instant-cli 1.0.22 → 1.0.23-branch-cli-codex-update.25390498340.1

package/dist/commands/auth/client/add.js

@@ -1,16 +1,21 @@
 import { Effect, Match, Option, Schema } from 'effect';
-import { FileSystem } from '@effect/platform';
 import { BadArgsError } from "../../../errors.js";
 import { GlobalOpts } from "../../../context/globalOpts.js";
-import { optOrPrompt, optOrPromptBoolean, runUIEffect, stripFirstBlankLine, validateRequired, } from "../../../lib/ui.js";
-import { addOAuthClient, findName, getClientNameAndProvider, getOrCreateProvider, } from "../../../lib/oauth.js";
-import { DEFAULT_OAUTH_CALLBACK_URL, GOOGLE_AUTHORIZATION_ENDPOINT, GOOGLE_DISCOVERY_ENDPOINT, GOOGLE_TOKEN_ENDPOINT, APPLE_AUTHORIZATION_ENDPOINT, APPLE_DISCOVERY_ENDPOINT, APPLE_TOKEN_ENDPOINT, LINKEDIN_AUTHORIZATION_ENDPOINT, LINKEDIN_DISCOVERY_ENDPOINT, LINKEDIN_TOKEN_ENDPOINT, } from '@instantdb/platform';
+import { optOrPrompt, optOrPromptBoolean, runUIEffect, validateRequired, } from "../../../lib/ui.js";
+import { addOAuthClient, findName, getClientNameAndProvider, getOrCreateProvider, GoogleAppTypeSchema, OAuthClient, } from "../../../lib/oauth.js";
+import { DEFAULT_OAUTH_CALLBACK_URL, GOOGLE_AUTHORIZATION_ENDPOINT, GOOGLE_DISCOVERY_ENDPOINT, GOOGLE_TOKEN_ENDPOINT, APPLE_AUTHORIZATION_ENDPOINT, APPLE_DISCOVERY_ENDPOINT, APPLE_TOKEN_ENDPOINT, clerkDomainFromPublishableKey, LINKEDIN_AUTHORIZATION_ENDPOINT, LINKEDIN_DISCOVERY_ENDPOINT, LINKEDIN_TOKEN_ENDPOINT, } from '@instantdb/platform';
 import { UI } from "../../../ui/index.js";
 import chalk from 'chalk';
 import boxen from 'boxen';
 import { link } from "../../../logging.js";
+import { appleKeyIdPrompt, applePrivateKeyFilePrompt, appleServicesIdPrompt, appleTeamIdPrompt, clerkPublishableKeyPrompt, clientIdPrompt, clientSecretPrompt, firebaseDiscoveryEndpoint, firebaseProjectIdPrompt, getFlag, hasAnyFlag, isTrueFlag, readPrivateKeyFile, redirectSetupMessages, redirectUriPrompt, validateFirebaseProjectId, } from "./shared.js";
 export const ClientTypeSchema = Schema.Literal('google', 'github', 'apple', 'linkedin', 'clerk', 'firebase');
-const GoogleAppTypeSchema = Schema.Literal('web', 'ios', 'android', 'button-for-web');
+const googleConsoleUrl = 'https://console.developers.google.com/apis/credentials';
+const githubDeveloperUrl = 'https://github.com/settings/developers';
+const linkedinDeveloperUrl = 'https://www.linkedin.com/developers/apps';
+const optionalRedirectPrompt = redirectUriPrompt({
+    heading: 'Custom redirect URI (optional):',
+});
 const selectGoogleAppType = (value) => Effect.gen(function* () {
     const { yes } = yield* GlobalOpts;
     return yield* Option.fromNullable(value).pipe(Effect.catchTag('NoSuchElementException', () => {
@@ -40,10 +45,100 @@ const selectGoogleAppType = (value) => Effect.gen(function* () {
         message: 'Invalid app-type, must be one of: web, ios, android, button-for-web',
     })));
 });
+const selectGoogleCredentialMode = Effect.fn(function* () {
+    return yield* runUIEffect(new UI.Select({
+        options: [
+            {
+                label: 'Use dev credentials' +
+                    chalk.dim(' (works on localhost and Expo, no Google setup)'),
+                value: 'dev',
+            },
+            {
+                label: 'Use my own credentials' +
+                    chalk.dim(' (client ID and secret from Google Console)'),
