latchkey 1.0.1 → 2.1.0

package/dist/tests/cli.test.js

@@ -1,15 +1,23 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
-import { mkdtempSync, rmSync, existsSync } from 'node:fs';
+import { mkdtempSync, readFileSync, rmSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
 import { execSync } from 'node:child_process';
 import { Command } from 'commander';
-import { extractUrlFromCurlArguments, registerCommands, } from '../src/cliCommands.js';
-import { BrowserFlowsNotSupportedError } from '../src/playwrightUtils.js';
+import { registerCommands } from '../src/cliCommands.js';
+import { extractUrlFromCurlArguments } from '../src/curl.js';
 import { EncryptedStorage } from '../src/encryptedStorage.js';
 import { Config } from '../src/config.js';
 import { Registry } from '../src/registry.js';
-import { SlackApiCredentials, ApiCredentialStatus } from '../src/apiCredentials.js';
+import { ApiCredentialStatus } from '../src/apiCredentials.js';
+import { SlackApiCredentials } from '../src/services/slack.js';
+import { NoCurlCredentialsNotSupportedError, Service } from '../src/services/core/base.js';
+import { RegisteredService } from '../src/services/core/registered.js';
+import { GITLAB } from '../src/services/gitlab.js';
+import { GITHUB } from '../src/services/github.js';
+import { TELEGRAM } from '../src/services/telegram.js';
+import { deleteRegisteredService, loadRegisteredServices, saveRegisteredService, } from '../src/configDataStore.js';
+import { loadRegisteredServicesIntoRegistry } from '../src/registry.js';
 // Use a fixed test key for deterministic test behavior (32 bytes = 256 bits, base64 encoded)
 const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
 function writeSecureFile(path, content) {
@@ -115,10 +123,18 @@ describe('CLI commands with dependency injection', () => {
     let exitCode;
     function createMockConfig(overrides = {}) {
         const defaultConfig = new Config(() => undefined);
+        const directory = overrides.directory ?? tempDir;
         return {
-            credentialStorePath: overrides.credentialStorePath ?? join(tempDir, 'credentials.json'),
-            browserStatePath: overrides.browserStatePath ?? join(tempDir, 'browser_state.json'),
-            configPath: overrides.configPath ?? join(tempDir, 'config.json'),
+            directory,
+            get credentialStorePath() {
+                return join(directory, 'credentials.json');
+            },
+            get browserStatePath() {
+                return join(directory, 'browser_state.json');
+            },
+            get configPath() {
+                return join(directory, 'config.json');
+            },
             curlCommand: overrides.curlCommand ?? defaultConfig.curlCommand,
             encryptionKeyOverride: overrides.encryptionKeyOverride ?? TEST_ENCRYPTION_KEY,
             serviceName: overrides.serviceName ?? defaultConfig.serviceName,
@@ -137,6 +153,12 @@ describe('CLI commands with dependency injection', () => {
             info: 'Test info for Slack service.',
             credentialCheckCurlArguments: ['https://slack.com/api/auth.test'],
             checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Valid),
+            setCredentialsExample(serviceName) {
+                return `latchkey auth set ${serviceName} -H "Authorization: Bearer xoxb-your-token"`;
+            },
+            getCredentialsNoCurl() {
+                throw new NoCurlCredentialsNotSupportedError('slack');
+            },
             getSession: vi.fn().mockReturnValue({
                 login: vi.fn().mockResolvedValue(new SlackApiCredentials('xoxc-test-token', 'test-cookie')),
             }),
@@ -195,19 +217,39 @@ describe('CLI commands with dependency injection', () => {
             const services = JSON.parse(logs[0] ?? '');
             expect(services).toContain('slack');
         });
+        it('should include registered services by default', async () => {
+            const registeredService = new RegisteredService('my-gitlab', 'https://gitlab.example.com');
+            const deps = createMockDependencies();
+            deps.registry.addService(registeredService);
+            await runCommand(['services', 'list'], deps);
+            expect(logs).toHaveLength(1);
+            const services = JSON.parse(logs[0] ?? '');
+            expect(services).toContain('slack');
+            expect(services).toContain('my-gitlab');
+        });
+        it('should exclude registered services with --built-in-only', async () => {
+            const registeredService = new RegisteredService('my-gitlab', 'https://gitlab.example.com');
+            const deps = createMockDependencies();
+            deps.registry.addService(registeredService);
+            await runCommand(['services', 'list', '--built-in-only'], deps);
+            expect(logs).toHaveLength(1);
+            const services = JSON.parse(logs[0] ?? '');
+            expect(services).toContain('slack');
+            expect(services).not.toContain('my-gitlab');
+        });
     });
     describe('services info command', () => {
         it('should show login options, credentials status, and developer notes', async () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, '{}');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['services', 'info', 'slack'], deps);
             expect(logs).toHaveLength(1);
             const info = JSON.parse(logs[0] ?? '');
+            expect(info.type).toBe('built-in');
             expect(info.authOptions).toEqual(['browser', 'set']);
             expect(info.credentialStatus).toBe('missing');
+            expect(info.setCredentialsExample).toBe('latchkey auth set slack -H "Authorization: Bearer xoxb-your-token"');
             expect(info.developerNotes).toBe('Test info for Slack service.');
         });
         it('should show auth set only for services without browser login', async () => {
@@ -221,10 +263,15 @@ describe('CLI commands with dependency injection', () => {
                 info: 'A service without browser login support.',
                 credentialCheckCurlArguments: [],
                 checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Missing),
+                setCredentialsExample(serviceName) {
+                    return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
+                },
+                getCredentialsNoCurl() {
+                    throw new NoCurlCredentialsNotSupportedError('nologin');
+                },
             };
             const deps = createMockDependencies({
                 registry: new Registry([noLoginService]),
-                config: createMockConfig({ credentialStorePath: storePath }),
