authsome 0.4.1__tar.gz → 0.4.2__tar.gz

authsome-0.4.2/.github/release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.4.2"
+}

{authsome-0.4.1 → authsome-0.4.2}/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## [0.4.2](https://github.com/agentrhq/authsome/compare/authsome-v0.4.1...authsome-v0.4.2) (2026-05-25)
+
+
+### Features
+
+* add device flow verification fields to auth schemas and CLI JSON output ([c24779c](https://github.com/agentrhq/authsome/commit/c24779c6df5939602f06bc3b18c5e270963cbdfc))
+* auto-create env handle identities ([72e1b35](https://github.com/agentrhq/authsome/commit/72e1b350cd13cd9923eb8e2f408c599cfaf98497))
+* env backed identity design ([e1662b5](https://github.com/agentrhq/authsome/commit/e1662b51963a6dac66d6d6f30f654ad04fc96736))
+* improve copy-to-clipboard functionality with browser fallback and UI feedback ([02daa81](https://github.com/agentrhq/authsome/commit/02daa8182ed9d22abe75670db09286979844223d))
+* restructure CLI commands under provider and admin namespaces ([7b4b31a](https://github.com/agentrhq/authsome/commit/7b4b31ad4fbc5bb8ffc2c1f60e0d69268844558e))
+* restructure CLI commands under provider and admin namespaces ([a326e3f](https://github.com/agentrhq/authsome/commit/a326e3f1c43d2037124f0ba49751c8a5af0daa81))
+* simplify Client ID label and implement robust cross-browser copy-to-clipboard logic ([d763f7f](https://github.com/agentrhq/authsome/commit/d763f7f7dc8bb33b7049c27be78d0cdd08195ede))
+
+
+### Bug Fixes
+
+* expose actionable session details in login --json ([87ae0b7](https://github.com/agentrhq/authsome/commit/87ae0b7aeee76b69abae13d488e9e0829031d0c8))
+* normalize cli error handling for json output ([fb2754b](https://github.com/agentrhq/authsome/commit/fb2754bded00bcdea76a7433736f59ae60f01cff))
+* update daemon process command to include admin subcommand ([7855c77](https://github.com/agentrhq/authsome/commit/7855c77ceec670887c1cd4947e4202aaeff3a9b2))
+
 ## [0.4.1](https://github.com/agentrhq/authsome/compare/authsome-v0.4.0...authsome-v0.4.1) (2026-05-25)
 
 

{authsome-0.4.1 → authsome-0.4.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: authsome
-Version: 0.4.1
+Version: 0.4.2
 Summary: A portable local authentication library for AI agents and developer tools
 Author-email: Manoj Bajaj <manojbajaj95@gmail.com>
 License-Expression: MIT

{authsome-0.4.1 → authsome-0.4.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "authsome"
-version = "0.4.1"
+version = "0.4.2"
 description = "A portable local authentication library for AI agents and developer tools"
 readme = "README.md"
 license = "MIT"

{authsome-0.4.1 → authsome-0.4.2}/skills/authsome/SKILL.md

@@ -40,9 +40,9 @@ to set any auth headers.
 - Run `authsome login <provider>` via Bash yourself — do NOT ask the user to
   run this. The browser opens on their machine; they complete OAuth without touching
   the terminal.
-- Poll the status of the login using `authsome list` after a few seconds
+- Poll the status of the login using `authsome provider list` after a few seconds
   - **If connected** — proceed normally.
-  - **If not yet connected** — display the authentication URL to the user, ask them to complete the login in their browser, and report back once done. Once the user confirms, run `authsome list` again to verify the connection before continuing.
+  - **If not yet connected** — display the authentication URL to the user, ask them to complete the login in their browser, and report back once done. Once the user confirms, run `authsome provider list` again to verify the connection before continuing.
 
