workos 0.15.2 → 0.17.0

package/dist/lib/scaffold/index.js

@@ -0,0 +1,2 @@
+export { CREATE_NEXT_APP_VERSION, SAFE_EMPTY_FILES, buildCreateNextAppArgs, isScaffoldableEmptyDir, resolvePackageManager, runCreateNextApp, } from './scaffold.js';
+//# sourceMappingURL=index.js.map

package/dist/lib/scaffold/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/scaffold/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,sBAAsB,EACtB,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,GAEjB,MAAM,eAAe,CAAC","sourcesContent":["export {\n  CREATE_NEXT_APP_VERSION,\n  SAFE_EMPTY_FILES,\n  buildCreateNextAppArgs,\n  isScaffoldableEmptyDir,\n  resolvePackageManager,\n  runCreateNextApp,\n  type PackageManager,\n} from './scaffold.js';\n"]}

package/dist/lib/scaffold/scaffold.d.ts

@@ -0,0 +1,66 @@
+import type { InstallerEventEmitter } from '../events.js';
+export type PackageManager = 'npm' | 'pnpm' | 'yarn' | 'bun';
+/**
+ * The `create-next-app` major we pin to. Matches `authkit-nextjs/examples/next`
+ * (Next 16). A major float (`@16`) keeps the pinned flag set stable while still
+ * receiving patch/minor updates. Re-pin when AuthKit bumps its supported Next major.
+ * `@latest` is intentionally avoided — it would reintroduce the flag-drift
+ * non-determinism this deterministic step exists to prevent.
+ */
+export declare const CREATE_NEXT_APP_VERSION = "16";
+/**
+ * Files that may be present in a directory we still consider "scaffoldable empty".
+ *
+ * INVARIANT: this MUST stay a subset of create-next-app's own `validFiles`
+ * (verified against the v{@link CREATE_NEXT_APP_VERSION} tag). If ours is
+ * stricter, we simply scaffold less often (safe). If ours were looser,
+ * create-next-app would accept our offer and then refuse mid-run.
+ *
+ * We omit `docs` and `mkdocs.yml` from the upstream list on purpose — their
+ * presence usually signals real project content, so we err toward NOT scaffolding.
+ * We also omit `README.md`/`.vscode`: they are NOT in create-next-app's list, so a
+ * directory containing them is left to the normal (non-scaffold) install path.
+ */
+export declare const SAFE_EMPTY_FILES: ReadonlySet<string>;
+/**
+ * True iff `dir` is empty or contains only {@link SAFE_EMPTY_FILES} entries.
+ *
+ * Because no project manifest (`package.json`, `go.mod`, `Gemfile`, etc.) appears
+ * in {@link SAFE_EMPTY_FILES}, the presence of any manifest makes this return
+ * false — i.e. an existing project always takes the normal install path.
+ */
+export declare function isScaffoldableEmptyDir(dir: string): Promise<boolean>;
+/**
+ * Resolve the package manager for the scaffolded app.
+ *
+ * Precedence: validated `--pm` override > `npm_config_user_agent` parse > `npm`.
+ * An empty directory has no lockfile, so lockfile-based detection does not apply;
+ * we read the runner from the user agent instead (e.g. `pnpm dlx` → `pnpm`).
+ */
+export declare function resolvePackageManager(opts: {
+    pm?: string;
+    userAgent?: string;
+}): PackageManager;
+/**
+ * The pinned `create-next-app` flag set. Kept pure so a unit test can assert the
+ * exact array — flag drift across a pinned major is the primary failure mode.
+ *
+ * v1 scaffolds Next.js only. Multi-framework scaffolding (e.g. a Vite React app
+ * via its own `create-*` tool) is a tracked follow-up, not implemented.
+ *
+ * App Router + TypeScript + ESLint + Tailwind + `src/` + `@/*` alias, installed
+ * with the resolved package manager. `--yes` accepts all remaining defaults
+ * (including the major's Turbopack default) and prevents interactive hangs.
+ */
+export declare function buildCreateNextAppArgs(pm: PackageManager): string[];
+/**
+ * Spawn `create-next-app@<pinned> .` in `installDir` via the resolved package
+ * manager's runner, streaming output as `scaffold:progress` events. Resolves on
+ * exit 0; rejects on non-zero exit or spawn error so the state machine can route
+ * to its error state.
+ */
+export declare function runCreateNextApp(opts: {
+    installDir: string;
+    packageManager: PackageManager;
+    emitter: InstallerEventEmitter;
+}): Promise<void>;

