feat: integrate framework files into monorepo under packages/mosaic/framework/

Moves all Mosaic framework runtime files from the separate bootstrap repo
into the monorepo as canonical source. The @mosaic/mosaic npm package now
ships the complete framework — bin scripts, runtime configs, tools, and
templates — enabling standalone installation via npm install.

Structure:
  packages/mosaic/framework/
  ├── bin/          28 CLI scripts (mosaic, mosaic-doctor, mosaic-sync-skills, etc.)
  ├── runtime/      Runtime adapters (claude, codex, opencode, pi, mcp)
  ├── tools/        Shell tooling (git, prdy, orchestrator, quality, etc.)
  ├── templates/    Agent and repo templates
  ├── defaults/     Default identity files (AGENTS.md, STANDARDS.md, SOUL.md, etc.)
  ├── install.sh    Legacy bash installer
  └── remote-install.sh  One-liner remote installer

Key files with Pi support and recent fixes:
- bin/mosaic: launch_pi() with skills-local loop
- bin/mosaic-doctor: --fix auto-wiring for all 4 harnesses
- bin/mosaic-sync-skills: Pi as 4th link target, symlink-aware find
- bin/mosaic-link-runtime-assets: Pi settings.json patching
- bin/mosaic-migrate-local-skills: Pi skill roots, symlink find
- runtime/pi/RUNTIME.md + mosaic-extension.ts

Package ships 251 framework files in the npm tarball (278KB compressed).

packages/mosaic/framework/tools/authentik/README.md

@@ -0,0 +1,60 @@
+# Authentik Tool Suite
+
+Manage Authentik identity provider (SSO, users, groups, applications, flows) via CLI.
+
+## Prerequisites
+
+- `jq` installed
+- Authentik credentials in `~/src/jarvis-brain/credentials.json` (or `$MOSAIC_CREDENTIALS_FILE`)
+- Required fields: `authentik.url`, `authentik.username`, `authentik.password`
+
+## Authentication
+
+Scripts use `auth-token.sh` to auto-authenticate via username/password and cache the API token at `~/.cache/mosaic/authentik-token`. The token is validated on each use and refreshed automatically when expired.
+
+For better security, create a long-lived API token in Authentik admin (Directory > Tokens) and set `$AUTHENTIK_TOKEN` in your environment — the scripts will use it directly.
+
+## Scripts
+
+| Script            | Purpose                                    |
+| ----------------- | ------------------------------------------ |
+| `auth-token.sh`   | Authenticate and cache API token           |
+| `user-list.sh`    | List users (search, filter by group)       |
+| `user-create.sh`  | Create user with optional group assignment |
+| `group-list.sh`   | List groups                                |
+| `app-list.sh`     | List OAuth/SAML applications               |
+| `flow-list.sh`    | List authentication flows                  |
+| `admin-status.sh` | System health and version info             |
+
+## Common Options
+
+All scripts support:
+
+- `-f json` — JSON output (default: table)
+- `-h` — Show help
+
+## API Reference
+
+- Base URL: `https://auth.diversecanvas.com`
+- API prefix: `/api/v3/`
+- OpenAPI schema: `/api/v3/schema/`
+- Auth: Bearer token in `Authorization` header
+
+## Examples
+
+```bash
+# List all users
+~/.config/mosaic/tools/authentik/user-list.sh
+
+# Search for a user
+~/.config/mosaic/tools/authentik/user-list.sh -s "jason"
+
+# Create a user in the admins group
+~/.config/mosaic/tools/authentik/user-create.sh -u newuser -n "New User" -e new@example.com -g admins
+
+# List OAuth applications as JSON
+~/.config/mosaic/tools/authentik/app-list.sh -f json
+
+# Check system health
+~/.config/mosaic/tools/authentik/admin-status.sh
+```