 ---
 
@@ -56,16 +56,16 @@ Only when uv tool install fails, use fallback: `pipx install authsome` or `uvx a
 
 ### If you get an authentication error (401, 403) follow this decision tree:
 
-**1. Run `authsome list` to see all providers and their connections**
+**1. Run `authsome provider list` to see all providers and their connections**
 
 **2. If relevant provider exists but it has no connections → start the [login flow](#login-flow)**
 
-If there is a login error due to wrong client id/client secret you can delete the provider via `authsome remove <provider>` and start the [login flow](#login-flow)
+If there is a login error due to wrong client id/client secret you can delete the provider via `authsome provider remove <provider>` and start the [login flow](#login-flow)
 
 **3. If relevant provider exists and it is connected**
 
 For 401 error → you need to re-login, creds have expired
-- revoke the creds using `authsome revoke <provider>`
+- revoke the creds using `authsome provider revoke <provider>`
 - then start the [login flow](#login-flow)
 
 For 403 error → you need to re-login, with the correct scopes, or missing permissions
@@ -89,6 +89,9 @@ If you are unsure of the correct command syntax, need to check available flags,
 
 ```bash
 authsome --help
+authsome provider --help
+authsome connections --help
+authsome admin --help
 authsome run --help
 ```
 
@@ -104,6 +107,8 @@ authsome run --help
 - **Never** suggest the user open Gmail/Calendar/GitHub in their browser
   when they ask you to read or interact with those services. You have API
   access. Use it.
+- **Never** use `authsome export`, `--show-secret`, or any workflow that prints
+  tokens or API keys to the terminal. Use `authsome run -- ...` instead.
 - If the gateway returns a policy error (403 with a JSON body), respect
   the block. Do not retry or circumvent it.
 - If the skill fails, the goal took too many steps, the CLI behaved unexpectedly,

{authsome-0.4.1 → authsome-0.4.2}/skills/authsome/references/adding-provider.md

@@ -15,5 +15,5 @@ When the provider isn't in the bundled list, do this before writing any config:
 
 4. **Write and register the provider JSON** — follow the [provider registration guide](https://raw.githubusercontent.com/agentrhq/authsome/main/docs/register-provider.md) to write the provider JSON. Save the file to a local path (e.g. `/tmp/<provider>.json`), then register it:
    ```bash
-   authsome register /tmp/<provider>.json
+   authsome provider register /tmp/<provider>.json
    ```

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/__init__.py

@@ -12,6 +12,9 @@ Usage:
     local proxy.
 """
 
+from importlib.metadata import PackageNotFoundError as _PkgNotFoundError
+from importlib.metadata import version as _pkg_version
+
 from loguru import logger as _logger
 
 from authsome.auth.models.connection import ConnectionRecord, Sensitive
@@ -39,9 +42,6 @@ from authsome.vault import Vault
 _logger.disable("authsome")
 
 try:
-    from importlib.metadata import PackageNotFoundError as _PkgNotFoundError
-    from importlib.metadata import version as _pkg_version
-
     __version__ = _pkg_version("authsome")
 except _PkgNotFoundError:
     __version__ = "unknown"

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/audit/__init__.py

@@ -66,6 +66,7 @@ def _serialize_event(event: AuditEvent) -> str:
     return json.dumps(payload, separators=(",", ":"))
 
 
+# TODO: Better to use an audit library: otel or something similar
 def log(event_type: str, **kwargs: Any) -> None:
     """Append a structured server event to the configured log file."""
     if _log_path is None:
@@ -78,6 +79,7 @@ def log(event_type: str, **kwargs: Any) -> None:
             handle.write("\n")
 
 
+# FIXME: Why is there a  log and alog ?
 async def alog(event_type: str, **kwargs: Any) -> None:
     """Async wrapper around structured server event logging."""
     log(event_type, **kwargs)

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/auth/flows/pkce.py

@@ -25,7 +25,7 @@ if TYPE_CHECKING:
 class PkceFlow(AuthFlow):
     """OAuth2 PKCE authorization code flow."""
 
-    callback_port: int = 7999
+    callback_port: int = 7999  # TODO: Remove hardcoded ports, better to keep a global in config file
 
     async def begin(
         self,

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/auth/models/config.py

@@ -7,6 +7,7 @@ from importlib.metadata import PackageNotFoundError, version
 from pydantic import BaseModel, Field
 
 
+# TODO: This is generic package level function, move it there
 def current_spec_version() -> int:
     """Return the config spec version derived from authsome's minor package version."""
     try:
@@ -22,12 +23,14 @@ def current_spec_version() -> int:
         return 0
 
 
+# TODO: This isn't a property of auth module
 class EncryptionConfig(BaseModel):
     """Vault encryption backend settings for the daemon."""
 
     mode: str = "auto"
 
 
+# TODO: This isn't a property of auth module
 class ServerConfig(BaseModel):
     """Daemon-owned server configuration."""
 

