npm - komplian - Versions diffs - 0.7.0 → 0.7.2 - Mend

komplian 0.7.0 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/komplian-setup.mjs CHANGED Viewed

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
 /**
- * Komplian setup — un solo comando: onboard → postman → mcp-tools → db:all:dev → localhost.
- * Por defecto abre el navegador en localhost para datos sensibles (Postman API key, URLs Neon dev)
- * con texto de ayuda; alternativa: --terminal-only (sin navegador).
+ * Komplian setup — one flow: onboard → postman → mcp-tools → db:all:dev → localhost.
+ * Local browser UI (127.0.0.1 only) for secrets; optional Neon OAuth when env is configured.
+ * Postman’s HTTP API uses API keys only (no OAuth); the UI links to key creation.
  */
 import { spawnSync } from "node:child_process";
 import { createServer } from "node:http";
-import { randomBytes } from "node:crypto";
+import { createHash, randomBytes } from "node:crypto";
 import { existsSync, mkdirSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -41,12 +41,123 @@ const c = {
   yellow: "\x1b[33m",
 };
-function log(s = "") {
+function out(s = "") {
   console.log(s);
 }
+function errLine(s = "") {
+  console.error(s);
+}
 const PLACEHOLDER = "komplian_localhost_placeholder";
+function b64url(buf) {
+  return Buffer.from(buf)
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/g, "");
+}
+function newPkce() {
+  const verifier = b64url(randomBytes(32));
+  const challenge = b64url(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function neonOAuthEnvReady() {
+  const id = process.env.KOMPLIAN_NEON_OAUTH_CLIENT_ID?.trim();
+  const sec = process.env.KOMPLIAN_NEON_OAUTH_CLIENT_SECRET?.trim();
+  const redir = process.env.KOMPLIAN_NEON_OAUTH_REDIRECT_URI?.trim();
+  const a = process.env.KOMPLIAN_NEON_OAUTH_PROJECT_ID_APP?.trim();
+  const b = process.env.KOMPLIAN_NEON_OAUTH_PROJECT_ID_ADMIN?.trim();
+  const w = process.env.KOMPLIAN_NEON_OAUTH_PROJECT_ID_WEB?.trim();
+  return !!(id && sec && redir && a && b && w);
+}
+function parseListenFromRedirectUri() {
+  const u = process.env.KOMPLIAN_NEON_OAUTH_REDIRECT_URI?.trim();
+  if (!u) return null;
+  try {
+    const x = new URL(u);
+    if (x.hostname !== "127.0.0.1" && x.hostname !== "localhost") return null;
+    const port = Number(x.port || (x.protocol === "https:" ? 443 : 80));
+    if (!Number.isFinite(port) || port <= 0) return null;
+    return { host: "127.0.0.1", port, pathname: x.pathname || "/" };
+  } catch {
+    return null;
+  }
+}
+async function neonExchangeCode(clientId, clientSecret, redirectUri, code, verifier) {
+  const body = new URLSearchParams({
+    client_id: clientId,
+    client_secret: clientSecret,
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri,
+    code_verifier: verifier,
+  });
+  const r = await fetch("https://oauth2.neon.tech/oauth2/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body,
+  });
+  const j = await r.json().catch(() => ({}));
+  if (!r.ok) {
+    return {
+      ok: false,
+      error: typeof j.error_description === "string" ? j.error_description : "Neon token exchange failed.",
+    };
+  }
+  if (!j.access_token) return { ok: false, error: "No access_token from Neon." };
+  return { ok: true, access_token: j.access_token };
+}
+async function neonFetchConnectionUri(accessToken, projectId) {
+  const h = {
+    Authorization: `Bearer ${accessToken}`,
+    Accept: "application/json",
+  };
+  const br = await fetch(
+    `https://console.neon.tech/api/v2/projects/${encodeURIComponent(projectId)}/branches`,
+    { headers: h }
+  );
+  const bj = await br.json().catch(() => ({}));
+  const branches = Array.isArray(bj.branches)
+    ? bj.branches
+    : Array.isArray(bj.data?.branches)
+      ? bj.data.branches
+      : [];
+  const branch = branches.find((x) => x.default === true) || branches[0];
+  if (!branch?.id) return { ok: false, error: "No default branch for project." };
+  const cr = await fetch(
+    `https://console.neon.tech/api/v2/projects/${encodeURIComponent(projectId)}/connection_uri?branch_id=${encodeURIComponent(branch.id)}&database_name=neondb`,