             });
             await runCommand(['services', 'info', 'nologin'], deps);
             const info = JSON.parse(logs[0] ?? '');
@@ -234,7 +281,7 @@ describe('CLI commands with dependency injection', () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, '{}');
             const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath, browserDisabled: true }),
+                config: createMockConfig({ browserDisabled: true }),
             });
             await runCommand(['services', 'info', 'slack'], deps);
             const info = JSON.parse(logs[0] ?? '');
@@ -245,9 +292,7 @@ describe('CLI commands with dependency injection', () => {
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['services', 'info', 'slack'], deps);
             const info = JSON.parse(logs[0] ?? '');
             expect(info.credentialStatus).toBe('valid');
@@ -256,7 +301,17 @@ describe('CLI commands with dependency injection', () => {
             const deps = createMockDependencies();
             await runCommand(['services', 'info', 'unknown-service'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes('Unknown service'))).toBe(true);
+            expect(errorLogs.length).toBeGreaterThan(0);
+        });
+        it('should show type as registered for registered services', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, '{}');
+            const registeredService = new RegisteredService('my-gitlab', 'https://gitlab.example.com');
+            const deps = createMockDependencies();
+            deps.registry.addService(registeredService);
+            await runCommand(['services', 'info', 'my-gitlab'], deps);
+            const info = JSON.parse(logs[0] ?? '');
+            expect(info.type).toBe('user-registered');
         });
     });
     describe('clear command', () => {
@@ -265,37 +320,16 @@ describe('CLI commands with dependency injection', () => {
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'clear', 'slack'], deps);
-            expect(logs.some((log) => log.includes('have been cleared'))).toBe(true);
             const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.slack).toBeUndefined();
         });
-        it('should report no credentials found when service has no stored credentials', async () => {
-            const storePath = join(tempDir, 'credentials.json');
-            writeSecureFile(storePath, '{}');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
-            await runCommand(['auth', 'clear', 'slack'], deps);
-            expect(logs.some((log) => log.includes('No API credentials found'))).toBe(true);
-        });
         it('should return error for unknown service', async () => {
-            const storePath = join(tempDir, 'credentials.json');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'clear', 'unknown-service'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes('Unknown service'))).toBe(true);
-        });
-        it('should use default config paths', async () => {
-            const deps = createMockDependencies();
-            await runCommand(['auth', 'clear', 'slack'], deps);
-            // With default paths, should report no credentials found (not error about missing env var)
-            expect(logs.some((log) => log.includes('No API credentials found'))).toBe(true);
+            expect(errorLogs.length).toBeGreaterThan(0);
         });
         it('should preserve other services when clearing one', async () => {
             const storePath = join(tempDir, 'credentials.json');
@@ -303,9 +337,7 @@ describe('CLI commands with dependency injection', () => {
                 slack: { objectType: 'slack', token: 'slack-token', dCookie: 'slack-cookie' },
                 discord: { objectType: 'authorizationBare', token: 'discord-token' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'clear', 'slack'], deps);
             const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
             expect(storedData.slack).toBeUndefined();
@@ -317,23 +349,10 @@ describe('CLI commands with dependency injection', () => {
             const browserStatePath = join(tempDir, 'browser_state.json');
             writeSecureFile(storePath, JSON.stringify({ slack: { objectType: 'slack', token: 'test', dCookie: 'test' } }));
             writeSecureFile(browserStatePath, '{}');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath, browserStatePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'clear', '-y'], deps);
             expect(existsSync(storePath)).toBe(false);
             expect(existsSync(browserStatePath)).toBe(false);
-            expect(logs.some((log) => log.includes('Deleted credentials store'))).toBe(true);
-            expect(logs.some((log) => log.includes('Deleted browser state'))).toBe(true);
-        });
-        it('should report no files to delete when none exist', async () => {
-            const storePath = join(tempDir, 'nonexistent_store.json');
-            const browserStatePath = join(tempDir, 'nonexistent_browser_state.json');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath, browserStatePath }),
-            });
-            await runCommand(['auth', 'clear', '-y'], deps);
-            expect(logs.some((log) => log.includes('No files to delete'))).toBe(true);
         });
     });
     describe('auth list command', () => {
@@ -342,9 +361,7 @@ describe('CLI commands with dependency injection', () => {
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'list'], deps);
             expect(logs).toHaveLength(1);
             const entries = JSON.parse(logs[0] ?? '');
@@ -356,9 +373,7 @@ describe('CLI commands with dependency injection', () => {
         it('should output empty object when no credentials are stored', async () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, '{}');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'list'], deps);
             expect(logs).toHaveLength(1);
             const entries = JSON.parse(logs[0] ?? '');
@@ -369,9 +384,7 @@ describe('CLI commands with dependency injection', () => {
             writeSecureFile(storePath, JSON.stringify({
                 unknown: { objectType: 'rawCurl', curlArguments: ['-H', 'X-Token: secret'] },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'list'], deps);
             expect(logs).toHaveLength(1);
             const entries = JSON.parse(logs[0] ?? '');
@@ -385,9 +398,7 @@ describe('CLI commands with dependency injection', () => {
         it('should store raw curl credentials', async () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, '{}');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'slack', '-H', 'X-Token: secret', '-H', 'X-Other: value'], deps);