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/auth/models/connection.py

@@ -15,7 +15,11 @@ from pydantic import BaseModel, Field
 
 from authsome.auth.models.enums import AuthType, ConnectionStatus
 
+# TODO: Auth module shouldn't worry about storage. Remove all key references
+# TODO: Remvoe hardcoded schema versions everywhere
 
+
+# TODO: Pydantic as secretstr, why not just use that?
 class Sensitive:
     """Marker annotation: field contains a secret that must be redacted before display."""
 
@@ -73,8 +77,8 @@ class ProviderMetadataRecord(BaseModel):
     Stored at key: vault:<vault_id>:<provider>:metadata
     """
 
-    schema_version: int = 2
-    identity: str | None = None
+    schema_version: int = 2  # TODO: Hardcoded schema version?
+    identity: str | None = None  # TODO: Why is identity / principal_id / vault_id in provider metadata?
     principal_id: str | None = None
     vault_id: str | None = None
     provider: str

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/auth/models/provider.py

@@ -8,6 +8,8 @@ from pydantic import BaseModel, Field
 
 from authsome.auth.models.enums import AuthType, FlowType
 
+# TODO: Remove hardcoded schema versions everywhere
+
 
 class OAuthConfig(BaseModel):
     """OAuth2-specific provider configuration."""

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/auth/sessions.py

@@ -34,7 +34,7 @@ class AuthSession(BaseModel):
     session_id: str
     provider: str
     identity: str | None = None
-    principal_id: str | None = None
+    principal_id: str | None = None  # TODO: Why is this optional ?
     connection_name: str
     flow_type: str
     state: str = AuthSessionStatus.PENDING

