kasy-cli 1.31.14 → 1.34.0

package/bin/kasy.js

@@ -9,6 +9,8 @@ const { runFeatures } = require('../lib/commands/features');
 const { runValidate } = require('../lib/commands/validate');
 const { runDeployCommand } = require('../lib/commands/deploy');
 const { runConfigure } = require('../lib/commands/configure');
+const { runAppleWeb } = require('../lib/commands/apple-web');
+const { runFacebook } = require('../lib/commands/facebook');
 const { runCheck } = require('../lib/commands/check');
 const { runRun } = require('../lib/commands/run');
 const { runReset } = require('../lib/commands/reset');
@@ -336,6 +338,46 @@ function buildProgram(language) {
     t
   );
 
+  applyLocalizedHelp(
+    program
+      .command('apple-web')
+      .argument('[directory]', 'Project folder (default: current directory)', '.')
+      .option('--service-id <id>', 'Apple Service ID (the OAuth client_id), e.g. com.acme.app.signin')
+      .option('--team-id <id>', 'Apple Developer Team ID')
+      .option('--key-id <id>', 'Key ID of the .p8')
+      .option('--p8 <path>', 'Path to the Sign In with Apple .p8 private key')
+      .description(t('cli.command.appleWeb.description'))
+      .action(async (directory, options) => {
+        await runAppleWeb(directory, {
+          language,
+          serviceId: options.serviceId,
+          teamId: options.teamId,
+          keyId: options.keyId,
+          p8: options.p8,
+        });
+      }),
+    t
+  );
+
+  applyLocalizedHelp(
+    program
+      .command('facebook')
+      .argument('[directory]', 'Project folder (default: current directory)', '.')
+      .option('--app-id <id>', 'Meta App ID')
+      .option('--client-token <token>', 'Meta Client Token (Settings → Advanced)')
+      .option('--app-secret <secret>', 'Meta App Secret (for the Firebase/Supabase provider)')
+      .description(t('cli.command.facebook.description'))
+      .action(async (directory, options) => {
+        await runFacebook(directory, {
+          language,
+          appId: options.appId,
+          clientToken: options.clientToken,
+          appSecret: options.appSecret,
+        });
+      }),
+    t
+  );
+
   applyLocalizedHelp(
     program
       .command('check')

