manage-tuurio-id 0.1.0

package/README.md

@@ -0,0 +1,47 @@
+# manage-tuurio-id
+
+Interactive CLI wizard for scaffolding projects and provisioning Tuurio ID setup through short-lived tokens.
+
+## Run
+
+```bash
+npx manage-tuurio-id@latest
+```
+
+## Dev-only host override
+
+For local development only (source runtime), you can override the Tuurio host:
+
+```bash
+pnpm --dir create-tuurio-app dev -- --tuurio-host id.localhost:8080
+```
+
+The wizard asks for `tenantId` first and opens:
+`http://<tenantId>.id.localhost:8080/admin/provisioning/cli`
+(for localhost-style hosts).
+
+`--tuurio-host` is intentionally disabled in published builds.
+
+Wizard start flow:
+- `Do you already have a tenant ID?`
+- `yes` -> asks for tenant ID
+- `no` -> asks for organization/name/email/password/subdomain and uses subdomain as tenant host
+- For `no`, CLI runs a server-side signup preflight (`/cli/v1/provisioning/signup/preflight`) before opening browser
+- Browser entry uses `/login?sso=manual&return=/admin/provisioning/cli?mode=...&tenantId=...`
+- After login, the provisioning page auto-generates and displays the bootstrap token directly for copy
+
+## Generated credentials
+
+- SPA provisioning creates a new client and prints generated credentials (`client ID` and `client secret`).
+- After creation, the CLI asks if it should download the matching sample from:
+  - `https://github.com/Tuurio/auth_samples`
+- If you confirm, it downloads the framework sample (`React`, `Vue`, or `Angular`) and writes a local `.env`
+  populated with the values that were just generated.
+- Treat generated `.env` files as secrets and move values to your secret manager before production.
+
+## Security model
+
+- Provisioning requires a short-lived bootstrap token generated from the authenticated admin portal.
+- Bootstrap tokens are one-time and exchanged for short-lived session tokens.
+- Create operations require `Idempotency-Key` and are processed idempotently server-side.
+- CLI uses retry with exponential backoff for transient network and HTTP failures.

package/dist/index.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/index.js

@@ -0,0 +1,1298 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { randomUUID } from "crypto";
+import { spawn } from "child_process";
+import { cp, mkdir, mkdtemp, readFile, readdir, rm, unlink, writeFile } from "fs/promises";
+import { homedir, tmpdir } from "os";
+import path from "path";
+import kleur2 from "kleur";
+import open from "open";
+import ora from "ora";
+import prompts from "prompts";
+import { z } from "zod";
+
+// src/http.ts
+import { fetch } from "undici";
+import kleur from "kleur";
+var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([408, 409, 425, 429, 500, 502, 503, 504]);
+var RequestError = class extends Error {
+  retryable;
+  constructor(message, retryable = false) {
+    super(message);
+    this.retryable = retryable;
+  }
+};
+async function requestJson(opts) {
+  const retries = opts.retries ?? 4;
+  const headers = {
+    "content-type": "application/json",
+    ...opts.headers ?? {}
+  };
+  let attempt = 0;
+  while (true) {
+    attempt += 1;
+    try {
+      const res = await fetch(opts.url, {
+        method: opts.method,
+        headers,
+        body: opts.body === void 0 ? void 0 : JSON.stringify(opts.body)
+      });
+      const text = await res.text();
+      const parsed = text ? tryParseJson(text) : void 0;
+      if (!res.ok) {
+        const message = extractErrorMessage(parsed) ?? `${res.status} ${res.statusText}`;
+        const retryable = RETRYABLE_STATUSES.has(res.status);
+        if (attempt <= retries && retryable) {
+          await sleep(backoffDelayMs(attempt));
+          continue;
+        }
+        throw new RequestError(message, retryable);
+      }
+      if (parsed === void 0) {
+        throw new Error("Empty response payload");
+      }
+      const envelope = parsed;
+      return envelope.data ?? parsed;
+    } catch (err) {
+      if (err instanceof RequestError && !err.retryable) {
+        throw err;
+      }
+      if (attempt > retries) {
+        throw err;
+      }
+      const message = err instanceof Error ? err.message : String(err);
+      process.stderr.write(kleur.yellow(`Retrying request (${attempt}/${retries}) due to: ${message}
+`));
+      await sleep(backoffDelayMs(attempt));
+    }
+  }
+}
+function tryParseJson(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return void 0;
+  }
+}
+function extractErrorMessage(parsed) {
+  if (!parsed || typeof parsed !== "object") return void 0;
+  const rec = parsed;
+  if (typeof rec.message === "string" && rec.message.trim()) return rec.message;
+  if (typeof rec.error === "string" && rec.error.trim()) return rec.error;
+  const data = rec.data;
+  if (data && typeof data.message === "string" && data.message.trim()) return data.message;
+  return void 0;
+}
+function backoffDelayMs(attempt) {
+  const base = 300 * Math.pow(2, attempt - 1);
+  const jitter = Math.floor(Math.random() * 120);
+  return Math.min(5e3, base + jitter);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/index.ts
+var tokenSchema = z.string().min(12);
+var colorSchema = z.string().regex(/^#([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/, "Expected a valid hex color like #2563EB");
+var urlSchema = z.string().url();
+var tenantIdSchema = z.string().regex(/^[a-z0-9-]{6,30}$/, "Use 6-30 lowercase letters, numbers, or hyphens");
+var SESSION_FILE = path.join(homedir(), ".tuurio", "manage-tuurio-id-session.json");
+var AUTH_SAMPLES_REPO_URL = "https://github.com/Tuurio/auth_samples.git";
+async function main() {
+  printHeader();
+  const cliArgs = parseCliArgs(process.argv.slice(2));
+  const portalBaseUrl = cliArgs.tuurioHost ? buildPortalBaseUrlFromHost(cliArgs.tuurioHost) : "https://id.tuurio.com";
+  const apiBaseUrl = deriveApiBaseUrl(portalBaseUrl);
+  if (cliArgs.tuurioHost) {
+    process.stdout.write(kleur2.gray(`Using dev host override: ${portalBaseUrl}
+`));
+  }
+  const reusedSession = await resolveSavedSession(apiBaseUrl);
+  const activeSession = reusedSession ?? await runBootstrapStartMenu({
+    apiBaseUrl,
+    portalBaseUrl
+  });
+  if (!activeSession) {
+    process.stdout.write(kleur2.gray("Bye.\n"));
+    return;
+  }
+  await runMainMenu({
+    apiBaseUrl,
+    portalBaseUrl,
+    session: activeSession
+  });
+}
+async function runBootstrapStartMenu(args) {
+  for (; ; ) {
+    const { action } = await prompts(
+      {
+        type: "select",
+        name: "action",
+        message: "Get started",
+        choices: [
+          { title: "Login", value: "login" },
+          { title: "New", value: "new" },
+          { title: "Website", value: "website" },
+          { title: "Exit", value: "exit" }
+        ]
