From c939b77db3cdbc6576b465941e8722c158b66f88 Mon Sep 17 00:00:00 2001 From: Mingqing Ye Date: Fri, 22 May 2026 16:00:33 +0800 Subject: [PATCH 1/3] docs: document --dapc seed flag for air-gapped OSS installs --- .../deployment-and-configuration.mdx | 6 +++ docs/logto-oss/using-cli/README.mdx | 42 +++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index e1f02fc641f..e0537f66cd6 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -108,6 +108,12 @@ npm run cli db seed -- --swe Refer to the [Logto CLI](/logto-oss/using-cli) for more details. +:::tip Air-gapped or offline installs + +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--dapc` to the seed command so the first admin sign-up does not hang on the HaveIBeenPwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. + +::: + ### Shared connectors folder \{#shared-connectors-folder} By default, Logto will create a `connectors` folder in the root directory of the `core` folder. We recommend sharing the folder between multiple instances of Logto, you need to mount the `packages/core/connectors` folder to the container and run `npm run cli connector add -- --official` to deploy the connectors. diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 1e5d1ab093a..24255de6b10 100644 --- a/docs/logto-oss/using-cli/README.mdx +++ b/docs/logto-oss/using-cli/README.mdx 
@@ -79,3 +79,45 @@ This will be helpful for one-off invocations, e.g.: ```bash npx @logto/cli db seed --db-url postgresql://your-database-url ``` + +### Seed for air-gapped or offline deployments \{#seed-for-air-gapped-or-offline-deployments} + +Since Logto v1.40.0, the `db seed` command accepts an extra flag for environments that cannot reach the public internet during installation: + +```bash +--dapc, --disable-admin-pwned-password-check +``` + +When set, the seeded `sign_in_experiences.password_policy` row for the **admin tenant** is `{"rejects": {"pwned": false}}` instead of the default `{}`. This skips the [HaveIBeenPwned (HIBP)](https://haveibeenpwned.com/) password breach check during the first admin sign-up, so creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). + +The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. + +Example: + + + + + +```bash +logto db seed --dapc +``` + + + + +```bash +npm run cli db seed -- --dapc +``` + + + + +```bash +npx @logto/cli db seed --dapc +``` + + + + + +The long alias `--disable-admin-pwned-password-check` is accepted as a more explicit equivalent in scripts. From df9c3e6f9b4d16fae8148acb75ba86011ebf56ea Mon Sep 17 00:00:00 2001 From: Mingqing Ye Date: Fri, 22 May 2026 16:40:26 +0800 Subject: [PATCH 2/3] docs: apply review feedback for --disable-admin-pwned-password-check --- docs/logto-oss/deployment-and-configuration.mdx | 2 +- docs/logto-oss/using-cli/README.mdx | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index e0537f66cd6..f3209fc5c58 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -110,7 +110,7 @@ Refer to the [Logto CLI](/logto-oss/using-cli) for more details. :::tip Air-gapped or offline installs -If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--dapc` to the seed command so the first admin sign-up does not hang on the HaveIBeenPwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--disable-admin-pwned-password-check` to the seed command so the first admin sign-up does not hang on the Have I Been Pwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. ::: diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 24255de6b10..3d872e57461 100644 --- a/docs/logto-oss/using-cli/README.mdx +++ b/docs/logto-oss/using-cli/README.mdx 
@@ -85,10 +85,10 @@ npx @logto/cli db seed --db-url postgresql://your-database-url Since Logto v1.40.0, the `db seed` command accepts an extra flag for environments that cannot reach the public internet during installation: ```bash ---dapc, --disable-admin-pwned-password-check +--disable-admin-pwned-password-check, --dapc ``` -When set, the seeded `sign_in_experiences.password_policy` row for the **admin tenant** is `{"rejects": {"pwned": false}}` instead of the default `{}`. This skips the [HaveIBeenPwned (HIBP)](https://haveibeenpwned.com/) password breach check during the first admin sign-up, so creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). +When set, the seeded password policy on the **admin tenant** disables the [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) breach check by default. This means creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. @@ -99,25 +99,25 @@ Example: ```bash -logto db seed --dapc +logto db seed --disable-admin-pwned-password-check ``` ```bash -npm run cli db seed -- --dapc +npm run cli db seed -- --disable-admin-pwned-password-check ``` ```bash -npx @logto/cli db seed --dapc +npx @logto/cli db seed --disable-admin-pwned-password-check ``` -The long alias `--disable-admin-pwned-password-check` is accepted as a more explicit equivalent in scripts. +The short alias `--dapc` is accepted as an equivalent for terser scripts. 
From ef0078131d187f5fa1c24ff30a750a9ab7c13029 Mon Sep 17 00:00:00 2001 From: Mingqing Ye Date: Mon, 25 May 2026 13:28:37 +0800 Subject: [PATCH 3/3] docs: document --disable-admin-pwned-password-check on logto init Air-gapped users can now run a single `logto init --dapc` instead of `init --skip-seed` + `db seed --dapc`. Updates the install command options table, the air-gapped CLI section, and the deployment admonition to surface both code paths. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../deployment-and-configuration.mdx | 2 +- docs/logto-oss/using-cli/README.mdx | 25 +++++++++++++++++-- docs/logto-oss/using-cli/install-logto.mdx | 9 ++++--- 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index f3209fc5c58..bbb4d2880fb 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -110,7 +110,7 @@ Refer to the [Logto CLI](/logto-oss/using-cli) for more details. :::tip Air-gapped or offline installs -If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--disable-admin-pwned-password-check` to the seed command so the first admin sign-up does not hang on the Have I Been Pwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--disable-admin-pwned-password-check` to either `logto init` or `npm run cli db seed` so the first admin sign-up does not hang on the Have I Been Pwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. ::: diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 3d872e57461..523abf3684a 100644 --- a/docs/logto-oss/using-cli/README.mdx 
+++ b/docs/logto-oss/using-cli/README.mdx @@ -82,7 +82,7 @@ npx @logto/cli db seed --db-url postgresql://your-database-url ### Seed for air-gapped or offline deployments \{#seed-for-air-gapped-or-offline-deployments} -Since Logto v1.40.0, the `db seed` command accepts an extra flag for environments that cannot reach the public internet during installation: +Since Logto v1.40.0, both the `init` (install) and `db seed` commands accept an extra flag for environments that cannot reach the public internet during installation: ```bash --disable-admin-pwned-password-check, --dapc @@ -92,7 +92,28 @@ When set, the seeded password policy on the **admin tenant** disables the [Have The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. -Example: +**One-step install** (recommended for fresh OSS deployments): + + + + + +```bash +logto init --disable-admin-pwned-password-check +``` + + + + +```bash +npm init @logto@latest -- --disable-admin-pwned-password-check +``` + + + + + +**Seed an existing database** (when Logto is already extracted, or when re-seeding): diff --git a/docs/logto-oss/using-cli/install-logto.mdx b/docs/logto-oss/using-cli/install-logto.mdx index a0d2cd6d19f..eb1a59f452b 100644 --- a/docs/logto-oss/using-cli/install-logto.mdx +++ b/docs/logto-oss/using-cli/install-logto.mdx 
@@ -37,10 +37,11 @@ Alternatively, you can add the options below to skip some questions: ```bash # All these options are optional ---db-url The Postgres URL to Logto database --p, --path Path to your Logto instance, must be a non-existing path ---ss Skip Logto database seeding ---oc Add official connectors after installation +--db-url The Postgres URL to Logto database +-p, --path Path to your Logto instance, must be a non-existing path +--ss Skip Logto database seeding +--oc Add official connectors after installation +--disable-admin-pwned-password-check, --dapc Seed the admin tenant with the Have I Been Pwned (HIBP) password breach check disabled (for air-gapped or offline deployments). See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments). ``` Run `logto init --help` for full help info.
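Review bot: In PATCH 2/3, the rewritten "When set, ..." paragraph in docs/logto-oss/using-cli/README.mdx drops the concrete seeded value that PATCH 1/3 documented (`sign_in_experiences.password_policy` set to `{"rejects": {"pwned": false}}` instead of the default `{}`). That sentence was the only thing on the page an operator could check against the database to confirm what the flag changed. Since the flag relaxes the password policy of the admin tenant, consider keeping it. The phrase "disables the ... breach check by default" also reads oddly for an opt-in flag; "seeds the admin tenant with the HIBP breach check disabled" would be clearer. The following paragraph already says the check can be re-enabled from the Admin Console, so it may be worth wording that as the suggested follow-up once the first admin exists.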
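Review bot: In PATCH 3/3, the reworded tip in docs/logto-oss/deployment-and-configuration.mdx tells readers to append the flag to `npm run cli db seed`, but the npm form needs the `--` separator before CLI flags, as the context line `npm run cli db seed -- --swe` in the same file and the README example `npm run cli db seed -- --disable-admin-pwned-password-check` both show. Suggest either spelling out both full commands in the tip or wording it as passing the flag to `logto init` or to the `db seed` command, so the admonition cannot be read as a copy-paste instruction that omits the separator.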
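Review bot: In PATCH 3/3, the first changed line of the air-gapped section in docs/logto-oss/using-cli/README.mdx now applies "Since Logto v1.40.0" to both `init` and `db seed`, while PATCH 1/3 stated that version for `db seed` only. Please confirm that `init` gained the flag in the same release, or give its version separately. The heading and anchor still read "Seed for air-gapped or offline deployments" although the section now leads with a one-step install; keeping the anchor is sensible for link stability, but a sentence noting that the section also covers `logto init` would match the new content.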
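Review bot: In PATCH 3/3, the new `--disable-admin-pwned-password-check, --dapc` row in docs/logto-oss/using-cli/install-logto.mdx sits inside the bash code fence, so the Markdown link `[Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments)` will be shown as literal text rather than rendered as a link. The row is also much longer than the other option descriptions, and the whole table was re-indented to fit it. Suggest shortening the description to something like "Seed the admin tenant with the HIBP password breach check disabled" and moving the cross-reference into a sentence after the closing fence, next to "Run `logto init --help` for full help info."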