package/lib/commands/apple-web.js

@@ -0,0 +1,222 @@
+/**
+ * `kasy apple-web` — configure "Sign in with Apple" on the WEB.
+ *
+ * Apple web in-app is Firebase-only for now. Native iOS/macOS is already enabled by
+ * `kasy new` on every backend. The web flow needs a Service ID + a `.p8`, created
+ * once on developer.apple.com (no API for that — stays manual). This command:
+ *   - Firebase: writes the Apple provider's codeFlowConfig (Service ID + Team ID +
+ *     Key ID + `.p8`) and flips withAppleWebSignin true. Firebase re-signs the secret
+ *     itself, so it never expires.
+ *   - Supabase / API: web Apple isn't wired in the app yet (roadmap, see ROADMAP.md).
+ *     The command only prints a note and configures nothing / flips no flag.
+ *
+ * The inputs are cached in ~/.kasy/apple-web.json so future Firebase projects
+ * configure web Apple without asking again.
+ *
+ * Note: enableAppleWebSignIn() in supabase/deploy.js is a tested roadmap helper for
+ * the future Supabase web flow; it is not invoked by this command yet.
+ */
+
+const path = require('node:path');
+const os = require('node:os');
+const fs = require('fs-extra');
+const kleur = require('kleur');
+const ui = require('../utils/ui');
+const { printCompactHeader } = require('../utils/brand');
+const { createTranslator, detectDefaultLanguage } = require('../utils/i18n');
+const { loadAppleWebCreds, saveAppleWebCreds } = require('../utils/apple-web');
+const { configureFirebaseAppleWeb } = require('../scaffold/backends/firebase/setup-from-scratch');
+
+/** Expand a leading ~ to the user's home directory. */
+function expandHome(p) {
+  if (!p) return p;
+  return p.startsWith('~') ? path.join(os.homedir(), p.slice(1)) : p;
+}
+
+/** Set `withAppleWebSignin` to the given boolean in the project's features.dart. */
+async function setAppleWebFlag(projectDir, value) {
+  const file = path.join(projectDir, 'lib', 'core', 'config', 'features.dart');
+  if (!(await fs.pathExists(file))) return { ok: false, missing: true };
+  let content = await fs.readFile(file, 'utf8');
+  const re = /const bool withAppleWebSignin\s*=\s*(?:true|false)\s*;/;
+  if (!re.test(content)) return { ok: false, missing: true };
+  content = content.replace(re, `const bool withAppleWebSignin = ${value};`);
+  await fs.writeFile(file, content, 'utf8');
+  return { ok: true };
+}
+
+/**
+ * Resolve the four Apple inputs: from CLI flags, then the cache, then prompts.
+ * Reads the `.p8` from a file path when given. Returns null on any read failure.
+ */
+async function resolveCreds(options, t) {
+  const cached = await loadAppleWebCreds();
+
+  // Non-interactive / flag-driven path.
+  if (options.serviceId || options.teamId || options.keyId || options.p8) {
+    const privateKey = options.p8
+      ? await fs.readFile(expandHome(options.p8), 'utf8').catch(() => null)
+      : cached?.privateKey;
+    if (options.p8 && !privateKey) {
+      ui.log.error(t('appleWeb.p8ReadError'));
+      return null;
+    }
+    return {
+      serviceId: options.serviceId || cached?.serviceId,
+      teamId: options.teamId || cached?.teamId,
+      keyId: options.keyId || cached?.keyId,
+      privateKey,
+    };
+  }
+
+  // Reuse the cache without asking, unless the user wants to replace it.
+  if (cached) {
+    const reuse = await ui.confirm({
+      message: t('appleWeb.useSaved').replace('{id}', cached.serviceId),
+      initialValue: true,
+    });
+    if (reuse) return cached;
+  }
+
+  // Interactive prompts.
+  const serviceId = await ui.text({
+    message: t('appleWeb.serviceIdPrompt'),
+    placeholder: 'com.acme.app.signin',
+    validate: (v) => (v && v.trim() ? undefined : t('appleWeb.required')),
+  });
+  const teamId = await ui.text({
+    message: t('appleWeb.teamIdPrompt'),
+    placeholder: 'ABCDE12345',
+    validate: (v) => (v && v.trim() ? undefined : t('appleWeb.required')),
+  });
+  const keyId = await ui.text({
+    message: t('appleWeb.keyIdPrompt'),
+    placeholder: '6RR89XG535',
+    validate: (v) => (v && v.trim() ? undefined : t('appleWeb.required')),
+  });
+  const p8Path = await ui.text({
+    message: t('appleWeb.p8Prompt'),
+    placeholder: '~/Downloads/AuthKey_6RR89XG535.p8',
+    validate: (v) => (v && v.trim() ? undefined : t('appleWeb.required')),
+  });