+      },
+      { onCancel: () => process.exit(1) }
+    );
+    if (action === "login") {
+      return performLoginFlow(args);
+    }
+    if (action === "new") {
+      return performNewTenantSignupFlow(args);
+    }
+    if (action === "website") {
+      await openPortal(args.portalBaseUrl);
+      continue;
+    }
+    if (action === "exit") {
+      return null;
+    }
+  }
+}
+async function runMainMenu(args) {
+  let activeSession = args.session;
+  for (; ; ) {
+    printSessionInfo(activeSession.status);
+    const { action } = await prompts(
+      {
+        type: "select",
+        name: "action",
+        message: "Choose an action",
+        choices: [
+          { title: "Create new SPA client", value: "createSpa" },
+          { title: "Create server-side web app client", value: "createServerWeb" },
+          {
+            title: "Edit tenant settings",
+            value: "editTenantSettings",
+            disabled: !activeSession.status.canEditTenantSettings ? "Missing org:admin permission" : void 0
+          },
+          { title: "More settings (open admin portal)", value: "moreSettings" },
+          { title: "Refresh session status", value: "refreshStatus" },
+          { title: "Logout", value: "logout" },
+          { title: "Exit", value: "exit" }
+        ]
+      },
+      { onCancel: () => process.exit(1) }
+    );
+    if (action === "createSpa") {
+      await createSpaClient(activeSession, args.apiBaseUrl);
+      continue;
+    }
+    if (action === "createServerWeb") {
+      await createServerWebAppClient(activeSession, args.apiBaseUrl);
+      continue;
+    }
+    if (action === "editTenantSettings") {
+      await editTenantSettings(activeSession, args.apiBaseUrl);
+      continue;
+    }
+    if (action === "moreSettings") {
+      await openMoreSettings(activeSession.status.tenantAdminEditUrl);
+      continue;
+    }
+    if (action === "refreshStatus") {
+      activeSession = await refreshActiveSession(args.apiBaseUrl, activeSession.sessionToken);
+      await saveSession({
+        sessionToken: activeSession.sessionToken,
+        apiBaseUrl: args.apiBaseUrl,
+        savedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        lastKnownExpiresAt: activeSession.status.expiresAt,
+        tenantId: activeSession.status.tenantId
+      });
+      continue;
+    }
+    if (action === "logout") {
+      await logout(args.apiBaseUrl, activeSession.sessionToken);
+      await clearSavedSession();
+      process.stdout.write(kleur2.green("Logged out. Local session removed.\n"));
+      return;
+    }
+    if (action === "exit") {
+      process.stdout.write(kleur2.gray("Bye.\n"));
+      return;
+    }
+  }
+}
+async function createSpaClient(activeSession, apiBaseUrl) {
+  const { targetSpa } = await prompts(
+    {
+      type: "select",
+      name: "targetSpa",
+      message: "Which SPA sample do you want to create?",
+      choices: [
+        { title: "Angular SPA", value: "ANGULAR_SPA" },
+        { title: "Vue SPA", value: "VUE_SPA" },
+        { title: "React SPA", value: "REACT_SPA" }
+      ]
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const framework = targetSpa;
+  const frameworkSlug = frameworkSlugFor(framework);
+  const { projectName } = await prompts(
+    {
+      type: "text",
+      name: "projectName",
+      message: "Project name for generated sample",
+      initial: `${activeSession.status.tenantId}-${frameworkSlug}-sample`,
+      validate: (value) => value.trim().length >= 2 ? true : "Project name is required"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const spinner = ora(`Creating ${frameworkSlug} client + sample scaffold...`).start();
+  let scaffold;
+  try {
+    scaffold = await requestJson({
+      method: "POST",
+      url: `${apiBaseUrl}/cli/v1/provisioning/scaffold`,
+      headers: {
+        Authorization: `Bearer ${activeSession.sessionToken}`,
+        "Idempotency-Key": randomUUID()
+      },
+      body: {
+        projectName: projectName.trim(),
+        frameworks: [framework],
+        enableWebhooks: false,
+        addApiIntegration: false
+      }
+    });
+    spinner.succeed("Client created.");
+  } catch (err) {
+    spinner.fail("SPA client creation failed.");
+    throw err;
+  }
+  const envPath = `apps/${frameworkSlug}/.env`;
+  const envFile = scaffold.files.find((file) => file.path === envPath);
+  const envMap = parseEnvFile(envFile?.content ?? "");
+  const clientId = envMap.TUURIO_CLIENT_ID ?? "";
+  process.stdout.write(`
+${kleur2.bold("Generated SPA client")}
+`);
+  process.stdout.write(`Client ID: ${kleur2.cyan(clientId || "(not returned)")}
+`);
+  process.stdout.write(kleur2.gray("Client secret is intentionally not shown for SPA templates.\n"));
+  const { shouldWriteSample } = await prompts(
+    {
+      type: "toggle",
+      name: "shouldWriteSample",
+      message: "Download matching auth_samples template from GitHub and configure .env?",
+      initial: true,
+      active: "yes",
+      inactive: "no"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  if (!shouldWriteSample) {
+    process.stdout.write(kleur2.gray("Skipped sample download.\n"));
+    return;
+  }
+  const { outputDir } = await prompts(
+    {
+      type: "text",
+      name: "outputDir",
+      message: "Output directory",
+      initial: `./${activeSession.status.tenantId}-${frameworkSlug}-sample`
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const outputRoot = path.resolve(process.cwd(), outputDir.trim());
+  await downloadSampleFromGithub(framework, outputRoot);
+  await writeSpaSampleEnvFile(outputRoot, framework, envMap);
+  process.stdout.write(kleur2.green(`Sample downloaded and configured at ${outputRoot}
+`));
+}
+async function createServerWebAppClient(activeSession, apiBaseUrl) {
+  const { targetServer } = await prompts(
+    {
+      type: "select",
+      name: "targetServer",
+      message: "Which server-side web sample do you want to create?",
+      choices: [
+        { title: "Node.js", value: "NODE_JS_WEB" },
+        { title: "Python", value: "PYTHON_WEB" },
+        { title: "Java / Spring", value: "SPRING_WEB" },
+        { title: "Go", value: "GO_WEB" },
+        { title: "PHP", value: "PHP_WEB" }
+      ]
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const framework = targetServer;
+  const frameworkSlug = frameworkSlugFor(framework);
+  const { projectName } = await prompts(
+    {
+      type: "text",
+      name: "projectName",
+      message: "Project name for generated sample",
+      initial: `${activeSession.status.tenantId}-${frameworkSlug}-sample`,
+      validate: (value) => value.trim().length >= 2 ? true : "Project name is required"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const { enableWebhooks } = await prompts(