+                value: 'custom',
+            },
+        ],
+        promptText: 'Select Google credential mode:',
+        modifyOutput: UI.modifiers.piped([
+            UI.modifiers.topPadding,
+            UI.modifiers.dimOnComplete,
+        ]),
+        defaultValue: 'dev',
+    })).pipe(Effect.catchTag('UIError', (e) => BadArgsError.make({ message: `UI error: ${e.message}` })));
+});
+const resolveGoogleCredentialMode = Effect.fn(function* ({ appType, opts, }) {
+    const { yes } = yield* GlobalOpts;
+    const devCredentialsFlag = isTrueFlag(getFlag(opts, 'dev-credentials'));
+    const hasProvidedSomeCustomCredentials = hasAnyFlag(opts, [
+        'client-id',
+        'client-secret',
+        'custom-redirect-uri',
+    ]);
+    if (devCredentialsFlag && appType !== 'web') {
+        return yield* BadArgsError.make({
+            message: '--dev-credentials is only supported for --app-type web. Native Google clients need credentials from Google.',
+        });
+    }
+    if (devCredentialsFlag && hasProvidedSomeCustomCredentials) {
+        return yield* BadArgsError.make({
+            message: '--dev-credentials cannot be combined with --client-id, --client-secret, or --custom-redirect-uri.',
+        });
+    }
+    if (appType !== 'web') {
+        return 'custom';
+    }
+    if (hasProvidedSomeCustomCredentials) {
+        return 'custom';
+    }
+    if (devCredentialsFlag) {
+        return 'dev';
+    }
+    if (yes) {
+        return 'dev';
+    }
+    return yield* selectGoogleCredentialMode();
+});
+const printGoogleDevCredentialsClient = Effect.fn(function* ({ appType, client, }) {
+    yield* Effect.log(boxen([
+        `Google OAuth client created: ${client.client_name}`,
+        `App type: ${appType}`,
+        `Credentials: Instant dev credentials`,
+        `ID: ${client.id}`,
+        '',
+        'No Google Console setup required.',
+        'Works on localhost and Expo during development.',
+        '',
+        chalk.bold('Ready for production? Run:'),
+        `  instant-cli auth client update --name ${client.client_name} --client-id <id> --client-secret <secret>`,
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
+const printGoogleCustomCredentialsClient = Effect.fn(function* ({ appType, client, clientId, customRedirectUri, redirectUri, }) {
+    const redirectMessages = [];
+    if (appType === 'web' && redirectUri) {
+        redirectMessages.push(...redirectSetupMessages({
+            prompt: 'Add this redirect URI in Google Console',
+            redirectUri,
+            showCustomRedirectInstructions: Boolean(customRedirectUri),
+        }));
+    }
+    yield* Effect.log(boxen([
+        `Google OAuth client created: ${client.client_name}`,
+        `App type: ${appType}`,
+        `ID: ${client.id}`,
+        `Google Client ID: ${client.client_id ?? clientId}`,
+        ...redirectMessages,
+    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+});
 const handleGoogleClient = Effect.fn(function* (opts) {
     // This one requires special logic for getting client name
     // because the suggested name includes the app type
     const appType = yield* selectGoogleAppType(opts['app-type']);
+    const credentialMode = yield* resolveGoogleCredentialMode({
+        appType,
+        opts,
+    });
+    const useSharedCredentials = credentialMode === 'dev';