+    { headers: h }
+  );
+  const cj = await cr.json().catch(() => ({}));
+  const uri = cj.uri || cj.connection_uri;
+  if (!cr.ok || typeof uri !== "string" || !uri.startsWith("postgres")) {
+    return { ok: false, error: "Could not read connection URI from Neon API." };
+  }
+  return { ok: true, uri };
+}
+async function neonBuildTriplet(accessToken) {
+  const appId = process.env.KOMPLIAN_NEON_OAUTH_PROJECT_ID_APP?.trim();
+  const adminId = process.env.KOMPLIAN_NEON_OAUTH_PROJECT_ID_ADMIN?.trim();
+  const webId = process.env.KOMPLIAN_NEON_OAUTH_PROJECT_ID_WEB?.trim();
+  const [ra, rb, rw] = await Promise.all([
+    neonFetchConnectionUri(accessToken, appId),
+    neonFetchConnectionUri(accessToken, adminId),
+    neonFetchConnectionUri(accessToken, webId),
+  ]);
+  if (!ra.ok) return { ok: false, error: ra.error };
+  if (!rb.ok) return { ok: false, error: rb.error };
+  if (!rw.ok) return { ok: false, error: rw.error };
+  return { ok: true, db: { app: ra.uri, admin: rb.uri, web: rw.uri } };
+}
 function isValidPostgresUrl(s) {
   const t = (s || "").trim();
   if (!t.startsWith("postgresql://") && !t.startsWith("postgres://")) return false;
@@ -85,126 +196,211 @@ function openBrowserSync(url) {
       spawnSync("xdg-open", [url], { stdio: "ignore" });
     }
   } catch {
-    log(`${c.yellow}○${c.reset} No se pudo abrir el navegador. Abre manualmente: ${c.bold}${url}${c.reset}`);
+    errLine(`${c.yellow}○${c.reset} Open this URL in your browser: ${url}`);
   }
 }
-function buildSetupPageHtml(token, { needsPostmanKey, needsDbUrls, emailDomain }) {
-  const esc = (s) =>
-    String(s)
-      .replace(/&/g, "&amp;")
-      .replace(/</g, "&lt;")
-      .replace(/"/g, "&quot;");
-  const postmanBlock = needsPostmanKey
-    ? `
-    <section class="card">
-      <h2>1. Postman API key</h2>
-      <p class="help">Crea una clave en Postman → <strong>Settings</strong> → <strong>API keys</strong> → Generate. Cuenta con email <strong>@${esc(emailDomain)}</strong>. Se guarda en <code>~/.komplian/postman-api-key</code>. Si la dejas vacía, la terminal te la pedirá en el paso Postman.</p>
-      <label for="postman_api_key">API key (opcional aquí)</label>
-      <input type="password" id="postman_api_key" name="postman_api_key" autocomplete="off" placeholder="PMAK-…" />
+const LOGO_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="132" height="28" viewBox="0 0 132 28" fill="none" aria-hidden="true"><text x="0" y="20" fill="#fafafa" font-family="system-ui,-apple-system,sans-serif" font-size="18" font-weight="600">Komplian</text><circle cx="124" cy="14" r="4" fill="#22c55e"/></svg>`;
+function buildSetupPageHtml(token, opts) {
+  const { needsPostmanKey, needsDbUrls, emailDomain, neonOAuth } = opts;
+  const postmanSection = needsPostmanKey
+    ? `<section class="card">
+      <p class="fine">Postman does not provide OAuth for API keys. Open your account, create a key, paste it once.</p>
+      <a class="btn secondary" href="https://go.postman.co/settings/me/api-keys" target="_blank" rel="noopener">Open Postman</a>
+      <label>API key · @${emailDomain.replace(/"/g, "")}</label>
+      <input type="password" id="postman_api_key" autocomplete="off" placeholder="••••••••" />
     </section>`
     : "";
-  const dbBlock = needsDbUrls
-    ? `
-    <section class="card">
-      <h2>${needsPostmanKey ? "2" : "1"}. Bases de datos (solo desarrollo)</h2>
-      <p class="help">Pega las connection strings <strong>postgresql://…</strong> de Neon (rama <em>development</em> u homólogo). Tres bases: <strong>app</strong> (también usa la API), <strong>admin</strong> y <strong>web</strong> (pilot). Se escriben en <code>~/.komplian/dev-databases.json</code> y en cada <code>.env.local</code> del monorepo.</p>
-      <label for="db_app">URL APP (app + API)</label>
-      <textarea id="db_app" name="db_app" rows="2" placeholder="postgresql://…"></textarea>
-      <label for="db_admin">URL ADMIN</label>
