regstack 0.4.0__tar.gz → 0.5.0__tar.gz

{regstack-0.4.0 → regstack-0.5.0}/CLAUDE.md

@@ -77,6 +77,20 @@ The full plan, including milestone scope and deferred items, lives at
   four layers: validators (unit), writer (golden-file), routes
   (TestClient), full SPA flow (Playwright e2e). Run e2e with
   `inv test-e2e`; `inv test-all` chains it after the backend matrix.
+- **Theme designer — done.** `regstack theme design` opens a sibling
+  pywebview window with controls for every `--rs-*` variable and a
+  real-time preview of the bundled SSR widgets (renders the same
+  `.rs-*` classes the SSR pages render, so what you see is what
+  you'll ship). Save writes `regstack-theme.css`; the designer
+  round-trips values back into the form on next launch so iteration
+  is non-destructive. Lives in `src/regstack/wizard/theme_designer/`,
+  registered via a `_LazyThemeGroup` mirroring the OAuth pattern.
+  Same four-layer test stack (validators / writer / routes /
+  Playwright e2e). The shared scaffold (FastAPI app, uvicorn launcher,
+  pywebview shim, e2e fixture pattern) is duplicated rather than
+  abstracted into a base class — the two tools have meaningfully
+  different inputs and an early shared base would calcify the wrong
+  decisions. Refactor only when a third pywebview tool lands.
 
 ## Three kinds of single-use proof
 

{regstack-0.4.0 → regstack-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: regstack
-Version: 0.4.0
+Version: 0.5.0
 Summary: Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB.
 Project-URL: Homepage, https://github.com/jdrumgoole/regstack
 Project-URL: Repository, https://github.com/jdrumgoole/regstack
@@ -143,7 +143,7 @@ result everywhere is what regstack is for.
 ✔ Server-rendered HTML pages, theme with one CSS file
 ✔ Pluggable email (console / SMTP / Amazon SES) and SMS (Amazon SNS / Twilio)
 ✔ Argon2 password hashing, CSP-friendly templates
-✔ Setup wizard (`regstack init`) and config validator (`regstack doctor`)
+✔ Setup wizards (live in their own pywebview windows): `regstack init` (project bootstrap), `regstack oauth setup` (guided Google OAuth client config), `regstack theme design` (live theme designer with preview), and `regstack doctor` (config validator)
 ✔ Three storage backends: SQLite, PostgreSQL, MongoDB — chosen by URL
 ```
 
@@ -186,7 +186,7 @@ register from the command line:
 ```bash
 curl -X POST http://localhost:8000/api/auth/register \
     -H 'content-type: application/json' \
-    -d '{"email":"alice@example.com","password":"hunter2hunter2","full_name":"Alice"}'
+    -d '{"email":"alice@app.example.com","password":"<password>","full_name":"Alice"}'
 ```
 
 The bundled example serves themed SSR pages at `/account/*`, prints
@@ -251,8 +251,8 @@ The same docs are also browsable as Markdown in [`docs/`](https://github.com/jdr
 Alpha. Single-file SQLite is the default and runs with no infrastructure;
 PostgreSQL and MongoDB backends pass the same parametrized integration
 suite. OAuth (Google) shipped in `v0.3.0`; the `regstack oauth setup`
-guided wizard shipped in `v0.4.0`. Latest tagged release: `v0.4.0`.
-See the
+guided wizard in `v0.4.0`; the live `regstack theme design` tool in
+`v0.5.0`. Latest tagged release: `v0.5.0`. See the
 [changelog](https://regstack.readthedocs.io/en/latest/changelog.html)
 for the per-release breakdown.
 

{regstack-0.4.0 → regstack-0.5.0}/README.md

@@ -72,7 +72,7 @@ result everywhere is what regstack is for.
 ✔ Server-rendered HTML pages, theme with one CSS file
 ✔ Pluggable email (console / SMTP / Amazon SES) and SMS (Amazon SNS / Twilio)
 ✔ Argon2 password hashing, CSP-friendly templates
-✔ Setup wizard (`regstack init`) and config validator (`regstack doctor`)
+✔ Setup wizards (live in their own pywebview windows): `regstack init` (project bootstrap), `regstack oauth setup` (guided Google OAuth client config), `regstack theme design` (live theme designer with preview), and `regstack doctor` (config validator)
 ✔ Three storage backends: SQLite, PostgreSQL, MongoDB — chosen by URL
 ```
 