+    {
+      type: "toggle",
+      name: "enableWebhooks",
+      message: "Create active webhook (API key header auth + all events)?",
+      initial: true,
+      active: "yes",
+      inactive: "no"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const spinner = ora(`Creating ${frameworkSlug} client${enableWebhooks ? " + webhook" : ""}...`).start();
+  let scaffold;
+  try {
+    scaffold = await requestJson({
+      method: "POST",
+      url: `${apiBaseUrl}/cli/v1/provisioning/scaffold`,
+      headers: {
+        Authorization: `Bearer ${activeSession.sessionToken}`,
+        "Idempotency-Key": randomUUID()
+      },
+      body: {
+        projectName: projectName.trim(),
+        frameworks: [framework],
+        enableWebhooks: Boolean(enableWebhooks),
+        addApiIntegration: false
+      }
+    });
+    spinner.succeed("Server-side web app client created.");
+  } catch (err) {
+    spinner.fail("Server-side web app client creation failed.");
+    throw err;
+  }
+  const envPath = `apps/${frameworkSlug}/.env`;
+  const envFile = scaffold.files.find((file) => file.path === envPath);
+  const envMap = parseEnvFile(envFile?.content ?? "");
+  const clientId = envMap.TUURIO_CLIENT_ID ?? "";
+  const clientSecret = envMap.TUURIO_CLIENT_SECRET ?? "";
+  process.stdout.write(`
+${kleur2.bold("Generated client credentials")}
+`);
+  process.stdout.write(`Client ID: ${kleur2.cyan(clientId || "(not returned)")}
+`);
+  process.stdout.write(`Client Secret: ${kleur2.cyan(clientSecret || "(not returned)")}
+`);
+  if (enableWebhooks) {
+    process.stdout.write(`
+${kleur2.bold("Generated webhook configuration")}
+`);
+    process.stdout.write(`Webhook ID: ${kleur2.cyan(envMap.TUURIO_WEBHOOK_ID ?? "(not returned)")}
+`);
+    process.stdout.write(`Auth header: ${kleur2.cyan(envMap.TUURIO_WEBHOOK_API_KEY_HEADER ?? "(not returned)")}
+`);
+    process.stdout.write(`Auth value: ${kleur2.cyan(envMap.TUURIO_WEBHOOK_API_KEY ?? "(not returned)")}
+`);
+    process.stdout.write(`Edit URL: ${kleur2.cyan(envMap.TUURIO_WEBHOOK_EDIT_URL ?? "(not returned)")}
+`);
+    process.stdout.write(
+      kleur2.yellow(
+        "Webhook endpoint URL must be updated after deployment in the admin UI (edit URL above).\n"
+      )
+    );
+  }
+  const { shouldWriteSample } = await prompts(
+    {
+      type: "toggle",
+      name: "shouldWriteSample",
+      message: "Download matching auth_samples template from GitHub and configure .env?",
+      initial: true,
+      active: "yes",
+      inactive: "no"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  if (!shouldWriteSample) {
+    process.stdout.write(kleur2.gray("Skipped sample download.\n"));
+    return;
+  }
+  const { outputDir } = await prompts(
+    {
+      type: "text",
+      name: "outputDir",
+      message: "Output directory",
+      initial: `./${activeSession.status.tenantId}-${frameworkSlug}-sample`
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const outputRoot = path.resolve(process.cwd(), outputDir.trim());
+  await downloadSampleFromGithub(framework, outputRoot);
+  await writeServerSampleEnvFile(outputRoot, framework, envMap);
+  process.stdout.write(kleur2.green(`Sample downloaded and configured at ${outputRoot}
+`));
+}
+async function editTenantSettings(activeSession, apiBaseUrl) {
+  const current = await requestJson({
+    method: "GET",
+    url: `${apiBaseUrl}/cli/v1/provisioning/tenant/settings`,
+    headers: {
+      Authorization: `Bearer ${activeSession.sessionToken}`
+    }
+  });
+  const answers = await prompts(
+    [
+      {
+        type: "text",
+        name: "name",
+        message: "Tenant name",
+        initial: current.name ?? ""
+      },
+      {
+        type: "text",
+        name: "headline",
+        message: "Login headline",
+        initial: current.headline ?? ""
+      },
+      {
+        type: "text",
+        name: "logoUrl",
+        message: "Logo URL (optional)",
+        initial: current.logoUrl ?? "",
+        validate: (value) => {
+          const trimmed = value.trim();
+          if (!trimmed) return true;
+          return urlSchema.safeParse(trimmed).success ? true : "Enter a valid URL";
+        }
+      },
+      {
+        type: "text",
+        name: "primaryColor",
+        message: "Primary color (hex)",
+        initial: current.primaryColor,
+        validate: (value) => colorSchema.safeParse(value.trim()).success ? true : "Expected #RRGGBB or #RGB"
+      },
+      {
+        type: "toggle",
+        name: "registrationAllowed",
+        message: "Allow public registration?",
+        initial: current.registrationAllowed,
+        active: "yes",
+        inactive: "no"
+      },
+      {
+        type: "toggle",
+        name: "fourEyesPrinciple",
+        message: "Enable 4-eyes principle (admin approval required)?",
+        initial: current.fourEyesPrinciple,
+        active: "yes",
+        inactive: "no"
+      },
+      {
+        type: "number",
+        name: "passwordMinLength",
+        message: "Minimum password length",
+        initial: current.passwordMinLength,
+        validate: (value) => {
+          if (!Number.isFinite(value)) return "Enter a valid number";
+          if (value < 8 || value > 128) return "Value must be between 8 and 128";
+          return true;
+        }
+      }
+    ],
+    { onCancel: () => process.exit(1) }
+  );
+  const payload = {
+    name: toNullableString(answers.name),
+    headline: toNullableString(answers.headline),
+    logoUrl: toNullableString(answers.logoUrl),
+    primaryColor: String(answers.primaryColor).trim(),
+    registrationAllowed: Boolean(answers.registrationAllowed),
+    fourEyesPrinciple: Boolean(answers.fourEyesPrinciple),
+    passwordMinLength: Number(answers.passwordMinLength)
+  };
+  const spinner = ora("Saving tenant settings...").start();
+  let updated;
+  try {
+    updated = await requestJson({
+      method: "PUT",
+      url: `${apiBaseUrl}/cli/v1/provisioning/tenant/settings`,
+      headers: {
+        Authorization: `Bearer ${activeSession.sessionToken}`
+      },
+      body: payload
+    });
+    spinner.succeed("Tenant settings updated.");
+  } catch (err) {
+    spinner.fail("Updating tenant settings failed.");
+    throw err;
+  }
+  process.stdout.write(`Updated tenant: ${kleur2.bold(updated.tenantId)}
+`);
+}
+async function resolveSavedSession(apiBaseUrl) {
+  const stored = await loadSession();
+  if (!stored) {
+    return null;
+  }
+  if (normalizeBaseUrl(stored.apiBaseUrl) !== normalizeBaseUrl(apiBaseUrl)) {
+    process.stdout.write(kleur2.gray("Stored session belongs to a different Tuurio host. Ignoring it.\n"));
+    return null;
+  }
+  try {
+    const active = await refreshActiveSession(apiBaseUrl, stored.sessionToken);
+    process.stdout.write(