package/dist/lib/scaffold/scaffold.js

@@ -0,0 +1,156 @@
+import { spawn } from 'node:child_process';
+import { readdir } from 'node:fs/promises';
+import { SPAWN_OPTS } from '../../utils/platform.js';
+/**
+ * The `create-next-app` major we pin to. Matches `authkit-nextjs/examples/next`
+ * (Next 16). A major float (`@16`) keeps the pinned flag set stable while still
+ * receiving patch/minor updates. Re-pin when AuthKit bumps its supported Next major.
+ * `@latest` is intentionally avoided — it would reintroduce the flag-drift
+ * non-determinism this deterministic step exists to prevent.
+ */
+export const CREATE_NEXT_APP_VERSION = '16';
+const VALID_PACKAGE_MANAGERS = new Set(['npm', 'pnpm', 'yarn', 'bun']);
+/**
+ * Files that may be present in a directory we still consider "scaffoldable empty".
+ *
+ * INVARIANT: this MUST stay a subset of create-next-app's own `validFiles`
+ * (verified against the v{@link CREATE_NEXT_APP_VERSION} tag). If ours is
+ * stricter, we simply scaffold less often (safe). If ours were looser,
+ * create-next-app would accept our offer and then refuse mid-run.
+ *
+ * We omit `docs` and `mkdocs.yml` from the upstream list on purpose — their
+ * presence usually signals real project content, so we err toward NOT scaffolding.
+ * We also omit `README.md`/`.vscode`: they are NOT in create-next-app's list, so a
+ * directory containing them is left to the normal (non-scaffold) install path.
+ */
+export const SAFE_EMPTY_FILES = new Set([
+    '.DS_Store',
+    '.git',
+    '.gitattributes',
+    '.gitignore',
+    '.gitlab-ci.yml',
+    '.hg',
+    '.hgcheck',
+    '.hgignore',
+    '.idea',
+    '.npmignore',
+    '.travis.yml',
+    'LICENSE',
+    'Thumbs.db',
+    'npm-debug.log',
+    'yarn-debug.log',
+    'yarn-error.log',
+    'yarnrc.yml',
+    '.yarn',
+]);
+/**
+ * True iff `dir` is empty or contains only {@link SAFE_EMPTY_FILES} entries.
+ *
+ * Because no project manifest (`package.json`, `go.mod`, `Gemfile`, etc.) appears
+ * in {@link SAFE_EMPTY_FILES}, the presence of any manifest makes this return
+ * false — i.e. an existing project always takes the normal install path.
+ */
+export async function isScaffoldableEmptyDir(dir) {
+    const entries = await readdir(dir);
+    return entries.every((entry) => SAFE_EMPTY_FILES.has(entry));
+}
+/**
+ * Resolve the package manager for the scaffolded app.
+ *
+ * Precedence: validated `--pm` override > `npm_config_user_agent` parse > `npm`.
+ * An empty directory has no lockfile, so lockfile-based detection does not apply;
+ * we read the runner from the user agent instead (e.g. `pnpm dlx` → `pnpm`).
+ */
+export function resolvePackageManager(opts) {
+    const { pm, userAgent } = opts;
+    // `--pm` is validated by yargs `choices` upstream; guard again defensively and
+    // fall through on anything unexpected rather than throwing here.
+    if (pm && VALID_PACKAGE_MANAGERS.has(pm)) {
+        return pm;
+    }
+    if (userAgent) {
+        // e.g. "pnpm/8.6.0 npm/? node/v20.0.0 darwin arm64" → "pnpm"
+        const name = userAgent.split(/\s+/)[0]?.split('/')[0];
+        if (name && VALID_PACKAGE_MANAGERS.has(name)) {
+            return name;
+        }
+    }
+    return 'npm';
+}
+/**
+ * The pinned `create-next-app` flag set. Kept pure so a unit test can assert the
+ * exact array — flag drift across a pinned major is the primary failure mode.
+ *
+ * v1 scaffolds Next.js only. Multi-framework scaffolding (e.g. a Vite React app
+ * via its own `create-*` tool) is a tracked follow-up, not implemented.
+ *
+ * App Router + TypeScript + ESLint + Tailwind + `src/` + `@/*` alias, installed
+ * with the resolved package manager. `--yes` accepts all remaining defaults
+ * (including the major's Turbopack default) and prevents interactive hangs.
+ */
+export function buildCreateNextAppArgs(pm) {
+    return ['.', '--ts', '--app', '--eslint', '--tailwind', '--src-dir', '--import-alias', '@/*', `--use-${pm}`, '--yes'];
+}
+/**
+ * Each package manager's own package runner. Running create-next-app through the
+ * resolved PM's runner (instead of always `npx`) means we don't require npm/npx
+ * to be on PATH — e.g. a bun-only machine has no `npx`. `yarn dlx` assumes
+ * Yarn >= 2 (Berry); a Yarn 1 user would need `--pm npm`.
+ */
+const PM_RUNNER = {
+    npm: { bin: 'npx', args: ['--yes'] },
+    pnpm: { bin: 'pnpm', args: ['dlx'] },
+    yarn: { bin: 'yarn', args: ['dlx'] },
+    bun: { bin: 'bunx', args: [] },
+};
+/**
+ * Spawn `create-next-app@<pinned> .` in `installDir` via the resolved package
+ * manager's runner, streaming output as `scaffold:progress` events. Resolves on
+ * exit 0; rejects on non-zero exit or spawn error so the state machine can route
+ * to its error state.
+ */
+export function runCreateNextApp(opts) {
+    const { installDir, packageManager, emitter } = opts;
+    const runner = PM_RUNNER[packageManager];
+    const args = [
+        ...runner.args,
+        `create-next-app@${CREATE_NEXT_APP_VERSION}`,
+        ...buildCreateNextAppArgs(packageManager),
+    ];
+    return new Promise((resolve, reject) => {
+        const child = spawn(runner.bin, args, {
+            cwd: installDir,
+            env: process.env,
+            ...SPAWN_OPTS,
+        });
+        let stderr = '';
+        const stream = (data) => {
+            emitter.emit('scaffold:progress', { text: data.toString() });
+        };
+        child.stdout?.on('data', stream);
+        child.stderr?.on('data', (data) => {
+            // Bound the buffer at collection time so a pathological failure (e.g. a full
+            // npm resolution trace) can't accumulate hundreds of KB. Progress still streams.
+            if (stderr.length < 2000) {
+                stderr += data.toString();
+            }
+            stream(data);
+        });
+        child.on('close', (code, signal) => {
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                const detail = stderr ? `: ${stderr.trim().slice(0, 2000)}` : '';
+                // code is null when the process was killed by a signal (e.g. SIGTERM from a
+                // timeout layer); surface that instead of masking it as "exited with code 1".
+                const exitInfo = code !== null ? `exited with code ${code}` : `was killed by signal ${signal ?? 'unknown'}`;
+                reject(new Error(`create-next-app ${exitInfo}${detail}`));
+            }
+        });
+        child.on('error', (err) => {
+            reject(err);
+        });
+    });
+}
+//# sourceMappingURL=scaffold.js.map