     const { auth, provider } = yield* getOrCreateProvider('google');
     const usedClientNames = new Set((auth.oauth_clients ?? []).map((client) => client.client_name));
     const suggestedClientName = findName(`google-${appType}`, usedClientNames);
@@ -56,7 +151,10 @@ const handleGoogleClient = Effect.fn(function* (opts) {
             defaultValue: suggestedClientName,
             placeholder: suggestedClientName,
             validate: validateRequired,
-            modifyOutput: UI.modifiers.piped([UI.modifiers.dimOnComplete]),
+            modifyOutput: UI.modifiers.piped([
+                UI.modifiers.topPadding,
+                UI.modifiers.dimOnComplete,
+            ]),
         },
     });
     if (usedClientNames.has(clientName || '')) {
@@ -66,62 +164,41 @@ const handleGoogleClient = Effect.fn(function* (opts) {
     }
     const clientId = yield* optOrPrompt(opts['client-id'], {
         simpleName: '--client-id',
-        required: true,
-        skipIf: false,
-        prompt: {
-            prompt: `Client ID: ${chalk.dim(`(from ${link('https://console.developers.google.com/apis/credentials')})`)}`,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-            validate: validateRequired,
-        },
+        required: !useSharedCredentials,
+        skipIf: useSharedCredentials,
+        skipMessage: '--client-id is not compatible with --dev-credentials. Drop one or the other.',
+        prompt: clientIdPrompt({ providerUrl: googleConsoleUrl }),
     });
+    const usesCustomWebCredentials = !useSharedCredentials && appType === 'web';
     const clientSecret = yield* optOrPrompt(opts['client-secret'], {
-        required: appType === 'web',
-        skipIf: appType !== 'web',
+        required: usesCustomWebCredentials,
+        skipIf: !usesCustomWebCredentials,
         simpleName: '--client-secret',
-        prompt: {
-            prompt: `Client Secret: ${chalk.dim(`(from ${link('https://console.developers.google.com/apis/credentials')})`)}`,
-            validate: validateRequired,
-            sensitive: true,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        skipMessage: useSharedCredentials
+            ? '--client-secret is not compatible with --dev-credentials. Drop one or the other.'
+            : undefined,
+        prompt: clientSecretPrompt({ providerUrl: googleConsoleUrl }),
     });
     const customRedirectUri = yield* optOrPrompt(opts['custom-redirect-uri'], {
         required: false,
-        prompt: {
-            prompt: '',
-            placeholder: 'https://yoursite.com/oauth/callback',
-            modifyOutput: UI.modifiers.piped([
-                (output, status) => {
-                    if (status === 'idle') {
-                        return (`\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-                            stripFirstBlankLine(output));
-                    }
-                    return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-                },
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: optionalRedirectPrompt,
         simpleName: '--custom-redirect-uri',
-        skipIf: appType !== 'web',
-        skipMessage: 'Provided custom redirect URI when not using web app type.',
+        skipIf: !usesCustomWebCredentials,
+        skipMessage: useSharedCredentials
+            ? '--custom-redirect-uri is not compatible with --dev-credentials.'
