feat: project detection support added

[KartikJha]

Changes

internal/cli/quickstart_detect.go (new file)

• Added DetectProject(dir string) DetectionResult — scans the working directory for framework signal files and returns a structured result with Framework, Type, BuildTool, Port, AppName, Detected, and AmbiguousCandidates
• Implements 14 detection priority levels covering: Angular, Flutter (web/native), Vite+React/Vue/Svelte/Vanilla, Next.js, Nuxt, SvelteKit, Expo, ASP.NET (.csproj), Java (Spring Boot / Java EE / Vanilla via pom.xml or build.gradle), PHP/Laravel (composer.json), Go (go.mod), Ruby on Rails (Gemfile), Python/Flask (requirements.txt / pyproject.toml), and package.json dep scanning for Express/Fastify/Hono/Ionic/React Native
• Config-file signals (e.g. angular.json, vite.config.ts) take priority over generic dep scanning to avoid false positives
• When multiple package.json deps match, AmbiguousCandidates is populated so the caller can prompt for disambiguation

internal/cli/quickstarts.go

New setup-experimental command flow:

• Added SetupInputs named struct replacing 3x repeated anonymous structs
• Added resolveRequestParams() — resolves DetectionSub placeholders in RequestParams (callbacks, logout URLs, web origins, name) using actual app name and port at runtime
• Integrated DetectProject() into RunE: on an existing project the detected framework/type/build-tool/port/name are shown as a summary and the user is asked to confirm; accepted values pre-fill SetupInputs so downstream prompts are skipped
• Ambiguous detection (multiple package.json deps) triggers a framework disambiguation prompt
• No-detection fallback (empty directory) prompts for all inputs: type -> framework (filtered by type) -> build tool -> port -> name
• getQuickstartConfigKey skips any field already populated (by flags or detection) and only asks for what is missing
• API creation now uses management.ResourceServer + cli.api.ResourceServer.Create() instead of management.Client
• API name defaults to <app-name>-API; API identifier defaults to https://<app-name-slug>
• API-only flow prompts the user to select an existing Auth0 application to associate with
• Registered all spec flags: --app, --api, --name, --type, --framework, --build-tool, --port, --callback-url, --logout-url, --web-origin-url, --identifier, --audience, --signing-alg, --scopes, --token-lifetime, --offline-access

Other fixes applied during review:

• Removed hardcoded RS256 overwrite on API signing algorithm
• Secret fields (e.g. AUTH0_SECRET, SESSION_SECRET) now use generateState(32) instead of a static placeholder
• Map iteration over EnvValues is now sorted for deterministic config file output
• Spring Boot YAML config uses gopkg.in/yaml.v2 with buildNestedMap() to correctly produce nested YAML from dot-delimited keys (e.g. okta.oauth2.issuer)
• All detection-related string literals replaced with the auth0.DetectionSub constant
• Output switched from fmt.Printf to cli.renderer.Infof for consistency
• m2m removed from the application type selection list
• Fixed "::none" error when only --api was selected (config key lookup now correctly skipped for API-only flows)
• Trailing periods removed from section comment dividers in internal/auth0/quickstart.go

---

References

• DXCDT-1554 — review comment fixes for setup-experimental
• DXCDT-1555 — tool detection module and CLI flow refinement

---

Testing

Manual — existing project:

cd /path/to/react-vite-project
auth0 quickstarts setup-experimental
# Expected: detects react/spa/vite/5173, shows summary, confirms, skips re-prompting those fields

Manual — empty directory:

mkdir empty-test && cd empty-test
auth0 quickstarts setup-experimental
# Expected: no detection panel, prompts for type -> framework -> build tool -> port -> name

Manual — API-only:

auth0 quickstarts setup-experimental --api --identifier https://my-api
# Expected: prompts to select an existing app, creates ResourceServer, no app client created

Manual — App + API:

auth0 quickstarts setup-experimental --app --api --name "My App"
# Expected: creates client, creates ResourceServer named "My App-API"

Unit tests for DetectProject covering each of the 14 signal rules: N/A (to be added in a follow-up — mocking os.ReadFile / os.Stat for the full matrix is tracked separately).