package/dist/lib/scaffold/scaffold.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scaffold.js","sourceRoot":"","sources":["../../../src/lib/scaffold/scaffold.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAKrD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,IAAI,CAAC;AAE5C,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;AAE5G;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IAC3D,WAAW;IACX,MAAM;IACN,gBAAgB;IAChB,YAAY;IACZ,gBAAgB;IAChB,KAAK;IACL,UAAU;IACV,WAAW;IACX,OAAO;IACP,YAAY;IACZ,aAAa;IACb,SAAS;IACT,WAAW;IACX,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,YAAY;IACZ,OAAO;CACR,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,GAAW;IACtD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAyC;IAC7E,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAE/B,+EAA+E;IAC/E,iEAAiE;IACjE,IAAI,EAAE,IAAI,sBAAsB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;QACzC,OAAO,EAAoB,CAAC;IAC9B,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,6DAA6D;QAC7D,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACtD,IAAI,IAAI,IAAI,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7C,OAAO,IAAsB,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CAAC,EAAkB;IACvD,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;AACxH,CAAC;AAED;;;;;GAKG;AACH,MAAM,SAAS,GAA4D;IACzE,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE;IACpC,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE;IACpC,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE;IACpC,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE;CAC/B,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAIhC;IACC,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACrD,MAAM,MAAM,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG;QACX,GAAG,MAAM,CAAC,IAAI;QACd,mBAAmB,uBAAuB,EAAE;QAC5C,GAAG,sBAAsB,CAAC,cAAc,CAAC;KAC1C,CAAC;IAEF,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE;YACpC,GAAG,EAAE,UAAU;YACf,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,UAAU;SACd,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,MAAM,MAAM,GAAG,CAAC,IAAY,EAAQ,EAAE;YACpC,OAAO,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC/D,CAAC,CAAC;QAEF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACxC,6EAA6E;YAC7E,iFAAiF;YACjF,IAAI,MAAM,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;gBACzB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,CAAC;QACf,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YACjC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,OAAO,EAAE,CAAC;YACZ,CAAC;iBAAM,CAAC;gBACN,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,4EAA4E;gBAC5E,8EAA8E;gBAC9E,MAAM,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,CAAC,wBAAwB,MAAM,IAAI,SAAS,EAAE,CAAC;gBAC5G,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,QAAQ,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { spawn } from 'node:child_process';\nimport { readdir } from 'node:fs/promises';\nimport { SPAWN_OPTS } from '../../utils/platform.js';\nimport type { InstallerEventEmitter } from '../events.js';\n\nexport type PackageManager = 'npm' | 'pnpm' | 'yarn' | 'bun';\n\n/**\n * The `create-next-app` major we pin to. Matches `authkit-nextjs/examples/next`\n * (Next 16). A major float (`@16`) keeps the pinned flag set stable while still\n * receiving patch/minor updates. Re-pin when AuthKit bumps its supported Next major.\n * `@latest` is intentionally avoided — it would reintroduce the flag-drift\n * non-determinism this deterministic step exists to prevent.\n */\nexport const CREATE_NEXT_APP_VERSION = '16';\n\nconst VALID_PACKAGE_MANAGERS: ReadonlySet<string> = new Set<PackageManager>(['npm', 'pnpm', 'yarn', 'bun']);\n\n/**\n * Files that may be present in a directory we still consider \"scaffoldable empty\".\n *\n * INVARIANT: this MUST stay a subset of create-next-app's own `validFiles`\n * (verified against the v{@link CREATE_NEXT_APP_VERSION} tag). If ours is\n * stricter, we simply scaffold less often (safe). If ours were looser,\n * create-next-app would accept our offer and then refuse mid-run.\n *\n * We omit `docs` and `mkdocs.yml` from the upstream list on purpose — their\n * presence usually signals real project content, so we err toward NOT scaffolding.\n * We also omit `README.md`/`.vscode`: they are NOT in create-next-app's list, so a\n * directory containing them is left to the normal (non-scaffold) install path.\n */\nexport const SAFE_EMPTY_FILES: ReadonlySet<string> = new Set([\n  '.DS_Store',\n  '.git',\n  '.gitattributes',\n  '.gitignore',\n  '.gitlab-ci.yml',\n  '.hg',\n  '.hgcheck',\n  '.hgignore',\n  '.idea',\n  '.npmignore',\n  '.travis.yml',\n  'LICENSE',\n  'Thumbs.db',\n  'npm-debug.log',\n  'yarn-debug.log',\n  'yarn-error.log',\n  'yarnrc.yml',\n  '.yarn',\n]);\n\n/**\n * True iff `dir` is empty or contains only {@link SAFE_EMPTY_FILES} entries.\n *\n * Because no project manifest (`package.json`, `go.mod`, `Gemfile`, etc.) appears\n * in {@link SAFE_EMPTY_FILES}, the presence of any manifest makes this return\n * false — i.e. an existing project always takes the normal install path.\n */\nexport async function isScaffoldableEmptyDir(dir: string): Promise<boolean> {\n  const entries = await readdir(dir);\n  return entries.every((entry) => SAFE_EMPTY_FILES.has(entry));\n}\n\n/**\n * Resolve the package manager for the scaffolded app.\n *\n * Precedence: validated `--pm` override > `npm_config_user_agent` parse > `npm`.\n * An empty directory has no lockfile, so lockfile-based detection does not apply;\n * we read the runner from the user agent instead (e.g. `pnpm dlx` → `pnpm`).\n */\nexport function resolvePackageManager(opts: { pm?: string; userAgent?: string }): PackageManager {\n  const { pm, userAgent } = opts;\n\n  // `--pm` is validated by yargs `choices` upstream; guard again defensively and\n  // fall through on anything unexpected rather than throwing here.\n  if (pm && VALID_PACKAGE_MANAGERS.has(pm)) {\n    return pm as PackageManager;\n  }\n\n  if (userAgent) {\n    // e.g. \"pnpm/8.6.0 npm/? node/v20.0.0 darwin arm64\" → \"pnpm\"\n    const name = userAgent.split(/\\s+/)[0]?.split('/')[0];\n    if (name && VALID_PACKAGE_MANAGERS.has(name)) {\n      return name as PackageManager;\n    }\n  }\n\n  return 'npm';\n}\n\n/**\n * The pinned `create-next-app` flag set. Kept pure so a unit test can assert the\n * exact array — flag drift across a pinned major is the primary failure mode.\n *\n * v1 scaffolds Next.js only. Multi-framework scaffolding (e.g. a Vite React app\n * via its own `create-*` tool) is a tracked follow-up, not implemented.\n *\n * App Router + TypeScript + ESLint + Tailwind + `src/` + `@/*` alias, installed\n * with the resolved package manager. `--yes` accepts all remaining defaults\n * (including the major's Turbopack default) and prevents interactive hangs.\n */\nexport function buildCreateNextAppArgs(pm: PackageManager): string[] {\n  return ['.', '--ts', '--app', '--eslint', '--tailwind', '--src-dir', '--import-alias', '@/*', `--use-${pm}`, '--yes'];\n}\n\n/**\n * Each package manager's own package runner. Running create-next-app through the\n * resolved PM's runner (instead of always `npx`) means we don't require npm/npx\n * to be on PATH — e.g. a bun-only machine has no `npx`. `yarn dlx` assumes\n * Yarn >= 2 (Berry); a Yarn 1 user would need `--pm npm`.\n */\nconst PM_RUNNER: Record<PackageManager, { bin: string; args: string[] }> = {\n  npm: { bin: 'npx', args: ['--yes'] },\n  pnpm: { bin: 'pnpm', args: ['dlx'] },\n  yarn: { bin: 'yarn', args: ['dlx'] },\n  bun: { bin: 'bunx', args: [] },\n};\n\n/**\n * Spawn `create-next-app@<pinned> .` in `installDir` via the resolved package\n * manager's runner, streaming output as `scaffold:progress` events. Resolves on\n * exit 0; rejects on non-zero exit or spawn error so the state machine can route\n * to its error state.\n */\nexport function runCreateNextApp(opts: {\n  installDir: string;\n  packageManager: PackageManager;\n  emitter: InstallerEventEmitter;\n}): Promise<void> {\n  const { installDir, packageManager, emitter } = opts;\n  const runner = PM_RUNNER[packageManager];\n  const args = [\n    ...runner.args,\n    `create-next-app@${CREATE_NEXT_APP_VERSION}`,\n    ...buildCreateNextAppArgs(packageManager),\n  ];\n\n  return new Promise<void>((resolve, reject) => {\n    const child = spawn(runner.bin, args, {\n      cwd: installDir,\n      env: process.env,\n      ...SPAWN_OPTS,\n    });\n\n    let stderr = '';\n\n    const stream = (data: Buffer): void => {\n      emitter.emit('scaffold:progress', { text: data.toString() });\n    };\n\n    child.stdout?.on('data', stream);\n    child.stderr?.on('data', (data: Buffer) => {\n      // Bound the buffer at collection time so a pathological failure (e.g. a full\n      // npm resolution trace) can't accumulate hundreds of KB. Progress still streams.\n      if (stderr.length < 2000) {\n        stderr += data.toString();\n      }\n      stream(data);\n    });\n\n    child.on('close', (code, signal) => {\n      if (code === 0) {\n        resolve();\n      } else {\n        const detail = stderr ? `: ${stderr.trim().slice(0, 2000)}` : '';\n        // code is null when the process was killed by a signal (e.g. SIGTERM from a\n        // timeout layer); surface that instead of masking it as \"exited with code 1\".\n        const exitInfo = code !== null ? `exited with code ${code}` : `was killed by signal ${signal ?? 'unknown'}`;\n        reject(new Error(`create-next-app ${exitInfo}${detail}`));\n      }\n    });\n\n    child.on('error', (err) => {\n      reject(err);\n    });\n  });\n}\n"]}