+  const privateKey = await fs.readFile(expandHome(p8Path.trim()), 'utf8').catch(() => null);
+  if (!privateKey) {
+    ui.log.error(t('appleWeb.p8ReadError'));
+    return null;
+  }
+  return {
+    serviceId: serviceId.trim(),
+    teamId: teamId.trim(),
+    keyId: keyId.trim(),
+    privateKey,
+  };
+}
+
+async function runAppleWeb(directory, options = {}) {
+  const language = options.language || detectDefaultLanguage();
+  const t = createTranslator(language);
+  printCompactHeader(t);
+  ui.intro(kleur.bold(t('appleWeb.title')));
+
+  const projectDir = path.resolve(directory || '.');
+  const kitSetupPath = path.join(projectDir, 'kit_setup.json');
+  if (!(await fs.pathExists(kitSetupPath))) {
+    ui.cancel(t('appleWeb.notKasyProject'));
+    return;
+  }
+
+  let kit;
+  try {
+    kit = await fs.readJson(kitSetupPath);
+  } catch {
+    ui.cancel(t('appleWeb.notKasyProject'));
+    return;
+  }
+
+  const backend = kit.backendProvider || 'firebase';
+  const bundleId = kit.bundleId || null;
+
+  // Apple web in-app works on the Firebase backend only (signInWithPopup). On
+  // Supabase the web flow isn't wired in the app yet (roadmap) and the API backend
+  // owns its own auth — in both cases there's nothing to configure here for web Apple
+  // (native iOS is already set up by `kasy new`).
+  if (backend !== 'firebase') {
+    ui.note(t('appleWeb.notFirebase'), t('appleWeb.manualTitle'));
+    ui.outro(t('appleWeb.notFirebaseDone'));
+    return;
+  }
+
+  const projectId = kit.firebaseProjectId;
+  if (!projectId) {
+    ui.cancel(t('appleWeb.missingProjectId'));
+    return;
+  }
+
+  const creds = await resolveCreds(options, t);
+  if (!creds) return;
+  if (!creds.serviceId || !creds.teamId || !creds.keyId || !creds.privateKey) {
+    ui.cancel(t('appleWeb.incomplete'));
+    return;
+  }
+
+  // Cache for future projects.
+  await saveAppleWebCreds(creds);
+
+  const s = ui.spinner();
+  s.start(t('appleWeb.configuringFirebase'));
+  const result = await configureFirebaseAppleWeb({ projectId, bundleId, ...creds });
+  if (!result.ok) {
+    s.stop(t('appleWeb.failed'));
+    ui.log.error(result.error || 'unknown error');
+    return;
+  }
+  s.stop(t('appleWeb.firebaseOk'));
+
+  // Show the Apple button on web now that it actually works.
+  const flag = await setAppleWebFlag(projectDir, true);
+  if (flag.ok) ui.log.success(t('appleWeb.flagUpdated'));
+  else ui.log.warn(t('appleWeb.flagMissing'));
+
+  // Remind the developer of the manual Return URL their Service ID must carry.
+  const returnUrl = `https://${projectId}.firebaseapp.com/__/auth/handler`;
+  ui.note(`${t('appleWeb.returnUrlNote')}\n${kleur.cyan(returnUrl)}`, t('appleWeb.manualTitle'));
+  ui.outro(t('appleWeb.allDone'));
+}
+
+/**
+ * Called by `kasy new`: if the developer already saved Apple web credentials on a
+ * previous project (`kasy apple-web`), configure web Apple for the freshly created
+ * project automatically — same behavior in both quick and advanced modes. No
+ * prompts: it either applies (creds cached) or reports pending.
+ *
+ * @param {string} targetDir - the generated project directory
+ * @returns {{ applied: boolean, pending: boolean, backend?: string, error?: string }}
+ */
+async function autoApplyAppleWebIfCached(targetDir) {
+  let kit;
+  try {
+    kit = await fs.readJson(path.join(targetDir, 'kit_setup.json'));
+  } catch {
+    return { applied: false, pending: false };
+  }
+
+  const backend = kit.backendProvider || 'firebase';
+  // Apple web in-app is Firebase-only for now (Supabase web = roadmap, API = own
+  // server). On those backends there's nothing to apply and nothing pending.
+  if (backend !== 'firebase') return { applied: false, pending: false, backend };
+
+  const projectId = kit.firebaseProjectId;
+  if (!projectId) return { applied: false, pending: false, backend };
+
+  const creds = await loadAppleWebCreds();
+  if (!creds) return { applied: false, pending: true, backend };
+
+  const bundleId = kit.bundleId || null;
+  const result = await configureFirebaseAppleWeb({ projectId, bundleId, ...creds });
+  if (!result.ok) return { applied: false, pending: true, backend, error: result.error };
+
+  await setAppleWebFlag(targetDir, true);
+  return { applied: true, pending: false, backend };
+}
+
+module.exports = { runAppleWeb, setAppleWebFlag, autoApplyAppleWebIfCached };