---

Checklist

• All new/changed/fixed functionality is covered by tests (or N/A)
• I have added documentation for all new/changed functionality (command --help text and flag descriptions updated inline)

[codecov-commenter]

Codecov Report

❌ Patch coverage is 57.97342% with 506 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.95%. Comparing base (55b66e5) to head (cb9922c).
⚠️ Report is 16 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/cli/quickstarts.go	42.07%	398 Missing and 15 partials ⚠️
internal/cli/quickstart_detect.go	84.86%	56 Missing and 15 partials ⚠️
internal/prompt/prompt.go	0.00%	11 Missing ⚠️
internal/cli/cli.go	0.00%	6 Missing ⚠️
internal/display/display.go	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1476      +/-   ##
==========================================
- Coverage   59.14%   58.95%   -0.19%     
==========================================
  Files         120      121       +1     
  Lines       21194    22585    +1391     
==========================================
+ Hits        12535    13316     +781     
- Misses       7841     8419     +578     
- Partials      818      850      +32     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ramya18101]

@KartikJha , Please fix the linters errors

[ramya18101]

• Colouring of newly created files/apps
• Fix the Prompt to confirm with name
• Port also should follow the name process
• Format the output msg
• Fix testcases for the main flow of each scenario which tests .env content and the requestparams Info
• Refactor the consts and help functions into 1 package instead of depending on auth package

[ramya18101]

Highlight that these flags are for the API

[ramya18101]

As discussed earlier, the port value should be prompted with default values like 5173 or 4200, as it varies depending on the configuration.

[ramya18101]

Instead of static build tool, try to fetch the build tool details from other files like .vite.config.ts

[ramya18101]

InfofNoSpace is not used at anywhere

[ramya18101]

Can this case go along with the default case

[KartikJha]

Current code: native dirs take priority over web target.                                                                                                                                      
  Collapsed version: web target takes priority over native dirs.
                                                                                                                                                                                                
  // Collapsed — web target wins even if android/ or ios/ exist
  switch {
  case pubspecHasFlutterWebTarget(data):
      result.Framework = "flutter-web"
      result.Type = "spa"
  default:
      result.Framework = "flutter"
      result.Type = "native"
      result.BundleID = readMobileBundleID(dir)
  }

  A Flutter project can legitimately have both — flutter create --platforms=android,ios,web produces a project with native dirs and a web: section in pubspec. The current code intentionally
  treats native dirs as the stronger signal, since a developer running setup-experimental on such a project is more likely targeting mobile Auth0 integration.

  So collapsing is valid only if you're okay with flipping that priority. If the intent is "native dirs beat web target when both exist", the explicit first case is load-bearing and should
  stay.
  

@ramya18101 most probably in this scenario we want to force the native scenario. Let me know if we still want to target web first then I can collapse the switch.

cc @arpit-jn @duedares-rvj

[ramya18101]

We don't need to display the app name and port as the detected values,
We can prompt the details by giving the default value

[KartikJha]

Updated

[ramya18101]

As discussed, we are not going to read the port values from the files,
Instead use the pre-defined default values shared in the Command Redesign Spec doc - v. 6
Remove these additional code

[KartikJha]

@ramya18101 as discussed in the call time complexity of using this function for extracting the port from signal files is not greater than usability of auto port detection as it runs on client machine and will make the command more AI tooling friendly.

The fallback behavior already covers the concern here. detectPortFromConfig returns defaultPort whenever extraction
fails — so using predefined defaults is what the code does when no port is found in the config file. The file read is
just a best-effort check before that.

The reason to keep it: inputs.Port feeds directly into the Auth0 callback URL registration (baseURL :=
fmt.Sprintf("http://localhost:%d", inputs.Port) at line 635). If a developer has customized their vite.config.ts to
port: 4000 and we register http://localhost:5173, Auth0 will reject the redirect at login. Detecting the actual port
prevents a silent misconfiguration that's painful to debug.

Removing extractPortFromContent would mean the fallback default is always used, trading a small file read for a
potential broken Auth0 callback URL. Given the function already has the safety net of falling back to the default on
any failure, I'd keep it.

[KartikJha]

Updated

[ramya18101]

recheck on the port values, as for all the non-native app types we are having the same default port

[KartikJha]

As discussed this comment is not an issue main issue is here

[KartikJha]

Updated

[ramya18101]

Isn't this handled again under - Step 3d: Prompt for port if not explicitly set --.

[KartikJha]

The two checks serve different execution paths and are not redundant.

The check at line 1482 (inside getQuickstartConfigKey) is the non-interactive fallback — when --no-input is set,
the Step 3d block is skipped entirely (guarded by canPromptFlag), so getQuickstartConfigKey is what ensures the
port gets a framework default before the config key is resolved.

The check at line 972 (inside Step 3d) pre-fills the interactive prompt default — without it, the prompt would
display 0 for the user to edit instead of the framework-appropriate value (e.g. 5173 for Vite). It's not setting
the final value; it's setting the starting value shown to the user.

So removing either one would be a regression: removing line 1482 breaks --no-input mode, removing line 972 breaks
the interactive prompt UX.