packages/mosaic/framework/tools/authentik/admin-status.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+# admin-status.sh — Authentik system health and version info
+#
+# Usage: admin-status.sh [-f format] [-a instance]
+#
+# Options:
+#   -f format     Output format: table (default), json
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+FORMAT="table"
+AK_INSTANCE=""
+
+while getopts "f:a:h" opt; do
+  case $opt in
+    f) FORMAT="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -13 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f format] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+response=$(curl -sk -w "\n%{http_code}" \
+  -H "Authorization: Bearer $TOKEN" \
+  "${AUTHENTIK_URL}/api/v3/admin/system/")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "200" ]]; then
+  echo "Error: Failed to get system status (HTTP $http_code)" >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.'
+  exit 0
+fi
+
+echo "Authentik System Status"
+echo "======================="
+echo "$body" | jq -r '
+  "  URL:            \(.http_host // "unknown")\n" +
+  "  Version:        \(.runtime.authentik_version // "unknown")\n" +
+  "  Python:         \(.runtime.python_version // "unknown")\n" +
+  "  Workers:        \(.runtime.gunicorn_workers // "unknown")\n" +
+  "  Build Hash:     \(.runtime.build_hash // "unknown")\n" +
+  "  Embedded Outpost: \(.embedded_outpost_host // "unknown")"
+'

packages/mosaic/framework/tools/authentik/app-list.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+#
+# app-list.sh — List Authentik applications
+#
+# Usage: app-list.sh [-f format] [-s search] [-a instance]
+#
+# Options:
+#   -f format     Output format: table (default), json
+#   -s search     Search by application name
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+FORMAT="table"
+SEARCH=""
+AK_INSTANCE=""
+
+while getopts "f:s:a:h" opt; do
+  case $opt in
+    f) FORMAT="$OPTARG" ;;
+    s) SEARCH="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -14 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f format] [-s search] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+PARAMS="ordering=name"
+[[ -n "$SEARCH" ]] && PARAMS="${PARAMS}&search=${SEARCH}"
+
+response=$(curl -sk -w "\n%{http_code}" \
+  -H "Authorization: Bearer $TOKEN" \
+  "${AUTHENTIK_URL}/api/v3/core/applications/?${PARAMS}")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "200" ]]; then
+  echo "Error: Failed to list applications (HTTP $http_code)" >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.results'
+  exit 0
+fi
+
+echo "NAME                          SLUG                          PROVIDER           LAUNCH URL"
+echo "----------------------------  ----------------------------  -----------------  ----------------------------------------"
+echo "$body" | jq -r '.results[] | [
+  .name,
+  .slug,
+  (.provider_obj.name // "none"),
+  (.launch_url // "—")
+] | @tsv' | while IFS=$'\t' read -r name slug provider launch_url; do
+  printf "%-28s  %-28s  %-17s  %s\n" \
+    "${name:0:28}" "${slug:0:28}" "${provider:0:17}" "$launch_url"
+done