package/lib/commands/configure.js

@@ -20,6 +20,7 @@ const kleur = require('kleur');
 const ui = require('../utils/ui');
 const { printCompactHeader } = require('../utils/brand');
 const { createTranslator, detectDefaultLanguage } = require('../utils/i18n');
+const { readFacebookState, writeFacebookCredentials } = require('../utils/facebook');
 
 const PLACEHOLDER_REGEX = /^(YOUR_|TODO|CHANGE_ME|<.*>$)/i;
 
@@ -261,97 +262,8 @@ async function updateEnvFile(envPath, updates) {
   await fs.outputFile(envPath, updated.join('\n'), 'utf8');
 }
 
-// ── Facebook patches ──────────────────────────────────────────────────────
-// Facebook needs the same values in two build-time files: iOS Info.plist and
-// Android strings.xml. Both ship with placeholder zeros; we replace them in
-// place so the user only types each value once.
-
-function readFacebookCurrent(content, kind) {
-  if (kind === 'plist') {
-    const appId = content.match(/<key>FacebookAppID<\/key>\s*<string>([^<]*)<\/string>/);
-    const token = content.match(/<key>FacebookClientToken<\/key>\s*<string>([^<]*)<\/string>/);
-    return { appId: (appId?.[1] || '').trim(), token: (token?.[1] || '').trim() };
-  }
-  // strings.xml
-  const appId = content.match(/<string name="facebook_app_id"[^>]*>([^<]*)<\/string>/);
-  const token = content.match(/<string name="facebook_client_token"[^>]*>([^<]*)<\/string>/);
-  return { appId: (appId?.[1] || '').trim(), token: (token?.[1] || '').trim() };
-}
-
-function isFacebookPlaceholder(value) {
-  return !value || /^0+$/.test(value);
-}
-
-async function readFacebookState(projectDir) {
-  const plistPath = path.join(projectDir, 'ios', 'Runner', 'Info.plist');
-  const stringsPath = path.join(projectDir, 'android', 'app', 'src', 'main', 'res', 'values', 'strings.xml');
-  const state = { appId: '', token: '', plistExists: false, stringsExists: false };
-  if (await fs.pathExists(plistPath)) {
-    state.plistExists = true;
-    const plistRead = readFacebookCurrent(await fs.readFile(plistPath, 'utf8'), 'plist');
-    if (!isFacebookPlaceholder(plistRead.appId)) state.appId = plistRead.appId;
-    if (!isFacebookPlaceholder(plistRead.token)) state.token = plistRead.token;
-  }
-  if (await fs.pathExists(stringsPath)) {
-    state.stringsExists = true;
-    const stringsRead = readFacebookCurrent(await fs.readFile(stringsPath, 'utf8'), 'strings');
-    // Prefer plist value when both exist; only fall back if plist was placeholder.
-    if (!state.appId && !isFacebookPlaceholder(stringsRead.appId)) state.appId = stringsRead.appId;
-    if (!state.token && !isFacebookPlaceholder(stringsRead.token)) state.token = stringsRead.token;
-  }
-  return state;
-}
-
-async function writeFacebookCredentials(projectDir, appId, clientToken) {
-  const plistPath = path.join(projectDir, 'ios', 'Runner', 'Info.plist');
-  const stringsPath = path.join(projectDir, 'android', 'app', 'src', 'main', 'res', 'values', 'strings.xml');
-  const results = { plist: 'skipped', strings: 'skipped' };
-
-  if (appId && await fs.pathExists(plistPath)) {
-    let plist = await fs.readFile(plistPath, 'utf8');
-    plist = plist.replace(
-      /(<key>FacebookAppID<\/key>\s*<string>)[^<]*(<\/string>)/,
-      `$1${appId}$2`
-    );
-    if (clientToken) {
-      plist = plist.replace(
-        /(<key>FacebookClientToken<\/key>\s*<string>)[^<]*(<\/string>)/,
-        `$1${clientToken}$2`
-      );
-    }
-    // CFBundleURLSchemes — replace `fb<zeros>` with `fb<appId>` so deep links work.
-    plist = plist.replace(/<string>fb0+<\/string>/, `<string>fb${appId}</string>`);
-    await fs.outputFile(plistPath, plist, 'utf8');
-    results.plist = 'ok';
-  } else if (appId) {
-    results.plist = 'missing_file';
-  }
-
-  if (appId && await fs.pathExists(stringsPath)) {
-    let xml = await fs.readFile(stringsPath, 'utf8');
-    xml = xml.replace(
-      /(<string name="facebook_app_id"[^>]*>)[^<]*(<\/string>)/,
-      `$1${appId}$2`
-    );
-    if (clientToken) {
-      xml = xml.replace(
-        /(<string name="facebook_client_token"[^>]*>)[^<]*(<\/string>)/,
-        `$1${clientToken}$2`
-      );
-    }
-    // fb_login_protocol_scheme — set if present.
-    xml = xml.replace(
-      /(<string name="fb_login_protocol_scheme"[^>]*>)[^<]*(<\/string>)/,
-      `$1fb${appId}$2`
-    );
-    await fs.outputFile(stringsPath, xml, 'utf8');
-    results.strings = 'ok';
-  } else if (appId) {
-    results.strings = 'missing_file';
-  }
-
-  return results;
-}
+// Facebook native build-time files (Info.plist + strings.xml) read/write moved to
+// lib/utils/facebook.js so `kasy configure` and `kasy facebook` share one source.
 