@@ -115,7 +115,7 @@ register from the command line:
 ```bash
 curl -X POST http://localhost:8000/api/auth/register \
     -H 'content-type: application/json' \
-    -d '{"email":"alice@example.com","password":"hunter2hunter2","full_name":"Alice"}'
+    -d '{"email":"alice@app.example.com","password":"<password>","full_name":"Alice"}'
 ```
 
 The bundled example serves themed SSR pages at `/account/*`, prints
@@ -180,8 +180,8 @@ The same docs are also browsable as Markdown in [`docs/`](https://github.com/jdr
 Alpha. Single-file SQLite is the default and runs with no infrastructure;
 PostgreSQL and MongoDB backends pass the same parametrized integration
 suite. OAuth (Google) shipped in `v0.3.0`; the `regstack oauth setup`
-guided wizard shipped in `v0.4.0`. Latest tagged release: `v0.4.0`.
-See the
+guided wizard in `v0.4.0`; the live `regstack theme design` tool in
+`v0.5.0`. Latest tagged release: `v0.5.0`. See the
 [changelog](https://regstack.readthedocs.io/en/latest/changelog.html)
 for the per-release breakdown.
 

{regstack-0.4.0 → regstack-0.5.0}/docs/changelog.md

@@ -3,6 +3,33 @@
 All notable changes to this project are documented here. Versions follow
 [Semantic Versioning](https://semver.org/) once `1.0.0` ships.
 
+## 0.5.0 — 2026-05-02
+
+### Added
+
+- **Theme designer.** `regstack theme design` opens a native pywebview
+  window with controls for every `--rs-*` CSS custom property and a
+  real-time preview of the bundled SSR widgets (sign-in form, success
+  / error banners, danger-zone button). Saving writes
+  `regstack-theme.css`; the designer round-trips values back into the
+  form on next launch so iteration is non-destructive. `--print-only`
+  mode takes repeatable `--var NAME=VALUE` pairs (with a `dark:`
+  prefix for dark-scheme overrides) and writes the file headlessly.
+  Lives in `regstack.wizard.theme_designer`; registered as a lazy
+  Click subgroup so `regstack init` / `doctor` don't pay the
+  pywebview/uvicorn import cost.
+- "Why use regstack" pitch in `docs/index.md` updated to surface the
+  two pywebview tools (`oauth setup` + `theme design`) as a
+  distinguishing feature vs. fastapi-users / Auth0 / Keycloak.
+
+### Docs
+
+- New "About the examples" convention block at the top of
+  `docs/index.md`. Every URL, email, smtp host, and admin command
+  across the docs now extrapolates from the same fictional app at
+  `app.example.com` with `<username>` / `<password>` placeholders —
+  no more `user:pw@host/dbname` / `db.internal/myapp` mishmash.
+
 ## 0.4.0 — 2026-05-02
 
