Could not extract domain.',
+    });
+  }
+
+  const response = yield* updateOAuthClient({
+    oauthClientId: client.id,
+    discoveryEndpoint: `https://${domain}/.well-known/openid-configuration`,
+    meta: { clerkPublishableKey: publishableKey },
+  });
+
+  yield* Effect.log(
+    boxen(
+      [
+        `Clerk OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+        `Clerk Domain: https://${domain}`,
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
+const handleFirebaseUpdate = Effect.fn(function* (
+  opts: Record<string, unknown>,
+  client: OAuthClientRow,
+) {
+  const { yes } = yield* GlobalOpts;
+  const projectId = yield* promptFlag(opts, 'project-id', {
+    promptIf: !yes && !hasFlag(opts, 'project-id'),
+    required: true,
+    prompt: {
+      prompt: `Firebase project ID: (From Project Settings page on ${link('https://console.firebase.google.com/')})`,
+      validate: validateFirebaseProjectId,
+      modifyOutput: UI.modifiers.piped([
+        UI.modifiers.topPadding,
+        UI.modifiers.dimOnComplete,
+      ]),
+    },
+  });
+
+  const validationError = validateFirebaseProjectId(projectId ?? '');
+  if (validationError) {
+    return yield* BadArgsError.make({ message: validationError });
+  }
+
+  const response = yield* updateOAuthClient({
+    oauthClientId: client.id,
+    discoveryEndpoint: firebaseDiscoveryEndpoint(projectId!),
+  });
+
+  yield* Effect.log(
+    boxen(
+      [
+        `Firebase OAuth client updated: ${response.client.client_name}`,
+        `ID: ${response.client.id}`,
+        `Firebase Project ID: ${projectId}`,
+      ].join('\n'),
+      { dimBorder: true, padding: { right: 1, left: 1 } },
+    ),
+  );
+});
+
+export const authClientUpdateCmd = Effect.fn(
+  function* (
+    opts: OptsFromCommand<typeof authClientUpdateDef> & Record<string, unknown>,
+  ) {
+    const { yes } = yield* GlobalOpts;
+    const id = getFlag(opts, 'id') as string | undefined;
+    const name = getFlag(opts, 'name') as string | undefined;
+    const { auth, client } =
+      id || name
+        ? yield* findClientByIdOrName({ id, name })
+        : {
+            auth: yield* getAppsAuth(),
+            client: undefined as OAuthClientRow | undefined,
+          };
+    const resolvedClient =
+      client ??
+      (yield* resolveClient({
+        yes,
+        clients: (auth.oauth_clients ?? []) as OAuthClientRow[],
+      }));
+    const provider = (auth.oauth_service_providers ?? []).find(
+      (entry: ProviderRow) => entry.id === resolvedClient.provider_id,
+    );
+
+    if (!provider) {
+      return yield* BadArgsError.make({
+        message: `OAuth provider not found for client: ${resolvedClient.client_name}`,
+      });
+    }
+
+    switch (provider.provider_name) {
+      case 'google':
+        return yield* handleGoogleUpdate(opts, resolvedClient);
+      case 'github':
+        return yield* handleClientIdSecretUpdate({
+          opts,
+          client: resolvedClient,
+          providerLabel: 'GitHub',
+          providerUrl: 'https://github.com/settings/developers',
+        });
+      case 'linkedin':
+        return yield* handleClientIdSecretUpdate({
+          opts,
+          client: resolvedClient,
+          providerLabel: 'LinkedIn',
+          providerUrl: 'https://www.linkedin.com/developers/apps',
+        });
+      case 'apple':
+        return yield* handleAppleUpdate(opts, resolvedClient);
+      case 'clerk':
+        return yield* handleClerkUpdate(opts, resolvedClient);
+      case 'firebase':
+        return yield* handleFirebaseUpdate(opts, resolvedClient);
+      default:
+        return yield* BadArgsError.make({
+          message: `Updating ${provider.provider_name} OAuth clients is not supported.`,
+        });
+    }
+  },
+  Effect.catchTag('BadArgsError', (e) =>
+    Effect.gen(function* () {
+      yield* Effect.logError(e.message);
+      yield* Effect.log(
+        chalk.dim(
+          'hint: run `instant-cli auth client update --help` for available arguments',
+        ),
+      );
+    }),
+  ),
+);
+
+function domainFromClerkKey(key: string): string | null {
+  try {
+    const parts = key.split('_');
+    const domainPartB64 = parts[parts.length - 1];
+    const domainPart = base64Decode(domainPartB64);
+    return domainPart.replace('$', '');
+  } catch {
+    return null;
+  }
+}
+
+function base64Decode(s: string) {
+  try {
+    return Buffer.from(s, 'base64').toString('utf-8');
+  } catch {
+    return Buffer.from(s, 'base64url').toString('utf-8');
+  }
+}
+
+function validateFirebaseProjectId(value: string) {
+  const projectIdRegex = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
+  if (!value) return 'Project ID is required';
+  if (!projectIdRegex.test(value)) {
+    return 'Invalid Firebase project ID. It must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits, and hyphens, and not end with a hyphen.';
+  }
+}
+
+function firebaseDiscoveryEndpoint(projectId: string) {
+  return `https://securetoken.google.com/${encodeURIComponent(projectId)}/.well-known/openid-configuration`;
+}