+            : 'Provided custom redirect URI when not using web app type.',
     });
     if (!clientName) {
         return yield* BadArgsError.make({ message: 'Client name is required.' }); // Should never reach this
     }
-    const redirectUri = customRedirectUri || DEFAULT_OAUTH_CALLBACK_URL;
+    const redirectUri = useSharedCredentials
+        ? undefined
+        : customRedirectUri || DEFAULT_OAUTH_CALLBACK_URL;
     const response = yield* addOAuthClient({
         providerId: provider.id,
         clientName,
-        clientId,
-        clientSecret: clientSecret,
+        clientId: useSharedCredentials ? undefined : clientId,
+        clientSecret: useSharedCredentials ? undefined : clientSecret,
         authorizationEndpoint: GOOGLE_AUTHORIZATION_ENDPOINT,
         tokenEndpoint: GOOGLE_TOKEN_ENDPOINT,
         discoveryEndpoint: GOOGLE_DISCOVERY_ENDPOINT,
@@ -130,22 +207,22 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
             appType,
             skipNonceChecks: true,
         },
+        useSharedCredentials,
     });
-    const redirectMessages = [];
-    if (appType === 'web') {
-        redirectMessages.push(chalk.bold(`\nAdd this redirect URI in Google Console:\n${redirectUri}\n`));
-        if (customRedirectUri) {
-            redirectMessages.push(`Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`);
-            redirectMessages.push(`You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`);
-        }
+    if (useSharedCredentials) {
+        yield* printGoogleDevCredentialsClient({
+            appType,
+            client: response.client,
+        });
+        return;
     }
-    yield* Effect.log(boxen([
-        `Google OAuth client created: ${response.client.client_name}`,
-        `App type: ${appType}`,
-        `ID: ${response.client.id}`,
-        `Google Client ID: ${response.client.client_id ?? clientId}`,
-        ...redirectMessages,
-    ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
+    yield* printGoogleCustomCredentialsClient({
+        appType,
+        client: response.client,
+        clientId,
+        customRedirectUri,
+        redirectUri,
+    });
 });
 const handleGithubClient = Effect.fn(function* (opts) {
     const { clientName, provider } = yield* getClientNameAndProvider('github', opts);
@@ -153,49 +230,19 @@ const handleGithubClient = Effect.fn(function* (opts) {
         simpleName: '--client-id',
         required: true,
         skipIf: false,
-        prompt: {
-            prompt: `Client ID ${chalk.dim(`(from ${link('https://github.com/settings/developers')})`)}`,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-            validate: validateRequired,
-        },
+        prompt: clientIdPrompt({ providerUrl: githubDeveloperUrl }),
     });
     const clientSecret = yield* optOrPrompt(opts['client-secret'], {
         required: true,
         skipIf: false,
         simpleName: '--client-secret',
-        prompt: {
-            prompt: `Client Secret: ${chalk.dim(`(from ${link('https://github.com/settings/developers')})`)}`,
-            validate: validateRequired,
-            sensitive: true,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: clientSecretPrompt({ providerUrl: githubDeveloperUrl }),
     });
     const customRedirectUri = yield* optOrPrompt(opts['custom-redirect-uri'], {
         required: false,
         simpleName: '--custom-redirect-uri',
         skipIf: false,
-        prompt: {
-            prompt: '',
-            placeholder: 'https://yoursite.com/oauth/callback',
-            modifyOutput: UI.modifiers.piped([
-                (output, status) => {
-                    if (status === 'idle') {
-                        return (`\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-                            stripFirstBlankLine(output));
-                    }
-                    return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-                },
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: optionalRedirectPrompt,
     });
     if (!clientName) {
         return yield* BadArgsError.make({ message: 'Client name is required.' });
@@ -211,13 +258,11 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
         redirectTo: redirectUri,
         meta: { providerName: 'github' },
     });
-    const redirectMessages = [
-        chalk.bold(`\nAdd this callback URL in your GitHub OAuth App settings:\n${redirectUri}\n`),
-    ];
-    if (customRedirectUri) {
-        redirectMessages.push(`Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`);
-        redirectMessages.push(`You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`);
-    }
+    const redirectMessages = redirectSetupMessages({
+        prompt: 'Add this callback URL in your GitHub OAuth App settings',