package/dist/lib/settings.d.ts

@@ -9,6 +9,7 @@ export interface InstallerConfig {
         clientId: string;
         authkitDomain: string;
         llmGatewayUrl: string;
+        telemetryUrl: string;
     };
     telemetry: {
         enabled: boolean;
@@ -61,3 +62,8 @@ export declare function getAuthkitDomain(): string;
  * Env var overrides config default.
  */
 export declare function getLlmGatewayUrl(): string;
+/**
+ * Get the CLI telemetry URL.
+ * Env var overrides config default.
+ */
+export declare function getTelemetryUrl(): string;

package/dist/lib/settings.js

@@ -32,4 +32,11 @@ export function getAuthkitDomain() {
 export function getLlmGatewayUrl() {
     return process.env.WORKOS_LLM_GATEWAY_URL || config.workos.llmGatewayUrl;
 }
+/**
+ * Get the CLI telemetry URL.
+ * Env var overrides config default.
+ */
+export function getTelemetryUrl() {
+    return process.env.WORKOS_TELEMETRY_URL || config.workos.telemetryUrl;
+}
 //# sourceMappingURL=settings.js.map

package/dist/lib/settings.js.map

@@ -1 +1 @@
-{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../src/lib/settings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;GAEG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,OAAO,CAAC;AACjB,CAAC;AA2CD;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;AAC1E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;AAC3E,CAAC","sourcesContent":["import { config, version } from '../cli.config.js';\n\n/**\n * Get version from package.json\n */\nexport function getVersion(): string {\n  return version;\n}\n\nexport interface InstallerConfig {\n  model: string;\n  doctorModel: string;\n  workos: {\n    clientId: string;\n    authkitDomain: string;\n    llmGatewayUrl: string;\n  };\n  telemetry: {\n    enabled: boolean;\n    eventName: string;\n  };\n  proxy: {\n    refreshThresholdMs: number;\n  };\n  nodeVersion: string;\n  logging: {\n    debugMode: boolean;\n  };\n  documentation: {\n    workosDocsUrl: string;\n    dashboardUrl: string;\n    issuesUrl: string;\n  };\n  frameworks: {\n    [key: string]: {\n      port: number;\n      callbackPath: string;\n    };\n  };\n  legacy: {\n    oauthPort: number;\n  };\n  branding: {\n    showAsciiArt: boolean;\n    asciiArt: string;\n    compactAsciiArt: string;\n    useCompact: boolean;\n  };\n}\n\n/**\n * Get config\n */\nexport function getConfig(): InstallerConfig {\n  return config;\n}\n\n/**\n * Get the CLI auth client ID.\n * Env var overrides config default.\n */\nexport function getCliAuthClientId(): string {\n  return config.workos.clientId;\n}\n\n/**\n * Get the AuthKit domain.\n * Env var overrides config default.\n */\nexport function getAuthkitDomain(): string {\n  return process.env.WORKOS_AUTHKIT_DOMAIN || config.workos.authkitDomain;\n}\n\n/**\n * Get the LLM gateway URL.\n * Env var overrides config default.\n */\nexport function getLlmGatewayUrl(): string {\n  return process.env.WORKOS_LLM_GATEWAY_URL || config.workos.llmGatewayUrl;\n}\n"]}
+{"version":3,"file":"settings.js","sourceRoot":"","sources":["../../src/lib/settings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;GAEG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,OAAO,CAAC;AACjB,CAAC;AA4CD;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;AAC1E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC;AAC3E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;AACxE,CAAC","sourcesContent":["import { config, version } from '../cli.config.js';\n\n/**\n * Get version from package.json\n */\nexport function getVersion(): string {\n  return version;\n}\n\nexport interface InstallerConfig {\n  model: string;\n  doctorModel: string;\n  workos: {\n    clientId: string;\n    authkitDomain: string;\n    llmGatewayUrl: string;\n    telemetryUrl: string;\n  };\n  telemetry: {\n    enabled: boolean;\n    eventName: string;\n  };\n  proxy: {\n    refreshThresholdMs: number;\n  };\n  nodeVersion: string;\n  logging: {\n    debugMode: boolean;\n  };\n  documentation: {\n    workosDocsUrl: string;\n    dashboardUrl: string;\n    issuesUrl: string;\n  };\n  frameworks: {\n    [key: string]: {\n      port: number;\n      callbackPath: string;\n    };\n  };\n  legacy: {\n    oauthPort: number;\n  };\n  branding: {\n    showAsciiArt: boolean;\n    asciiArt: string;\n    compactAsciiArt: string;\n    useCompact: boolean;\n  };\n}\n\n/**\n * Get config\n */\nexport function getConfig(): InstallerConfig {\n  return config;\n}\n\n/**\n * Get the CLI auth client ID.\n * Env var overrides config default.\n */\nexport function getCliAuthClientId(): string {\n  return config.workos.clientId;\n}\n\n/**\n * Get the AuthKit domain.\n * Env var overrides config default.\n */\nexport function getAuthkitDomain(): string {\n  return process.env.WORKOS_AUTHKIT_DOMAIN || config.workos.authkitDomain;\n}\n\n/**\n * Get the LLM gateway URL.\n * Env var overrides config default.\n */\nexport function getLlmGatewayUrl(): string {\n  return process.env.WORKOS_LLM_GATEWAY_URL || config.workos.llmGatewayUrl;\n}\n\n/**\n * Get the CLI telemetry URL.\n * Env var overrides config default.\n */\nexport function getTelemetryUrl(): string {\n  return process.env.WORKOS_TELEMETRY_URL || config.workos.telemetryUrl;\n}\n"]}