-      <textarea id="db_admin" name="db_admin" rows="2" placeholder="postgresql://…"></textarea>
-      <label for="db_web">URL WEB (pilot)</label>
-      <textarea id="db_web" name="db_web" rows="2" placeholder="postgresql://…"></textarea>
-    </section>`
+  const neonBtn = neonOAuth && needsDbUrls
+    ? `<button type="button" class="btn secondary" id="neon_oauth">Connect Neon</button>
+       <p id="neon_status" class="fine hidden">Linked.</p>`
     : "";
+  const dbFields = `<label>APP + API</label><textarea id="db_app" rows="2" autocomplete="off"></textarea>
+      <label>ADMIN</label><textarea id="db_admin" rows="2" autocomplete="off"></textarea>
+      <label>WEB</label><textarea id="db_web" rows="2" autocomplete="off"></textarea>`;
+  const dbManual =
+    needsDbUrls && !neonOAuth
+      ? `<section class="card">${dbFields}</section>`
+      : needsDbUrls && neonOAuth
+        ? `<section class="card"><details class="fine" style="margin:0"><summary style="cursor:pointer;outline:none">Paste URLs</summary>${dbFields}</details></section>`
+        : "";
   return `<!DOCTYPE html>
-<html lang="es">
+<html lang="en">
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>Komplian setup</title>
+  <title>Komplian</title>
   <style>
-    :root { font-family: system-ui, sans-serif; background: #0a0a0a; color: #e5e5e5; }
-    body { max-width: 640px; margin: 2rem auto; padding: 0 1rem; }
-    h1 { font-size: 1.25rem; font-weight: 600; }
-    .card { background: #171717; border: 1px solid #262626; border-radius: 10px; padding: 1.25rem; margin-bottom: 1.25rem; }
-    .help { color: #a3a3a3; font-size: 0.9rem; line-height: 1.5; margin: 0 0 1rem; }
-    label { display: block; font-size: 0.8rem; color: #737373; margin: 0.75rem 0 0.35rem; }
-    input, textarea { width: 100%; box-sizing: border-box; padding: 0.6rem 0.75rem; border-radius: 8px; border: 1px solid #404040; background: #0a0a0a; color: #fafafa; font-family: ui-monospace, monospace; font-size: 0.85rem; }
-    button { margin-top: 1.25rem; width: 100%; padding: 0.85rem; border: none; border-radius: 8px; background: #fafafa; color: #0a0a0a; font-weight: 600; cursor: pointer; font-size: 1rem; }
-    button:disabled { opacity: 0.5; cursor: not-allowed; }
-    .err { color: #f87171; font-size: 0.9rem; margin-top: 0.75rem; white-space: pre-wrap; }
-    .ok { color: #4ade80; margin-top: 1rem; }
-    code { font-size: 0.8em; background: #262626; padding: 0.1em 0.35em; border-radius: 4px; }
+    :root { --bg:#0a0a0a; --fg:#fafafa; --muted:#737373; --line:#262626; --card:#111; --accent:#22c55e; }
+    * { box-sizing: border-box; }
+    body { margin:0; min-height:100vh; font-family:system-ui,-apple-system,sans-serif; background:var(--bg); color:var(--fg);
+      display:flex; align-items:center; justify-content:center; padding:1.5rem; }
+    .wrap { width:100%; max-width:380px; }
+    .logo { margin-bottom:1.75rem; }
+    .card { background:var(--card); border:1px solid var(--line); border-radius:12px; padding:1.25rem; margin-bottom:1rem; }
+    label { display:block; font-size:0.7rem; letter-spacing:0.06em; text-transform:uppercase; color:var(--muted); margin:1rem 0 0.4rem; }
+    input, textarea { width:100%; padding:0.65rem 0.75rem; border-radius:8px; border:1px solid var(--line); background:#0a0a0a; color:var(--fg); font-family:ui-monospace,monospace; font-size:0.8rem; }
+    .btn { display:block; width:100%; margin-top:0.75rem; padding:0.75rem; border:none; border-radius:8px; font-weight:600; font-size:0.9rem; cursor:pointer; text-align:center; text-decoration:none; }
+    .btn.primary { background:var(--fg); color:var(--bg); }
+    .btn.secondary { background:transparent; color:var(--fg); border:1px solid var(--line); }
+    .btn:disabled { opacity:0.45; cursor:not-allowed; }
+    .fine { font-size:0.75rem; color:var(--muted); line-height:1.45; margin:0 0 0.75rem; }
+    .err { color:#f87171; font-size:0.8rem; margin-top:0.75rem; display:none; }
+    .hidden { display:none !important; }
   </style>
 </head>
 <body>
-  <h1>Komplian — asistente de setup</h1>