             expect(logs).toContain('Credentials stored.');
             const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
@@ -400,30 +411,23 @@ describe('CLI commands with dependency injection', () => {
             const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'slack'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes("don't look like valid curl options"))).toBe(true);
-            expect(errorLogs.some((log) => log.includes('Authorization: Bearer'))).toBe(true);
         });
         it('should return error when arguments lack curl switches', async () => {
             const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'slack', 'my-raw-token-value'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes("don't look like valid curl options"))).toBe(true);
-            expect(errorLogs.some((log) => log.includes('Authorization: Bearer'))).toBe(true);
         });
         it('should return error for unknown service', async () => {
             const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'unknown-service', '-H', 'X-Token: secret'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes('Unknown service'))).toBe(true);
         });
         it('should overwrite existing credentials', async () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'old-token', dCookie: 'old-cookie' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['auth', 'set', 'slack', '-H', 'X-Token: new-secret'], deps);
             expect(logs).toContain('Credentials stored.');
             const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
@@ -433,15 +437,53 @@ describe('CLI commands with dependency injection', () => {
             });
         });
     });
+    describe('auth set-nocurl command', () => {
+        it('should store telegram bot credentials', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, '{}');
+            const deps = createMockDependencies({
+                registry: new Registry([TELEGRAM]),
+            });
+            await runCommand(['auth', 'set-nocurl', 'telegram', '123456:ABC-DEF'], deps);
+            expect(logs).toContain('Credentials stored.');
+            const storedData = JSON.parse(readSecureFile(storePath) ?? '{}');
+            expect(storedData.telegram).toEqual({
+                objectType: 'telegramBot',
+                token: '123456:ABC-DEF',
+            });
+        });
+        it('should return error for unknown service', async () => {
+            const deps = createMockDependencies();
+            await runCommand(['auth', 'set-nocurl', 'unknown-service', 'some-arg'], deps);
+            expect(exitCode).toBe(1);
+        });
+        it('should return error when service does not support set-nocurl', async () => {
+            const deps = createMockDependencies();
+            await runCommand(['auth', 'set-nocurl', 'slack', 'some-token'], deps);
+            expect(exitCode).toBe(1);
+        });
+        it('should return error when telegram token is missing', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([TELEGRAM]),
+            });
+            await runCommand(['auth', 'set-nocurl', 'telegram'], deps);
+            expect(exitCode).toBe(1);
+        });
+        it('should return error when telegram token format is invalid', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([TELEGRAM]),
+            });
+            await runCommand(['auth', 'set-nocurl', 'telegram', 'not-a-valid-token'], deps);
+            expect(exitCode).toBe(1);
+        });
+    });
     describe('curl command', () => {
         it('should pass arguments to subprocess', async () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
             expect(capturedArgs).toEqual([
                 '-H',
@@ -457,9 +499,7 @@ describe('CLI commands with dependency injection', () => {
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'rawCurl', curlArguments: ['-H', 'X-Custom: header'] },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
             expect(capturedArgs).toEqual(['-H', 'X-Custom: header', 'https://slack.com/api/test']);
             expect(exitCode).toBe(0);
@@ -469,9 +509,7 @@ describe('CLI commands with dependency injection', () => {
             writeSecureFile(storePath, JSON.stringify({
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand([
                 'curl',
                 '--',
@@ -494,7 +532,6 @@ describe('CLI commands with dependency injection', () => {
                 slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
             }));
             const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
                 runCurl: () => ({ returncode: 42, stdout: '', stderr: '' }),
             });
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
@@ -504,26 +541,11 @@ describe('CLI commands with dependency injection', () => {
             const deps = createMockDependencies();
             await runCommand(['curl', '--', '-X', 'POST'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes('Could not extract URL'))).toBe(true);
         });
         it('should return error for unknown service', async () => {
             const deps = createMockDependencies();
             await runCommand(['curl', 'https://unknown-api.example.com'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes('No service matches URL'))).toBe(true);
-        });
-        it('should inject credentials with verbose flag', async () => {
-            const storePath = join(tempDir, 'credentials.json');
-            writeSecureFile(storePath, JSON.stringify({
-                slack: { objectType: 'slack', token: 'stored-token', dCookie: 'stored-cookie' },
-            }));
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
-            await runCommand(['curl', '--', '-v', 'https://slack.com/api/conversations.list'], deps);
-            expect(capturedArgs).toContain('-v');
-            expect(capturedArgs).toContain('Authorization: Bearer stored-token');
-            expect(capturedArgs).toContain('https://slack.com/api/conversations.list');
         });
         it('should read credentials from store and not call login', async () => {
             const storePath = join(tempDir, 'credentials.json');
@@ -539,11 +561,16 @@ describe('CLI commands with dependency injection', () => {
                 info: 'Test info for Slack service.',
                 credentialCheckCurlArguments: [],
                 checkApiCredentials: vi.fn(),
+                setCredentialsExample(serviceName) {
+                    return `latchkey auth set ${serviceName} -H "Authorization: Bearer xoxb-your-token"`;
+                },
+                getCredentialsNoCurl() {