 async function setFirebaseSecret(projectDir, key, value, t) {
   // Use a tmp file to avoid newline injection / shell escaping issues.

package/lib/commands/doctor.js

@@ -151,6 +151,26 @@ async function runIosReleaseChecks(projectDir, t, language, config = {}) {
     ui.log.warn(`${t('doctor.ios.appleSignInEntitlementMissing')}\n${kleur.dim(appleEntitlement.error)}`);
   }
 
+  // Apple Sign-In on the WEB (Firebase/Supabase). Native iOS is covered above; the
+  // web button only ships once configured, so surface whether it's done or pending.
+  if (config.backendProvider === 'firebase' || config.backendProvider === 'supabase') {
+    let webConfigured = false;
+    try {
+      const featuresContent = await fs.readFile(
+        path.join(projectDir, 'lib', 'core', 'config', 'features.dart'),
+        'utf8',
+      );
+      webConfigured = /const bool withAppleWebSignin\s*=\s*true\s*;/.test(featuresContent);
+    } catch {
+      // features.dart not found — leave as not configured.
+    }
+    if (webConfigured) {
+      ui.log.success(t('doctor.appleWeb.ok'));
+    } else {
+      ui.log.message(kleur.dim(`– ${t('doctor.appleWeb.pending')}`));
+    }
+  }
+
   if (config.withFacebookPixel) {
     const facebook = await validateFacebookInfoPlist(projectDir);
     if (facebook.skipped) {