-  <p class="help">Esta ventana es local (solo tu ordenador). Rellena lo que pida el asistente y pulsa <strong>Continuar</strong>. Puedes cerrar la pestaña después del mensaje de éxito.</p>
-  ${postmanBlock}
-  ${dbBlock}
-  <div id="err" class="err" style="display:none"></div>
-  <div id="ok" class="ok" style="display:none"></div>
-  <button type="button" id="go">Continuar</button>
+  <div class="wrap">
+    <div class="logo">${LOGO_SVG}</div>
+    ${postmanSection}
+    ${needsDbUrls ? `<section class="card">${neonBtn}</section>` : ""}
+    ${dbManual}
+    <div id="err" class="err"></div>
+    <button type="button" class="btn primary" id="go">Continue</button>
+  </div>
   <script>
     const TOKEN = ${JSON.stringify(token)};
     const needsPostman = ${JSON.stringify(needsPostmanKey)};
     const needsDb = ${JSON.stringify(needsDbUrls)};
+    const neonOAuth = ${JSON.stringify(!!neonOAuth)};
+    function showErr(t) {
+      const e = document.getElementById("err");
+      e.textContent = t;
+      e.style.display = "block";
+    }
+    async function submitBody(body) {
+      const r = await fetch("/submit", { method:"POST", headers:{ "Content-Type":"application/json" }, body: JSON.stringify(body) });
+      const j = await r.json().catch(() => ({}));
+      if (!r.ok || !j.ok) { showErr(j.error || "Try again."); return false; }
+      return true;
+    }
+    let pollTimer;
+    if (neonOAuth && needsDb) {
+      pollTimer = setInterval(async () => {
+        try {
+          const r = await fetch("/neon/status");
+          const j = await r.json();
+          if (j.ready) {
+            clearInterval(pollTimer);
+            document.getElementById("neon_status")?.classList.remove("hidden");
+          }
+        } catch {}
+      }, 900);
+      document.getElementById("neon_oauth")?.addEventListener("click", () => { location.href = "/neon/start"; });
+    }
     document.getElementById("go").onclick = async () => {
-      const err = document.getElementById("err");
-      const ok = document.getElementById("ok");
-      err.style.display = "none";
-      ok.style.display = "none";
+      document.getElementById("err").style.display = "none";
       const body = { token: TOKEN };
-      if (needsPostman) body.postman_api_key = (document.getElementById("postman_api_key") || {}).value || "";
+      if (needsPostman) body.postman_api_key = (document.getElementById("postman_api_key")||{}).value || "";
       if (needsDb) {
-        body.db_app = (document.getElementById("db_app") || {}).value || "";
-        body.db_admin = (document.getElementById("db_admin") || {}).value || "";
-        body.db_web = (document.getElementById("db_web") || {}).value || "";
+        body.db_app = (document.getElementById("db_app")||{}).value || "";
+        body.db_admin = (document.getElementById("db_admin")||{}).value || "";
+        body.db_web = (document.getElementById("db_web")||{}).value || "";
       }
       const btn = document.getElementById("go");
       btn.disabled = true;
-      try {
-        const r = await fetch("/submit", {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify(body),
-        });
-        const j = await r.json().catch(() => ({}));
-        if (!r.ok || !j.ok) {
-          err.textContent = j.error || "Error al validar. Revisa los datos.";
-          err.style.display = "block";
-          btn.disabled = false;
-          return;
-        }
-        ok.textContent = "Listo. Vuelve a la terminal; puedes cerrar esta pestaña.";
-        ok.style.display = "block";
-      } catch (e) {
-        err.textContent = "No se pudo enviar. ¿Sigues en la misma red local?";
-        err.style.display = "block";
-        btn.disabled = false;
-      }
+      if (await submitBody(body)) {
+        setTimeout(() => { try { window.close(); } catch(_){} window.location.href = "about:blank"; }, 400);
+      } else btn.disabled = false;
     };
   </script>
 </body>
 </html>`;
 }
-/**
- * Servidor solo en 127.0.0.1. Devuelve { postmanKey?, db } según lo pedido.