package/dist/lib/telemetry-notice.d.ts

@@ -0,0 +1,25 @@
+/**
+ * First-run telemetry notice.
+ *
+ * Prints a one-time, stderr-only box telling the user that anonymous CLI usage
+ * telemetry is being collected and how to turn it off. Shown at most once ever
+ * (backed by the persisted `noticeShownAt` timestamp in preferences.json), only
+ * in interactive human mode, and never on the machine-readable path.
+ *
+ * Mirrors the structural pattern of unclaimed-warning.ts: a per-session guard,
+ * a `!isJsonMode()` gate, the shared renderStderrBox helper, and a never-throws
+ * contract so it can never block command execution. The one structural
+ * difference is persistence — this notice writes `noticeShownAt` the first time
+ * it actually displays so it never re-shows across runs.
+ */
+/**
+ * Show the first-run telemetry notice if it has never been displayed.
+ *
+ * Gate order is load-bearing: every suppression check runs BEFORE
+ * markNoticeShown(), so a non-human first run (--json / piped / CI) never
+ * consumes the one-time display. The flag is set only when the box is actually
+ * rendered, so a real human eventually sees it. Never throws.
+ */
+export declare function maybeShowTelemetryNotice(): void;
+/** Reset session state (for testing). */
+export declare function resetTelemetryNoticeState(): void;

package/dist/lib/telemetry-notice.js

@@ -0,0 +1,56 @@
+/**
+ * First-run telemetry notice.
+ *
+ * Prints a one-time, stderr-only box telling the user that anonymous CLI usage
+ * telemetry is being collected and how to turn it off. Shown at most once ever
+ * (backed by the persisted `noticeShownAt` timestamp in preferences.json), only
+ * in interactive human mode, and never on the machine-readable path.
+ *
+ * Mirrors the structural pattern of unclaimed-warning.ts: a per-session guard,
+ * a `!isJsonMode()` gate, the shared renderStderrBox helper, and a never-throws
+ * contract so it can never block command execution. The one structural
+ * difference is persistence — this notice writes `noticeShownAt` the first time
+ * it actually displays so it never re-shows across runs.
+ */
+import chalk from 'chalk';
+import { isJsonMode } from '../utils/output.js';
+import { renderStderrBox } from '../utils/box.js';
+import { formatWorkOSCommand } from '../utils/command-invocation.js';
+import { isNoticeShown, markNoticeShown, isTelemetryOptedOut } from './preferences.js';
+let shownThisSession = false;
+/**
+ * Show the first-run telemetry notice if it has never been displayed.
+ *
+ * Gate order is load-bearing: every suppression check runs BEFORE
+ * markNoticeShown(), so a non-human first run (--json / piped / CI) never
+ * consumes the one-time display. The flag is set only when the box is actually
+ * rendered, so a real human eventually sees it. Never throws.
+ */
+export function maybeShowTelemetryNotice() {
+    try {
+        if (shownThisSession)
+            return;
+        if (isJsonMode())
+            return; // suppress in --json / non-TTY / CI (output auto-switches to json)
+        if (isTelemetryOptedOut())
+            return; // already opted out — nothing to inform
+        if (isNoticeShown())
+            return; // already shown once, ever
+        const optOut = chalk.cyan(formatWorkOSCommand('telemetry opt-out'));
+        const inner = ` ${chalk.cyan('ℹ')} WorkOS collects anonymous CLI usage telemetry. Run ${optOut} to disable it. `;
+        renderStderrBox(inner, chalk.cyan);
+        // Set the per-session guard and persist ONLY after a successful render, so a
+        // render failure (caught below) lets a later command in this process retry
+        // rather than silently suppressing the notice for the rest of the session.
+        shownThisSession = true;
+        markNoticeShown();
+    }
+    catch {
+        // Never block command execution.
+    }
+}
+/** Reset session state (for testing). */
+export function resetTelemetryNoticeState() {
+    shownThisSession = false;
+}
+//# sourceMappingURL=telemetry-notice.js.map