 ### Added

regstack-0.5.0/docs/cli.md

@@ -0,0 +1,187 @@
+# CLI reference
+
+`regstack` is the entry point installed by the package. All sub-commands
+share a config-loading model: programmatic kwargs > env vars >
+`regstack.secrets.env` > `regstack.toml` > defaults. The `--config <path>`
+flag overrides where the TOML file is found.
+
+## `regstack init`
+
+Interactive wizard that writes `regstack.toml` and `regstack.secrets.env`
+in the current directory. Asks which backend to use (SQLite default →
+Postgres → MongoDB), generates a 64-byte JWT secret, runs DNS sanity
+checks if asked, never provisions infrastructure.
+
+```bash
+uv run regstack init
+uv run regstack init --target /etc/app --force
+```
+
+Options:
+
+- `--target DIR` — directory to write the config files (default cwd).
+- `--force` — overwrite without confirming.
+
+Re-running the wizard prompts before overwriting unless `--force` is
+passed; pre-existing answers aren't kept (the wizard is intentionally
+stateless).
+
+## `regstack oauth setup`
+
+Opens a guided 12-step wizard in a native webview window that walks you
+through registering a Google OAuth 2.0 client (project selection,
+consent screen, redirect URI, credentials) and merges the result into
+your existing `regstack.toml` and `regstack.secrets.env`. The merge is
+**non-clobbering** — comments, unrelated tables (`[email]`, `[sms]`,
+…), and unrelated top-level keys are preserved. Re-run any time to
+rotate credentials or change the linking policy.
+
+```bash
+uv run regstack oauth setup
+uv run regstack oauth setup --target /etc/app
+```
+
+Options:
+
+- `--target DIR` — directory containing (or to receive) `regstack.toml`
+  (default cwd).
+- `--api-prefix PREFIX` — router prefix the host mounts regstack under
+  (default `/api/auth`). Used to compute the suggested redirect URI.
+- `--port N` — pin the wizard server's TCP port (default: random free
+  port on `127.0.0.1`).
+- `--print-only` — skip the GUI; print the TOML + secrets diff that
+  *would* be written to stdout, then exit. Useful for headless hosts
+  (CI, servers without a webview backend) and dry-run smoke tests.
+  Pair with `--client-id`, `--client-secret`, `--base-url`,
+  `--auto-link/--no-auto-link`, `--mfa/--no-mfa`.
+
+The interactive mode requires a desktop environment with a webview
+backend (WebKit on macOS, GTK / QtWebEngine on Linux, Edge WebView2 on
+Windows). On a headless host it exits with a clear error pointing at
+`--print-only`.
+
+The wizard binds to `127.0.0.1` only and authenticates every API call
+with a per-launch random token, so a hostile process on the same host
+can't drive the write endpoint.
+
+## `regstack theme design`
+
+Opens a live designer for `regstack-theme.css` in a native pywebview
+window. The left pane has controls for every `--rs-*` CSS custom
+property; the right pane renders the bundled SSR widgets (sign-in
+form, success / error messages, danger-zone button) with your changes
+applied in real time. Click **Save** to write the file; **Reset to
+defaults** to start over; **Copy CSS** to put the generated
+stylesheet on the clipboard without writing.
+
+```bash
+uv run regstack theme design
+uv run regstack theme design --target /var/www/static
+```
+
+Options:
+
+- `--target DIR` — directory to write `regstack-theme.css` into
+  (default cwd).
+- `--filename NAME` — output filename
+  (default `regstack-theme.css`).
+- `--port N` — pin the designer's TCP port (default: random free
+  port on `127.0.0.1`).
+- `--print-only` — skip the GUI; write the file from `--var` pairs
+  and emit a JSON summary. For headless / CI use.
+- `--var NAME=VALUE` — repeatable. Used with `--print-only`. Prefix
+  with `dark:` to set the dark-scheme value, e.g.
+  `--var dark:--rs-accent=#2dd4bf`.
+
+Re-running the designer reloads the previous values out of the file,
+so iterating on a theme is non-destructive. Only the `:root` and
+`@media (prefers-color-scheme: dark)` blocks are managed by the
+designer — anything else in the file is left alone.
+
+Same security shape as `regstack oauth setup`: binds `127.0.0.1`
+only, every API call requires a per-launch random token.
+
+## `regstack create-admin`
+
+Create or promote a superuser. Idempotent.
+
+```bash
+uv run regstack create-admin --email admin@app.example.com
+uv run regstack create-admin --email admin@app.example.com --password 'long-strong-password'
+uv run regstack create-admin --email admin@app.example.com --config /etc/app/regstack.toml
+```
+
+Options:
+
+- `--email EMAIL` *(required)*.
+- `--password PW` — if omitted, prompts (with confirmation).
+- `--config PATH` — TOML file to load (default: env or cwd).
+
+If the user already exists, the command sets `is_superuser=True` and
+keeps the existing password. If they don't exist, it creates the user
+with `is_active=True`, `is_verified=True`, `is_superuser=True` and the
+provided password.
+
+## `regstack migrate`
+
+Runs the bundled Alembic migrations against the configured
+`database_url`. Idempotent — re-running on a DB already at the target
+revision is a no-op. Use this on SQL backends (SQLite / PostgreSQL)
+to roll the schema forward to a new regstack release.
+
+```bash
+uv run regstack migrate
+uv run regstack migrate --target head
+uv run regstack migrate --config /etc/app/regstack.toml --target 0001
+```
+
+Options:
+
+- `--config PATH` — TOML file to load (default: cwd / `$REGSTACK_CONFIG`).
+- `--target REV` — revision to upgrade to (default `head`). Accepts
+  any Alembic revision spec: a revision id (`0001`), a relative step
+  (`+1`), or `head`.
+
+Mongo backends are silently skipped: TTL indexes are installed by
+`RegStack.install_schema()` on every app start, so there's no separate
+migration story to run. Output prints the before / after revision and
+exits non-zero if Alembic raises.
+
+## `regstack doctor`
+
+Runs read-only validation against the loaded config and reports each
+check on a green/red line. Exit code is the number of failed checks —
+suitable for use in container health checks.
+
+```bash
+uv run regstack doctor
+uv run regstack doctor --config /etc/app/regstack.toml
+uv run regstack doctor --check-dns
+uv run regstack doctor --send-test-email alice@app.example.com
+```
+
+Options:
+
+- `--config PATH` — TOML file to load.
+- `--check-dns` — run SPF / DMARC / MX `dig`s on the sender domain.
+  Internet-dependent; off by default.
+- `--send-test-email TO` — actually send a probe email through the
+  configured backend. Costs real money on SES; off by default.
+
+Default checks:
+
+| Check | Pass criterion |
+|-------|----------------|
+| `jwt secret` | Present, ≥ 32 chars |
+| `backend` | `Backend.ping()` succeeds (works for any backend) |
+| `schema` | Mongo: required indexes present. SQL: `users` table responds to `count(*)` |
+| `email backend` | `build_email_service(config.email)` instantiates |
+
+Optional checks:
+
+| Check | Pass criterion |
+|-------|----------------|
+| `dns mx` | At least one MX record on the sender domain |
+| `dns spf` | A TXT record containing `v=spf1` |
+| `dns dmarc` | A TXT record at `_dmarc.<domain>` containing `v=DMARC1` |
+| `email send` | The configured backend's `send()` returned without raising |