+        redirectUri,
+        showCustomRedirectInstructions: Boolean(customRedirectUri),
+    });
     yield* Effect.log(boxen([
         `GitHub OAuth client created: ${response.client.client_name}`,
         `ID: ${response.client.id}`,
@@ -231,49 +276,19 @@ const handleLinkedInClient = Effect.fn(function* (opts) {
         simpleName: '--client-id',
         required: true,
         skipIf: false,
-        prompt: {
-            prompt: `Client ID: ${chalk.dim(`(from ${link('https://www.linkedin.com/developers/apps')})`)}`,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-            validate: validateRequired,
-        },
+        prompt: clientIdPrompt({ providerUrl: linkedinDeveloperUrl }),
     });
     const clientSecret = yield* optOrPrompt(opts['client-secret'], {
         required: true,
         skipIf: false,
         simpleName: '--client-secret',
-        prompt: {
-            prompt: `Client Secret: ${chalk.dim(`(from ${link('https://www.linkedin.com/developers/apps')})`)}`,
-            validate: validateRequired,
-            sensitive: true,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: clientSecretPrompt({ providerUrl: linkedinDeveloperUrl }),
     });
     const customRedirectUri = yield* optOrPrompt(opts['custom-redirect-uri'], {
         required: false,
         simpleName: '--custom-redirect-uri',
         skipIf: false,
-        prompt: {
-            prompt: '',
-            placeholder: 'https://yoursite.com/oauth/callback',
-            modifyOutput: UI.modifiers.piped([
-                (output, status) => {
-                    if (status === 'idle') {
-                        return (`\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-                            stripFirstBlankLine(output));
-                    }
-                    return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-                },
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: optionalRedirectPrompt,
     });
     if (!clientName) {
         return yield* BadArgsError.make({ message: 'Client name is required.' });
@@ -289,13 +304,11 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
         discoveryEndpoint: LINKEDIN_DISCOVERY_ENDPOINT,
         redirectTo: redirectUri,
     });
-    const redirectMessages = [
-        chalk.bold(`\nAdd this redirect URI in your LinkedIn app settings:\n${redirectUri}\n`),
-    ];
-    if (customRedirectUri) {
-        redirectMessages.push(`Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`);
-        redirectMessages.push(`You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`);
-    }
+    const redirectMessages = redirectSetupMessages({
+        prompt: 'Add this redirect URI in your LinkedIn app settings',
+        redirectUri,
+        showCustomRedirectInstructions: Boolean(customRedirectUri),
+    });
     yield* Effect.log(boxen([
         `LinkedIn OAuth client created: ${response.client.client_name}`,
         `ID: ${response.client.id}`,
@@ -303,22 +316,6 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
         ...redirectMessages,
     ].join('\n'), { dimBorder: true, padding: { right: 1, left: 1 } }));
 });
-const readPrivateKeyFile = Effect.fn('readPrivateKeyFile')(function* (path) {
-    const fs = yield* FileSystem.FileSystem;
-    // Strip shell-escape backslashes so paths like "file\ (2).p8" resolve correctly.
-    // Only on POSIX — Windows uses backslashes as path separators.
-    const normalizedPath = process.platform === 'win32' ? path : path.replace(/\\(.)/g, '$1');
-    const contents = yield* fs.readFileString(normalizedPath, 'utf8').pipe(Effect.mapError((e) => new BadArgsError({
-        message: `Could not read private key file at ${normalizedPath}: ${e.message}`,
-    })));
-    const trimmed = contents.trim();
-    if (!trimmed) {
-        return yield* BadArgsError.make({
-            message: `Private key file at ${normalizedPath} is empty.`,
-        });
-    }
-    return trimmed;
-});
 const handleAppleClient = Effect.fn(function* (opts) {
     const { yes } = yield* GlobalOpts;
     const { clientName, provider } = yield* getClientNameAndProvider('apple', opts);
@@ -326,14 +323,7 @@ const handleAppleClient = Effect.fn(function* (opts) {
         simpleName: '--services-id',
         required: true,
         skipIf: false,
-        prompt: {
-            prompt: `Services ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/identifiers/list/serviceId')})`)}`,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-            validate: validateRequired,
-        },
+        prompt: appleServicesIdPrompt({}),
     });
     // If any web-flow flag is provided, enable web flow; otherwise ask
     // (non-interactively with --yes we default to native-only).