+                    throw new NoCurlCredentialsNotSupportedError('slack');
+                },
                 getSession: vi.fn().mockReturnValue({ login: mockLogin }),
             };
             const deps = createMockDependencies({
                 registry: new Registry([mockSlackService]),
-                config: createMockConfig({ credentialStorePath: storePath }),
             });
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
             expect(mockLogin).not.toHaveBeenCalled();
@@ -552,14 +579,21 @@ describe('CLI commands with dependency injection', () => {
         it('should return error when no credentials in store', async () => {
             const storePath = join(tempDir, 'credentials.json');
             writeSecureFile(storePath, '{}');
-            const deps = createMockDependencies({
-                config: createMockConfig({ credentialStorePath: storePath }),
-            });
+            const deps = createMockDependencies();
             await runCommand(['curl', 'https://slack.com/api/test'], deps);
             expect(exitCode).toBe(1);
-            expect(errorLogs.some((log) => log.includes('No credentials found for slack'))).toBe(true);
-            expect(errorLogs.some((log) => log.includes('auth browser'))).toBe(true);
-            expect(errorLogs.some((log) => log.includes('auth set'))).toBe(true);
+        });
+        it('should inject telegram bot token into URL path', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, JSON.stringify({
+                telegram: { objectType: 'telegramBot', token: '123456:ABC-DEF' },
+            }));
+            const deps = createMockDependencies({
+                registry: new Registry([TELEGRAM]),
+            });
+            await runCommand(['curl', 'https://api.telegram.org/getMe'], deps);
+            expect(capturedArgs).toEqual(['https://api.telegram.org/bot123456:ABC-DEF/getMe']);
+            expect(exitCode).toBe(0);
         });
         it('should work when service does not have getSession but credentials exist', async () => {
             const storePath = join(tempDir, 'credentials.json');
@@ -574,11 +608,16 @@ describe('CLI commands with dependency injection', () => {
                 info: 'A service without browser login support.',
                 credentialCheckCurlArguments: [],
                 checkApiCredentials: vi.fn().mockReturnValue(ApiCredentialStatus.Valid),
+                setCredentialsExample(serviceName) {
+                    return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
+                },
+                getCredentialsNoCurl() {
+                    throw new NoCurlCredentialsNotSupportedError('nologin');
+                },
                 // No getSession - service doesn't support browser login
             };
             const deps = createMockDependencies({
                 registry: new Registry([noLoginService]),
-                config: createMockConfig({ credentialStorePath: storePath }),
             });
             await runCommand(['curl', 'https://nologin.example.com/api/test'], deps);
             expect(exitCode).toBe(0);
@@ -596,6 +635,11 @@ describe('CLI commands with dependency injection', () => {
                 info: 'A service without browser login support.',
                 credentialCheckCurlArguments: [],
                 checkApiCredentials: vi.fn(),
+                setCredentialsExample(serviceName) {
+                    return `latchkey auth set ${serviceName} -H "Authorization: Bearer <token>"`;
+                },
+                // eslint-disable-next-line @typescript-eslint/unbound-method
+                getCredentialsNoCurl: Service.prototype.getCredentialsNoCurl,
                 // No getSession - service doesn't support browser login
             };
             const deps = createMockDependencies({
@@ -603,174 +647,630 @@ describe('CLI commands with dependency injection', () => {
             });
             await runCommand(['auth', 'browser', 'nologin'], deps);
             expect(exitCode).toBe(1);
-            const expectedMessage = new BrowserFlowsNotSupportedError('nologin').message;
-            expect(errorLogs.some((log) => log.includes(expectedMessage))).toBe(true);
+        });
+        it('should suggest set-nocurl when service supports nocurl credentials', async () => {
+            const nocurlService = {
+                name: 'nocurl-only',
+                displayName: 'NoCurl Only Service',
+                baseApiUrls: ['https://nocurl.example.com/api/'],
+                loginUrl: 'https://nocurl.example.com',
+                info: 'A service with nocurl credentials but no browser login.',
+                credentialCheckCurlArguments: [],
+                checkApiCredentials: vi.fn(),
+                setCredentialsExample(serviceName) {
+                    return `latchkey auth set-nocurl ${serviceName} <some-arg>`;
+                },
+                getCredentialsNoCurl(arguments_) {
+                    if (arguments_.length !== 1) {
+                        throw new Error('Expected exactly one argument');
+                    }
+                    return { objectType: 'test', injectIntoCurlCall: vi.fn(), isExpired: () => false };
+                },
+                // No getSession - service doesn't support browser login
+            };
+            const deps = createMockDependencies({
+                registry: new Registry([nocurlService]),
+            });
+            await runCommand(['auth', 'browser', 'nocurl-only'], deps);
+            expect(exitCode).toBe(1);
+        });
+    });
+    describe('services register command', () => {
+        it('should register a new service', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain("Service 'my-gitlab' registered.");
+            // Should be findable by name
+            expect(deps.registry.getByName('my-gitlab')).not.toBeNull();
+            // Should be findable by URL
+            expect(deps.registry.getByUrl('https://gitlab.mycompany.com/api/v4/user')).not.toBeNull();
+        });
+        it('should persist registration to config.json', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            const configPath = deps.config.configPath;
+            const entries = loadRegisteredServices(configPath);
+            expect(entries.get('my-gitlab')).toEqual({
+                baseApiUrl: 'https://gitlab.mycompany.com/api/',
+                serviceFamily: 'gitlab',
+            });
+        });
+        it('should reject unknown service family', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-service',
+                '--base-api-url',
+                'https://example.com/api/',