{regstack-0.4.0 → regstack-0.5.0}/docs/configuration.md

@@ -85,15 +85,16 @@ regstack picks a backend at construction time from the URL scheme of
   - Notes
 
 * - SQLite
-  - `sqlite+aiosqlite:///./path.db`
+  - `sqlite+aiosqlite:///./dbname.db`
   - Default. Bundled in the base install — no extras needed.
     `:memory:` works too (per-test).
 * - Postgres
-  - `postgresql+asyncpg://user:pw@host/dbname`
+  - `postgresql+asyncpg://<username>:<password>@dbhost.example.com:5432/dbname`
   - Requires the `postgres` extra (pulls in `asyncpg`). The driver is
     pinned to `+asyncpg` — sync drivers won't work.
 * - MongoDB
-  - `mongodb://host:port/dbname` (or `mongodb+srv://`)
+  - `mongodb://<username>:<password>@dbhost.example.com:27017/dbname`
+    (or `mongodb+srv://<username>:<password>@app.abc123.mongodb.net/dbname`)
   - Requires the `mongo` extra (pulls in `pymongo`). Database is taken
     from the URL path; falls back to ``mongodb_database`` if absent.
 ```
@@ -234,14 +235,14 @@ The active backend exposes the same five repository protocols on
 ```toml
 [email]
 backend = "console"             # console | smtp | ses
-from_address = "noreply@…"
-from_name    = "MyApp"
+from_address = "noreply@app.example.com"
+from_name    = "Example App"
 
 # smtp
-smtp_host = "smtp.example.com"
+smtp_host = "smtp.app.example.com"
 smtp_port = 587
 smtp_starttls = true
-smtp_username = "myapp"
+smtp_username = "<username>"
 # smtp_password is a SecretStr — set via REGSTACK_EMAIL__SMTP_PASSWORD
 
 # ses

{regstack-0.4.0 → regstack-0.5.0}/docs/embedding.md

@@ -16,13 +16,13 @@ a working backend with no infrastructure. To switch:
 # regstack.toml
 
 # SQLite (default — file lives wherever the path points)
-database_url = "sqlite+aiosqlite:///./regstack.db"
+database_url = "sqlite+aiosqlite:///./dbname.db"
 
 # Postgres (needs the `postgres` extra → asyncpg)
-database_url = "postgresql+asyncpg://user:pw@db.internal/myapp"
+database_url = "postgresql+asyncpg://<username>:<password>@dbhost.example.com:5432/dbname"
 
 # MongoDB (needs the `mongo` extra → pymongo)
-database_url = "mongodb://db.internal:27017/myapp"
+database_url = "mongodb://<username>:<password>@dbhost.example.com:27017/dbname"
 ```
 
 Hosts that already manage their own connection pool — for example, an
@@ -210,7 +210,7 @@ one does not validate against the other. The
 ## Bootstrapping the first admin
 