+      kleur2.green(
+        `Reused saved session for tenant '${active.status.tenantId}'. Expires: ${active.status.expiresAt}
+`
+      )
+    );
+    return active;
+  } catch (err) {
+    await clearSavedSession();
+    const message = err instanceof Error ? err.message : String(err);
+    process.stdout.write(kleur2.yellow(`Saved session is no longer valid: ${message}
+`));
+    return null;
+  }
+}
+async function performLoginFlow(args) {
+  process.stdout.write(kleur2.gray("Generate a bootstrap token for an existing tenant.\n"));
+  const { tenantId } = await prompts(
+    {
+      type: "text",
+      name: "tenantId",
+      message: "Tenant ID (subdomain)",
+      validate: (value) => tenantIdSchema.safeParse(normalizeTenantId(value)).success ? true : "Use 6-30 lowercase letters, numbers, or hyphens"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const normalizedTenantId = normalizeTenantId(tenantId);
+  const loginUrl = buildProvisioningLoginUrl(args.portalBaseUrl, "EXISTING", normalizedTenantId);
+  await openPortal(loginUrl);
+  const bootstrapToken = await promptBootstrapTokenFromBrowser();
+  return establishSessionFromBootstrap(args.apiBaseUrl, bootstrapToken);
+}
+async function performNewTenantSignupFlow(args) {
+  const profileAnswers = await prompts(
+    [
+      {
+        type: "text",
+        name: "organizationName",
+        message: "Company name",
+        validate: (value) => value.trim().length >= 2 ? true : "Company name must be at least 2 characters"
+      },
+      {
+        type: "text",
+        name: "firstName",
+        message: "First name",
+        validate: (value) => value.trim().length >= 2 ? true : "First name must be at least 2 characters"
+      },
+      {
+        type: "text",
+        name: "lastName",
+        message: "Last name",
+        validate: (value) => value.trim().length >= 2 ? true : "Last name must be at least 2 characters"
+      },
+      {
+        type: "text",
+        name: "email",
+        message: "Email",
+        validate: (value) => z.string().email().safeParse(value.trim()).success ? true : "Enter a valid email"
+      },
+      {
+        type: "password",
+        name: "password",
+        message: "Password",
+        validate: (value) => value.trim().length >= 8 ? true : "Password must be at least 8 characters"
+      }
+    ],
+    { onCancel: () => process.exit(1) }
+  );
+  const { passwordRepeat } = await prompts(
+    {
+      type: "password",
+      name: "passwordRepeat",
+      message: "Repeat password",
+      validate: (value) => String(profileAnswers.password ?? "") === value ? true : "Passwords do not match"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  const accountEmail = String(profileAnswers.email).trim().toLowerCase();
+  const tenantSetupAnswers = await prompts(
+    [
+      {
+        type: "text",
+        name: "primaryColor",
+        message: "Primary color (hex)",
+        initial: "#3b82f6",
+        validate: (value) => colorSchema.safeParse(value.trim()).success ? true : "Expected #RRGGBB or #RGB"
+      },
+      {
+        type: "toggle",
+        name: "registrationAllowed",
+        message: "Registration available?",
+        initial: false,
+        active: "yes",
+        inactive: "no"
+      },
+      {
+        type: (_prev, values) => values.registrationAllowed ? "toggle" : null,
+        name: "fourEyesPrinciple",
+        message: "Admin approval required?",
+        initial: true,
+        active: "yes",
+        inactive: "no"
+      },
+      {
+        type: "text",
+        name: "imprintUrl",
+        message: "Imprint URL (optional)",
+        validate: validateOptionalUrlPrompt
+      },
+      {
+        type: "text",
+        name: "privacyUrl",
+        message: "Privacy URL (optional)",
+        validate: validateOptionalUrlPrompt
+      },
+      {
+        type: (_prev, values) => toNullableString(values.privacyUrl) ? "text" : null,
+        name: "privacyVersion",
+        message: "Privacy version (optional)",
+        validate: (value) => value.trim().length <= 100 ? true : "Privacy version must be <= 100 characters"
+      },
+      {
+        type: "text",
+        name: "termsUrl",
+        message: "Terms URL (optional)",
+        validate: validateOptionalUrlPrompt
+      },
+      {
+        type: (_prev, values) => toNullableString(values.termsUrl) ? "text" : null,
+        name: "termsVersion",
+        message: "Terms version (optional)",
+        validate: (value) => value.trim().length <= 100 ? true : "Terms version must be <= 100 characters"
+      },
+      {
+        type: "text",
+        name: "supportEmail",
+        message: "Contact support email (leave empty to use account email)",
+        initial: accountEmail,
+        validate: (value) => {
+          const normalized = value.trim();
+          if (!normalized) return true;
+          return z.string().email().safeParse(normalized).success ? true : "Enter a valid email";
+        }
+      }
+    ],
+    { onCancel: () => process.exit(1) }
+  );
+  const tenantSetup = {
+    name: String(profileAnswers.organizationName).trim(),
+    primaryColor: String(tenantSetupAnswers.primaryColor).trim(),
+    registrationAllowed: Boolean(tenantSetupAnswers.registrationAllowed),
+    fourEyesPrinciple: Boolean(tenantSetupAnswers.registrationAllowed) && Boolean(tenantSetupAnswers.fourEyesPrinciple),
+    imprintUrl: toNullableString(tenantSetupAnswers.imprintUrl),
+    privacyUrl: toNullableString(tenantSetupAnswers.privacyUrl),
+    privacyVersion: toNullableString(tenantSetupAnswers.privacyVersion),
+    termsUrl: toNullableString(tenantSetupAnswers.termsUrl),
+    termsVersion: toNullableString(tenantSetupAnswers.termsVersion),
+    supportEmail: toNullableString(tenantSetupAnswers.supportEmail) ?? accountEmail
+  };
+  if (!tenantSetup.privacyUrl) {
+    tenantSetup.privacyVersion = null;
+  }
+  if (!tenantSetup.termsUrl) {
+    tenantSetup.termsVersion = null;
+  }
+  for (; ; ) {
+    const { tenantId } = await prompts(
+      {
+        type: "text",
+        name: "tenantId",
+        message: "Subdomain / tenant ID",
+        validate: (value) => tenantIdSchema.safeParse(normalizeTenantId(value)).success ? true : "Use 6-30 lowercase letters, numbers, or hyphens"
+      },
+      { onCancel: () => process.exit(1) }
+    );
+    const normalizedTenantId = normalizeTenantId(String(tenantId));
+    const availability = await requestJson({
+      method: "POST",
+      url: `${args.apiBaseUrl}/cli/v1/provisioning/tenant/check`,
+      body: { tenantId: normalizedTenantId }
+    });
+    if (!availability.available) {
+      process.stdout.write(
+        kleur2.yellow(`Subdomain '${normalizedTenantId}' is already taken. Please choose another one.