package/lib/commands/facebook.js

@@ -0,0 +1,189 @@
+/**
+ * `kasy facebook` — guided Facebook Login setup.
+ *
+ * Facebook needs a Meta app (created manually on developers.facebook.com — no API
+ * for that, like Apple). This command guides that manual part (opens the Meta link,
+ * tells you exactly what to grab and which redirect URIs to register) and then
+ * automates everything that CAN be automated:
+ *   - writes App ID + Client Token into iOS Info.plist + Android strings.xml
+ *   - enables the Facebook provider on the backend: Firebase (Identity Toolkit) or
+ *     Supabase (Management API), using App ID + App Secret
+ *   - API backend: writes native files only (auth lives on your server)
+ *
+ * Credentials are cached in ~/.kasy/facebook.json so future projects reuse them
+ * (the `kasy new` auto-apply uses the same cache).
+ */
+
+const path = require('node:path');
+const fs = require('fs-extra');
+const kleur = require('kleur');
+const ui = require('../utils/ui');
+const { printCompactHeader } = require('../utils/brand');
+const { createTranslator, detectDefaultLanguage } = require('../utils/i18n');
+const { promptOpenBrowser } = require('../utils/browser');
+const { loadFacebookCreds, saveFacebookCreds, writeFacebookCredentials, setFacebookWebFlag } = require('../utils/facebook');
+const { configureFirebaseFacebook } = require('../scaffold/backends/firebase/setup-from-scratch');
+const { enableFacebookSignIn } = require('../scaffold/backends/supabase/deploy');
+
+const META_APPS_URL = 'https://developers.facebook.com/apps';
+
+/** Resolve App ID / Client Token / App Secret from flags, then cache, then prompts. */
+async function resolveFbCreds(options, backend, t) {
+  const cached = await loadFacebookCreds();
+  const needsSecret = backend === 'firebase' || backend === 'supabase';
+
+  if (options.appId || options.clientToken || options.appSecret) {
+    return {
+      appId: options.appId || cached?.appId,
+      clientToken: options.clientToken || cached?.clientToken,
+      appSecret: options.appSecret || cached?.appSecret,
+    };
+  }
+
+  if (cached) {
+    const reuse = await ui.confirm({
+      message: t('facebook.useSaved').replace('{id}', cached.appId),
+      initialValue: true,
+    });
+    if (reuse) return cached;
+  }
+
+  const req = (v) => (v && v.trim() ? undefined : t('facebook.required'));
+  const appId = await ui.text({ message: t('facebook.appIdPrompt'), placeholder: '1234567890', validate: req });
+  const clientToken = await ui.text({ message: t('facebook.clientTokenPrompt'), validate: req });
+  let appSecret = '';
+  if (needsSecret) {
+    appSecret = await ui.text({ message: t('facebook.appSecretPrompt'), validate: req });
+  }
+  return { appId: appId.trim(), clientToken: clientToken.trim(), appSecret: (appSecret || '').trim() };
+}
+
+/** Push the Facebook provider config to the project's backend. */
+async function applyBackend(backend, projectId, creds, t, s) {
+  if (backend === 'firebase') {
+    s.start(t('facebook.configuringFirebase'));
+    const r = await configureFirebaseFacebook({ projectId, appId: creds.appId, appSecret: creds.appSecret });
+    s.stop(r.ok ? t('facebook.firebaseOk') : t('facebook.backendFailed'));
+    return r;
+  }
+  if (backend === 'supabase') {
+    s.start(t('facebook.configuringSupabase'));
+    const r = await enableFacebookSignIn(projectId, { appId: creds.appId, appSecret: creds.appSecret });
+    s.stop(r.ok ? t('facebook.supabaseOk') : t('facebook.backendFailed'));
+    return r;
+  }
+  return { ok: false, skipped: true };
+}
+
+async function runFacebook(directory, options = {}) {
+  const language = options.language || detectDefaultLanguage();
+  const t = createTranslator(language);
+  printCompactHeader(t);
+  ui.intro(kleur.bold(t('facebook.title')));
+
+  const projectDir = path.resolve(directory || '.');
+  let kit;
+  try {
+    kit = await fs.readJson(path.join(projectDir, 'kit_setup.json'));
+  } catch {
+    ui.cancel(t('facebook.notKasyProject'));
+    return;
+  }
+
+  const backend = kit.backendProvider || 'firebase';