 ```bash
-uv run regstack create-admin --email admin@example.com
+uv run regstack create-admin --email admin@app.example.com
 ```
 
 The CLI prompts for a password (with confirmation). Re-running with
@@ -220,7 +220,7 @@ their password.
 In code:
 
 ```python
-await regstack.bootstrap_admin("admin@example.com", "long-strong-password")
+await regstack.bootstrap_admin("admin@app.example.com", "long-strong-password")
 ```
 
 This is idempotent — promotes an existing user, creates one if not

{regstack-0.4.0 → regstack-0.5.0}/docs/index.md

@@ -63,6 +63,52 @@ and keep the user table in your own database** — not "stand up a
 separate auth product" and not "write the boring 80% from scratch
 each time".
 
+### What's distinctive about regstack
+
+- **Native pywebview setup tools, not just Click prompts.**
+  - `regstack oauth setup` opens a real desktop window that walks an
+    operator through registering a Google OAuth 2.0 client and
+    merging the credentials into `regstack.toml` non-clobberingly —
+    no copy-pasting the redirect URI four times.
+  - `regstack theme design` opens a live theme designer with a
+    real-time preview of the SSR auth pages: tweak a colour, see
+    the Sign-in card update on the right; click Save to write
+    `regstack-theme.css`. CSS-only re-skin in minutes, no template
+    editing required.
+  Both tools are local-only (`127.0.0.1` + per-launch token), have
+  a `--print-only` mode for headless CI, and ship under the same
+  test-from-the-outside Playwright suite the SSR pages do.
+- **Zero vendor lock-in.** Your user table is in your database, not
+  someone else's. Switch storage backends by changing one URL.
+- **Opt-in everything.** No SMS extra → no `twilio` / `aioboto3`
+  install. No SES → no AWS SDK. No SSR → no Jinja templates loaded.
+  The base install is small.
+
+## About the examples
+
+To keep URLs and config values consistent across the docs, every
+example pretends to embed regstack into a fictional app hosted at
+`app.example.com`. Throughout the docs:
+
+| What | Value |
+|---|---|
+| Public host | `app.example.com` |
+| `base_url` | `https://app.example.com` |
+| Database host (prod) | `dbhost.example.com` |
+| Database user | `<username>` |
+| Database password | `<password>` |
+| Database name | `dbname` |
+| Email sender | `noreply@app.example.com` |
+| Local dev port | `localhost:8000` |
+
+So a Postgres URL looks like
+`postgresql+asyncpg://<username>:<password>@dbhost.example.com:5432/dbname`,
+a MongoDB URL like
+`mongodb://<username>:<password>@dbhost.example.com:27017/dbname`,
+and the local SQLite path `sqlite+aiosqlite:///./dbname.db`. Substitute
+your own values when copying — the shape is the only thing that
+matters.
+
 ## What's in the box
 
 - **Three storage backends, one API.** SQLite (the default — single
@@ -76,7 +122,12 @@ each time".
   forgot, reset, MFA confirm, account dashboard. Themed via CSS
   custom properties — no template editing required for a re-skin.
   Full template overrides are still possible per host.
-- **CLIs.** `regstack init` (interactive setup wizard),
+- **CLIs + native pywebview tools.**
+  `regstack init` (interactive project bootstrap),
+  `regstack oauth setup` (guided Google OAuth client configuration in
+  a native webview — see [OAuth guide](oauth.md)),
+  `regstack theme design` (live theme designer with a real-time preview
+  of the SSR widgets — see [theming guide](theming.md)),
   `regstack create-admin`, `regstack doctor`.
 - **OAuth — Sign in with Google** (opt-in, since 0.3.0). Authorization
   Code with PKCE, ID-token verification, identity-linking with a
@@ -139,7 +190,7 @@ changelog
 
 ## Project status
 
-Alpha. Latest tagged release: `v0.4.0`. SQLite is the default and
+Alpha. Latest tagged release: `v0.5.0`. SQLite is the default and
 runs with no infrastructure; PostgreSQL and MongoDB pass the same
 parametrized integration suite. The full backend matrix runs in
 parallel against every test, so a green CI on `main` is a strong

{regstack-0.4.0 → regstack-0.5.0}/docs/quickstart.md

@@ -144,7 +144,7 @@ uv run uvicorn examples.sqlite.main:app --reload
 # In another terminal
 curl -X POST http://localhost:8000/api/auth/register \
     -H 'content-type: application/json' \
-    -d '{"email":"a@example.com","password":"hunter2hunter2","full_name":"A"}'
+    -d '{"email":"alice@app.example.com","password":"<password>","full_name":"Alice"}'
 ```
 
 The SQLite demo enables verification by default. Look at the demo's

{regstack-0.4.0 → regstack-0.5.0}/docs/theming.md

@@ -4,6 +4,30 @@ The bundled UI ships a structural stylesheet (`core.css`) and a default
 theme stylesheet (`theme.css`). Hosts pick one of three integration
 levels depending on how much they want to override.
 