authsome-0.4.2/src/authsome/cli/admin.py

@@ -0,0 +1,193 @@
+"""Administrative CLI commands for authsome."""
+
+import json as json_lib
+import os
+import sys
+from pathlib import Path
+
+import click
+
+from authsome.cli.context import ContextObj
+from authsome.cli.daemon_control import (
+    DaemonAlreadyRunningError,
+    DaemonUnavailableError,
+    daemon_status,
+    is_daemon_responsive,
+    is_port_occupied,
+    start_daemon,
+    stop_daemon,
+    wait_for_daemon_ready,
+)
+from authsome.cli.helpers import auth_command
+from authsome.paths import get_client_log_path, get_server_log_path
+
+
+@click.group(name="admin")
+def admin() -> None:
+    """Manage operator-facing daemon and maintenance commands."""
+
+
+@admin.command(name="log")
+@click.option("-n", "--lines", default=50, metavar="COUNT", help="Number of entries to show.")
+@click.option("--raw", is_flag=True, help="Show raw client debug log instead of structured audit entries.")
+@auth_command
+async def log_cmd(ctx_obj: ContextObj, lines: int, raw: bool) -> None:
+    """View structured audit entries or the raw client debug log."""
+    home = Path(os.environ.get("AUTHSOME_HOME", str(Path.home() / ".authsome")))
+
+    if raw:
+        log_path = get_client_log_path(home)
+        try:
+            raw_lines = log_path.read_text(encoding="utf-8", errors="replace").splitlines()[-lines:]
+        except FileNotFoundError:
+            raw_lines = []
+        ctx_obj.print_json({"log_file": str(log_path), "entries": raw_lines})
+        return
+
+    audit_path = get_server_log_path(home)
+    try:
+        raw_lines = audit_path.read_text(encoding="utf-8", errors="replace").splitlines()[-lines:]
+    except FileNotFoundError:
+        raw_lines = []
+
+    parsed: list[dict] = []
+    for line in raw_lines:
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            parsed.append(json_lib.loads(line))
+        except Exception:
+            parsed.append({"raw": line})
+
+    ctx_obj.print_json({"log_file": str(audit_path), "entries": parsed})
+
+
+@admin.group(name="daemon")
+def daemon() -> None:
+    """Manage the local Authsome daemon."""
+
+
+@daemon.command(name="serve")
+@click.option("--host", default="127.0.0.1", show_default=True, metavar="HOST", help="Host interface to bind.")
+@click.option("--port", default=7998, type=int, show_default=True, metavar="PORT", help="TCP port to listen on.")
+@click.option("--reload", is_flag=True, help="Enable auto-reload on code changes.")
+def daemon_serve(host: str, port: int, reload: bool) -> None:
+    """Run the daemon in the foreground."""
+    from authsome.server.daemon import serve
+
+    serve(host=host, port=port, reload=reload)
+
+
+@daemon.command(name="start")
+@auth_command
+async def daemon_start(ctx_obj: ContextObj) -> None:
+    """Start the local daemon in the background."""
+    if await is_daemon_responsive():
+        ctx_obj.print_json({"status": "already_running", "message": "Daemon is already running."})
+        return
+
+    if is_port_occupied(7998):
+        ctx_obj.print_json(
+            {
+                "status": "port_occupied",
+                "message": "Port 7998 is occupied by an unrelated process. We did not start a new process.",
+            }
+        )
+        return
+
+    try:
+        start_daemon()
+        await wait_for_daemon_ready(timeout=5)
+        ctx_obj.print_json({"status": "started", "message": "Daemon started successfully."})
+    except DaemonAlreadyRunningError as exc:
+        pid_str = f" (PID: {exc.pid})" if exc.pid else ""
+        ctx_obj.print_json({"status": "already_running", "message": f"Daemon is already running{pid_str}."})
+    except DaemonUnavailableError as exc:
+        ctx_obj.print_json({"error": exc.__class__.__name__, "message": str(exc)})
+        sys.exit(1)
+
+
+@daemon.command(name="stop")
+@auth_command
+async def daemon_stop(ctx_obj: ContextObj) -> None:
+    """Stop the local daemon."""
+    stopped, message = await stop_daemon()
+    status = "stopped" if stopped else "not_stopped"
+    ctx_obj.print_json({"status": status, "message": message})
+
+
+@daemon.command(name="restart")
+@auth_command
+async def daemon_restart(ctx_obj: ContextObj) -> None:
+    """Restart the local daemon."""
+    stopped, message = await stop_daemon()
+
+    if await is_daemon_responsive():
+        ctx_obj.print_json(
+            {
+                "status": "already_running",
+                "message": "Daemon is already running on port 7998. We did not start a new process.",
+                "stop_message": message,
+                "stopped": stopped,
+            }
+        )
+        return
+
+    if is_port_occupied(7998):
+        ctx_obj.print_json(
+            {
+                "status": "port_occupied",
+                "message": "Port 7998 is occupied by an unrelated process. We did not start a new process.",
+                "stop_message": message,
+                "stopped": stopped,
+            }
+        )
+        return
+
+    try:
+        start_daemon()
+        await wait_for_daemon_ready(timeout=5)
+        ctx_obj.print_json(
+            {
+                "status": "restarted" if stopped else "started",
+                "message": "Daemon restarted successfully." if stopped else "New daemon started.",
+                "stop_message": message,
+                "stopped": stopped,
+            }
+        )
+    except DaemonAlreadyRunningError as exc:
+        pid_str = f" (PID: {exc.pid})" if exc.pid else ""
+        ctx_obj.print_json(
+            {
+                "status": "already_running",
+                "message": f"Daemon is already running{pid_str}.",
+                "stop_message": message,
+                "stopped": stopped,
+            }
+        )
+    except DaemonUnavailableError as exc:
+        ctx_obj.print_json({"error": exc.__class__.__name__, "message": str(exc)})
+        sys.exit(1)
+
+
+@daemon.command(name="status")
+@auth_command
+async def daemon_status_cmd(ctx_obj: ContextObj) -> None:
+    """Show daemon status."""
+    status = await daemon_status()
+    ctx_obj.print_json(status)
+
+
+@daemon.command(name="logs")
+@click.option("-n", "--lines", default=80, metavar="COUNT", help="Number of lines to show.")
+@auth_command
+async def daemon_logs(ctx_obj: ContextObj, lines: int) -> None:
+    """Show daemon log output."""
+    from authsome.cli.daemon_control import LOG_FILE
+
+    if not LOG_FILE.exists():
+        ctx_obj.print_json({"log_file": str(LOG_FILE), "entries": []})
+        return
+    entries = LOG_FILE.read_text(encoding="utf-8", errors="replace").splitlines()[-lines:]
+    ctx_obj.print_json({"log_file": str(LOG_FILE), "entries": entries})

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/cli/client.py

@@ -14,12 +14,12 @@ from urllib.parse import urlparse
 import requests
 
 from authsome.identity import (
-    ensure_local_identity,
-    load_private_key,
+    IdentitySource,
+    load_runtime_identity,
     mark_claimed,
     mark_registered,
 )
-from authsome.identity.local import IdentityMetadata
+from authsome.identity.local import RuntimeIdentity, load_identity
 from authsome.identity.proof import POP_AUTH_SCHEME, create_proof_jwt
 from authsome.server.urls import DEFAULT_SERVER_BASE_URL
 
@@ -77,17 +77,6 @@ def raise_for_error(response: requests.Response) -> None:
         raise exc
 
 
-def _selected_identity_handle(home: Path, env: Mapping[str, str] | None = None) -> str | None:
-    """Return the acting identity override, falling back to client config."""
-    from authsome.cli.client_config import load_client_config
-
-    values = env if env is not None else os.environ
-    override = values.get(IDENTITY_OVERRIDE_ENV, "").strip()
-    if override:
-        return override
-    return load_client_config(home).active_identity
-
-
 class AuthsomeApiClient:
     """Small typed wrapper around the daemon API."""
 