package/dist/lib/telemetry-notice.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry-notice.js","sourceRoot":"","sources":["../../src/lib/telemetry-notice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvF,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAE7B;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB;IACtC,IAAI,CAAC;QACH,IAAI,gBAAgB;YAAE,OAAO;QAC7B,IAAI,UAAU,EAAE;YAAE,OAAO,CAAC,mEAAmE;QAC7F,IAAI,mBAAmB,EAAE;YAAE,OAAO,CAAC,wCAAwC;QAC3E,IAAI,aAAa,EAAE;YAAE,OAAO,CAAC,2BAA2B;QAExD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,CAAC;QACpE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,uDAAuD,MAAM,kBAAkB,CAAC;QACjH,eAAe,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,6EAA6E;QAC7E,2EAA2E;QAC3E,2EAA2E;QAC3E,gBAAgB,GAAG,IAAI,CAAC;QACxB,eAAe,EAAE,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;IACnC,CAAC;AACH,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,yBAAyB;IACvC,gBAAgB,GAAG,KAAK,CAAC;AAC3B,CAAC","sourcesContent":["/**\n * First-run telemetry notice.\n *\n * Prints a one-time, stderr-only box telling the user that anonymous CLI usage\n * telemetry is being collected and how to turn it off. Shown at most once ever\n * (backed by the persisted `noticeShownAt` timestamp in preferences.json), only\n * in interactive human mode, and never on the machine-readable path.\n *\n * Mirrors the structural pattern of unclaimed-warning.ts: a per-session guard,\n * a `!isJsonMode()` gate, the shared renderStderrBox helper, and a never-throws\n * contract so it can never block command execution. The one structural\n * difference is persistence — this notice writes `noticeShownAt` the first time\n * it actually displays so it never re-shows across runs.\n */\n\nimport chalk from 'chalk';\nimport { isJsonMode } from '../utils/output.js';\nimport { renderStderrBox } from '../utils/box.js';\nimport { formatWorkOSCommand } from '../utils/command-invocation.js';\nimport { isNoticeShown, markNoticeShown, isTelemetryOptedOut } from './preferences.js';\n\nlet shownThisSession = false;\n\n/**\n * Show the first-run telemetry notice if it has never been displayed.\n *\n * Gate order is load-bearing: every suppression check runs BEFORE\n * markNoticeShown(), so a non-human first run (--json / piped / CI) never\n * consumes the one-time display. The flag is set only when the box is actually\n * rendered, so a real human eventually sees it. Never throws.\n */\nexport function maybeShowTelemetryNotice(): void {\n  try {\n    if (shownThisSession) return;\n    if (isJsonMode()) return; // suppress in --json / non-TTY / CI (output auto-switches to json)\n    if (isTelemetryOptedOut()) return; // already opted out — nothing to inform\n    if (isNoticeShown()) return; // already shown once, ever\n\n    const optOut = chalk.cyan(formatWorkOSCommand('telemetry opt-out'));\n    const inner = ` ${chalk.cyan('ℹ')} WorkOS collects anonymous CLI usage telemetry. Run ${optOut} to disable it. `;\n    renderStderrBox(inner, chalk.cyan);\n    // Set the per-session guard and persist ONLY after a successful render, so a\n    // render failure (caught below) lets a later command in this process retry\n    // rather than silently suppressing the notice for the rest of the session.\n    shownThisSession = true;\n    markNoticeShown();\n  } catch {\n    // Never block command execution.\n  }\n}\n\n/** Reset session state (for testing). */\nexport function resetTelemetryNoticeState(): void {\n  shownThisSession = false;\n}\n"]}

package/dist/run.d.ts

@@ -1,6 +1,4 @@
-import type { Integration } from './lib/constants.js';
 export type InstallerArgs = {
-    integration?: Integration;
     debug?: boolean;
     forceInstall?: boolean;
     installDir?: string;
@@ -24,6 +22,8 @@ export type InstallerArgs = {
     noGitCheck?: boolean;
     gitCheck?: boolean;
     direct?: boolean;
+    scaffold?: boolean;
+    pm?: string;
 };
 /**
  * Main entry point for the wizard CLI.

package/dist/run.js

@@ -31,7 +31,6 @@ function buildOptions(argv) {
         homepageUrl: merged.homepageUrl,
         redirectUri: merged.redirectUri,
         dashboard: merged.dashboard ?? false,
-        integration: merged.integration,
         inspect: merged.inspect ?? false,
         noValidate: merged.noValidate ?? merged.validate === false,
         noCommit: merged.noCommit ?? merged.commit === false,
@@ -39,6 +38,8 @@ function buildOptions(argv) {
         createPr: merged.createPr ?? false,
         noGitCheck: merged.noGitCheck ?? merged.gitCheck === false,
         direct: merged.direct ?? false,
+        scaffold: merged.scaffold ?? false,
+        pm: merged.pm,
         emitter: createInstallerEventEmitter(), // Will be replaced in runWithCore
     };
 }

