Manage OAuth from CLI

[drew-harris]

Adds commands to manage OAuth clients from the CLI

Commands:
instant-cli auth client list
instant-cli auth client add
instant-cli auth client delete

All commands should be fully usable with --yes and have good help text so that agents can use.

Google is the only implemented provider currently.

Reviewing

git switch drewh/control-oauth-from-cli

In a directory with an app, use the commands to add/read/delete auth clients.

Note: Make sure to restart your backend

cd client/sandbox/cli-nodejs
INSTANT_CLI_DEV=1 pnpm exec instant-cli auth client list

I have been using this for testing. It requires nushell, but you can always give it to Claude and convert to bash.

#@ run it
cd ~/testing
print "SHOULD PASS"
do -i {INSTANT_CLI_DEV=true instant-cli auth client add --type google --name (random chars) --client-id lsjkdfj --app-type web --yes}
print "SHOULD FAIL"
do -i {INSTANT_CLI_DEV=true instant-cli auth client add --type google --name (random chars) --client-id lsjkdfj  --yes}
print "SHOULD FAIL"
do -i {INSTANT_CLI_DEV=true instant-cli auth client add  --name (random chars) --app-type web --yes}

#@ stopas
cd ~/testing
do -i {INSTANT_CLI_DEV=1 instant-cli auth client add --yes --type google --app-type web --name (random chars) --client-id foo}
do -i {INSTANT_CLI_DEV=true instant-cli auth client add --type google --name (random chars) --client-id lsjkdfj --app-type ios --yes}

#@ create then delete
cd ~/testing
let name = random chars;
print "SHOULD PASS"
do -i {INSTANT_CLI_DEV=true instant-cli auth client add --client-secret lskdjfkl --type google --name (random chars) --client-id lsjkdfj --app-type web --yes}
do -i {INSTANT_CLI_DEV=true instant-cli auth client delete --name $name}


#@ delete all auth clients
cd ~/testing
INSTANT_CLI_DEV=true instant-cli auth client list --json | from json

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds an auth client CLI group (add, list, delete), new OAuth schemas and HTTP helpers, interactive CLI prompting and flag validation, Google OAuth constants and re-exports, logging/UI defensive fixes, minor frontend import cleanup, and tightened backend authorization for app-auth endpoints.

Changes

Cohort / File(s)	Summary
Auth Client CLI Handlers client/packages/cli/src/commands/auth/client/add.ts, client/packages/cli/src/commands/auth/client/list.ts, client/packages/cli/src/commands/auth/client/delete.ts	New Effect-based CLI commands: add (interactive Google client creation with provider discovery/creation, app-type-specific prompts/validation), list (prints oauth_clients or JSON), and delete (delete by id/name or interactive selection).
CLI Command Registration client/packages/cli/src/index.ts	Registers auth client subcommands, wires parsed opts (merging raw argv for add) to handlers, and configures WithAppLayer/coercion options per command.
OAuth Models & HTTP Helpers client/packages/cli/src/lib/oauth.ts	New module with Schema models for authorized origins/providers/clients and response shapes; Effects: getAppsAuth, addOAuthProvider, addOAuthClient; and promptForRedirectURI.
CLI Prompting & Flag Utilities client/packages/cli/src/lib/ui.ts	Added flag decoders (getOptionalStringFlag, getBooleanFlag), invalidFlagError, prompt helpers (optOrPrompt, optionalOptOrPrompt), and stripFirstBlankLine.
UI Component & Logging Fixes client/packages/cli/src/ui/index.ts, client/packages/cli/src/logging.ts, client/packages/cli/src/layer.ts	TextInput gains sensitive prop and masks input when set; logging preserves variadic message arrays and spreads arguments; error printing defensively handles mixed hint error shapes.
Platform Constants & Re-exports client/packages/platform/src/consts.ts, client/packages/platform/src/index.ts	Added and re-exported Google OAuth endpoint and default callback URL constants.
Frontend Cleanup client/www/components/dash/AuthorizedOAuthAppsScreen.tsx, client/www/components/dash/auth/Google.tsx	Removed unused imports and consolidated UI imports; dropped unused SectionHeading import.
Backend Authorization Changes server/src/instant/dash/routes.clj	Switched several /dash/apps/:app_id handlers to use req->app-accepting-superadmin-or-ref-token! with :apps/read/:apps/write scopes instead of req->app-and-user!.
Package deps client/packages/cli/package.json	Added runtime dependency minimist and devDependency @types/minimist.

Sequence Diagram

sequenceDiagram
    actor User
    participant CLI
    participant UI as "Effect UI"
    participant State as "App Auth State"
    participant HTTP as "InstantHttpAuthed"
    participant Backend as "Dash Backend"

    User->>CLI: run `auth client add`
    CLI->>UI: prompt/select client type
    UI-->>CLI: client type (google)
    CLI->>State: getAppsAuth()
    State-->>CLI: providers + clients
    alt provider exists
        CLI->>CLI: use existing provider.id
    else
        CLI->>HTTP: addOAuthProvider(providerName)
        HTTP->>Backend: POST /dash/apps/{appId}/oauth_service_providers
        Backend-->>HTTP: provider created
        HTTP-->>CLI: provider id
    end
    CLI->>UI: prompt appType, clientName, clientId, clientSecret?, redirectURI?, skipNonceChecks?
    UI-->>CLI: collected inputs
    CLI->>HTTP: addOAuthClient(payload, meta)
    HTTP->>Backend: POST /dash/apps/{appId}/oauth_clients
    Backend-->>HTTP: created client
    HTTP-->>CLI: AddOAuthClientResponse
    CLI->>User: log created client details and redirect URI

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• Effect CLI rewrite (#2335) [bump to v0.22.177] #2335 — Large CLI rewrite touching similar CLI entrypoints, layers, and UI/logging code; likely code-level overlap.

Suggested reviewers

• nezaj
• stopachka

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Manage OAuth from CLI' directly and concisely summarizes the main change: adding CLI commands to manage OAuth clients.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description clearly documents the new OAuth client management commands, their usage patterns, and testing instructions, directly corresponding to the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch drewh/control-oauth-from-cli

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

View Vercel preview at instant-www-js-drewh-control-oauth-from-cli-jsv.vercel.app.

[stopachka]

Awwh yeah let's ship it!