+`)
+      );
+      continue;
+    }
+    const spinner = ora("Creating tenant and admin account...").start();
+    let signup;
+    try {
+      signup = await requestJson({
+        method: "POST",
+        url: `${args.apiBaseUrl}/cli/v1/provisioning/signup`,
+        body: {
+          tenantId: normalizedTenantId,
+          organizationName: String(profileAnswers.organizationName).trim(),
+          firstName: String(profileAnswers.firstName).trim(),
+          lastName: String(profileAnswers.lastName).trim(),
+          email: String(profileAnswers.email).trim().toLowerCase(),
+          password: String(profileAnswers.password),
+          passwordRepeat: String(passwordRepeat)
+        }
+      });
+      spinner.succeed("Tenant created.");
+    } catch (err) {
+      spinner.fail("Tenant creation failed.");
+      throw err;
+    }
+    const activeSession = await establishSessionFromBootstrap(args.apiBaseUrl, signup.bootstrapToken);
+    await applyNewFlowTenantSettings(activeSession, args.apiBaseUrl, tenantSetup);
+    process.stdout.write(kleur2.gray("Bootstrap token exchanged automatically. No web login required.\n"));
+    return activeSession;
+  }
+}
+async function applyNewFlowTenantSettings(activeSession, apiBaseUrl, tenantSetup) {
+  const current = await requestJson({
+    method: "GET",
+    url: `${apiBaseUrl}/cli/v1/provisioning/tenant/settings`,
+    headers: {
+      Authorization: `Bearer ${activeSession.sessionToken}`
+    }
+  });
+  const payload = {
+    name: tenantSetup.name,
+    headline: current.headline ?? null,
+    logoUrl: current.logoUrl ?? null,
+    imprintUrl: tenantSetup.imprintUrl,
+    privacyUrl: tenantSetup.privacyUrl,
+    privacyVersion: tenantSetup.privacyUrl ? tenantSetup.privacyVersion : null,
+    termsUrl: tenantSetup.termsUrl,
+    termsVersion: tenantSetup.termsUrl ? tenantSetup.termsVersion : null,
+    supportEmail: tenantSetup.supportEmail,
+    primaryColor: tenantSetup.primaryColor,
+    registrationAllowed: tenantSetup.registrationAllowed,
+    fourEyesPrinciple: tenantSetup.registrationAllowed ? tenantSetup.fourEyesPrinciple : false,
+    passwordMinLength: current.passwordMinLength
+  };
+  const spinner = ora("Applying tenant setup...").start();
+  try {
+    await requestJson({
+      method: "PUT",
+      url: `${apiBaseUrl}/cli/v1/provisioning/tenant/settings`,
+      headers: {
+        Authorization: `Bearer ${activeSession.sessionToken}`
+      },
+      body: payload
+    });
+    spinner.succeed("Tenant setup applied.");
+  } catch (err) {
+    spinner.fail("Applying tenant setup failed.");
+    throw err;
+  }
+}
+async function promptBootstrapTokenFromBrowser() {
+  const { bootstrapToken } = await prompts(
+    {
+      type: "password",
+      name: "bootstrapToken",
+      message: "Paste bootstrap token from browser",
+      validate: (value) => tokenSchema.safeParse(value.trim()).success ? true : "Token looks too short"
+    },
+    { onCancel: () => process.exit(1) }
+  );
+  return String(bootstrapToken).trim();
+}
+async function establishSessionFromBootstrap(apiBaseUrl, bootstrapToken) {
+  const exchange = await exchangeBootstrap(apiBaseUrl, bootstrapToken.trim());
+  const activeSession = await refreshActiveSession(apiBaseUrl, exchange.sessionToken);
+  await saveSession({
+    sessionToken: exchange.sessionToken,
+    apiBaseUrl,
+    savedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    lastKnownExpiresAt: activeSession.status.expiresAt,
+    tenantId: activeSession.status.tenantId
+  });
+  process.stdout.write(
+    kleur2.green(
+      `Session established for tenant '${activeSession.status.tenantId}'. Expires: ${activeSession.status.expiresAt}
+`
+    )
+  );
+  return activeSession;
+}
+async function refreshActiveSession(apiBaseUrl, sessionToken) {
+  const status = await requestJson({
+    method: "GET",
+    url: `${apiBaseUrl}/cli/v1/provisioning/session/status`,
+    headers: {
+      Authorization: `Bearer ${sessionToken}`
+    }
+  });
+  return { sessionToken, status };
+}
+async function exchangeBootstrap(baseUrl, bootstrapToken) {
+  const spinner = ora("Exchanging bootstrap token...").start();
+  try {
+    const response = await requestJson({
+      method: "POST",
+      url: `${baseUrl}/cli/v1/provisioning/session/exchange`,
+      body: { bootstrapToken }
+    });
+    spinner.succeed("Bootstrap token exchanged.");
+    return response;
+  } catch (err) {
+    spinner.fail("Bootstrap token exchange failed.");
+    throw err;
+  }
+}
+async function openMoreSettings(url) {
+  const spinner = ora("Opening tenant settings in browser...").start();
+  try {
+    await open(url);
+    spinner.succeed("Browser opened.");
+  } catch {
+    spinner.warn(`Could not open browser automatically. Open manually: ${url}`);
+  }
+}
+async function openPortal(portalUrl) {
+  const spinner = ora("Opening browser...").start();
+  try {
+    await open(portalUrl);
+    spinner.succeed("Browser opened. Login and generate your bootstrap token.");
+  } catch {
+    spinner.warn(`Could not open browser automatically. Open this URL manually: ${portalUrl}`);
+  }
+}
+async function logout(apiBaseUrl, sessionToken) {
+  try {