+                '--service-family',
+                'nonexistent',
+            ], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('Unknown service family');
+        });
+        it('should reject duplicate service name', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('already exists');
+        });
+        it('should canonicalize service name to lowercase', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'My-GitLab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain("Service 'my-gitlab' registered.");
+            expect(deps.registry.getByName('my-gitlab')).not.toBeNull();
+        });
+        it('should convert spaces to hyphens in service name', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my api', '--base-api-url', 'https://api.example.com/'], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain("Service 'my-api' registered.");
+            expect(deps.registry.getByName('my-api')).not.toBeNull();
+        });
+        it('should reject service name with invalid characters', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my@service!', '--base-api-url', 'https://api.example.com/'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('Invalid service name');
+        });
+        it('should not expose browser auth without --login-url', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, '{}');
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            logs = [];
+            exitCode = null;
+            await runCommand(['services', 'info', 'my-gitlab'], deps);
+            const info = JSON.parse(logs[0] ?? '');
+            expect(info.authOptions).toEqual(['set']);
+        });
+        it('should persist and restore loginUrl', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITHUB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-github',
+                '--base-api-url',
+                'https://github.mycompany.com/api/',
+                '--service-family',
+                'github',
+                '--login-url',
+                'https://github.mycompany.com/login',
+            ], deps);
+            const entries = loadRegisteredServices(deps.config.configPath);
+            expect(entries.get('my-github')?.loginUrl).toBe('https://github.mycompany.com/login');
+        });
+        it('should reject --login-url without --service-family', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-service',
+                '--base-api-url',
+                'https://example.com/api/',
+                '--login-url',
+                'https://example.com/login',
+            ], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('--login-url requires a --service-family');
+        });
+        it('should reject --login-url when service family does not support browser login', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+                '--login-url',
+                'https://gitlab.mycompany.com/users/sign_in',
+            ], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('does not support browser login');
+        });
+        it('should require --login-url when service family supports browser login', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITHUB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-github',
+                '--base-api-url',
+                'https://github.mycompany.com/api/',
+                '--service-family',
+                'github',
+            ], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('--login-url is required');
+        });
+        it('should make registered service usable with auth set', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            // Register the service
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            // Now store credentials for it
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, '{}');
+            logs = [];
+            exitCode = null;
+            await runCommand(['auth', 'set', 'my-gitlab', '-H', 'PRIVATE-TOKEN: my-secret-token'], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain('Credentials stored.');
+        });
+        it('should register a service without --service-family', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain("Service 'my-api' registered.");
+            // Should be findable by name
+            expect(deps.registry.getByName('my-api')).not.toBeNull();
+            // Should be findable by URL
+            expect(deps.registry.getByUrl('https://api.example.com/v1/users')).not.toBeNull();
+        });
+        it('should persist registration without service family to config.json', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
+            const configPath = deps.config.configPath;
+            const entries = loadRegisteredServices(configPath);
+            expect(entries.get('my-api')).toEqual({
+                baseApiUrl: 'https://api.example.com/',
+            });
+        });
+        it('should not expose browser auth for service without family', async () => {
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, '{}');
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
+            logs = [];
+            exitCode = null;
+            await runCommand(['services', 'info', 'my-api'], deps);
+            const info = JSON.parse(logs[0] ?? '');
+            expect(info.authOptions).toEqual(['set']);
+        });
+        it('should make service without family usable with auth set and curl', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            // Register the service without family
+            await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
+            // Store credentials
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, JSON.stringify({
+                'my-api': {
+                    objectType: 'rawCurl',
+                    curlArguments: ['-H', 'Authorization: Bearer my-token'],
+                },
+            }));
+            logs = [];
+            exitCode = null;
+            capturedArgs = [];
+            await runCommand(['curl', 'https://api.example.com/v1/users'], deps);
+            expect(exitCode).toBe(0);
+            expect(capturedArgs).toContain('-H');
+            expect(capturedArgs).toContain('Authorization: Bearer my-token');
+        });
+        it('should reject browser login for service without family', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
+            logs = [];
+            errorLogs = [];
+            exitCode = null;
+            await runCommand(['auth', 'browser', 'my-api'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('does not support browser flows');
+        });