- */
 function runSetupBrowserForm(opts) {
   const {
     needsPostmanKey,
     needsDbUrls,
     emailDomain,
+    neonOAuth,
+    listenHost,
+    listenPort,
     timeoutMs = 600_000,
   } = opts;
   return new Promise((resolvePromise, rejectPromise) => {
     const token = randomBytes(24).toString("hex");
+    const ctx = {
+      token,
+      neonPkce: null,
+      neonTriplet: null,
+      needsPostmanKey,
+      needsDbUrls,
+      emailDomain,
+    };
     const server = createServer(async (req, res) => {
-      const url = new URL(req.url || "/", `http://127.0.0.1`);
+      const url = new URL(req.url || "/", "http://127.0.0.1");
+      if (req.method === "GET" && url.pathname === "/neon/status") {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ ready: !!ctx.neonTriplet && isValidTriplet(ctx.neonTriplet) }));
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/neon/start" && neonOAuth) {
+        const { verifier, challenge } = newPkce();
+        const state = b64url(randomBytes(16));
+        ctx.neonPkce = { verifier, state };
+        const clientId = process.env.KOMPLIAN_NEON_OAUTH_CLIENT_ID.trim();
+        const redirectUri = process.env.KOMPLIAN_NEON_OAUTH_REDIRECT_URI.trim();
+        const scope = [
+          "openid",
+          "offline",
+          "offline_access",
+          "urn:neoncloud:projects:read",
+        ].join(" ");
+        const auth = new URL("https://oauth2.neon.tech/oauth2/auth");
+        auth.searchParams.set("client_id", clientId);
+        auth.searchParams.set("redirect_uri", redirectUri);
+        auth.searchParams.set("response_type", "code");
+        auth.searchParams.set("scope", scope);
+        auth.searchParams.set("state", state);
+        auth.searchParams.set("code_challenge", challenge);
+        auth.searchParams.set("code_challenge_method", "S256");
+        res.writeHead(302, { Location: auth.toString() });
+        res.end();
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/neon/callback" && neonOAuth) {
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const st = ctx.neonPkce;
+        if (!code || !st || state !== st.state) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end("<!DOCTYPE html><html><body style='background:#0a0a0a;color:#fafafa;font-family:system-ui;padding:2rem'>Invalid OAuth state. Close this tab.</body></html>");
+          return;
+        }
+        const clientId = process.env.KOMPLIAN_NEON_OAUTH_CLIENT_ID.trim();
+        const clientSecret = process.env.KOMPLIAN_NEON_OAUTH_CLIENT_SECRET.trim();
+        const redirectUri = process.env.KOMPLIAN_NEON_OAUTH_REDIRECT_URI.trim();
+        const ex = await neonExchangeCode(clientId, clientSecret, redirectUri, code, st.verifier);
+        if (!ex.ok) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(`<!DOCTYPE html><html><body style='background:#0a0a0a;color:#f87171;font-family:system-ui;padding:2rem'>${String(ex.error).replace(/</g, "")}</body></html>`);
+          return;
+        }
+        const trip = await neonBuildTriplet(ex.access_token);
+        if (!trip.ok) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(`<!DOCTYPE html><html><body style='background:#0a0a0a;color:#f87171;font-family:system-ui;padding:2rem'>${String(trip.error).replace(/</g, "")}</body></html>`);
+          return;
+        }
+        ctx.neonTriplet = trip.db;
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(`<!DOCTYPE html><html><body style='background:#0a0a0a;color:#fafafa;font-family:system-ui;padding:2rem;text-align:center'>
+          <p>Neon connected.</p>
+          <script>setTimeout(function(){ try{window.close();}catch(e){} }, 300);</script>
+        </body></html>`);
+        return;
+      }
       if (req.method === "GET" && url.pathname === "/") {
         res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
@@ -213,6 +409,7 @@ function runSetupBrowserForm(opts) {