+## Quickest path: the live designer
+
+```bash
+uv run regstack theme design
+```
+
+Opens a native pywebview window with controls for every `--rs-*`
+variable on the left and a real-time preview of the bundled SSR
+widgets on the right. Tweak a colour, watch the Sign-in card update;
+click Save to write `regstack-theme.css`. There's a `--print-only`
+mode for headless / CI use:
+
+```bash
+uv run regstack theme design --print-only \
+    --var --rs-accent=#0d9488 \
+    --var --rs-radius=10 \
+    --var dark:--rs-accent=#2dd4bf
+```
+
+Re-running the designer reloads your previous values back into the
+form, so you can iterate without losing state. The rest of this guide
+explains the underlying override mechanisms — useful when you want
+to go beyond what the designer exposes.
+
 ## Level 1 — swap one stylesheet
 
 Set `config.theme_css_url` to a URL where your host serves a custom
@@ -34,9 +58,30 @@ Your `static/my-theme.css`:
 ```
 
 That's it — every regstack page picks up the new palette. See
-`examples/minimal/branding/theme.css` for a working wine-themed
+`examples/mongo/branding/theme.css` for a working wine-themed
 example.
 
+To support both light and dark mode, add a `prefers-color-scheme`
+block re-declaring whichever variables need to differ:
+
+```css
+:root {
+  --rs-accent:    #0d9488;
+  --rs-accent-bg: rgba(13, 148, 136, 0.08);
+}
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    --rs-accent:    #2dd4bf;
+    --rs-accent-bg: rgba(45, 212, 191, 0.12);
+  }
+}
+```
+
+The bundled `theme.css` already supplies dark-mode defaults for every
+variable, so you only need to override the ones whose dark variant
+differs from the auto-derived contrast.
+
 ## Variables
 
 ```{list-table}

{regstack-0.4.0 → regstack-0.5.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "regstack"
-version = "0.4.0"
+version = "0.5.0"
 description = "Embeddable user registration, login, and account management for FastAPI apps. SQLite / Postgres / MongoDB."
 readme = "README.md"
 requires-python = ">=3.11"

{regstack-0.4.0 → regstack-0.5.0}/src/regstack/cli/__main__.py

@@ -28,6 +28,20 @@ class _LazyOauthGroup(click.Group):
         return setup_cmd
 
 
+class _LazyThemeGroup(click.Group):
+    """Same lazy-import pattern for the theme designer subtree."""
+
+    def list_commands(self, ctx: click.Context) -> list[str]:
+        return ["design"]
+
+    def get_command(self, ctx: click.Context, name: str) -> click.Command | None:
+        if name != "design":
+            return None
+        from regstack.wizard.theme_designer.cli import design as design_cmd
+
+        return design_cmd
+
+
 @click.group(help="regstack — embeddable account registration for FastAPI apps.")
 @click.version_option(__version__, prog_name="regstack")
 def cli() -> None:
@@ -39,6 +53,7 @@ cli.add_command(create_admin_cmd)
 cli.add_command(doctor_cmd)
 cli.add_command(migrate_cmd)
 cli.add_command(_LazyOauthGroup(name="oauth", help="OAuth provider setup wizards."))
+cli.add_command(_LazyThemeGroup(name="theme", help="Theme designer for the SSR pages."))
 
 
 def main() -> None:

regstack-0.5.0/src/regstack/version.py

@@ -0,0 +1 @@
+__version__ = "0.5.0"

regstack-0.5.0/src/regstack/wizard/theme_designer/__init__.py

@@ -0,0 +1,8 @@
+"""Interactive theme designer for regstack's SSR pages.
+
+``regstack theme design`` opens a native pywebview window with a live
+preview of the bundled SSR widgets and a panel of controls for the
+``--rs-*`` CSS custom properties. Saving writes a single
+``regstack-theme.css`` the host can serve and reference via
+``config.theme_css_url``.
+"""