packages/mosaic/framework/tools/authentik/auth-token.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+#
+# auth-token.sh — Obtain and cache Authentik API token
+#
+# Usage: auth-token.sh [-f] [-q] [-a instance]
+#
+# Returns a valid Authentik API token. Checks in order:
+#   1. Cached token at ~/.cache/mosaic/authentik-token-<instance> (if valid)
+#   2. Pre-configured token from credentials.json (authentik.<instance>.token)
+#   3. Fails with instructions to create a token in the admin UI
+#
+# Options:
+#   -f            Force re-validation (ignore cached token)
+#   -q            Quiet mode — only output the token
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+#
+# Environment variables (or credentials.json):
+#   AUTHENTIK_URL    — Authentik instance URL
+#   AUTHENTIK_TOKEN  — Pre-configured API token (recommended)
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+FORCE=false
+QUIET=false
+AK_INSTANCE=""
+
+while getopts "fqa:h" opt; do
+  case $opt in
+    f) FORCE=true ;;
+    q) QUIET=true ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -22 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f] [-q] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+CACHE_DIR="$HOME/.cache/mosaic"
+CACHE_FILE="$CACHE_DIR/authentik-token${AUTHENTIK_INSTANCE:+-$AUTHENTIK_INSTANCE}"
+
+_validate_token() {
+  local token="$1"
+  local http_code
+  http_code=$(curl -sk -o /dev/null -w "%{http_code}" \
+    --connect-timeout 5 --max-time 10 \
+    -H "Authorization: Bearer $token" \
+    "${AUTHENTIK_URL}/api/v3/core/users/me/")
+  [[ "$http_code" == "200" ]]
+}
+
+# 1. Check cached token
+if [[ "$FORCE" == "false" ]] && [[ -f "$CACHE_FILE" ]]; then
+  cached_token=$(cat "$CACHE_FILE")
+  if [[ -n "$cached_token" ]] && _validate_token "$cached_token"; then
+    [[ "$QUIET" == "false" ]] && echo "Using cached token (valid)" >&2
+    echo "$cached_token"
+    exit 0
+  fi
+  [[ "$QUIET" == "false" ]] && echo "Cached token invalid, checking credentials..." >&2
+fi
+
+# 2. Use pre-configured token from credentials.json
+if [[ -n "${AUTHENTIK_TOKEN:-}" ]]; then
+  if _validate_token "$AUTHENTIK_TOKEN"; then
+    # Cache it for faster future access
+    mkdir -p "$CACHE_DIR"
+    echo "$AUTHENTIK_TOKEN" > "$CACHE_FILE"
+    chmod 600 "$CACHE_FILE"
+    [[ "$QUIET" == "false" ]] && echo "Token validated and cached at $CACHE_FILE" >&2
+    echo "$AUTHENTIK_TOKEN"
+    exit 0
+  else
+    echo "Error: Pre-configured AUTHENTIK_TOKEN is invalid (API returned non-200)" >&2
+    exit 1
+  fi
+fi
+
+# 3. No token available
+echo "Error: No Authentik API token configured" >&2
+echo "" >&2
+echo "To create one:" >&2
+echo "  1. Log into Authentik admin: ${AUTHENTIK_URL}/if/admin/#/core/tokens" >&2
+echo "  2. Click 'Create' → set identifier (e.g., 'mosaic-agent')" >&2
+echo "  3. Select 'API Token' intent, uncheck 'Expiring'" >&2
+echo "  4. Copy the key and add to credentials.json:" >&2
+echo "     Add token to credentials.json under authentik.<instance>.token" >&2
+exit 1

packages/mosaic/framework/tools/authentik/flow-list.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+#
+# flow-list.sh — List Authentik flows
+#
+# Usage: flow-list.sh [-f format] [-d designation] [-a instance]
+#
+# Options:
+#   -f format        Output format: table (default), json
+#   -d designation   Filter by designation (authentication, authorization, enrollment, etc.)
+#   -a instance      Authentik instance name (e.g. usc, mosaic)
+#   -h               Show this help
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+FORMAT="table"
+DESIGNATION=""
+AK_INSTANCE=""
+
+while getopts "f:d:a:h" opt; do
+  case $opt in
+    f) FORMAT="$OPTARG" ;;
+    d) DESIGNATION="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -14 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f format] [-d designation] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+PARAMS="ordering=slug"
+[[ -n "$DESIGNATION" ]] && PARAMS="${PARAMS}&designation=${DESIGNATION}"
+
+response=$(curl -sk -w "\n%{http_code}" \
+  -H "Authorization: Bearer $TOKEN" \
+  "${AUTHENTIK_URL}/api/v3/flows/instances/?${PARAMS}")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "200" ]]; then
+  echo "Error: Failed to list flows (HTTP $http_code)" >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.results'
+  exit 0
+fi
+
+echo "NAME                          SLUG                          DESIGNATION       TITLE"
+echo "----------------------------  ----------------------------  ----------------  ----------------------------"
+echo "$body" | jq -r '.results[] | [
+  .name,
+  .slug,
+  .designation,
+  (.title // "—")
+] | @tsv' | while IFS=$'\t' read -r name slug designation title; do
+  printf "%-28s  %-28s  %-16s  %s\n" \
+    "${name:0:28}" "${slug:0:28}" "$designation" "${title:0:28}"
+done