             needsPostmanKey,
             needsDbUrls,
             emailDomain,
+            neonOAuth,
           })
         );
         return;
@@ -226,12 +423,12 @@ function runSetupBrowserForm(opts) {
           data = JSON.parse(raw || "{}");
         } catch {
           res.writeHead(400, { "Content-Type": "application/json" });
-          res.end(JSON.stringify({ ok: false, error: "JSON inválido." }));
+          res.end(JSON.stringify({ ok: false, error: "Bad JSON." }));
           return;
         }
         if (data.token !== token) {
           res.writeHead(403, { "Content-Type": "application/json" });
-          res.end(JSON.stringify({ ok: false, error: "Token inválido." }));
+          res.end(JSON.stringify({ ok: false, error: "Bad token." }));
           return;
         }
@@ -243,7 +440,7 @@ function runSetupBrowserForm(opts) {
             const v = await validatePostmanApiKeyForKomplian(pk, emailDomain);
             if (!v.ok) {
               res.writeHead(400, { "Content-Type": "application/json" });
-              res.end(JSON.stringify({ ok: false, error: v.error || "Postman inválido." }));
+              res.end(JSON.stringify({ ok: false, error: v.error || "Invalid Postman key." }));
               return;
             }
             out.postmanKey = pk;
@@ -251,23 +448,28 @@ function runSetupBrowserForm(opts) {
         }
         if (needsDbUrls) {
-          const triplet = {
-            app: String(data.db_app || "").trim(),
-            admin: String(data.db_admin || "").trim(),
-            web: String(data.db_web || "").trim(),
-          };
-          if (!isValidTriplet(triplet)) {
-            res.writeHead(400, { "Content-Type": "application/json" });
-            res.end(
-              JSON.stringify({
-                ok: false,
-                error:
-                  "Las tres URLs deben ser postgresql:// o postgres:// válidas (sin placeholder).",
-              })
-            );
-            return;
+          if (ctx.neonTriplet && isValidTriplet(ctx.neonTriplet)) {
+            out.db = ctx.neonTriplet;
+          } else {
+            const triplet = {
+              app: String(data.db_app || "").trim(),
+              admin: String(data.db_admin || "").trim(),
+              web: String(data.db_web || "").trim(),
+            };
+            if (!isValidTriplet(triplet)) {
+              res.writeHead(400, { "Content-Type": "application/json" });
+              res.end(
+                JSON.stringify({
+                  ok: false,
+                  error: neonOAuth
+                    ? "Connect Neon or paste three postgres URLs."
+                    : "Three valid postgres:// URLs required.",
+                })
+              );
+              return;
+            }
+            out.db = triplet;
           }
-          out.db = triplet;
         }
         res.writeHead(200, { "Content-Type": "application/json" });
@@ -286,27 +488,21 @@ function runSetupBrowserForm(opts) {
     const timer = setTimeout(() => {
       server.close();
-      rejectPromise(new Error("Tiempo agotado esperando el formulario en el navegador."));
+      rejectPromise(new Error("Browser setup timed out."));
     }, timeoutMs);
-    server.listen(0, "127.0.0.1", () => {
+    const onListen = () => {
       const addr = server.address();
-      const port = typeof addr === "object" && addr ? addr.port : 0;
-      const openUrl = `http://127.0.0.1:${port}/`;
-      log("");
-      log(
-        `${c.cyan}━━ Navegador (formulario local) ━━${c.reset} ${c.bold}${openUrl}${c.reset}`
-      );
-      log(
-        `${c.dim}Solo escucha en tu máquina (127.0.0.1). Cierra la pestaña tras el mensaje de éxito.${c.reset}`
-      );
-      openBrowserSync(openUrl);
-    });
+      const port = typeof addr === "object" && addr ? addr.port : listenPort;