+    const response = await requestJson({
+      method: "POST",
+      url: `${apiBaseUrl}/cli/v1/provisioning/session/logout`,
+      headers: {
+        Authorization: `Bearer ${sessionToken}`
+      }
+    });
+    if (response.revoked) {
+      process.stdout.write(kleur2.gray("Server-side session revoked.\n"));
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    process.stdout.write(kleur2.yellow(`Logout request failed: ${message}
+`));
+  }
+}
+function printSessionInfo(status) {
+  process.stdout.write(`
+${kleur2.bold("Active tenant")}: ${status.tenantId}
+`);
+  process.stdout.write(`Tier: ${status.paymentTier}
+`);
+  process.stdout.write(`Session expires: ${status.expiresAt}
+`);
+  process.stdout.write(`Existing clients: ${status.existingClients.length}
+`);
+}
+function buildProvisioningLoginUrl(portalBaseUrl, mode, tenantId, options) {
+  const normalizedTenantId = normalizeTenantId(tenantId);
+  const tenantPortalBaseUrl = buildTenantPortalBaseUrl(portalBaseUrl, normalizedTenantId);
+  const returnUrl = new URL("/admin/provisioning/cli", tenantPortalBaseUrl);
+  returnUrl.searchParams.set("mode", mode);
+  returnUrl.searchParams.set("tenantId", normalizedTenantId);
+  const loginUrl = new URL("/login", tenantPortalBaseUrl);
+  loginUrl.searchParams.set("sso", "manual");
+  loginUrl.searchParams.set("tenantId", normalizedTenantId);
+  const returnPathAndQuery = options?.returnPathAndQuery ?? `${returnUrl.pathname}${returnUrl.search}`;
+  loginUrl.searchParams.set("return", returnPathAndQuery);
+  const prefillEmail = options?.prefillEmail?.trim();
+  if (prefillEmail) {
+    loginUrl.searchParams.set("email", prefillEmail);
+  }
+  return loginUrl.toString();
+}
+function normalizeTenantId(value) {
+  return value.trim().toLowerCase();
+}
+function buildTenantPortalBaseUrl(portalBaseUrl, tenantId) {
+  const parsed = new URL(normalizeBaseUrl(portalBaseUrl));
+  const hostname = parsed.hostname.trim();
+  if (!hostname) {
+    return normalizeBaseUrl(portalBaseUrl);
+  }
+  const isIpAddress = /^(?:\d{1,3}\.){3}\d{1,3}$/.test(hostname) || hostname === "localhost" || hostname.startsWith("127.") || hostname === "0.0.0.0";
+  const hostWithTenant = isIpAddress ? hostname : `${tenantId}.${hostname}`;
+  const host = parsed.port ? `${hostWithTenant}:${parsed.port}` : hostWithTenant;
+  return `${parsed.protocol}//${host}`;
+}
+function parseCliArgs(argv) {
+  let tuurioHost;
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === "--tuurio-host") {
+      const value = argv[index + 1];
+      if (!value || value.startsWith("--")) {
+        throw new Error("Missing value for --tuurio-host");
+      }
+      tuurioHost = value.trim();
+      index += 1;
+      continue;
+    }
+    if (arg.startsWith("--tuurio-host=")) {
+      tuurioHost = arg.slice("--tuurio-host=".length).trim();
+    }
+  }
+  return { tuurioHost };
+}
+function buildPortalBaseUrlFromHost(hostOverride) {
+  if (!isDevRuntime()) {
+    throw new Error("--tuurio-host is only available in local dev runtime and disabled in published builds.");
+  }
+  const raw = hostOverride.trim();
+  if (!raw) {
+    throw new Error("Host override must not be empty.");
+  }
+  const hasScheme = /^[a-zA-Z][a-zA-Z\d+\-.]*:\/\//.test(raw);
+  const useHttp = /(localhost|127\.0\.0\.1|0\.0\.0\.0)/i.test(raw);
+  const candidate = hasScheme ? raw : `${useHttp ? "http" : "https"}://${raw}`;
+  if (!urlSchema.safeParse(candidate).success) {
+    throw new Error(`Invalid --tuurio-host value: '${hostOverride}'`);
+  }
+  const parsed = new URL(candidate);
+  const hostWithPort = parsed.port ? `${parsed.hostname}:${parsed.port}` : parsed.hostname;
+  return `${parsed.protocol}//${hostWithPort}`;
+}
+function isDevRuntime() {
+  if (process.env.TUURIO_CLI_DEV === "1") return true;
+  const argvEntry = process.argv[1] ?? "";
+  const fromSrcPath = /(^|[\\/])src([\\/]|$)/.test(argvEntry);
+  const fromSrcUrl = /(^|[\\/])src([\\/]|$)/.test(import.meta.url);
+  return fromSrcPath || fromSrcUrl;
+}
+function frameworkSlugFor(framework) {
+  switch (framework) {
+    case "ANGULAR_SPA":
+      return "angular-spa";
+    case "REACT_SPA":
+      return "react-spa";
+    case "VUE_SPA":
+      return "vue-spa";
+    default:
+      return framework.toLowerCase().replaceAll("_", "-");
+  }
+}
+function parseEnvFile(content) {
+  const parsed = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const separator = trimmed.indexOf("=");
+    if (separator <= 0) continue;
+    const key = trimmed.slice(0, separator).trim();
+    const value = trimmed.slice(separator + 1).trim();
+    parsed[key] = value;
+  }
+  return parsed;
+}
+function authSamplesDirectoryFor(framework) {
+  switch (framework) {
+    case "ANGULAR_SPA":
+      return "auth_samples_angular";
+    case "REACT_SPA":
+      return "auth_samples_react";
+    case "VUE_SPA":
+      return "auth_samples_vue3";
+    case "NODE_JS_WEB":
+      return "auth_samples_node";
+    case "PYTHON_WEB":
+      return "auth_samples_python";
+    case "SPRING_WEB":
+      return "auth_samples_java";
+    case "GO_WEB":
+      return "auth_samples_go";
+    case "PHP_WEB":
+      return "auth_samples_php";
+    default:
+      throw new Error(`Downloading auth_samples is not supported for framework ${framework}`);
+  }
+}
+function spaEnvKeysFor(framework) {
+  switch (framework) {
+    case "ANGULAR_SPA":
+      return {
+        issuer: "TUURIO_ISSUER",
+        clientId: "TUURIO_CLIENT_ID",
+        redirectUri: "TUURIO_REDIRECT_URI",
+        postLogoutRedirectUri: "TUURIO_POST_LOGOUT_REDIRECT_URI",
+        scope: "TUURIO_SCOPE"
+      };
+    case "REACT_SPA":
+    case "VUE_SPA":
+      return {
+        issuer: "VITE_TUURIO_ISSUER",
+        clientId: "VITE_TUURIO_CLIENT_ID",
+        redirectUri: "VITE_TUURIO_REDIRECT_URI",
+        postLogoutRedirectUri: "VITE_TUURIO_POST_LOGOUT_REDIRECT_URI",
+        scope: "VITE_TUURIO_SCOPE"
+      };
+    default:
+      throw new Error(`Unsupported SPA framework for env mapping: ${framework}`);
+  }
+}
+async function downloadSampleFromGithub(framework, outputRoot) {
+  const sampleDir = authSamplesDirectoryFor(framework);
+  const spinner = ora(`Downloading ${sampleDir} from GitHub...`).start();
+  const tempRoot = await mkdtemp(path.join(tmpdir(), "manage-tuurio-id-"));
+  try {
+    await runCommand("git", [
+      "clone",
+      "--depth",
+      "1",
+      "--filter=blob:none",
+      "--sparse",
+      AUTH_SAMPLES_REPO_URL,
+      tempRoot
+    ]);
+    await runCommand("git", ["-C", tempRoot, "sparse-checkout", "set", sampleDir]);
+    const sourceDir = path.join(tempRoot, sampleDir);
+    await mkdir(outputRoot, { recursive: true });
+    await copyDirectoryContents(sourceDir, outputRoot);
+    spinner.succeed(`Downloaded ${sampleDir}.`);
+  } catch (err) {
+    spinner.fail("Downloading sample from GitHub failed.");
+    throw err;
+  } finally {
+    await rm(tempRoot, { recursive: true, force: true });
+  }
+}
+async function copyDirectoryContents(sourceDir, targetDir) {
+  const entries = await readdir(sourceDir);
+  for (const entry of entries) {
+    await cp(path.join(sourceDir, entry), path.join(targetDir, entry), {
+      recursive: true,
+      force: true
+    });
+  }
+}
+async function writeSpaSampleEnvFile(outputRoot, framework, generatedEnv) {
+  const keys = spaEnvKeysFor(framework);
+  const issuer = generatedEnv.TUURIO_ISSUER ?? "";
+  const clientId = generatedEnv.TUURIO_CLIENT_ID ?? "";
+  const redirectUri = generatedEnv.TUURIO_REDIRECT_URI ?? defaultRedirectUriFor(framework);
+  const postLogoutRedirectUri = generatedEnv.TUURIO_POST_LOGOUT_REDIRECT_URI ?? derivePostLogoutRedirectUri(redirectUri, defaultPostLogoutRedirectUriFor(framework));
+  const scope = generatedEnv.TUURIO_SCOPE ?? "openid profile email";
+  const envContent = [
+    `${keys.issuer}=${issuer}`,
+    `${keys.clientId}=${clientId}`,
+    `${keys.redirectUri}=${redirectUri}`,
+    `${keys.postLogoutRedirectUri}=${postLogoutRedirectUri}`,
+    `${keys.scope}=${scope}`
+  ].join("\n");
+  await writeFile(path.join(outputRoot, ".env"), envContent + "\n", { mode: 384 });
+}
+async function writeServerSampleEnvFile(outputRoot, framework, generatedEnv) {
+  const redirectUri = generatedEnv.TUURIO_REDIRECT_URI ?? defaultServerRedirectUriFor(framework);
+  const postLogoutRedirectUri = generatedEnv.TUURIO_POST_LOGOUT_REDIRECT_URI ?? derivePostLogoutRedirectUri(redirectUri, defaultServerPostLogoutRedirectUriFor(framework));
+  const envValues = {
+    TUURIO_ISSUER: generatedEnv.TUURIO_ISSUER ?? "",
+    TUURIO_CLIENT_ID: generatedEnv.TUURIO_CLIENT_ID ?? "",
+    TUURIO_CLIENT_SECRET: generatedEnv.TUURIO_CLIENT_SECRET ?? "",
+    TUURIO_REDIRECT_URI: redirectUri,
+    TUURIO_POST_LOGOUT_REDIRECT_URI: postLogoutRedirectUri,
+    TUURIO_SCOPE: generatedEnv.TUURIO_SCOPE ?? defaultServerScopeFor(framework),
+    TUURIO_WEBHOOK_ID: generatedEnv.TUURIO_WEBHOOK_ID ?? "",
+    TUURIO_WEBHOOK_SIGNING_SECRET: generatedEnv.TUURIO_WEBHOOK_SIGNING_SECRET ?? "",
+    TUURIO_WEBHOOK_URL: generatedEnv.TUURIO_WEBHOOK_URL ?? "",
+    TUURIO_WEBHOOK_EDIT_URL: generatedEnv.TUURIO_WEBHOOK_EDIT_URL ?? "",
+    TUURIO_WEBHOOK_LISTEN_PATH: generatedEnv.TUURIO_WEBHOOK_LISTEN_PATH ?? "/webhooks/tuurio",
+    TUURIO_WEBHOOK_API_KEY_HEADER: generatedEnv.TUURIO_WEBHOOK_API_KEY_HEADER ?? "X-Tuurio-Webhook-Key",
+    TUURIO_WEBHOOK_API_KEY: generatedEnv.TUURIO_WEBHOOK_API_KEY ?? ""
+  };
+  await writeEnvFileFromTemplate(outputRoot, envValues);
+}
+function defaultServerRedirectUriFor(framework) {
+  switch (framework) {
+    case "NODE_JS_WEB":
+      return "http://localhost:8082/auth/callback";
+    case "PYTHON_WEB":
+      return "http://localhost:8083/auth/callback";
+    case "GO_WEB":
+      return "http://localhost:8084/auth/callback";
+    case "SPRING_WEB":
+      return "http://localhost:8085/auth/callback";
+    case "PHP_WEB":
+      return "http://localhost:8080/auth/callback";
+    default:
+      return "http://localhost:8082/auth/callback";
+  }
+}
+function defaultServerPostLogoutRedirectUriFor(framework) {
+  switch (framework) {
+    case "NODE_JS_WEB":
+      return "http://localhost:8082/";
+    case "PYTHON_WEB":
+      return "http://localhost:8083/";
+    case "GO_WEB":
+      return "http://localhost:8084/";
+    case "SPRING_WEB":
+      return "http://localhost:8085/";
+    case "PHP_WEB":
+      return "http://localhost:8080/";
+    default:
+      return "http://localhost:8082/";
+  }
+}
+function defaultServerScopeFor(framework) {
+  if (framework === "SPRING_WEB") {
+    return "openid,profile,email";
+  }
+  return "openid profile email";
+}
+async function writeEnvFileFromTemplate(outputRoot, values) {
+  const templatePath = path.join(outputRoot, ".env.example");
+  let template = "";
+  try {
+    template = await readFile(templatePath, "utf8");
+  } catch {
+    template = "";
+  }
+  if (!template) {
+    const content = Object.entries(values).map(([key, value]) => `${key}=${value}`).join("\n");
+    await writeFile(path.join(outputRoot, ".env"), content + "\n", { mode: 384 });
+    return;
+  }
+  const seen = /* @__PURE__ */ new Set();
+  const lines = template.split(/\r?\n/);
+  const out = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      out.push(line);
+      continue;
+    }
+    const separator = trimmed.indexOf("=");
+    if (separator <= 0) {
+      out.push(line);
+      continue;
+    }
+    const key = trimmed.slice(0, separator).trim();
+    if (Object.hasOwn(values, key)) {
+      out.push(`${key}=${values[key]}`);
+      seen.add(key);
+      continue;
+    }
+    out.push(line);
+  }
+  for (const [key, value] of Object.entries(values)) {
+    if (seen.has(key)) continue;
+    out.push(`${key}=${value}`);
+  }
+  const normalized = out.join("\n").replace(/\n*$/, "\n");
+  await writeFile(path.join(outputRoot, ".env"), normalized, { mode: 384 });
+}
+function defaultRedirectUriFor(framework) {
+  switch (framework) {
+    case "ANGULAR_SPA":
+      return "http://localhost:4200/auth/callback";
+    case "REACT_SPA":
+    case "VUE_SPA":
+      return "http://localhost:5173/auth/callback";
+    default:
+      return "http://localhost:5173/auth/callback";
+  }
+}
+function defaultPostLogoutRedirectUriFor(framework) {
+  switch (framework) {
+    case "ANGULAR_SPA":
+      return "http://localhost:4200/";
+    case "REACT_SPA":
+    case "VUE_SPA":
+      return "http://localhost:5173/";
+    default:
+      return "http://localhost:5173/";
+  }
+}
+function derivePostLogoutRedirectUri(redirectUri, fallback) {
+  try {
+    const parsed = new URL(redirectUri);
+    parsed.pathname = "/";
+    parsed.search = "";
+    parsed.hash = "";
+    return parsed.toString();
+  } catch {
+    return fallback;
+  }
+}
+async function runCommand(command, args) {
+  await new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stderr = "";
+    child.stderr.on("data", (chunk) => {
+      stderr += String(chunk);
+    });
+    child.on("error", (err) => {
+      reject(err);
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      const suffix = stderr.trim() ? `: ${stderr.trim()}` : "";
+      reject(new Error(`${command} ${args.join(" ")} exited with code ${code}${suffix}`));
+    });
+  });
+}
+async function loadSession() {
+  try {
+    const raw = await readFile(SESSION_FILE, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.sessionToken || !parsed.apiBaseUrl) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+async function saveSession(session) {
+  await mkdir(path.dirname(SESSION_FILE), { recursive: true });
+  await writeFile(SESSION_FILE, JSON.stringify(session, null, 2) + "\n", {
+    mode: 384
+  });
+}
+async function clearSavedSession() {
+  try {
+    await unlink(SESSION_FILE);
+  } catch {
+  }
+}
+function toNullableString(value) {
+  const normalized = String(value ?? "").trim();
+  return normalized.length > 0 ? normalized : null;
+}
+function validateOptionalUrlPrompt(value) {
+  const normalized = value.trim();
+  if (!normalized) return true;
+  return urlSchema.safeParse(normalized).success ? true : "Enter a valid URL";
+}
+function normalizeBaseUrl(value) {
+  return value.trim().replace(/\/+$/, "");
+}
+function deriveApiBaseUrl(portalBaseUrl) {
+  const parsed = new URL(normalizeBaseUrl(portalBaseUrl));
+  return `${parsed.protocol}//${parsed.host}`;
+}
+function printHeader() {
+  process.stdout.write(kleur2.bold().cyan("manage-tuurio-id\n"));
+  process.stdout.write(
+    kleur2.gray("Choose Login, New, or Website to start provisioning with Tuurio ID.\n\n")
+  );
+}
+main().catch((err) => {
+  const message = err instanceof Error ? err.message : String(err);
+  process.stderr.write(kleur2.red(`Error: ${message}
+`));
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "manage-tuurio-id",
+  "version": "0.1.0",
+  "description": "Scaffold apps and provision Tuurio ID configuration via secure short-lived tokens.",
+  "type": "module",
+  "homepage": "https://id.tuurio.com",
+  "bin": {
+    "manage-tuurio-id": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --dts --clean --target node18",
+    "dev": "tsx src/index.ts",
+    "dev:localhost": "tsx src/index.ts --tuurio-host id.localhost:8080",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": [
+    "tuurio",
+    "oidc",
+    "scaffold",
+    "cli"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "kleur": "^4.1.5",
+    "open": "^10.2.0",
+    "ora": "^8.1.0",
+    "prompts": "^2.4.2",
+    "undici": "^7.13.0",
+    "zod": "^3.25.67"
+  },
+  "devDependencies": {
+    "@types/node": "^22.15.3",
+    "tsup": "^8.5.0",
+    "tsx": "^4.20.3",
+    "typescript": "^5.8.3"
+  }
+}