[ramya18101]

So, re-check and remove the redundant logic as it already handled here

[KartikJha]

Updated

[ramya18101]

Do we really need this check..?
As app check is already happened in the start!

[KartikJha]

Good catch. Implemented the early return pattern — the redundant if inputs.App wrapper and the unreachable if !inputs.App check have been removed. The function
now starts with:

if !inputs.App {
return "", inputs, false, nil
}

and the rest of the logic sits flat without an extra nesting level.

[ramya18101]

Why are we highlighting the bugs..?

[KartikJha]

Updated

[ramya18101]

Instead of this complicated logic, Can we enhance the frameworksForType logic to store the supported buildTools for each Framework!

[KartikJha]

Done — introduced auth0.FrameworkBuildTools, a package-level map built from QuickstartConfigs at startup, keyed by
"type:framework" with the supported build tools sorted alphabetically. The dynamic search-and-sort block in
getQuickstartConfigKey is replaced with a single map lookup before configKey is built:

if tools := auth0.FrameworkBuildTools[inputs.Type+":"+inputs.Framework]; len(tools) > 0 {
buildToolKey = tools[0]
inputs.BuildTool = buildToolKey
wasAutoSelected = true
}

Kept it in auth0/quickstart.go alongside QuickstartConfigs rather than inside frameworksForType since it's derived
directly from the config map and serves a different concern — build tool resolution rather than prompting.

[ramya18101]

Divide it into functions as fetchNecessaryInputs and GetQsConfigKey

and since both inputs was used in both input and output params of that func, Please wisely use reference(*)

[KartikJha]

Done — extracted resolveSetupInputs (which handles type validation/prompting, framework prompting, port default,
and build tool resolution) out of getQuickstartConfigKey, keeping the latter focused on flow control and key
construction.

On the pointer suggestion: SetupInputs is a plain struct with only value-type fields (string, bool, int) plus one
map. In Go, the idiomatic pattern for "transform and return a struct" is pass-by-value with a named return — it
avoids aliasing, keeps callers from observing partial mutations on error paths, and makes the data flow explicit
in the signature. Since the struct is passed by value, any modifications inside resolveSetupInputs operate on a
local copy and do not affect the caller's original struct — the updated inputs are explicitly returned and the
caller decides what to do with them. A pointer would be appropriate if the struct were large enough to make
copying expensive, or if we needed shared mutable state across goroutines — neither applies here. The current
(SetupInputs, bool, error) return signature is the right call.

[ramya18101]

Why didn't we use existing flags here..?

[KartikJha]

Updated

[ramya18101]

Instead of using prompt.AskOne and cmd.Flags().Changed use our in-bulit flag methods

[KartikJha]

Updated

[ramya18101]

Why do we have identifier and audience as two seperate flags..
Aren't these both same..?

[KartikJha]

--audience is an intentional alias for --identifier to accommodate developers who are more familiar with Auth0's "audience"
terminology (used widely in Auth0 docs and SDK config). Both resolve to the same value — the resource server identifier. The else
if inputs.Identifier == "" { inputs.Identifier = inputs.Audience } line is exactly what handles that aliasing. The flag help
text already documents this: "Alias for --identifier (unique audience URL for the API)".

cc @arpit-jn @duedares-rvj

[ramya18101]

WHy are we having 2 flags..?

[KartikJha]

Assuming this is related to audience and identifier, it has been addressed here

[ramya18101]

Use the similar existing logic to handle validation:

auth0-cli/internal/cli/apis.go

Line 606 in 18e479e

// Heuristics to determine if this a valid ID, or an audience value

[KartikJha]

Updated

[ramya18101]

Rename as DetectionSubAsBase

[KartikJha]

Updated

[ramya18101]

WHy are we checking u == auth0.DetectionSubBase as we never set in the whole codebase as DetectionSubBase, we only used DetectionSub

[KartikJha]

Updated

[ramya18101]

Divide this function into: replaceDetectionSub and resolveDetectionSubValue
as it currently does 2 operations

[KartikJha]

Updated

[ramya18101]

If we are not using the 2nd field from the output param of GenerateAndWriteQuickstartConfig then why are we even sending it..?

[KartikJha]

The second output is the path of the envFile and is used in Test Suites to check for temp env file existence and overall makes the test suite more reliable.

[ramya18101]

Take the similar reference from :

auth0-cli/internal/cli/apis.go

Line 693 in 18e479e

func apiScopesFor(scopes []string) *[]management.ResourceServerScope {

and checkout the whole createAPI logic from the apis.go/createAPICmd

[KartikJha]

Updated