packages/mosaic/framework/tools/authentik/group-list.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+#
+# group-list.sh — List Authentik groups
+#
+# Usage: group-list.sh [-f format] [-s search] [-a instance]
+#
+# Options:
+#   -f format     Output format: table (default), json
+#   -s search     Search by group name
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+FORMAT="table"
+SEARCH=""
+AK_INSTANCE=""
+
+while getopts "f:s:a:h" opt; do
+  case $opt in
+    f) FORMAT="$OPTARG" ;;
+    s) SEARCH="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -13 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f format] [-s search] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+PARAMS="ordering=name"
+[[ -n "$SEARCH" ]] && PARAMS="${PARAMS}&search=${SEARCH}"
+
+response=$(curl -sk -w "\n%{http_code}" \
+  -H "Authorization: Bearer $TOKEN" \
+  "${AUTHENTIK_URL}/api/v3/core/groups/?${PARAMS}")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "200" ]]; then
+  echo "Error: Failed to list groups (HTTP $http_code)" >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.results'
+  exit 0
+fi
+
+echo "NAME                          PK                                    MEMBERS  SUPERUSER"
+echo "----------------------------  ------------------------------------  -------  ---------"
+echo "$body" | jq -r '.results[] | [
+  .name,
+  .pk,
+  (.users | length | tostring),
+  (if .is_superuser then "yes" else "no" end)
+] | @tsv' | while IFS=$'\t' read -r name pk members superuser; do
+  printf "%-28s  %-36s  %-7s  %s\n" "${name:0:28}" "$pk" "$members" "$superuser"
+done

packages/mosaic/framework/tools/authentik/user-create.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+#
+# user-create.sh — Create an Authentik user
+#
+# Usage: user-create.sh -u <username> -n <name> -e <email> [-p password] [-g group] [-a instance]
+#
+# Options:
+#   -u username   Username (required)
+#   -n name       Display name (required)
+#   -e email      Email address (required)
+#   -p password   Initial password (optional — user gets set-password flow if omitted)
+#   -g group      Group name to add user to (optional)
+#   -f format     Output format: table (default), json
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+#
+# Environment variables (or credentials.json):
+#   AUTHENTIK_URL — Authentik instance URL
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+USERNAME="" NAME="" EMAIL="" PASSWORD="" GROUP="" FORMAT="table" AK_INSTANCE=""
+
+while getopts "u:n:e:p:g:f:a:h" opt; do
+  case $opt in
+    u) USERNAME="$OPTARG" ;;
+    n) NAME="$OPTARG" ;;
+    e) EMAIL="$OPTARG" ;;
+    p) PASSWORD="$OPTARG" ;;
+    g) GROUP="$OPTARG" ;;
+    f) FORMAT="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -19 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 -u <username> -n <name> -e <email> [-p password] [-g group] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+if [[ -z "$USERNAME" || -z "$NAME" || -z "$EMAIL" ]]; then
+  echo "Error: -u username, -n name, and -e email are required" >&2
+  exit 1
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+# Build user payload
+payload=$(jq -n \
+  --arg username "$USERNAME" \
+  --arg name "$NAME" \
+  --arg email "$EMAIL" \
+  '{username: $username, name: $name, email: $email, is_active: true}')
+
+# Add password if provided
+if [[ -n "$PASSWORD" ]]; then
+  payload=$(echo "$payload" | jq --arg pw "$PASSWORD" '. + {password: $pw}')
+fi
+
+# Add to group if provided
+if [[ -n "$GROUP" ]]; then
+  # Look up group PK by name
+  group_response=$(curl -sk \
+    -H "Authorization: Bearer $TOKEN" \
+    "${AUTHENTIK_URL}/api/v3/core/groups/?search=${GROUP}")
+  group_pk=$(echo "$group_response" | jq -r ".results[] | select(.name == \"$GROUP\") | .pk" | head -1)
+  if [[ -n "$group_pk" ]]; then
+    payload=$(echo "$payload" | jq --arg gk "$group_pk" '. + {groups: [$gk]}')
+  else
+    echo "Warning: Group '$GROUP' not found — creating user without group" >&2
+  fi
+fi
+
+response=$(curl -sk -w "\n%{http_code}" -X POST \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "$payload" \
+  "${AUTHENTIK_URL}/api/v3/core/users/")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "201" ]]; then
+  echo "Error: Failed to create user (HTTP $http_code)" >&2
+  echo "$body" | jq -r '.' 2>/dev/null >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.'
+else
+  echo "User created successfully:"
+  echo "$body" | jq -r '"  Username: \(.username)\n  Name:     \(.name)\n  Email:    \(.email)\n  PK:       \(.pk)"'
+fi