package/dist/run.js.map

@@ -1 +1 @@
-{"version":3,"file":"run.js","sourceRoot":"","sources":["../src/run.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAEtC,YAAY,CAAC,mBAAmB,GAAG,EAAE,CAAC;AA6BtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAmB;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAmB;IACvC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAEvC,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAExD,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,KAAK;QAC1C,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,KAAK;QACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACpC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;QAChC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,KAAK;QAC9B,OAAO,EAAE,2BAA2B,EAAE,EAAE,kCAAkC;KAC3E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;AACpE,CAAC","sourcesContent":["import { readEnvironment } from './utils/environment.js';\nimport { runWithCore } from './lib/run-with-core.js';\nimport type { InstallerOptions } from './utils/types.js';\nimport type { Integration } from './lib/constants.js';\nimport { createInstallerEventEmitter } from './lib/events.js';\nimport path from 'path';\nimport { EventEmitter } from 'events';\n\nEventEmitter.defaultMaxListeners = 50;\n\nexport type InstallerArgs = {\n  integration?: Integration;\n  debug?: boolean;\n  forceInstall?: boolean;\n  installDir?: string;\n  default?: boolean;\n  local?: boolean;\n  ci?: boolean;\n  skipAuth?: boolean;\n  apiKey?: string;\n  clientId?: string;\n  homepageUrl?: string;\n  redirectUri?: string;\n  dashboard?: boolean;\n  inspect?: boolean;\n  noValidate?: boolean;\n  validate?: boolean;\n  noCommit?: boolean;\n  commit?: boolean;\n  noBranch?: boolean;\n  branch?: boolean;\n  createPr?: boolean;\n  noGitCheck?: boolean;\n  gitCheck?: boolean;\n  direct?: boolean;\n};\n\n/**\n * Main entry point for the wizard CLI.\n * Builds options from args and delegates to the core.\n */\nexport async function runInstaller(argv: InstallerArgs): Promise<void> {\n  const options = buildOptions(argv);\n  await runWithCore(options);\n}\n\n/**\n * Build InstallerOptions from CLI args and environment.\n */\nfunction buildOptions(argv: InstallerArgs): InstallerOptions {\n  const envArgs = readEnvironment();\n  const merged = { ...argv, ...envArgs };\n\n  const installDir = resolveInstallDir(merged.installDir);\n\n  return {\n    debug: merged.debug ?? false,\n    forceInstall: merged.forceInstall ?? false,\n    installDir,\n    local: merged.local ?? false,\n    ci: merged.ci ?? false,\n    skipAuth: merged.skipAuth ?? false,\n    apiKey: merged.apiKey,\n    clientId: merged.clientId,\n    homepageUrl: merged.homepageUrl,\n    redirectUri: merged.redirectUri,\n    dashboard: merged.dashboard ?? false,\n    integration: merged.integration,\n    inspect: merged.inspect ?? false,\n    noValidate: merged.noValidate ?? merged.validate === false,\n    noCommit: merged.noCommit ?? merged.commit === false,\n    noBranch: merged.noBranch ?? merged.branch === false,\n    createPr: merged.createPr ?? false,\n    noGitCheck: merged.noGitCheck ?? merged.gitCheck === false,\n    direct: merged.direct ?? false,\n    emitter: createInstallerEventEmitter(), // Will be replaced in runWithCore\n  };\n}\n\n/**\n * Resolve install directory to absolute path.\n */\nfunction resolveInstallDir(dir?: string): string {\n  if (!dir) return process.cwd();\n  return path.isAbsolute(dir) ? dir : path.join(process.cwd(), dir);\n}\n"]}
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../src/run.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,OAAO,EAAE,2BAA2B,EAAE,MAAM,iBAAiB,CAAC;AAC9D,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAEtC,YAAY,CAAC,mBAAmB,GAAG,EAAE,CAAC;AA8BtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAmB;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAmB;IACvC,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC;IAEvC,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAExD,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,KAAK;QAC1C,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,KAAK;QAC5B,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,KAAK;QACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACpC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;QAChC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK;QACpD,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK;QAC1D,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,KAAK;QAC9B,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;QAClC,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,OAAO,EAAE,2BAA2B,EAAE,EAAE,kCAAkC;KAC3E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAY;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC;IAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;AACpE,CAAC","sourcesContent":["import { readEnvironment } from './utils/environment.js';\nimport { runWithCore } from './lib/run-with-core.js';\nimport type { InstallerOptions } from './utils/types.js';\nimport { createInstallerEventEmitter } from './lib/events.js';\nimport path from 'path';\nimport { EventEmitter } from 'events';\n\nEventEmitter.defaultMaxListeners = 50;\n\nexport type InstallerArgs = {\n  debug?: boolean;\n  forceInstall?: boolean;\n  installDir?: string;\n  default?: boolean;\n  local?: boolean;\n  ci?: boolean;\n  skipAuth?: boolean;\n  apiKey?: string;\n  clientId?: string;\n  homepageUrl?: string;\n  redirectUri?: string;\n  dashboard?: boolean;\n  inspect?: boolean;\n  noValidate?: boolean;\n  validate?: boolean;\n  noCommit?: boolean;\n  commit?: boolean;\n  noBranch?: boolean;\n  branch?: boolean;\n  createPr?: boolean;\n  noGitCheck?: boolean;\n  gitCheck?: boolean;\n  direct?: boolean;\n  scaffold?: boolean;\n  pm?: string;\n};\n\n/**\n * Main entry point for the wizard CLI.\n * Builds options from args and delegates to the core.\n */\nexport async function runInstaller(argv: InstallerArgs): Promise<void> {\n  const options = buildOptions(argv);\n  await runWithCore(options);\n}\n\n/**\n * Build InstallerOptions from CLI args and environment.\n */\nfunction buildOptions(argv: InstallerArgs): InstallerOptions {\n  const envArgs = readEnvironment();\n  const merged = { ...argv, ...envArgs };\n\n  const installDir = resolveInstallDir(merged.installDir);\n\n  return {\n    debug: merged.debug ?? false,\n    forceInstall: merged.forceInstall ?? false,\n    installDir,\n    local: merged.local ?? false,\n    ci: merged.ci ?? false,\n    skipAuth: merged.skipAuth ?? false,\n    apiKey: merged.apiKey,\n    clientId: merged.clientId,\n    homepageUrl: merged.homepageUrl,\n    redirectUri: merged.redirectUri,\n    dashboard: merged.dashboard ?? false,\n    inspect: merged.inspect ?? false,\n    noValidate: merged.noValidate ?? merged.validate === false,\n    noCommit: merged.noCommit ?? merged.commit === false,\n    noBranch: merged.noBranch ?? merged.branch === false,\n    createPr: merged.createPr ?? false,\n    noGitCheck: merged.noGitCheck ?? merged.gitCheck === false,\n    direct: merged.direct ?? false,\n    scaffold: merged.scaffold ?? false,\n    pm: merged.pm,\n    emitter: createInstallerEventEmitter(), // Will be replaced in runWithCore\n  };\n}\n\n/**\n * Resolve install directory to absolute path.\n */\nfunction resolveInstallDir(dir?: string): string {\n  if (!dir) return process.cwd();\n  return path.isAbsolute(dir) ? dir : path.join(process.cwd(), dir);\n}\n"]}

package/dist/test/force-insecure-storage.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/force-insecure-storage.js

@@ -0,0 +1,9 @@
+import { setInsecureStorage } from '../lib/credentials.js';
+import { setInsecureConfigStorage } from '../lib/config-store.js';
+// Subprocess integration tests import bin.ts directly, which initializes
+// telemetry before command options are parsed. Flip the existing storage seams
+// first so startup auth lookup stays inside the test's temporary HOME instead
+// of touching the host keychain.
+setInsecureStorage(true);
+setInsecureConfigStorage(true);
+//# sourceMappingURL=force-insecure-storage.js.map

package/dist/test/force-insecure-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"force-insecure-storage.js","sourceRoot":"","sources":["../../src/test/force-insecure-storage.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AAElE,yEAAyE;AACzE,+EAA+E;AAC/E,8EAA8E;AAC9E,iCAAiC;AACjC,kBAAkB,CAAC,IAAI,CAAC,CAAC;AACzB,wBAAwB,CAAC,IAAI,CAAC,CAAC","sourcesContent":["import { setInsecureStorage } from '../lib/credentials.js';\nimport { setInsecureConfigStorage } from '../lib/config-store.js';\n\n// Subprocess integration tests import bin.ts directly, which initializes\n// telemetry before command options are parsed. Flip the existing storage seams\n// first so startup auth lookup stays inside the test's temporary HOME instead\n// of touching the host keychain.\nsetInsecureStorage(true);\nsetInsecureConfigStorage(true);\n"]}

package/dist/test/setup.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/setup.js