+      openBrowserSync(`http://127.0.0.1:${port}/`);
+    };
     server.on("error", (e) => {
       clearTimeout(timer);
       rejectPromise(e);
     });
+    server.listen(listenPort, listenHost, onListen);
   });
 }
@@ -322,8 +518,7 @@ function parseArgs(argv) {
   };
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
-    if (a === "--terminal-only" || a === "--no-browser")
-      out.terminalOnly = true;
+    if (a === "--terminal-only" || a === "--no-browser") out.terminalOnly = true;
     else if (a === "-w" || a === "--workspace") out.workspace = argv[++i] || "";
     else if (a === "-t" || a === "--team") out.team = argv[++i] || "";
     else if (a === "--ssh") out.ssh = true;
@@ -331,7 +526,7 @@ function parseArgs(argv) {
     else if (a === "--no-install") out.noInstall = true;
     else if (a === "-h" || a === "--help") out.help = true;
     else if (a.startsWith("-")) {
-      log(`${c.red}✗${c.reset} Opción desconocida: ${a}`);
+      errLine(`${c.red}✗${c.reset} Unknown option: ${a}`);
       process.exit(1);
     } else if (!out.workspace) out.workspace = a;
   }
@@ -339,22 +534,21 @@ function parseArgs(argv) {
 }
 function usage() {
-  log(`Uso: npx komplian setup [opciones] [carpeta-workspace]`);
-  log(``);
-  log(
-    `  Orden: ${c.bold}onboard${c.reset} → ${c.bold}postman${c.reset} → ${c.bold}mcp-tools${c.reset} → ${c.bold}db:all:dev${c.reset} → ${c.bold}localhost${c.reset}`
-  );
-  log(
-    `  Por defecto abre el ${c.bold}navegador${c.reset} para Postman API key (si falta) y las 3 URLs Neon dev (si faltan).`
-  );
-  log(``);
-  log(`  --terminal-only     Sin formulario web; postman/db usan terminal o env`);
-  log(`  -w, --workspace     Raíz del monorepo (destino del clone)`);
-  log(`  -t, --team          Equipo (komplian-team-repos.json)`);
-  log(`  --all-repos         Clonar todos los repos del JSON`);
-  log(`  --ssh               Clonar por SSH`);
-  log(`  --no-install        No npm install tras clone`);
-  log(`  -h, --help`);
+  out(`Usage: npx komplian setup [options] [workspace-dir]`);
+  out(``);
+  out(`  Runs: onboard → postman → mcp-tools → db:all:dev → localhost`);
+  out(`  Secrets: local browser on 127.0.0.1 (no URLs or DB strings printed).`);
+  out(`  Neon OAuth (optional): set KOMPLIAN_NEON_OAUTH_CLIENT_ID, _CLIENT_SECRET,`);
+  out(`  _REDIRECT_URI (http://127.0.0.1:<port>/neon/callback), and project IDs:`);
+  out(`  KOMPLIAN_NEON_OAUTH_PROJECT_ID_APP, _ADMIN, _WEB. Partner OAuth required from Neon.`);
+  out(``);
+  out(`  --terminal-only   No browser`);
+  out(`  -w, --workspace   Clone / monorepo root`);
+  out(`  -t, --team        Team slug (komplian-team-repos.json)`);
+  out(`  --all-repos       Clone all repos from JSON`);
+  out(`  --ssh             git@ clone`);
+  out(`  --no-install      Skip npm install`);
+  out(`  -h, --help`);
 }
 function runOnboardChild(args) {
@@ -363,6 +557,7 @@ function runOnboardChild(args) {
   const r = spawnSync(process.execPath, [script, ...argv], {
     stdio: "inherit",
     windowsHide: true,
+    env: { ...process.env, KOMPLIAN_CLI_QUIET: process.env.KOMPLIAN_CLI_QUIET || "1" },
   });
   return r.status === 0;
 }
@@ -374,24 +569,21 @@ export async function runSetup(argv) {
     return;
   }
+  process.env.KOMPLIAN_CLI_QUIET = "1";
   const nodeMajor = Number(process.versions.node.split(".")[0], 10);
   if (nodeMajor < 18) {
-    log(`${c.red}✗${c.reset} Hace falta Node 18+.`);
+    errLine(`${c.red}✗${c.reset} Node 18+ required.`);
     process.exit(1);
   }
   let workspaceArg = (opts.workspace || "").trim();
   if (!workspaceArg) workspaceArg = process.cwd();
-  const workspaceAbs = resolve(
-    workspaceArg.replace(/^~(?=$|[/\\])/, homedir())
-  );
+  const workspaceAbs = resolve(workspaceArg.replace(/^~(?=$|[/\\])/, homedir()));
   mkdirSync(workspaceAbs, { recursive: true });