@@ -126,11 +115,16 @@ class AuthsomeApiClient:
         raise_for_error(response)
         return response.json()
 
+    def _runtime_identity(self) -> RuntimeIdentity:
+        return load_runtime_identity(self._home)
+
+    def _runtime_for_handle(self, handle: str) -> RuntimeIdentity:
+        return load_runtime_identity(self._home, env={IDENTITY_OVERRIDE_ENV: handle})
+
     async def _proof_headers(self, method: str, path: str, body: bytes) -> dict[str, str | bytes]:
         identity = await self.ensure_identity_ready()
-        private_key = load_private_key(self._home, identity.handle)
         token = create_proof_jwt(
-            private_key=private_key,
+            private_key=identity.signer,
             issuer=identity.did,
             subject=identity.handle,
             method=method,
@@ -139,16 +133,19 @@ class AuthsomeApiClient:
         )
         return {"Authorization": f"{POP_AUTH_SCHEME} {token}"}
 
-    async def ensure_identity_ready(self) -> IdentityMetadata:
+    async def ensure_identity_ready(self) -> RuntimeIdentity:
         """Ensure the acting identity is registered and, in hosted mode, claimed."""
-        identity = ensure_local_identity(self._home, active_handle=_selected_identity_handle(self._home))
+        runtime = self._runtime_identity()
+        if runtime.source is IdentitySource.ENV:
+            return await self._ensure_env_identity_ready(runtime)
 
         status: dict[str, Any] | None = None
+        identity = load_identity(self._home, runtime.handle)
         if not identity.registered:
             status = await self.register_identity(identity.handle, identity.did)
             identity = mark_registered(self._home, identity.handle)
         elif identity.claimed:
-            return identity
+            return runtime
         else:
             try:
                 status = await self.get_identity_status(identity.handle)
@@ -167,11 +164,33 @@ class AuthsomeApiClient:
                 except Exception:
                     pass
             await self._poll_claim_completion(identity.handle)
-            return mark_claimed(self._home, identity.handle)
+            identity = mark_claimed(self._home, identity.handle)
+            return self._runtime_for_handle(identity.handle)
 
         if registration_status in {"claimed", "registered"}:
-            return mark_claimed(self._home, identity.handle)
+            identity = mark_claimed(self._home, identity.handle)
+            return self._runtime_for_handle(identity.handle)
 
+        return self._runtime_for_handle(identity.handle)
+
+    async def _ensure_env_identity_ready(self, identity: RuntimeIdentity) -> RuntimeIdentity:
+        try:
+            status = await self.get_identity_status(identity.handle)
+        except Exception:
+            status = await self.register_identity(identity.handle, identity.did)
+
+        registration_status = status.get("registration_status", "registered")
+        if registration_status == "claim_required":
+            claim_url = status.get("claim_url")
+            if not claim_url:
+                status = await self.register_identity(identity.handle, identity.did)
+                claim_url = status.get("claim_url")
+            if claim_url:
+                try:
+                    webbrowser.open(claim_url)
+                except Exception:
+                    pass
+            await self._poll_claim_completion(identity.handle)
         return identity
 
     async def _poll_claim_completion(self, handle: str, *, timeout_seconds: int = 300) -> dict[str, Any]:
@@ -264,9 +283,6 @@ class AuthsomeApiClient:
     async def whoami(self) -> dict[str, Any]:
         return await self._get("/whoami")
 
-    async def rekey(self) -> dict[str, Any]:
-        return await self._post("/rekey", {})
-
     async def doctor(self) -> dict[str, Any]:
         return await self.ready()
 