@@ -359,42 +349,21 @@ const handleAppleClient = Effect.fn(function* (opts) {
         required: true,
         skipIf: skipWeb,
         skipMessage: `--team-id ${webSkipMessage}`,
-        prompt: {
-            prompt: `Team ID ${chalk.dim(`(from ${link('https://developer.apple.com/account#MembershipDetailsCard')})`)}`,
-            validate: validateRequired,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: appleTeamIdPrompt({}),
     });
     const keyId = yield* optOrPrompt(opts['key-id'], {
         simpleName: '--key-id',
         required: true,
         skipIf: skipWeb,
         skipMessage: `--key-id ${webSkipMessage}`,
-        prompt: {
-            prompt: `Key ID ${chalk.dim(`(from ${link('https://developer.apple.com/account/resources/authkeys/list')})`)}`,
-            validate: validateRequired,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: appleKeyIdPrompt({}),
     });
     const privateKeyPath = yield* optOrPrompt(opts['private-key-file'], {
         simpleName: '--private-key-file',
         required: true,
         skipIf: skipWeb,
         skipMessage: `--private-key-file ${webSkipMessage}`,
-        prompt: {
-            prompt: `Path to .p8 private key file ${chalk.dim('(downloaded from Apple)')}`,
-            validate: validateRequired,
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: applePrivateKeyFilePrompt({}),
     });
     const privateKey = privateKeyPath
         ? yield* readPrivateKeyFile(privateKeyPath)
@@ -404,22 +373,7 @@ const handleAppleClient = Effect.fn(function* (opts) {
         simpleName: '--custom-redirect-uri',
         skipIf: skipWeb,
         skipMessage: `--custom-redirect-uri ${webSkipMessage}`,
-        prompt: {
-            prompt: '',
-            placeholder: 'https://yoursite.com/oauth/callback',
-            modifyOutput: UI.modifiers.piped([
-                (output, status) => {
-                    if (status === 'idle') {
-                        return (`\nCustom redirect URI (optional):
-${chalk.dim('With a custom redirect URI, users will see "Redirecting to yoursite.com..." for a more branded experience.')}
-${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all query parameters preserved.`)}\n\n` +
-                            stripFirstBlankLine(output));
-                    }
-                    return `\nCustom redirect URI (optional):\n${stripFirstBlankLine(output)}`;
-                },
-                UI.modifiers.dimOnComplete,
-            ]),
-        },
+        prompt: optionalRedirectPrompt,
     });
     if (!clientName) {
         return yield* BadArgsError.make({ message: 'Client name is required.' });
@@ -448,14 +402,14 @@ ${chalk.dim(`Your URI must forward to ${DEFAULT_OAUTH_CALLBACK_URL} with all que
         `ID: ${response.client.id}`,
         `Services ID: ${response.client.client_id ?? servicesId}`,
     ];
-    if (privateKey) {
+    if (privateKey && redirectUri) {
         summaryLines.push(`Team ID: ${teamId}`);
         summaryLines.push(`Key ID: ${keyId}`);
-        summaryLines.push(chalk.bold(`\nAdd this return URL under your Services ID on ${link('https://developer.apple.com', 'developer.apple.com')}:\n${redirectUri}\n`));
-        if (customRedirectUri) {
-            summaryLines.push(`Your custom redirect must forward to ${chalk.bold(DEFAULT_OAUTH_CALLBACK_URL)} with all query parameters preserved.`);
-            summaryLines.push(`You can test it by visiting: ${chalk.bold(redirectUri + '?test-redirect=true')}`);
-        }
+        summaryLines.push(...redirectSetupMessages({
+            prompt: `Add this return URL under your Services ID on ${link('https://developer.apple.com', 'developer.apple.com')}`,
+            redirectUri,
+            showCustomRedirectInstructions: Boolean(customRedirectUri),
+        }));
     }
     yield* Effect.log(boxen(summaryLines.join('\n'), {
         dimBorder: true,
@@ -468,22 +422,7 @@ const handleClerkClient = Effect.fn(function* (opts) {
         simpleName: '--publishable-key',
         required: true,
         skipIf: false,
-        prompt: {
-            prompt: `Clerk publishable key ${chalk.dim(`(from ${link('https://dashboard.clerk.com/last-active?path=api-keys')})`)}`,
-            placeholder: 'pk_********************************************************',
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-            validate: (val) => {