+        it('should reject set-nocurl for service without family', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand(['services', 'register', 'my-api', '--base-api-url', 'https://api.example.com/'], deps);
+            logs = [];
+            errorLogs = [];
+            exitCode = null;
+            await runCommand(['auth', 'set-nocurl', 'my-api', 'some-token'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('does not support set-nocurl');
+        });
+        it('should make registered service usable with curl', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            // Register the service
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            // Store credentials
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, JSON.stringify({
+                'my-gitlab': {
+                    objectType: 'rawCurl',
+                    curlArguments: ['-H', 'PRIVATE-TOKEN: my-secret-token'],
+                },
+            }));
+            logs = [];
+            exitCode = null;
+            capturedArgs = [];
+            await runCommand(['curl', 'https://gitlab.mycompany.com/api/v4/user'], deps);
+            expect(exitCode).toBe(0);
+            expect(capturedArgs).toContain('-H');
+            expect(capturedArgs).toContain('PRIVATE-TOKEN: my-secret-token');
+        });
+    });
+    describe('services deregister command', () => {
+        it('should deregister a registered service', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            // Register a service first
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            logs = [];
+            exitCode = null;
+            await runCommand(['services', 'deregister', 'my-gitlab'], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain("Service 'my-gitlab' deregistered.");
+        });
+        it('should remove service from config.json', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            logs = [];
+            exitCode = null;
+            await runCommand(['services', 'deregister', 'my-gitlab'], deps);
+            const entries = loadRegisteredServices(deps.config.configPath);
+            expect(entries.get('my-gitlab')).toBeUndefined();
+        });
+        it('should reject deregistering an unknown service', async () => {
+            const deps = createMockDependencies();
+            await runCommand(['services', 'deregister', 'nonexistent'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('Unknown service');
+        });
+        it('should reject deregistering a built-in service', async () => {
+            const deps = createMockDependencies();
+            await runCommand(['services', 'deregister', 'slack'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('built-in service');
+        });
+        it('should reject deregistering when credentials still exist', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            // Register a service
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            // Store credentials for it
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, JSON.stringify({
+                'my-gitlab': {
+                    objectType: 'rawCurl',
+                    curlArguments: ['-H', 'PRIVATE-TOKEN: my-secret-token'],
+                },
+            }));
+            logs = [];
+            errorLogs = [];
+            exitCode = null;
+            await runCommand(['services', 'deregister', 'my-gitlab'], deps);
+            expect(exitCode).toBe(1);
+            expect(errorLogs[0]).toContain('Credentials still exist');
+            expect(errorLogs[0]).toContain('latchkey auth clear my-gitlab');
+            // Service should still be in config
+            const entries = loadRegisteredServices(deps.config.configPath);
+            expect(entries.get('my-gitlab')).toBeDefined();
+        });
+        it('should allow deregistering after credentials are cleared', async () => {
+            const deps = createMockDependencies({
+                registry: new Registry([GITLAB]),
+            });
+            // Register
+            await runCommand([
+                'services',
+                'register',
+                'my-gitlab',
+                '--base-api-url',
+                'https://gitlab.mycompany.com/api/',
+                '--service-family',
+                'gitlab',
+            ], deps);
+            // Store and then clear credentials
+            const storePath = join(tempDir, 'credentials.json');
+            writeSecureFile(storePath, JSON.stringify({
+                'my-gitlab': {
+                    objectType: 'rawCurl',
+                    curlArguments: ['-H', 'PRIVATE-TOKEN: my-secret-token'],
+                },
+            }));
+            logs = [];
+            errorLogs = [];
+            exitCode = null;
+            await runCommand(['auth', 'clear', 'my-gitlab'], deps);
+            expect(exitCode).toBeNull();
+            logs = [];
+            errorLogs = [];
+            exitCode = null;
+            await runCommand(['services', 'deregister', 'my-gitlab'], deps);
+            expect(exitCode).toBeNull();
+            expect(logs).toContain("Service 'my-gitlab' deregistered.");
         });
     });
 });
-// Integration tests that run the actual CLI binary
-describe.skipIf(!cliPath)('CLI integration tests (subprocess)', () => {
+describe('registeredServiceStore', () => {
     let tempDir;
-    let testEnv;
     beforeEach(() => {
-        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-cli-test-'));
-        testEnv = {
-            LATCHKEY_STORE: join(tempDir, 'credentials.json'),
-            LATCHKEY_BROWSER_STATE: join(tempDir, 'browser_state.json'),
-        };
+        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-store-test-'));
     });
     afterEach(() => {
         rmSync(tempDir, { recursive: true, force: true });
     });
-    describe('curl command', () => {
-        it('should return error when curl has no arguments', () => {
-            const result = runCli(['curl'], testEnv);
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('Could not extract URL');
-        });
-        it('should return error when no URL found in curl arguments', () => {
-            const result = runCli(['curl', '--', '-X', 'POST'], testEnv);
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('Could not extract URL');
-        });
-        it('should return error for unknown service', () => {
-            const result = runCli(['curl', 'https://unknown-api.example.com'], testEnv);
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('No service matches URL');
-            expect(result.stderr).toContain('https://unknown-api.example.com');
-        });