+  const projectId = backend === 'firebase' ? kit.firebaseProjectId : kit.supabaseProjectId;
+
+  // 1. Guide the manual Meta part (no API to automate it).
+  ui.note(t('facebook.metaIntro'), t('facebook.metaTitle'));
+  await promptOpenBrowser({
+    url: META_APPS_URL,
+    label: t('facebook.metaOpenLabel'),
+    confirmMessage: t('facebook.metaOpenConfirm'),
+    t,
+  });
+
+  // 2. Collect credentials (cache-aware).
+  const creds = await resolveFbCreds(options, backend, t);
+  if (!creds.appId) {
+    ui.cancel(t('facebook.incomplete'));
+    return;
+  }
+  await saveFacebookCreds(creds);
+
+  // 3. Write the native build-time files (same for every backend).
+  const native = await writeFacebookCredentials(projectDir, creds.appId, creds.clientToken);
+  if (native.plist === 'ok' || native.strings === 'ok') ui.log.success(t('facebook.nativeOk'));
+  else ui.log.warn(t('facebook.nativeMissing'));
+
+  // 4. Enable the backend provider (Firebase/Supabase). API backend has no managed auth.
+  let backendEnabled = false;
+  if (backend === 'api') {
+    ui.note(t('facebook.backendApi'), t('facebook.metaTitle'));
+  } else if (!projectId) {
+    ui.log.warn(t('facebook.missingProjectId'));
+  } else if (!creds.appSecret) {
+    ui.log.warn(t('facebook.noSecret'));
+  } else {
+    const s = ui.spinner();
+    const r = await applyBackend(backend, projectId, creds, t, s);
+    backendEnabled = !!r.ok;
+    if (!r.ok && !r.skipped) ui.log.error(r.error || 'unknown error');
+  }
+
+  // 5. Web: Facebook on the web works on the Firebase backend (signInWithPopup).
+  // Only flip the flag (which shows the web button) AFTER the provider was actually
+  // enabled — otherwise the button would be a dead button. On Supabase the web flow
+  // isn't wired in the app yet (roadmap), so we never flip it there.
+  if (backend === 'firebase' && backendEnabled) {
+    const flag = await setFacebookWebFlag(projectDir, true);
+    if (flag.ok) ui.log.success(t('facebook.flagUpdated'));
+    const redirectUrl = `https://${projectId}.firebaseapp.com/__/auth/handler`;
+    ui.note(`${t('facebook.redirectNote')}\n${kleur.cyan(redirectUrl)}`, t('facebook.metaTitle'));
+  } else if (backend === 'supabase') {
+    ui.log.info(t('facebook.webRoadmap'));
+  }
+
+  ui.outro(t('facebook.allDone'));
+}
+
+/**
+ * Called by `kasy new`: if Facebook login is enabled in the project AND credentials
+ * were saved before (`kasy facebook`), configure it for the fresh project (native
+ * files + backend provider) without prompting. Returns status for the success card.
+ *
+ * @returns {{ applied: boolean, pending: boolean }}
+ */
+async function autoApplyFacebookIfCached(targetDir) {
+  let kit;
+  try {
+    kit = await fs.readJson(path.join(targetDir, 'kit_setup.json'));
+  } catch {
+    return { applied: false, pending: false };
+  }
+  // The 'facebook' module drives both the login button and the Pixel flag.
+  if (!kit.withFacebookPixel) return { applied: false, pending: false };
+
+  const creds = await loadFacebookCreds();
+  if (!creds) return { applied: false, pending: true };
+
+  // Native files (App ID + Client Token) apply to every backend — Facebook native
+  // works on iOS/Android on Firebase and Supabase alike.
+  await writeFacebookCredentials(targetDir, creds.appId, creds.clientToken);
+
+  const backend = kit.backendProvider || 'firebase';
+  const projectId = backend === 'firebase' ? kit.firebaseProjectId : kit.supabaseProjectId;
+  if ((backend === 'firebase' || backend === 'supabase') && projectId && creds.appSecret) {
+    if (backend === 'firebase') {
+      await configureFirebaseFacebook({ projectId, appId: creds.appId, appSecret: creds.appSecret });
+    } else {
+      await enableFacebookSignIn(projectId, { appId: creds.appId, appSecret: creds.appSecret });
+    }
+  }
+  // Show the web Facebook button only where it works in-app (Firebase popup).
+  if (backend === 'firebase' && projectId && creds.appSecret) {
+    await setFacebookWebFlag(targetDir, true);
+  }
+  return { applied: true, pending: false };
+}
+
+module.exports = { runFacebook, autoApplyFacebookIfCached };