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/cli/context.py

@@ -54,33 +54,30 @@ class ContextObj:
             return
         if self.no_color:
             color = None
-        click.secho(message, err=err, fg=color, nl=nl)
+        click.secho(message, err=err or self.json_output, fg=color, nl=nl)
 
     def emit(self, message: str, color: str | None = None, nl: bool = True) -> None:
         """Print primary data output. Never suppressed by --quiet; respects --no-color."""
         if self.no_color:
             color = None
-        click.secho(message, fg=color, nl=nl)
+        click.secho(message, err=self.json_output, fg=color, nl=nl)
 
 
 pass_ctx = click.make_pass_decorator(ContextObj)
 
 
 def common_options(f):
-    @click.option("--json", "json_output", is_flag=True, help="Output in machine-readable JSON format.")
     @click.option("--quiet", is_flag=True, help="Suppress non-essential output.")
     @click.option("--no-color", is_flag=True, help="Disable ANSI colors.")
     @functools.wraps(f)
     def wrapper(*args, **kwargs):
-        json_output = kwargs.pop("json_output", False)
         quiet = kwargs.pop("quiet", False)
         no_color = kwargs.pop("no_color", False)
         ctx = click.get_current_context()
         if getattr(ctx, "obj", None) is None:
-            ctx.obj = ContextObj(json_output, quiet, no_color)
+            ctx.obj = ContextObj(True, quiet, no_color)
         else:
-            if json_output:
-                ctx.obj.json_output = True
+            ctx.obj.json_output = True
             if quiet:
                 ctx.obj.quiet = True
             if no_color:

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/cli/daemon_control.py

@@ -99,7 +99,7 @@ def start_daemon() -> None:
     DAEMON_DIR.mkdir(parents=True, exist_ok=True)
     log = LOG_FILE.open("ab")
     process = subprocess.Popen(
-        [sys.executable, "-m", "authsome.cli.main", "daemon", "serve"],
+        [sys.executable, "-m", "authsome.cli.main", "admin", "daemon", "serve"],
         stdout=log,
         stderr=log,
         start_new_session=True,

{authsome-0.4.1 → authsome-0.4.2}/src/authsome/cli/helpers.py

@@ -17,7 +17,7 @@ from authsome.utils import format_error_code
 
 
 def handle_errors(func):
-    """Catch exceptions and print cleanly or return machine JSON."""
+    """Catch exceptions and return structured JSON errors."""
 
     @functools.wraps(func)
     def wrapper(ctx_obj: ContextObj, *args, **kwargs):
@@ -29,10 +29,7 @@ def handle_errors(func):
                 return asyncio.run(func(ctx_obj, *args, **kwargs))
             return func(ctx_obj, *args, **kwargs)
         except Exception as exc:
-            if ctx_obj.json_output:
-                ctx_obj.print_json({"error": exc.__class__.__name__, "message": str(exc)})
-            else:
-                ctx_obj.echo(f"Error: {exc}", err=True, color="red")
+            ctx_obj.print_json({"error": exc.__class__.__name__, "message": str(exc)})
             sys.exit(format_error_code(exc))
 
     return wrapper
@@ -65,7 +62,7 @@ def setup_logging(verbose: bool, log_file: Path | None) -> None:
         )
 
 
-def _validate_provider_endpoints(definition: Any, ctx_obj: ContextObj) -> list[tuple[str, str, bool]]:
+def _validate_provider_endpoints(definition: Any) -> list[tuple[str, str, bool]]:
     """Extract and validate provider endpoints for security."""
     endpoints_to_check: list[tuple[str, str, bool]] = []
     if definition.oauth:
@@ -86,21 +83,18 @@ def _validate_provider_endpoints(definition: Any, ctx_obj: ContextObj) -> list[t
         if "://" in val:
             parsed = urllib.parse.urlparse(val)
             if parsed.scheme != "https":
-                ctx_obj.echo(f"Error: {name} must use HTTPS scheme ({val})", err=True, color="red")
-                sys.exit(1)
+                raise click.ClickException(f"{name} must use HTTPS scheme ({val})")
             host = parsed.hostname
         else:
             host = val
 
         if host in ("localhost", "127.0.0.1", "::1"):
-            ctx_obj.echo(f"Error: {name} cannot be localhost ({val})", err=True, color="red")
-            sys.exit(1)
+            raise click.ClickException(f"{name} cannot be localhost ({val})")
 
         if host:
             try:
                 ipaddress.ip_address(host)
-                ctx_obj.echo(f"Error: {name} cannot be a bare IP address ({val})", err=True, color="red")
-                sys.exit(1)
+                raise click.ClickException(f"{name} cannot be a bare IP address ({val})")
             except ValueError:
                 pass