-        it('should return error when no credentials exist', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, '{}');
-            const result = runCli(['curl', 'https://slack.com/api/test'], testEnv);
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('No credentials found for slack');
-            expect(result.stderr).toContain('auth browser');
-            expect(result.stderr).toContain('auth set');
+    it('should save and load registered services', () => {
+        const configPath = join(tempDir, 'config.json');
+        saveRegisteredService(configPath, 'my-gitlab', {
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
         });
-    });
-    describe('auth browser command', () => {
-        it('should return error when browser is disabled via LATCHKEY_DISABLE_BROWSER', () => {
-            const result = runCli(['auth', 'browser', 'slack'], {
-                ...testEnv,
-                LATCHKEY_DISABLE_BROWSER: '1',
-            });
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('Browser is disabled');
+        const entries = loadRegisteredServices(configPath);
+        expect(entries.size).toBe(1);
+        expect(entries.get('my-gitlab')).toEqual({
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
         });
     });
-    describe('clear command', () => {
-        it('should delete credentials for a service', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, JSON.stringify({
-                slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
-            }));
-            const result = runCli(['auth', 'clear', 'slack'], testEnv);
-            expect(result.exitCode).toBe(0);
-            expect(result.stdout).toContain('API credentials for slack have been cleared');
-            const storedData = JSON.parse(readSecureFile(testEnv.LATCHKEY_STORE) ?? '{}');
-            expect(storedData.slack).toBeUndefined();
-        });
-        it('should report no credentials found when service has no stored credentials', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, '{}');
-            const result = runCli(['auth', 'clear', 'slack'], testEnv);
-            expect(result.exitCode).toBe(0);
-            expect(result.stdout).toContain('No API credentials found for slack');
-        });
-        it('should return error for unknown service', () => {
-            const result = runCli(['auth', 'clear', 'unknown-service'], testEnv);
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('Unknown service: unknown-service');
+    it('should return empty map for nonexistent config file', () => {
+        const configPath = join(tempDir, 'nonexistent.json');
+        const entries = loadRegisteredServices(configPath);
+        expect(entries.size).toBe(0);
+    });
+    it('should preserve existing config data when saving', () => {
+        const configPath = join(tempDir, 'config.json');
+        writeFileSync(configPath, JSON.stringify({ browser: { executablePath: '/usr/bin/chrome' } }));
+        saveRegisteredService(configPath, 'my-gitlab', {
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
         });
-        it('should preserve other services when clearing one', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, JSON.stringify({
-                slack: { objectType: 'slack', token: 'slack-token', dCookie: 'slack-cookie' },
-                discord: { objectType: 'authorizationBare', token: 'discord-token' },
-            }));
-            const result = runCli(['auth', 'clear', 'slack'], testEnv);
-            expect(result.exitCode).toBe(0);
-            const storedData = JSON.parse(readSecureFile(testEnv.LATCHKEY_STORE) ?? '{}');
-            expect(storedData.slack).toBeUndefined();
-            expect(storedData.discord).toBeDefined();
-            expect(storedData.discord?.token).toBe('discord-token');
+        const content = JSON.parse(readFileSync(configPath, 'utf-8'));
+        expect(content.browser).toEqual({ executablePath: '/usr/bin/chrome' });
+        expect(content.registeredServices).toBeDefined();
+    });
+    it('should load registered services into registry', () => {
+        const configPath = join(tempDir, 'config.json');
+        saveRegisteredService(configPath, 'my-gitlab', {
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
         });
-        it('should delete both store and browser state with -y flag', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, JSON.stringify({ slack: { objectType: 'slack', token: 'test', dCookie: 'test' } }));
-            writeSecureFile(testEnv.LATCHKEY_BROWSER_STATE, '{}');
-            const result = runCli(['auth', 'clear', '-y'], testEnv);
-            expect(result.exitCode).toBe(0);
-            expect(existsSync(testEnv.LATCHKEY_STORE)).toBe(false);
-            expect(existsSync(testEnv.LATCHKEY_BROWSER_STATE)).toBe(false);
-            expect(result.stdout).toContain(`Deleted credentials store: ${testEnv.LATCHKEY_STORE}`);
-            expect(result.stdout).toContain(`Deleted browser state: ${testEnv.LATCHKEY_BROWSER_STATE}`);
-        });
-        it('should delete only existing files with -y flag', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, '{}');
-            // browser_state does not exist
-            const result = runCli(['auth', 'clear', '-y'], testEnv);
-            expect(result.exitCode).toBe(0);
-            expect(existsSync(testEnv.LATCHKEY_STORE)).toBe(false);
-            expect(result.stdout).toContain(`Deleted credentials store: ${testEnv.LATCHKEY_STORE}`);
-            expect(result.stdout).not.toContain('browser state');
-        });
-        it('should report no files to delete when none exist', () => {
-            const result = runCli(['auth', 'clear', '-y'], testEnv);
-            expect(result.exitCode).toBe(0);
-            expect(result.stdout).toContain('No files to delete');
+        const registry = new Registry([GITLAB]);
+        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const service = registry.getByName('my-gitlab');
+        expect(service).not.toBeNull();
+        expect(service.baseApiUrls).toEqual(['https://gitlab.mycompany.com/api/']);
+    });
+    it('should load registered service with loginUrl into registry', () => {
+        const configPath = join(tempDir, 'config.json');
+        saveRegisteredService(configPath, 'my-gitlab', {
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
+            loginUrl: 'https://gitlab.mycompany.com/users/sign_in',
         });
+        const registry = new Registry([GITLAB]);
+        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const service = registry.getByName('my-gitlab');
+        expect(service).not.toBeNull();