-                if (!val) {
-                    return 'Publishable key is required';
-                }
-                if (!val.startsWith('pk_')) {
-                    return 'Invalid publishable key. It should start with "pk_".';
-                }
-            },
-        },
+        prompt: clerkPublishableKeyPrompt({}),
     });
     if (!clientName) {
         return yield* BadArgsError.make({ message: 'Client name is required.' });
@@ -493,7 +432,7 @@ const handleClerkClient = Effect.fn(function* (opts) {
             message: 'Publishable key is required.',
         });
     }
-    const domain = domainFromClerkKey(publishableKey);
+    const domain = clerkDomainFromPublishableKey(publishableKey);
     if (!domain) {
         return yield* BadArgsError.make({
             message: 'Invalid publishable key. Could not extract domain.',
@@ -520,27 +459,11 @@ const handleClerkClient = Effect.fn(function* (opts) {
 });
 const handleFirebaseClient = Effect.fn(function* (opts) {
     const { clientName, provider } = yield* getClientNameAndProvider('firebase', opts);
-    const firebaseProjectIdRegex = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
     const projectId = yield* optOrPrompt(opts['project-id'], {
         simpleName: '--project-id',
         required: true,
         skipIf: false,
-        prompt: {
-            prompt: `Firebase project ID: (From Project Settings page on ${link('https://console.firebase.google.com/')})`,
-            placeholder: '',
-            modifyOutput: UI.modifiers.piped([
-                UI.modifiers.topPadding,
-                UI.modifiers.dimOnComplete,
-            ]),
-            validate: (val) => {
-                if (!val) {
-                    return 'Project ID is required';
-                }
-                if (!firebaseProjectIdRegex.test(val)) {
-                    return 'Invalid Firebase project ID. It must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits, and hyphens, and not end with a hyphen.';
-                }
-            },
-        },
+        prompt: firebaseProjectIdPrompt({}),
     });
     // typeguard
     if (!clientName || !projectId) {
@@ -548,15 +471,14 @@ const handleFirebaseClient = Effect.fn(function* (opts) {
             message: 'Missing required arguments',
         });
     }
-    if (!firebaseProjectIdRegex.test(projectId)) {
-        return yield* BadArgsError.make({
-            message: 'Invalid Firebase project ID. It must be 6-30 characters, start with a lowercase letter, contain only lowercase letters, digits, and hyphens, and not end with a hyphen.',
-        });
+    const validationError = validateFirebaseProjectId(projectId);
+    if (validationError) {
+        return yield* BadArgsError.make({ message: validationError });
     }
     const response = yield* addOAuthClient({
         providerId: provider.id,
         clientName,
-        discoveryEndpoint: `https://securetoken.google.com/${encodeURIComponent(projectId)}/.well-known/openid-configuration`,
+        discoveryEndpoint: firebaseDiscoveryEndpoint(projectId),
     });
     yield* Effect.log(boxen([
         `Firebase OAuth client created: ${response.client.client_name}`,
@@ -590,29 +512,4 @@ export const authClientAddCmd = Effect.fn(function* (opts) {
     yield* Effect.logError(e.message);
     yield* Effect.log(chalk.dim('hint: run `instant-cli auth client add --help` for the list of available arguments'));
 })));
-function domainFromClerkKey(key) {
-    try {
-        const parts = key.split('_');
-        const domainPartB64 = parts[parts.length - 1];
-        const domainPart = base64Decode(domainPartB64);
-        return domainPart.replace('$', '');
-    }
-    catch (e) {
-        console.error('Error getting domain from clerk key', e);
-        return null;
-    }
-}
-// Base64 decode, switching to url-safe decode if we hit an error
-// Can't be sure which method Clerk uses because you can't generate
-// `+` or `/` with characters that go in a normal host. Urls with
-// chinese characters exist, they might encode to `+` or `/`, and
-// Clerk might support them, so we'll be safe and do both.
-function base64Decode(s) {
-    try {
-        return Buffer.from(s, 'base64').toString('utf-8');
-    }
-    catch (e) {
-        return Buffer.from(s, 'base64url').toString('utf-8');
-    }
-}
 //# sourceMappingURL=add.js.map