-  log(`${c.cyan}${c.bold}━━ Komplian setup ━━${c.reset}`);
-  log(`${c.dim}Workspace:${c.reset} ${workspaceAbs}`);
-  log("");
+  out(`${c.cyan}1/5${c.reset} repos`);
   const onboardArgs = ["--yes"];
   if (opts.team) onboardArgs.push("-t", opts.team);
   if (opts.allRepos) onboardArgs.push("--all-repos");
@@ -399,9 +591,8 @@ export async function runSetup(argv) {
   if (opts.noInstall) onboardArgs.push("--no-install");
   onboardArgs.push(workspaceAbs);
-  log(`${c.cyan}━━ 1/5 Onboard ━━${c.reset}`);
   if (!runOnboardChild(onboardArgs)) {
-    log(`${c.red}✗${c.reset} Onboard falló. Revisa GitHub CLI (gh) y permisos.`);
+    errLine(`${c.red}✗${c.reset} onboard failed`);
     process.exit(1);
   }
@@ -410,9 +601,7 @@ export async function runSetup(argv) {
     monorepoRoot = findWorkspaceRoot(workspaceAbs);
   }
   if (!existsSync(join(monorepoRoot, "api", "package.json"))) {
-    log(
-      `${c.red}✗${c.reset} No se encontró monorepo con api/package.json bajo ${workspaceAbs}.`
-    );
+    errLine(`${c.red}✗${c.reset} monorepo not found`);
     process.exit(1);
   }
@@ -429,49 +618,51 @@ export async function runSetup(argv) {
   const { key: existingPmKey } = resolveApiKey();
   const needsPostmanKey = !existingPmKey;
   const needsDbUrls = !envDbOk && !savedDbOk;
+  const neonOAuth = neonOAuthEnvReady();
+  if (neonOAuth && needsDbUrls) {
+    const lp = parseListenFromRedirectUri();
+    if (!lp || !/\/neon\/callback\/?$/.test(lp.pathname || "")) {
+      errLine(`${c.red}✗${c.reset} KOMPLIAN_NEON_OAUTH_REDIRECT_URI must be http://127.0.0.1:<port>/neon/callback`);
+      process.exit(1);
+    }
+  }
   if (useBrowser && (needsPostmanKey || needsDbUrls)) {
-    log(`${c.cyan}━━ Formulario en el navegador ━━${c.reset}`);
+    out(`${c.cyan}browser${c.reset} local form`);
     try {
+      const lp = neonOAuth && needsDbUrls ? parseListenFromRedirectUri() : null;
       const form = await runSetupBrowserForm({
         needsPostmanKey,
         needsDbUrls,
         emailDomain,
+        neonOAuth: !!(neonOAuth && needsDbUrls),
+        listenHost: lp?.host || "127.0.0.1",
+        listenPort: lp?.port ?? 0,
       });
-      if (form.postmanKey) {
-        savePostmanApiKeyToKomplianHome(form.postmanKey);
-        log(`${c.green}✓${c.reset} Postman API key guardada en ~/.komplian/`);
-      }
+      if (form.postmanKey) savePostmanApiKeyToKomplianHome(form.postmanKey);
       if (form.db) {
         process.env.KOMPLIAN_DEV_APP_DATABASE_URL = form.db.app;
         process.env.KOMPLIAN_DEV_ADMIN_DATABASE_URL = form.db.admin;
         process.env.KOMPLIAN_DEV_WEB_DATABASE_URL = form.db.web;
-        log(`${c.green}✓${c.reset} URLs de desarrollo recibidas desde el formulario.`);
       }
     } catch (e) {
-      log(
-        `${c.red}✗${c.reset} Formulario web: ${e?.message || e}. Prueba ${c.bold}--terminal-only${c.reset} o define variables de entorno.`
-      );
+      errLine(`${c.red}✗${c.reset} browser setup: ${e?.message || e}`);
       process.exit(1);
     }
   }
-  log(`${c.cyan}━━ 2/5 Postman ━━${c.reset}`);
+  out(`${c.cyan}2/5${c.reset} postman`);
   await runPostman(["--yes"]);
-  log(`${c.cyan}━━ 3/5 MCP tools ━━${c.reset}`);
+  out(`${c.cyan}3/5${c.reset} mcp`);
   await runMcpTools(["--yes"]);
-  log(`${c.cyan}━━ 4/5 Bases de datos (development) ━━${c.reset}`);
-  const dbArgs = ["--yes", "-w", monorepoRoot];
-  await runDbAllDev(dbArgs);
+  out(`${c.cyan}4/5${c.reset} databases`);
+  await runDbAllDev(["--yes", "-w", monorepoRoot]);
-  log(`${c.cyan}━━ 5/5 Localhost ━━${c.reset}`);
+  out(`${c.cyan}5/5${c.reset} dev`);
   await runLocalhost(["--yes"]);
-  log("");
-  log(`${c.green}✓${c.reset} ${c.bold}Setup completado.${c.reset}`);
-  log(
-    `${c.dim}Monorepo:${c.reset} ${monorepoRoot}  ${c.dim}· Cursor: File → Open Folder${c.reset}`
-  );
+  out(`${c.green}✓${c.reset} ready`);
 }