+        expect(service.loginUrl).toBe('https://gitlab.mycompany.com/users/sign_in');
     });
-    describe('auth list command', () => {
-        it('should list stored credentials as beautified JSON', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, JSON.stringify({
-                slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
-            }));
-            const result = runCli(['auth', 'list'], testEnv);
-            expect(result.exitCode).toBe(0);
-            const entries = JSON.parse(result.stdout);
-            expect(entries.slack).toBeDefined();
-            expect(entries.slack?.credentialType).toBe('slack');
-            expect(entries.slack?.credentialStatus).toEqual(expect.any(String));
-        });
-        it('should output empty object when no credentials are stored', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, '{}');
-            const result = runCli(['auth', 'list'], testEnv);
-            expect(result.exitCode).toBe(0);
-            const entries = JSON.parse(result.stdout);
-            expect(Object.keys(entries)).toHaveLength(0);
+    it('should load registered service without family into registry', () => {
+        const configPath = join(tempDir, 'config.json');
+        saveRegisteredService(configPath, 'my-api', {
+            baseApiUrl: 'https://api.example.com/',
         });
+        const registry = new Registry([GITLAB]);
+        loadRegisteredServicesIntoRegistry(configPath, registry);
+        const service = registry.getByName('my-api');
+        expect(service).not.toBeNull();
+        expect(service.baseApiUrls).toEqual(['https://api.example.com/']);
+        expect(service.getSession).toBeUndefined(); // eslint-disable-line @typescript-eslint/unbound-method
+        expect(service.loginUrl).toBe('');
     });
-    describe('services list command', () => {
-        it('should list all services as JSON', () => {
-            const result = runCli(['services', 'list'], testEnv);
-            expect(result.exitCode).toBe(0);
-            const services = JSON.parse(result.stdout.trim());
-            expect(services).toContain('slack');
-            expect(services).toContain('discord');
-            expect(services).toContain('github');
-            expect(services).toContain('dropbox');
-            expect(services).toContain('linear');
+    it('should skip registered services with unknown family', () => {
+        const configPath = join(tempDir, 'config.json');
+        saveRegisteredService(configPath, 'my-unknown', {
+            baseApiUrl: 'https://unknown.example.com/api/',
+            serviceFamily: 'nonexistent',
         });
+        const registry = new Registry([GITLAB]);
+        loadRegisteredServicesIntoRegistry(configPath, registry);
+        expect(registry.getByName('my-unknown')).toBeNull();
     });
-    describe('services info command', () => {
-        it('should show login options, credentials status, and developer notes as JSON', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, '{}');
-            const result = runCli(['services', 'info', 'slack'], testEnv);
-            expect(result.exitCode).toBe(0);
-            const info = JSON.parse(result.stdout);
-            expect(info.authOptions).toEqual(['browser', 'set']);
-            expect(info.credentialStatus).toBe('missing');
-            expect(info.developerNotes).toEqual(expect.any(String));
+    it('should delete a registered service from config', () => {
+        const configPath = join(tempDir, 'config.json');
+        saveRegisteredService(configPath, 'my-gitlab', {
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
         });
-        it('should show auth set only for services without browser login', () => {
-            writeSecureFile(testEnv.LATCHKEY_STORE, '{}');
-            const result = runCli(['services', 'info', 'mailchimp'], testEnv);
-            expect(result.exitCode).toBe(0);
-            const info = JSON.parse(result.stdout);
-            expect(info.authOptions).toEqual(['set']);
+        saveRegisteredService(configPath, 'my-github', {
+            baseApiUrl: 'https://github.mycompany.com/api/',
+            serviceFamily: 'github',
+        });
+        deleteRegisteredService(configPath, 'my-gitlab');
+        const entries = loadRegisteredServices(configPath);
+        expect(entries.get('my-gitlab')).toBeUndefined();
+        expect(entries.get('my-github')).toBeDefined();
+    });
+    it('should preserve other config data when deleting', () => {
+        const configPath = join(tempDir, 'config.json');
+        writeFileSync(configPath, JSON.stringify({ browser: { executablePath: '/usr/bin/chrome' } }));
+        saveRegisteredService(configPath, 'my-gitlab', {
+            baseApiUrl: 'https://gitlab.mycompany.com/api/',
+            serviceFamily: 'gitlab',
         });
-        it('should return error for unknown service', () => {
-            const result = runCli(['services', 'info', 'unknown-service'], testEnv);
-            expect(result.exitCode).toBe(1);
-            expect(result.stderr).toContain('Unknown service');
+        deleteRegisteredService(configPath, 'my-gitlab');
+        const content = JSON.parse(readFileSync(configPath, 'utf-8'));
+        expect(content.browser).toEqual({ executablePath: '/usr/bin/chrome' });
+    });
+});
+// Integration tests that run the actual CLI binary.
+// Only tests that exercise behavior not covered by the DI unit tests above.
+describe.skipIf(!cliPath)('CLI integration tests (subprocess)', () => {
+    let tempDir;
+    let testEnv;
+    beforeEach(() => {
+        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-cli-test-'));
+        testEnv = {
+            LATCHKEY_DIRECTORY: tempDir,
+        };
+    });
+    afterEach(() => {
+        rmSync(tempDir, { recursive: true, force: true });
+    });
+    it('should return non-zero exit code for unknown service URL', () => {
+        const result = runCli(['curl', 'https://unknown-api.example.com'], testEnv);
+        expect(result.exitCode).toBe(1);
+    });
+    it('should return error when browser is disabled via LATCHKEY_DISABLE_BROWSER', () => {
+        const result = runCli(['auth', 'browser', 'slack'], {
+            ...testEnv,
+            LATCHKEY_DISABLE_BROWSER: '1',
         });
+        expect(result.exitCode).toBe(1);
+    });
+    it('should list services as JSON', () => {
+        const result = runCli(['services', 'list'], testEnv);
+        expect(result.exitCode).toBe(0);
+        const services = JSON.parse(result.stdout.trim());
+        expect(services).toContain('slack');
+        expect(services).toContain('github');
     });
 });
 //# sourceMappingURL=cli.test.js.map