@@ -0,0 +1,38 @@
+import { vi } from 'vitest';
+/**
+ * Global test setup — runs before every spec file.
+ *
+ * Replaces @napi-rs/keyring with an in-memory implementation so the test
+ * suite can NEVER touch the real OS keychain. clearCredentials() and
+ * saveCredentials() operate on the live `workos-cli` keychain entry even when
+ * file-fallback storage is forced, so an un-mocked spec would wipe a
+ * developer's real CLI login (this happened — that's why this exists).
+ *
+ * Specs that need richer keyring behaviour (e.g. simulating an unavailable
+ * keychain) still declare their own vi.mock('@napi-rs/keyring', ...); a
+ * per-file mock overrides this global default. The __IS_TEST_MOCK__ sentinel
+ * is asserted by src/test/keyring-isolation.spec.ts so removing this setup
+ * fails CI instead of silently re-arming the footgun.
+ */
+vi.mock('@napi-rs/keyring', () => {
+    const store = new Map();
+    return {
+        __IS_TEST_MOCK__: true,
+        Entry: class MockEntry {
+            key;
+            constructor(service, account) {
+                this.key = `${service}:${account}`;
+            }
+            getPassword() {
+                return store.get(this.key) ?? null;
+            }
+            setPassword(password) {
+                store.set(this.key, password);
+            }
+            deletePassword() {
+                store.delete(this.key);
+            }
+        },
+    };
+});
+//# sourceMappingURL=setup.js.map

package/dist/test/setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../src/test/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE5B;;;;;;;;;;;;;;GAcG;AACH,EAAE,CAAC,IAAI,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAC/B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,OAAO;QACL,gBAAgB,EAAE,IAAI;QACtB,KAAK,EAAE,MAAM,SAAS;YACZ,GAAG,CAAS;YAEpB,YAAY,OAAe,EAAE,OAAe;gBAC1C,IAAI,CAAC,GAAG,GAAG,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;YACrC,CAAC;YAED,WAAW;gBACT,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;YACrC,CAAC;YAED,WAAW,CAAC,QAAgB;gBAC1B,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAChC,CAAC;YAED,cAAc;gBACZ,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;SACF;KACF,CAAC;AACJ,CAAC,CAAC,CAAC","sourcesContent":["import { vi } from 'vitest';\n\n/**\n * Global test setup — runs before every spec file.\n *\n * Replaces @napi-rs/keyring with an in-memory implementation so the test\n * suite can NEVER touch the real OS keychain. clearCredentials() and\n * saveCredentials() operate on the live `workos-cli` keychain entry even when\n * file-fallback storage is forced, so an un-mocked spec would wipe a\n * developer's real CLI login (this happened — that's why this exists).\n *\n * Specs that need richer keyring behaviour (e.g. simulating an unavailable\n * keychain) still declare their own vi.mock('@napi-rs/keyring', ...); a\n * per-file mock overrides this global default. The __IS_TEST_MOCK__ sentinel\n * is asserted by src/test/keyring-isolation.spec.ts so removing this setup\n * fails CI instead of silently re-arming the footgun.\n */\nvi.mock('@napi-rs/keyring', () => {\n  const store = new Map<string, string>();\n  return {\n    __IS_TEST_MOCK__: true,\n    Entry: class MockEntry {\n      private key: string;\n\n      constructor(service: string, account: string) {\n        this.key = `${service}:${account}`;\n      }\n\n      getPassword(): string | null {\n        return store.get(this.key) ?? null;\n      }\n\n      setPassword(password: string): void {\n        store.set(this.key, password);\n      }\n\n      deletePassword(): void {\n        store.delete(this.key);\n      }\n    },\n  };\n});\n"]}

package/dist/utils/analytics.d.ts

@@ -1,24 +1,65 @@
+import type { AuthMode, TerminationReason } from './telemetry-types.js';
 export declare class Analytics {
     private tags;
     private sessionId;
     private sessionStartTime;
     private distinctId?;
+    private mode?;
+    private authMode;
     private totalInputTokens;
     private totalOutputTokens;
     private agentIterations;
     constructor();
     setDistinctId(distinctId: string): void;
     setAccessToken(token: string): void;
+    setApiKeyAuth(apiKey: string): void;
+    setClaimTokenAuth(clientId: string, claimToken: string): void;
+    /**
+     * Set the auth mode explicitly for special cases. Normal CLI flows should use
+     * `configureAuthFromAvailableSources()` so transport and auth.mode stay aligned.
+     */
+    setAuthMode(mode: AuthMode): void;
     setGatewayUrl(url: string): void;
+    private isEnabled;
+    /**
+     * Configure telemetry transport and auth.mode from all available CLI auth
+     * sources. Priority: stored JWT, unclaimed-environment claim token, active
+     * environment API key, then WORKOS_API_KEY.
+     */
+    configureAuthFromAvailableSources(): AuthMode;
+    /**
+     * Initialize telemetry for non-installer commands.
+     * Sets telemetry URL from default config and loads auth credentials.
+     */
+    initForNonInstaller(): void;
     setTag(key: string, value: string | boolean | number | null | undefined): void;
     capture(eventName: string, properties?: Record<string, unknown>): void;
     captureException(error: Error, properties?: Record<string, unknown>): void;
     getFeatureFlag(_flagKey: string): Promise<string | boolean | undefined>;
+    /** All capture methods that record error details MUST go through this. */
+    private extractErrorFields;
+    private detectCiProvider;
+    private getEnvFingerprint;
     sessionStart(mode: 'cli' | 'tui' | 'headless', version: string): void;
     stepCompleted(name: string, durationMs: number, success: boolean, error?: Error): void;
     toolCalled(toolName: string, durationMs: number, success: boolean): void;
     llmRequest(model: string, inputTokens: number, outputTokens: number): void;
     incrementAgentIterations(): void;
+    emitCommandEvent(name: string, durationMs: number, success: boolean, options?: {
+        error?: Error;
+        flags?: string[];
+        reason?: TerminationReason;
+        errorCode?: string;
+        apiContext?: {
+            status?: number;
+            code?: string;
+            resource?: string;
+        };
+    }): void;
+    captureUnhandledCrash(error: Error, options?: {
+        command?: string;
+        version?: string;
+    }): void;
     shutdown(status: 'success' | 'error' | 'cancelled'): Promise<void>;
 }
 export declare const analytics: Analytics;