packages/mosaic/framework/tools/authentik/user-list.sh

@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+#
+# user-list.sh — List Authentik users
+#
+# Usage: user-list.sh [-f format] [-s search] [-g group] [-a instance]
+#
+# Options:
+#   -f format     Output format: table (default), json
+#   -s search     Search term (matches username, name, email)
+#   -g group      Filter by group name
+#   -a instance   Authentik instance name (e.g. usc, mosaic)
+#   -h            Show this help
+#
+# Environment variables (or credentials.json):
+#   AUTHENTIK_URL — Authentik instance URL
+set -euo pipefail
+
+MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$MOSAIC_HOME/tools/_lib/credentials.sh"
+
+FORMAT="table"
+SEARCH=""
+GROUP=""
+AK_INSTANCE=""
+
+while getopts "f:s:g:a:h" opt; do
+  case $opt in
+    f) FORMAT="$OPTARG" ;;
+    s) SEARCH="$OPTARG" ;;
+    g) GROUP="$OPTARG" ;;
+    a) AK_INSTANCE="$OPTARG" ;;
+    h) head -15 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
+    *) echo "Usage: $0 [-f format] [-s search] [-g group] [-a instance]" >&2; exit 1 ;;
+  esac
+done
+
+if [[ -n "$AK_INSTANCE" ]]; then
+  load_credentials "authentik-${AK_INSTANCE}"
+else
+  load_credentials authentik
+fi
+
+TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})
+
+# Build query params
+PARAMS="ordering=username"
+[[ -n "$SEARCH" ]] && PARAMS="${PARAMS}&search=${SEARCH}"
+[[ -n "$GROUP" ]] && PARAMS="${PARAMS}&groups_by_name=${GROUP}"
+
+response=$(curl -sk -w "\n%{http_code}" \
+  -H "Authorization: Bearer $TOKEN" \
+  "${AUTHENTIK_URL}/api/v3/core/users/?${PARAMS}")
+
+http_code=$(echo "$response" | tail -n1)
+body=$(echo "$response" | sed '$d')
+
+if [[ "$http_code" != "200" ]]; then
+  echo "Error: Failed to list users (HTTP $http_code)" >&2
+  exit 1
+fi
+
+if [[ "$FORMAT" == "json" ]]; then
+  echo "$body" | jq '.results'
+  exit 0
+fi
+
+# Table output
+echo "USERNAME              NAME                          EMAIL                         ACTIVE  LAST LOGIN"
+echo "--------------------  ----------------------------  ----------------------------  ------  ----------"
+echo "$body" | jq -r '.results[] | [
+  .username,
+  .name,
+  .email,
+  (if .is_active then "yes" else "no" end),
+  (.last_login // "never" | split("T")[0])
+] | @tsv' | while IFS=$'\t' read -r username name email active last_login; do
+  printf "%-20s  %-28s  %-28s  %-6s  %s\n" \
+    "${username:0:20}" "${name:0:28}" "${email:0:28}" "$active" "$last_login"
+done